The launch of PCI’s SPoC specification, Software PIN on COTS – Commercially Off The Shelf (thats PIN on mobile / PIN on Glass, to you and me) raised an eyebrow or two at Consult Hyperion. Could PIN on mobile actually be secure? The researchers at Newcastle University produced a paper stating that PINs entered on mobiles can be recovered by capturing the mobiles sensor data.
We’re well versed in building the security architectures and systems needed to secure payment cards on mobile devices using software only solutions, think Google Pay / Barclaycard Contactless Mobile, or Worldpay’s fabulous My Business Mobile card reader, all of which protect card PANs in one way or another. As well as building security, we are just as adept at testing such architectures and implementations to validate their security. This leads us to ask the question; is securing a cardholders’ PIN the same as securing a card PAN?
Gut instinct would suggest that exposing a PIN is more risky than exposing a PAN, however one is of no use without the other. A PIN cannot be used without the PAN whereas a PAN can be used without the PIN. Indeed the PAN could be used for online payments, the PIN is only of use if the physical card is present.
PCI SPoC sets out a comprehensive architecture to protect the cardholders’ PIN involving the mobile device, card reader and host system, which is all very sensible. From a business point of view, reducing the cost of the card reader device by removing the physical keyboard, may make accepting payment cards a more attractive option from a cost perspective. Equally from a customer experience point of view, it appears quick and easy and less cumbersome than interactions with a different PED.
However, what if you could use the mobile devices own sensors to steal the PIN? Is this possible? Can you use a mobiles sensor data to recreate a PIN? Even if it were possible surely a PIN entry application would ensure the sensor data was blocked? Researchers at Newcastle University published a paper on “Stealing PINs via Mobile Sensors: Actual Risk versus User Perception.” In this paper the team of researchers claim an accuracy of 80% on obtaining PINs from mobile sensors, which if true, would significantly compromise PIN on Glass solutions as set out in the PCI SPoC standard.
We set our Hyperlab team the task of recreating the research to fully understand the proposed attack and if it did indeed translate into a realistic attack, and if so could we counter it. We contacted the researchers at Newcastle University who were very helpful in setting us on the right path to recreate their work. We built the PIN Logger App and the AI engine which would process the data to attempt to “guess the PIN”. The attack works by feeding mobile sensor data into an AI / Machine Learning engine, actually it’s a Neural Network, which is then able to determine the PIN number pressed. However in order for the AI Engine to correctly guess the PIN number, it needs to learn the patterns of sensor data associated with the PIN number. This takes data, lots of data, and lots of processing power.
In their paper, the researchers at Newcastle University used 1.4million data points (that’s 140,000 per PIN digit) to train their Neural Network over 10million iterations, after which they were then able to achieve a 70-80% accuracy on a restricted number of PINs (just 50 PINs from ~10,000 possible PINs).
Our Hyperlab team worked their magic, and by applying a few restrictions and limitations (i.e. using fewer data points and restricting the mobile PIN entry to a single plane) we were able to reproduce the attack with a 30% accuracy. We were able to adjust the accuracy level by feeding fewer or more data points when training the Neural Network, which leads us to believe that the results obtained by the Newcastle researchers are achievable. What’s more it’s not possible to block a background app in Android from obtaining the sensor data whilst PIN entry (as defined in PCI SPoC) is taking place. Surely this is a disaster for software PIN on Glass?
There are several things to consider here. In order to mount the attack you need 1.4million data points, and plenty of processing power to train the Neural Network, and that’s just for a single mobile device. Plus the training app needs to use the same keypad layout as the keypad you are trying to steal PINs from. A malicious data gathering app then needs to be present and active on a PCI SPoC device. However even then it does not know when a PIN will be entered, and will have to find the PIN entry within the rest of the screen taps, e-mails, SMS, rounds of Candy Crush that a merchant may use their mobile for on a normal day. This amount of entropy itself would render the attack method futile.
Hats off to the researchers at Newcastle University their paper and attack vector is enlightening and should be taken seriously. Whilst we do not believe it is a scalable attack it will certainly be taken into consideration when we build our next clients security architectures to support PCI SPoC PIN entry.
Consult Hyperion is known for robust architecture designs and rigorous test plans, making sure our clients launch products and services that protect their customers financial and personal data, and the brand reputation of the client. If you would like to talk to us, please do get in touch – firstname.lastname@example.org.