In today’s age of cybercriminals gathering our personal information from a variety of hacks, it isn’t that surprising that people are a bit more wary than they used to be when entering their PIN codes or account numbers when someone is standing behind them.
Researchers at NYU Tandon School of Engineering have developed an application that may help in fending off tactics such as “shoulder-surfing,” where someone peers at you from behind or through a video camera.
The method, called IllusionPIN, deploys a hybrid-image keyboard that appears one way to the close-up user and differently to an observer at a distance of three feet or greater. The technology uses one image of a keyboard configuration with high spatial frequency and a second, completely different keyboard with low spatial frequency. Which keyboard is visible depends on the distance from which the screen is viewed.
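The hybrid-image construction described above, sketched as an added example (this is not the researchers' IllusionPIN code). It assumes that viewing distance can be modelled as a Gaussian blur and uses constructed cosine gratings as stand-ins for the two keypad renderings; all function names are illustrative.

```python
import math

N = 32  # side of the square test image in pixels (constructed)

def kernel(sigma):
    """Normalised 1-D Gaussian taps covering +/- 3 sigma."""
    r = int(3 * sigma)
    taps = [math.exp(-j * j / (2 * sigma * sigma)) for j in range(-r, r + 1)]
    return [t / sum(taps) for t in taps]

def blur(img, sigma):
    """Separable Gaussian low-pass filter with wrap-around edges."""
    k = kernel(sigma)
    r = len(k) // 2
    rows = [[sum(k[j + r] * row[(x + j) % N] for j in range(-r, r + 1))
             for x in range(N)] for row in img]
    return [[sum(k[j + r] * rows[(y + j) % N][x] for j in range(-r, r + 1))
             for x in range(N)] for y in range(N)]

def combine(a, b, sign=1):
    """Pixel-wise a + sign * b."""
    return [[p + sign * q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]

def hybrid(near, far, sigma):
    """High spatial frequencies of `near` plus low spatial frequencies of `far`."""
    return combine(combine(near, blur(near, sigma), -1), blur(far, sigma))

def corr(a, b):
    """Pearson correlation between two images."""
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    ma, mb = sum(fa) / len(fa), sum(fb) / len(fb)
    cov = sum((p - ma) * (q - mb) for p, q in zip(fa, fb))
    var = sum((p - ma) ** 2 for p in fa) * sum((q - mb) ** 2 for q in fb)
    return cov / math.sqrt(var)

def grating(cycles, axis):
    """Cosine stripes with `cycles` periods across the image along 'x' or 'y'."""
    return [[math.cos(2 * math.pi * cycles * (x if axis == "x" else y) / N)
             for x in range(N)] for y in range(N)]

# Constructed stand-ins for two key renderings; each holds coarse AND fine detail.
NEAR = combine(grating(1, "x"), grating(8, "y"))
FAR = combine(grating(1, "y"), grating(8, "x"))

def demo(sigma=2.0):
    h = hybrid(NEAR, FAR, sigma)
    distant = blur(h, sigma)         # assumption: distance acts like a blur
    close = combine(h, distant, -1)  # fine detail only a close viewer resolves
    return {"distant~far": corr(distant, FAR), "distant~near": corr(distant, NEAR),
            "close~near": corr(close, NEAR), "close~far": corr(close, FAR)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.2f}")
```

The blurred (distant) view correlates with the low-frequency source and barely at all with the high-frequency one, while the fine-detail residual shows the reverse.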
"The traditional configuration of numbers on a keypad is so familiar that it's possible for an observer to discern a PIN or access code after several viewings of surveillance video," says Nasir Memon, professor of computer science and engineering at NYU Tandon. "On a device running IllusionPIN, the user—who is closest to the device—sees one configuration of numbers, but someone looking from a distance sees a completely different keypad."
IllusionPIN also reconfigures the keypad for each authentication or login attempt.
Researchers ran a series of shoulder-surfing attacks on smartphones to test the technology's effectiveness at various distances. Out of the 84 attempted attacks on 21 users, none were successful. As a comparison, they mounted 21 shoulder-surfing attacks on unprotected phones using the same distance parameters. All 21 attacks were successful. Researchers indicate the IllusionPIN technology made it nearly impossible to steal a PIN or other sensitive information using surveillance footage.
"PIN authentication is popular for good reasons, namely that it is easy to use and to remember," Memon says. "Our goal was to increase the resilience of PIN authentication without straining the device or compromising user experience."
The full research can be found in the IEEE Xplore Digital Library.