Using Screen Brightness to Improve Security in Mobile Social Network Access

In today's mobile communications landscape, smartphones offer new capabilities for developing sophisticated applications that make daily life easier and more convenient for users. Such applications, which may involve mobile ticketing, identification, access control operations, etc., are often accessible through social network aggregators, which play a fundamental role in the federated identity management space. While this makes modern smartphones very powerful devices, it also makes them very attractive targets for spyware injection. This kind of malware is able to bypass classic authentication measures and steal user credentials even when a secure element is used, and can therefore perform unauthorized mobile access to social network services without the user's consent. Such an event allows the theft of sensitive information or even full identity theft. In this work, we address this issue by introducing BrightPass, a novel authentication mechanism based on screen brightness. BrightPass allows users to authenticate safely with a PIN-based confirmation when specific operations on sensitive data are performed. We compare BrightPass with existing schemes in order to show its usability and security within the social network arena. Furthermore, we empirically assess the security of BrightPass through experimentation. Our tests indicate that BrightPass protects the PIN code against automatic submissions carried out by malware while providing fast authentication phases and reduced error rates.
