Browse by author
Lookup NU author(s): Dr Maryam Mehrnezhad, Ehsan Toreini, Professor Feng Hao
This work is licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0).
© 2017 The Author(s) In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.
Author(s): Mehrnezhad M, Toreini E, Shahandashti SF, Hao F
Publication type: Article
Publication status: Published
Journal: International Journal of Information Security
Year: 2018
Volume: 17
Issue: 3
Pages: 291-313
Print publication date: 01/06/2018
Online publication date: 07/04/2017
Acceptance date: 02/04/2016
Date deposited: 13/06/2017
ISSN (print): 1615-5262
ISSN (electronic): 1615-5270
Publisher: Springer Verlag
URL: https://doi.org/10.1007/s10207-017-0369-x
DOI: 10.1007/s10207-017-0369-x
Altmetrics provided by Altmetric
