Breaking News
Translate

With side channel attack… How private is your private information?

By LAJU ARENYEKA

“Please enter your secret number” that’s what the Automated Teller Machine, ATM, tells you at first approach. You look left and right and above, cover the ATM with your body before typing in your pin. In your mind, your pin is between you and God alone… but is that always the case?. Same goes for your really expensive phone; it’s got a fool proof pin too. But with advances in technology come more advances in insecurity.

Just when we thought that cyber transactions were safe as long as we kept our private pins private, Cambridge security researchers have been hacking smartphone passwords using the devices’ own cameras and microphones. Laurent Simon and Ross Anderson at the University of Cambridge used an app they called “PIN Skimmer” to capture passwords as they were entered into a Samsung Galaxy S3 and a Google Nexus S,  both of which  use number-only soft keyboards. The PIN Skimmer can tell when you’re tapping keys by listening to clicks via the phone’s microphone. It correlates this with a recording of your face through the camera, then analyzes how the orientation of the phone changes from tap to tap.

Users on queue at a bank's ATM
Users on queue at a bank’s ATM

That tells it which part of the screen you’re touching, in other words, which number you’re pressing.

This kind of attack is known as a “side channel attack,” which means it uses the physical properties of the phone. It doesn’t seem fair to know that while you’re doing your best to be discreet, Big Brother is watching from within your OWN device. According to the researchers’ paper, previous studies have used a phone’s accelerometer and gyroscope to collect PINs, but theirs is the first to work with the camera and microphone.

When they tested PIN Skimmer with a set of 50 potential four-digit passwords, they found it correctly inferred 30 percent of PINs after two attempts, and more than 50 percent after five attempts. It is bad enough that your phone itself can be hacked, but what about all the other online transactions you do on your phone?

It isn’t really a question of ‘if’, but when scammers get hold of this technology, just how can you ensure security of your private information? Perhaps, using a longer pin? Researchers say this is of little help against the PIN Skimmer program. In fact, when test sets of 200 passwords were used, it correctly guessed more eight-digit PINs than four-digit PINs after five attempts. That’s because the longer the PIN, the more information the program has to work with, and the less likely it is to confuse one password with another. The Chip and Pin however, is not as secure as experts would have us believe. So what then is safe? Finger printing? Well, not entirely.

With the launch of the iPhone 5S, more people will be using fingerprint sensors as part of their daily security than ever before. And hackers on the other hand, will be anxious to find a way around it.

So how can we get to the point where we are entirely sure that our private security is really private? For one, sticking to the already popular rules would go a long way. You’re more likely to get scammed if you are careless with your information, than if you aren’t. Another thing you must do is try to change your pin regularly, and update yourself as more security tips evolve.

Cyber security however, is not just the responsibility of one individual. Laws and structures must be put in place to create a non conducive environment for cyber criminals. This is why stakeholders in the sector have been calling on National Assembly to as a matter of urgency to pass into law the Cyber security Bill 2013 sent to it by the executive arm of government to protect the nation from cyber attacks from hackers. This bill, if passed will be used by government agencies and private sector organizations to plan their information technology activities at international standards, and as such reduce insecurity.


Disclaimer

Comments expressed here do not reflect the opinions of vanguard newspapers or any employee thereof.