smartphone optical illusion hacking security
Hackers looking to steal smartphone users' passcodes could be thwarted by an optical illusion. iStock

Entering your PIN on a cash machine or inputting a passcode onto a mobile phone always comes with the risk that somebody could be watching with the purpose of stealing it. Unless users cover their actions they can be easily viewed and copied – but researchers have created an optical illusion to fool them.

New York University has devised a secure system to thwart 'shoulder-surfing' crooks by employing an eye-bending technique of hybrid images that blends two touchscreen keyboards. The user of either a smartphone or an ATM screen will see one numerical keypad, while the criminal standing at a distance will see another.

The optical trickery is called IllusionPIN and is a first-of-its-kind security counter measure that can combat prying eyes or even spy cameras with such a method. Led by Nasir Memon, professor of computer science and engineering, the technology layers one image of a keyboard with high spatial frequency and another completely different configuration at a low spatial frequency.

"The traditional configuration of numbers on a keypad is so familiar that it's possible for an observer to discern a PIN or access code after several viewings of surveillance video," said Memon. "On a device running IllusionPIN, the user — who is closest to the device — sees one configuration of numbers, but someone looking from a distance sees a completely different keypad."

To make the system even more secure the numerical keyboard configuration is shuffled every time the user is required to input a pin code, making it almost impossible for anyone to remember the pattern used previously.

smartphone optical illusion hacking security
IllusionPIN foils identify theft by deploying a hybrid-image keyboard to confuse would-be hackers. NYU

During a series of 84 simulated shoulder-surfing attacks on smartphone devices the research team revealed no one was able to successfully crack the code. In contrast, they performed the same test without the IllusionPIN tool and saw 100% of the attacks successful.

The humble passcode was once the only line of protection stopping criminals accessing stolen phones but is looking rather rudimentary these days. Smartphone manufacturers have ramped up security by introducing biometric access via fingerprint ID or iris scanning, such as that seen on the Samsung Galaxy S8.

However, a number of users still rely on a four-digit PIN, particularly on ATMs. For modern machines that use a screen rather than a keypad, this optical illusion technology could provide a useful defence.

TSB announced this year that it would be the first European bank to introduce iris scanning for customers logging into its banking app. However some security experts have warned even this along with other biometric measures are risky because if a hacker has managed to somehow steal your biometric identity this cannot be changed, unlike passcodes.