The PIN for a smartphone can be revealed by its camera and microphone, researchers have warned.
Using a program called PIN Skimmer, a team from the University of Cambridge found that codes entered on a number-only soft keypad could be identified.
The software watches your face via the camera and listens to clicks through the microphone as you type.
The tests were carried out on the Google Nexus-S and the Galaxy S3 smartphones.
"We demonstrated that the camera, usually used for conferencing or face recognition, can be used maliciously," say the report's authors, Prof Ross Anderson and Laurent Simon.
According to the research, the microphone is used to detect "touch-events" as a user enters their PIN. In effect, it can "hear" the clicks that the phone makes as a user presses the virtual number keys.
The camera then estimates the orientation of the phone as the user is doing this and "correlates it to the position of the digit tapped by the user".
"We watch how your face appears to move as you jiggle your phone by typing," said Ross Anderson, professor of security engineering at Cambridge University.
"It did surprise us how well it worked," he told the BBC.
When trying to work out four-digit PINs, the program was successful more than 50% of the time after five attempts. With eight-digit PINs the success rate was 60% after 10 attempts.
Many smartphone users set a PIN to lock their phone, but PINs are increasingly used to access other types of applications on a smartphone, including banking apps.
This raises the question of which resources should remain accessible on a phone when someone is entering a sensitive PIN, say the report's authors.
"For instance when a call comes in, the user needs to hear the ring tone while unlocking his phone; otherwise he may assume the caller has hung up."
One suggestion to prevent a PIN being identified is to use a longer number, but the researchers warn this affects "memorability and usability".
"Randomising" the position of numbers on the keypad is also suggested but the researchers believe this would "cripple usability on phones".
Getting rid of passwords altogether and using fingerprints or face recognition are offered as more drastic solutions.
"If you're developing payment apps, you'd better be aware that these risks exist," warns Prof Anderson.