Slashdot Mirror


Smartwatches Can Be Used To Spy On Your Card's PIN Code (softpedia.com)

An anonymous reader writes: A researcher has developed a smartwatch app that can interpret hand motions and translate the movements to specific keystrokes on 12-key keypads, like the ones used at ATMs. The app sends the data to a nearby smartphone, which then relays it to a server, for analysis. The whole AI algorithm on which it's built has a 73% accuracy for touchlogging events, and 59% for keylogging. The entire code is on GitHub, along with his research paper, and a YouTube video.

50 comments

  1. And in the real world by Mr+D+from+63 · · Score: 5, Insightful

    Most people wear watches on their off hand, so it won't be a problem.

    1. Re:And in the real world by Gojira+Shipi-Taro · · Score: 1

      Exactly. I thought for two seconds about this, realized I use my right hand for my PIN and keep my watch on my left, and knew that at least for me it was a non-issue.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    2. Re:And in the real world by MatthewCCNA · · Score: 1

      I use whichever hand is closer to the pad (most are set up for right-hand use); however, unlike a keyboard, I touch type on a PIN pad.

      --
      "He is so stupid. And now back to the wall!" Moe Szyslak
    3. Re:And in the real world by JargonScott · · Score: 2

      Unless it's a drive-up ATM (well, for countries with right-side driving roads). Since most people are right-handed they'll wear the watch on their left, and will be stretched out to reach a keypad.

      --
      Nuke Gay Whales for Jesus.
    4. Re:And in the real world by fermion · · Score: 1

      Also, at 73% accuracy for 'touch log' events, it will only capture an average of 2.92 characters of a four-digit PIN. It is absolutely a fascinating technology, and these technologies do improve over time. What is more interesting is the keyboard accuracy. At 59% it might be possible for a user to leak significant information. Language includes a lot of redundant information, and assuming a touch typist you are only dealing with half of the characters, which can reduce the error. I assume that knowing the language one could fill in missing data.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    5. Re:And in the real world by Anonymous Coward · · Score: 0

      I have never used a drive-up ATM. I've gotten pretty far out of my way to avoid it.

    6. Re:And in the real world by Anonymous Coward · · Score: 0

      Came here to say this.

      Also, who the fuck uses a *pin* and owns a smartwatch? Aren't these early adopter types the ones using Google Wallet and Apple Pay?

    7. Re:And in the real world by JonahsDad · · Score: 1

      > Came here to say this.
      >
      > Also, who the fuck uses a *pin* and owns a smartwatch? Aren't these early adopter types the ones using Google Wallet and Apple Pay?

      No. We're running modded Android on our phones, which means no Android Pay.

    8. Re:And in the real world by j2.718ff · · Score: 1

      > Most people wear watches on their off hand, so it won't be a problem.

      I'm left-handed, and wear a watch on my right hand. I also tend to use my right hand to type on numeric keypads, since they're generally located on the right side of a standard keyboard.

      I don't know if my behavior is standard for left-handed people or not. But your point is still generally valid, since most people are right-handed.

    9. Re:And in the real world by j2.718ff · · Score: 1

      > Also, at 73% accurate for 'touch log' events, it will only capture an average of 2.92 characters of a four digit pin.

      It depends how the accuracy is divided. I would suspect the biggest divide is between people who touch type and those who hunt and peck. It is possible that 73% of people hunt and peck, and for these individuals it's easier to record their entire PIN. For the touch-typers, it will be much less likely to accurately record any portion of the PIN.

    10. Re:And in the real world by j2.718ff · · Score: 1

      > Came here to say this.
      >
      > Also, who the fuck uses a *pin* and owns a smartwatch? Aren't these early adopter types the ones using Google Wallet and Apple Pay?

      I own a smartwatch, and I still occasionally need cash. I'm more likely to get cash by visiting an ATM than by walking inside the bank to talk to a teller.

    11. Re:And in the real world by Anonymous Coward · · Score: 0

      What about getting cash from a drone?

    12. Re:And in the real world by Anonymous Coward · · Score: 0

      I've never seen them outside of the US. I guess we're not so lazy overseas...

  2. handedness by umafuckit · · Score: 1

    Except that most people are right-handed and wear watches on their left hand. So not a problem in most cases (as even TFA hints).

  3. But I don't really move my hand... by Anonymous Coward · · Score: 0

    Try typing on the numeric keypad like a cashier. You only need to use your fingers to reach every number; this is why it is so efficient.

  4. Which wrist? by Anonymous Coward · · Score: 0

    I don't own a smart watch, but when I wear a watch it's on my left wrist. If I enter a PIN code it's with my right hand. I don't see how this could work unless they're on the same hand?

  5. Or you could enter your pin with the other hand by Anonymous Coward · · Score: 0

    Also it will only work if your hand is made of concrete.

  6. Left, right, detour. by Anonymous Coward · · Score: 0

    Wristwatches are usually worn on the left hand. Most people type PINs with the right hand, which is the more talented limb for the majority of people. Thus an "Attack on Smartwatch" doesn't seem to warrant a live action adaptation?

  7. Epic Fail, if you ask me. by darthsilun · · Score: 1

    When I wear a watch at all, I wear it on my left wrist. I type ATM PIN codes with my right hand (because I'm right-handed, and most lefties I know wear their watches on their right wrist).

    But if I ever do get a smartwatch, I'll definitely make sure I don't wear it on my right wrist.

  8. How is this a Master's Thesis? by Anonymous Coward · · Score: 1

    This is a perfect scenario re-created to prove a thesis. "Pre-trained model" Can we get a definition of what this is? Because this could be highly skewed.

    1. Re:How is this a Master's Thesis? by Anonymous Coward · · Score: 0

      It's like a pre-heated oven, to use a turkey analogy.

  9. Expected. by Anonymous Coward · · Score: 0

    As you are using more "smart" devices with the ability to load apps, there are more opportunities to hack you.

    Fortunately, I'm right-handed and am wearing my watch on my left wrist. And best of all, it's not a "smart" one.

  10. Wahhabite bite. by Anonymous Coward · · Score: 0

    This PIN attack would be highly practical in Saudi Arabia, where the salafite medieval ruling classes have a penchant for chopping off people's left hands, thus forcing them to wear a smartwatch on the remaining (right) hand.

  11. Insecure by design ... by gstoddart · · Score: 4, Insightful

    So, while I see some good points about which hand you're going to type your PIN with ... as I see it, smart watches and so many other products are pretty much insecure by design.

    Some company rushes a product to market because it sounds cool, they build in some features which also sound cool, and they make it so it can communicate with everything.

    In the process someone glosses over that it wants to talk to everything, or that they forgot to add any security, or that it leaks personal information all over the place by uploading information to several different sites ... ads, analytics, telemetry, the company who sold it so they have your personal information.

    You walk into a store, it connects to their wifi, the store's app detects you, updates information about you, sends you a custom sale flyer based on your previous purchases ... it keeps track of the fact that you spend a lot of time in the paint aisle. It updates more of your information. They sell that information to 5 other places.

    You go home, it tells your thermostat you're home. Your hacked nanny cam records what you do. Google connects your last purchase with your ad profile, and when you sit down at your computer you see fresh ads for paint.

    All of these gadgets and doo-dads, I just don't see the point. I don't need to be tracked wherever I go so I can sign into Facebook or tweet that I'm in McDonalds.

    At the end of the day, between the fact that the companies you give the information to are lazy and terrible at security, so your information gets out, and what they share with their 15 ad partners, so your information gets out and you probably get served malware, your connected whatsit probably gets hacked because it's got crap security.

    I don't trust the makers of these products, and quite frankly I can't make myself get excited about an internet connected roll of toilet paper. I don't need my fridge to tweet me that I'm low on butter. My oven doesn't need to be pre-heated from my phone. My front door doesn't need to be able to recognize my friends. My kitchen table doesn't need to update my Facebook status.

    It's insecure, or it's untrustworthy. And in an awful lot of cases it's pointless.

    --
    Lost at C:>. Found at C.
    1. Re:Insecure by design ... by VFA · · Score: 1

      Mod this UP! I wholeheartedly agree. Most of the IoT stuff is more cool than useful, and it's not even that cool. It's this obsession with the "cool" factor that will get people hacked in the IoT age. I, for one, dread it whenever another connected device comes on the scene.

      Windows 10 now is a spy machine. What?! Yes, it defaults to all the sensors on the computer being turned on and listening/watching/recording EVERYTHING. Supposedly so you can just say: "Okay, Cortana, what time is it?" Seriously?! Is this really all that cool? Especially in light of what you give up to have it? All your life continuously recorded and stored at some MS/Google/Apple/Amazon server? The most disturbing part is that people not only want and demand it, but are willing to pay money for it! We are paying for companies to spy on us! Waiting in lines to pay for it, in some cases! Ridiculous. And at some point (probably when it's too late) the masses will realize: "Holy shit, Batman, we are completely encased in spy equipment that is insecure and untrustworthy!" Perhaps it will turn around before then and some design practices will change, but I am not seeing it at all. Between trying to get the latest whizbang feature on the market and just bad business ethics, we are headed for a disaster.

      Enjoy your smart watch! I will stick with "dumb" devices for as long as I can. Heck, my newest car is from 1998 because in 1999 this same car got updated to a fly-by-wire throttle control instead of the good old steel cable. Well, the electronic throttle control goes bad often and costs $400 to repair/replace. My steel cable has not failed, and if and when it does it will cost $40. The advantage of the electronic throttle was to do traction control and such, but honestly, if you have good driving skills you don't need no stinking traction control. We routinely trade skill requirements for gadgets. The compromise we make is security, privacy, cost, etc.

      Just because we do not want to answer our (already smart) phone that's in our pocket, we need a watch to do it for us. Yep, makes sense, LOL.

    2. Re:Insecure by design ... by Errol+backfiring · · Score: 1

      Companies just never learn. Internet Explorer 6 was introduced with "features that will make developers smile". Microsoft probably really believed it. All the developers were not smiling at all, but all malicious hackers are probably still laughing.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    3. Re:Insecure by design ... by Nemyst · · Score: 1

      The funny bit is that your entire rant only shows how you don't understand what a smart watch even is... The vast majority of them only have Bluetooth and have no GPS. The only thing they do is relay information to the phone and, especially, get information from it. They can't do anything particularly scary in and of themselves. If you wanted to have that rant, you should've done it back when the iPhone came out.

    4. Re:Insecure by design ... by Anonymous Coward · · Score: 0

      How is a watch insecure by design? I agree that your concerns about the "internet of things" are valid, but how is, say, an Apple Watch insecure by design? For that to be owned, the paired phone would need to be owned, at bare minimum.

  12. omg (ok, that's almost a stereotype) by Anonymous Coward · · Score: 0

    You mean I could get accurate, multi-axis output from a wrist mount?

  13. Cover it by Etherwalk · · Score: 1

    If you don't have a habit of covering any pad you are entering a PIN on with another hand, you are naive at best.

    Small cameras aimed at pads to capture PINs have been around for years.

    1. Re:Cover it by gstoddart · · Score: 1

      Except this is likely using the accelerometer, and has nothing at all to do with whether you cover the PIN pad with your other hand. This has nothing at all to do with someone LOOKING at you entering your PIN, but with figuring out what your PIN is based on how your hand moves.

      What you've just said is the solution to someone being able to pick your lock is to wear a blindfold and wear a condom.

      Of course, that has nothing at all to do with the problem at hand.

      --
      Lost at C:>. Found at C.
    2. Re:Cover it by Etherwalk · · Score: 1

      > Of course, that has nothing at all to do with the problem at hand.

      Ho-Ho-Ho. :)

  14. Don't put it on your dumbwatch by Anonymous Coward · · Score: 0

    But the mind boggles. An accurate hand- (ok, arm and wrist) based controller? That would be one of the most awesome RC controllers ever. But we can't have that because it would be too dangerous.

    1. Re:Don't put it on your dumbwatch by Anonymous Coward · · Score: 0

      Yes, definitely can't have that: http://techcrunch.com/2016/01/06/spheros-new-wristband-will-let-you-control-bb-8-with-gestures-and-also-the-force/

  15. Touch screen keypads? by Midnight+Thunder · · Score: 1

    This might just lead to touch screen keypads, where the numbers change sequence per use?

    I already know of one bank where your online PIN needs to be entered via a reconfiguring onscreen keypad. I believe the intent is to avoid key loggers.

    The truth is, with interactive security, the human is always going to be the weak point.

    --
    Jumpstart the tartan drive.
    1. Re:Touch screen keypads? by kammermusik · · Score: 3, Insightful

      Sounds like it will be hard to access by vision-impaired people.

    2. Re:Touch screen keypads? by jittles · · Score: 1

      > This might just lead to touch screen keypads, where the numbers change sequence per use?
      >
      > I already know of one bank where your online pin needs to be entered via a reconfiguring onscreen keypad. I believe the intent is to avoid key loggers.
      >
      > The truth is, with interactive security, the human is always going to be the weak point.

      It's to prevent shoulder surfing. I used to work at a government facility where the keypad sequence would scramble every time you hit the button to enter your access code. This was in addition to a badge scan. Once you got past those, there was another door with a 'combination' style lock that had a shared code used by all. Sort of a last ditch effort to try and keep out anyone who may have managed to sneak in that far.

    3. Re:Touch screen keypads? by The-Ixian · · Score: 1

      Did you use an out-of-order pay phone booth as an elevator down to the office floor?

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Touch screen keypads? by sconeu · · Score: 1

      Zomehow, The-Ixian, I find zat razzer hard to believe!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  16. Hunt'n'Peck by DrYak · · Score: 4, Informative

    Also, for this to work, the PIN needs to be typed by the "Hunt'n'Peck" method (one finger, hand moving around the keypad) so that there's actual wrist motion to be detected and spied on by the smartwatch.

    Currently, smart-watches are worn by nerdy geeks (and are considered unfashionable by the general population, though some marketing-centered companies like Apple are bound to eventually change the general perception of these gadgets), and geeks tend to touch type (thus more finger motion, using more than 1 finger, and less wrist motion) by habit of using computers.

    In other words, handedness aside, the people who tend to make the most spyable motions are the least likely to wear the spy device.

    That's why the real-world crooks (card skimmers) have been relying on cameras for the spying (when not plainly tampering with the keypad).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Hunt'n'Peck by Anonymous Coward · · Score: 0

      > Currently, smart-watches are worn by nerdy geeks (and are considered un fashionnable by the general population, though some marketing-centered companies like Apple are bound to eventually change the general perception of these gadgets), and geeks tend to touch type (thus more finger motion, using more than 1 finger and less wrist motion) by habit of using computers.

      By the time I was eligible for the school typing lessons I was already going quite fast with my self-taught 4 fingers & 2 thumbs hunt-and-peck typing, which I employ to this day, 30 years later. The lessons were quite expensive and I preferred to have the next Technic Lego box, so I never took them. However, I do keep my hand still and use separate fingers to type my PIN, simply because it makes it much harder to do an old-fashioned over-the-shoulder peek. Something I learned from a folder spread by my bank long before there were smart phones and smart watches and tiny cameras. It just seems good common sense, really.

  17. OMG ENGRISH by Anonymous Coward · · Score: 0

    It's a PIN.. Not a PIN Code.. Not a PIN Number.
    You just said "Personal Identification Number Code".
    You know what? Never mind. Sounds stupid.

    I'm going to set your feet on fire while you sleep tonight, though, samzenpus.....

    #OxfordCommaCaliphate

  18. typing style? by j2.718ff · · Score: 1

    When I type my PIN, I use at least 3 fingers, and my wrist barely moves at all. Many people use one finger, and move their entire arm between each keypress. I assume this technology is better at the second style of typing.

  19. Don't design for theft, design for USE by gurps_npc · · Score: 1

    If the watch is that good, then it could learn some variant of sign language, allowing people to silently communicate with their devices faster than typing.

    It would be a huge boon to the deaf, and might encourage people to learn sign language.

    --
    excitingthingstodo.blogspot.com
    1. Re:Don't design for theft, design for USE by Anonymous Coward · · Score: 0

      > might encourage people to learn sign language

      The deaf people are superstitious, luddite, yet full of hubris. They refuse the stellar "cochlear implant" artificial hearing technology (funded by the state almost everywhere) and even claim it's a kind of Holocaust attempt?!
      They expect the whole world to learn their hand-waving, which is impossible. In fact there is no single, global hand-waving system for the deaf, as they weren't smart enough to invent a kind of signed esperanto but ended up with 1 (or 2) diverse system for EACH national language!
      They are defaming God by publicly claiming that they are NOT handicapped, even though Man was created with two ears for hearing.
      It is a pity we cannot help the blind people with artificial eyes yet. They are humble and never demand the world submit to them, such a big contrast with the deaf.

  20. 1234 by Anonymous Coward · · Score: 0

    Srsly.

  21. tinfoil hat wearer here by Anonymous Coward · · Score: 0

    I guess I'm the only one who uses two fingers or hands to enter a 4-digit PIN? I have a credit union, so for me easy access to ATMs means going to the nearest 7-Eleven.

    You may understand the unease I had at first, but really when compared to a Chase ATM, it was about the same.

    So for my personal security, I always check for card skimmers by gripping and shaking the scanner. Then, I use one hand with two fingers, or two hands, to enter the PIN for one of two reasons: speed, reducing the amount of time at an ATM, and blocking visual access to the keys I press. I always look around for any "security cameras" around the ATM.

    I try to only visit the same ATM, so I can see what changes to the hardware.

    Then when I'm done, I randomly press keys to protect myself against heat signature attacks.

    Finally, I wait until the terminal is ready to accept a new transaction. #1 I always ask for no receipt. And because of the inconsistent manner in which ATMs function, I can't trust that nothing will come out, so I wait.

    #2 Some ATMs actually wait for input to close out a session: "Would you like to perform another transaction?"

    So I don't trust ATMs very much, except that they'll give you the correct amount of money.

  22. Tin foil hat wearer - now with edits! by socz · · Score: 1

    I guess I'm the only one who uses two fingers or hands to enter 4 digit PIN?

    I have a credit union, so for me easy access to ATMs means going to the nearest 7-Eleven.

    You may understand the unease I had at first, but really when compared to a Chase ATM, it was about the same.

    So for my personal security, I always check for card skimmers by gripping and shaking the scanner. Then, I use one hand with two fingers, or two hands to enter the PIN for one of two reasons: speed; reducing the amount of time at an ATM, or for blocking visual access to the keys I press. I always look around for any "security cameras" around the ATM.

    I try to only visit the same ATM, so I can see what changes in the hardware.

    Then when I'm done, I randomly press keys to protect myself against heat signature attacks.

    Finally, I wait until the terminal is ready to accept a new transaction. #1 I always ask for no receipt. And because of the inconsistent manner in which ATMs function, I can't trust that nothing will come out, so I wait.

    #2 Some ATMs actually wait for input to close out a session: "Would you like to perform another transaction?"

    So I don't trust ATMs very much, except that they'll give you the correct amount of money.

    On an aside, I'm using Firefox on Android, and it seems to lag terribly. And when I swipe the top stories, the entire page swipes to nothing. smh

    --
    My abilities are only limited by my imagination
  23. "smart" = spy by Anonymous Coward · · Score: 0

    Who doesn't know that all "smart" devices spy on the user? Even though you bought it, you don't own it. You don't have complete control over what it does or doesn't do. You pay for convenience with your personal data. Some people value their personal data more than others.

  24. Potential for more than just cracking by Webmoth · · Score: 1

    I see potential here: strap an accelerometer array (smartphone) to each wrist, and enable typing without a keyboard. Write your next novel tapping away at a blank desk... or even just wiggling your fingers in the air. Sure would be easier than tapping away at a tiny smartphone screen, and you wouldn't have to lug around a BT keyboard.

    As for entering PINs, I always have at least three fingers over the keypad at all times, to obfuscate which key is being pressed/tapped. Not foolproof, but maybe makes it just difficult enough for the nefarious person to move on to the next potential victim.

    --
    Give me my freedom, and I'll take care of my own security, thank you.