“That means whenever you are typing private data on a webpage and this webpage for example has some advert banners at the side or the bottom, the advert provider as part of the page can ‘listen in’ and find out what you type in that page,”
Dr. Siamak F Shahandashti
According to the group's paper in the International Journal of Information Security, the attack does require the victim to first open a malicious web page and then enter characters, but it needs no installation on the device and no companion app. Instead, the logger, dubbed PINlogger.js, reaches the victim through an HTML iframe (the tag that embeds one document inside another, as is common with ads), and from there it can infer any characters typed on an iOS or Android device without the user being aware of its existence. One such scenario: a user opens a first page carrying a malicious, PINlogger-infected ad and then fills out a form on a second page, unaware that the first page is still listening and logging the information the user enters.
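As an added example (not code from the paper or from this article), here is a lint check a site operator can run over page templates: it flags every `<iframe>` (an ad slot, say) whose `allow` attribute does not explicitly deny the accelerometer, gyroscope and magnetometer, the Permissions-Policy features that gate the motion data a PINlogger.js-style script reads from inside an embedded frame. The sample HTML is constructed for the demo.

```javascript
// Added example (not code from the paper or this article): a lint check a site
// operator can run over page templates. A PINlogger.js-style script reads motion
// sensors from inside an embedded ad iframe, so every third-party iframe should
// carry an `allow` attribute that explicitly denies those sensors. Feature names
// are the standard Permissions-Policy ones; the sample HTML is constructed.

const MOTION_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// Parse an allow attribute such as "accelerometer 'none'; gyroscope 'self'" into
// a map feature -> allowlist tokens. A bare feature name means 'src' (granted).
function parseAllow(allowValue) {
  const policy = {};
  for (const entry of allowValue.split(';')) {
    const [feature, ...tokens] = entry.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature.toLowerCase()] = tokens.length ? tokens : ["'src'"];
  }
  return policy;
}

// Motion sensors that a single <iframe ...> tag does NOT explicitly deny.
function sensorsNotDenied(iframeTag) {
  const m = iframeTag.match(/\sallow\s*=\s*"([^"]*)"/i);
  const policy = m ? parseAllow(m[1]) : {};
  return MOTION_FEATURES.filter((f) => {
    const tokens = policy[f];
    return !(tokens && tokens.length === 1 && tokens[0] === "'none'");
  });
}

// Scan a document for iframe tags and report each one that leaves sensors reachable.
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const exposed = sensorsNotDenied(tag[0]);
    if (exposed.length === 0) continue;
    const src = (tag[0].match(/\ssrc\s*=\s*"([^"]*)"/i) || [])[1] || '(no src)';
    findings.push({ src, exposed });
  }
  return findings;
}

// Constructed sample: an unhardened ad slot followed by a hardened one.
const SAMPLE_HTML = `
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="https://ads.example/footer" sandbox="allow-scripts"
        allow="accelerometer 'none'; gyroscope 'none'; magnetometer 'none'"></iframe>`;

console.log(auditIframes(SAMPLE_HTML)); // flags only the first slot
```

For pages that do not themselves need motion data, a `Permissions-Policy: accelerometer=(), gyroscope=(), magnetometer=()` response header on the embedding page closes the same door at the HTTP layer for every frame it contains.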
Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it’s quite easy to start to recognize tilt patterns associated with ‘Touch Signatures’ that we use regularly.
Personal fitness trackers, which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile, pose a whole new threat.
Dr Siamak Shahandashti
In the meantime, the following measures can help protect your PIN from being compromised on smart devices.
- Change your PIN and password periodically (every 3 months is the usual recommendation)
- Close background apps and web pages you don't need
- Keep your phone and apps up to date to close known exploits
- Audit and keep track of your app permissions
- Only install trusted apps
- Use a PIN scrambler, which randomizes the keypad layout on each and every unlock attempt
¹ The team initially fed over 50 PIN codes to PINlogger.js for initial setup and sample scripting.