An alarming new way to steal your passwords

You are dining outside at a restaurant when you receive an email. You take out your phone and, without thinking twice, key in the PIN required to unlock it. Nobody can see what you typed, since your back is to the wall, so you are not worried that someone could intercept your passcode. Sadly, however, there is a way.

Hackers can infer PINs by analyzing video of people tapping on their smartphone screens, even when the display itself is not visible, according to research presented by researchers at Syracuse University.

The software used to interpret such video relies on “spatio-temporal dynamics” to measure the distance from the fingers to the phone’s screen, and then guess exactly which keys the fingers tap on the keypad. “It’s like lip reading,” says Vir Phoha, an engineering and computer science professor at Syracuse and co-author of a paper on the technology. “Based on hand movement and the known geometry of the phone, we can see which keys are pressed.”

No instances of hackers stealing PINs this way have been reported, but technologists expect it is only a matter of time. Phoha and three other Syracuse researchers wrote in their paper that “We believe that it is very likely to be adopted by adversaries who seek to stealthily steal sensitive private information.” The research was published by the Association for Computing Machinery last year. The technique is simple for anybody who knows programming, and the soaring use of smartphones provides millions of potential targets.

In addition, the growing use of phones for banking and for managing other financial accounts makes PINs a lucrative target for hackers. The same video-analysis technique can be used to interpret PINs punched into ATMs, smart locks on the front doors of homes, garage door openers and other devices that require similar codes.

Publishing such research in articles could certainly tip off hackers to new methods of cheating people. However, since technical journals have already published the research, security experts and some of their criminal adversaries are already aware of it. That is why Yahoo Finance decided it was the right time to notify consumers of this new form of hacking. National security and law enforcement agencies could also use the technique to keep tabs on bad guys; DARPA, the Pentagon’s technology skunk works, partly funded the Syracuse research.

The Syracuse experiments involved 50 volunteers keying PINs into HTC One smartphones in a variety of settings and postures. The researchers shot four videos of each volunteer, using two off-the-shelf devices: a Google Nexus 5 smartphone camera and a Sony camcorder. All the videos were recorded from 12 to 15 feet away, from either the side or the back of the phone. None of the recordings captured the phone screen or clearly showed what users were typing.

Software combining image analysis and motion-tracking algorithms filled in the gaps, and it proved remarkably effective at “guessing” the PINs users typed. The software identified the correct PIN between 40% and 62% of the time on the first guess, depending on the quality of the video and the zoom ratio. With the highest-quality video, accuracy reached nearly 82% after 5 guesses and 94% after 10 guesses. Using more than one video of the same phone raises the odds of success even further.

“We can do it in about 30 minutes once we capture the video,” says Phoha. “We have almost 100% accuracy.” This graph lays out the results of computer guesswork for video shot using the Nexus smartphone and the Sony camcorder at zoom levels of 2x, 4x and 6x:

Hackers could shoot such video without the phone users noticing, especially in busy surroundings such as a bar, restaurant, bus, train, airport or shopping mall. Robbers have long captured people’s credit card numbers or ATM PINs by “shoulder snooping” during a transaction, or by watching from a distance with binoculars or a camera with a zoom lens. In that sense, hacking via video, which can be done secretly on a smartphone while the perpetrator appears to be harmlessly tapping on the screen, is nothing more than a new twist on an old theme.