
Smartwatch Ado About Nothing (or, How to get rich slowly as an ATM fraudster)

There's been a lot of hoopla lately about a group of researchers who developed an algorithm for stealing PINs from smartwatches. But as ATM fraud headaches go, this one barely rates as a forehead slap.

July 21, 2016 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications

A five-member team from Stevens Institute of Technology in Hoboken, New Jersey, recently published a paper about what they describe as a "serious security breach" in wearable devices.

It seems that a clever fraudster can steal the PIN from a smartwatch wearer as he or she enters the number on a keypad at, say, a POS terminal or an ATM.

When the news broke, it made for a profusion of headlines and hand-wringing in the mass media. A Google search for "smartwatch PIN" yields nearly a half-million results on the subject.

But if journalists and readers were to pause and exercise a few brain cells thinking about this latest newsflash, they'd rightly conclude that it's a concern that ranks right up there with being struck by a meteor while waiting in line for the Small World ride at Disneyland.

In fact, the only story here is about a bunch of really smart people solving a pretty hard physics problem. It's certainly not an above-the-fold headline about a looming threat to ATM users and their bank accounts.

The gist of the story

According to an abstract of the article, student researchers figured out how to determine a person's PIN by interpreting the distance and direction of his or her finger movements across the face of a keypad while entering a PIN.

"[O]ur system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes, and magnetometers, to derive the moving distance of the user's hand between consecutive key entries."

This determination is possible regardless of the pose of the hand or even the type or size of the keyboard or PIN pad used for information entry, the article said.

The paper is accompanied by a great many graphs, incomprehensible to the average journalist, that presumably validate the SIT students' algorithm for inferring a PIN from a smartwatch.

The researchers found that the PIN determination can be carried out in two ways: from within the device, via malware downloaded by the unsuspecting owner of the wearable; and from outside the device, by intercepting Bluetooth data exchanged between the wearable and the owner's smartphone.

Using a complex algorithm, the researchers were able to determine the wearable user's PIN with 80 percent accuracy on the first attempt and more than 90 percent accuracy within three tries.
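To see why a displacement sequence narrows a four-digit PIN to a handful of guesses, here is an added worked example. It is not the Stevens team's code and does not reproduce their sensor processing; it assumes a standard 3x4 telephone-style keypad with one unit of key pitch between adjacent keys, and that the wearable's accelerometer, gyroscope and magnetometer data have already been reduced to one hand-displacement vector per pair of consecutive key presses (the quantity the abstract says the system derives). The keypad coordinates, the noisy reading and the function names are all constructed for the illustration.

```python
"""Added example: which PINs are consistent with a sequence of inter-key
hand displacements? Assumes a 3x4 telephone-style keypad with unit key
pitch (an assumption, not from the article)."""
import itertools

# Key centres in units of key pitch: x to the right, y downward (constructed).
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
                 "0": (1, 3),
}
DIGITS = "0123456789"


def displacements(pin):
    """Hand displacement between consecutive key presses,
    e.g. "1234" -> [(1, 0), (1, 0), (-2, 1)]."""
    pts = [KEYPAD[d] for d in pin]
    return [(bx - ax, by - ay) for (ax, ay), (bx, by) in zip(pts, pts[1:])]


def signature_classes(length=4):
    """Group every PIN of `length` digits by its displacement sequence.
    Each class is the set of PINs that displacement data alone cannot tell
    apart: the same finger pattern slid to another position on the keypad."""
    classes = {}
    for digits in itertools.product(DIGITS, repeat=length):
        pin = "".join(digits)
        classes.setdefault(tuple(displacements(pin)), []).append(pin)
    return classes


def rank_candidates(observed, length=4):
    """Score every PIN by squared error between its displacement sequence
    and the observed (possibly noisy) one; best first, ties broken by
    digit order. Returns a list of (pin, error) pairs."""
    scored = []
    for digits in itertools.product(DIGITS, repeat=length):
        pin = "".join(digits)
        err = sum((dx - ox) ** 2 + (dy - oy) ** 2
                  for (dx, dy), (ox, oy) in zip(displacements(pin), observed))
        scored.append((pin, err))
    scored.sort(key=lambda t: (t[1], t[0]))
    return scored


def exact_matches(observed, length=4):
    """With noise-free displacement data, the only PINs worth trying."""
    return [pin for pin, err in rank_candidates(observed, length) if err == 0]


def tries_needed(true_pin, observed):
    """1-based position of the real PIN in the ranked list, i.e. how many
    guesses an attacker working down the list must spend."""
    ranked = [pin for pin, _ in rank_candidates(observed, len(true_pin))]
    return ranked.index(true_pin) + 1


if __name__ == "__main__":
    pin = "1234"
    clean = displacements(pin)
    print("noise-free candidates for", clean, "->", exact_matches(clean))
    # Constructed noisy reading: each component off by up to 0.2 key pitch.
    noisy = [(1.1, -0.1), (0.9, 0.2), (-2.1, 1.1)]
    print("guesses needed with the noisy reading:", tries_needed(pin, noisy))
    classes = signature_classes()
    print("distinct displacement signatures:", len(classes),
          "largest class:", max(len(v) for v in classes.values()))
```

Two things the code makes concrete. The attacker never learns the absolute position of the first key, only the relative motion, so the candidates for "1234" are exactly "1234" and "4567" (the same pattern one row down) and a small amount of sensor noise still leaves the real PIN first or second in the ranking, which is the "within three tries" regime. The worst case for the attacker is a PIN with no motion at all (all four digits the same), where ten PINs share one signature. The whole model also presumes the watch is on the hand doing the typing; if it hangs motionless on the other wrist there is no displacement to read.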

Is that all you got?

The accuracy and efficiency of this PIN algorithm are impressive and alarming — until you consider the monetary incentive for attempting to use it, which is virtually nonexistent for several reasons. Among them:

Firstly, the number of smartwatch-sporting cardholders worldwide is a minuscule drop in the ocean-sized bucket of card accounts. In the U.S., smartwatch owners constitute about 3 percent of the total population over the age of 16, according to Cnet. And it's not even clear that all of these leading-edge techies are using banking app-enabled devices.

Secondly, most people strap on a smartwatch the same way as a wristwatch — that is, on their nondominant arm. That's so they can use the fingers of their dominant hand to do things like tapping the face of a smartwatch — or entering a PIN on an ATM keypad while their smartwatch arm hangs motionless by their side.

Thirdly, the demographic group whose members are most likely to buy new tech gadgetry — millennials — is also the demographic group whose members generally have the lowest bank balances and credit card limits. Especially the ones who have purchased a smartwatch.

And finally there's the fact that the fraudster also needs an undetectable method for obtaining card data and CVV information, which must later be matched up with what, at most, would amount to a handful of smartwatch-derived PINs.

Bigger fraudsters to fry

It can be done. It's just that there are far more efficient, cheaply obtained and readily implemented methods of ATM compromise already available to criminals.

Painstaking research into a theoretical potential risk to accountholders is not headline news to an industry that has already identified far more alarming security problems (e.g., Tyupkin et al, card reader insert skimmers, explosive attacks) in far greater need of immediate solutions. And no amount of mainstream media-generated Sturm und Drang will move this particular needle.

This is not to say that finding and fixing weaknesses in emerging technologies is a matter of no great importance in fintech. Understanding self-service banking security holes and their implications is enormously important and will only grow in urgency as consumers adopt increasingly tech-enabled, omni-everything lifestyles.

But for now, in a nation that hasn't fully implemented EMV and is taking only baby steps toward contactless transactions, a few more headlines about simply using your watch hand to cover the keypad while you enter your PIN would be welcome.

About Suzanne Cluckey

Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.
