Two-Thumbs-Up: Physical protection for PIN entry secure against recording attacks

Abstract: We present a new Personal Identification Number (PIN) entry method for smartphones that can be used in security-critical applications, such as smartphone banking. The proposed “Two-Thumbs-Up” (TTU) scheme is resilient against observation attacks such as shoulder-surfing and camera recording, and guides users to protect their PIN information from eavesdropping by shielding the challenge area on the touch screen. To demonstrate the feasibility of TTU, we conducted a user study for TTU and compared it with existing authentication methods (Normal PIN, Black and White PIN, and ColorPIN) in terms of usability and security. The study results demonstrate that TTU is more secure than the other PIN entry methods in the presence of an observer recording multiple authentication sessions.
