Cover the PIN key pad with your hand

The shoulder-surfing attack

That used to be a good security step: not letting the person behind you see your PIN when withdrawing money from an ATM or paying for your groceries when contactless is not an option. However, researchers using video footage of people covering up whilst inputting PINs, and AI (of course), have been able to guess 30% of the 5-digit PINs within three attempts.

Read the paper here:

[2110.08113] Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand (arxiv.org)

This is not a real-world attack (yet) but it does show the shape of things to come – PINs and passwords are really no match for our future technical world.

However, the idea is not new! I found similar research from 2014 and 2015 that could infer PINs from the movements and device sensor data for both smartphones and smartwatches.

Clive Catton MSc (Cyber Security)

References

Cardaioli, M., Cecconello, S., Conti, M., Milani, S., Picek, S., & Saraci, E. (2021). Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand. arXiv:2110.08113.

Sarkisyan, A., Debbiny, R., & Nahapetian, A. (2015). WristSnoop: Smartphone PINs prediction using smartwatch motion sensors. In 2015 IEEE International Workshop on Information Forensics and Security (WIFS) (pp. 1-6). doi: 10.1109/WIFS.2015.7368569.

Shukla, D., Kumar, R., Serwadda, A., & Phoha, V. V. (2014, November). Beware, your hands reveal your secrets!. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 904-917).