Hackers don’t need to actually see you enter information on your phone to steal your codes. I’ve mentioned before that they can sometimes figure that kind of information out by looking at smudges on a touchscreen, but it turns out that they don’t even need to get that close.
Crooks can covertly record video and decode what you’re entering into your device from the motion of your hands alone. Researchers at Syracuse University tested this by combining the known physical dimensions of particular phone models with the hand motions captured on video. They were able to recover the code on one model of phone 50% of the time on the very first try, and that success rate jumped to 85% within 10 tries.
With cameras everywhere these days thanks to tablets and smartphones, it’s not much of a challenge to covertly record someone using his or her phone in public. The same technique works for PIN codes at banks and numerical codes on door locks. Crooks need to know the basic keypad layout of the device they are targeting, but that information is not difficult to find. For example, they would not need to see the screen of an ATM at all; a side view showing the position of your hand is enough to determine the code.
The researchers reported anywhere from an 84% to 94% success rate at cracking codes within 10 tries. They said they wanted to debunk the myth that simply shielding your device’s screen from the prying eyes of others is enough to protect your sensitive information.
Crooks wouldn’t have to watch and guess, either: the researchers used software to fill in the blanks. In the example image that accompanied the research, the camera can see only the back of the phone, yet the software was still able to recover the PIN easily.
One possible defense suggested by the researchers is to randomize the position and size of the on-screen keypad, so that a given hand motion no longer corresponds to a known key and it becomes much harder for crooks to crack your passcode.
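To make the attack and the randomized-keypad defense concrete, here is an added Python sketch; it is illustration written for this page, not code from the Syracuse study or this blog. It models an attacker who turns estimated fingertip positions into a ranked list of PIN guesses against an assumed keypad layout, and then shows what happens when the keypad is shuffled for every entry. The keypad dimensions, the error model for the video analysis, the PINs and the seeds are all constructed assumptions, not the researchers’ numbers.

```python
import itertools
import math
import random

# Constructed keypad geometry: 3 columns x 4 rows, key pitch in millimetres.
# A real attacker would take these from the target phone's published dimensions.
COLS, ROWS = 3, 4
KEY_PITCH_X = 25.0
KEY_PITCH_Y = 18.0

# The fixed layout an attacker assumes (row-major; "" marks a blank slot).
STANDARD_LAYOUT = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "", "0", ""]


def key_centres(layout):
    """Map each digit label to the (x, y) centre of the slot it occupies."""
    centres = {}
    for idx, label in enumerate(layout):
        if label:
            row, col = divmod(idx, COLS)
            centres[label] = (col * KEY_PITCH_X, row * KEY_PITCH_Y)
    return centres


def touch_points(pin, layout, rng=None, jitter_mm=0.0):
    """Stand-in for the video analysis: one estimated fingertip position per
    keypress on the given layout, with optional Gaussian estimation error."""
    centres = key_centres(layout)
    points = []
    for digit in pin:
        x, y = centres[digit]
        if rng is not None and jitter_mm > 0:
            x += rng.gauss(0.0, jitter_mm)
            y += rng.gauss(0.0, jitter_mm)
        points.append((x, y))
    return points


def rank_candidates(points, assumed_layout, top_n=10, nearest=3):
    """Attacker inference: for each observed press keep the `nearest` keys of
    the assumed layout, then rank whole PINs by total distance. The returned
    list is the attacker's ordered guess list (the '10 tries' in the article)."""
    centres = key_centres(assumed_layout)
    per_press = []
    for point in points:
        scored = sorted((math.dist(point, centre), label)
                        for label, centre in centres.items())
        per_press.append(scored[:nearest])
    candidates = []
    for combo in itertools.product(*per_press):
        score = sum(dist for dist, _ in combo)
        candidates.append((score, "".join(label for _, label in combo)))
    candidates.sort()
    return [pin for _, pin in candidates[:top_n]]


def randomized_layout(rng):
    """Defense: shuffle the ten digits (and two blanks) into fresh slots for
    every PIN entry, so the same hand motion no longer implies the same digits."""
    layout = [str(d) for d in range(10)] + ["", ""]
    rng.shuffle(layout)
    return layout


def simulate_entry(pin, seed=1, jitter_mm=3.0, randomize=False):
    """One PIN entry as seen by an attacker who assumes STANDARD_LAYOUT.
    Returns (attacker's ranked guesses, layout actually used)."""
    rng = random.Random(seed)  # constructed seed, for reproducibility
    layout = randomized_layout(rng) if randomize else STANDARD_LAYOUT
    points = touch_points(pin, layout, rng, jitter_mm)
    return rank_candidates(points, STANDARD_LAYOUT), layout


def defense_success_rate(pin, trials, seed=0):
    """Fraction of entries on a randomized keypad where the attacker's top
    guess is wrong even with a perfect (jitter-free) view of the hand."""
    rng = random.Random(seed)
    wrong = 0
    for _ in range(trials):
        layout = randomized_layout(rng)
        guess = rank_candidates(touch_points(pin, layout), STANDARD_LAYOUT)[0]
        wrong += guess != pin
    return wrong / trials


if __name__ == "__main__":
    guesses, _ = simulate_entry("2580")
    print("fixed keypad, attacker's top guesses:", guesses)
    guesses, layout = simulate_entry("2580", seed=7, randomize=True)
    print("shuffled keypad:", layout, "attacker's top guess:", guesses[0])
    print("defense success rate:", defense_success_rate("2580", 200))
```

On the fixed layout the true PIN sits at or near the top of the attacker’s ten-candidate list even with a few millimetres of estimation error, which is the effect the article’s “within 10 tries” figures describe. With a per-entry shuffled keypad the same fingertip positions decode to a different string, so knowing the standard layout stops helping; the trade-off is that a shuffled keypad is slower to type on, and it does nothing if the attacker can see the screen itself.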
Your best bet is to keep your hands and your device completely out of sight when entering codes, and to take advantage of two-factor authentication when it is available, even if it is a bit more trouble.