Targeted Mimicry Attacks on Touch Input Based Implicit Authentication Schemes

Touch input implicit authentication ("touch IA") employs behavioural biometrics like touch location and pressure to continuously and transparently authenticate smartphone users. We provide the first-ever evaluation of targeted mimicry attacks on touch IA and show that it fails against shoulder surfing and offline training attacks. Based on experiments with three diverse touch IA schemes and 256 unique attacker-victim pairs, we show that shoulder surfing attacks have a bypass success rate of 84%, with the majority of successful attackers observing the victim's behaviour for less than two minutes. Therefore, the accepted assumption that shoulder surfing attacks on touch IA are infeasible due to the hidden nature of some features is incorrect. For offline training attacks, we created an open-source training app for attackers to train on their victims' touch data. With this training, attackers achieved bypass success rates of 86%, even with only partial knowledge of the underlying features used by the IA scheme. Previous work failed to find these severe vulnerabilities due to its focus on random, non-targeted attacks. Our work demonstrates the importance of considering targeted mimicry attacks to evaluate the security of an implicit authentication scheme. Based on our results, we conclude that touch IA is unsuitable from a security standpoint.
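The abstract's central methodological point is that a false-accept rate measured against random, non-targeted impostors says little about a scheme's security when an attacker can adapt to one victim. The following harness is an added illustration of that evaluation gap; it is not code from the paper, its training app, or any of the three touch IA schemes studied. It assumes a deliberately simple touch IA model (a per-user Gaussian template over three constructed features, acceptance when the mean squared z-score of a touch is under a threshold), equal per-touch variability for every user, and a mimicry model in which an adapted attacker's feature means equal the victim's plus Gaussian "observation error"; all numeric values are constructed.

```python
"""Toy evaluation harness: random-impostor versus targeted-mimicry acceptance
rates for a per-user Gaussian touch-IA template. Everything here is constructed
for illustration; it is not the paper's code or any real touch IA scheme."""
import random
from statistics import mean, stdev

FEATURES = ("pressure", "x_location", "duration")
# Constructed per-touch variability, assumed identical for every user (simplification).
FEATURE_STD = {"pressure": 0.04, "x_location": 0.06, "duration": 0.05}
# Constructed spread of user means across the population, in multiples of FEATURE_STD.
POPULATION_SPREAD = 4.0


def draw_touches(rng, means, n):
    """Simulate n touches for a user whose typical value per feature is `means`."""
    return [{f: rng.gauss(means[f], FEATURE_STD[f]) for f in FEATURES} for _ in range(n)]


def enroll(touches):
    """Template = per-feature (mean, std) estimated from the owner's enrollment touches."""
    return {f: (mean(t[f] for t in touches), stdev(t[f] for t in touches)) for f in FEATURES}


def score(template, touch):
    """Mean squared z-score; lower means the touch looks more like the template owner."""
    return mean(((touch[f] - m) / sd) ** 2 for f, (m, sd) in template.items())


def accept_rate(template, touches, threshold):
    """Fraction of touches the IA scheme would accept as the template owner."""
    return sum(score(template, t) <= threshold for t in touches) / len(touches)


def mimic_means(victim_means, rng, observation_error):
    """Adapted attacker means: the victim's means plus residual observation error,
    given in multiples of FEATURE_STD (0 = perfect knowledge). Assumed model."""
    return {f: victim_means[f] + rng.gauss(0.0, observation_error * FEATURE_STD[f])
            for f in FEATURES}


def evaluate(n_users=8, touches_per_pair=100, threshold=2.0, seed=0):
    """Return mean acceptance rates over all attacker-victim pairs for three settings:
    genuine user, random (non-targeted) impostor, and targeted mimicry at two
    observation-error levels."""
    rng = random.Random(seed)
    user_means = [{f: 0.5 + rng.gauss(0.0, POPULATION_SPREAD * FEATURE_STD[f])
                   for f in FEATURES} for _ in range(n_users)]
    templates = [enroll(draw_touches(rng, m, 200)) for m in user_means]
    tallies = {"genuine": [], "random_impostor": [], "mimic_fine": [], "mimic_coarse": []}
    for v, victim_template in enumerate(templates):
        genuine = draw_touches(rng, user_means[v], touches_per_pair)
        tallies["genuine"].append(accept_rate(victim_template, genuine, threshold))
        for a in range(n_users):
            if a == v:
                continue
            # Random impostor: attacker a simply uses the phone with their own behaviour.
            own = draw_touches(rng, user_means[a], touches_per_pair)
            tallies["random_impostor"].append(accept_rate(victim_template, own, threshold))
            # Targeted mimicry: attacker a adapts towards victim v, with residual error.
            for label, err in (("mimic_fine", 0.25), ("mimic_coarse", 1.0)):
                adapted = draw_touches(rng, mimic_means(user_means[v], rng, err), touches_per_pair)
                tallies[label].append(accept_rate(victim_template, adapted, threshold))
    return {label: mean(rates) for label, rates in tallies.items()}


if __name__ == "__main__":
    for label, rate in evaluate().items():
        print(f"{label:16s} acceptance rate = {rate:.2f}")
```

Run as-is, the random-impostor acceptance rate is close to zero, which is the number a random-attack evaluation would report as the scheme's false-accept rate, while the same templates accept the large majority of touches from an adapted attacker, and still a substantial share when the attacker's picture of the victim is coarse. For an evaluator the takeaway is to report the targeted rate (per attacker-victim pair, as a function of observation quality) alongside the random one; the 84% and 86% figures in the abstract are measurements of that targeted rate on real schemes and real participants, not outputs of this toy model.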
