Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: Balagani, Kirana; 2 | Cardaioli, Matteob; d; * | Conti, Maurob | Gasti, Paoloa | Georgiev, Martinc; 3 | Gurtler, Tristana; 4 | Lain, Danieleb; 5 | Miller, Charissaa; 6 | Molas, Kendalla | Samarin, Nikitaa; 7 | Saraci, Eugenb | Tsudik, Genec | Wu, Lynna; 8
Affiliations: [a] New York Institute of Technology, USA | [b] University of Padua, Italy | [c] University of California, Irvine, USA | [d] GFT Italy, Italy
Correspondence: [*] Corresponding author. E-mail: [email protected].
Note: [1] Submitted to the ESORICS 2018 special issue.
Note: [2] Authors are listed in alphabetical order.
Note: [3] Current affiliation: University of Oxford.
Note: [4] Current affiliation: University of Illinois at Urbana-Champaign.
Note: [5] Current affiliation: ETH Zurich.
Note: [6] Current affiliation: Rochester Institute of Technology.
Note: [7] Current affiliation: University of California, Berkeley.
Note: [8] Current affiliation: Bryn Mawr College.
Abstract: This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters (∗ or ∙) that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work (In European Symposium on Research in Computer Security (2018) 263–280 Springer). In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.
Keywords: Authentication, information leakage, shoulder-surfing attacks, PIN inference, password inference
DOI: 10.3233/JCS-191289
Journal: Journal of Computer Security, vol. 27, no. 4, pp. 405-425, 2019
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
[email protected]
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office [email protected]
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
[email protected]
For editorial issues, like the status of your submitted paper or proposals, write to [email protected]
如果您在出版方面需要帮助或有任何建, 件至: [email protected]