A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Bonneau, Joseph; Preibusch, Sören; Anderson, Ross

doi:10.1007/978-3-642-32946-3_3

Cited by 121 publications

(129 citation statements)

References 13 publications

Supporting

Mentioning

124

Contrasting

Order By: Relevance

“…However, we believe that the attack could still be practical when selecting from a limited set of PINs since users do not select their PINs randomly [19]. It has been reported that around 27% of all possible 4-digit PINs belong to a set of 20 PINs, 4 including straightforward ones like "1111", "1234", or "2000".…”

Section: Identification Of Pin Digitsmentioning

confidence: 99%

“…As an example, in addition to user name and passwords, HSBC authenticates their customers through TouchID 17 and voice ID. 18 Another example is Smile to Pay facial recognition app 19 where deep learning is applied to overcome the difficulty of face authentication when the face photograph is not in the normal form. Recently Yahoo has also introduced its ear-based smartphone identification system.…”

Section: Biometric Sensorsmentioning

confidence: 99%

See 1 more Smart Citation

Stealing PINs via mobile sensors: actual risk versus user perception

Mehrnezhad

Toreini

Shahandashti

et al. 2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user's PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users' perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks. B Maryam Mehrnezhad

show abstract

Section: Identification Of Pin Digitsmentioning

confidence: 99%

Section: Biometric Sensorsmentioning

confidence: 99%

Stealing PINs via mobile sensors: actual risk versus user perception

Mehrnezhad

Toreini

Shahandashti

et al. 2017

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…We present a comparison of the security properties against guessing adversaries of several ZeTA parameters with passwords and PINs in Table 1: a listing of the bit strength of alphanumeric passwords in practice, as reported by Bonneau [65], and 4 digit PINs both in theory and in practice, as reported by Bonneau et al [66], as well as several theoretical values for ZeTA as presented in Table 2.…”

Section: Comparison Of Example Parametersmentioning

confidence: 99%

ZeTA-Zero-Trust Authentication: Relying on Innate Human Ability, Not Technology

Gutmann

Renaud

Maguire

et al. 2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Abstract-Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

show abstract

“…Sharing of PIN among users or family members also add more security risks. Studies [12][13][14] have reported that most users use their date of births as PINs. Such tendency leads to a critical security vulnerability as date of birth can be known from different sources, such as a co-worker, family member, relative, various record management systems etc.…”

Section: Personal Identification Numbers (Pins)mentioning

confidence: 99%

Improving Mobile Money Security with Two-Factor Authentication

Mtaho¹

2015

IJCA

View full text Add to dashboard Cite

Security is a leading factor for establishing and maintaining customer trust in mobile money services (MMSs). MMSs in Tanzania rely on the use of Personal Identification Number (PIN) as an authentication method. However, a PIN can be easily guessed, forged or misused. This paper explores security challenges in MMSs and weaknesses associated with the current Mobile Money Authentication (MMA) method. Further, the study proposes the use of two-factor authentication model as an alternative method. The proposed model combines the current approach of using PIN and adds another layer of security that uses fingerprint recognition technology. Evaluation of the proposed model shows that it mitigates security vulnerabilities that exist in the current MMA method.

show abstract

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Cited by 121 publications

References 13 publications

Stealing PINs via mobile sensors: actual risk versus user perception

Stealing PINs via mobile sensors: actual risk versus user perception

ZeTA-Zero-Trust Authentication: Relying on Innate Human Ability, Not Technology

Improving Mobile Money Security with Two-Factor Authentication

Contact Info

Product

Resources

About