Smartphone PIN Protection Methods Have High Failure Rate: University of Waterloo

Popular methods of protecting smartphone personal identification numbers (PINs) may be successful in safeguarding your personal information only 20 per cent of the time, according to a new study out of the University of Waterloo.

The study found that methods such as tilting the smartphone, a widely adopted defence strategy, do not guard against people close to you, such as romantic partners and co-workers, who might be angling for access to your device.

The study also found that even when the attacker is observing from across the room, they still have a good success rate at stealing your PIN from a distance.

In conducting the study, the researchers recorded videos of 30 people entering a PIN from different positions and under different conditions, such as with the screen of the device tilted away from the camera. Thirty attackers were then recruited to mount over 1,000 shoulder-surfing attacks, which involved watching videos of users entering PINs on a phone.

The researchers found that attackers who paid attention to the pattern of relative finger movement (the direction and distance of each tap relative to the previous tap) were more successful than attackers who guessed based only on the current position of the finger and the layout of the keypad.
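To see why relative movement is so informative, it helps to count how many PINs remain consistent with an observed movement pattern. The script below is an added illustration, not code from the Waterloo study: it assumes a standard 3x4 telephone keypad layout (the coordinates are an assumption, not data from the paper), derives the direction-and-distance signature of a 4-digit PIN, and lists every PIN on that layout that would produce the same signature. The `candidate_count_stats` helper averages that candidate-set size over all 10,000 four-digit PINs, which quantifies the risk a defender is trying to reduce: on a fixed layout, a recovered movement pattern usually leaves only a handful of PINs to try.

```python
"""Candidate-PIN analysis for relative finger movement on a fixed keypad.

Added illustration, not code from the study: if an observer recovers only
the direction and distance of each tap relative to the previous one, how
many 4-digit PINs are still consistent with what was seen?
"""
from collections import defaultdict
from itertools import product

# Assumed standard telephone keypad: digit -> (column, row).
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def signature(pin, layout=KEYPAD):
    """Relative-movement signature: (dx, dy) of each tap versus the previous tap."""
    coords = [layout[d] for d in pin]
    return tuple(
        (x2 - x1, y2 - y1)
        for (x1, y1), (x2, y2) in zip(coords, coords[1:])
    )


def candidates(sig, layout=KEYPAD):
    """Every PIN on `layout` whose taps reproduce the observed signature.

    Each key is tried as the first tap; a start survives only if every
    partial sum of the observed moves lands on a real key.
    """
    pos_to_key = {pos: key for key, pos in layout.items()}
    found = []
    for start_key, (x, y) in layout.items():
        digits = [start_key]
        for dx, dy in sig:
            x, y = x + dx, y + dy
            key = pos_to_key.get((x, y))
            if key is None:
                break  # the move would leave the keypad: start ruled out
            digits.append(key)
        else:
            found.append("".join(digits))
    return sorted(found)


def candidate_count_stats(length=4, layout=KEYPAD):
    """Risk metric: average number of PINs left to try once a PIN's
    movement signature is known, averaged over all PINs of `length` digits.
    """
    classes = defaultdict(int)
    for digits in product(layout, repeat=length):
        classes[signature(digits, layout)] += 1
    total = len(layout) ** length
    # A PIN in a class of size n leaves n candidates, so weight each class by n.
    average = sum(n * n for n in classes.values()) / total
    return {
        "signatures": len(classes),
        "average_candidates": average,
        "worst_case": max(classes.values()),
    }


if __name__ == "__main__":
    # Constructed sample PIN, chosen only to exercise the functions.
    sig = signature("1234")
    print("signature of 1234:", sig)
    print("PINs with the same movement pattern:", candidates(sig))
    print("keypad-wide statistics:", candidate_count_stats())
```

The worst case for the observer is a PIN that repeats one key (the signature is all zero moves, so every key is a valid start); every other signature is consistent with fewer than ten PINs, and some, such as a straight vertical run ending on 0, identify the PIN uniquely.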

With attackers needing to observe the victim entering their PIN only four times or fewer to figure out the PIN 80 per cent of the time, even when the device is tilted, Khan said a better mechanism than tilting the device screen away needs to be considered.

The study, Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing, which was co-authored by Khan, Urs Hengartner and Daniel Vogel, all of Waterloo’s Cheriton School of Computer Science, was presented at the 36th Annual ACM Conference on Human Factors in Computing Systems (CHI 2018).
