Researchers at the University of Pennsylvania have brought to light the potential dangers of touchscreen smudges in a paper released yesterday. According to the paper, the residual oils a fingertip leaves on a smartphone screen can be used to recover secrets entered through that screen, such as the unlock pattern or a PIN used to access a mobile banking account.
The researchers conducted several experiments using cameras to photograph Android phones. "Using photographs taken under a variety of lighting and camera positions ... in many situations full or partial pattern recovery is possible, even with smudge 'noise' from simulated application usage or distortion caused by incidental clothing contact," the report says.
Not only could the researchers clearly see the path a user's finger had traced across the screen, but in many cases they could also determine the direction of the strokes and from that infer the order in which the pattern was drawn. The attack requires the phone, or at least a clear photograph of its screen, after the pattern has been entered; ordinary use of the phone afterwards adds smudge noise but, as the quoted passage notes, does not reliably erase the pattern.
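To make concrete why a smudge is so damaging, the following Python script is an added example, not code from the paper or from the University of Pennsylvania researchers. It enumerates every legal Android 3x3 unlock pattern (four to nine distinct nodes, no stroke may jump over a node that has not yet been visited) and then counts how many patterns remain consistent with three levels of smudge evidence: which nodes carry smudges, which straight streaks run between them, and which node the stroke started on. The secret pattern, the streak model (a stroke that passes over an already visited node is drawn as two short streaks) and the assumption that the start node can be read from the smudge are all constructed for this example.

```python
"""Count Android unlock patterns consistent with what a smudge reveals.

Assumed model (constructed for this example, not the paper's method):
the attacker can see which grid nodes carry smudges, the straight
streaks between neighbouring nodes, and optionally the start node.
"""

GRID = 3
NODES = range(GRID * GRID)   # nodes numbered 0..8, row by row
MIN_LEN, MAX_LEN = 4, 9      # Android's length limits for a pattern


def midpoint(a, b):
    """Return the node a straight stroke from a to b passes over, or None.

    Android adds that node to the pattern unless it was already visited,
    so jumping over an unvisited node is not a legal move.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None                       # knight-style or adjacent move
    m = (ra + rb) // 2 * GRID + (ca + cb) // 2
    return None if m in (a, b) else m


def all_patterns():
    """Every legal pattern: 4..9 distinct nodes, no jump over an unvisited node."""
    found = []

    def extend(path, visited):
        if len(path) >= MIN_LEN:
            found.append(tuple(path))
        if len(path) == MAX_LEN:
            return
        for nxt in NODES:
            if nxt in visited:
                continue
            m = midpoint(path[-1], nxt)
            if m is not None and m not in visited:
                continue                  # would silently add node m
            path.append(nxt)
            visited.add(nxt)
            extend(path, visited)
            path.pop()
            visited.remove(nxt)

    for start in NODES:
        extend([start], {start})
    return found


def streaks(pattern):
    """Unordered node-to-node streaks a finger leaves on the glass.

    A stroke that jumps over an already visited node (e.g. 0 -> 2 over 1)
    looks like two short streaks, so it is split at the midpoint.
    """
    out = set()
    for a, b in zip(pattern, pattern[1:]):
        m = midpoint(a, b)
        if m is None:
            out.add(frozenset((a, b)))
        else:
            out.add(frozenset((a, m)))
            out.add(frozenset((m, b)))
    return frozenset(out)


def candidates(patterns, touched=None, seen_streaks=None, start=None):
    """Keep only the patterns consistent with the observed smudge evidence."""
    out = []
    for p in patterns:
        if touched is not None and set(p) != set(touched):
            continue
        if seen_streaks is not None and streaks(p) != seen_streaks:
            continue
        if start is not None and p[0] != start:
            continue
        out.append(p)
    return out


def smudge_attack_report(secret):
    """Size of the candidate space at each level of recovered smudge detail."""
    patterns = all_patterns()
    touched = frozenset(secret)
    seen = streaks(secret)
    return {
        "no_information": len(patterns),
        "touched_nodes": len(candidates(patterns, touched=touched)),
        "streaks": len(candidates(patterns, touched=touched, seen_streaks=seen)),
        "streaks_and_start": len(candidates(
            patterns, touched=touched, seen_streaks=seen, start=secret[0])),
    }


if __name__ == "__main__":
    # Constructed secret: along the top row, down the right column, back
    # along the bottom row (a "C" drawn backwards).
    SECRET = (0, 1, 2, 5, 8, 7, 6)
    for level, n in smudge_attack_report(SECRET).items():
        print(f"{level:20s} {n:7d} candidate pattern(s)")
```

With no evidence at all an attacker faces 389,112 legal patterns. Knowing only which seven nodes were touched already cuts that to a small fraction; knowing the streaks leaves just the forward path, its reverse and two variants that start one node in and jump back over it; knowing the start node leaves exactly one. That is the gap between a photograph and an unlocked phone.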
What should banks do to protect their mobile banking customers from smudge fraud? The report concludes that unlock patterns and other secrets drawn or typed on the screen should be strengthened, especially on Android phones.
Some banks are experimenting with extra authentication measures, such as one-time passcodes sent to the customer's cell phone that expire after a very short time. Such measures help against a "passive" attacker who has recovered the secret from a photograph of the screen but does not hold the phone, because the code is delivered to a device the attacker does not control. If the phone itself is stolen, however, the code arrives on the very device the thief is holding, so a further layer of security that does not depend on the phone may be needed.