According to a team of researchers at the University of Cambridge, a smartphone PIN can be recovered by malicious software that uses the phone's own camera and microphone.
The proof-of-concept app, called PIN Skimmer, can identify codes entered on a number-only soft keypad. It works by watching the user's face through the front camera while listening, through the microphone, for the clicks the phone makes as the PIN is typed.
The research report explains that the microphone is used to detect “touch-events”: it “hears” the clicks the phone makes when the user presses the virtual number keys, which tells the attacker when each tap happened. The camera estimates the position of the phone at that moment and “correlates it to the position of the digit tapped by the user”.
Professor Ross Anderson and Laurent Simon, who carried out the tests using the Google Nexus S and the Galaxy S3 handsets, said: “We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously.”
“We watch how your face appears to move as you jiggle your phone by typing,” said Anderson, professor of security engineering at Cambridge University. “It did surprise us how well it worked.”
In the tests, PIN Skimmer recovered four-digit PINs more than 50 percent of the time within five guesses. With smartphones increasingly relying on such PINs to protect sensitive apps such as banking, the researchers question whether a PIN is adequate protection for them.
One possible countermeasure is a longer PIN, but the researchers say this harms “memorability and usability”.
Another is “randomising” the position of the digits on the keypad, so that an observed tap position no longer reveals which digit was pressed, but again this costs usability.
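To make the attack model and the keypad-randomisation countermeasure concrete, here is an added simulation. It is not the researchers' PIN Skimmer code and is not taken from the paper; it assumes a deliberately simplified model in which the microphone fixes the moment of each tap and the camera-derived motion estimate is modelled as the pressed key's position on a standard 3x4 keypad plus Gaussian noise. The attacker ranks candidate PINs by joint likelihood and succeeds if the real PIN is among the first N guesses, which is how the "within five attempts" figure above is measured. The keypad layout, noise level and all function names are constructed for this example.

```python
import heapq
import math
import random

# Standard 3x4 phone keypad, digit -> (column, row) on a unit grid.
# Constructed for this example; real key spacing depends on the handset.
FIXED_LAYOUT = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}
DIGITS = "0123456789"
NOISE = 0.3  # assumed std deviation of the camera-derived tap estimate, in key widths


def observe_tap(layout, digit, rng, noise=NOISE):
    """What the side channel yields for one tap: the microphone fixes the
    moment of the tap, the camera-derived motion of the phone gives a noisy
    estimate of where on the keypad the finger landed (modelled as Gaussian)."""
    x, y = layout[digit]
    return (x + rng.gauss(0, noise), y + rng.gauss(0, noise))


def digit_likelihoods(assumed_layout, obs, noise=NOISE):
    """Attacker's per-tap belief: score every digit by how well its key
    position under the assumed layout explains the observed estimate."""
    scores = {}
    for d, (x, y) in assumed_layout.items():
        dist2 = (obs[0] - x) ** 2 + (obs[1] - y) ** 2
        scores[d] = math.exp(-dist2 / (2 * noise ** 2))
    total = sum(scores.values())
    return {d: s / total for d, s in scores.items()}


def top_pins(per_tap, k):
    """Exact k most likely PINs by joint (product) likelihood, enumerated
    best-first over the per-tap rankings instead of scoring all 10**n PINs."""
    ranked = [sorted(lik.items(), key=lambda t: t[1], reverse=True) for lik in per_tap]

    def score(idx):
        p = 1.0
        for pos, i in enumerate(idx):
            p *= ranked[pos][i][1]
        return p

    start = (0,) * len(ranked)
    heap = [(-score(start), start)]
    seen = {start}
    out = []
    while heap and len(out) < k:
        _, idx = heapq.heappop(heap)
        out.append("".join(ranked[pos][i][0] for pos, i in enumerate(idx)))
        # Each successor demotes one tap to its next-best digit, so scores only
        # fall along the search and the pop order is the exact global ranking.
        for pos in range(len(idx)):
            nxt = idx[:pos] + (idx[pos] + 1,) + idx[pos + 1:]
            if nxt[pos] < len(ranked[pos]) and nxt not in seen:
                seen.add(nxt)
                heapq.heappush(heap, (-score(nxt), nxt))
    return out


def success_rate(trials, attempts, randomise_layout, pin_length=4, seed=1):
    """Fraction of random PINs the attacker recovers within `attempts`
    guesses. With randomise_layout=True the phone draws a fresh digit
    permutation for every PIN entry; the attacker, who sees the phone's
    motion but not its screen, still assumes the standard layout."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_length))
        if randomise_layout:
            shuffled = list(DIGITS)
            rng.shuffle(shuffled)
            real_layout = dict(zip(shuffled, FIXED_LAYOUT.values()))
        else:
            real_layout = FIXED_LAYOUT
        obs = [observe_tap(real_layout, d, rng) for d in pin]
        guesses = top_pins([digit_likelihoods(FIXED_LAYOUT, o) for o in obs], attempts)
        hits += pin in guesses
    return hits / trials


if __name__ == "__main__":
    for attempts in (1, 5):
        print(f"{attempts} guess(es): fixed layout {success_rate(200, attempts, False):.0%}, "
              f"randomised layout {success_rate(200, attempts, True):.0%}")
```

Under this model the fixed layout is recovered well within five guesses, while a per-entry shuffled layout drops the attacker to roughly chance, because the position-to-digit correlation the camera channel relies on no longer holds. The same harness also shows why a longer PIN only helps modestly: each extra digit multiplies the candidate space by ten but also gives the attacker one more independent observation.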
There is also the option of doing away with PINs and passwords altogether in favour of fingerprint or face recognition.
Whatever the solution, Prof Anderson has some words of warning for those developing payment apps: “If you’re developing payment apps, you’d better be aware that these risks exist.”