by amarant 2902 days ago
At first, this seems completely harmless, but there are a few scenarios in which this could potentially be a viable attack.

I doubt it's much use on computers, but imagine someone rigging a candid infrared camera across the street from an ATM. You'd block the camera's view while typing, but then you leave and it's game over.


This is a fairly well known attack on ATMs with plastic keys, but last I heard metal keys make it nearly impossible to carry out.
Whenever possible I type in the PIN with a house key or car key. That way there's little, if not none at all, heat left behind and I don't have to contact a germ-laden touchpad. #germaphobe
Replace ATM with the CC terminal in your favorite food truck then. This is even better, since you're not likely to type in a withdrawal amount into those (and thus add noise by pressing more keys).

Same thing goes, but they're rarely made of metal.

A debit card can be used as a credit card at a CC terminal. No PIN and no transaction fee. I don't think you'll find many people typing a PIN into a CC terminal in the wild.
AFAIK it's mostly in the US that using cards doesn't always require PINs. Here in Canada I have to enter my PIN whether it's my credit or debit card, for every purchase at a CC terminal. The only exception is if I'm using contactless payment. This was also true in Europe last I checked.
All the time in the EU, except if the card has NFC, then without PIN up to 20€ (depending on the bank).
Well, you still have to get the order right, though it might be possible to have an idea through the temperature differences.
Yeah, metal reflects thermal IR like a mirror.
It also generates IR by itself. It wouldn't be a big problem to carry out the attack, as long as the keypad isn't reflecting any strong IR source towards the camera.
A thermal camera that has enough resolution to get individual keys from across the street is not gonna be cheap. A 1.8Mpx @30Hz is above $20k without lens.
This is why I habitually run my fingers across the keypad after entering my PIN. Paranoid thinking? Maybe.
I do something similar, but I think it's far more likely that a cheap webcam is positioned where it can view the keypad of those who don't screen it well. I always throw in a few "phantom" keypresses when entering a PIN for my CC or bank card.