A team of mobile-misgivings-mongers from the University of Cambridge have demonstrated how easy it is to pinch your password using a program tellingly called ‘PIN Skimmer’…
A truly sneaky bit of software, PIN Skimmer surreptitiously accesses your smartphone’s front-facing camera and monitors your mug when you enter your pass-number, while simultaneously hacking into your microphone to pick up the clicking sound of your soft keypad… if you’ve not yet worked out how to turn that off. Then, once in possession of this ill-gleaned information, PIN Skimmer works out the orientation of the phone from the position of your physiognomy and deduces from that which keys have been pressed.
“We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously,” says one of the report’s authors, Ross Anderson, professor of security engineering at Cambridge. “It did surprise us how well it worked.”
Carrying out the tests on a Nexus 5 and a Samsung Galaxy S3, the program successfully thieved the four-digit PIN for unlocking a phone 50 per cent of the time after just five attempts, and managed a 60 per cent success rate with eight-digit PINs after 10 attempts – stats which will no doubt delight iPhone fanboys as the Apple of their smartphone eye was oddly omitted from the tests.
Naturally, the worry here is not that some previously remote Russian hood will start to stalk you in the street once he’s PIN Skimmed your blower, intent on coshing you down an alleyway and stealing said phone, but that the software will be used to work out the online banking PINs and passwords of unwitting users.
What solution do the boffins recommend? Ditching passwords and using fingerprint or face recognition instead… Hang on, who funded this ‘research’? Apple by any chance?