Personal Identification Number (PIN). Secret key, access code.

Tomcat

An analogue of a handwritten signature, presented in the form of a numerical-alphabetic sequence, a closed requisite of the Client, Agent, Participant of the Electronic Payment System.

Content:
  • 2020: Research into the security of four- and six-digit PIN codes
  • 2019: Method of stealing PIN codes and passwords from mobile devices
  • 2017
    • The neural network spied the smartphone PIN code in the accelerometer data
    • Development of a security standard for PIN-on-Glass
    • Any iPhone can be hacked through a new "hole" in JavaScript

2020: Research into the security of four- and six-digit PIN codes

On March 16, 2020 it became known that security researchers Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth and Adam J. Aviv had published research looking at how users choose PIN codes for their mobile devices and how they can be persuaded to use a more secure number combination. As it turns out, using 6-digit PIN codes is not much more effective than 4-digit ones.

During the experiment, users of Apple and Android devices were instructed to set four- or six-digit PIN codes. Some participants were free to choose their PIN, while others were only allowed to choose non-blacklisted combinations. If they tried to use one of the prohibited combinations, they received a corresponding warning.

The researchers used a variety of blacklists, including one they extracted from an iPhone in another experiment. As it turns out, six-digit PINs don't provide much more security than four-digit PINs.

From a mathematical point of view, of course, there is a huge difference. A four-digit PIN can be used to create 10 thousand different combinations, and a six-digit PIN can be used to create 1 million. However, users prefer certain sets of numbers and use them much more often, for example, 123456 and 654321, experts explained.

As the researchers noted, the “ideal” PIN blacklist should contain about 1 thousand entries and be slightly different from Apple’s list. The most common four-digit PIN codes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998, and the six-digit ones were 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456 and 159753.
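As an added example (not code from the study or from the article), a PIN-policy check that enforces the blacklist-with-warning approach described above and goes a little beyond it with pattern rules for the kinds of PINs that dominate the lists (digit runs, repeated blocks, keypad column walks). The blacklist is constructed from the twenty PINs quoted above; the 3x4 keypad layout is an assumption.

```python
import re

# Constructed sample blacklist: the ten most common four- and six-digit PINs
# quoted in the study summary. A real deployment would use the ~1,000-entry
# list the researchers recommend.
COMMON_PINS = {
    "1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998",
    "123456", "654321", "111111", "000000", "123123", "666666",
    "121212", "112233", "789456", "159753",
}

# Assumed standard 3x4 phone keypad, read as vertical columns top to bottom,
# to catch column walks such as 2580 and its reverse 0852.
KEYPAD_COLUMNS = ("147", "2580", "369")


def is_run(pin: str) -> bool:
    """True for strictly ascending or descending digit runs (1234, 654321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(pin: str) -> bool:
    """True when the PIN is one short block repeated (0000, 1212, 123123)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def is_keypad_column(pin: str) -> bool:
    """True when the PIN walks a keypad column downwards or upwards."""
    return any(pin in col or pin in col[::-1] for col in KEYPAD_COLUMNS)


def check_pin(pin: str, blacklist=COMMON_PINS) -> list:
    """Return the reasons a PIN should be rejected; an empty list means accepted.

    Mirrors the experiment's policy: a blacklisted choice produces a warning
    rather than silently being accepted.
    """
    if not re.fullmatch(r"\d{4}|\d{6}", pin):
        return ["PIN must be exactly 4 or 6 digits"]
    reasons = []
    if pin in blacklist:
        reasons.append("on the common-PIN blacklist")
    if is_run(pin):
        reasons.append("ascending or descending digit run")
    if is_repeated_block(pin):
        reasons.append("repeated digit block")
    if is_keypad_column(pin):
        reasons.append("keypad column walk")
    return reasons
```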

2019: Method of stealing PIN codes and passwords from mobile devices

Keyloggers are not the only means by which attackers can find out the password of a tablet or smartphone. A group of scientists from the University of Cambridge described in March 2019 a method of acoustic side-channel attack, which allows you to determine characters entered on a virtual keyboard by the sound waves generated when you press the keys.

The microphone(s) of a mobile device is capable of recording sound waves and “hearing” finger presses, and wave distortions make it possible to determine the location of a tap on the screen, the authors of the work explain. Thus, by recording audio through the built-in microphone, a malicious application can recognize the text entered by the user.

The team developed an Android application that captures the sound of taps and correlates it with keystrokes using a machine learning algorithm tuned to a specific smartphone or tablet model. The researchers tested the new method on LG Nexus 5 and Samsung Nexus 9 devices. The experiment, which was carried out in rooms with relatively high noise levels (a common room, a reading room and a library), involved 45 participants.

The first group of volunteers randomly entered numbers from 1 to 9 (10 attempts), the second - 200 unique four-digit PIN codes, the third - letters, and the fourth - words consisting of five letters. Using the new method, scientists were able to recognize 61% of PIN codes (in 20 attempts), 7 and 19 passwords out of 27 on Nexus 5 and Nexus 9, respectively.

According to experts, there are several ways to prevent such an attack, such as physically turning off the microphone, using microphones with a lower sampling rate, covering the screen with an additional layer of glass that absorbs the sound of pressing, or preventing sound from being recorded during data entry. However, all these measures have their own nuances that may affect the design and usability of the device, the researchers admit. Instead, they propose implementing a mechanism that blocks the microphone while the user enters a password or other sensitive data.

2017

The neural network spied the smartphone PIN code in the accelerometer data

The neural network was taught to recognize the user’s PIN code using data from the accelerometer, light sensor and other smartphone sensors with an accuracy of 84 percent. The developers note that applications do not need to ask for user permission to access these sensors, according to the study, a preprint of which was published by the Cryptology ePrint Archive.

Modern smartphones can contain a large amount of confidential information: correspondence history, applications for managing a bank account or important documents. Because of this, attackers are developing new ways to hack smartphones, and not all of them do so directly using vulnerabilities in the software. Some develop hacking methods based on the principle of side-channel attacks: the attack targets not the system as such, but its practical implementation. For example, the operations performed by a processor and their parameters can be inferred by measuring its energy consumption.


An example of entering the combination 0852 on the accelerometer data graph. David Berend et al.

Cybersecurity researchers led by Shivam Bhasin from Nanyang Technological University in Singapore used sensor data from a smartphone to discreetly determine a smartphone's PIN code. They wrote an application for Android smartphones that collects data from sensors and then sends it to a server for analysis. The developers chose six sensors that are present in most modern smartphones, and at the same time, the application does not need to obtain user permission to use them: an accelerometer, a gyroscope, a rotation sensor, a magnetometer and a light sensor.

Because the numbers on the keyboard are located in known positions, the tilt of the device and changes in the amount of light reaching the light sensor can be used to calculate which key the user pressed, without any data from the touchscreen itself. To automatically derive the digits from large amounts of sensor data, the researchers tried different algorithms, but ultimately settled on a type of neural network called a multilayer perceptron.

Having tested the work of the neural network on volunteers, the researchers found that when tested on all ten thousand possible combinations of four digits, the recognition accuracy in 20 attempts was 83.7 percent, and when recognizing among the 50 most common PIN codes, the accuracy was 99.5 percent in one attempt. The researchers also found that data from different sensors gave different effectiveness, and the best results were obtained from combined data from the accelerometer and gyroscope.

Development of a security standard for PIN-on-Glass

As it became known in early December 2017, work is underway on a security standard for PIN-on-Glass, which may be ready as early as December 2017.

PIN-on-Glass technology allows you to enter a PIN verification code on the screen of a smartphone, tablet or other commercial device. The technology is expected to soon allow consumers around the world to enter a personal identification number on the screen of their device to make purchases.

As PCI Security Standards Council Chief Technology Officer Troy Leach explained, the technology is unique in that PIN entry will be performed on COTS (commercial off-the-shelf) devices that are not intended solely for payment.

Overall, the application-based PIN standard is one of seven PCI standards published or updated in 2017. This standard allows you to separate the PIN from other account information. Isolating the PIN from other information is expected to help prevent fraudsters from trying to steal payment information in public places, Leach added.

The three main components of the PIN-on-Glass standard are:
  • Isolating PIN from PAN.
    • Covers software requirements for payment applications that manage transactions on commercial devices. To create isolation, you must be able to enter the account number in a way that it cannot be decrypted on commercial devices.
  • Software security.
    • To ensure that PIN information is properly protected, commercial device security needs to be improved.
  • Monitoring.
    • Remote monitoring must be provided by an independent party to confirm that commercial device software and transactions have integrity and behave as expected, and to look for various types of suspicious activity.

Any iPhone can be hacked through a new "hole" in JavaScript

Watch your fingers

Security researchers from Newcastle University in the UK published a paper in the Journal of Information Security that described the ability to track user gestures on smartphones. To do this, you only need a small JavaScript application that exploits the programming interfaces (APIs) of the device’s motion sensors.

According to the authors of the study, this application can collect enough information from sensors to figure out the unlock combination on the first try in 70% of cases. On the third try, the PINlogger.js script “guesses” the PIN in 94% of cases.

“Most smartphones, tablets and other wearable devices today are equipped with a variety of sensors, ranging from the well-known GPS modules, cameras and microphones to gyroscopes, range and rotation sensors, accelerometers, and NFC modules. Because mobile apps and websites don't require special permissions to access most of them, malware can secretly spy on your sensor data streams and use it to obtain a wide range of sensitive information about you, including call duration and physical activity, and even... PINs and passwords,” the researchers said in their publication.

And that is not all

As the head of the research group, Dr. Maryam Mehrnezhad, noted in a press release, her colleagues were able to find out that in several mobile browsers, malicious code embedded in one page can monitor all user actions on all other tabs. That is, for example, if a resource containing a malicious script is open in one tab, and a bank authorization page is open in another, the script can still intercept user-entered data. Sometimes closing the “malicious” tab will help prevent this, sometimes only closing the browser entirely.

(c) https://www.tadviser.ru/