Archive for the ‘Password’ category

“Disability research leads to shoulder surfing breakthrough”

August 30, 2007

From fraudwatchonline.com:

The lens makes things easier to see, but harder to shoulder surf

Research initially aimed at helping partially sighted customers use chip and PIN keypads has led to the creation of a device which can protect customers from “shoulder surfing”.

This is the term used for the practice whereby a “criminally motivated” bystander casually observes the PIN when paying for goods or services or getting money from an ATM.

Neil Radford, an Enterprise Fellow at the University of Warwick, has worked with colleagues in the University of Warwick’s Manufacturing Group to create a special “cradle” for chip & PIN keypads, which innovatively incorporates a magnifying lens.

The use of the lens (patent pending) is of significant benefit to visually impaired people, as it enlarges the PIN pad display whilst also improving security. The enhanced view, to any user standing directly in front of the keypad, alone is of great benefit by reducing the degree of difficulty and the associated anxiety many face in simply reading the display – from partially sighted people through to the many people who need simply to switch to reading glasses for some tasks – whilst vendors see improved transaction times.

Importantly, the device also provides tremendous additional benefit to customers, vendors and banks in that it has been proven to be a highly effective defence against shoulder surfing, by distorting the view available from any other angle to a casual observer or even CCTV and hidden cameras, thus frustrating shoulder surfers and more sophisticated fraudsters.

Neil Radford has now established a company, Secure Access Solutions Limited, to market the “PED Cradle”.

Boots is piloting 35 cradles in its Cambridge, UK store. Secure Access Solutions is also in discussions with the Royal National Institute of the Blind who are giving their expert assessment. Additional trials will be held with RNIB in July.

Secure Access Solutions has identified how the same issues affect transactions at ATM cash points and is already well advanced with a range of complementary products for ATMs, which are scheduled for further trials later this year with a UK bank.

A lens seems like a good idea, but I hope it does a better job of obscuring the keypad than it appears to from the photograph.

Using Eye-Tracking to Stop Shoulder Surfing

August 30, 2007

An interesting new paper: “Reducing Shoulder-surfing by Using Gaze-based Password Entry”.

Abstract:
Shoulder-surfing — using direct observation techniques, such as looking over someone’s shoulder, to get passwords, PINs and other sensitive personal information — is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user’s password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional approaches.

Great idea, and could be done today on iMacs and MacBooks, with their built-in cameras.

Unfortunately, the paper falls short at testing.

To evaluate EyePassword, we conducted user studies with 18 subjects, 9 males and 9 females with an average age of 21…. Twelve subjects reported that they were touch-typists. On average subjects had 12 years of experience using a keyboard and mouse.

We compared the password entry speed and error rates of three approaches: a standard keyboard for entering a password (Keyboard) to provide a baseline, using EyePassword with dwell-based activation (Gaze+Dwell) and using EyePassword with trigger-based activation (Gaze+Trigger). In addition, we evaluated two different on-screen layouts for the dwell case: QWERTY layout and alphabetic layout. At the end of the study we asked subjects to fill out a survey to collect data on the user’s subjective opinion of the techniques.

(the passwords used were): computer, security, apple314, sillycat, Garfield, password, $dollar$, GoogleMap, dinnertime, Chinatown.

That’s a very select group, and probably all college students at Stanford too (although the paper does not say one way or the other, which is an experimental failing). Unfortunately, this means the conclusion that “subjects preferred the gaze-based password entry approach over traditional approaches” must be taken with a big grain of salt. Actually I’d completely disregard it.

The test passwords are not strong enough. With the test passwords used, the subjects only use the Shift function 6 times, out of 94 characters that are input (94 = 84 password characters + 10 “enter” characters to mark the end of the password). The passwords are mostly recognizable words, occasionally with up to 3 extra characters tacked on. Real passwords shouldn’t look like that. This makes me skeptical of the published speeds and error rates, because many passwords need more capital and special characters to be accepted by a system. The paper did not give me an understanding of how the eye-tracking system could be expected to perform with a password as strong as the one I use for this blog.

But most importantly (to me) there was no testing with a randomized keyboard layout. Without a randomized keyboard, a camera only has to record people’s eye-movements to get their password. A randomized keyboard is necessary for strong security. But the paper gives no data on how this would affect usability. Not even a gross rule-of-thumb, or qualitative advice.
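As an added illustration (my own model, not code from the EyePassword paper), this Python block shows what an observer who records only gaze positions learns under a fixed on-screen layout versus a per-session shuffled one, and it also tallies the Shift selections the quoted test passwords require. The key set, the observer model and the Shift+4 convention for “$” are assumptions.

```python
"""Gaze-entry model: fixed versus shuffled on-screen layout. Added
illustration; keyboard and observer models are assumptions."""
import random
import string

# Modelled keys: lowercase letters, digits, Shift, Enter. '$' is Shift+4 (assumption).
KEYS = list(string.ascii_lowercase) + list(string.digits) + ["SHIFT", "ENTER"]
FIXED_LAYOUT = list(KEYS)          # position i always shows KEYS[i]
SHIFTED = {"$": "4"}

# The ten test passwords quoted from the paper.
TEST_PASSWORDS = ["computer", "security", "apple314", "sillycat", "Garfield",
                  "password", "$dollar$", "GoogleMap", "dinnertime", "Chinatown"]

def keystrokes(password):
    """Keys selected to enter a password: uppercase and shifted characters
    need a SHIFT selection first; ENTER marks the end of the password."""
    keys = []
    for ch in password:
        if ch.isupper():
            keys += ["SHIFT", ch.lower()]
        elif ch in SHIFTED:
            keys += ["SHIFT", SHIFTED[ch]]
        else:
            keys.append(ch)
    return keys + ["ENTER"]

def shuffled_layout(seed):
    """Randomized layout: the same keys at random positions for this session."""
    layout = list(KEYS)
    random.Random(seed).shuffle(layout)
    return layout

def gaze_trace(password, layout):
    """What a camera watching the user's eyes sees: the screen position of
    every key looked at, but not the label shown there."""
    return [layout.index(k) for k in keystrokes(password)]

def observer_guess(trace, assumed_layout):
    """Map recorded positions back to keys through the layout the observer
    assumes was on screen; correct only if that layout was really displayed."""
    return [assumed_layout[i] for i in trace]

def shift_count(passwords):
    """(SHIFT selections, other key selections incl. ENTER) over passwords."""
    shifts = sum(keystrokes(p).count("SHIFT") for p in passwords)
    total = sum(len(keystrokes(p)) for p in passwords)
    return shifts, total - shifts
```

With the fixed layout the recorded positions map straight back to the password; with a shuffled layout the same recording is useless without that session's layout.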

Still, eye-tracking is an interesting idea, and it could do a lot to stop “standard” shoulder surfing, even if it is not effective against an attacker with some hardware.

EDITED TO ADD: another benefit of gaze-based PIN entry is that it is more hygienic. You don’t have to touch a keypad that thousands of other people have touched today. (ATMs near bathrooms are always kinda scary.) Input for transactions could also be handled only via eye-movement tracking. Obviously, for transactions a lot more feedback could be provided for the user, making it a very pleasant experience.