Except, sadly, there is. Researchers at Syracuse University have demonstrated that hackers can guess PINs by analyzing video of people tapping on their smartphone screens -- even when the screen itself isn’t visible. Software used to analyze such video relies on “spatio-temporal dynamics” to gauge the distance from the fingers to the phone’s screen, and then approximate which characters the fingers tap on a keypad. “It’s like lip reading,” says Vir Phoha, an engineering and computer science professor at Syracuse and co-author of a paper on the technology. “Based on hand movement and the known geometry of the phone, we can see which keys are pressed.”
There don’t appear to be any known instances of hackers stealing PINs this way, but technologists think it’s only a matter of time. “We believe that it is very likely to be adopted by adversaries who seek to stealthily steal sensitive private information,” Phoha and three others Syracuse researcherswrote in their paper, published last year by the Association for Computing Machinery. The technology is fairly simple for anybody familiar with programming, and the exploding use of smartphones provides many millions of targets.
On top of that, the increased use of phones for banking and managing other financial accounts makes PINs a lucrative prize for hackers. And the same video-analysis technology can be used to infer PINs punched into ATMs, smart locks on the front doors of homes, garage door openers and other gizmos requiring similar codes.
Publicizing such black-hat technology through articles such as this one can obviously tip fraudsters to possible new methods of ripping people off. Security experts and some of their criminal foes already know about it, however, since such research has been published in technical journals. So Yahoo Finance decided it’s appropriate to alert consumers to this new form of hacking. National security and law enforcement agencies could also use it to keep track of bad guys; DARPA, the Pentagon’s technology skunk works, for instance, partly funded the Syracuse research.
The Syracuse experiments involved 50 volunteers typing PINs into HTC One smartphones, in a variety of different settings and postures. For each volunteer, researchers shot four different videos. The recordings were made using two off-the-shelf devices: a Google Nexus 5 smartphone camera and a Sony camcorder. All the videos were shot from the side or back of the phone, from 12 to 15 feet away. None of the videos captured the phone screen or explicitly showed what users were typing.
Software filled in the gaps, however, with a combination of image analysis and motion tracking algorithms being remarkably effective at “guessing” the PINs users typed in. On the first guess, software determined the correct password between 40% and 62% of the time, depending on the quality of the video and the zoom ratio. The highest-quality video produced an 82% accuracy rate after 5 guesses and 94% accuracy after 10 guesses. Using more than one video for each phone raises the odds of success even further.
“We can do it in about 30 minutes once we capture the video,” says Phoha. “We have almost 100% accuracy.” This graph lays out the results of computer guesswork for video shot using the Nexus smartphone and the Sony camcorder at zoom levels of 2x, 4x and 6x:
Hackers could shoot the necessary video without phone users ever noticing, especially in busy settings such as a bar, restaurant, bus, train, airport or shopping mall. Thieves have long nabbed people’s credit card numbers or ATM PINs by “shoulder snooping” during a transaction, or even looking on from a distance with binoculars or a camera with a zoom lens. So in a way, hacking via video—which can be done surreptitiously on a smartphone while the perpetrator appears to be harmlessly tapping on the screen—is nothing more than a new variation on an old theme.
There are still several additional steps hackers would have to take to steal or vandalize with a captured PIN. For starters, they’d have to crack into separate bank or financial accounts. They might be able to do that by stealing the phone, logging in with the hacked PIN and opening apps that aren’t password protected because the user assumed the smartphone PIN was protection enough.
Hackers could also glean additional information about targeted individuals, like email addresses and account numbers, and use those to log into accounts. If acquaintances or work colleagues were the target, some of that information might already be available. Since hackers already have partial information on millions of consumers, a smartphone PIN could be a crucial missing piece -- especially if it doubles as a passcode for other accounts.
They'll eventually get lucky enough
The odds of any one person getting digitally robbed in this fashion are low, but hackers would probably get lucky often enough to make it worth the trouble, since a lot of people use the same PIN for multiple accounts and devices. On top of that, the same technology used to crack 4- to 7-digit smartphone PINs could be refined to decode longer passwords such as those often required for computer access.
There are limits to such image-analysis technology. It’s harder to detect PINs when people type them with two fingers rather than one, for example. The use of a full keyboard instead of a 10-character phone-style keypad makes it harder still, as does the use of capital letters and symbols that aren’t on a 10-character pad. And fingerprint validation in lieu of a PIN solves the whole problem, even though it’s available on only a small portion of smartphones at the moment, and not at all on ATMs and other gadgets requiring PINS.
As always, countermeasures will ensue if unseen PIN hacking were to grow into a major problem. Smartphone makers could create keypads that appear in different locations on the screen every time, foiling pattern-recognition algorithms that rely on consistent spatio-temporal dynamics. Keypads that jumble the 10 numerals in a different random order during each use might also do the trick, though they could also drive users crazy and encourage them to ditch the passcode because it’s too much trouble.
Meanwhile, protecting yourself against sneaky PIN hacking wouldn’t be difficult, once you know what to do. Keeping your phone completely out of sight when entering a PIN or other sensitive data is the most obvious step. Newer iPhone and Android devices allow you to choose a longer, more complex alphanumeric passcode over a simple 4-digit one (although typing it in can be a pain). And practicing good security—by using two-factor authentication, password-tracking apps and so on—helps improve security and speed the notification time if somebody has infiltrated your accounts. It’s probably safe to assume somebody is always watching. Sooner or later, they will be.
http://finance.yahoo.com/news/an-alarming-new-way-to-steal-your-passwords-135027327.html
Fri Jul 19, 2024 10:30 am by faithhharris
» CCS.N0000 ( Ceylon Cold Stores)
Wed Mar 20, 2024 11:31 am by Hawk Eye
» Sri Lanka plans to allow tourists from August, no mandatory quarantine
Wed Sep 13, 2023 12:16 pm by lauryfriese
» When Will It Be Safe To Invest In The Stock Market Again?
Wed Apr 19, 2023 6:41 am by කිත්සිරි ද සිල්වා
» Dividend Announcements
Wed Apr 12, 2023 5:41 pm by කිත්සිරි ද සිල්වා
» MAINTENANCE NOTICE / නඩත්තු දැනුම්දීම
Thu Apr 06, 2023 3:18 pm by කිත්සිරි ද සිල්වා
» ඩොලර් මිලියනයක මුදල් සම්මානයක් සහ “ෆීල්ඩ්ස් පදක්කම” පිළිගැනීම ප්රතික්ෂේප කළ ගණිතඥයා
Sun Apr 02, 2023 7:28 am by කිත්සිරි ද සිල්වා
» SEYB.N0000 (Seylan Bank PLC)
Thu Mar 30, 2023 9:25 am by yellow knife
» Here's what blind prophet Baba Vanga predicted for 2016 and beyond: It's not good
Thu Mar 30, 2023 9:25 am by HaeroMaero
» The Korean Way !
Wed Mar 29, 2023 7:09 am by කිත්සිරි ද සිල්වා
» In the Meantime Within Our Shores!
Mon Mar 27, 2023 5:51 pm by කිත්සිරි ද සිල්වා
» What is Known as Dementia?
Fri Mar 24, 2023 10:09 am by කිත්සිරි ද සිල්වා
» SRI LANKA TELECOM PLC (SLTL.N0000)
Mon Mar 20, 2023 5:18 pm by කිත්සිරි ද සිල්වා
» THE LANKA HOSPITALS CORPORATION PLC (LHCL.N0000)
Mon Mar 20, 2023 5:10 pm by කිත්සිරි ද සිල්වා
» Equinox ( වසන්ත විෂුවය ) !
Mon Mar 20, 2023 4:28 pm by කිත්සිරි ද සිල්වා
» COMB.N0000 (Commercial Bank of Ceylon PLC)
Sun Mar 19, 2023 4:11 pm by කිත්සිරි ද සිල්වා
» REXP.N0000 (Richard Pieris Exports PLC)
Sun Mar 19, 2023 4:02 pm by කිත්සිරි ද සිල්වා
» RICH.N0000 (Richard Pieris and Company PLC)
Sun Mar 19, 2023 3:53 pm by කිත්සිරි ද සිල්වා
» Do You Have Computer Vision Syndrome?
Sat Mar 18, 2023 7:36 am by කිත්සිරි ද සිල්වා
» LAXAPANA BATTERIES PLC (LITE.N0000)
Thu Mar 16, 2023 11:23 am by කිත්සිරි ද සිල්වා
» What a Bank Run ?
Wed Mar 15, 2023 5:33 pm by කිත්සිරි ද සිල්වා
» 104 Technical trading experiments by HUNTER
Wed Mar 15, 2023 4:27 pm by katesmith1304
» GLAS.N0000 (Piramal Glass Ceylon PLC)
Wed Mar 15, 2023 7:45 am by කිත්සිරි ද සිල්වා
» Cboe Volatility Index
Tue Mar 14, 2023 5:32 pm by කිත්සිරි ද සිල්වා
» AHPL.N0000
Sun Mar 12, 2023 4:46 pm by කිත්සිරි ද සිල්වා
» TJL.N0000 (Tee Jey Lanka PLC.)
Sun Mar 12, 2023 4:43 pm by කිත්සිරි ද සිල්වා
» CTBL.N0000 ( CEYLON TEA BROKERS PLC)
Sun Mar 12, 2023 4:41 pm by කිත්සිරි ද සිල්වා
» COMMERCIAL DEVELOPMENT COMPANY PLC (COMD. N.0000))
Fri Mar 10, 2023 4:43 pm by yellow knife
» Bitcoin and Cryptocurrency
Fri Mar 10, 2023 1:47 pm by කිත්සිරි ද සිල්වා
» CSD.N0000 (Seylan Developments PLC)
Fri Mar 10, 2023 10:38 am by yellow knife
» PLC.N0000 (People's Leasing and Finance PLC)
Thu Mar 09, 2023 8:02 am by කිත්සිරි ද සිල්වා
» Bakery Products ?
Wed Mar 08, 2023 5:30 pm by කිත්සිරි ද සිල්වා
» NTB.N0000 (Nations Trust Bank PLC)
Sun Mar 05, 2023 7:24 am by කිත්සිරි ද සිල්වා
» Going South
Sat Mar 04, 2023 10:47 am by කිත්සිරි ද සිල්වා
» When Seagulls Follow the Trawler
Thu Mar 02, 2023 10:22 am by කිත්සිරි ද සිල්වා
» Re-activating
Sat Feb 25, 2023 5:12 pm by කිත්සිරි ද සිල්වා
» අපි තමයි හොඳටම කරේ !
Tue Feb 14, 2023 3:54 pm by ruwan326
» මේ අර් බුධය කිසිසේත්ම මා විසින් නිර්මාණය කල එකක් නොවේ
Tue Jan 03, 2023 6:43 pm by ruwan326
» SAMP.N0000 (Sampath Bank PLC)
Wed Nov 30, 2022 8:24 am by කිත්සිරි ද සිල්වා
» APLA.N0000 (ACL Plastics PLC)
Fri Nov 18, 2022 7:49 am by කිත්සිරි ද සිල්වා
» AVOID FALLING INTO ALLURING WEEKEND FAMILY PACKAGES.
Wed Nov 16, 2022 9:28 pm by කිත්සිරි ද සිල්වා
» Banks, Finance & Insurance Sector Chart
Tue Nov 15, 2022 5:26 pm by කිත්සිරි ද සිල්වා
» VPEL.N0000 (Vallibel Power Erathna PLC)
Sun Nov 13, 2022 12:15 pm by කිත්සිරි ද සිල්වා
» DEADLY COCKTAIL OF ISLAND MENTALITY AND PARANOID PERSONALITY DISORDER MIX.
Mon Nov 07, 2022 6:36 pm by කිත්සිරි ද සිල්වා
» WATA - Watawala
Sat Nov 05, 2022 8:44 am by කිත්සිරි ද සිල්වා
» KFP.N0000(Keels Food Products PLC)
Sat Nov 05, 2022 8:42 am by කිත්සිරි ද සිල්වා
» Capital Trust Broker in difficulty?
Fri Oct 21, 2022 5:25 pm by කිත්සිරි ද සිල්වා
» IS PIRATING INTELLECTUAL PROPERTY A BOON OR BANE?
Thu Oct 20, 2022 10:13 am by කිත්සිරි ද සිල්වා
» What Industry Would You Choose to Focus?
Tue Oct 11, 2022 6:39 pm by කිත්සිරි ද සිල්වා
» Should I Stick Around, or Should I Follow Others' Lead?
Tue Oct 11, 2022 9:07 am by කිත්සිරි ද සිල්වා