marrec said:
That is not really a large volume of test results. It's a great place to start and to show that there is probably something worth figureing out here, but a sample size of 21 is very small.
If you say so. They say they isolated for the variety of techniques used to enter PINs. I yield that it's possible that they're lying, they didn't isolate, and that those 21 people all enter PINs identically, and everyone else on earth uses a secret strategy that their technique doesn't work for.
But again your initial reaction that you're now defending was made sight unseen, so I think your response is more "This is a plausible way that I could still not be totally wrong" rather than "This is what I sincerely believe to be a methodological error with the study".
Secondly, I really want to see the set up that they used, the size of the camera and the make and model of the camera.
Make and model are posted in the PDF, as well as cost. The size is not described, although
you can feel free to look it up, and I don't think "I'd notice the camera" is a very good defence given the rapid iteration of skimming scams including virtually undetectable ones as posted above in the thread and given that skimming cameras are already used and given that banks already have security cameras so the presence of an additional camera, even in plain site, would not necessarily trigger suspicion fast enough.
Where they placed the camera is also mentioned, and they do a limited amount of analysis to suggest that the camera's distance from the PINpad does not significantly impede the results (they doubled the distance with no loss of precision). But in the gate-crashing example, they also speculate about portable non-permanent devices and other applications of the technique, so it's a bit moot.
Are the pictures posted earlier in the thread relavant?
The right image in the OP is from the survey. Nothing else in the thread relates to the survey.
but when you have a study saying there is a 60-80% success rate of grabbing your PIN number after 15-45 seconds then I think it's reasonable to question it as much as possible.
I would say that launching a ton of separate objections to a study, most of which are addressed in the study, without having read the study, is not reasonable.
Your objections so far:
1) Not fast enough <-- and yet it is, even when they kneecap it in the survey, and they address it.
2) 50-80% accuracy is not good enough <-- and yet it is, given that you're trying to steal as many accounts as possible rather than one account with 100% accuracy, and they address it.
3) Thermal cameras are too expensive <-- and yet they're not, and they provide the price in the survey.
4) For this to work they'd need an automated program <-- they have one, which they provide in the survey
5) Yeah, but the average criminal doesn't have one <-- they easily could, which they deal with in the survey and in fact cause in the survey but explicitly describing their techniques.
6) There are varying techniques for entering PINs <-- they deal with this in the survey
7) Debit fraud is too much work, credit fraud is easier <-- and yet debit fraud still exists and this technique is a strict improvement on existing techniques.
8) I'm more worried about employees using skimmers <-- employees can just as easily do this.
9) Debit fraud isn't worth enough to make it economically viable <-- " In large-scale attacks involving many unique codes, such as on ATM PINs, our success rate indicates that an adversary can correctly recover enough codes to make such an attack economically viable"
10) Their sample size isn't large enough
I mean, is there some point where you're eventually going to say "Maybe I was a little premature, and maybe now I'm just trying to rationalize my initial reaction"?
marrec said:
Let me rephrase, Whats wrong with lay GAF-man questioning an article written based on a PDF showing that under lab experiments of 21 people entering PIN numbers, their setup could capture 60-80% of the numbers? Maybe it's because I'm an engineer (electrical engineer), but those numbers wouldn't get me to development of a project. These criminals work in vast quantities... like Wal-Mart! So 60-80% in a perfect world might translate to 30-50% in the real world which would probably still meet their profit goals.
1) Almost all of what you just included was information you found out after I called you out for having clearly not read the article, 2) I see you've settled on the sample size argument, 3) their study is not the perfect world and I've already provided you with the major specific way in which they handicap their own results which you've chosen to, I guess, ignore, 4) and you even yield the point that it's probably profitable in the end.
