
‘Wearables’ can snoop your PINs, passwords

By Claes Bell, CFA · Bankrate.com
Wednesday, August 6, 2014
Posted: 3 pm ET

Google Glass isn't just a way to show the world you're both technology-savvy and fashion-illiterate; it may also be a handy way to snoop PINs and other passcodes.

Many wearable devices, including smartwatches, contain small cameras, and those cameras can inconspicuously record any users around them and use special software to decode almost anything a user types into a keypad, says Xinwen Fu, an associate professor of computer science at the University of Massachusetts, Lowell.

"With the Glass and smartwatches, people are always wearing it. They don't need to get a phone out and hold it in your face and record you," Fu says. "They can just record you all the time without any outwardly suspicious actions."

Fu and his team have managed to hack Glass units to track the movement of users' fingers as they type in their PINs on iPads, ATMs and other devices.

How?

"From the movement of your finger, the attackers could discover your password or your PIN," Fu says. "Whenever you touch the screen, we can figure out where you touch."

That means that a Glass user could, in theory, stand behind you in line at the ATM and easily snoop your ATM PIN with a very high degree of accuracy, even if they couldn't see your finger touch the individual keys.

Passwords, too
Most of the reporting on Fu's research so far has focused on the PINs used to lock many mobile devices such as iPads, but the technology could just as easily be used to snoop out anything typed on a QWERTY keyboard, including a victim's mobile banking or other password, Fu says.

"We actually have a success rate of 90 percent to recover 4-digit PINs and also passcodes typed on QWERTY keyboards," Fu says.

Thankfully, because of the weak lenses found on many wearables, the range of this technique is limited, Fu says. However, a more powerful lens, like those found on a good camcorder, can snoop ATM PINs from up to 100 meters away, far enough that a snooper could potentially hide in a building across the street.

Google downplays the issue
In response to an article in Wired highlighting Fu's research, Google pointed out that the screen lights up when Glass is activated:

"Unfortunately, stealing passwords by watching people as they type them ... is nothing new," a Google spokesman wrote in a statement. "We designed Glass with privacy in mind. The fact that Glass is worn above the eyes and the screen lights up whenever it's activated clearly signals it's in use and makes it a fairly lousy surveillance device."

But Fu says that doesn't necessarily have to be the case.

"The Glass uses Android, which is open source. You can disable anything you want. You can just turn off the display, and nobody will see you," he says.

Technology moving faster than passwords' security
Fu isn't saying that wearables are inherently bad (or planning on using the techniques he's developed to make extra cash).

"They are good. They will make our lives easier, and they will be ubiquitously deployed, but we just want to show people, with the benefit comes a danger," Fu says. "So we have to be careful, especially with mobile banking."

Until we find some other way of authenticating our identity in mobile banking that goes beyond typing into a keyboard, you may want to step into a private area to type in your password for mobile banking or other financial services, he says.

"Do not do mobile banking in public. That's too dangerous," Fu says.

What do you think? Do you feel freaked out when you see someone wearing Google Glass in public? Do you ever worry about someone snooping your passwords or PINs? For more information on mobile security, check out our mobile finance hub page.

Follow me on Twitter: @ClaesBell.

4 Comments
ingrid smith
August 07, 2014 at 5:56 pm

Mr. Weiss,
This has happened to me, but in my case I knew who, when and where. And I could prove it. The bank gave me my money back, even the late charges and bounced check fees, and said, "It costs our lawyers more money an hour to prosecute than it would to pay you your money back." I said, as long as this woman doesn't steal $2000.00 from your customers she will get away with it? What about the principle of the matter? In the end all I got was "Shut up, Ms. Smith, you got your money back." Where do we draw the line?

wisefool
August 07, 2014 at 4:16 pm

Bill, then get people out of prison convicted of drug use (not selling, just buying). They don't belong in there. Prisons are full of guys like that. The benefit is not greater than the cost of scaring a few people into not buying drugs anymore.

Eric Weiss
August 07, 2014 at 3:50 pm

Thanks for telling me "NOW." I just got "PINGED" for three grand. Somehow here in Florida, someone, I think using a skimmer, got my debit card & PIN #, I'm sure from a gas station, Hess here in Delray Beach; I cannot prove it of course. With that said, the thief, & friends in NYC, lower east side, hit ATM machines for $122.50 about twenty times, at different locations, all within 36 hours. What bothers me is WHY didn't the bank call me & ask, "Are you in New York? Are you going to ATMs?" That debit card was only used for my business; I'm self-employed. The history of usage of the card is only "HERE" where I live, in Delray Beach, Fl., & I generally use it just for gas. The bank's answer is "No one was watching." I told the bank that credit cards have called me when they saw something out of the ordinary. Their answer: "Your Money is Insured"! It's not even the money, it's just that it could have been prevented, if someone was watching.

Bill
August 07, 2014 at 1:33 pm

Start filling up the prisons with people (5 yrs first offense; 20 yrs second; no parole) who do this.
