In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder. Unauthorized users watch the keystrokes inputted on a device or listen to sensitive information being spoken, which is also known as eavesdropping. [1] [2]
This attack can be performed either at close range (by directly looking over the victim's shoulder) or from a longer range with, for example, a pair of binoculars or similar hardware. [3] Attackers do not need any technical skills in order to perform this method, and keen observation of victims' surroundings and the typing pattern is sufficient. In the early 1980s, shoulder surfing was practiced near public pay phones to steal calling card digits and make long-distance calls or sell them in the market for cheaper prices than the original purchaser paid. However, the advent of modern-day technologies like hidden cameras and secret microphones makes shoulder surfing easier and gives the attacker more scope to perform long-range shoulder surfing. A hidden camera allows the attacker to capture the whole login process and other confidential data of the victim, which ultimately could lead to financial loss or identity theft. [4] Shoulder surfing is more likely to occur in crowded places because it is easier to observe the information without getting the victim's attention. [5] There are two types of shoulder-surfing attack: direct observation attacks, in which authentication information is obtained by a person who is directly monitoring the authentication sequence, and recording attacks, in which the authentication information is obtained by recording the authentication sequence for later analysis to open the device. Apart from threats to password or PIN entry, shoulder surfing also occurs in daily situations to uncover private content on handheld mobile devices; shoulder surfing visual content was found to leak sensitive information of the user and even private information about third parties. [6]
The basic procedure for gaze-based password entry is similar to normal password entry, except that in place of typing a key or touching the screen, the user looks at each desired character or trigger region in sequence (as in eye typing). The approach can therefore be used both with character-based passwords, via an on-screen keyboard, and with the graphical password schemes surveyed in [7]. A variety of considerations are important for ensuring usability and security. Eye-tracking technology has progressed significantly since its origins in the early 1900s. [8] State-of-the-art eye trackers offer non-encumbering, remote video-based eye tracking with an accuracy of 1° of visual angle. Eye trackers are a specialized application of computer vision: a camera monitors the user's eyes while one or more infrared light sources illuminate the user's face and produce a glint, a reflection of the light source on the cornea. As the user looks in different directions the pupil moves, but the location of the glint on the cornea remains fixed. The relative motion and position of the center of the pupil and the glint are used to estimate the gaze vector, which is then mapped to coordinates on the screen plane.
Researchers have proposed ways to counter shoulder surfing on mobile devices by leveraging the front-facing camera for gaze-based password entry. For example, GazeTouchPIN [9] and GazeTouchPass [10] combine gaze input (eye movements to the left or right) with touch input (tapping on-screen buttons). These methods are more secure than traditional touch-based input (e.g., PINs and lock patterns) because they require a shoulder surfer to (1) observe the user's eyes, (2) observe the user's touch input, and (3) combine the two observations.
The painting album mechanism is an anti-shoulder-surfing mechanism that has characteristics of both recall-based and recognition-based graphical techniques. Rather than using a regular PIN or password of alphanumeric characters, users select a sequence of colors or pictures to unlock the system. The order of the colors and pictures selected during sign-in has to match the order chosen at registration. [11] This method was developed from survey results on users' preferences [12] and from observing the way children paint pictures. The survey of user choices led to three input schemes, named Swipe Scheme, Colour Scheme, and Scot Scheme. Swipe Scheme is implemented in Microsoft Windows 8 and, in later versions, is known as Picture Password; however, it has drawn criticism for depending on the user choosing a sufficiently secure gesture. [13]
| Input Schemes | Input Methods |
|---|---|
| Swipe Scheme | Swipe the pictures |
| Color Scheme | Touch the picture then select the colored boxes |
| Scot Scheme | Swipe the picture, touch the pictures and select the colored boxes, all at the same time |
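The painting album mechanism's only cryptographically relevant property is that an ordered sequence of picture/colour selections must match the sequence chosen at registration. The following is an added illustration, not code from the cited work or from any product, of how a verifier would store and check such a sequence: the ordered selections are serialised unambiguously, hashed with a per-user salt and a slow key-derivation function, and compared in constant time. The picture and colour vocabularies and the example sequence are constructed for the demo. The `search_space` helper makes the defender's caveat concrete: a handful of pictures and colours gives a far smaller secret space than an alphanumeric password, so rate limiting or lockout on failed attempts is essential.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed vocabulary for the demo; a real scheme would use its own picture set.
PICTURES = ("cat", "boat", "tree", "house")
COLOURS = ("red", "green", "blue", "yellow")
ITERATIONS = 100_000  # PBKDF2 work factor; tune to the deployment's latency budget


@dataclass
class Enrolment:
    """What the verifier stores: never the selections themselves."""
    salt: bytes
    digest: bytes


def _encode(sequence):
    """Serialise an ordered list of (picture, colour) steps unambiguously.

    Length-prefixing each token keeps ("cat", "red") distinct from any
    other split of the same characters, and the position of each step in
    the byte string preserves the order the user chose.
    """
    out = bytearray()
    for picture, colour in sequence:
        if picture not in PICTURES or colour not in COLOURS:
            raise ValueError("selection outside the enrolled vocabulary")
        for token in (picture, colour):
            raw = token.encode("utf-8")
            out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def enrol(sequence):
    """Registration: derive a salted digest of the ordered sequence."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(sequence), salt, ITERATIONS)
    return Enrolment(salt=salt, digest=digest)


def verify(enrolment, sequence):
    """Sign-in: same derivation, constant-time comparison.

    A reordered sequence serialises to different bytes and therefore fails,
    which is exactly the 'order must match registration' rule of the scheme.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _encode(sequence), enrolment.salt, ITERATIONS
    )
    return hmac.compare_digest(candidate, enrolment.digest)


def search_space(steps):
    """Number of distinct sequences of the given length for this vocabulary.

    With 4 pictures and 4 colours, a 3-step sequence has only 16**3 = 4096
    possibilities, so the verifier must throttle guesses.
    """
    return (len(PICTURES) * len(COLOURS)) ** steps


if __name__ == "__main__":
    chosen = [("cat", "red"), ("boat", "blue"), ("tree", "green")]
    record = enrol(chosen)
    print("correct order accepted:", verify(record, chosen))
    swapped = [("boat", "blue"), ("cat", "red"), ("tree", "green")]
    print("same steps, wrong order accepted:", verify(record, swapped))
    print("3-step search space:", search_space(3))
```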
The secret tap method is a technique for accessing sensitive information with a low risk of shoulder surfing: it does not expose the authentication information during entry, even if other individuals try to view the input process. Camera recordings pose an additional threat, so the authentication process needs to be complex enough that authentication information cannot be recovered from a recording. For example, smartphones use biometrics such as fingerprint scanning or facial recognition, which a shoulder surfer cannot replicate.
The secret tap authentication method can use icons or some other form of system. The goals of a secret tap system are:
The primary benefit of graphical passwords compared to alphanumeric passwords is improved memorability. However, the potential downside of this advantage is an increased risk of shoulder surfing. Graphical passwords that use graphics or pictures, [14] such as PassFaces, Jiminy, [15] VIP and Passpoints, [14] or a combination of graphics and audio such as AVAP, are all likely subject to this increased risk unless it is somehow mitigated in the implementation. The results indicate that both alphanumeric and graphical password-based authentication mechanisms may have a significant vulnerability to shoulder surfing unless certain precautions are taken. Despite the common belief that non-dictionary passwords are the most secure type of password-based authentication, the results demonstrate that they are, in fact, the configuration most vulnerable to shoulder surfing.
A personal identification number (PIN) is used to authenticate oneself in various situations, such as withdrawing or depositing money at an automatic teller machine, or unlocking a phone, a door, a laptop or a PDA. Though this method of authentication is part of a two-step verification process in some situations, it is vulnerable to shoulder surfing attacks. An attacker can obtain the PIN either by directly looking over the victim's shoulder or by recording the whole login process. On devices with glossy glass screens, such as mobile phones, the user can leave smudges on the screen that reveal the PIN. [16] Some highly advanced attacks use thermal cameras to see the thermal signature of the PIN entered. [17] Thermal attacks take advantage of heat fingerprints remaining on keys after the authenticating person has finished entering the secret. [18] Various shoulder-surfing-resistant PIN entry methods are therefore used to make the authentication process secure. [19] Examples include PIN pads with built-in privacy shields. Another example, used in ATMs and some entry systems, is metal PIN pads, which make thermal camera attacks nearly impossible due to their material, [20] shielding, reflectivity or internal heating. [18] Transferring heat to the keys by wiping them with warm objects or hands has also been found effective against thermal attacks in experiments. [18]
The cognitive trapdoor game involves three parties: a machine verifier, a human prover, and a human observer. The human prover enters the PIN by answering questions posed by the machine verifier, while the observer attempts to shoulder surf the PIN. Because the countermeasures are designed to be hard to circumvent, the observer cannot easily remember the whole login process unless the observer has a recording device. [21]
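The exchange described above, simulated end to end as an added example (this is illustrative code, not the implementation from the cited work): the page does not specify the form of the verifier's questions, so the round structure here is an assumption modelled on the classic two-colour design, in which the verifier colours each digit 0 to 9 black or white and the prover answers only with the colour of the current secret digit. The verifier narrows the candidate set with each answer; splitting the remaining candidates evenly guarantees at most ceil(log2 10) = 4 rounds per digit. The `observer_candidates` function shows why the scheme resists casual observation: an onlooker who sees only the prover's button presses learns nothing, while recovering the digit requires the exact colouring shown in every round as well, which in practice means a recording.

```python
import math
import secrets

DIGITS = tuple(range(10))
# Halving the candidate set each round bounds the rounds needed per digit.
MAX_ROUNDS = math.ceil(math.log2(len(DIGITS)))  # 4 for ten digits


def make_round(candidates, rng):
    """Verifier's question: colour every digit black (0) or white (1).

    Digits still consistent with earlier answers are split as evenly as
    possible so each answer halves the set; all other digits are coloured
    at random so the display alone does not reveal which digits remain.
    """
    remaining = list(candidates)
    rng.shuffle(remaining)
    half = len(remaining) // 2
    colouring = {d: rng.randrange(2) for d in DIGITS}
    for index, digit in enumerate(remaining):
        colouring[digit] = 0 if index < half else 1
    return colouring


def prover_answer(secret_digit, colouring):
    """Human prover presses only the black or white button for their digit."""
    return colouring[secret_digit]


def narrow(candidates, colouring, answer):
    """Keep the digits whose colour matches the answer given."""
    return {d for d in candidates if colouring[d] == answer}


def run_digit(secret_digit, rng):
    """Exchange for one PIN digit: returns (recovered_digit, round history)."""
    candidates = set(DIGITS)
    history = []
    while len(candidates) > 1:
        colouring = make_round(candidates, rng)
        answer = prover_answer(secret_digit, colouring)
        history.append((colouring, answer))
        candidates = narrow(candidates, colouring, answer)
    return candidates.pop(), history


def run_protocol(pin, rng=None):
    """Run the game for a whole PIN string; returns (recovered_pin, transcript)."""
    rng = rng or secrets.SystemRandom()
    recovered = ""
    transcript = []
    for ch in pin:
        digit, history = run_digit(int(ch), rng)
        recovered += str(digit)
        transcript.append(history)
    return recovered, transcript


def observer_candidates(history, saw_screen):
    """What an onlooker can infer about one digit from the exchange.

    Button presses alone leave all ten digits possible. Only an observer who
    also captured the colouring of every round can repeat the verifier's
    narrowing, which is why memorising the exchange is impractical without
    a recording device.
    """
    if not saw_screen:
        return set(DIGITS)
    candidates = set(DIGITS)
    for colouring, answer in history:
        candidates = narrow(candidates, colouring, answer)
    return candidates


if __name__ == "__main__":
    pin, transcript = run_protocol("4921")  # constructed demo PIN
    print("verifier recovered:", pin)
    print("rounds per digit:", [len(h) for h in transcript])
    print("observer, presses only:", sorted(observer_candidates(transcript[0], False)))
    print("observer, presses + screen:", observer_candidates(transcript[0], True))
```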
A user could wear a virtual reality headset to mitigate the issues of shoulder surfing; however, gesture controls, buttons pressed, and voice commands could still be attacked. [22]
A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.
An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.
A personal identification number is a numeric passcode used in the process of authenticating a user accessing a system.
A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.
A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.
Safe-cracking is the process of opening a safe without either the combination or the key.
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is the default mode of authentication in some protocols and optional in others, such as TLS.
Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.
Draw a Secret (DAS) is a graphical password input scheme developed by Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter and Aviel D. Rubin and presented in a paper at the 8th USENIX Security Symposium in August 1999.
Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.
In computing, an input device is a piece of equipment used to provide data and control signals to an information processing system, such as a computer or information appliance. Examples of input devices include keyboards, computer mice, scanners, cameras, joysticks, and microphones.
A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a smartphone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania were the first to investigate this type of attack in 2010. An attack occurs when an unauthorized user is in possession or is nearby the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents. Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.
A graphical password or graphical user authentication is a form of authentication using images rather than letters, digits, or special characters. The type of images used and the ways in which users interact with them vary between implementations.
PassMap is a map-based graphical password method of authentication, similar to passwords, proposed by National Tsing Hua University researchers. The word PassMap originates from the word password by substituting word with map.
Usability of web authentication systems refers to the efficiency and user acceptance of online authentication systems. Examples of web authentication systems are passwords, federated identity systems, email-based single sign-on (SSO) systems, QR code-based systems or any other system used to authenticate a user's identity on the web. Even though the usability of web authentication systems should be a key consideration in selecting a system, very few web authentication systems have been subjected to formal usability studies or analysis.
A thermal attack is an approach that exploits heat traces to uncover the entered credentials. These attacks rely on the phenomenon of heat transfer from one object to another. During authentication, heat transfers from the users' hands to the surface they are interacting with, leaving heat traces behind that can be analyzed using thermal cameras that operate in the far-infrared spectrum. These traces can be recovered and used to reconstruct the passwords. In some cases, the attack can be successful even 30 seconds after the user has authenticated.
An evil maid attack is an attack on an unattended device, in which an attacker with physical access alters it in some undetectable way so that they can later access the device, or the data on it.
Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.