• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1159-1174
• /
• 2014

As the use of smartphones and tablet PCs has exploded in recent years, there are many occasions where such devices are used for treating sensitive data such as financial transactions. Naturally, many types of attacks have evolved that target these devices. An attacker can capture a password by direct observation without using any skills in cracking. This is referred to as shoulder surfing and is one of the most effective methods. There has been only a crude definition of shoulder surfing. For example, the Common Evaluation Methodology(CEM) attack potential of Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method supplements CC. Risk is calculated first by checking vulnerability conditions one by one and the method of the CC attack potential is applied for quantitative expression. We present a case study for security-enhanced QWERTY keyboard and numeric keypad input methods, and the commercially used mobile banking applications are analyzed for shoulder surfing risks.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2012.04a
• /
• pp.654-657
• /
• 2012

스마트폰이 널리 보급되면서 사진, 금융정보 같은 중요한 정보를 저장하고 이를 활용한 다양한 서비스가 제공되고 있으며, 이러한 중요정보를 보호하기 위해 사용자인증의 중요성이 증대되고 있다. 하지만 일반적으로 많이 사용하는 4자리 PIN(Personal Identification Number)은 무작위 대입 공격 및 어깨너머 훔쳐보기 공격에 취약하다. 이러한 문제점을 해결하기 위해 다양한 인증 기술들이 개발되고 있다. 본 논문은 지뢰찾기 게임을 이용하여 어깨너머 훔쳐보기 공격에 안전한 새로운 패스워드 기반 사용자 인증방식을 제안한다. 제안기술은 사용자가 쉽게 패스워드를 기억할 수 있으며 실제 패스워드를 직접 입력하는 것이 아닌 패스워드를 이용한 계산된 값을 입력하는 방식을 통해 어깨너머 훔쳐보기 공격에 안전성을 보장한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.1138-1141
• /
• 2010

모바일 기기나 ATM에서의 사용자 인증에는 PIN(Personal Identification Number)이 주로 사용된다. 그 이유는, PIN은 사용자가 외우기 쉽고 단순한 UI(User Interface)로 구현이 가능하다는 장점이 있기 때문이다. 하지만 PIN은 어깨너머 공격에 취약하다는 단점이 있다. 기존의 연구들은 이미지 기반, 인식 기반, PIN과 이미지의 혼합방식을 이용한 다양한 사용자 인증 방법들을 제안하였다. 하지만 이들 연구는 모바일의 작은 화면을 고려하지 않아 구현이 어렵거나, 어깨너머 공격에 취약하거나, 사용자에게 기억에 대한 부담을 증가시키는 등의 문제점이 있다. 본 논문에서는 PIN과 패턴 이미지를 결합하여 모바일 기기에 적합하면서, 어깨너머 공격에 대해 기존의 방법들에 비해 안전하고 사용자가 외워야 하는 기호(숫자, 이미지 등)가 적은 사용자 인증 방법을 제안한다.

• Journal of the Korea Convergence Society
• /
• v.8 no.6
• /
• pp.37-44
• /
• 2017

Mobile devices provide various services through payment and authentication by inputting important information such as passwords on the screen with the virtual keypads. In order to infer the password inputted by the user, the attacker captures the user's touch location information. The attacker is able to infer the password by using the location information or to obtain password information by peeping with Google Glass or Shoulder Surfing Attack. As existing secure keypads place the same letters in a set order except for few keys, considering handy input, they are vulnerable to attacks from Google Glass and Shoulder Surfing Attack. Secure keypads are able to improve security by rearranging various shapes and locations. In this paper, we propose secure keypads that generates 13 different shapes and sizes of Tetris and arranges keypads to be attached one another. Since the keypad arranges different shapes and sizes like the game, Tetris, for the virtual keypad to be different, it is difficult to infer the inputted password because of changes in size even though the attacker knows the touch location information.

• Journal of Convergence for Information Technology
• /
• v.12 no.3
• /
• pp.38-45
• /
• 2022

Due to the development of fintech technology, financial transactions using smart phones are being activated. The password for user authentication during financial transactions is entered through the virtual keypad displayed on the screen of the smart phone. When the password is entered, the attacker can find out the password by capturing it with a high-resolution camera or spying over the shoulder. A virtual keypad with security applied to prevent such an attack is difficult to input on a small touch-screen, and there is still a vulnerability in peeping attacks. In this paper, the entire keypad is divided into several groups and displayed on a small screen, touching the group to which the character to be input belongs, and then touching the corresponding character within the group. The proposed method selects the group to which the character to be input belongs, and displays the keypad in the group on a small screen with no more than 10 keypads, so that the size of the keypad can be enlarged more than twice compared to the existing method, and the location is randomly placed, hence location of the touch attacks can be blocked.

• Journal of Convergence for Information Technology
• /
• v.10 no.8
• /
• pp.144-151
• /
• 2020

User-authentication process is necessary in Fintech Service. Especially, authentication on smartphones are carried out through PIN which is inputted through virtual keypads on touch screen. Attacker can analogize password by watching touched letter and position over the shoulder or using high definition cameras. To prevent password spill, various research of virtual keypad techniques are ongoing. It is hard to design secure keypad which assures safety by fluctuative keypad and enhance convenience at once. Also, to reconfirm user whether password is wrongly pressed, the inputted information is shown on screen. This makes the password easily exposed through high definition cameras or Google Class during recording. This research analyzed QWERTY based secure keypad's merits and demerits. And through these features, creating Tetris shaped keypad and piece them together on Android environment, and showing inputted words as Tetris shape to users through smart-screen is suggested for the ways to prevent password spill by recording.

• KIPS Transactions on Computer and Communication Systems
• /
• v.7 no.3
• /
• pp.73-80
• /
• 2018

Due to the popularity of smartphones and the simplification of financial services, the number of mobile financial services is increasing. However, the security keypads developed for existing financial services are susceptible to probability analysis attacks and have security vulnerabilities. In this paper, we propose and implement a security keypad based on dual touch. Prior to the proposal, we examined the existing types of security keypads used in the mobile banking and mobile payment systems of Korean mobile financial businesses and analyzed the vulnerabilities. In addition, we compared the security of the proposed dual touch keypad as well as existing keypads using the authentication framework and the existing keypad attack types (Brute Force Attack, Smudge Attack, Key Logging Attack, and Shoulder Surfing Attack, Joseph Bonneau). Based on the results, we can confirm that the proposed security keypad with dual touch presented in this paper shows a high level of security. The security keypad with dual touch can provide more secure financial services, and it can be applied to other mobile services to enhance their security.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.21 no.11
• /
• pp.2109-2114
• /
• 2017

Personal Identification Number (PIN) is the most common user-authentication method for the access control of private and commercial applications. The users need to enter PIN information to the applications whenever the users get access to the private services. However, the process imposes a burden on the users and is vulnerable to the potential shoulder-surfing attacks. In order to resolve both problems, we present a continuous authentication method for both smartphone and smartwatch, namely, synchronized authentication. First we analyze the previous smartwatch based authentication and point-out some shortcomings. In the proposed method, we verify the validity of user by analyzing the combined acceleration data of both smartphone and smartwatch. If the monitored sensor data shows the high correlations between them, the user is successfully authenticated. For the authentication test, we used the Samsung Galaxy Note5 and Sony Smartwatch2.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.18 no.12
• /
• pp.2899-2910
• /
• 2014

In this paper, we present method that verifies the validity of inputted message rather than showing last character on virtual keyboard. This encrypts password and valid input only can receive right feedback. This is implemented on Android phone and tested. This shows higher security than former method by 68.23% and accuracy shows 100%. This secure keypad is practical and secure so this can replace current input keypad without difficulty.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.23 no.5
• /
• pp.613-621
• /
• 2019

In the case of door locks most widely used in the market, the most used area as a one-dimensional problem is worn out, and a worn area which does not use a special attack method enables password guessing. To solve this problem, various methods such as a keypad for randomly displaying numbers are introduced, but this is also not completely safe. The common feature of all the solutions so far is that the keypad area is fixed. In this paper, we consider that point in reverse and create a new area smaller than the entire area in the entire area of the keypad, making the keypad of the new area move randomly, thereby preventing the password from being deduced. When using this technique, a new type of keypad is proposed for the first time because of the impossibility of a shoulder surfing attack even though the number of keypad is left as it is.