Personal Identification Number (PIN) Personal identification number Secret key, access code

2020: A research of safety of four - and six-digit PIN codes

On March 16, 2020 it became known that researchers of security Philipp Markert, Daniel V. Bailey (Daniel V. Bailey), Maximilian Golla, Markus Dürmuth and Adam J. Aviv (Adam J. Aviv) within the research studied how users select PIN codes for the mobile devices and as they can be convinced of use of safer combination of numbers. As it appeared, use of 6-unit PIN codes is not much more effective than 4-unit.

During the experiment - and Android devices charged to set to users of Apple four - or six-digit PIN codes. Some participants could select freely the PIN code whereas it was authorized to others to select only the combinations which are not included in the black list. If they tried to use one of the prohibited combinations, then received the corresponding warning.

Specialists used different black lists, including those which they took from iPhone as a result of other experiment. As it appeared, six-digit PIN codes do not ensure much more big safety, than four-digit.

From the mathematical point of view, of course, there is a huge difference. A four-digit PIN code it is possible to use for creation 10 thousand different combinations, and six-digit — for creation of 1 million. However users prefer certain sets of numbers and use them much more often, for example, 123456 and 654321 — experts explained.

As researchers noted, the "ideal" black list of PIN codes should contain about 1 thousand records and differ from the list of Apple a little. The most widespread four-digit PIN codes appeared 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998, and six-digit — 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456 and 159753^[1].

2019: A method of theft of PIN codes and passwords from mobile devices

Keyloggers – not the only means using which malefactors can learn the password of the tablet or smartphone. The group of scientists of the Cambridge university told a method of acoustic side channel attack^[2] in March, 2019^[3]allowing to determine the characters entered on the virtual keyboard by the sound waves arising when clicking keys^[4].

The microphone(s) of the mobile device is capable to fix sound waves and "hear" clicking of a finger, and distortions of a wave allow to define the place tapa on the screen, authors of work explain. Thus, writing audio via the built-in microphone, the malware can recognize the text entered by the user.

The command developed Android a-application which fixes a sound of tops and correlates it with clicking keys using the algorithm machine learning configured on a certain model of the smartphone or tablet. Researchers tested a new method on LG Samsung Nexus 5 and Nexus 9 devices. Involved 45 participants in an experiment which was made in premises with rather high level of noise (the general hall, the reading room and library).

The first group of volunteers randomly entered digit from 1 to 9 (10 attempts), the second – 200 unique four-digit PIN codes, the third – letters, and the fourth – the words consisting of five letters. Using a new method scientists managed to distinguish 61% of PIN codes (for 20 attempts), 7 and 19 passwords from 27 on Nexus 5 and Nexus 9 respectively.

According to experts, there are several methods to prevent the similar attack, for example, physically to switch-off the microphone, to use microphones with a smaller sampling rate, to cover the screen with the additional layer of glass absorbing a sound from clicking or to prohibit sound recording during data entry. However all these measures have the nuances which can affect design and convenience of using of the device, researchers recognize. Instead they suggest to implement the mechanism blocking the microphone when the user enters the password or other confidential data.

2017

The neuronet spotted a smartphone PIN code in data of the accelerometer

Neuronet taught to distinguish the user's PIN code by data from the accelerometer, the light sensor and other sensors of smartphones with accuracy of 84 percent. Developers note that for access to these sensors to applications it is not necessary to request permission of the user, reported in a research which pre-print is published^[5][6].

Modern smartphones may contain big the number of confidential information: the history of correspondence, the application for management of the bank account or important documents. Because of it malefactors develop new methods to crack smartphones, and, not all do it of them directly using vulnerabilities in the software. Some developers create cracking methods which cornerstone the principle of side channel attack is. It means that the attack is made not on a system as such, and on its implementation — for example, it is possible to learn the transactions and their parameters made by the processor, measuring its energy consumption.

Example of input of a combination 0852 on the diagram of data from the accelerometer. David Berend et al. / Cryptology ePrint Archive, 2017

Researchers in information security field under the leadership of Shivam Bhasin from the Nanyang Technological University in Singapore used for imperceptible determination of the PIN code of the smartphone data from its sensors. They wrote the application for Android smartphones which collects data from sensors, and then sends them on the server for the analysis. Developers selected six sensors which are present at the majority of modern smartphones, and at the same time for their use the application does not need to get permission of the user: accelerometer, gyroscope, rotation sensor, magnetometer and light sensor.

As digits on the keyboard are located in famous places, on an inclination of the device or change of the amount of light getting on the light sensor it is possible to calculate what key was clicked by the user, needlessly in data directly from the touch screen. Automatically to calculate digits from the large volume of data researchers involved different algorithms, but as a result stopped on the neuronet type called by a multilayer perceptron.

Having tested work of a neuronet on volunteers, researchers found out that at tests on all ten thousand possible combinations of four digits recognition accuracy in 20 attempts was 83.7 percent, and at recognition among 50 most widespread PIN codes accuracy was 99.5 percent from one attempt. Researchers also found out that data from different sensors gave different efficiency, and the best results were yielded by the combined data from the accelerometer and a gyroscope.

Development of the standard of security for  PIN-on-Glass

As it became known at the beginning of December, 2017, works on the standard of security for  PIN-on-Glass which can be ready in December, 2017 are conducted.

The PIN-on-Glass technology provides a possibility of input of a verification code of PIN on the screen of the smartphone, the tablet or other commercial device. It is expected that soon using this technology buyers around the world will be able to enter personal identification number on the screen of the device for shopping.

As the executive technical director of Council for standards of security of PCI Troy Leitch, feature of technology that input of the PIN code will be performed on the COTS devices (commercial devices) which are not intended only for payment explained.

With whole the standard on input of the PIN code through the application is one of seven PCI standards published or updated in 2017. This standard allows to separate PIN from other information of the account. It is supposed that isolation of the PIN code from other information will help to prevent the attacks of swindlers aimed at theft of payment data in public places, Leitch added.

Three main components of the standard for PIN-on-Glass:

• Isolation of PIN from PAN. 
  • Requirements of the software for payment applications which manage transactions on commercial devices are considered. For creation of isolation it is necessary to provide an opportunity to enter an account number in such a way that it could not be decoded on commercial devices.

• Security of the software. 
  • For the purpose of ensuring due protection of PIN-information increase in security of commercial devices is necessary.

• Monitoring. 
  • Remote control should be provided with the independent party to confirm that the software of commercial devices and transaction have integrity and behave properly and also to find different types of suspicious activity.^[7]

Any iPhone can be cracked through new "hole" in JavaScript

You monitor fingers

Researchers of security issues from the university of Newcastle in Great Britain published work in the Journal of Infermation Security edition in which described an opportunity to monitor the user gestures on smartphones. For this purpose only the small application on JavaScript which operates program interfaces (API) of sensors of the movement of the structure^[8] will be required^[9].

According to authors of a research, this application can collect enough information from sensors that in 70% of cases to find out an unblocking combination from the first attempt. From the third attempt the script of PINlogger.js "guesses" PIN in 94% of cases.

"The most part of smartphones, tablets and other wearable devices are equipped a set of sensors, in the range from well-known GPS modules, cameras and microphones to gyroscopes, sensors of range and rotation, accelerometers and also NFC modules today. As mobile applications and websites do not need special permissions to access to most of them, malware can secretly spy on data streams from your sensors and use them for obtaining broad range of important information about you, including, about duration of calls, physical activity and even... about PIN and passwords", said in the publication of researchers.

And there is more to come

As the head of research group doctor Maryam Mehrnezhad noted in the press release, her colleagues managed to find out that in several mobile browsers the malicious code which is built in one page can monitor all actions of the user on all other tabs. So for example, if in one tab the resource containing a harmful script is open, and in another — the page of authorization of bank, then a script all the same can intercept the data entered by the user. Sometimes it will help to prevent closing of a "harmful" tab, sometimes — only closing of the browser entirely.

Notes