A PIN-entry method resilient against shoulder surfing

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A PIN-entry method resilient against shoulder surfing

Full text

Pdf (301 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 11th ACM conference on Computer and communications security table of contents

Washington DC, USA

SESSION: Puzzles and users table of contents

Pages: 236 - 245

Year of Publication: 2004

ISBN:1-58113-961-6

Authors

Volker Roth	OGM Laboratory LLC
Kai Richter	ZGDV
Rene Freidinger	Technical University Darmstadt, Germany

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 20, Downloads (12 Months): 158, Citation Count: 14

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1030083.1030116 What is a DOI?

ABSTRACT

Magnetic stripe cards are in common use for electronic payments and cash withdrawal. Reported incidents document that criminals easily pickpocket cards or skim them by swiping them through additional card readers. Personal identification numbers (PINs) are obtained by shoulder surfing, through the use of mirrors or concealed miniature cameras. Both elements, the PIN and the card, are generally sufficient to give the criminal full access to the victim's account. In this paper, we present alternative PIN entry methods to which we refer as cognitive trapdoor games. These methods make it significantly harder for a criminal to obtain PINs even if he fully observes the entire input and output of a PIN entry procedure. We also introduce the idea of probabilistic cognitive trapdoor games, which offer resilience to shoulder surfing even if the criminal records a PIN entry procedure with a camera. We studied the security as well as the usability of our methods, the results of which we also present in the paper.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	http://www.swiveltechnologies.com, July 2004.
	2	http://www.hirschelectronics.com/Products_ScramblePads.asp, July 2004.
	3	Passfaces. www.realuser.com, Apr. 2004.
	4	Ross Anderson, Why cryptosystems fail, Proceedings of the 1st ACM conference on Computer and communications security, p.215-227, November 03-05, 1993, Fairfax, Virginia, United States [doi>10.1145/168588.168615]
	5	Dirk Balfanz, Usable Access Control for the World Wide Web, Proceedings of the 19th Annual Computer Security Applications Conference, p.406, December 08-12, 2003
	6	BRADER, M. Shoulder-surfing automated. Risks Digest 19.70, Apr. 1998.
	7	BRIER, E., NACCACHE, D., AND PAILLIER, P. Chemical combinatorial attacks on keyboards. International Association for Cryptographic Research ePrint Archive 2003, 217 (2003).
	8	BROOKE, J. SUS: A quick and dirty usability scale. In Usability evaluation in industry, P. Jordan, B. Thomas, B. Weerdmeester, and I. McClelland, Eds. Taylor and Francis, London, 1996, pp. 189--194.
	9	COLVILLE, J. Atm scam netted $620,000 australian. Risks Digest 22.85, Aug. 2003.
	10	COUNT ZERO. Card-o-rama: Magnetic stripe technology and beyond. Phrack, 37 (1992).
	11	DHAMIJA, R., AND PERRIG, A. Déjà vu: A user study using images for authentication. In Proc. 9th USENIX Security Symposium (Denver, CO, USA, Aug. 2000).
	12	Paul Dourish , David Redmiles, An approach to usable security based on event monitoring and visualization, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia [doi>10.1145/844102.844116]
	13	HOPPER, N. J., AND BLUM, M. A secure human-computer authentication scheme. Technical Report CMU-CS-00-139, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, May 2000.
	14	Nicholas J. Hopper , Manuel Blum, Secure Human Identification Protocols, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.52-66, December 09-13, 2001
	15	INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, May 2002. TC 68/SC 6.
	16	KUHN, M. Probability theory for pickpockets - ec-PIN guessing. Available at http://www.cl.cam.ac.uk/~mgk25/, 1997.
	17	LI, X.-Y., AND TENG, S.-H. Practical human-machine identification over insecure channels. Journal of Combinatorial Optimization 3, 4 (1999).
	18	MATSUMOTO, T., AND IMAI, H. Human identification through insecure channel. In EUROCRYPT (1991), D. W. Davies, Ed., vol. 547 of Lecture Notes in Computer Science, Springer Verlag, pp. 409--421.
	19	MILLER, G. A. The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review 63 (1956), 81--97.
	20	MOLLER, B. Schwachen des ec-PIN-Verfahrens. Available at http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller, Feb. 1997. Manuscript.
	21	MURDOCK, B. B. The retention of individual items. Journal of of Experimental Psychology 62 (1961), 618--625.
	22	Andrew S. Patrick , A. Chris Long , Scott Flinn, HCI and security systems, CHI '03 extended abstracts on Human factors in computing systems, April 05-10, 2003, Ft. Lauderdale, Florida, USA [doi>10.1145/765891.766146]
	23	PERTERSON, L. R., AND PETERSON, M. J. Short-term retention of individual verbal items. Journal of of Experimental Psychology, 58 (1959), 193--198.
	24	PLATH, H.-E., AND RICHTER, P. Ermüdungs-Monotonie-Sättigung-Stress (BMS). Tech. rep., Psychodiagnostisches Zentrum, Dresden, Germany, 1984.
	25	SASSE, M. A. Computer security: Anatomy of a usability, and a plan for recovery. {22}.
	26	D. K. Smetters , R. E. Grinter, Moving from the design of usable security technologies to the design of useful secure applications, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia [doi>10.1145/844102.844117]
	27	Sidney L. Smith, Authenticating users by word associations, Computers and Security, v.6 n.6, p.464-470, December 1, 1987 [doi>10.1016/0167-4048(87)90027-7]
	28	Yishay Spector , Jacob Ginzberg, Pass-sentence—a new approach to computer code, Computers and Security, v.13 n.2, p.145-160, April 1994 [doi>10.1016/0167-4048(94)90064-7]
	29	STIRZAKER, D. Elementary Probability, 2nd ed. Cambridge University Press, 2003.
	30	SUMMERS, C., AND TOYNE, S. Gangs preying on cash machines. BBC News Online, Oct. 2003.
	31	TOM MARKOTTEN, D. G. User-centered security engineering. In Proc. 4th NordU Conference (Helsinki, Finland, Feb. 2002).
	32	VOGEL, E. K., AND MACHIZAWA, M. G. Neural activity predicts individual differences in visual working memory capacity. Nature 428 (Apr. 2004), 748--751.
	33	WEINSTOCK, C. Atm fraud. Risks Digest 4.86, May 1987.
	34	WHITTEN, A., AND TYGAR, J. D. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proc. 9th USENIX Security Symposium (August 1999).
	35	WILFONG, G. T. Method and apparatus for secure PIN entry. US Patent #5,940,511, United States Patent and Trademark Office, May 1997. Assignee: Lucent Technologies, Inc. (Murray Hill, NJ).
	36	WOOD, D. Spain uncovers hi-tech cashpoint fraud. BBC News Online, Jan. 2003.
	37	Ka-Ping Yee, User Interaction Design for Secure Systems, Proceedings of the 4th International Conference on Information and Communications Security, p.278-290, December 09-12, 2002
	38	Moshe Zviran , William J. Haga, Cognitive passwords: the key to easy access control, Computers and Security, v.9 n.9, p.723-736, Dec. 1990 [doi>10.1016/0167-4048(90)90115-A]

CITED BY 14

	Desney S. Tan , Pedram Keyani , Mary Czerwinski, Spy-resistant keyboard: more secure password entry on public touch screen displays, Proceedings of the 19th conference of the computer-human interaction special interest group (CHISIG) of Australia on Computer-human interaction: citizens online: considerations for today and the future, November 21-25, 2005, Canberra, Australia
	Susan Wiedenbeck , Jim Waters , Leonardo Sobrado , Jean-Camille Birget, Design and evaluation of a shoulder-surfing resistant graphical password scheme, Proceedings of the working conference on Advanced visual interfaces, May 23-26, 2006, Venezia, Italy
	Julie Thorpe , P. C. van Oorschot , Anil Somayaji, Pass-thoughts: authenticating with our minds, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
	Saranga Komanduri , Dugald R. Hutchings, Order and entropy in picture passwords, Proceedings of graphics interface 2008, May 28-30, 2008, Windsor, Ontario, Canada
	Alexander De Luca , Roman Weiss , Heiko Drewes, Evaluation of eye-gaze interaction methods for security enhanced PIN-entry, Proceedings of the 2007 conference of the computer-human interaction special interest group (CHISIG) of Australia on Computer-human interaction: design: activities, artifacts and environments, November 28-30, 2007, Adelaide, Australia
	Alexander J. DeWitt , Jasna Kuljis, Aligning usability and security: a usability study of Polaris, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania
	Furkan Tari , A. Ant Ozok , Stephen H. Holden, A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania
	Alexander De Luca , Roman Weiss , Heinrich Hussmann, PassShape: stroke based shape passwords, Proceedings of the 2007 conference of the computer-human interaction special interest group (CHISIG) of Australia on Computer-human interaction: design: activities, artifacts and environments, November 28-30, 2007, Adelaide, Australia
	Manu Kumar , Tal Garfinkel , Dan Boneh , Terry Winograd, Reducing shoulder-surfing by using gaze-based password entry, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania
	Hirokazu Sasamoto , Nicolas Christin , Eiji Hayashi, Undercover: authentication usable in front of prying eyes, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy
	Ming Lei , Yang Xiao , Susan V. Vrbsky , Chung-Chih Li, Virtual password using random linear functions for on-line services, ATM machines, and pervasive computing, Computer Communications, v.31 n.18, p.4367-4375, December, 2008
	Alexander De Luca , Martin Denzel , Heinrich Hussmann, Look into my eyes!: can you guess my password?, Proceedings of the 5th Symposium on Usable Privacy and Security, July 15-17, 2009, Mountain View, California
	Alexander De Luca , Emanuel von Zezschwitz , Heinrich Hußmann, Vibrapass: secure authentication based on shared lies, Proceedings of the 27th international conference on Human factors in computing systems, April 04-09, 2009, Boston, MA, USA
	K. V. Renaud, Guidelines for designing graphical authentication mechanism interfaces, International Journal of Information and Computer Security, v.3 n.1, p.60-85, June 2009