A PIN-entry method resilient against shoulder surfing

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2004, Pages 236-245

  Roth, Volker ^a   Richter, Kai ^b   Freidinger, Rene ^c  

^a OGM Laboratory LLC   (United States)

^b ZGDV   (Germany)

^c DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

ATM; Cognitive trapdoor games; Password; PIN; Shoulder surfing

Indexed keywords

AUTOMATIC TELLER MACHINES; COGNITIVE SYSTEMS; ELECTRONIC COMMERCE; ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

COGNITIVE TRAPDOOR GAMES; PASSWORD; PERSONAL IDENTIFICATION NUMBERS (PIN); SHOULDER SURFING;

SECURITY OF DATA;

EID: 14844314151     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030083.1030116     Document Type: Conference Paper

References (38)

1. http://www.swiveltechnologies.com, July 2004.
2. http://www.hirschelectronics.com/Products_ScramblePads.asp, July 2004.
3. Passfaces. www.realuser.com, Apr. 2004.
4. ANDERSON, R. Why cryptosystems fail. In Proc. 1st ACM Computers and Communications Security Conference (Fairfax, Virginia, USA, Nov. 1993).
5. BALFANZ, D. Usable access control for the world wide web. In Proc. Nineteenth Annual Computer Security Applications Conference (Dec. 2003), IEEE, pp. 406-415.
6. BRADER, M. Shoulder-surfing automated. Risks Digest 19.70, Apr. 1998.
7. BRIER, E., NACCACHE, D., AND PAILLIER, P. Chemical combinatorial attacks on keyboards. International Association for Cryptographic Research ePrint Archive 2003, 217 (2003).
8. BROOKE, J. SUS: A quick and dirty usability scale. In Usability evaluation in industry, P. Jordan, B. Thomas, B. Weerdmeester, and I. McClelland, Eds. Taylor and Francis, London, 1996, pp. 189-194.
9. COLVILLE, J. Atm scam netted $620,000 australian. Risks Digest 22.85, Aug. 2003.
10. COUNT ZERO. Card-o-rama: Magnetic stripe technology and beyond. Phrack, 37 (1992).
11. DHAMIJA, R., AND PERRIG, A. Déjà vu: A user study using images for authentication. In Proc. 9th USENIX Security Symposium (Denver, CO, USA, Aug. 2000).
12. DOURISH, P., AND REDMILES, D. An approach to usable security based on event monitoring and visualization. In Proc. New Security Paradigms Workshop (Virginia Beach, VA, USA, Sept. 2002), ACM, pp. 75-81.
13. HOPPER, N. J., AND BLUM, M. A secure human-computer authentication scheme. Technical Report CMU-CS-00-139, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, May 2000.
14. HOPPER, N. J., AND BLUM, M. Secure human identification protocols. In ASIACRYPT (2001), C. Boyd, Ed., vol. 2249 of Lecture Notes in Computer Science, Springer Verlag, pp. 52-66.
15. INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems. May 2002. TC 68/SC 6.
16. KUHN, M. Probability theory for pickpockets - ec-PIN guessing. Available at http://www.cl.cam.ac.uk/~mgk25/, 1997.
17. LI, X.-Y., AND TENG, S.-H. Practical human-machine identification over insecure channels. Journal of Combinatorial Optimization 3, 4 (1999).
18. MATSUMOTO, T., AND IMAI, H. Human identification through insecure channel. In EUROCRYPT (1991), D. W. Davies, Ed., vol. 547 of Lecture Notes in Computer Science, Springer Verlag, pp. 409-421.
19. MILLER, G. A. The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review 63 (1956), 81-97.
20. MÖLLER, B. Schwächen des ec-PIN-Verfahrens. Available at http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller, Feb. 1997. Manuscript.
21. MURDOCK, B. B. The retention of individual items. Journal of of Experimental Psychology 62 (1961), 618-625.
22. PATRICK, A., LONG, C., AND (ORGANIZERS), S. F. Workshop on human-computer interaction and security systems at acm chi 2003. Web pages at URL http://www.andrewpatrick.ca/CHI2003/HCISEC/index.html, Apr. 2003.
23. PERTERSON, L. R., AND PETERSON, M. J. Short-term retention of individual verbal items. Journal of of Experimental Psychology, 58 (1959), 193-198.
24. PLATH, H.-E., AND RICHTER, P. Ermüdungs-Monotonie-Sättigung- Stress (BMS). Tech. rep., Psychodiagnostisches Zentrum, Dresden, Germany, 1984.
25. SASSE, M. A. Computer security: Anatomy of a usability, and a plan for recovery. [22].
26. SMETTERS, D. K., AND GRINTER, R. E. Moving from the design of usable security technologies to the design of useful secure applications. In Proceedings of the New Security Paradigms Workshop (Virginia Beach, VA, USA, Sept. 2002), ACM, pp. 82-89.
27. SMITH, S. L. Authenticating users by word association. Computers & Security 6 (1987), 464-470.
28. SPECTOR, Y., AND GINZBERG, J. Pass-sentence - a new approach to computer code. Computers & Security 13 (1994), 145-160.
29. STIRZAKER, D. Elementary Probability, 2nd ed. Cambridge University Press, 2003.
30. SUMMERS, C., AND TOYNE, S. Gangs preying on cash machines. BBC News Online, Oct. 2003.
31. TOM MARKOTTEN, D. G. User-centered security engineering. In Proc. 4th NordU Conference (Helsinki, Finland, Feb. 2002).
32. VOGEL, E. K., AND MACHIZAWA, M. G. Neural activity predicts individual differences in visual working memory capacity. Nature 428 (Apr. 2004), 748-751.
33. WEINSTOCK, C. Atm fraud. Risks Digest 4.86, May 1987.
34. WHITTEN, A., AND TYGAR, J. D. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proc. 9th USENIX Security Symposium (August 1999).
35. WILFONG, G. T. Method and apparatus for secure PIN entry. US Patent #5,940,511, United States Patent and Trademark Office, May 1997. Assignee: Lucent Technologies, Inc. (Murray Hill, NJ).
36. WOOD, D. Spain uncovers hi-tech cashpoint fraud. BBC News Online, Jan. 2003.
37. YEE, K.-P. User interaction design for secure systems. In Proc. 4th International Conference on Information and Communications Security (Singapore, Dec. 2002), R. Deng, S. Qing, F. Bao, and J. Zhou, Eds., vol. 2513 of Lecture Notes in Computer Science, Springer Verlag, pp. 278-290. ISBN 3-540-00164-6.
38. ZVIRAN, M., AND HAGA, W. J. Cognitive passwords: The key to easy access control. Computers & Security 9 (1990), 723-736.