University of Cambridge boffins Laurent Simon and Prof. Ross Anderson have demonstrated a new vulnerability in the security features of certain smart phones. Custom software – dubbed ‘PIN Skimmer’ – lets the device’s accelerometer and gyroscope channels be interrogated (potentially by third parties), and in doing so it appears possible to determine probable PIN entries.
Prof. Anderson tested his theory on the Google Nexus-S and the Galaxy S3 smart phone platforms – this week he released a report claiming actual ‘proof of concept’.
“By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events.”
“Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users”, explains Prof. Ross Anderson.
In a 2010 survey of mobile customers, 33 percent of smart phone users cited security concerns as a main reason why they avoid using their phones to access financial accounts. (source: comScore.com/insights)
It could be argued that with the advent of ‘PIN Skimmer’ their concerns are not without grounds – because many smart phone users have a PIN code not only to secure their phone, but also to unlock e-payment applications.
11 November 2013