An alarming new way to steal your passwords

Source: Thinkstock

At a restaurant, you pull out your phone to check email. Without even thinking about it, you tap in a PIN to unlock your phone. Your back’s to the wall and nobody can see what you’re typing, so there’s no reason to worry that somebody could intercept your passcode.

Except, sadly, there is. Researchers at Syracuse University have demonstrated that hackers can guess PINs by analyzing video of people tapping on their smartphone screens -- even when the screen itself isn’t visible. Software used to analyze such video relies on “spatio-temporal dynamics” to gauge the distance from the fingers to the phone’s screen, and then approximate which characters the fingers tap on a keypad. “It’s like lip reading,” says Vir Phoha, an engineering and computer science professor at Syracuse and co-author of a paper on the technology. “Based on hand movement and the known geometry of the phone, we can see which keys are pressed.”

There don’t appear to be any known instances of hackers stealing PINs this way, but technologists think it’s only a matter of time. “We believe that it is very likely to be adopted by adversaries who seek to stealthily steal sensitive private information,” Phoha and three others Syracuse researchers wrote in their paper, published last year by the Association for Computing Machinery. The technology is fairly simple for anybody familiar with programming, and the exploding use of smartphones provides many millions of targets.

On top of that, the increased use of phones for banking and managing other financial accounts makes PINs a lucrative prize for hackers. And the same video-analysis technology can be used to infer PINs punched into ATMs, smart locks on the front doors of homes, garage door openers and other gizmos requiring similar codes.

Used by the good guys, too

Publicizing such black-hat technology through articles such as this one can obviously tip fraudsters to possible new methods of ripping people off. Security experts and some of their criminal foes already know about it, however, since such research has been published in technical journals. So Yahoo Finance decided it’s appropriate to alert consumers to this new form of hacking. National security and law enforcement agencies could also use it to keep track of bad guys; DARPA, the Pentagon’s technology skunk works, for instance, partly funded the Syracuse research.

The Syracuse experiments involved 50 volunteers typing PINs into HTC One smartphones, in a variety of different settings and postures. For each volunteer, researchers shot four different videos. The recordings were made using two off-the-shelf devices: a Google Nexus 5 smartphone camera and a Sony camcorder. All the videos were shot from the side or back of the phone, from 12 to 15 feet away. None of the videos captured the phone screen or explicitly showed what users were typing.

Software filled in the gaps, however, with a combination of image analysis and motion tracking algorithms being remarkably effective at “guessing” the PINs users typed in. On the first guess, software determined the correct password between 40% and 62% of the time, depending on the quality of the video and the zoom ratio. The highest-quality video produced an 82% accuracy rate after 5 guesses and 94% accuracy after 10 guesses. Using more than one video for each phone raises the odds of success even further.

“We can do it in about 30 minutes once we capture the video,” says Phoha. “We have almost 100% accuracy.” This graph lays out the results of computer guesswork for video shot using the Nexus smartphone and the Sony camcorder at zoom levels of 2x, 4x and 6x:

Sources: Diksha Shukla, Rajesh Kumar, Abdul Serwadda and Vir V. Phoha of Syracuse University; Association for Computing Machinery
Sources: Diksha Shukla, Rajesh Kumar, Abdul Serwadda and Vir V. Phoha of Syracuse University; Association for Computing Machinery

Hackers could shoot the necessary video without phone users ever noticing, especially in busy settings such as a bar, restaurant, bus, train, airport or shopping mall. Thieves have long nabbed people’s credit card numbers or ATM PINs by “shoulder snooping” during a transaction, or even looking on from a distance with binoculars or a camera with a zoom lens. So in a way, hacking via video—which can be done surreptitiously on a smartphone while the perpetrator appears to be harmlessly tapping on the screen—is nothing more than a new variation on an old theme.

There are still several additional steps hackers would have to take to steal or vandalize with a captured PIN. For starters, they’d have to crack into separate bank or financial accounts. They might be able to do that by stealing the phone, logging in with the hacked PIN and opening apps that aren’t password protected because the user assumed the smartphone PIN was protection enough.

Hackers could also glean additional information about targeted individuals, like email addresses and account numbers, and use those to log into accounts. If acquaintances or work colleagues were the target, some of that information might already be available. Since hackers already have partial information on millions of consumers, a smartphone PIN could be a crucial missing piece -- especially if it doubles as a passcode for other accounts.

They'll eventually get lucky enough

The odds of any one person getting digitally robbed in this fashion are low, but hackers would probably get lucky often enough to make it worth the trouble, since a lot of people use the same PIN for multiple accounts and devices. On top of that, the same technology used to crack 4- to 7-digit smartphone PINs could be refined to decode longer passwords such as those often required for computer access.

There are limits to such image-analysis technology. It’s harder to detect PINs when people type them with two fingers rather than one, for example. The use of a full keyboard instead of a 10-character phone-style keypad makes it harder still, as does the use of capital letters and symbols that aren’t on a 10-character pad. And fingerprint validation in lieu of a PIN solves the whole problem, even though it’s available on only a small portion of smartphones at the moment, and not at all on ATMs and other gadgets requiring PINS.

As always, countermeasures will ensue if unseen PIN hacking were to grow into a major problem. Smartphone makers could create keypads that appear in different locations on the screen every time, foiling pattern-recognition algorithms that rely on consistent spatio-temporal dynamics. Keypads that jumble the 10 numerals in a different random order during each use might also do the trick, though they could also drive users crazy and encourage them to ditch the passcode because it’s too much trouble.

Meanwhile, protecting yourself against sneaky PIN hacking wouldn’t be difficult, once you know what to do. Keeping your phone completely out of sight when entering a PIN or other sensitive data is the most obvious step. Newer iPhone and Android devices allow you to choose a longer, more complex alphanumeric passcode over a simple 4-digit one (although typing it in can be a pain). And practicing good security—by using two-factor authentication, password-tracking apps and so on—helps improve security and speed the notification time if somebody has infiltrated your accounts. It’s probably safe to assume somebody is always watching. Sooner or later, they will be.

Rick Newman’s latest book is Liberty for All: A Manifesto for Reclaiming Financial and Political Freedom. Follow him on Twitter: @rickjnewman.