University of Warwick
Publications service & WRAP

Stealing PINs via mobile sensors : actual risk versus user perception

Mehrnezhad, Maryam, Toreini, Ehsan, Shahandashti, Siamak F. and Hao, Feng (2018) Stealing PINs via mobile sensors : actual risk versus user perception. International Journal of Information Security, 17 (3). pp. 291-313. doi:10.1007/s10207-017-0369-x

Research output not available from this repository, contact author.
Official URL: http://dx.doi.org/10.1007/s10207-017-0369-x

Abstract

In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.

Item Type: Journal Article
Divisions: Faculty of Science > Computer Science
Journal or Publication Title: International Journal of Information Security
Publisher: Springer
ISSN: 1615-5262
Official Date: June 2018
Dates:
Date | Event
June 2018 | Published
7 April 2017 | Available
Volume: 17
Number: 3
Page Range: pp. 291-313
DOI: 10.1007/s10207-017-0369-x
Status: Peer Reviewed
Publication Status: Published
Access rights to Published version: Restricted or Subscription Access
Description:

1st European Workshop on Usable Security (EuroUSEC), 2016
