• The Journal of Korea Institute of Information, Electronics, and Communication Technology
• /
• v.13 no.1
• /
• pp.17-26
• /
• 2020

As more users use mobile devices, shoulder surfing attacks have emerged as an important issue in security. According to research report, in fact, the result showed that about 30% of smartphone users are hit by shoulder surfing attacks. To this end, in this paper, we consider a shoulder surfing attack and propose a partially hidden password system to resistant to its attack. In order to help readers understand, we describe the proposed password system in more detail using one simple example. The core idea behind the proposed system is to place the user's password randomly in the specified grid instead of entering a password directly. As a result, even if an attacker makes a shoulder surfing attack to observe the password, the user can hide the preset password and defend against the attack. We also show how the security of the password system proposed in this paper is improved. In addition, even if there are consecutive shoulder surfing attacks, the security of the proposed password system is robust.

• The KIPS Transactions:PartD
• /
• v.17D no.2
• /
• pp.167-174
• /
• 2010

When entering the PIN(personal identification number), the greatest security threat is shoulder surfing attack. Shoulder surfing attack is watching the PIN being entered from over the shoulder to obtain the number, and it is the most common and at the same time the most powerful security threat of stealing the PIN. In this paper, a psychology based PINpad technology referred to as DAS(Dynamic Authentication System) that safeguards from shoulder surfing attack was proposed. Also, safety of the proposed DAS from shoulder surfing attack was tested and verified through intuitive viewpoint, shoulder surfing test, and theoretical analysis. Then, a PINpad with an internal DAS that was certified for its safety from shoulder surfing attack was designed and produced. Because the designed PINpad significantly decreases the chances for shoulder surfing attackers being able to steal the PIN when compared to the ordinary PINpad, it was determined to be suitable for use at ATM(automated teller machine)s operated by banks and therefore has been introduced and is being used by many financial institutions.

• Journal of Korea Multimedia Society
• /
• v.18 no.3
• /
• pp.368-375
• /
• 2015

Nowaday, financial institutions provide secure mobile keyboard solutions to keep their mobile banking services safe. However, these are still vulnerable to attacks, such as shoulder surfing attack. Especially, in the case of handicapped person such as visual impairment and blindness, they are more vulnerable than ordinary person because of inconvenience of secure information input. Among them, we focused on the color blind. For the color blind, 4-color based secure keyboard method causes more inconvenience to notify exact color. Thus, we propose a secure mobile keyboard solution to provide advanced functionality for the color blind users. Our method is based on 4-color theorem to support color blind users. In addition, our scheme is robust against shoulder surfing attack. According to the evaluation result, our method offers increased security against shoulder surfing attack compare with existing methods.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1159-1174
• /
• 2014

As the use of smartphones and tablet PCs has exploded in recent years, there are many occasions where such devices are used for treating sensitive data such as financial transactions. Naturally, many types of attacks have evolved that target these devices. An attacker can capture a password by direct observation without using any skills in cracking. This is referred to as shoulder surfing and is one of the most effective methods. There has been only a crude definition of shoulder surfing. For example, the Common Evaluation Methodology(CEM) attack potential of Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method supplements CC. Risk is calculated first by checking vulnerability conditions one by one and the method of the CC attack potential is applied for quantitative expression. We present a case study for security-enhanced QWERTY keyboard and numeric keypad input methods, and the commercially used mobile banking applications are analyzed for shoulder surfing risks.

• Journal of the Institute of Electronics and Information Engineers
• /
• v.49 no.9
• /
• pp.215-224
• /
• 2012

Using password on system is easy to build and shorten the access time to authorize user, which is high in use for vary system that requires users' authorization. Many input device are able to perform the password system easily, such as PC, smart-phone, tablet PC, etc. Beside the high usability of password, physical attack occurs when user put their password on the device, known as Shoulder Surfing attack. It used to be formed in numbers, characters or mix of different kinds, but new kind of password arose. Exploiting image or making scenarios are those kinds which are able to reflect users' intentions. Not many estimation exists for new password, so there's need to be standard for those new password for highlighting usability and accessability. In this paper, we propose password system with simple image and switching key-board to test statistical method to estimate usability on the password.

• Journal of Korea Multimedia Society
• /
• v.19 no.1
• /
• pp.41-50
• /
• 2016

Moblie device based financial services are vulnerable to social engineering attacks because of the display screen of mobile devices. In other words, in the case of shoulder surfing, attackers can easily look over a user's shoulder and expose his/her password. To resolve this problem, a colour-based secure keyboard solution has been proposed. However, it is inconvenient for genuine users to verify their password using this method. Furthermore, password colours can be exposed because of fixed keyboard colours. Therefore, we propose a secure mobile authentication method to provide advanced functionality and strong privacy. Our authentication method is robust to social engineering attacks, especially keylogger and shoulder surfing attacks. According to the evaluation results, our method offers increased security and improved usability compared with existing methods.

• 한국HCI학회:학술대회논문집
• /
• 2009.02a
• /
• pp.34-39
• /
• 2009

Four-digit PIN(Personal Identification Number) is a well-known user authentication method used for many applications including ATMs and mobile phones. However, it is vulnerable to shoulder surfing attacks(SSAs). In this paper, we present new PIN entry methods which are secure against SSA and easy to use. We compare the usability and security of these methods with those of the existing methods.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.23 no.4
• /
• pp.470-476
• /
• 2019

The pattern locking technique applied to smart phones is a locking technique that many people use conveniently. However, the safety of pattern locking techniques is very low compared with other techniques. The pattern locking technique is vulnerable to a shoulder surfing attack, which is based on the user's input and can be interpreted by looking at the movement of the shoulder, and the smudge attack is also vulnerable due to fingerprint drag marks remaining on the mobile phone pad. Therefore, in this paper, we want to add a new security method to check the pressed time by using a thread in the pattern locking scheme to secure the vulnerability. It is divided into short, middle, and long click according to the pressing time at each point. When dragging using the technique, security performance enhances $3^n$ tiems. Therefore, even if dragging in the same 'ㄱ' manner, it becomes a completely different pattern depending on the pressing time at each point.

• Journal of information and communication convergence engineering
• /
• v.15 no.2
• /
• pp.91-96
• /
• 2017

PIN-entry interfaces have high risks to leak secret values if the malicious attackers perform shoulder-surfing attacks with advanced monitoring and observation devices. To make the PIN-entry secure, many studies have considered invisible radio channels as a secure medium to deliver private information. However, the methods are also vulnerable if the malicious adversaries find a hint of secret values from user's $na{\ddot{i}}ve$ gestures. In this paper, we revisit the state-of-art radio channel based bimodal PIN-entry method and analyze the information leakage from the previous method by exploiting the sight tracking attacks. The proposed sight tracking attack technique significantly reduces the original password complexities by 93.8% after post-processing. To keep the security level strong, we introduce the advanced bimodal PIN-entry technique. The new technique delivers the secret indicator information through a secure radio channel and the smartphone screen only displays the multiple indicator options without corresponding numbers. Afterwards, the users select the target value by following the circular layout. The method completely hides the password and is secure against the advanced shoulder-surfing attacks.

• Journal of Korea Society of Industrial Information Systems
• /
• v.22 no.6
• /
• pp.17-22
• /
• 2017

In this paper, a password recognition system that can overcome a shoulder-surfing attack is developed. During the time period of password insertion, the developed system can prevent the attack and enhance the safety of the password. In order to raise the detection rate of the password image, the mopology technique is utilized. By adapting 4 times of the expansion and dilation, the niose from the binary image of the password is removed. Finally, the mobile phone application is also developed to recognize the one time password and the detection rate is measured. It is shown that the detection rate of 90% is achieved under the dark light condition.