Popular methods of protecting smartphone personal identification numbers (PINs) may only be successful in safeguarding your personal information 20 per cent of the time, according to a new study out of the University of Waterloo.
The study found that methods such as tilting the smartphone, a widely adopted defence strategy, do not guard against people close to you, such as romantic partners and co-workers, who might be angling for access to your device. The study also found that even when the attacker is observing from across the room, they still have a good success rate of stealing your PIN from a distance.
“We found that even when the device screen is tilted at an angle of 60 degrees or more away from the attackers they are still able to figure out a part of the PIN,” said lead researcher Hassan Khan, who is a post-doctoral fellow at Waterloo’s David R. Cheriton School of Computer Science. “This comes from the fact that the layout of the keypad is known. So, the attackers know where the number one is and that four is always beneath it, and so on. So, using these cues the attackers are able to make these guesses.”
In conducting the study, videos were recorded of 30 people entering a PIN from different positions with different conditions, such as the screen of the device tilted away from the camera. Thirty attackers were then recruited to mount over 1,000 shoulder surfing attacks, which involved watching videos of users entering PINs on a phone.
The researchers found that attackers who paid attention to the pattern of relative finger movement (the direction and distance of each tap relative to the previous one) were more successful than attackers who guessed based only on the current position of the finger and the layout of the keypad.
With attackers needing to observe the victim entering their PIN only four times or fewer to figure out PINs 80 per cent of the time, even when the device is tilted, Khan said a better mechanism than tilting the device screen away needs to be considered.
“A simple defence is to cover the keypad using the other hand, but this might not be a possibility against people close to you, such as your spouse, because you want to avoid showing that you do not trust them,” Khan said. “Another possible defence against these attacks is to randomize the location of the keys on the keypad. This eliminates the ‘known layout’ which tremendously helped the attackers. Similarly, using longer passwords instead of four-digit PINs will likely provide better protection.”
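To make the "known layout" point concrete, here is an added example (not code from the study or its authors) that simulates the randomized-keypad defence Khan describes and quantifies what an observer learns from tap positions. It assumes a ten-key numeric keypad, a fixed layout where position i holds digit i, and a per-entry shuffle drawn from the OS CSPRNG; under a shuffled layout the observer, even with perfect visibility of where each tap landed, can rule out only PINs whose digit-repetition pattern differs from the observed position-repetition pattern.

```python
import secrets
from itertools import product

KEYS = "0123456789"


def fixed_layout():
    """Standard phone keypad: digit -> position, where position i holds digit i."""
    return {d: i for i, d in enumerate(KEYS)}


def randomized_layout():
    """Per-entry shuffled keypad: digit -> position, drawn from the OS CSPRNG
    (secrets.SystemRandom), so the assignment is unpredictable to an observer."""
    positions = list(range(10))
    secrets.SystemRandom().shuffle(positions)
    return dict(zip(KEYS, positions))


def tap_positions(pin, layout):
    """Key positions an observer would see the finger land on for this PIN."""
    return tuple(layout[d] for d in pin)


def equality_pattern(seq):
    """Which entries of a sequence coincide, e.g. (7, 2, 7, 4) -> (0, 1, 0, 2)."""
    first_seen = {}
    return tuple(first_seen.setdefault(x, len(first_seen)) for x in seq)


def consistent_pins(observed, layout_known, layout=None):
    """PINs the observer cannot rule out after seeing the exact tap positions.
    With a known (fixed) layout the positions identify the PIN outright; with
    an unknown per-entry shuffle any bijection digit->position is possible, so
    only the repetition structure of the positions carries over to the PIN."""
    if layout_known:
        inverse = {pos: d for d, pos in layout.items()}
        return ["".join(inverse[p] for p in observed)]
    target = equality_pattern(observed)
    return ["".join(p) for p in product(KEYS, repeat=len(observed))
            if equality_pattern(p) == target]
```

Observing a 4-distinct-digit PIN under the fixed layout leaves one candidate; under an unknown shuffle the same observation leaves 10*9*8*7 = 5040 candidates, which is the advantage randomization removes.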
The study, Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing, which was co-authored by Khan, Urs Hengartner and Daniel Vogel, all of Waterloo’s Cheriton School of Computer Science, was presented at the 36th Annual ACM Conference on Human Factors in Computing Systems (CHI 2018).