Towards a metric for recognition-based graphical password security

Recognition-based graphical password (RBGP) schemes are not easily compared in terms of security. Current research uses many different measures which results in confusion as to whether RBGP schemes are secure against guessing and capture attacks. If it were possible to measure all RBGP schemes in a common way it would provide an easy comparison between them, allowing selection of the most secure design. This paper presents a discussion of potential attacks against recognition-based graphical password (RBGP) authentication schemes. As a result of this examination a preliminary measure of the security of a recognition-based scheme is presented. The security measure is a 4-tuple based on distractor selection, shoulder surfing, intersection and replay attacks. It is aimed to be an initial proposal and is designed in a way which is extensible and adjustable as further research in the area develops. Finally, an example is provided by application to the PassFaces scheme

Fingereye: improvising security and optimizing ATM transaction time based on iris-scan authentication

The tumultuous increase in ATM attacks using eavesdropping, shoulder-surfing, has risen great concerns. Attackers often target the authentication stage where a customer may be entering his login information on the ATM and thus use direct observation techniques by looking over the customer's shoulder to steal his passwords. Existing authentication mechanism employs the traditional password-based authentication system which fails to curb these attacks. This paper addresses this problem using the FingerEye. The FingerEye is a robust system integrated with iris-scan authentication. A customer’s profile is created at registration where the pattern in his iris is analyzed and converted into binary codes. The binary codes are then stored in the bank database and are required for verification prior to any transaction. We leverage on the iris because every user has unique eyes which do not change until death and even a blind person with iris can be authenticated too. We implemented and tested the proposed system using CIMB bank, Malaysia as case study. The FingerEye is integrated with the current infrastructure employed by the bank and as such, no extra cost was incurred. Our result demonstrates that ATM attacks become impractical. Moreover, transactions were executed faster from 6.5 seconds to 1.4 seconds

Towards Baselines for Shoulder Surfing on Mobile Authentication

Given the nature of mobile devices and unlock procedures, unlock authentication is a prime target for credential leaking via shoulder surfing, a form of an observation attack. While the research community has investigated solutions to minimize or prevent the threat of shoulder surfing, our understanding of how the attack performs on current systems is less well studied. In this paper, we describe a large online experiment (n=1173) that works towards establishing a baseline of shoulder surfing vulnerability for current unlock authentication systems. Using controlled video recordings of a victim entering in a set of 4- and 6-length PINs and Android unlock patterns on different phones from different angles, we asked participants to act as attackers, trying to determine the authentication input based on the observation. We find that 6-digit PINs are the most elusive attacking surface where a single observation leads to just 10.8% successful attacks, improving to 26.5\% with multiple observations. As a comparison, 6-length Android patterns, with one observation, suffered 64.2% attack rate and 79.9% with multiple observations. Removing feedback lines for patterns improves security from 35.3\% and 52.1\% for single and multiple observations, respectively. This evidence, as well as other results related to hand position, phone size, and observation angle, suggests the best and worst case scenarios related to shoulder surfing vulnerability which can both help inform users to improve their security choices, as well as establish baselines for researchers.Comment: Will appear in Annual Computer Security Applications Conference (ACSAC

Designing leakage-resilient password entry on head-mounted smart wearable glass devices

AXA Research Fun

A Secure Mobile-based Authentication System

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such system must be usable, affordable, and portable.We propose a challengeresponse based one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks. Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their own trusted computers.La informació financera és extremadament sensible. Per tant, la banca electrònica ha de proporcionar un sistema robust per autenticar als seus clients i fer-los accedir a les dades de forma remota. D'altra banda, aquest sistema ha de ser usable, accessible, i portàtil. Es proposa una resposta al desafiament basat en una contrasenya única (OTP), esquema que utilitza la criptografia simètrica en combinació amb un mòdul de maquinari de seguretat. Amés, aquesta solució ofereix mobilitat convenient per als usuaris que volen bancària en línia en qualsevol moment i en qualsevol lloc, no només des dels seus propis equips de confiança.La información financiera es extremadamente sensible. Por lo tanto, la banca electrónica debe proporcionar un sistema robusto para autenticar a sus clientes y hacerles acceder a sus datos de forma remota. Por otra parte, dicho sistema debe ser usable, accesible, y portátil. Se propone una respuesta al desafío basado en una contraseña única (OTP), esquema que utiliza la criptografía simétrica en combinación con un módulo hardware de seguridad hardware. Además, esta solución ofrece una movilidad conveniente para los usuarios que quieren la entidad bancaria en línea en cualquier momento y en cualquier lugar, no sólo des de sus propios equipos de confianza

Survey and Systematization of Secure Device Pairing

Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and are driven by their particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis.The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications Surveys & Tutorials 2017 (Volume: PP, Issue: 99

Automated Privacy Protection for Mobile Device Users and Bystanders in Public Spaces

As smartphones have gained popularity over recent years, they have provided usersconvenient access to services and integrated sensors that were previously only available through larger, stationary computing devices. This trend of ubiquitous, mobile devices provides unparalleled convenience and productivity for users who wish to perform everyday actions such as taking photos, participating in social media, reading emails, or checking online banking transactions. However, the increasing use of mobile devices in public spaces by users has negative implications for their own privacy and, in some cases, that of bystanders around them. Specifically, digital photography trends in public have negative implications for bystanders who can be captured inadvertently in users’ photos. Those who are captured often have no knowledge of being photographed and have no control over how photos of them are distributed. To address this growing issue, a novel system is proposed for protecting the privacy of bystanders captured in public photos. A fully automated approach to accurately distinguish the intended subjects from strangers is explored. A feature-based classification scheme utilizing entire photos is presented. Additionally, the privacy-minded case of only utilizing local face images with no contextual information from the original image is explored with a convolutional neural network-based classifier. Three methods of face anonymization are implemented and compared: black boxing, Gaussian blurring, and pose-tolerant face swapping. To validate these methods, a comprehensive user survey is conducted to understand the difference in viability between them. Beyond photographing, the privacy of mobile device users can sometimes be impacted in public spaces, as visual eavesdropping or “shoulder surfing” attacks on device screens become feasible. Malicious individuals can easily glean personal data from smartphone and mobile device screens while they are accessed visually. In order to protect displayed user content, anovel, sensor-based visual eavesdropping detection scheme using integrated device cameras is proposed. In order to selectively obfuscate private content while an attacker is nearby, a dynamic scheme for detecting and hiding private content is also developed utilizing User-Interface-as-an-Image (UIaaI). A deep, convolutional object detection network is trained and utilized to identify sensitive content under this scheme. To allow users to customize the types ofcontent to hide, dynamic training sample generation is introduced to retrain the content detection network with very few original UI samples. Web applications are also considered with a Chrome browser extension which automates the detection and obfuscation of sensitive web page fields through HTML parsing and CSS injection

Secure E- Commerce Transaction using Noisy Password with Voiceprint and OTP

E-Commerce application is used for trading products by using communication technology. To protect customer's privacy and against fraud, special attention must be given to the issues related to security of e-commerce transactions. Web application uses traditional passwords which are vulnerable to replay attack. To overcome this problem OTP mechanism is used. Biometric technique measures unique individual features of user for personal recognition. In this paper, we have implemented a new password technique, i.e. Noisy Password to protect against attacks like shoulder surfing, key loggers, etc. The proposed idea is to use biometric with cryptography to enhance security of OTP