Toggle Main Menu Toggle Search

ePrints

Stealing PINs via mobile sensors: actual risk versus user perception

Lookup NU author(s): Dr Maryam Mehrnezhad, Ehsan Toreini, Professor Feng Hao

Downloads


Licence

This work is licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0).


Abstract

© 2017 The Author(s) In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.


Publication metadata

Author(s): Mehrnezhad M, Toreini E, Shahandashti SF, Hao F

Publication type: Article

Publication status: Published

Journal: International Journal of Information Security

Year: 2018

Volume: 17

Issue: 3

Pages: 291-313

Print publication date: 01/06/2018

Online publication date: 07/04/2017

Acceptance date: 02/04/2016

ISSN (print): 1615-5262

ISSN (electronic): 1615-5270

Publisher: Springer Verlag

URL: https://doi.org/10.1007/s10207-017-0369-x

DOI: 10.1007/s10207-017-0369-x


Altmetrics

Altmetrics provided by Altmetric


Actions

    Link to this publication


Share