If one has to enter a PIN code, say 4 digits, on a touchscreen of e.g. an ATM or a smartphone, one can see which positions were touched. This can be done with a heat camera or just by checking for "finger-wax".
If one knows the 4 digits, assuming they are all different, the hacker has 4! = 24 possibilities to guess the PIN code. Mathematically one can prove that if you have an N-digit PIN code, you had better have one digit twice (e.g. abbc). As the hacker doesn't know which digit is used twice, there are more possibilities, but still not too many.
How could we prevent the heat / finger wax “attack”?
The idea is as follows: imagine a touchscreen with a numeric keypad, typically 4x3. There are 2 common layouts, calculator (high digits in the top row) and phone (high digits in the bottom row).
If we randomized the keys of the keypad every time, the same PIN code would be a different pattern: presses on different positions, different moves. In the extreme, the keypad layout could change after each key selected. Yes, it would be harder for the user, but almost impossible for the hacker.
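A worked count of what a heat or residue observer is left with under each keypad policy (fixed layout, one shuffle per PIN entry, a shuffle after every key press), added here as an illustration and not part of the original question. It assumes the observer sees only which positions were touched, not their order or how often, and cross-checks the closed form against brute-force enumeration.

```python
"""Candidate-space estimate for a thermal/residue observer of a PIN pad.

The observer sees which keypad positions were touched (not the order or
the repeat count). With a fixed layout each position is one known digit;
with a layout shuffled once per entry only the number of distinct digits
leaks; with a shuffle after every press the positions carry no information.
"""
from itertools import product
from math import comb


def surjections(n: int, k: int) -> int:
    """Number of length-n digit sequences that use exactly k given digits,
    each at least once (inclusion-exclusion over the omitted digits)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def candidates_fixed_layout(pin_len: int, touched: int) -> int:
    """Fixed layout: touched positions map to known digits; the attacker
    only needs the order and which digit (if any) repeats."""
    return surjections(pin_len, touched)


def candidates_shuffled_per_entry(pin_len: int, touched: int) -> int:
    """Layout randomised once per PIN entry: positions reveal only that the
    PIN uses exactly `touched` distinct digits, not which ones."""
    return comb(10, touched) * surjections(pin_len, touched)


def candidates_shuffled_per_press(pin_len: int) -> int:
    """Layout randomised after every key press: positions are independent
    of the digits, so every PIN remains possible."""
    return 10 ** pin_len


def brute_force_fixed(pin_len: int, touched_digits: set) -> int:
    """Enumerate every PIN and count those consistent with a fixed-layout
    observation (constructed check of the closed form above)."""
    return sum(1 for p in product(range(10), repeat=pin_len)
               if set(p) == touched_digits)


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"4-digit PIN, {k} keys seen: "
              f"fixed={candidates_fixed_layout(4, k):>5}  "
              f"per-entry shuffle={candidates_shuffled_per_entry(4, k):>5}  "
              f"per-press shuffle={candidates_shuffled_per_press(4)}")
```

For a 4-digit PIN the fixed-layout count is 24 with four distinct digits but 36 with one repeated digit, which is the claim made in the question.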
It would be easy enough to randomise the character associated with each key, and given that the keypad is displayed on a screen, each key could be labelled with its current value.
You could take it a step further and have each number float around on screen in a bubble. This way they are always moving and not in a set layout. You will just need to add the collision logic so that no two buttons overlap.
You could also be diabolical and put the numbers in a looping carousel.
You can indeed reduce the effectiveness of thermal or residue attacks by breaking the link between the PIN and the touched locations, or by reducing the persistence or visibility of traces. Randomizing the keypad is one option and my bank does that, for example: when I need to log in, they ask for my 6-digit PIN code and randomize the position of the digits on screen.
The UI could also be different, for example a scroll wheel to select the numbers (the numbers are displayed as you scroll, and once it stops the number fades into a * so it's not visible).
You could ask the user to perform decoy touches before or after entering the PIN so that real touches become indistinguishable among the others. Some ATMs use that approach (asking you if you want 100€ as 2x50€, 10x10€, etc., with a validate button, all in the same positions as the PIN keys).
Some ATMs blur heat traces by actively heating or cooling the touchscreen surface so that the user’s touches do not differ thermally from the background and deal with the residue attack by using a textured or oleophobic surface that reduces the adherence of residues and minimizes visible patterns.
I haven't touched an ATM keypad since the 1990s because none of "yall" wash your hands, evAr (statistically). I use a stylus or a knuckle that usually has a scab or cracked skin.
P.S. My circulation is so lacking, my phone does not "hear" my fingers if the temperature is near "cellar" temperature.