Shoulder surfing is an unavoidable problem with smartphones in a crowd, but 14 feet away feels like enough distance to be safe from video eavesdropping. And although there are workarounds to block the attack—turn down the screen brightness or turn off the pop-up keypress confirmation that makes the iPhone's virtual keyboard so much easier to use—it's unlikely that customers will be willing to do that. Store associates, on the other hand, might want to do both those things, along with being careful to guard their screens and watch for customers who happen to be using video cameras nearby. The biggest question is whether they can be convinced to do anything.
The researchers, from the University of North Carolina at Chapel Hill, used consumer-grade cameras (ranging from a $1,000 Canon camcorder to a $90 Kodak PlayTouch) aimed at users keying in text on iPhones indoors, outdoors and on a moving bus. With more than a little algorithmic magic involving some computer vision techniques, researchers were able to reconstruct the text that users typed at better than 94 percent accuracy—certainly good enough to put passwords and PINs at risk.
The secret to their success was the pop-up feedback with each character typed. "Although the on-screen text is essentially unreadable, the pop-out event provides a strong visual cue to help identify the letter that was tapped," the researchers wrote.
That made it possible to capture text from a distance even when the phone's screen was reflected in a user's sunglasses—a scenario that would usually be safe from a thief looking on. (It probably helped that computer processing is likely to be better at correcting for the distorted reflection in the lenses of sunglasses.)
As with all academic papers on security topics, there's not quite enough information for thieves to simply lift the researchers' work and put it immediately to evil use. But now thieves know it can be done. And even if the results aren't as good as those that the researchers got, they may still be good enough to pose a security problem.
And for customers, there's not much retailers can do.And for customers, there's not much retailers can do. Many customers are oblivious to what's going on around them—that's why they dictate payment-card numbers over their mobile phones in loud voices in public places. There's no reason to believe they'll be much more careful when it comes to PINs or passwords they're keying into their phones, even with strangers within a few feet. From several yards away, they'll likely feel completely secure—if they even notice anything.
But if you can't save customers from themselves, there are still store associates, whose in-store mobile POS devices are typically from Apple (like the devices the Chapel Hill researchers spied on). IT can make security recommendations for associates. Reducing the brightness of the screen would "have a detrimental effect on any reconstruction," according to the researchers—in other words, it would chop down the distance a thief could be able to surreptitiously record from. That would also make conventional shoulder surfing more difficult.
Disabling the visual keypress confirmation—the pop-up letters that appear while typing—would make this attack completely unusable, according to the researchers. Both the size and the position of the pop-up letters and numbers are critical to capturing typing at a distance. Trouble is, without them, the device itself might be unusable for many associates.
Of course, the best defense would be to train associates to guard their screens carefully while they're keying in anything sensitive, including PINs, passwords and payment-card numbers. In practice, that may be impossible. Part of the reason for using Apple devices is that it keeps the need for in-person training to a minimum. Reminding associates via E-mail that they should guard their screens isn't likely to be any more useful that telling them to report a missing device immediately.
And although it would be nice to think that alerting store managers to the risk would work, that would depend very heavily on how security-conscious the manager is. From observations in the field, that's not promising. We recently were in a Starbucks when an associate called all the way across the store to a manager that he needed her password to correct a transaction. In response, she carefully dictated the password in a loud, clear voice that every customer in the place could hear.
Maybe just locking down the screen brightness is the most practical way to go after all.