http://dx.doi.org/10.13089/JKIISC.2014.24.6.1159

Shoulder Surfing Attack Modeling and Security Analysis on Commercial Keypad Schemes  

Kim, Sung-Hwan (Center for Information Security Technologies (CIST), Korea University)
Park, Min-Su (Center for Information Security Technologies (CIST), Korea University)
Kim, Seung-Joo (Center for Information Security Technologies (CIST), Korea University)
Abstract
As the use of smartphones and tablet PCs has exploded in recent years, such devices are increasingly used to handle sensitive data, for example in financial transactions. Naturally, many types of attacks targeting these devices have evolved. An attacker can capture a password by direct observation, without any password-cracking skill; this is referred to as shoulder surfing and is one of the most effective methods. Shoulder surfing has so far had only a crude definition. For example, the attack potential method of the Common Evaluation Methodology (CEM) of the Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method that supplements the CC. Risk is calculated by first checking the vulnerability conditions one by one, and the CC attack potential method is then applied to express the result quantitatively. We present a case study of security-enhanced QWERTY keyboard and numeric keypad input methods, and analyze commercially used mobile banking applications for shoulder surfing risk.
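The abstract says the quantitative step reuses the CC attack potential method from the CEM (reference 9 below): each attack path is scored on five factors (elapsed time, expertise, knowledge of the TOE, window of opportunity, equipment), the values are summed, and the total is mapped to a resistance rating. The following is an added example, not code from the paper, that implements those public CEM Annex B.4 tables and scores three keypad observation scenarios. The factor values and rating bands are the CEM's; the three scenarios and the factor levels assigned to them are constructed illustrations of how a shoulder-surfing path is scored, not values measured or proposed by the paper.

```python
"""CEM attack-potential scoring (CC v3.1 R4, CEM Annex B.4) for shoulder-surfing paths.

Added example, not code from the paper. FACTOR_VALUES and RATING_BANDS are the
public CEM tables; the keypad scenarios at the bottom are constructed
illustrations (hypothetical factor levels), not the paper's measured values.
"""
from dataclasses import dataclass
from typing import Optional

# CEM Annex B.4: values for identifying and exploiting an attack path.
FACTOR_VALUES = {
    "elapsed_time": {
        "<= one day": 0, "<= one week": 1, "<= two weeks": 2, "<= one month": 4,
        "<= two months": 7, "<= three months": 10, "<= four months": 13,
        "<= five months": 15, "<= six months": 17, "> six months": 19,
    },
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge_of_toe": {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11},
    "window_of_opportunity": {
        "unnecessary / unlimited access": 0, "easy": 1, "moderate": 4, "difficult": 10,
        "none": None,  # CEM marks this '**': path not exploitable, no numeric value
    },
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}

# CEM Annex B.4: rating of vulnerabilities and TOE resistance.
# (low, high, attack potential required to exploit, TOE resistant to attackers with)
RATING_BANDS = [
    (0, 9, "Basic", "No rating"),
    (10, 13, "Enhanced-Basic", "Basic"),
    (14, 19, "Moderate", "Enhanced-Basic"),
    (20, 24, "High", "Moderate"),
    (25, None, "Beyond High", "High"),
]


@dataclass(frozen=True)
class AttackScenario:
    name: str
    elapsed_time: str
    expertise: str
    knowledge_of_toe: str
    window_of_opportunity: str
    equipment: str


def attack_potential(scenario: AttackScenario) -> Optional[int]:
    """Sum the five CEM factor values; None when the window of opportunity is 'none'."""
    total = 0
    for factor, table in FACTOR_VALUES.items():
        level = getattr(scenario, factor)
        if level not in table:
            raise ValueError(f"{factor}: unknown level {level!r}")
        value = table[level]
        if value is None:
            return None
        total += value
    return total


def rate(total: Optional[int]) -> tuple:
    """Map a total to (attack potential required to exploit, TOE resistance)."""
    if total is None:
        # The CEM gives '**' here and no number; these two labels are this example's own.
        return ("Not exploitable", "Not rated")
    for low, high, required, resistant in RATING_BANDS:
        if total >= low and (high is None or total <= high):
            return (required, resistant)
    raise ValueError(f"total out of range: {total}")


def assess(scenario: AttackScenario) -> dict:
    """Score one scenario and return the total with both CEM ratings."""
    total = attack_potential(scenario)
    required, resistant = rate(total)
    return {"name": scenario.name, "total": total,
            "required": required, "resistant": resistant}


# Constructed scenarios with hypothetical factor levels (not the paper's values).
FIXED_KEYPAD = AttackScenario(
    name="fixed-layout numeric keypad, PIN read by a single glance",
    elapsed_time="<= one day", expertise="layman", knowledge_of_toe="public",
    window_of_opportunity="easy", equipment="standard")

RANDOMISED_KEYPAD = AttackScenario(
    name="per-session randomised keypad, key labels must be read, not positions",
    elapsed_time="<= one day", expertise="proficient", knowledge_of_toe="public",
    window_of_opportunity="moderate", equipment="standard")

RECORDED_RANDOMISED_KEYPAD = AttackScenario(
    name="randomised keypad with concealed labels, covert video and offline replay",
    elapsed_time="<= one week", expertise="expert", knowledge_of_toe="public",
    window_of_opportunity="difficult", equipment="specialised")

if __name__ == "__main__":
    for s in (FIXED_KEYPAD, RANDOMISED_KEYPAD, RECORDED_RANDOMISED_KEYPAD):
        r = assess(s)
        print(f"{str(r['total']):>4}  {r['required']:<15} {r['resistant']:<15} {r['name']}")
```

Run as a script it prints one line per scenario: the first two constructed scenarios total 1 and 7 and fall in the Basic band ("No rating" for TOE resistance), while the recorded-video scenario totals 21 and lands in the High band, i.e. the keypad is rated resistant to attackers of Moderate potential. The point a practitioner should take from this is the one the abstract makes: the CEM sum is only as good as the factor levels fed into it, so the vulnerability-condition checks that precede the scoring are where a keypad assessment is actually decided.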
Keywords
Shoulder surfing attack; Attack potential; Security Keypad;
Citations & Related Records
Times Cited By KSCI: 3
1 Richard M. Shiffrin and Robert M. Nosofsky, "Seven plus or minus two: A commentary on capacity limitations," Psychological Review, pp. 357-361, Apr. 1994.
2 Choo-Youn Chong, "Korean typography interface evaluation and development of legibility formula in smartpad device," KAIST, 2012.
3 Yunho Lee, "An Analysis on the Vulnerability of Secure Keypads for Mobile Devices," Journal of Korean Society for Internet Information, vol. 14, no. 3, pp. 15-21, June 2013.
4 Sooyeon Shin and Taekyoung Kwon, "STM-GOMS Model: A Security Model for Authentication Schemes in Mobile Smart Device Environments," KIISC, vol. 22, no. 6, pp. 1243-1252, Dec. 2012.
5 Inseok Lee, Seung Min Mo, Yong Ku Kong, Young Woong Song, and Myung Chul Jung, "Evaluation of Main Factors Affecting on the Legibility of One-Syllable Korean Characters and Numbers," Journal of the Ergonomics Society of Korea, vol. 28, no. 4, pp. 1-7, Nov. 2009.
6 Seung Min Mo, Young Woong Song, Inseok Lee, Myung Chul Jung, and Yonggu Jeong, "Legibility comparison of Korean characters and words," Ergonomics Society of Korea, pp.474-477, May. 2009.
7 Seung Min Mo, Daemin Kim, Young Woong Song, and Myung Chul Jung, "Evaluations of Factors Affecting Legibility," Journal of the Ergonomics Society of Korea, pp.20-23, Oct. 2008.
8 Taekyoung Kwon, Sooyeon Shin, and Sarang Na, "Covert Attentional Shoulder Surfing: Human Adversaries Are More Powerful Than Expected," IEEE Transactions on Systems, Man, and Cybernetics: Systems, June 2014.
9 "Common Criteria: Evaluation Methodology," Version 3.1, Revision 4, Sep. 2012.
10 Arash Habibi Lashkari, Samaneh Farmand, Omar Bin Zakaria, and Rosli Saleh, "Shoulder surfing attack in graphical password authentication," International Journal of Computer Science and Information Security, Vol. 6, No.2, 2009.
11 Robert Biddle, Sonia Chiasson, and P.C. van Oorschot, "Graphical Passwords: Learning from the First Twelve Years," ACM Computing Surveys, Feb. 2011.
12 "Application of Attack Potential to POIs," Joint Interpretation Library, June 2011.
13 "Application of Attack Potential to Hardware Devices with Security Boxes," Joint Interpretation Library, May. 2012.
14 "Application of Attack Potential to Smartcards," Joint Interpretation Library, Apr. 2006.
15 Qiang Yan, Jin Han, Yingjiu Li, Jianying Zhou, and Robert H. Deng, "Designing leakage resilient password entry on touchscreen mobile devices," ACM ASIACCS, May 2013.
16 Leonardo Sobrado and Jean-Camille Birget, "Graphical Passwords," The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol.4, 2002.
17 Jeonghyuk Kim, Munseon Bae, and Ara Yang, "Usage of domestic Internet banking services in 2014 first quarter," Bank of Korea, May. 2014
18 Jaesik Mun, "2014 Statistical information of the wireless communication subscriber," Ministry of Science, ICT and Future Planning, June 2014.
19 Kevin D. Mitnick and Johnny Long, "No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing," Syngress, pp. 27-60, Nov. 2007.
20 Xiaoyuan Suo, Ying Zhu, and G. Scott Owen, "Graphical Passwords: A Survey," IEEE Computer Security Applications Conference, 21st Annual, pp. 463-472, Dec. 2005.
21 Shushuang Man, Dawei Hong, and Manton Matthews, "A shoulder surfing resistant graphical password scheme," Proceedings of the International Conference on Security and Management, Nov. 2003.
22 Passfaces White Papers, "The Science Behind Passfaces," RealUser (www.realuser.com), June 2005.
23 Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin, "The Design and Analysis of Graphical Passwords," Proceedings of the 8th USENIX Security Symposium, Aug. 1999.
24 Jeongmo Lee, Eunjoo Kang, and Minsik Kim et al., "Cognitive Psychology," HAKJISA, Jan. 2009.
25 Joseph Goldberg, Jennifer Hagman, and Vibha Sazawal, "Doodling Our Way to Better Authentication," ACM Proceedings of Human Factors in Computing Systems (CHI), pp. 868-869, Apr. 2002.
26 G. E. Blonder, "Graphical Passwords," Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996.
27 M. N. Doja and Naveen Kumar, "User Authentication Schemes for Mobile and Handheld Services," INFOCOMP Journal of Computer Science, vol. 7, no. 4, pp. 38-47, 2008.
28 "Information Supplement: ATM Security Guidelines," PCI Security Standards Council, Jan. 2013.
29 George A. Miller, "The magical number seven, plus or minus two: Some limits on our capacity for processing information," Psychol. Rev., vol. 63, no. 2, Mar. 1956.
30 "Personal Space," Wikipedia, Aug. 2014.
31 Alexander De Luca, Emanuel von Zezschwitz, Ngo Dieu Huong Nguyen, Max-Emanuel Maurer, Elisa Rubegni, Marcello Paolo Scipioni, and Marc Langheinrich, "Back-of-device authentication on smartphones," ACM Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2389-2398, 2013.