The closer we move toward using our mobile devices as universal keys (to bank accounts, credit cards, house and car locks, not to mention personal information), the more serious a threat the people physically around us become. Mobile security is no longer only about protecting our devices from remote hackers.

A malicious observer can steal our credentials simply by glancing at our screens, and can also gain physical access to the device itself. Relying on biometrics is not a reliable alternative either: your biometric data travels with your body and is readily available to the "bad guys" standing next to you.

We call this threat the HITBAD problem, which stands for "Here Is The Body And Device". It is a relatively new security challenge, and it differs from the rest.

Why is HITBAD a new problem? Before the mobile era we mainly used desktop computers behind closed doors. Now we routinely unlock our smart devices and log in to sensitive apps in public, where we cannot always keep the screen hidden from the people around us.

How is HITBAD different from other mobile security risks? A solution designed to protect you from remote hackers does nothing against HITBAD. It does not matter how strong your encryption or transaction protocols are: a criminal who has watched you enter your passcode and then takes your device simply logs in as you. Conversely, a measure that addresses HITBAD is, on its own, far too weak to stop an experienced remote attacker. Any HITBAD countermeasure should therefore act as a complementary layer of protection, not a replacement for existing security solutions.

What about longer PINs? A six-digit PIN is no better than a four-digit one against HITBAD. A longer PIN only raises the cost of guessing, and a shoulder surfer does not guess: they know exactly what your PIN is.

Two-factor authentication? It is designed to protect you from online threats and does not work against HITBAD either. The second factor is usually the phone itself (an SMS code or an authenticator app), so your device, your credentials and your biometrics can all end up in the same person's hands.

HITBAD AND "GOOD" PEOPLE

An interesting aspect of the HITBAD problem is that it is not only about BAD guys who want to steal your money. In many cases it is your friends, family members and other "good" people around you who compromise the privacy of sensitive data on your device.

There are many stories in the mainstream media about leaked private pictures, unauthorized online purchases, broken relationships and the like:

"Man accused of stealing nude photos off co-worker's cellphone"

"Teen charged for allegedly stealing nude pic from teacher's phone"

"6-year-old child uses sleeping mom's fingerprints to buy $250-worth Pokemon gifts"

"7-year-old boy used father's password to rack up $5900 by playing game on iPad"

"10-year-old kid bypasses Face-ID on his Mom's iPhone X"

"A woman who accessed her husband's phone using his fingerprint and found out he was cheating has caused a mid-flight emergency"

All these HITBAD cases happened because the wrong people got hold of someone else's device and got past its security.

HITBAD AND SMART GADGETS

Another important aspect of the HITBAD problem is driven by rapid advances in wearable technology. Why do wearables make the problem worse? With a wearable equipped with a high-resolution camera, a malicious observer can capture your password credentials even from a distance. Biometric protection (face recognition, fingerprint and retina scans) is not a serious obstacle for such devices either:

"Hacker fakes German minister's fingerprints using photos of her hands"

"Hackers cracked iPhone X Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts"

In case you are wondering what HITBAD has to do with a 3D-printed plastic mask: a handful of photos of your face taken from different angles is enough to produce one, and all the necessary components (hardware and software) are already readily available.

In short, wearables make the HITBAD problem significantly worse, and the threat will only grow with further advances in smart gadgetry.

PROTECTING FROM HITBAD PROBLEM

As shown above, biometrics are not reliable protection against the HITBAD problem, let alone old-fashioned passwords.

When it comes to passwords, several popular approaches try to protect the login step: screen draw patterns and picture unlock, disguising the numeric pad as a calculator, self-adhesive privacy screen protectors, and so on. All of them share the same serious drawback: the secret is the input itself. If a malicious observer sees your screen while you unlock the device or log in to a sensitive app, the wrongdoer can simply repeat your exact login steps and access your information. (A privacy filter only narrows the viewing angle; it does nothing against someone looking over your shoulder or a camera in line with the screen.)

What could be a viable solution to the HITBAD problem? A game: a quick game, two to three seconds long, that works as a login method.

With a login game you have two secrets: the purpose of the game (your passcode) and the rules of the game (how you interact with the device to reach that purpose). Both are configurable, and what the observer sees on screen is your answer to the particular challenge shown, not the secrets themselves, so watching you unlock the device does not hand over your credentials. Note that this only holds while the challenge changes from one unlock to the next: a game that presents the same board and accepts the same tap sequence every time is just a PIN in disguise.
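The following toy model is an added illustration of the two-secret idea, not code from this page, from SPINT or from TouchyNotes. It assumes a made-up game: ten tiles showing the digits 0-9 are shuffled on every unlock, the "purpose" secret is a four-digit PIN, and the "rule" secret is an offset, so the user taps the tile that sits `offset` places after the tile showing each PIN digit. The boards and secrets are constructed sample data. The point it makes is that taps recorded from one unlock do not replay on a freshly shuffled board, but they do replay if the board is reused, and that a patient observer who records several unlocks can narrow the secrets by brute force.

```python
"""Shoulder surfing against a plain PIN pad versus a challenge-based login game.
Constructed illustration; the game and its rule are hypothetical."""
import itertools

N_TILES = 10   # one tile per digit 0-9, shuffled on every unlock
PIN_LEN = 4


def positions(board):
    """Map digit -> tile position for a board (board[pos] is the digit shown at pos)."""
    return {digit: pos for pos, digit in enumerate(board)}


def taps_for(pos, pin, offset):
    """Taps the legitimate user makes: for each PIN digit, tap the tile `offset`
    places after the tile showing that digit, wrapping around the board."""
    return tuple((pos[d] + offset) % N_TILES for d in pin)


def game_answer(board, pin, offset):
    """Secret 1 (purpose): the PIN. Secret 2 (rule): the offset."""
    return taps_for(positions(board), pin, offset)


def login_game_ok(board, pin, offset, taps):
    return tuple(taps) == game_answer(board, pin, offset)


def pin_ok(pin, typed):
    """A plain PIN pad: what is typed is the secret itself."""
    return tuple(typed) == tuple(pin)


def consistent_secrets(observations):
    """Brute-force every (pin, offset) pair that explains every observed
    (board, taps) session; this is what a patient observer can infer."""
    obs = [(positions(board), tuple(taps)) for board, taps in observations]
    survivors = []
    for pin in itertools.product(range(N_TILES), repeat=PIN_LEN):
        for offset in range(N_TILES):
            if all(taps_for(pos, pin, offset) == taps for pos, taps in obs):
                survivors.append((pin, offset))
    return survivors


# Constructed sample data: the user's secrets and two unlock sessions
# with different shuffles of the ten tiles.
PIN, OFFSET = (3, 1, 4, 1), 2
BOARD_1 = [7, 3, 9, 1, 0, 4, 8, 2, 6, 5]
BOARD_2 = [1, 6, 2, 8, 3, 5, 0, 9, 4, 7]


def demo():
    taps_1 = game_answer(BOARD_1, PIN, OFFSET)   # what the observer records
    taps_2 = game_answer(BOARD_2, PIN, OFFSET)
    return {
        # PIN pad: one glance at the typed digits and the replay works.
        "pin_replay": pin_ok(PIN, PIN),
        # Login game: the recorded taps fail on a freshly shuffled board...
        "game_replay_new_board": login_game_ok(BOARD_2, PIN, OFFSET, taps_1),
        # ...but succeed if the same board is shown again (the challenge must change).
        "game_replay_same_board": login_game_ok(BOARD_1, PIN, OFFSET, taps_1),
        # How far one recorded unlock narrows the secrets, versus two.
        "candidates_after_one": len(consistent_secrets([(BOARD_1, taps_1)])),
        "candidates_after_two": len(consistent_secrets([(BOARD_1, taps_1),
                                                        (BOARD_2, taps_2)])),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this toy, a single recorded unlock leaves ten (PIN, offset) candidates, one per possible offset, but a second recording on a different board pins the secrets down to one. That is the caveat worth carrying to any real login game: the rule secret must carry enough entropy, or the challenge enough variation, that several recorded sessions still leave an observer guessing.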

For more details about how (and why) a quick game can be used as a login method, click here.

There are many ways such a quick game could be implemented. One possible approach is SPINT technology.

To try it yourself, download our free TouchyNotes app, which protects your sensitive data against the HITBAD problem.



presi#hitbad
Igor Polivanyi
Last update: Feb 2, 2018