4,107 research outputs found

    PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos

    This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.

    Security and Online learning: to protect or prohibit

    The rapid development of online learning is opening up many new learning opportunities. Yet, with this increased potential come a myriad of risks. Usable security systems are essential as poor usability in security can result in excluding intended users while allowing sensitive data to be released to unacceptable recipients. This chapter presents findings concerned with usability for two security issues: authentication mechanisms and privacy. Usability issues such as memorability, feedback, guidance, context of use and concepts of information ownership are reviewed within various environments. This chapter also reviews the roots of these usability difficulties in the culture clash between the non-user-oriented perspective of security and the information exchange culture of the education domain. Finally an account is provided of how future systems can be developed which maintain security and yet are still usable.

    Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps

    This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.

    Comment: A preliminary version of this paper appears in the Proceedings of ACM WiSec 2015. This is the full versio

    A Survey on Acoustic Side Channel Attacks on Keyboards

    Most electronic devices utilize mechanical keyboards to receive inputs, including sensitive information such as authentication credentials, personal and private data, emails, plans, etc. However, these systems are susceptible to acoustic side-channel attacks. Researchers have successfully developed methods that can extract typed keystrokes from ambient noise. As the prevalence of keyboard-based input systems continues to expand across various computing platforms, and with the improvement of microphone technology, the potential vulnerability to acoustic side-channel attacks also increases. This survey paper thoroughly reviews existing research, explaining why such attacks are feasible, the applicable threat models, and the methodologies employed to launch and enhance these attacks.

    Comment: 22 pages, conferenc

    Ethical guidelines for nudging in information security & privacy

    There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider first the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. We explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research.

    Enhancing User Authentication with Facial Recognition and Feature-Based Credentials

    This research proposes a novel and trustworthy user authentication method that creates individualized and trusted credentials based on distinctive facial traits using facial recognition technology. The ability to easily validate user identification across various login methods is provided by this feature. The fundamental elements of this system are face recognition, feature extraction, and the hashing of characteristics to produce usernames and passwords. This method makes use of the OpenCV library, which is free software for computer vision. Additionally, it employs Hashlib for secure hashing and Image-based Deep Learning for Identification (IDLI) technology to extract facial tags. For increased security and dependability, the system mandates a maximum of ten characters for users and passwords. By imposing this restriction, the system increases its resilience by reducing any possible weaknesses in its defense. The policy also generates certificates that are neatly arranged in an Excel file for easy access and management. To improve user data and provide reliable biometric authentication, this study intends to create and implement a recognition system that incorporates cutting-edge approaches such as face feature extraction, feature hashing, and password creation. Additionally, the system has robust security features using face recognition.

    Privacy-centered authentication: a new framework and analysis

    © 2023 Elsevier. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/

    The usage of authentication schemes is increasing in our daily life with the ubiquitous spreading Internet services. The verification of user’s identity is still predominantly password-based, despite being susceptible to various attacks and openly hated by users. Bonneau et al. presented a framework, based on Usability, Deployability, and Security criteria (UDS), to evaluate authentication schemes and find a replacement for passwords. Although the UDS framework is a mature and comprehensive evaluation framework and has been extended by other authors, it does not analyse privacy aspects in the usage of authentication schemes. In the present work, we extend the UDS framework with a privacy category to allow a more comprehensive evaluation, becoming a UDSP framework. We provide a thorough, rigorous assessment of sample authentication schemes, including an analysis of novel behavioural biometrics. Our work also discusses implementation aspects regarding the new privacy dimension and sketches the prospect of future authentication schemes.

    Javier Parra-Arnau is the recipient of a “Ramón y Cajal” fellowship (ref. RYC2021–034256-I) funded by the Spanish Ministry of Science and Innovation and the European Union – “NextGenerationEU”/PRTR (Plan de Recuperación, Transformación y Resiliencia). This work was also supported by the Spanish Government under the project “Enhancing Communication Protocols with Machine Learning while Protecting Sensitive Data (COMPROMISE)” PID2020–113795RB-C31, funded by MCIN/AEI/10.13039/501100011033, and through the project “MOBILYTICS” (TED2021–129782B-I00), funded by MCIN/AEI/10.13039/501100011033 and the European Union “NextGenerationEU”/PRTR.

    Peer Reviewed. Postprint (published version

    2014-15 FACULTY SENATE XIX - April 27, 2015 Minutes Summary
