The KIPS Transactions:PartC (정보처리학회논문지C)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

Advanced Password Input Method in Automated Teller Machines/Cash Dispenser

현금자동입출금기/현금지급기에서 개선된 비밀번호 입력 방법

  • Received : 2010.10.06
  • Accepted : 2011.01.10
  • Published : 2011.04.30
Download PDF
⟨ Previous Next ⟩

Abstract

Financial accidents such as password exposure of credit cards or bankbooks occur often when a password is inputted to ATM/CD(Automated Teller Machines and Cash Dispenser), so particular attention is required when inputting a password. This study suggested a method to input a password safely to prevent stealing a glance at a password in case of the use of ATM/CD. The method is that users input a password when numbers are randomly displayed and disappear not to notice the password even though someone is next to or behind the users. As methods to input a password safely, the study verified safety by dividing the methods into a test of shoulder surfing, an intuitive perspective, and a theoretical analysis. In addition, the result of implementation to apply the method to ATM/CD shows that a percentage of acquiring a password from the attack of shoulder surfing is found to be lower than an existing method, so password exposure can be prevented.

현금자동입출금기/현금지급기에서 비밀번호를 입력할 때 신용카드나 통장의 비밀번호가 노출되어 자신도 모르게 현금이 인출되는 금융사고가 빈번하게 발생하고 있으므로 비밀번호를 입력하는 과정에서 각별한 주의가 요청되고 있다. 본 논문은 현금자동입출금기/현금지급기를 사용할 때 어깨너머로 비밀번호를 훔쳐보는 것을 방지하기 위하여 비밀번호를 안전하게 입력하는 방법을 제안하였다. 제안한 방법은 사용자가 비밀번호를 입력하는 과정을 옆이나 뒤에서 훔쳐봐도 무엇을 입력하였는지를 알 수 없도록 숫자들이 무작위 순으로 표시되었다가 사라진 상태에서 비밀번호를 입력함으로써 비밀번호 훔쳐보기를 원천적으로 차단하여 비밀번호가 유출되는 것을 방지할 수 있다. 비밀번호를 안전하게 입력하는 방법은 훔쳐보기 시험, 직관적인 관점 및 이론적인 분석으로 구분하여 안전성을 검증하였다. 또한, 현금자동입출금기/현금지급기에서 적용할 수 있도록 구현한 결과는 비밀번호 훔쳐보기 공격으로부터 비밀번호 획득 확률이 기존 방법보다 현저하게 낮은 것으로 평가되어 비밀번호가 유출되는 것을 방지할 수 있다.

Keywords

References

  1. Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, "Applied Cryptography", CRC Press, 1997.
  2. M.S. Kang, Y.I, Kim, Design and Implementation of Pinpad using Secure Technology from Shoulder Surfing Attack, The KIPS Transactions : Part D, Vol.17-D, No.2, pp.167-174, 2010. https://doi.org/10.3745/KIPSTD.2010.17D.2.167
  3. Financial Supervisory Service, "UK Internet banking-related fraud increased", Information of Financial Supervisory Service, No.396, pp.43-44, Nov., 2006.
  4. Li, Zhi., Sun, Qibin., Lian, Yong., Giusto, D.D., "An Association-Based Graphical Password Design Resistant to Shoulder-Surfing Attack", 2005 IEEE International Conference on Multimedia and Expo(ICME-05), pp.245-248, 2005. https://doi.org/10.1109/ICME.2005.1521406
  5. Lei, M., Xiao, Y., Vrbsky, S.V., "Virtual password using random linear functions for on-line services, ATM machines, and pervasive computing", Computer communications, Vol.31 No.18, pp.4367-4375, 2008. https://doi.org/10.1016/j.comcom.2008.05.005
  6. S.B. Park, M.S. Kang, Secure Password System against Imposter, The KIPS Transactions : Part C, Vol.10-C, No.2, pp.141-144, 2003. https://doi.org/10.3745/KIPSTC.2003.10C.2.141
  7. S.B. Park, M.S. Kang, and S.J. Lee, "Authenticated key exchange protocol secure against off-line dictionary attack and server compromise", Lecture Notes in Computer Science, Vol.3032, pp.924-931, 2004. https://doi.org/10.1007/978-3-540-24679-4_154
  8. Sorinamoo Solution, "Secure method for generating one time password and interpreting one time password", Korean Intellectual Property Office, 2007. 01
  9. Nebojsa Jojic and Paul Roberts, "image based password systems", http://research.microsoft.com/en-us/um/people/darkok/projectssyscli.htm.
  10. D. Kirovski, N. Jojic, and P. Roberts. "Click Passwords", 21st IFIP International Information Security Conference, pp.351-363, 2006.
  11. RealUser, "Passfaces: Two Factor Authentication, Graphical Password", http://www.realuser.com/index.htm.
  12. Manu Kumar, Tal Garfinkel, Dan Boneh, Terry Winograd, "Reducing Shoulder-surfing by Using Gaze-based Password Entry", Proceedings of the 3rd symposium on Usable Privacy and Security(SOUPS 2007), pp.13-19, 2007.
  13. BeOnePlus Co., Ltd, RhythmPass & ChamID, http://www.beone.co.kr/.
  14. Nemeth, Garth Snyder, and Trent R. Hein, "Linux Administration Handbook(2nd Edition)", Prentice Hall PTR, 2006.
  15. Edward K. Vogel & Maro G. Machizawa, "Neural activity predicts individual differences in visual working memory capacity", Nature, Vol.428, pp.748-751, 2004. https://doi.org/10.1038/nature02447
  16. INCA Internt Co., Ltd., P-Protect, http://www.inca.co.kr/include_file/pdf_down /A-P-Protect.pdf.
  17. 금융보안연구원, '○○은행 A-DAS' 금융보안적합성 시험 검토 보고서, 금융보안연구원(FSA : Financial Security Agency, http://www.fsa.or.kr), pp.1-10, 2008.