Two new attacks on PIN entry on ATMs and smartphones force us to find new countermeasures.

PINs still under attack!

This summer was very interesting for new attacks. There are two that I really liked, for very different reasons. They are also both attacks on PIN codes, yet they are quite different.

The first one is an attack on ATMs, with a thermal camera, hoping that your fingers stay on the keys long enough to heat them up. Well, it seems that if all conditions are good, the trick can work. The great thing about this attack is that it naturally captures the order (the warmest key is the last one). The attack even works well in optimal conditions (recovering half of the PIN codes after one minute), which sounds good, even a bit alarming.

Luckily, it is quite sensitive to various conditions, like the material the keys are made of (plastic seems better for the attack than metal, which conducts heat away too easily). Having cold fingers is also a good security measure, since the amount of heat transferred is lower. The researchers haven’t tried it, but the temperature of the environment should also have some influence. So, against this attack, I guess that selecting an ATM in full sun, with metal keys (the authors’ recommendation) and wearing gloves should do the trick.

The second attack is about using a smartphone’s motion sensor to guess a PIN code typed on it. Of course, when you type on a smartphone while holding it, you apply some pressure on the screen, and the resulting movement depends on where you type. It doesn’t work as well as the previous attack, but apparently, they get over 70% of the digits typed on a 10-digit keyboard.

The obvious countermeasure is to make sure that your phone is safely lying on a table, which will severely limit any movement. This also raises the bar for people who are developing systems that protect the touchscreen: you may as well protect the motion sensors too, because if a hacker controls them, he may just get the PIN code that we want to protect. Of course, that’s until another attack comes, using another sensor.

For me, what these two attacks have in common is that they are absolutely obvious. You just read the title of the paper and you think “Of course, this is nice”. And yet, they are quite practical, and they can become a real problem for real people. They also both rely on using a disruptive attack technology: PIN protection requirements usually don’t consider thermal cameras and motion sensors as potential threats, but they may in the future. This is another reminder that security is a wonderful job, because as soon as you have covered all known threats, new ones come up that you also need to cover.

One Comment

  • One obvious method to prevent smartphone screen password attacks by motion sensors in the phone is to randomise the keyboard, which has long been implemented by Cyanogen.

    In fact the more secure method is to include a PIN or biometric entry on the security device/smart card for on-device authentication, then press an OK or Cancel transaction on the security device/smart card.

    The Zwipe product includes a fingerprint sensor on a smart card and the likes of Plastc and other E-ink cards are embedding touchscreen E-ink or buttons on smart cards.

    Finally, the Ledger Blue hardware is a personal security device integrating a ST31 secure element tied to a touchscreen with USB, NFC and BLE connectivity for secure applications and PIN entry onto a single device to make scraping PIN much harder.
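
The keyboard randomisation mentioned in the comment above can be checked with a small simulation. This is an added example, not code from the post, the commenter or any product named here. It assumes the worst case for the defender, an observer who recovers the touched key position perfectly, and all function names are hypothetical.

```python
import random
import secrets

DIGITS = "0123456789"
STOCK_LAYOUT = list("1234567890")  # key position -> digit on an unshuffled 10-key pad


def new_layout(rng):
    """Return a freshly shuffled key position -> digit mapping."""
    keys = list(DIGITS)
    rng.shuffle(keys)
    return keys


def touched_positions(pin, layout):
    """Key positions pressed when `pin` is typed on `layout`."""
    return [layout.index(d) for d in pin]


def observer_guess(positions):
    """Observer knows positions only and assumes the stock layout."""
    return "".join(STOCK_LAYOUT[p] for p in positions)


def digit_recovery_rate(randomise, trials=5000, pin_len=4, seed=1):
    """Fraction of PIN digits the observer gets right over many entries."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    hits = total = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        layout = new_layout(rng) if randomise else STOCK_LAYOUT
        guess = observer_guess(touched_positions(pin, layout))
        hits += sum(a == b for a, b in zip(pin, guess))
        total += pin_len
    return hits / total


def production_layout():
    """Layout for a real keypad: drawn from the OS CSPRNG, never a seeded PRNG."""
    return new_layout(secrets.SystemRandom())


if __name__ == "__main__":
    print("fixed layout     :", digit_recovery_rate(randomise=False))
    print("shuffled per entry:", digit_recovery_rate(randomise=True))
```

With one shuffle per PIN entry, a repeated position still reveals that two digits of the PIN are equal; reshuffling after every key press removes that residual leak.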
