Smartphones can reveal your card PINs to hackers

If you use banks' mobile applications on your own mobile devices, you should know that those devices are capable of telling hackers which sequence of digits you type into them. A published study by two researchers from the prestigious Cambridge University tells us that the microphone and the front camera of a mobile device can be used to reveal the PIN typed into a banking application. By recording audio while the digits are typed on the virtual keyboard and recording video during the typing, software can determine card PINs with fairly high accuracy. The researchers claim that in 30% of cases the PIN is guessed correctly in up to 3 attempts, with the percentage increasing when the number of attempts is greater than 5.

By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users. In a test set of 50 4-digit PINs, the app (which has a server-side component for image-processing, so as to avoid suspiciously running down the battery) correctly guessed more than 30 percent of PINs after a couple of attempts, and over half after 5 attempts. Obviously longer PINs help, but even with 8-digit codes, PIN Skimmer still worked out around 45 percent after 5 attempts.

The data provided today is worrying because it reveals that any application in an App Store can steal important information without us knowing. Of course, the application must communicate with a hacker's server in order to process the data recorded while the applications are in use, but even so, this is a problem that will become extremely dangerous over time, because a great many banks and mobile payment systems are available all over the world and are becoming more and more popular. For now, the only way to make PINs harder to discover is to use sequences of more than 8 digits, but implementing this requires the cooperation of the banks.