University of Waterloo study finds phone PIN protection methods have high failure rate


Tilting a smartphone to hide an entered passcode may not be very effective, according to a new study from the University of Waterloo.

The study found that such popular methods of protecting smartphone personal identification numbers (PINs) may only be successful 20 percent of the time.

Researchers found that widely adopted defence strategies like tilting a phone don’t conceal the phone screen from people close to the user, like partners and co-workers. This is true even when the ‘attacker’ is looking over from across a room, according to the study.

“We found that even when the device screen is tilted at an angle of 60 degrees or more away from the attackers they are still able to figure out a part of the PIN,” said lead researcher Hassan Khan, a post-doctoral fellow at Waterloo’s Cheriton School of Computer Science. “This comes from the fact that the layout of the keypad is known.

“So, the attackers know where the number one is and that four is always beneath it, and so on. So, using these cues the attackers are able to make these guesses.”

To conduct the study, researchers recorded videos of 30 people entering a PIN from different positions with different conditions, including instances where a device’s screen was tilted away from the camera. Thirty attackers were then instructed to mount over 1,000 “shoulder surfing” attacks.

According to Khan, attackers only had to observe a PIN being entered four times or fewer to determine the code successfully 80 percent of the time. The most successful attackers were the ones who paid attention to the “pattern of relative finger movement, movement in direction and distance relative to the previous tap,” the study found.

As a result, Khan said that protection methods other than simply tilting a phone may need to be considered.

“A simple defence is to cover the keypad using the other hand, but this might not be a possibility against people close to you, such as your spouse, because you want to avoid showing that you do not trust them,” Khan said. “Another possible defence against these attacks is to randomize the location of the keys on the keypad. This eliminates the ‘known layout’ which tremendously helped the attackers. Similarly, using longer passwords instead of four-digit PINs will likely provide better protection.”
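To make the ‘known layout’ point concrete, the following added example (written for this article, not code from the Waterloo study) models a standard 3x4 keypad and a per-entry randomized one. It shows that a sequence of relative finger moves pins down a single PIN when the layout is known, while the same observed tap cells leave thousands of candidates when the digits are shuffled. The grid model, the sample PIN and the candidate count are assumptions of the example.

```python
import secrets
from math import perm

ROWS, COLS = 4, 3
# Standard phone keypad, row-major; "" marks the blank cells beside the 0.
STANDARD_LAYOUT = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "", "0", ""]

def randomized_layout(rng=secrets.SystemRandom()):
    """Fresh keypad per PIN entry: digits shuffled with a CSPRNG, blanks kept in place."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return digits[:9] + [""] + [digits[9]] + [""]

def pin_to_taps(layout, pin):
    """(row, col) cells a user taps to enter `pin`; this is what an observer sees."""
    return [divmod(layout.index(d), COLS) for d in pin]

def taps_to_pin(layout, taps):
    """Digits shown at the tapped cells, assuming the observer knows the layout."""
    return "".join(layout[r * COLS + c] for r, c in taps)

def consistent_pins(layout, moves):
    """PINs consistent with observed relative finger moves on a known layout.
    `moves` are (d_row, d_col) steps between consecutive taps; the start cell is
    unknown, so every cell is tried as a starting point."""
    found = set()
    for start in range(ROWS * COLS):
        r, c = divmod(start, COLS)
        cells = [(r, c)]
        for dr, dc in moves:
            r, c = r + dr, c + dc
            cells.append((r, c))
        if all(0 <= r < ROWS and 0 <= c < COLS for r, c in cells):
            pin = taps_to_pin(layout, cells)
            if len(pin) == len(cells):  # reject paths that cross a blank cell
                found.add(pin)
    return found

def candidates_under_randomized(taps):
    """PINs still possible when the layout is unknown to the observer: each
    distinct tapped cell holds some distinct digit, and nothing more is known."""
    return perm(10, len(set(taps)))

if __name__ == "__main__":
    taps = pin_to_taps(STANDARD_LAYOUT, "1470")  # constructed sample PIN
    moves = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(taps, taps[1:])]
    print("known layout, moves only:", consistent_pins(STANDARD_LAYOUT, moves))
    print("randomized layout, same taps:", candidates_under_randomized(taps))
```

With the standard layout the three observed moves (down, down, down-right) leave exactly one candidate; with a shuffled layout the same four distinct cells leave 10·9·8·7 = 5040.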

The study, titled ‘Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing,’ was co-authored by Khan, Urs Hengartner and Daniel Vogel, all of Waterloo’s Cheriton School of Computer Science. The study was presented at the 36th Annual ACM Conference on Human Factors in Computing Systems (CHI 2018).

Source: University of Waterloo