Smartwatches Can Be Used To Spy On Your Card's PIN Code (softpedia.com)
An anonymous reader writes: A researcher has developed a smartwatch app that can interpret hand motions and translate the movements to specific keystrokes on 12-key keypads, like the ones used at ATMs. The app sends the data to a nearby smartphone, which then relays it to a server, for analysis. The whole AI algorithm on which it's built has a 73% accuracy for touchlogging events, and 59% for keylogging. The entire code is on GitHub, along with his research paper, and a YouTube video.
Most people wear watches on their off hand, so it won't be a problem.
So, while I see some good points about which hand you're going to type your PIN with ... as I see it, smart watches and so many other products are pretty much insecure by design.
Some company rushes a product to market because it sounds cool, they build in some features which also sound cool, and they make it so it can communicate with everything.
In the process someone glosses over that it wants to talk to everything, or that they forgot to add any security, or that it leaks personal information all over the place by uploading information to several different sites ... ads, analytics, telemetry, the company who sold it so they have your personal information.
You walk into a store, it connects to their wifi, the store's app detects you, updates information about you, sends you a custom sale flyer based on your previous purchases ... it keeps track of the fact that you spend a lot of time in the paint aisle. It updates more of your information. They sell that information to 5 other places.
You go home, it tells your thermostat you're home. Your hacked nanny cam records what you do. Google connects your last purchase with your ad profile, and when you sit down at your computer you see fresh ads for paint.
All of these gadgets and doo-dads, I just don't see the point. I don't need to be tracked wherever I go so I can sign into Facebook or tweet that I'm in McDonalds.
At the end of the day, between the fact that the companies you give the information to are lazy and terrible at security your information gets out, between what they share with their 15 ad partners your information gets out and you probably get served malware, and your connected whatsit probably gets hacked because it's got crap security.
I don't trust the makers of these products, and quite frankly I can't make myself get excited about an internet connected roll of toilet paper. I don't need my fridge to tweet me that I'm low on butter. My oven doesn't need to be pre-heated from my phone. My front door doesn't need to be able to recognize my friends. My kitchen table doesn't need to update my Facebook status.
It's insecure, or it's untrustworthy. And in an awful lot of cases it's pointless.
Lost at C:>. Found at C.
Also, for this to work, the PIN needs to be typed by the "Hunt'n'Peck" method (one finger, hand moving around the keypad) so that there are actual wrist motions to be detected and spied on by the smartwatch.
Currently, smart-watches are worn by nerdy geeks (and are considered unfashionable by the general population, though some marketing-centered companies like Apple are bound to eventually change the general perception of these gadgets), and geeks tend to touch type (thus more finger motion, using more than 1 finger and less wrist motion) by habit of using computers.
In other words, handedness aside, the people who tend to do the most spy-able motions are the least likely to wear the spy device.
That's why the real-world crooks (card skimmers) have been relying on cameras for the spying (when not plain tampering with the keypad).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Sounds like it will be hard to access by vision-impaired people.