Your PIN is Mine

Uncovering Users' PINs at Point of Sale Machines

Journal Article (2025)
Author(s)

S. Cecconello (Università degli Studi di Padova, TU Delft - Cyber Security)

Matteo Cardaioli (GFT)

Luca Pasa (Università degli Studi di Padova)

S. Picek (Radboud Universiteit Nijmegen, University of Zagreb)

G. Smaragdakis (TU Delft - Cyber Security)

Research Group
Cyber Security
DOI related publication
https://doi.org/10.1109/TDSC.2025.3594630
Publication Year
2025
Language
English
Bibliographical Note
Green Open Access added to TU Delft Institutional Repository as part of the Taverne amendment. More information about this copyright law amendment can be found at https://www.openaccess.nl. Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Issue number
6
Volume number
22
Pages (from-to)
7302-7318
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Point of Sale (PoS) machines have become extremely popular recently. In many economies, most transactions occur using them. Although PoS technology is evolving, PINs are still heavily used. In this paper, we perform a large-scale study to understand how difficult it is to uncover user PINs at PoS, even when the users cover the pad with their hands. Our study involves 142 participants, two types of PoS, and around 13,800 PINs. We develop machine learning techniques to infer PoS PINs by using hidden cameras. Our results show that uncovering PINs in PoS is more complex than in other cases where a user PIN is used, e.g., ATMs, because of the small pad area of PoS. Nevertheless, we could achieve more than 50% Top-3 accuracy for 4-digit PINs and 45% Top-3 accuracy for 5-digit PINs, even when the PIN is covered by the user's hand. We comment on the impact of the camera's position and PoS on the successful inference of the user's PINs. We also comment on the hardness of inferring PINs depending on the physical distance of digits and recommend good practices for generating PINs and covering the PoS to make PIN inference difficult.

Files

License info not available

File under embargo until 02-03-2026