Can Your Smartwatch Give Away Your ATM Password?

Could wearing a fitness tracker or smartwatch make it easier for scammers to exploit your private PIN? That’s the conclusion of a shocking new study released this month.

In the paper, “Friend or Foe?: Your Wearable Devices Reveal Your Personal Pin,” researchers from Binghamton University and the Stevens Institute of Technology describe how, with the help of a computer algorithm, they used data collected by these devices to crack passwords, which they managed to do with 80% accuracy on the first try and more than 90% accuracy after three tries.

Over 11 months, the researchers performed 5,000 key-entry tests on three key-based security systems, including an ATM, while 20 adults wore a variety of devices, such as activity trackers and smartwatches.

Typically, a hacker would need to install a video camera or fake keypad in order to uncover personal information, the researchers wrote.

However, they found wearable devices “can be exploited to discriminate mm-level distances and directions of the user’s fine-grained hand movements, which enable attackers to reproduce the trajectories of the user’s hand and further to recover the secret key entries.” Put in layman’s terms: The hackers could record information about your hand movements to reproduce the seemingly-secret entries.

Get everything you need to master your credit today.

Get started for free

The researchers added, “our system confirms the possibility of using embedded sensors in wearable devices, i.e., accelerometers, gyroscopes and magnetometers, to derive the moving distance of the user’s hand between consecutive key entries regardless of the pose of the hand.” So, infecting your device with malware or intercepting the Bluetooth connection that syncs your watch to your phone wouldn’t be much of a stretch.

Keeping Your Information Safe

Though it’s too soon to tell how this will impact everyday wearers — manufacturers have yet to respond to the study — it’s yet another reason to be vigilant about how and where you share your finances, especially online. Short of using your device-free hand to code in any passwords, it’s a good idea to follow best online safety practices, which include only shopping on encrypted sites, avoiding clicking on phony emails and doing your best to keep your passwords to yourself.

It’s also a good idea to keep an eye on your accounts for common signs of fraud. This can include unfamiliar addresses, sudden drops in your credit score and mysterious accounts opening up in your name. (You can view two of your free credit scores, updated every 14 days, on Credit.com.)