Slashdot Mirror
Hackers Can Use Smart Watch Movements To Reveal A Wearer's ATM PIN (ieee.org)
the_newsbeagle writes: By gaining access to the sensors in someone's smart watch, hackers could track the person's hand movements at an ATM and figure out his/her pin. The hacker needn't be anywhere near the ATM; data can be lifted from the smart watch by either a discreet wireless sniffer or by malware on the watch that sends info to a server. This is hardly the first demonstration of the security flaws in smart watches. Last year, a research group showed that a watch's sensors can reveal keystrokes on a computer keyboard. The team of researchers, led by Chen Wang and Yingying Chen at the Stevens Institute of Technology in Hoboken, New Jersey, were able to record movements down to the millimeter and crack private ATM PINs with 80 percent accuracy on the first try. To eliminate the security breach, manufacturers could better secure the data stored in their wearables, and/or add noise so one's physical hand movements cannot be as easily translated. Of course, consumers could simply wear their smart watch on their non-dominant hand.
I can't speak for everyone, but I think almost everyone wears their watch on their non-dominant hand?
University professors are under constant pressure to come up with something interesting to show they are a world class expert in their field. And grad students who do most of the grunt work are under pressure to prove themselves as well. So this is yet another impractical technique. No hacker is going to bother with something this hard to make work. Maybe a nation state hacking team might, but probably not.
Much simpler to install a hidden camera or a direct electrical monitor on the button presses from the keypad itself. Also, look at it this way. On that bitcoin bazaar, Evolution I think it was called, people's pin numbers were about 10 bucks each. Not worth this kind of hassle. This tells me there is far more stolen information readily available than there are crooks to use that information to make fraudulent purchases and cash withdraws with.
Which makes sense - there are probably still many, many ways to gain access to a database of credit card numbers, or places to set up a skimmer. The actual task of writing the number to a fake credit card and then using it somewhere in person is a far riskier task and one far more likely to result in one's eventual arrest and imprisonment...
that I am a carpenter who hammers nails at odd hours.
People don't realize this, but about a hundred years ago when people switched from pocket watches to wrist watches, they were clever enough to realize that future models would feature motion sensors and people would do their banking at electronic cash dispensing machines. Hence the tradition of wearing watches on the left hand.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
In this case, 1111, 2222, 3333, etc. would be the most secure PINs.
Even without this technology, your fingers will leave a heat mark on the ATM keys long enough for a malicious person to take a picture of it with a thermal camera. Therefore, when I use an ATM machine, I always hold my fingers over a subset of keys to warm them up while waiting for the excruciatingly slow computer in the thing to do its job. That probably sufficiently masks the thermal print left by actually entering my PIN. Furthermore, I have developed a habit of pressing on the keypad frame as if pressing a key on the pad to fool lurkers. That would probably also protect against the smartwatch appraoch. It's rather easy to protect against such attacks, just introduce sufficient noise.
Note that most ATM machines allow pressing random keys while they're not ready for input. You might also want to press random keys during that time.
0x or or snor perron?!