Smartphone PIN protection methods have high failure rate

Friday, June 8, 2018

Popular methods of protecting smartphone personal identification number (PINs) may only be successful in safeguarding your personal information 20 per cent of the time, according to a new study out of the University of Waterloo.

The study found that methods such as tilting the smartphone, a widely adopted defence strategy, does not guard against people close to you such as romantic partners and co-workers who might be angling for access to your device. 

The study also found that even when the attacker is observing from across the room they still have a good success rate of stealing your PIN from a distance.

“We found that even when the device screen is tilted at an angle of 60 degrees or more away from the attackers they are still able to figure out a part of the PIN,” said lead researcher Hassan Khan, who is a post-doctoral fellow at Waterloo’s David R. Cheriton School of Computer Science. “This comes from the fact that the layout of the keypad is known. 

"So, the attackers know where the number one is and that four is always beneath it, and so on. So, using these cues the attackers are able to make these guesses.”

In conducting the study, videos were recorded of 30 people entering a PIN from different positions with different conditions, such as the screen of the device tilted away from the camera. Thirty attackers were then recruited to mount over 1,000 shoulder surfing attacks, which involved watching videos of users entering PINs on a phone. 

The researchers found that attackers who paid attention to the pattern of relative finger movement, movement in direction and distance relative to the previous tap, were more successful than the attackers who guessed only based on the current position of the finger and the layout of the keypad.

With attackers having to observe the victim entering their PIN only four times or less to figure out PINs 80 per cent of the time, even when the device is tilted, Khan said a better mechanism than tilting the device screen away needs to be considered. 

“A simple defence is to cover the keypad using the other hand, but this might not be a possibility against people close to you, such as your spouse, because you want to avoid showing that you do not trust them,” Khan said. “Another possible defence against these attacks is to randomize the location of the keys on the keypad. This eliminates the “known layout” which tremendously helped the attackers. Similarly, using longer passwords instead of four-digit PINs will likely provide better protection.”

The study, Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing, which was co-authored by Khan, Urs Hengartner and Daniel Vogel, all of Waterloo’s Cheriton School of Computer Science, was presented at the 36th Annual ACM Conference on Human Factors in Computing Systems (CHI 2018).