Don't Forget to Include that Camera in the Threat Model

Piyumi Wathsala Seneviratne
Dilanka Perera
Harinda Samarasekara
Chamath Keppitiyagama
Kasun De Soyza
Kenneth Thilakarathna
Primal Wijesekera


Video Surveillance Systems (VSS) that are used to provide physical protection to the assets and personnel of organizations open up new information channels, but they are often not considered an integral part of the organization's information system. Therefore, more often than not, the VSS is not considered when designing and evaluating an organization's information security. Hence, a VSS may weaken the information security of an organization while strengthening its physical security. We present such a threat: the VSS used in the ATM kiosks of Sri Lankan banks can severely weaken ATM PIN security due to the ad hoc placement of cameras. While we have observed that in some installations the video camera directly captures the PIN pad, we show that visibility of forearm movements alone is sufficient to infer PINs with a significant level of accuracy. We used a mock-up of an ATM kiosk for our analysis, and we show that a human observer can guess a PIN with 22.5% accuracy within 3 attempts without any view of the PIN pad. A computer can infer the PIN from the same footage with 50% accuracy using a straightforward algorithm. Critical processes in the banks, such as authentication, are built around the assumption that the PIN is confidential, and banks therefore invest heavily in the PIN generation process. This well-protected PIN is exposed to the VSS when it is entered, violating a crucial assumption. However, this violation has hitherto gone unnoticed by the banks' security audits because the VSS is not considered an inalienable component of the information system.

