A few days ago I wrote about why PIN still matters in card-present payments. A 2025 IEEE paper reminded me of the other side of that argument: PIN matters — and so does how it is implemented and how cardholders actually use it at the terminal.

The research is sobering. Researchers from the University of Padua and TU Delft conducted a large-scale study across 142 participants and nearly 14,000 PINs entered on real Ingenico terminals. Using hidden cameras and a CNN-LSTM deep learning model trained on hand-movement video, they achieved over 50% Top-3 accuracy for 4-digit PINs, even when cardholders covered the keypad with their free hand. Top-3 is the number to watch: an attacker holding a stolen card typically gets three wrong PIN attempts before the issuer's try counter blocks it, so a ranked list of three guesses is the whole attack budget.

Three things worth understanding:

1️⃣ Covering the keypad helps. It is not enough on its own.

The study tested participants who actively shielded the PIN pad with their non-typing hand — the behavior we tell cardholders to adopt. The attack remained effective. The model does not need to see the digits. It reads the motion of the hand entering them. Covering style matters: placing the hand flat and horizontally over the pad (“Over” position) was the most effective defensive posture. Side and front coverage left more motion signal exposed. The physical geometry of how someone types is the attack surface — not the keypad visibility alone.

2️⃣ Terminal design is a security variable — not just a UX one.

The study found that smaller PIN pads are harder to attack because hand movement is more constrained and coverage is easier. But they also found that when a terminal is tilted at 45° — the default stand position for many Ingenico models — attack accuracy increased significantly. The uniform thumb-typing posture adopted by participants in that configuration gave the model a cleaner, more consistent motion signal to classify. Terminal form factor, stand angle, and keypad size are not neutral decisions. They affect the difficulty of side-channel inference directly. POS architects need to account for this.

3️⃣ Camera distance matters — but less than you might expect.

Attack accuracy remained effectively unchanged at 2 meters from the terminal. It began to degrade at 4 meters, and dropped below 10% at 8 meters for most configurations. A commodity spycam costing between 15 and 80 euros, placed within 2 meters of a terminal — on a ceiling, a shelf, or embedded in a fixture — is a realistic attack setup. The researchers note that motion-detection battery modes extend operational time significantly. The infrastructure cost for this attack is low. The barrier is placement opportunity, not technology.

The architectural takeaway:

PIN entry is not just a cryptographic control. It is a physical interaction that produces observable motion signals. The security of that interaction depends on terminal geometry, keypad layout, camera field of view, and cardholder behavior — all of which are design decisions. Randomized keypad layouts, multi-factor step-up flows, and AI-based anomaly detection at the terminal are among the countermeasures the authors propose. None of them are free. All of them require architectural intent at design time.
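To make two of the points above concrete, the Top-3 figure from the study and the randomized-keypad countermeasure, here is an added worked example in Python. It is my illustration, not code or data from the paper or from corebaseit.com. It assumes a 4-digit PIN, a 10-key pad indexed 0 to 9, a PIN try limit of 3 (a typical issuer setting, not something the paper states), and hand-built per-keystroke probability rows standing in for the CNN-LSTM's softmax; the shuffled layout and the sample PINs are constructed.

```python
"""Added worked example (not the paper's code): Top-k accuracy against a PIN
try counter, and why a randomized keypad layout breaks a classifier that
predicts key *positions* from hand motion. All inputs are constructed."""
from itertools import product
from math import prod

PIN_TRY_LIMIT = 3                   # assumption: typical issuer setting
STANDARD_LAYOUT = list(range(10))   # fixed pad: position i shows digit i
SHUFFLED_LAYOUT = [7, 3, 0, 9, 1, 5, 8, 2, 6, 4]  # constructed per-transaction layout


def synthetic_model_output(pressed_positions, confusions=None, confidence=0.6):
    """Stand-in for the classifier's per-keystroke softmax over 10 key positions.

    Mass `confidence` goes on the pressed position and the rest is spread
    evenly. `confusions` maps keystroke index -> (true_mass, (other_pos,
    other_mass)) to model a keystroke the classifier partly mistakes for a
    neighbouring key.
    """
    confusions = confusions or {}
    rows = []
    for i, pos in enumerate(pressed_positions):
        if i in confusions:
            true_mass, (other_pos, other_mass) = confusions[i]
            row = [(1.0 - true_mass - other_mass) / 8] * 10
            row[pos], row[other_pos] = true_mass, other_mass
        else:
            row = [(1.0 - confidence) / 9] * 10
            row[pos] = confidence
        rows.append(row)
    return rows


def rank_positions(per_keystroke_probs, k):
    """Top-k key-position sequences by joint probability, treating keystrokes
    as independent. Exhaustive over the 10^4 sequences (cheap); ties lexical."""
    scored = [(prod(row[p] for row, p in zip(per_keystroke_probs, seq)), seq)
              for seq in product(range(10), repeat=len(per_keystroke_probs))]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [seq for _, seq in scored[:k]]


def positions_to_pin(seq, layout):
    """Translate predicted key positions into digits using a layout."""
    return "".join(str(layout[p]) for p in seq)


def pressed_positions(pin, layout):
    """Key positions a user presses to type `pin` on `layout`."""
    return [layout.index(int(d)) for d in pin]


def top_k_accuracy(samples, k):
    """Fraction of (probs, true_pin) samples whose PIN is within the first k
    guesses on the fixed pad: the attacker's success rate with k PIN tries."""
    hits = 0
    for probs, true_pin in samples:
        guesses = [positions_to_pin(s, STANDARD_LAYOUT) for s in rank_positions(probs, k)]
        hits += true_pin in guesses
    return hits / len(samples)


def attack_succeeds(true_pin, actual_layout, assumed_layout, k=PIN_TRY_LIMIT):
    """The user typed true_pin on actual_layout; the camera model recovered the
    pressed positions; the attacker maps them to digits with assumed_layout."""
    probs = synthetic_model_output(pressed_positions(true_pin, actual_layout))
    guesses = [positions_to_pin(s, assumed_layout) for s in rank_positions(probs, k)]
    return true_pin in guesses


# Constructed samples on the fixed pad: a clean read, one confused keystroke
# (true PIN ranks 2nd), and two confused keystrokes (true PIN ranks 4th).
SAMPLES = [
    (synthetic_model_output(pressed_positions("1234", STANDARD_LAYOUT)), "1234"),
    (synthetic_model_output(pressed_positions("5790", STANDARD_LAYOUT),
                            {1: (0.40, (4, 0.45))}), "5790"),
    (synthetic_model_output(pressed_positions("0862", STANDARD_LAYOUT),
                            {0: (0.40, (8, 0.50)), 3: (0.40, (3, 0.50))}), "0862"),
]

if __name__ == "__main__":
    for k in (1, PIN_TRY_LIMIT, 5):
        print(f"Top-{k} accuracy on fixed pad: {top_k_accuracy(SAMPLES, k):.2f}")
    print("Shuffled layout, attacker knows it:    ",
          attack_succeeds("1234", SHUFFLED_LAYOUT, SHUFFLED_LAYOUT))
    print("Shuffled layout, attacker assumes fixed:",
          attack_succeeds("1234", SHUFFLED_LAYOUT, STANDARD_LAYOUT))
```

On the constructed samples Top-1 is 1/3, Top-3 is 2/3 and Top-5 is 1.0, which is the whole point of `top_k_accuracy`: with k set to the try limit it is the attacker's per-card success probability, so Top-3 rather than Top-1 is the figure to report. The layout half shows the mechanism behind the randomized-keypad countermeasure: the classifier ranks positions, and without the per-transaction mapping those positions do not turn into digits. The caveat a practitioner should hold onto is that if the camera can also read the display that shows the shuffled layout, the attacker recovers the mapping and the countermeasure adds nothing; it has to be paired with display shielding or a narrow viewing angle.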

EMV protects the instrument. PIN protects against unauthorized use. And the PIN entry moment itself needs to be treated as an attack surface — not an afterthought.

Full breakdown on corebaseit.com: 🔗 https://corebaseit.com


Reference

S. Cecconello, M. Cardaioli, L. Pasa, S. Picek and G. Smaragdakis, “Your PIN is Mine: Uncovering Users’ PINs at Point of Sale Machines,” IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 6, pp. 7302–7318, Nov./Dec. 2025. DOI: 10.1109/TDSC.2025.3594630


#Payments #PIN #POS #EMV #PaymentSecurity #SoftPOS #CardPresent #FraudPrevention #PaymentArchitecture #CVM #Acquiring #MachineLearning #Fintech #corebaseit