PIN skimmer: Inferring PINs through the camera and microphone

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 67-78

  Simon, Laurent ^a   Anderson, Ross ^a  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

Author keywords

audio; camera; covert channel; microphone; mobile; mobile malware; pin; side channel; video camera

Indexed keywords

AUDIO; COVERT CHANNELS; MOBILE; MOBILE MALWARE; PIN; SIDE-CHANNEL;

CAMERAS; COMPUTER APPLICATIONS; MICROPHONES; MOBILE COMPUTING; MOBILE DEVICES; SIGNAL ENCODING; SMARTPHONES; TELEPHONE SETS;

VIDEO CAMERAS;

EID: 84888985855     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2516760.2516770     Document Type: Conference Paper

References (47)

1. "Samsung KNOX." https://www.samsung.com/global/business/mobile/ solution/security/samsung-knox.
2. "BlackBerry Enterprise Service 10." http://uk.blackberry.com/ business/software/bes-10.html.
3. "Xen project." http://www.xen.org/.
4. "Okl4 microvisor : Open kernel labs." http://www.ok-labs.com/ products/okl4-microvisor.
5. "Trustzone: Arm." http://www.arm.com/products/processors/ technologies/trustzone.php.
6. "Google play." https://play.google.com/store.
7. "Amazon.com: App store for android." http://www.amazon.com/ mobile-apps/b?ie=UTF8&node=2350149011.
8. "Alcatel club games free download. android games for alcatel club." http://android.mob.org/brands/alcatel/alcatel-club/.
9. "Gfan." http://bbs.gfan.com.
10. "eoemarket." http://www.eoemarket.com.
11. T. Anscombe, "Social engineering still biggest threat to consumers." http://blogs.avg.com/consumer/social-engineering-biggest- threat-consumers/, Jul 2012.
12. R. Naraine, "Android drive-by download attack via phishing sms." http://www.zdnet.com/blog/security/android-drive-by-download-attack- via-phishing-sms/10422, Feb 2012.
13. D. Goodin, "Android users targeted in drive-by download attacks." http://arstechnica.com/gadgets/2012/05/android-users-targeted- for-the-first-time-in-drive-by-download-attacks/, May 2012.
14. J. Leyden, "That square qr barcode on the poster? check it's not a sticker." http://www.theregister.co.uk/2012/12/10/qr-code-sticker-scam/ print.html, Dec 2012.
15. "California prosecutors push for anti-phone theft moves." http://www.kcra.com/California-prosecutors-push-for-anti-phone-theft-moves/-/ 11798090/20553058/-/qphknhz/-/index.html.
16. J. DAVENPORT and W. GANT, "iphone muggers on bikes plague london." http://www.standard.co.uk/news/crime/iphone-muggers-on-bikes- plague-london-8323324.html, Nov 2012.
17. S. Das, L. Green, B. Perez, and M. Murphy, "Detecting User Activities Using the Accelerometer on Android Smartphones," 2010.
18. R. Templeman, Z. Rahman, D. Crandall, and A. Kapadia, "PlaceRaider: Virtual theft in physical spaces with smartphones," in Proceedings of The 20th Annual Network and Distributed System Security Symposium (NDSS), Feb 2013.
19. "Facetime, the easiest way to call face-to-face." http://www.apple.com/ios/facetime/.
20. "Video chat - free online video calls - video calling - skype." http://www.skype.com/intl/en-us/features/allfeatures/video-call/.
21. "Tor project." https://www.torproject.org/.
22. L. Constantin, "Pushdo botnet is evolving, becomes more resilient to takedown attempts." http://www.pcworld.com/article/2038893/pushdo-botnet- is-evolving-becomes-more-resilient-to-takedown-attempts.html, May 2013.
23. "Rageagaisntthecage." http://thesnkchrmr.wordpress.com/2011/03/ 24/rageagainstthecage/.
24. "Giesecke & devrient: Creating confidence." http://www.gi-de.com/en/index.jsp.
25. Z. Yaniv, "Random Sample Consensus (RANSAC) Algorithm, A Generic Implementation." isiswiki.georgetown.edu/zivy/writtenMaterial/RANSAC.pdf, Oct 2010.
26. G. Roth, "Homography." http://people.scs.carleton.ca/~c-shu/ Courses/comp4900d/notes/homography.pdf, 2013.
27. "OpenCv." http://opencv.willowgarage.com/wiki.
28. A. Zisserman, "The SVM classifier." http://www.robots.ox.ac.uk/ ~az/lectures/ml/lect2.pdf, 2013.
29. "LibSvm - A Library for Support Vector Machines." http://www.csie.ntu.edu.tw/~cjlin/libsvm/.
30. "Weka 3: Data mining software in java." http://www.cs.waikato. ac.nz/ml/weka/.
31. J. Bonneau, S. Preibusch, and R. Anderson, "A birthday present every eleven wallets? The security of customer-chosen banking PINs," in FC '12: The 16th International Conference on Financial Cryptography and Data Security, Mar 2012.
32. "Pin analysis." http://www.datagenetics.com/blog/ september32012/, author = John Koetsier, September 2013.
33. "Alertdialog j android developers." http://developer.android. com/reference/android/app/AlertDialog.html.
34. "Sensor j android developers." http://developer.android.com/ reference/android/hardware/Sensor.html.
35. C. Cachin, Entropy measures and unconditional security in cryptography. PhD thesis, ETH Zurich, 1997.
36. S. Brostoff and M. A. Sasse, ""ten strikes and you're out": Increasing the number of login attempts can improve password usability," in CHI Workshop on HCI and Security Systems, John Wiley, 2003.
37. F. Stajano, "Pico: no more passwords!," in Proceedings of the 19th international conference on Security Protocols, SP'11, (Berlin, Heidelberg), pp. 49-81, Springer-Verlag, 2011.
38. O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos, "Progressive authentication: deciding when to authenticate on mobile phones," in Proceedings of the 21st USENIX conference on Security symposium, Security'12, (Berkeley, CA, USA), pp. 15-15, USENIX Association, 2012.
39. S. Maggi, A. Volpatto, S. Gasparini, G. Boracchi, and S. Zanero, "Poster: fast, automatic iphone shoulder surfing," in Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, (New York, NY, USA), pp. 805-808, ACM, 2011.
40. R. Raguram, A. M. White, D. Goswami, F. Monrose, and J.-M. Frahm, "ispy: automatic reconstruction of typed input from compromising reflections," in Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, (New York, NY, USA), pp. 527-536, ACM, 2011.
41. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, "Smudge attacks on smartphone touch screens," in Proceedings of the 4th USENIX conference on Offensive technologies, WOOT'10, pp. 1-7, USENIX Association, 2010.
42. P. Marquardt, A. Verma, H. Carter, and P. Traynor, "(sp)iphone: decoding vibrations from nearby keyboards using mobile phone accelerometers," in Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, (New York, NY, USA), pp. 551-562, ACM, 2011.
43. Z. Xu, K. Bai, and S. Zhu, "Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors," in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, (New York, NY, USA), pp. 113-124, ACM, 2012.
44. L. Cai and H. Chen, "Touchlogger: inferring keystrokes on touch screen from smartphone motion," in Proceedings of the 6th USENIX conference on Hot topics in security, HotSec'11, (Berkeley, CA, USA), pp. 9-9, USENIX Association, 2011.
45. L. Cai and H. Chen, "On the practicality of motion based keystroke inference attack," in Proceedings of the 5th international conference on Trust and Trustworthy Computing, TRUST'12, (Berlin, Heidelberg), pp. 273-290, Springer-Verlag, 2012.
46. A. J. Aviv, B. Sapp, M. Blaze, and J. M. Smith, "Practicality of accelerometer side channels on smartphones," in Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC '12, (New York, NY, USA), pp. 41-50, ACM, 2012.
47. E. Miluzzo, A. Varshavsky, S. Balakrishnan, and R. R. Choudhury, "Tapprints: your finger taps have fingerprints," in Proceedings of the 10th international conference on Mobile systems, applications, and services, MobiSys '12, (New York, NY, USA), pp. 323-336, ACM, 2012.