So you have set a password on your smartphone. It does not matter which kind: 6-digit, text, graphical or even hidden taps on the screen.
Think it is impregnable? Not at all. There are many ways to find it out, and none of them requires looking over your shoulder.
Attackers can steal your passwords in plain sight of everyone, even while cameras are watching them.
How to prevent this?
A simple thermal imager is enough
You entered the password, then simply put the smartphone away. Scientists from the University of Stuttgart, together with colleagues from Ludwig Maximilian University of Munich, proved that this is not safe.
Armed with a compact thermal imager, the scientists were able to read the entered password from the smartphone screen. 15 seconds after entry, a four-digit PIN was recognized 90% of the time. And the unlock pattern could almost always be guessed even after 30 seconds.
If the imager is hidden in a sleeve or disguised as a toy, no one would suspect that a person walking past the smartphone has read the code.
The scientists suggested protecting yourself with random swipes across the screen (b). Among the hardware methods are increasing the brightness of the display for a few seconds (a) or sharply increasing the load on the processor (c). Through the thermal imager, this looks as follows:
The password can be worked out from oil traces
A high-resolution camera can take a high-quality picture in which the oily fingerprints on the smartphone screen can be recognized. Back in 2010, University of Pennsylvania specialists described this method.
Even an amateur camera or a good smartphone is capable of such a thing today. It’s not difficult to pretend that at dinner you’re shooting not your colleague’s smartphone, but your food for Instagram.
This method works best for detecting the traces left by entering an unlock pattern; a PIN code or alphanumeric password is a little harder. If it is not a word, phrase or date of birth, there will be too many options for the order of the letters and numbers.
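The "too many options" point above can be put in numbers. The following is an added example, not part of the original article: it counts how many codes remain consistent with a given set of smudged keys and how an attempt limit bounds a guesser's odds. The function names, the assumption that all consistent codes are equally likely, and the five-attempt limit are assumptions made for illustration.

```python
from itertools import product
from math import comb


def orderings(smudged: int, length: int) -> int:
    """Number of codes of `length` symbols that use every one of `smudged`
    distinct keys at least once (inclusion-exclusion over unused keys)."""
    if not 1 <= smudged <= length:
        return 0  # more smudged keys than positions, or none: inconsistent
    return sum((-1) ** j * comb(smudged, j) * (smudged - j) ** length
               for j in range(smudged + 1))


def candidates(smudged_keys: str, length: int) -> list[str]:
    """Brute-force enumeration, used to cross-check the formula on small input."""
    keys = set(smudged_keys)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]


def guess_success(smudged: int, length: int, attempts: int) -> float:
    """Chance of hitting the code within `attempts` tries, assuming every
    code consistent with the smudges is equally likely (an assumption)."""
    space = orderings(smudged, length)
    return min(1.0, attempts / space) if space else 0.0


def policy_table(lengths=(4, 6, 8), attempts=5):
    """Rows of (code length, smudged keys, remaining codes, success chance)."""
    return [(n, k, orderings(k, n), guess_success(k, n, attempts))
            for n in lengths for k in range(1, n + 1)]


if __name__ == "__main__":
    # Constructed sample: smudges on keys 1, 3, 7 for a 4-digit PIN.
    print(len(candidates("137", 4)), "codes fit three smudged keys")
    for n, k, space, p in policy_table():
        print(f"length={n} smudged={k} remaining={space:>6} "
              f"P(success in 5 tries)={p:.4f}")
```

For a 4-digit PIN, four distinct smudged keys leave 24 codes and three smudged keys (one digit repeated) leave 36, so the search space stays small either way; length and a strict attempt limit are what keep the success chance low.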
In general, the Android unlock pattern is the most insecure.
The more complex the pattern, the easier it is to recognize, the researchers say. It is enough to sit to one side of the victim at a distance of 5 meters and simply film the unlock process on video.
Then the video is uploaded to a special application. It analyzes the finger movements and offers up to five candidate patterns. In 95% of cases, one of these patterns is correct.
The Wi-Fi network can “leak” your password
Former Technical Director of SpringSource Adrian Colyer described how to intercept a PIN code using Wi-Fi signal analysis. He called the technology WindTalker.
Colyer found that the movement of fingers across the screen affects the Wi-Fi signal. If the attacker creates an access point, he will be able to track this micro-interference.
In the experiment, Colyer managed to crack an account on Alipay, the payment system of the company Alibaba. The application gave him three password options, and one of them was correct.
The accuracy of the method is 68%. The more data, the more accurate the analysis. The more input attempts the application allows, the more likely it is that the correct password will be entered.
The movements of a fitness tracker or smartwatch also “give away” the password
If a hacker installs a special scanner near your workplace, an ATM or a terminal, he will be able to obtain a password or PIN code by tracking your hand movements through a fitness tracker or smartwatch.
The experiment was conducted by employees of the Stevens Institute of Technology and Binghamton University (USA). They developed a scanner that tracks electromagnetic radiation from the sensors in smartwatches and trackers. Data from the scanner was transmitted via Bluetooth.
The scan results were processed in an application that recognizes up to 5 thousand key movements. To create the algorithm, two dozen users were involved, along with two models of smartwatch and a fitness bracelet with a standard nine-axis accelerometer.
On the first attempt, the password was recognized 80% of the time; on the second (if the user enters the same combination twice), 90%. The more sensors in a wearable device (gyroscopes, magnetometers, accelerometers), the higher the accuracy. The position of the hand does not affect it.
Even screenshots will give away your password
Your computer can technically take a screenshot at any time, including while you are entering a password. Felix Krause, founder of the company Fastlane Tools, discovered this capability in November 2017.
The screenshot is taken by the CGWindowListCreateImage function. It does not require any permission from the user.
A virus that takes screenshots can run in the background. It will still have access to literally every pixel.
Now for actual hacking: MITM attacks
MITM stands for man-in-the-middle. In attacks of this type, sniffers such as Intercepter-NG are most often used to intercept passwords and cookies.
The intercepted data makes it possible to log in to other people’s accounts, see downloaded files, and so on. In addition, the application can forcibly delete the user’s cookies, forcing him to log in again.
Previously, the tool could even intercept iCloud passwords, but Apple developers have already fixed this.
Other ways to intercept traffic (including passwords) also exist, even for passwords to HTTPS resources. The main thing is that the victim’s device is on the same Wi-Fi network as the hacker’s device.
How to protect yourself against such hardcore methods
1. Do not leave your smartphone lying screen up. Then you need fear neither the thermal imager nor photos of the prints on the screen.
2. Do not enter passwords on public Wi-Fi networks. Using a reliable paid VPN reduces the risk but does not completely rule out hacking.
3. When entering passwords in applications, do not enable the option that displays the password. Otherwise, the password can be quickly photographed, or a virus will take a screenshot.
4. Cover the screen with your hand when you enter the pattern. It is advisable to set a pattern that does not start from a corner of the display. Better still, choose smartphones with a fingerprint scanner or another biometric identification method, which is more reliable.
5. Do not enter passwords and PIN codes with the hand on which you wear a smartwatch or fitness tracker. That one is self-explanatory.
There are also applications that automatically send you data about an attacker who enters the wrong password on your smartphone. Some of the most popular are Prey Anti-Theft for iOS and Lockwatch for Android. They silently take a photo and send it to you by e-mail along with GPS coordinates. The main thing is that GPS and Internet access are active.