Eberhard Karls Universität Tübingen
Wilhelm-Schickard-Institut für Informatik (WSI)
Arbeitsbereich für Theoretische Informatik/Formale Sprachen

Fotohandy-PIN Method

It is easy for a trojan to tap the password of an online account (email, bank, game server, etc.): the trojan just logs the key strokes while the user is typing the password. The purpose of the Fotohandy-PIN method is to prevent this via the mobile camera phone of the account user.

For this demonstration you need a mobile camera phone on which the Fotohandy-PIN program has been installed. The program and the list of supported camera phones can be found on our download page (in German). If you don't have an appropriate camera phone you can, for this demonstration, call a simulated camera phone:

Take a picture of the 2D code on the screen with the Fotohandy-PIN program on your camera phone. In response, the camera phone will show on its display a number field with permuted digits. Enter your PIN via mouse clicks on the fields of the number field on the screen, according to the permutation shown on the camera display (for this demonstration, the PIN is shown in the "cloud" to the right of the number field). Below you will find an instruction video with English subtitles.

Bank XY, Account 12121212. Please input your PIN:






Why does this method prevent a trojan from tapping the PIN? Because a trojan only "sees" mouse clicks on the empty number field; it does not know which digits the clicks stand for.

The security is guaranteed by a secret key which is already pre-installed for this special demonstration account. An extended variant of the demonstration, in which the key is not pre-installed but is read in by the camera phone, is available here (in German).
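The following Python sketch is an added example, not the Fotohandy-PIN program's own code. It assumes the 2D code carries a random per-login nonce and that phone and server both derive the digit permutation from the pre-installed secret key with HMAC-SHA256; the page does not specify the actual construction, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def derive_layout(key, nonce):
    """Keyed Fisher-Yates shuffle: layout[i] is the digit the phone shows on field i.

    Assumed construction; only a holder of `key` can compute it from the nonce.
    """
    layout = list(DIGITS)
    for i in range(len(layout) - 1, 0, -1):
        # One HMAC output per shuffle step; modulo bias is negligible for 256 bits.
        block = hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
        j = int.from_bytes(block, "big") % (i + 1)
        layout[i], layout[j] = layout[j], layout[i]
    return layout


def server_challenge():
    """Nonce the server would encode in the on-screen 2D code (fresh for every login)."""
    return secrets.token_bytes(16)


def user_clicks(layout, pin):
    """The user finds each PIN digit on the phone display and clicks that field on the PC.

    The returned field indices are all that software on the PC can observe.
    """
    return [layout.index(d) for d in pin]


def server_recover_pin(key, nonce, clicks):
    """The server recomputes the layout and maps the clicked fields back to digits."""
    layout = derive_layout(key, nonce)
    return "".join(layout[c] for c in clicks)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed stand-in for the pre-installed key
    pin = "4711"                    # constructed sample PIN
    nonce = server_challenge()
    clicks = user_clicks(derive_layout(key, nonce), pin)
    print("observable on the PC:", nonce.hex(), clicks)
    print("recovered by server :", server_recover_pin(key, nonce, clicks))
```

Because the nonce changes with every login, the same PIN produces different click positions each time, so a recorded click sequence is not reusable for a later challenge.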

This is the J2ME Version. For the Android version please go here.
