PIN Skimmer Can Read Your Smartphone PIN
November 12, 2013

Smartphone Camera And Microphone Can Reveal PIN, Experts Warn


redOrbit Staff & Wire Reports - Your Universe Online

British researchers warned on Monday that a smartphone’s PIN could be determined by tapping into the device’s microphone and camera.

Using a program called “PIN Skimmer,” the University of Cambridge team found that codes entered on a number-only soft keypad could be easily identified.

The software was able to “watch” a user’s face via the camera, and then “listen” to clicks through the microphone as the user typed in their PIN.

The demonstration was conducted on the Google Nexus-S and the Galaxy S3 smartphones.

"We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously," wrote Ross Anderson, professor of security engineering at Cambridge University, and Laurent Simon in a report about the findings.

The researchers said the smartphone’s microphone is used to detect "touch-events" as a user enters their PIN, meaning it can effectively "hear" the clicks that the phone makes as a user presses the virtual number keys.

The camera then approximates the orientation of the phone as the user is typing in their PIN, and correlates it to the position of the digit tapped by the user.

"We watch how your face appears to move as you jiggle your phone by typing," Anderson told BBC News. "It did surprise us how well it worked."

Indeed, the program determined a four-digit PIN more than half the time within five attempts, and determined an eight-digit PIN 60 percent of the time within ten attempts.

While many smartphone owners use a PIN to lock their phone, such codes are increasingly used to access other types of applications, such as banking apps. This raises the question of which resources should remain accessible on a phone while a person is entering a sensitive PIN, the researchers said.

"If you're developing payment apps, you'd better be aware that these risks exist," warned Anderson.

One possible solution is to use longer PINs, but Anderson said this would affect the "memorability and usability" of the phone.

"Randomizing" the position of numbers on the keypad might also help, but would "cripple usability on phones," the researchers said.
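To make the randomized-keypad countermeasure concrete, here is an added simulation (not code from the Cambridge researchers or the article) of why it works. It assumes an abstract "observer" that learns only where on the screen each tap landed, which is what the camera-based orientation inference described above ultimately yields, and it compares how much of the PIN that observer recovers when the keypad layout is fixed versus freshly shuffled for every entry. The PIN, layouts and trial counts are constructed for the example.

```python
"""Why a per-entry randomized keypad blunts a tap-position side channel.

Constructed example: the observer models any channel that recovers the screen
position of each tap (the article's camera/orientation inference) but not the
digit drawn at that position.
"""
import secrets

# Conventional phone keypad: position i always shows the same digit.
STANDARD_LAYOUT = list("1234567890")


def randomized_layout(rng=secrets):
    """Return the ten digits in a fresh order, shuffled with a secure RNG.

    A defender would generate one such layout per PIN-entry screen.
    """
    digits = list("0123456789")
    for i in range(len(digits) - 1, 0, -1):       # Fisher-Yates shuffle
        j = rng.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits


def tap_positions(pin, layout):
    """Keypad positions the user touches to enter `pin` under `layout`."""
    return [layout.index(d) for d in pin]


def observer_guess(positions, assumed_layout=STANDARD_LAYOUT):
    """What a position-only observer reads back, assuming the standard layout."""
    return "".join(assumed_layout[p] for p in positions)


def observer_accuracy(pin, layout_fn, trials=2000):
    """Return (full-PIN recovery rate, per-digit recovery rate) over `trials`
    PIN entries, each using the layout produced by `layout_fn()`."""
    full = 0
    digits = 0
    for _ in range(trials):
        layout = layout_fn()
        guess = observer_guess(tap_positions(pin, layout))
        full += guess == pin
        digits += sum(g == d for g, d in zip(guess, pin))
    return full / trials, digits / (trials * len(pin))


if __name__ == "__main__":
    # Constructed PIN for the demonstration.
    for name, fn in [("fixed", lambda: STANDARD_LAYOUT),
                     ("randomized", randomized_layout)]:
        full, per_digit = observer_accuracy("4721", fn)
        print(f"{name:10s} full-PIN recovery {full:.3f}  per-digit {per_digit:.3f}")
```

With the fixed layout the observer recovers every digit of every entry; with a layout shuffled per entry, each position maps to the right digit only about one time in ten, and the whole PIN almost never. The simulation does not model the usability cost the researchers warn about (users hunting for digits on an unfamiliar keypad), which is the trade-off the article describes.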

The report suggests a possible, although more drastic, answer may be to eliminate PINs altogether, turning instead to biometrics such as fingerprints and facial recognition, or electronic devices that phones can sense, such as smart watches and smart glasses.