The Library
Stealing PINs via mobile sensors : actual risk versus user perception
Tools
Tools
Tools
Mehrnezhad, Maryam, Toreini, Ehsan, Shahandashti, Siamak F. and Hao, Feng (2018) Stealing PINs via mobile sensors : actual risk versus user perception. International Journal of Information Security, 17 (3). pp. 291-313. doi:10.1007/s10207-017-0369-x
Research output not available from this repository, contact author.
Official URL: http://dx.doi.org/10.1007/s10207-017-0369-x
Abstract
In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.
| Item Type: | Journal Article | ||||||
|---|---|---|---|---|---|---|---|
| Divisions: | Faculty of Science > Computer Science | ||||||
| Journal or Publication Title: | International Journal of Information Security | ||||||
| Publisher: | Springer | ||||||
| ISSN: | 1615-5262 | ||||||
| Official Date: | June 2018 | ||||||
| Dates: |
|
||||||
| Volume: | 17 | ||||||
| Number: | 3 | ||||||
| Page Range: | pp. 291-313 | ||||||
| DOI: | 10.1007/s10207-017-0369-x | ||||||
| Status: | Peer Reviewed | ||||||
| Publication Status: | Published | ||||||
| Access rights to Published version: | Restricted or Subscription Access | ||||||
| Description: | 1st European Workshop on Usable Security (EuroUSEC), 2016 |
Request changes or add full text files to a record
Repository staff actions (login required)
 |
View Item |
