How to fend off shoulder surfing
Introduction
Personal identification numbers (PINs) are used as a means of authenticating oneself when withdrawing money from automatic teller machines (ATMs), authorizing point of sale (POS) transactions, unlocking cell phones and personal digital assistants (PDAs), gaining access to secure areas, or disarming burglar alarms, to name a few examples. Typically, a user proves himself to a machine by entering a four-digit PIN on a PIN pad with three by four keys, and an automatic process verifies whether the entered PIN is correct.
However, anyone who has the PIN pad in his field of view may observe the PIN that a prover enters and use that information to impersonate the legitimate prover. This particular attack is widely known as shoulder surfing.
As an added security mechanism against such involuntary PIN disclosure, many authentication systems require not only something that the legitimate prover knows but also something that he has, such as a magnetic stripe card with certain information stored on it. However, fraudsters steal or skim valid cards with increasing sophistication (Weinstock, 1987, Brader, 1998, Wood, 2003, Summers and Toyne, 2003, Colville, 2003), causing significant damage to customers and the banking industry. The means by which fraudsters obtain the corresponding PINs have also multiplied. In several recent cases, concealed miniature cameras were planted at ATMs and radioed video images of PIN entry sequences to nearby receivers (Wood, 2003, Summers and Toyne, 2003, Colville, 2003).
We investigated whether the method by which PINs are entered can be designed in a way that is resilient to human shoulder surfers even if all input and output is in plain sight, perhaps even if all input and output is recorded by a concealed camera. At the same time, the method should be efficient and easily usable. Our contribution is a novel design which consciously leverages the fact that certain cognitive capabilities of humans are very limited, particularly humans’ ability to store and retain information in their short-term memory (Miller, 1956, Anderson, 2000, Vogel and Machizawa, 2004).
We refer to our principal design as an interactive cognitive trapdoor game between a verifier and a prover in which all input and output is in plain sight of an observer, and authenticating oneself amounts to winning the game. The game is designed so that winning it is well within the bounds of human cognitive capacity if the correct PIN is known. If, however, the PIN is not known, then winning the game requires cognitive capacity beyond what is typically found in humans.
A simple example may serve as an illustration of the general idea. Assume that the prover wishes to enter a single digit using a PIN pad with the typical fixed layout of keys and digits. Further, assume that the verifier has the ability to set the background color of each individual key to either black or white. The verifier randomly partitions the set {0, 1, … , 9} of possible PIN digits into two equally sized sets A and B. The digits in set A are displayed on white background and the digits in set B are displayed on black background. If the prover’s digit is in set B then she enters white, and black otherwise. After playing the game for a few rounds, the verifier can uniquely determine the digit by intersecting the sets indicated by the prover. The observer, on the other hand, does not know the digit and in order to calculate the set intersection she has to quickly memorize or record at least one set, its color, and the prover’s response in each round. The game is repeated until all digits are entered.
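The single-digit game sketched above, written out as an added simulation (example code, not the paper's implementation). The verifier repeatedly splits the ten digits into a white and a black half, the prover names the colour behind her digit, and the verifier intersects the halves she named until one digit remains. The only design choice beyond what the text states is an assumption: the verifier spreads the digits still consistent with the answers so far evenly over the two colours, so that each round roughly halves the candidate set and at most four rounds are needed per digit. The observer-side function shows what an onlooker can infer from the rounds she managed to retain, which is the cognitive burden the article relies on.

```python
import random

# Added example: cognitive trapdoor game for one PIN digit.
# Not the paper's code; the balanced-partition strategy is an assumption.

DIGITS = frozenset(range(10))


def choose_partition(candidates, rng):
    """Verifier: split {0..9} into two 5-digit sets (white, black).

    Assumption: digits still consistent with the prover's answers are spread
    as evenly as possible over the two colours, so every round roughly halves
    the candidate set (at most ceil(log2 10) = 4 rounds). Which digits land
    on which colour is still random, as the article requires.
    """
    cand = list(candidates)
    rng.shuffle(cand)
    rest = list(DIGITS - candidates)
    rng.shuffle(rest)
    half = len(cand) // 2
    white = cand[:half]
    black = cand[half:]
    # pad each colour to five digits with digits already ruled out
    need_white = 5 - len(white)
    white += rest[:need_white]
    black += rest[need_white:]
    return frozenset(white), frozenset(black)


def prover_answer(secret, white):
    """Prover: name the background colour of the key carrying her digit."""
    return "white" if secret in white else "black"


def enter_digit(secret, rng):
    """Play the game for one digit. Returns (digit, transcript).

    The transcript is exactly what an observer sees: both displayed sets
    and the prover's answer in every round.
    """
    candidates = DIGITS
    transcript = []
    while len(candidates) > 1:
        white, black = choose_partition(candidates, rng)
        answer = prover_answer(secret, white)
        transcript.append((white, black, answer))
        candidates &= (white if answer == "white" else black)
    (digit,) = candidates
    return digit, transcript


def observer_candidates(transcript, remembered=None):
    """Digits an observer can still not rule out, given the round indices
    she managed to memorize or record (default: all rounds)."""
    if remembered is None:
        remembered = range(len(transcript))
    candidates = DIGITS
    for i in remembered:
        white, black, answer = transcript[i]
        candidates &= (white if answer == "white" else black)
    return candidates


def enter_pin(pin, seed=0):
    """Play one game per PIN digit with a seeded RNG (for reproducibility).
    Returns the PIN the verifier reconstructs and the per-digit transcripts."""
    rng = random.Random(seed)
    digits, transcripts = [], []
    for ch in pin:
        d, t = enter_digit(int(ch), rng)
        digits.append(str(d))
        transcripts.append(t)
    return "".join(digits), transcripts


if __name__ == "__main__":
    pin, transcripts = enter_pin("4711")  # constructed sample PIN
    print("verifier reconstructed PIN:", pin)
    for d, t in zip("4711", transcripts):
        partial = observer_candidates(t, range(len(t) - 1))
        print(f"digit {d}: {len(t)} rounds; an observer who forgets the last "
              f"(set, colour, answer) triple is left with {sorted(partial)}")
```

The point the simulation makes is the asymmetry: the prover only ever has to look up one digit and report a colour, whereas the observer must capture every displayed partition together with the answer, since dropping even the final round leaves at least two digits open.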
In the remainder of the article, we elaborate on the design and its security. We describe multiple variations of it, some of which are especially suitable for people with certain handicaps such as blindness. We also present and discuss the results of several user studies we conducted with the goal of assessing the security and the usability of our most prominent variants. The outcome of the studies supports the hypothesis that our primary method offers resilience against shoulder surfing while still being reasonably usable – and thus has considerable practical value where shoulder surfing is a concern. Certain modifications of our design that we describe – the introduction of ambiguity into provers’ answers – provide limited resilience even against a single recording by a concealed camera. However, that has been noted before by Baker (1995) and thus does not constitute a novel result.
Section snippets
Background
In this section, we summarize background material that we assume as known in the remainder of our article, namely: a description of our threat model, the psychological foundation of our mechanism design, as well as mathematical tools that we applied in our usability evaluation. Readers who are familiar with these fields may safely skip the corresponding sections and continue reading the description of our mechanism design in Section 3.
Cognitive trapdoor games
The general principle we apply is to consecutively display the set of PIN digits to the verifier as two partitions. The verifier indicates the partition in which the current PIN digit is. After a few rounds, the prover determines the correct PIN digit by intersecting the indicated partitions. The algorithm may be repeated for as many digits as the prover wishes to enter. The input and output methods determine the difficulty of the cognitive task that must be accomplished by the prover and the
Related work
The problem of how PINs can be entered in the face of shoulder surfing has inspired a substantial body of related work. A common approach, of which several variants were proposed, is based on a keypad with a randomized layout of keys (Hirsch, 1982, Hirsch, 1984, Cairns, 1990, Thrower, 1989, Rehm, 1985, Hoover, 2001, Collins, 1990, McIntyre et al., 2003, Baker, 1995). The prover must locate and press the keys on the keypad that are labeled with his or her PIN digits. Of course, that provides added
Security and usability study
We conducted three studies with the objective to assess the security and usability of our immediate response design (IOC) versus the delayed response design (DOC) versus the regular PIN entry method (REG). The first study put subjects into the role of the shoulder surfer, the second study put them into the role of the prover. We presented these studies in (Roth et al., 2004). For reference, we give a brief summary of the results below. Based on the outcome of these studies, we refined the user
Conclusions
Towards a PIN entry method that is robust against shoulder surfing, we proposed two variants of an interactive challenge-response protocol (the immediate and delayed choice variants) to which we refer as cognitive trapdoor games. The essential feature of such a game is that it is easily won if the PIN is known, and hard to win otherwise. The cognitive capabilities of a human are generally not sufficient to derive the genuine PIN through observation of the entire game’s input and output. As a
Acknowledgments
This article is a significantly revised and extended version of Roth et al. (2004), which we presented at the 11th ACM Conference on Computer and Communications Security. The described methods are patent pending. We would like to thank Abraham Bernstein and the other (anonymous) reviewers very much for their detailed and supportive comments, which helped and guided us in improving our original manuscript. We would also like to thank everyone who participated in our usability studies for their time
References (51)
- Anderson, J.R., 2000. Cognitive Psychology and its Implications.
- Anvekar, D.K., 2003. Method for non-disclosing password entry. US Patent #6,658,574, United States Patent and Trademark...
- Baker, D.G., 1995. Nondisclosing password entry system. US Patent #5,428,349, United States Patent and Trademark...
- Box, G.E.P., et al., 1978. Statistics for Experimenters.
- Brader, M., 1998. Shoulder-surfing automated. Risks Digest 19.70, April...
- SUS: A quick and dirty usability scale.
- Cairns, J.P., 1990. System for cryptographing and identification. US Patent #4,962,530, United States Patent and...
- Collins, E.R., 1990. Computer access security code system. US Patent #4,926,481, United States Patent and Trademark...
- Colville, J., 2003. ATM scam netted $620,000 Australian. Risks Digest 22.85, August...
- Cottrell, S.R., 1995. Method to provide security for a computer and a device therefore. US Patent #5,465,084, United...
- Secure human identification protocols.
- Use of ranks in one-criterion variance analysis. Journal of the American Statistical Association.
- Practical human–machine identification over insecure channels. Journal of Combinatorial Optimization.
- A Technique for the Measurement of Attitudes.
Cited by (5)
- Analysis of respondents’ opinions and attitudes toward the security of payment systems. 2019, Entrepreneurship and Sustainability Issues.
- Vote-for-It: Investigating Mobile Device-Based Interaction Techniques for Collocated Anonymous Voting and Rating. 2019, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics).
- Security aspects: Protection of people in connection with the use of personal identification numbers. 2019, Journal of Security and Sustainability Issues.
- DragPIN: A secured PIN entry scheme to avert attacks. 2018, International Arab Journal of Information Technology.
- Three steps secure login: A systematic approach. 2016, ACM International Conference Proceeding Series.