Smartwatches Can Be Used To Spy On Your Card's PIN Code (softpedia.com) 50
An anonymous reader writes: A researcher has developed a smartwatch app that can interpret hand motions and translate the movements to specific keystrokes on 12-key keypads, like the ones used at ATMs. The app sends the data to a nearby smartphone, which then relays it to a server, for analysis. The whole AI algorithm on which it's built has a 73% accuracy for touchlogging events, and 59% for keylogging. The entire code is on GitHub, along with his research paper, and a YouTube video.
And in the real world (Score:5, Insightful)
Re: (Score:2)
Exactly. I thought for two seconds about this, realized I use my right hand for pin and keep my watch on my left, and knew that at least for me it was a non-issue.
Hunt'n'Peck (Score:5, Informative)
Also, for this to work, the PIN needs to be typed by "Hunt'n'Peck" method (one finger, hand moving around the keypad) so that there's actual wrist motions to be detected and spied on by the smartwatch.
Currently, smart-watches are worn by nerdy geeks (and are considered unfashionable by the general population, though some marketing-centered companies like Apple are bound to eventually change the general perception of these gadgets), and geeks tend to touch type (thus more finger motion, using more than 1 finger and less wrist motion) by habit of using computers.
In other words, handedness aside, the people who tend to do the most spy-able like motion are the least likely to wear the spy device.
That's why the real-world crooks (card skimmers) have been relying on cameras for the spying (when not plain tampering with the keypad).
Re: (Score:2)
Unless it's a drive-up ATM (well, for countries with right side driving roads). Since most people are right handed they'll wear the watch on their left, and will be stretched out to reach a keypad.
Re: (Score:2)
Also, at 73% accurate for 'touch log' events, it will only capture an average of 2.92 characters of a four digit pin.
It depends how the accuracy is divided. I would suspect the biggest divide is between people who touch type, and those who hunt and peck. It is possible that 73% of people hunt and peck, and for these individuals, it's easier to record their entire pin. For the touch-typers, it will be much less likely to accurately record any portion of the pin.
Re: (Score:2)
Came here to say this.
Also, who the fuck uses a *pin* and owns a smartwatch? Aren't these early adopter types the ones using google wallet and apple pay?
No. We're running modded Android on our phones, which means no Android Pay.
Re: (Score:2)
Came here to say this.
Also, who the fuck uses a *pin* and owns a smartwatch? Aren't these early adopter types the ones using google wallet and apple pay?
I own a smartwatch, and I still occasionally need cash. I'm more likely to get cash by visiting an ATM than by walking inside the bank to talk to a teller.
Re: (Score:2)
Most people wear watches on their off hand, so it won't be a problem.
I'm left handed, and wear a watch on my right hand. I also tend to use my right hand to type on numeric keypads, since they're generally located on the right side of a standard keyboard.
I don't know if my behavior is standard for left handed people or not. But your point is still generally valid since most people are right handed.
handedness (Score:2)
Epic Fail, if you ask me. (Score:1)
But if I ever do get a smartwatch, I'll definitely make sure I don't wear it on my right wrist.
How is this a Master's Thesis? (Score:1)
This is a perfect scenario re-created to prove a thesis. "Pre-trained model" Can we get a definition of what this is? Because this could be highly skewed.
Insecure by design ... (Score:5, Insightful)
So, while I see some good points about which hand you're going to type your PIN with ... as I see it, smart watches and so many other products are pretty much insecure by design.
Some company rushes a product to market because it sounds cool, they build in some features which also sound cool, and they make it so it can communicate with everything.
In the process someone glosses over that it wants to talk to everything, or that they forgot to add any security, or that it leaks personal information all over the place by uploading information to several different sites ... ads, analytics, telemetry, the company who sold it so they have your personal information.
You walk into a store, it connects to their wifi, the store's app detects you, updates information about you, sends you a custom sale flyer based on your previous purchases ... it keeps track of the fact that you spend a lot of time in the paint aisle. It updates more of your information. They sell that information to 5 other places.
You go home, it tells your thermostat you're home. Your hacked nanny cam records what you do. Google connects your last purchase with your ad profile, and when you sit down at your computer you see fresh ads for paint.
All of these gadgets and doo-dads, I just don't see the point. I don't need to be tracked wherever I go so I can sign into Facebook or tweet that I'm in McDonalds.
At the end of the day, between the fact that the companies you give the information to are lazy and terrible at security your information gets out, between what they share with their 15 ad partners your information gets out and you probably get served malware, and your connected whatsit probably gets hacked because it's got crap security.
I don't trust the makers of these products, and quite frankly I can't make myself get excited about an internet connected roll of toilet paper. I don't need my fridge to tweet me that I'm low on butter. My oven doesn't need to be pre-heated from my phone. My front door doesn't need to be able to recognize my friends. My kitchen table doesn't need to update my Facebook status.
It's insecure, or it's untrustworthy. And in an awful lot of cases it's pointless.
Cover it (Score:1)
If you don't have a habit of covering any pad you are entering a PIN on with another hand, you are naive at best.
Small cameras aimed at pads to capture PINs have been around for years.
Re: (Score:2)
Except this is likely using the accelerometer, and has nothing at all to do with if you cover the PIN pad with your other hand. This has nothing at all to do with someone LOOKING at you entering your PIN, but figuring out what your PIN is based on how your hand moves.
What you've just said is the solution to someone being able to pick your lock is to wear a blindfold and wear a condom.
Of course, that has nothing at all to do with the problem at hand.
Re: (Score:1)
Of course, that has nothing at all to do with the problem at hand.
Ho-Ho-Ho. :)
Touch screen keypads? (Score:2)
This might just lead to touch screen keypads, where the numbers change sequence per use?
I already know of one bank where your online pin needs to be entered via a reconfiguring onscreen keypad. I believe the intent is to avoid key loggers.
The truth is, with interactive security, the human is always going to be the weak point.
Re: (Score:2)
This might just lead to touch screen keypads, where the numbers change sequence per use?
I already know of one bank where your online pin needs to be entered via a reconfiguring onscreen keypad. I believe the intent is to avoid key loggers.
The truth is, with interactive security, the human is always going to be the weak point.
It's to prevent shoulder surfing. I used to work at a government facility where the keypad sequence would scramble every time you hit the button to enter your access code. This was in addition to a badge scan. Once you got past those, there was another door with a 'combination' style lock that had a shared code used by all. Sort of a last ditch effort to try and keep out anyone who may have managed to sneak in that far.
Re: (Score:2)
Did you use an out-of-order pay phone booth as an elevator down to the office floor?
Re: (Score:2)
Zomehow, The-Ixian, I find zat razzer hard to believe!
typing style? (Score:2)
When I type my pin, I use at least 3 fingers, and my wrist barely moves at all. Many people use one finger, and move their entire arm between each keypress. I assume this technology is better at the second style of typing.
Don't design for theft, design for USE (Score:2)
It would be a huge boon to the deaf, and might encourage people to learn sign language.
Tin foil hat wearer - now with edits! (Score:2)
I have a credit union, so for me easy access to ATMs means going to the nearest 7eleven.
You may understand the unease I had at first, but really when compared to a Chase ATM, it was about the same.
So for my personal security, I always check for card skimmers by gripping and shaking the scanner. Then, I use one hand with two fingers, or two hands to enter the PIN for one of two reasons: speed; reducing the amount of time at
Potential for more than just cracking (Score:2)
I see potential here: strap an accelerometer array (smartphone) to each wrist, and enable typing without a keyboard. Write your next novel tapping away at a blank desk... or even just wiggling your fingers in the air. Sure would be easier than tapping away at a tiny smartphone screen, and you wouldn't have to lug around a BT keyboard.
As for entering PINs, I always have at least three fingers over the keypad at all times, to obfuscate which key is being pressed/tapped. Not foolproof, but maybe makes it just