Snooping on movement can reveal smartphone PINs It’s not the first time boffins have proposed the use of smartphone accelerometers as an attack vector, but it’s scarily efficient: with as few as five guesses, Swarthmore College researchers say they can use phone moments to reveal user PINs. As noted in his paper (PDF - Practicality of Accelerometer Side Channels on …
Google has been pushing users to turn on 2-step verification on all Android phones and all other Google services for months now. By implementing simple security techniques like choosing a relatively complex unlock pin, changing unlock pins occasionally, and setting up the phone to automatically delete non-essential cookies daily, an Android phone with 2-step verification implemented throughout the user's Google services is a fairly secure device.
"Pin code but with a randomised keypad instead of a standard layout."
I wonder if most devs code their own keypads or if it's bought in from a 3rd party. In which they'd have to offer the option and the devs would have to pick it up.
Of course it would play havoc with anyone with vision problems but I presume a vocal version could be worked out for them as well.
This post has been deleted by its author
On the tram in the morning I can easilly follow the swipe codes of someone a few metres away. The image that it creates is easy to visualise and remember. For some strange reason many people tend not to hide their screen from prying eyes at that moment.
The viewing angle on sopme phones is also quite large which doesn't help in hiding whats being typed/swiped on those LARGE dots/numbers.
"In controlled settings ... with the participants sitting still] our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns."
The key here is that the test set was 50, rather than the more typical 10,000 for a four digit pin.
If you had 50 marbles, numbered 1 to 50, there would be a 10% chance of selecting a specific desired number with any 5 random selections from a set of 50. So 43% is only four times better than random guessing. Does the software know what the valid 50 numbers are, and pick the closest match? If so, the results are not impressive.
If you had 50 marbles, numbered 1 to 50, there would be a 10% chance of selecting a specific desired number with any 5 random selections from a set of 50. So 43% is only four times better than random guessing. Does the software know what the valid 50 numbers are, and pick the closest match? If so, the results are not impressive.
Whoa there... the number 50 is the size of their test sample, and nothing to do with the number of possible PINs, so your probability calculation is meaningless. In other words, their program is being asked to guess what the PIN is, and not "guess which one of these 50 known patterns/PINS" we've given you".
The way you should look at it is that each random PIN guess (having no accelerometer hints) would be right 1/10,000 of the time (ie, 0.0001). If they can guess the PIN 43% of the time with 5 guesses, then their success rate per guess is 0.43 / 5 or 0.086. So in fact their ability to guess a PIN is actually 0.086 / 0.0001 = 860 times better than chance, not four times better!
There was a fascinating presentation at a recent Cambridge Wireless event by Laurent Simon of the Cambridge University Computer Lab, who not only pointed this out, but also the fact that it's pretty easy to tell whether the user is male or female, as you get very different accellerometer signals depending on whether you carry your phone in your pocket or your handbag. And it doesn't take much imagination to realise there a lot more you can pick up about what the user's doing.
You can download his presentation from http://bit.ly/WDpWgI
This is interesting Social Engineering.
The first (very expensive) Telephone lines were Party Lines. The Telephone Exchange and the Telephone Booth were invented nearly simultaneously. Hmmmm ... So you have an expensive Party Line assuring that your well heeled competitors can listen in, but you "trust" them because they are well heeled like you, but you are relieved when the riff-raff can't listen in to one side of the business you are conducting.
I'm so glad to hear that the hip wired nerds are so much smarter than the elite used to be :-)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
