Not feeling paranoid enough today? Here you go: Your phone lock screen might actually make it easier for nefarious cyber bandits to steal your passwords.
Researchers at the University of Massachusetts Lowell recently conducted a study illustrating how easy it is to steal phone PINs, even from across the room. They used cameras on Google Glass, an iPhone 5, and a Logitech webcam to test how well these devices could record people entering their passwords. Glass could detect someone’s PIN with 83 per cent accuracy from three metres away, even when the screen wasn’t visible. The webcam correctly recorded passwords with 92 per cent accuracy.
The iPhone 5 camera detected the passcode every single time.
Wired talked to Xinwen Fu, a computer scientist working on the project. “I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” Fu told them. “If someone can take a video of you typing on the screen, you lose everything.”
It’s not exactly news that people can use their mobile devices to snake your information. The threat of constant, surreptitious surveillance is one of the reasons people are wary of Google Glass. As Forbes recently pointed out, hackers have even devised ways to automate over-the-shoulder password theft. This specific research is freaky because it shows that people can figure out and record your passwords even if they can’t see your screen; it offers no respite to the paranoid PIN-typer hunching over and cupping her hand across the top of her phone. And once someone has your phone passcode, they often have a golden ticket to your bank accounts, since ATM PINs are typically four-digit codes as well.
So, what is to be done? Make your mobile PIN different from your ATM PIN or other important passcodes, for starters. Choosing a password other than 1234 or 1111 is also something you should have already done, because those passwords are dumb. iPhone users can turn off “Simple Passcode” in Settings to give themselves a longer, more complicated password. On Android, you can choose to unlock your phone via facial recognition if you have Ice Cream Sandwich or higher, or select a more sophisticated lock screen password than the standard four-digit option.
Fu and the UMass researchers created an Android app called Privacy Enhancing Keyboard that will randomise the order of the numbers as they appear on your passcode screen, which would make it much harder to figure out what someone types in. They plan to release it after they give a Black Hat talk on their research. Hopefully their talk will spark increased interest in developing even more sophisticated options to keep passwords secure.