Breaking undercover: Exploiting design flaws and nonuniform human behavior

SOUPS 2011 - Proceedings of the 7th Symposium on Usable Privacy and Security

Volumn , Issue , 2011, Pages

  Perković, Toni ^a   Li, Shujun ^b   Mumtaz, Asma ^c   Khayam, Syed Ali ^c   Javed, Yousra ^c   Čagalj, Mario ^a  

^a UNIVERSITY OF SPLIT   (Croatia)

^b UNIVERSITY OF KONSTANZ   (Germany)

^c NATIONAL UNIVERSITY OF SCIENCES AND TECHNOLOGY   (Pakistan)

Author keywords

audio channel; intersection attack; observation attack; passwords; tactile device; timing attack; undercover

Indexed keywords

AUDIO CHANNELS; OBSERVATION ATTACK; PASSWORDS; TACTILE DEVICE; TIMING ATTACKS; UNDERCOVER;

AUTHENTICATION; DESIGN; HUMAN COMPUTER INTERACTION; SOCIAL SCIENCES; USER INTERFACES;

BEHAVIORAL RESEARCH;

EID: 84862945377     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2078827.2078834     Document Type: Conference Paper

References (49)

1. A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40-46, 1999.
2. F. A. Alsulaiman, J. Cha and A. El Saddik. User identification based on handwritten signatures with haptic information. In Haptics: Perception, Devices and Scenarios, 6th International Conference, EuroHaptics 2008, Proceedings, Volume 5024 of Lecture Notes in Computer Science, 114-121, Springer, 2008.
3. R. J. Anderson. Why cryptosystems fail. Communications of the ACM, 37(11): 32-49, 1994.
4. H. J. Asghar, S. Li, J. Pieprzyk and H. Wang. Cryptanalysis of the Convex Hull Click human identification protocol. In Information Security, 13th International Conference, ISC 2010, Revised Selected Papers, Volume 6531 of Lecture Notes in Computer Science, 24-30, Springer, 2011.
5. H. J. Asghar, J. Pieprzyk and H. Wang. A new human identification protocol and Coppersmith's baby-step giant-step algorithm. In Applied Cryptography and Network Security, 8th International Conference, ACNS 2010, Proceedings, Volume 6123 of Lecture Notes in Computer Science, 349-366, Springer, 2010.
6. J. Aycock. Computer Viruses and Malware. Springer, 2006.
7. X. Bai, W. Gu, S. Chellappan, X. Wang, D. Xuan and B. Ma. PAS: Predicate-based Authentication Services against powerful passive adversaries. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC'2008), 433-442, IEEE Computer Society, 2008.
8. A. Bianchi, J. K. Lee, I. Oakley and D. S. Kwon. The Haptic wheel: design & evaluation of a tactile password system. In Proceedings of the 28th International Conference on Human Factors in Computing Systems: Extended Abstracts (CHI EA'2010), 3525-3530, ACM, 2010.
9. A. Bianchi, I. Oakley, V. Kostakos and D. S. Kwon. The Phone Lock: audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices. In Proceedings of the 5th International Conference on Tangible, Embedded, and Embodied Interaction (TEI'2011), 197-200, ACM, 2011.
10. A. Bianchi, I. Oakley and D. S. Kwon. The Secure Haptic Keypad: a tactile password system. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems (CHI'2010), 1089-1092, ACM, 2010.
11. D. Davis, F. Monrose and M. K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 151-164, USENIX, 2004.
12. A. De Luca and B. Frauendienst. A privacy-respectful input method for public terminals. In Proceedings of the 5th Nordic Conference on Human-computer Interaction: Building Bridges (NordiCHI'2008), 455-458, ACM, 2008.
13. A. De Luca, M. Langheinrich and H. Hußmann. Towards understanding ATM security: a field study of real world ATM use. In Proceedings of the 6th Symposium on Usable Privacy and Security (SOUPS'2010), Article 16, ACM, 2010.
14. A. De Luca, E. von Zezschwitz and H. Hußmann. VibraPass -secure authentication based on shared lies. In Proceedings of the 27th ACM International Conference on Human Factors in Computing Systems (CHI'2009), 913-916, ACM, 2009.
15. T. Deyle and V. Roth. Accessible authentication via tactile pin entry. Computer Graphics Topics, Issue 3, 2006. http://www.zgdv.de/PDFs/topics/2006/ topics3-2006.pdf.
16. R. Dhamija and A. Perrig. Déjà Vu: a user study using images for authentication. In Proceedings of the 9th Conference on USENIX Security Symposium, 45-58, USENIX, 2000.
17. K. Dunham (Technical Editor). Mobile Malware Attacks and Defense. Syngress Publishing, 2008.
18. L. Fleming Fallon. Color blindness. In Gale Encyclopedia of Children's Health: Infancy through Adolescence, Volume 1, 449-452, Gale, 2005.
19. A. Forget, S. Chiasson and R. Biddle. Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems (CHI'2010), 1107-1110, ACM, 2010.
20. P. Golle and D. Wagner. Cryptanalysis of a cognitive authentication scheme. In Proceedings of 2007 IEEE Symposium on Security and Privacy (S&P'2007), 66-70, IEEE Computer Society, 2007.
21. M. Hasegawa, N. Christin and E. Hayashi. New directions in multisensory authentication. In Adjunct Proceedings of theSeventh International Conference on Pervasive Computing (Pervasive 2009) - Late Breaking Results, 2009.
22. E. Hayashi, N. Christin, R. Dhamija and A. Perrig. Use Your Illusion: secure authentication usable anywhere. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS'2008), 35-45, ACM, 2008.
23. N. J. Hopper and M. Blum. Secure human identification protocols. In Advances in Cryptology - ASIACRYPT 2001, Volume 2248 of Lecture Notes in Computer Science, 52-66, Springer, 2001.
24. M. Jakobsson and S. Myers (Editors). Phishing and Countermeasures. John Wiley & Sons, 2007.
25. H. Jameel, R. Shaikh, H. Lee and S. Lee. Human Identification through image evaluation using secret predicates. In Topics in Cryptology - CT-RSA 2007, Volume 4377 of Lecture Notes in Computer Science, 67-84, 2007.
26. H. Jameel, R. Shaikh, L. Hung, Y. Wei, S, Raazi, N. Canh, S. Lee, H. Lee, Y. Son and M. Fernandes. Image-feature based human identification protocols on limited display devices. In Information Security Applications, 9th International Workshop, WISA 2008, Revised Selected Papers, Volume 5379 of Lecture Notes in Computer Science, 211-224, Springer, 2009.
27. R. Kuber and W. Yu. Authentication using tactile feedback. In Proceedings of the 20th British HCI Group Annual Conference on People and Computers (HCI'2006), Volume 2, 141-145, British Computer Society, 2006.
28. R. Kuber and W. Yu. Feasibility study of tactile-based authentication. International Journal of Human Computer Studies, 68(3):158-181, 2010.
29. D. F. Kune and Y. Kim. Timing attacks on PIN input devices. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'2010), 678-680, ACM, 2010.
30. M. Lei, Y. Xiao, S. V. Vrbsky, C.-C. Li and L. Liu. A virtual password scheme to protect passwords. In Proceedings of 2008 IEEE International Conference on Communications (ICC'2008), 1536-1540, IEEE, 2008.
31. S. Li, H. J. Asghar, J. Pieprzyk, A.-R. Sadeghi, R. Schmitz and H. Wang. On the security of PAS (Predicate-based Authentication Service). In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC'2009), 209-218, IEEE Computer Society, 2009.
32. S. Li, S. A. Khayam, A.-R. Sadeghi and R. Schmitz. Breaking randomized linear generation functions based virtual password system. In Proceedings of 2010 IEEE International Conference on Communications (ICC'2010), IEEE, 2010.
33. S. Li and H.-Y. Shum. Secure Human-Computer Identification against peeping attacks (SecHCI): A survey. Technical report, 2003. http://www.hooklee. com/Papers/SecHCI-Survey.pdf.
34. S. Li and H.-Y. Shum. Secure Human-Computer Identification (Interface) systems against peeping attacks: SecHCI. IACR's Cryptology ePrint Archive: Report 2005/268, 2005.
35. X.-Y. Li and S.-H. Teng. Practical human-machine identification over insecure channels. Journal of Combinatorial Optimization, 3(4):347-361, 1998.
36. B. Malek, M. Orozco and A. El Saddik. Novel shoulder-surfing resistant haptic-based graphical password, In Proceedings of EuroHaptics'2006, 179-184, EuroHaptics Society, 2006.
37. T. Matsumoto. Human-computer cryptography: an attempt. In Proc. 3rd ACM Conference on Computer and Communications Security (CCS'96), 68-75, ACM, 1996.
38. T. Matsumoto and H. Imai. Human identification through insecure channel. In Advances in Cryptology -EUROCRYPT'91, Volume 547 of Lecture Notes in Computer Science, 409-421, Springer, 1991.
39. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
40. Passfaces Corporation. Passfaces: Two Factor Authentication for the Enterprise. http://www.passfaces.com, last visited on 6th June 2011.
41. T. Perković, M. Čagalj and N. Saxena. Shoulder-surfing safe login in a partially observable attacker model. In Financial Cryptography and Data Security: 14th International Conference, FC 2010, Revised Selected Papers, Volume 6052 of Lecture Notes in Computer Science, 351-358, Springer, 2010.
42. V. Roth, K. Richter and R. Freidinger. A PIN-entry method resilient against shoulder surfing. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS'2004), 236-245, ACM, 2004.
43. H. Sasamoto, N. Christin and E. Hayashi. Undercover: authentication usable in front of prying eyes. In Proceeding of the 26th ACM International Conference on Human Factors in Computing Systems (CHI'2008), 183-192, ACM, 2008.
44. L. Sobrado and J. C. Birget. Graphical passwords. The Rutgers Scholar, vol. 4, 2002.
45. F. Tari, A. A. Ozok, and S. H. Holden. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the 2nd Symposium on Usable Privacy and Security (SOUPS'2006), 56-66, ACM, 2006.
46. C.-H. Wang, T. Hwang and J.-J. Tsai. On the Matsumoto and Imai's human identification scheme. In Advances in Cryptology - EUROCRYPT'95, Volume 921 of Lecture Notes in Computer Science, 382-392, Springer, 1995.
47. D. Weinshall. Cognitive authentication schemes safe against spyware. In Proceedings of 2006 IEEE Symposium on Security and Privacy (S&P'2006), 295-300, IEEE Computer Society, 2006.
48. S. Wiedenbeck, J. Waters, L. Sobrado and J.-C. Birget. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of International Working Conference on Advanced Visual Interfaces (AVI'2006), 177- 184, ACM, 2006.
49. H. Zhao and X. Li. S3PAS: a scalable shoulder-surfing resistant textual-graphical password authentication scheme. In Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'2007), 467-472, IEEE Computer Society, 2007.