Usably Secure, Low-Cost Authentication for Mobile Banking, SOUPS, 10
The authors describe a security flaw in a two-factor authentication scheme for mobile banking in India that combines a codebook with a PIN. In the existing (flawed) scheme the user has a codebook of many 10-digit nonces, each with blanks at 4 random positions. The user enters the 10 digits on his mobile phone, replacing the blanks with the digits of his PIN. The scheme needs no cryptographic functions and is thus suitable for very low-end mobile phones. The flaw is that searching for a 4-digit subsequence common to several entered 10-digit strings reveals the PIN, and with high probability fewer than 7 such nonces suffice. The agent (e.g., a shopkeeper) through whom users perform their transactions is well placed to observe many nonces and exploit the flaw.
To remedy the flaw, the authors propose changing the codebook so that each nonce is a random 10-digit number and the PIN selects positions: if a user's PIN is 2593, he enters the nonce digits at the 2nd, 5th, 9th, and 3rd places. This requires less information to be entered and improves usability. The new scheme is equivalent to a one-time pad. Each PIN in this scheme has to consist of distinct digits; otherwise, if the PIN were 1111, the resulting signature could be 2222.
A user study with 8 agents + 13 existing customers + 13 potential customers = 34 participants shows that the new scheme has an average login time of 10.43 seconds against the old scheme's 18.40 seconds, and that its error rate is lower. Although the new scheme is inferior to a regular PIN (login time 4.22 seconds, error rate 0), the enhanced security makes it a good choice. An interesting usability effect is that the new scheme has the user look up digits at the same positions in every nonce, so over time users become more efficient at entering the digits and need less time to log in.
Citation (ACM Ref): Saurabh Panjwani and Edward Cutrell. 2010. Usably secure, low-cost authentication for mobile banking. In Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS '10). ACM, New York, NY, USA, Article 4, 12 pages. DOI=10.1145/1837110.1837116 http://doi.acm.org/10.1145/1837110.1837116
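The following model of both codebook schemes is an added illustration, not code from the paper. It assumes a 4-digit PIN, 10-digit nonces, an observer (such as the agent) who sees only what the user types and never the codebook, and, in the new scheme, that PIN digit 0 selects the 10th nonce position (the summary only shows non-zero digits). It shows why the old scheme's candidate set collapses after a handful of observed logins and why, in the new scheme, every distinct-digit PIN remains equally consistent with whatever was typed.

```python
"""
Model of the two codebook+PIN schemes summarised above.  Added example, not
the authors' code.  Assumptions: 4-digit PIN, 10-digit nonces, an observer who
sees only the typed digits (never the codebook), and PIN digit 0 meaning the
10th nonce position in the new scheme.
"""
import random
from itertools import combinations, permutations

PIN_LEN = 4
NONCE_LEN = 10


def old_scheme_response(blank_nonce: str, pin: str) -> str:
    """Old scheme: the codebook nonce has 4 blanks ('_'); the user types all 10
    digits, filling the blanks with the PIN digits in order."""
    assert blank_nonce.count("_") == PIN_LEN == len(pin)
    digits = iter(pin)
    return "".join(next(digits) if c == "_" else c for c in blank_nonce)


def subsequences_4(typed: str) -> set:
    """Every 4-digit string occurring as a (not necessarily contiguous)
    subsequence of a typed response.  The true PIN is always among them."""
    return {"".join(typed[i] for i in idx)
            for idx in combinations(range(len(typed)), PIN_LEN)}


def old_scheme_pin_candidates(typed_responses):
    """The flaw: the PIN is a subsequence common to every observed response, so
    intersecting the per-response sets leaves fewer candidates each time."""
    cands = None
    for t in typed_responses:
        cands = subsequences_4(t) if cands is None else cands & subsequences_4(t)
    return cands


def random_blank_nonce(rng: random.Random) -> str:
    """A codebook entry: 10 random digits with 4 random positions blanked."""
    digits = [str(rng.randrange(10)) for _ in range(NONCE_LEN)]
    for pos in rng.sample(range(NONCE_LEN), PIN_LEN):
        digits[pos] = "_"
    return "".join(digits)


def observations_needed(pin: str, seed: int = 0, limit: int = 20):
    """How many typed responses an observer needs before only the true PIN is
    left; the summary reports fewer than 7 with high probability."""
    rng = random.Random(seed)
    seen = []
    for _ in range(limit):
        seen.append(old_scheme_response(random_blank_nonce(rng), pin))
        if old_scheme_pin_candidates(seen) == {pin}:
            return len(seen)
    return None  # not resolved within `limit` observations


def _position(pin_digit: str) -> int:
    # PIN digit d selects the d-th nonce digit (1-based); 0 -> 10th (assumption).
    return (int(pin_digit) or 10) - 1


def new_scheme_response(nonce: str, pin: str) -> str:
    """New scheme: the nonce is 10 random digits and the PIN names positions.
    PIN 2593 on nonce 0123456789 gives the digits at places 2, 5, 9, 3: 1482."""
    assert len(nonce) == NONCE_LEN and len(pin) == PIN_LEN
    if len(set(pin)) != PIN_LEN:
        # 1111 would echo one nonce digit four times (e.g. 2222) and so reveal
        # that the PIN repeats a digit; the scheme requires distinct digits.
        raise ValueError("PIN digits must be distinct")
    return "".join(nonce[_position(d)] for d in pin)


def witness_nonce(pin: str, response: str) -> str:
    """A nonce under which `pin` yields `response`; the other six positions are
    arbitrary (set to 0 here), so 10**6 such nonces exist for every PIN."""
    nonce = ["0"] * NONCE_LEN
    for d, r in zip(pin, response):
        nonce[_position(d)] = r
    return "".join(nonce)


def new_scheme_pin_candidates(responses):
    """With the codebook unseen, every distinct-digit PIN explains every observed
    response equally well (a witness nonce exists for each), so the observer
    learns nothing: the one-time-pad property claimed in the paper."""
    pins = ["".join(p) for p in permutations("0123456789", PIN_LEN)]
    return [p for p in pins
            if all(new_scheme_response(witness_nonce(p, r), p) == r
                   for r in responses)]


if __name__ == "__main__":
    print("old scheme, logins observed until PIN is unique:",
          observations_needed("2593", seed=2010))
    print("new scheme, PINs still possible after 5 responses:",
          len(new_scheme_pin_candidates(["1482", "0000", "7391", "5555", "2846"])))
```

The old-scheme part only models what the summary states, that intersecting the subsequence sets of a few typed responses isolates the PIN; the new-scheme part makes the one-time-pad argument constructive by exhibiting, for any PIN and any response, a nonce that produces it, so all 5040 distinct-digit PINs survive no matter how many responses are seen.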
Touch me once and I know it's you! Implicit Authentication based on Touch Screen Patterns, CHI, 12
A password entry method for touch-screen mobile phones is proposed in which authentication is based on the user's pass shape and also on a set of behavioral biometrics exhibited while entering the shape: how hard the finger presses, the area of the finger touching the screen, the X and Y coordinates, and the time between two different points. The Dynamic Time Warping algorithm is used to compare the current set of biometrics with the template. Even if an attacker knows the pass shape, he is unlikely to reproduce the set of biometrics with enough accuracy.
A user study with 31 participants (average age 27 years) shows an overall accuracy of 77% with maximum warp distance as the comparison threshold. The authors note that a dynamic template which evolves over time could increase accuracy. An attack was defined as a comparison between a target user and all other users, which is not what happens in a real attack, where the attacker observes the user's input process and then tries to impersonate him.
Citation (ACM Ref): Alexander De Luca, Alina Hang, Frederik Brudy, Christian Lindner, and Heinrich Hussmann. 2012. Touch me once and i know it's you!: implicit authentication based on touch screen patterns. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '12). ACM, New York, NY, USA, 987-996. DOI=10.1145/2207676.2208544 http://doi.acm.org/10.1145/2207676.2208544
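As an added illustration of the comparison step (not the authors' code), the block below runs Dynamic Time Warping over multi-feature touch traces. The trace format (x, y, pressure, touch area, time since the previous point) and all sample values are constructed, and the enrolment rule, a medoid template with the largest warp distance seen at enrolment as the accept threshold, is this example's reading of "maximum warp distance as the threshold". It also shows the failure mode behind the 77% figure: a genuine attempt with more jitter than anything seen at enrolment is rejected, which is what an evolving template would address.

```python
"""
Dynamic Time Warping over touch traces, illustrating the comparison step of
the scheme summarised above.  Added example, not the authors' code; the trace
layout (x, y, pressure, area, dt) and all values are constructed.
"""
import math


def _point_distance(a, b):
    """Euclidean distance between two per-touch feature vectors."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def dtw_distance(seq_a, seq_b):
    """Minimal cumulative point distance over all monotone alignments of seq_a
    with seq_b, so traces sampled at different speeds or lengths can be compared."""
    n, m = len(seq_a), len(seq_b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = _point_distance(seq_a[i - 1], seq_b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j],      # repeat a point of seq_b
                                 cost[i][j - 1],      # repeat a point of seq_a
                                 cost[i - 1][j - 1])  # advance both traces
    return cost[n][m]


def enroll(samples):
    """Template: the enrolment trace closest to all the others (the medoid).
    Threshold: the largest warp distance from the template to any enrolment trace."""
    template = min(samples, key=lambda s: sum(dtw_distance(s, o) for o in samples))
    threshold = max(dtw_distance(template, s) for s in samples)
    return template, threshold


def authenticate(template, threshold, attempt):
    """Accept iff the attempt warps onto the template within the threshold."""
    return dtw_distance(template, attempt) <= threshold


# Constructed data: an L-shaped pass shape sampled at 5 points.
SHAPE = [(0.0, 0.0), (0.0, 1.0), (0.0, 2.0), (1.0, 2.0), (2.0, 2.0)]


def make_trace(pressure, area, dt, jitter=0.0):
    """One attempt at SHAPE with constant pressure, touch area and timing plus a
    small positional jitter; a real device reports these per touch event."""
    return [(x + jitter, y - jitter, pressure, area, dt) for x, y in SHAPE]


GENUINE = [make_trace(0.50, 0.30, 0.20, j) for j in (0.00, 0.02, -0.01)]
IMPOSTOR = make_trace(0.90, 0.55, 0.45)  # knows the shape, presses harder and slower


def demo():
    """Returns (steady genuine accepted, sloppy genuine accepted, impostor accepted)."""
    template, threshold = enroll(GENUINE)
    return (authenticate(template, threshold, make_trace(0.50, 0.30, 0.20, 0.015)),
            authenticate(template, threshold, make_trace(0.50, 0.30, 0.20, 0.03)),
            authenticate(template, threshold, IMPOSTOR))


if __name__ == "__main__":
    print(demo())
```

With these inputs the impostor's trace is far from the template on the pressure, area and timing features even though its shape is identical, while the over-jittered genuine attempt fails because the fixed threshold was set only from three enrolment traces.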