Strengthening e-banking security using keystroke dynamics

This paper investigates keystroke dynamics and its possible use as a tool to prevent or detect fraud in the banking industry. Given that banks are constantly on the lookout for improved methods to address the menace of fraud, the paper sets out to review keystroke dynamics, its advantages, disadvantages and potential for improving the security of e-banking systems. This paper evaluates keystroke dynamics suitability of use for enhancing security in the banking sector. Results from the literature review found that keystroke dynamics can offer impressive accuracy rates for user identification. Low costs of deployment and minimal change to users modus operandi make this technology an attractive investment for banks. The paper goes on to argue that although this behavioural biometric may not be suitable as a primary method of authentication, it can be used as a secondary or tertiary method to complement existing authentication systems

Development of a typing behaviour recognition mechanism on Android

This paper proposes a biometric authentication system which use password based and behavioural traits (typing behaviours) authentication technology to establish user’s identity on a mobile phone. The proposed system can work on the latest smart phone platform. It uses mobile devices to capture user’s keystroke data and transmit it to web server. The authentication engine will establish if a user is genuine or fraudulent. In addition, a multiplier of the standard deviation “α” has been defined which aims to achieve the balance between security and usability. Experimental results indicate that the developed authentication system is highly reliable and very secure with an equal error rate is below 7.5%

Keystroke dynamics in the pre-touchscreen era

Biometric authentication seeks to measure an individual’s unique physiological attributes for the purpose of identity verification. Conventionally, this task has been realized via analyses of fingerprints or signature iris patterns. However, whilst such methods effectively offer a superior security protocol compared with password-based approaches for example, their substantial infrastructure costs, and intrusive nature, make them undesirable and indeed impractical for many scenarios. An alternative approach seeks to develop similarly robust screening protocols through analysis of typing patterns, formally known as keystroke dynamics. Here, keystroke analysis methodologies can utilize multiple variables, and a range of mathematical techniques, in order to extract individuals’ typing signatures. Such variables may include measurement of the period between key presses, and/or releases, or even key-strike pressures. Statistical methods, neural networks, and fuzzy logic have often formed the basis for quantitative analysis on the data gathered, typically from conventional computer keyboards. Extension to more recent technologies such as numerical keypads and touch-screen devices is in its infancy, but obviously important as such devices grow in popularity. Here, we review the state of knowledge pertaining to authentication via conventional keyboards with a view toward indicating how this platform of knowledge can be exploited and extended into the newly emergent type-based technological contexts

Implicit Smartphone User Authentication with Sensors and Contextual Machine Learning

Authentication of smartphone users is important because a lot of sensitive data is stored in the smartphone and the smartphone is also used to access various cloud data and services. However, smartphones are easily stolen or co-opted by an attacker. Beyond the initial login, it is highly desirable to re-authenticate end-users who are continuing to access security-critical services and data. Hence, this paper proposes a novel authentication system for implicit, continuous authentication of the smartphone user based on behavioral characteristics, by leveraging the sensors already ubiquitously built into smartphones. We propose novel context-based authentication models to differentiate the legitimate smartphone owner versus other users. We systematically show how to achieve high authentication accuracy with different design alternatives in sensor and feature selection, machine learning techniques, context detection and multiple devices. Our system can achieve excellent authentication performance with 98.1% accuracy with negligible system overhead and less than 2.4% battery consumption.Comment: Published on the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) 2017. arXiv admin note: substantial text overlap with arXiv:1703.0352

A novel word-independent gesture-typing continuous authentication scheme for mobile devices

In this study, we produce a new continuous authentication scheme for gesture-typing on mobile devices. Our scheme is the first scheme that authenticates gesture-typing interactions in a word-independent format. The scheme relies on groupings of features extracted from the word gesture after it has been reduced to parts common to all gestures. We show that movement sensors are also important in differentiating between users. We describe the feature extraction processes and analyse our proposed feature set. The unique process of our authentication scheme is presented and described. We collect our own gesture typing dataset including data collected during sitting, standing and walking activities for realism. We test our features against state-of-the-art touch-screen interaction features and compare feature extraction times on real mobile devices. Our scheme authenticates users with an equal error rate of 3.58% for a single word-gesture. The equal error rate is reduced to 0.81% when 3 word-gestures are used to authenticate

Deployment of Keystroke Analysis on a Smartphone

The current security on mobile devices is often limited to the Personal Identification Number (PIN), a secretknowledge based technique that has historically demonstrated to provide ineffective protection from misuse. Unfortunately, with the increasing capabilities of mobile devices, such as online banking and shopping, the need for more effective protection is imperative. This study proposes the use of two-factor authentication as an enhanced technique for authentication on a Smartphone. Through utilising secret-knowledge and keystroke analysis, it is proposed a stronger more robust mechanism will exist. Whilst keystroke analysis using mobile devices have been proven effective in experimental studies, these studies have only utilised the mobile device for capturing samples rather than the more computationally challenging task of performing the actual authentication. Given the limited processing capabilities of mobile devices, this study focuses upon deploying keystroke analysis to a mobile device utilising numerous pattern classifiers. Given the trade-off with computation versus performance, the results demonstrate that the statistical classifiers are the most effective

Secure Pick Up: Implicit Authentication When You Start Using the Smartphone

We propose Secure Pick Up (SPU), a convenient, lightweight, in-device, non-intrusive and automatic-learning system for smartphone user authentication. Operating in the background, our system implicitly observes users' phone pick-up movements, the way they bend their arms when they pick up a smartphone to interact with the device, to authenticate the users. Our SPU outperforms the state-of-the-art implicit authentication mechanisms in three main aspects: 1) SPU automatically learns the user's behavioral pattern without requiring a large amount of training data (especially those of other users) as previous methods did, making it more deployable. Towards this end, we propose a weighted multi-dimensional Dynamic Time Warping (DTW) algorithm to effectively quantify similarities between users' pick-up movements; 2) SPU does not rely on a remote server for providing further computational power, making SPU efficient and usable even without network access; and 3) our system can adaptively update a user's authentication model to accommodate user's behavioral drift over time with negligible overhead. Through extensive experiments on real world datasets, we demonstrate that SPU can achieve authentication accuracy up to 96.3% with a very low latency of 2.4 milliseconds. It reduces the number of times a user has to do explicit authentication by 32.9%, while effectively defending against various attacks.Comment: Published on ACM Symposium on Access Control Models and Technologies (SACMAT) 201

Conceivable security risks and authentication techniques for smart devices

With the rapidly escalating use of smart devices and fraudulent transaction of users’ data from their devices, efficient and reliable techniques for authentication of the smart devices have become an obligatory issue. This paper reviews the security risks for mobile devices and studies several authentication techniques available for smart devices. The results from field studies enable a comparative evaluation of user-preferred authentication mechanisms and their opinions about reliability, biometric authentication and visual authentication techniques

Advanced user authentification for mobile devices

Access to the full-text thesis is no longer available at the author's request, due to 3rd party copyright restrictions. Access removed on 28.11.2016 by CS (TIS).Metadata merged with duplicate record ( http://hdl.handle.net/10026.1/1101 - now deleted) on 20.12.2016 by CS (TIS).Recent years have witnessed widespread adoption of mobile devices. Whereas initial popularity was driven by voice telephony services, capabilities are now broadening to allow an increasing range of data orientated services. Such services serve to extend the range of sensitive data accessible through such devices and will in turn increase the requirement for reliable authentication of users. This thesis considers the authentication requirements of mobile devices and proposes novel mechanisms to improve upon the current state of the art. The investigation begins with an examination of existing authentication techniques, and illustrates a wide range of drawbacks. A survey of end-users reveals that current methods are frequently misused and considered inconvenient, and that enhanced methods of security are consequently required. To this end, biometric approaches are identified as a potential means of overcoming the perceived constraints, offering an opportunity for security to be maintained beyond pointof- entry, in a continuous and transparent fashion. The research considers the applicability of different biometric approaches for mobile device implementation, and identifies keystroke analysis as a technique that can offer significant potential within mobile telephony. Experimental evaluations reveal the potential of the technique when applied to a Personal Identification Number (PIN), telephone number and text message, with best case equal error rates (EER) of 9%, 8% and 18% respectively. In spite of the success of keystroke analysis for many users, the results demonstrate the technique is not uniformly successful across the whole of a given population. Further investigation suggests that the same will be true for other biometrics, and therefore that no single authentication technique could be relied upon to account for all the users in all interaction scenarios. As such, a novel authentication architecture is specified, which is capable of utilising the particular hardware configurations and computational capabilities of devices to provide a robust, modular and composite authentication mechanism. The approach, known as IAMS (Intelligent Authentication Management System), is capable of utilising a broad range of biometric and secret knowledge based approaches to provide a continuous confidence measure in the identity of the user. With a high confidence, users are given immediate access to sensitive services and information, whereas with lower levels of confidence, restrictions can be placed upon access to sensitive services, until subsequent reassurance of a user's identity. The novel architecture is validated through a proof-of-concept prototype. A series of test scenarios are used to illustrate how IAMS would behave, given authorised and impostor authentication attempts. The results support the use of a composite authentication approach to enable the non-intrusive authentication of users on mobile devices.Orange Personal Communication Services Ltd