Don’t Get Your PIN Skimmed by Your Own Mobile Camera

Photo and video editing apps are on the rise with mobile device owners. In fact, according to a poll by Flickr, 43% of people use their mobile phones as their primary camera. And with so many photo editing and voice recording apps out there, it can be difficult to keep track of who and what has access to the sensitive data that you store on your mobile device. Allowing apps to access photos or even the microphone on your smartphone or tablet may seem fairly innocuous, but throw a malicious app into the mix and you may be unwittingly opening yourself up to a number of security vulnerabilities.

For instance, with the right software a hacker can gain access to your photos, share your photos, as well as use the microphone and camera to steal your personal identification number (PIN) code. A team of researchers at the University of Cambridge created a software package for Android to test out this very theory. Their results might have you thinking twice before allowing a new app of any kind access to the hardware in your device.

The app, called PIN Skimmer, used a mobile phone’s camera and microphone to figure out and unlock a user’s PIN code. While not 100% accurate, the method did glean the correct 4-digit PIN by recording movement and sound more than half of the time, with an 8-digit PIN proving even easier to crack after several attempts. Surprisingly, longer PINs actually gave the program more information initially, which made them easier to predict versus shorter codes. Just like a typical piece of malware, this attack used stealth to go undetected by both the user and the device itself. The app ran remotely in order to minimize battery drain, and disabled the LED light that switches on in some handsets when the camera is in use to avoid suspicion.

Luckily, PIN Skimmer is not an app on the market, but rather was created with the intent to spread awareness, not actually steal personal information. However, it does help shed light on what malware can already do—most likely even better when created by skilled hackers. If researchers can create software to steal PINs using a smartphone’s camera and microphone, it’s almost guaranteed that cybercriminals can too.

Security threats like PIN Skimmer are an issue for both users and phone manufacturers, and the latter should explore solutions like restricting phone resources during PIN entry or even using biometrics as an extra layer of security. Incorporating fingerprint scanning or other biometrics steps could thwart malicious apps like PIN Skimmer since in such cases the PIN is only half of the information needed to unlock a device. While biometrics have their own security risks, staying one step ahead of hackers starts with the latest tools.

In the meantime, Android users should be extra vigilant when it comes to mobile security in order to avoid being taken advantage of by similar schemes. The name of the game for these kinds of malicious apps is “stealth,” so superficial safety checks won’t be enough to detect anything potentially harmful. However, there are steps you can take to prevent bad apps from getting in. To begin with, always know what each app can access, including the camera and other key functions, as well as why. Just like with your laptop or home computer, any strange behavior like battery drainage or a sudden onslaught of spam messages should be checked out right away. Additionally, use security software with the capability to detect hidden apps like the notorious Obad.a Trojan and others like it.

Also, consider these additional tips to help keep your device and information safe from current as well as potential threats:

  • Secure your device with a strong passcode. While PIN Skimmer cracked passcodes more than 50% of the time, some security is still better than none at all. Make sure to steer clear of easy options such as 1234 or your birth year.
  • Review app permissions before you download. Third-party apps, especially games or entertainment apps, should have limited access to personal data such as location or social networking sites. Requesting too much permission is a definite red flag that this could be an app up to no good.
  • Only download apps from official sources. Third-party app stores and websites are known for fostering risky apps and malware. Stick to downloading from trusted online sources, such as the Apple App Store and Google Play.
  • Update your mobile software. Depending on if your mobile carrier allows for it, updating your OS can immediately improve the security of your device.
  • Never use public Wi-Fi networks to access sensitive information. Avoid checking your bank account or downloading content on unsecure networks. Cybercriminals often use public Wi-Fi in places like coffee shops and airports as a hunting ground for victims.
  • Go the extra mile when it comes to mobile security. Sometimes taking all the precautions you can is just not enough. McAfee® Mobile Security comes with many features to help protect your smartphone and tablet from a variety of threats, including hidden device admin detector and remote lock and wipe functions should your device become lost or stolen, as well as virus protection with continuous scanning and monitoring of your mobile activity.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post Don’t Get Your PIN Skimmed by Your Own Mobile Camera appeared first on McAfee Blogs.