35 research outputs found
Risks of Offline Verify PIN on Contactless Cards
Contactless card payments are being introduced around the world al- lowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require veri- fication of the cardholder’s PIN. However our research has found the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder’s PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder
Memorable And Secure: How Do You Choose Your PIN?
Managing all your PINs is difficult. Banks acknowledge this by allowing and facilitating PIN
changes. However, choosing secure PINs is a difficult task for humans as they are incapable of
consciously generating randomness. This leads to certain PINs being chosen more frequently
than others, which in turn increases the danger of someone else guessing correctly. We
investigate different methods of supporting PIN changes and report on an evaluation of these
methods in a study with 152 participants. Our contribution is twofold: We introduce an
alternative to system-generated random PINs, which considers people’s preferred
memorisation strategy, and, secondly, we provide indication that presenting guidance on how
to avoid insecure PINs does indeed nudge people towards more secure PIN choices when they
are in the process of changing their PINs
Red Button and Yellow Button: Usable Security for Lost Security Tokens
Currently, losing a security token places the user in a dilemma: reporting the loss as soon as it is discovered involves a significant burden which is usually overkill in the common case that the token is later found behind a sofa. Not reporting the loss, on the other hand, puts the security of the protected account at risk and potentially leaves the user liable.
We propose a simple architectural solution with wide applicability that allows the user to reap the security benefit of reporting the loss early, but without paying the corresponding usability penalty if the event was later discovered to be a false alarm.The authors with a Cambridge affiliation are grateful to the European Research Council for funding this research through grant StG 307224 (Pico). Goldberg thanks NSERC for grant RGPIN-341529. We also thank the workshop attendees for comments
PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos
This paper studies leakage of user passwords and PINs based on observations
of typing feedback on screens or from projectors in the form of masked
characters that indicate keystrokes. To this end, we developed an attack called
Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our
attack extracts inter-keystroke timing information from videos of password
masking characters displayed when users type their password on a computer, or
their PIN at an ATM. We conducted several experiments in various attack
scenarios. Results indicate that, while in some cases leakage is minor, it is
quite substantial in others. By leveraging inter-keystroke timings, PILOT
recovers 8-character alphanumeric passwords in as little as 19 attempts. When
guessing PINs, PILOT significantly improved on both random guessing and the
attack strategy adopted in our prior work [4]. In particular, we were able to
guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold
improvement compared to random guessing. Our results strongly indicate that
secure password masking GUIs must consider the information leakage identified
in this paper
Revisiting Security Vulnerabilities in Commercial Password Managers
In this work we analyse five popular commercial password managers for security vulnerabilities. Our analysis is twofold. First, we compile a list of previously disclosed vulnerabilities through a comprehensive review of the academic and non-academic sources and test each password manager against all the previously disclosed vulnerabilities. We find a mixed picture of fixed and persisting vulnerabilities. Then we carry out systematic functionality tests on the considered password managers and find four new vulnerabilities. Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result steal the user's password for the targeted service. We implement a proof-of-concept attack to show the feasibility of this vulnerability in a real-life scenario. Finally, we report and reflect on our experience of responsible disclosure of the newly discovered vulnerabilities to the corresponding password manager vendors
It's not stealing if you need it: A panel on the ethics of performing research using public data of illicit origin
In a world where sensitive data can be published to a worldwide audience with the press of a button, researchers are increasingly making use of datasets that were publicized under questionable circumstances. In many cases, such research would otherwise not
Towards Baselines for Shoulder Surfing on Mobile Authentication
Given the nature of mobile devices and unlock procedures, unlock
authentication is a prime target for credential leaking via shoulder surfing, a
form of an observation attack. While the research community has investigated
solutions to minimize or prevent the threat of shoulder surfing, our
understanding of how the attack performs on current systems is less well
studied. In this paper, we describe a large online experiment (n=1173) that
works towards establishing a baseline of shoulder surfing vulnerability for
current unlock authentication systems. Using controlled video recordings of a
victim entering in a set of 4- and 6-length PINs and Android unlock patterns on
different phones from different angles, we asked participants to act as
attackers, trying to determine the authentication input based on the
observation. We find that 6-digit PINs are the most elusive attacking surface
where a single observation leads to just 10.8% successful attacks, improving to
26.5\% with multiple observations. As a comparison, 6-length Android patterns,
with one observation, suffered 64.2% attack rate and 79.9% with multiple
observations. Removing feedback lines for patterns improves security from
35.3\% and 52.1\% for single and multiple observations, respectively. This
evidence, as well as other results related to hand position, phone size, and
observation angle, suggests the best and worst case scenarios related to
shoulder surfing vulnerability which can both help inform users to improve
their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference
(ACSAC