How to fend off shoulder surfing

https://doi.org/10.1016/j.jbankfin.2005.09.010

Abstract

Magnetic stripe cards are in common use for electronic payments and cash withdrawal. Reported incidents document that criminals easily pickpocket cards or skim them by swiping them through additional card readers. Personal identification numbers (PINs) are obtained by shoulder surfing, through the use of mirrors or concealed miniature cameras. Both elements, the PIN and the card, are generally sufficient to give the criminal full access to the victim’s account. In this paper, we present alternative PIN entry methods to which we refer as cognitive trapdoor games. These methods make it significantly harder for a criminal to obtain PINs even if he fully observes the entire input and output of a PIN entry procedure. We also introduce the idea of probabilistic cognitive trapdoor games, which offer resilience to shoulder surfing even if the criminal records a PIN entry procedure with a camera. We studied the security as well as the usability of our methods. The results support the hypothesis that our primary mechanism strikes a balance between security and usability that is of practical value. In this article, we give a detailed account of our mechanisms and their evaluation.

Introduction

Personal identification numbers (PINs) are used as a means of authenticating oneself when withdrawing money from automatic teller machines (ATMs), authorizing point-of-sale (POS) transactions, unlocking our cell phones and portable digital assistants (PDAs), gaining access to secure areas, or disarming anti-burglar alarms, to name a few examples. Typically, a user proves himself to a machine by entering a four-digit PIN using a PIN pad with three-by-four keys, and an automatic process verifies whether the entered PIN is correct.

However, anyone who has the PIN pad in his field of view may observe the PIN that a prover enters and use that information to impersonate the legitimate prover. This particular attack is widely known as shoulder surfing.

As an added security mechanism against such involuntary PIN disclosure, many authentication systems require not only something that the legitimate prover knows but also something that he has, such as a magnetic stripe card with certain information stored on it. However, fraudsters steal or skim valid cards with increasing sophistication (Weinstock, 1987, Brader, 1998, Wood, 2003, Summers and Toyne, 2003, Colville, 2003), causing significant damage to customers and the banking industry. The means by which fraudsters obtain the corresponding PINs have also grown more sophisticated. In several recent cases, miniature camera devices were planted at ATMs in a concealed fashion and radioed video images of PIN entry sequences to nearby receivers (Wood, 2003, Summers and Toyne, 2003, Colville, 2003).

We investigated whether the method by which PINs are entered can be designed in a way that is resilient to human shoulder surfers even if all input and output is in plain sight, perhaps even if all input and output is recorded by a concealed camera. At the same time, the method should be efficient and easily usable. Our contribution is a novel design which consciously leverages the fact that certain cognitive capabilities of humans are very limited, particularly humans’ ability to store and retain information in their short-term memory (Miller, 1956, Anderson, 2000, Vogel and Machizawa, 2004).

We refer to our principal design as an interactive cognitive trapdoor game between a verifier and a prover where all input and output is in plain sight of an observer, and authenticating oneself amounts to winning the game. The game is designed so that winning it is well within the bounds of human cognitive capacity if the correct PIN is known. If, however, the PIN is not known, then winning the game requires cognitive capacity beyond what is typically found in humans.

A simple example may serve as an illustration of the general idea. Assume that the prover wishes to enter a single digit using a PIN pad with the typical fixed layout of keys and digits. Further, assume that the verifier has the ability to set the background color of each individual key to either black or white. The verifier randomly partitions the set {0, 1, …, 9} of possible PIN digits into two equally sized sets A and B. The digits in set A are displayed on white background and the digits in set B are displayed on black background. The prover enters the background color of the set that contains her digit: white if it is in set A, black if it is in set B. After playing the game for a few rounds, the verifier can uniquely determine the digit by intersecting the sets indicated by the prover. The observer, on the other hand, does not know the digit, and in order to calculate the set intersection she has to quickly memorize or record at least one set, its color, and the prover’s response in each round. The game is repeated until all digits are entered.

In the remainder of the article, we elaborate on the design and its security. We describe multiple variations of it, some of which are especially suitable for people with certain handicaps such as blindness. We also present and discuss the results of several user studies we conducted with the goal of assessing the security and the usability of our most prominent variants. The outcome of the studies supports the hypothesis that our primary method offers resilience against shoulder surfing while still being reasonably usable – and thus has considerable practical value where shoulder surfing is a concern. Certain modifications of our design that we describe – the introduction of ambiguity into provers’ answers – provide limited resilience even against a single recording by a concealed camera. However, that has been noted before by Baker (1995) and thus does not constitute a novel result.

Background

In this section, we summarize background material that we assume as known in the remainder of our article, namely: a description of our threat model, the psychological foundation of our mechanism design, as well as mathematical tools that we applied in our usability evaluation. Readers who are familiar with these fields may safely skip the corresponding sections and continue reading the description of our mechanism design in Section 3.

Cognitive trapdoor games

The general principle we apply is to consecutively display the set of PIN digits to the prover as two partitions. The prover indicates the partition in which the current PIN digit is. After a few rounds, the verifier determines the correct PIN digit by intersecting the indicated partitions. The algorithm may be repeated for as many digits as the prover wishes to enter. The input and output methods determine the difficulty of the cognitive task that must be accomplished by the prover and the
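The black-and-white game illustrated in the introduction and summarized in the paragraph above, written out as a small simulation. This is an added example, not code from the paper or its authors: the verifier's random partition, the prover's colour answer, the verifier's running set intersection, and what an observer who recorded every round (as opposed to a human onlooker who must memorize it) can reconstruct. Function names, the seed parameter and the per-round memory count in observer_load (five digits of one set, its colour, and the answer, following the introduction's description) are assumptions of this example.

```python
import random

DIGITS = frozenset(range(10))  # the PIN alphabet {0, 1, ..., 9}


def verifier_partition(rng):
    """Verifier step: randomly split the ten digits into two equal-sized sets.

    Set A is shown on a white background, set B on a black background.
    """
    digits = list(DIGITS)
    rng.shuffle(digits)
    return frozenset(digits[:5]), frozenset(digits[5:])


def prover_answer(digit, white, black):
    """Prover step: answer with the background colour of the set holding her digit."""
    assert white.isdisjoint(black) and white | black == DIGITS
    return "white" if digit in white else "black"


def _play_rounds(digit, rng):
    """Play rounds until the verifier's candidate set is a singleton.

    Returns (recovered_digit, transcript). The transcript is the complete
    input and output of the game: both sets and the answer for every round.
    """
    candidates = DIGITS
    transcript = []
    while len(candidates) > 1:
        white, black = verifier_partition(rng)
        answer = prover_answer(digit, white, black)
        transcript.append((white, black, answer))
        # Verifier keeps only the digits in the set the prover pointed at.
        candidates &= white if answer == "white" else black
    return next(iter(candidates)), transcript


def play_for_digit(digit, seed=0):
    """Single-digit game with a seeded RNG so a run can be reproduced."""
    return _play_rounds(digit, random.Random(seed))


def enter_pin(pin, seed=0):
    """Play the game once per PIN digit; returns the PIN the verifier reconstructs."""
    rng = random.Random(seed)
    return "".join(str(_play_rounds(int(ch), rng)[0]) for ch in pin)


def observer_replay(transcript):
    """What a perfect recorder (a concealed camera) can do: replay the intersections.

    The scheme does not hide the digit information-theoretically; its strength
    against a human onlooker is the memory load estimated by observer_load().
    """
    candidates = DIGITS
    for white, black, answer in transcript:
        candidates &= white if answer == "white" else black
    return next(iter(candidates)) if len(candidates) == 1 else None


def observer_load(transcript):
    """Items a human onlooker must retain to replay the transcript (assumed count):
    per round, the five digits of one set, its colour, and the prover's answer."""
    return 7 * len(transcript)


if __name__ == "__main__":
    for d in range(10):
        recovered, transcript = play_for_digit(d, seed=d)
        print(f"digit {d}: verifier got {recovered} after {len(transcript)} rounds, "
              f"onlooker must hold {observer_load(transcript)} items, "
              f"camera replay gives {observer_replay(transcript)}")
    print("PIN 4096 ->", enter_pin("4096", seed=1))
```

Because the verifier partitions at random rather than choosing splits that bisect the remaining candidates, some rounds do not shrink the candidate set; the loop simply continues until the intersection is a singleton, which is also why the round count varies from run to run.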

Related work

The problem of how PINs can be entered in the face of shoulder surfing has inspired a considerable body of related work. A common approach, of which several variants have been proposed, is based on a keypad with a randomized layout of keys (Hirsch, 1982, Hirsch, 1984, Cairns, 1990, Thrower, 1989, Rehm, 1985, Hoover, 2001, Collins, 1990, McIntyre et al., 2003, Baker, 1995). The prover must locate and press the keys on the keypad that are labeled with his or her PIN digits. Of course, that provides added

Security and usability study

We conducted three studies with the objective of assessing the security and usability of our immediate response design (IOC) versus the delayed response design (DOC) versus the regular PIN entry method (REG). The first study put subjects into the role of the shoulder surfer, the second study put them into the role of the prover. We presented these studies in Roth et al. (2004). For reference, we give a brief summary of the results below. Based on the outcome of these studies, we refined the user

Conclusions

Towards a PIN entry method that is robust against shoulder surfing, we proposed two variants of an interactive challenge-response protocol (the immediate and delayed choice variants) to which we refer as cognitive trapdoor games. The essential feature of such a game is that it is easily won if the PIN is known, and hard to win otherwise. The cognitive capabilities of a human are generally not sufficient to derive the genuine PIN through observation of the entire game’s input and output. As a

Acknowledgments

This article is a significantly revised and extended version of Roth et al. (2004), which we presented at the 11th ACM Conference on Computer and Communications Security. The described methods are patent pending. We would like to thank Abraham Bernstein and other (anonymous) reviewers very much for their detailed and supportive comments, which helped and guided us in improving our original manuscript. We would also like to thank everyone who participated in our usability studies for their time

References

  • Anderson, J.R., 2000. Cognitive Psychology and its Implications.
  • Anvekar, D.K., 2003. Method for non-disclosing password entry. US Patent #6,658,574, United States Patent and Trademark...
  • Baker, D.G., 1995. Nondisclosing password entry system. US Patent #5,428,349, United States Patent and Trademark...
  • Box, G.E.P., et al., 1978. Statistics for Experimenters.
  • Brader, M., 1998. Shoulder-surfing automated. Risks Digest 19.70, April...
  • Brooke, J. SUS: A quick and dirty usability scale.
  • Cairns, J.P., 1990. System for cryptographing and identification. US Patent #4,962,530, United States Patent and...
  • Collins, E.R., 1990. Computer access security code system. US Patent #4,926,481, United States Patent and Trademark...
  • Colville, J., 2003. ATM scam netted $620,000 Australian. Risks Digest 22.85, August...
  • Cottrell, S.R., 1995. Method to provide security for a computer and a device therefore. US Patent #5,465,084, United...
  • Count Zero, 1992. Card-o-rama: Magnetic stripe technology and beyond. Phrack...
  • Hirsch, S.B., 1982. Secure keyboard input terminal. US Patent #4,333,090, United States Patent and Trademark Office,...
  • Hirsch, S.B., 1984. Secure input system. US Patent #4,479,112, United States Patent and Trademark Office, 305 Peck Dr.,...
  • <http://www.swiveltechnologies.com>, July...
  • Hoover, D., 2001. Method and apparatus for secure entry of access codes in a computer environment. US Patent...
  • Hopper, N.J., Blum, M., 2000. A secure human–computer authentication scheme. Technical Report CMU-CS-00-139, School of...
  • Hopper, N.J., et al. Secure human identification protocols.
  • ISO, 2002. Banking – personal identification number (PIN) management and security – Part 1: Basic principles and...
  • James Smith Jr., A., 2001. Method and apparatus for securing passwords and personal identification numbers. US Patent #...
  • James Smith Jr., A., 2003. Method and apparatus for securing a list of passwords and personal identification numbers....
  • Johnson, W.J., Weber, O.W., 1997. Method and system for variable password access. US Patent #5,682,475, United States...
  • Kruskal, W.H., et al., 1952. Use of ranks in one-criterion variance analysis. Journal of the American Statistical Association.
  • Kuhn, M., 1997. Probability theory for pickpockets – ec-PIN guessing. Available from...
  • Li, X.-Y., et al., 1999. Practical human–machine identification over insecure channels. Journal of Combinatorial Optimization.
  • Likert, R., 1932. A Technique for the Measurement of Attitudes.