DOI: 10.1145/3274694.3274702

Comparing Video Based Shoulder Surfing with Live Simulation

Published: 03 December 2018

Abstract

We analyze the claims that video recreations of shoulder surfing attacks offer a suitable alternative and a baseline, as compared to evaluation in a live setting. We recreated a subset of the factors of a prior video-simulation experiment conducted by Aviv et al. (ACSAC 2017), and modeled the same scenario using live participants (n = 36) instead (i.e., the victim and attacker were both present). The live experiment confirmed that, for Android's graphical patterns, video simulation is consistent with the live setting for attacker success rates. However, both 4- and 6-digit PINs demonstrate statistically significant differences in attacker performance, with live attackers performing as much as 1.9x better than in the video simulation. The security benefits gained from removing feedback lines in Android's graphical patterns are also greatly diminished in the live setting, particularly under multiple attacker observations. Overall, the data suggests that video recreations can provide a suitable baseline measure for attacker success rate. However, we caution that researchers should consider that these baselines may greatly underestimate the threat of an attacker in live settings.

References

[1] Ali Abdolrahmani, Ravi Kuber, and Amy Hurst. 2016. An empirical investigation of the situationally-induced impairments experienced by blind mobile device users. In Proceedings of the 13th Web for All Conference. ACM, 21.
[2] Abdullah Ali, Adam J Aviv, and Ravi Kuber. 2016. Developing and evaluating a gestural and tactile mobile interface to support user authentication. IConference 2016 Proceedings (2016).
[3] Adam J. Aviv, Devon Budzitowski, and Ravi Kuber. 2015. Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock. In Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015). ACM, New York, NY, USA, 301–310.
[4] Adam J. Aviv, John T. Davin, Flynn Wolf, and Ravi Kuber. 2017. Towards Baselines for Shoulder Surfing on Mobile Authentication. In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017). ACM, New York, NY, USA, 486–498.
[5] Joseph Bonneau, Sören Preibusch, and Ross Anderson. 2012. A birthday present every eleven wallets? The security of customer-chosen banking PINs. In International Conference on Financial Cryptography and Data Security. Springer, 25–40.
[6] Alexander De Luca, Martin Denzel, and Heinrich Hussmann. 2009. Look into My Eyes!: Can You Guess My Password?. In Proceedings of the 5th Symposium on Usable Privacy and Security (SOUPS '09). ACM, New York, NY, USA, Article 7, 12 pages.
[7] Alexander De Luca, Alina Hang, Frederik Brudy, Christian Lindner, and Heinrich Hussmann. 2012. Touch Me Once and I Know It's You!: Implicit Authentication Based on Touch Screen Patterns. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '12). ACM, New York, NY, USA, 987–996.
[8] Alexander De Luca, Marian Harbach, Emanuel von Zezschwitz, Max-Emanuel Maurer, Bernhard Ewald Slawik, Heinrich Hussmann, and Matthew Smith. 2014. Now You See Me, Now You Don't: Protecting Smartphone Authentication from Shoulder Surfers. In Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems (CHI '14). ACM, New York, NY, USA, 2937–2946.
[9] Alexander De Luca, Katja Hertzschuch, and Heinrich Hussmann. 2010. Color-PIN: Securing PIN Entry Through Indirect Input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '10). ACM, New York, NY, USA, 1103–1106.
[10] Serge Egelman, Sakshi Jain, Rebecca S. Portnoff, Kerwell Liao, Sunny Consolvo, and David Wagner. 2014. Are You Ready to Lock?. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 750–761.
[11] Malin Eiband, Mohamed Khamis, Emanuel von Zezschwitz, Heinrich Hussmann, and Florian Alt. 2017. Understanding shoulder surfing in the wild: Stories from users and observers. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. ACM, 4254–4265.
[12] Alain Forget, Sonia Chiasson, and Robert Biddle. 2010. Shoulder-surfing Resistance with Eye-gaze Entry in Cued-recall Graphical Passwords. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '10). ACM, New York, NY, USA, 1107–1110.
[13] H. Gao, Z. Ren, X. Chang, X. Liu, and U. Aickelin. 2010. A New Graphical Password Scheme Resistant to Shoulder-Surfing. In 2010 International Conference on Cyberworlds. 194–199.
[14] Marian Harbach, Emanuel Von Zezschwitz, Andreas Fichtner, Alexander De Luca, and Matthew Smith. 2014. It's a hard lock life: A field study of smartphone (un)locking behavior and risk perception. In Symposium on usable privacy and security (SOUPS). 213–230.
[15] Hassan Khan, Urs Hengartner, and Daniel Vogel. 2018. Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (CHI '18). ACM, New York, NY, USA, Article 164, 10 pages.
[16] Jesper Kjeldskov and Mikael B Skov. 2014. Was it worth the hassle?: ten years of mobile HCI research discussions on lab and field evaluations. In Proceedings of the 16th international conference on Human-computer interaction with mobile devices & services. ACM, 43–52.
[17] Katharina Krombholz, Thomas Hupperich, and Thorsten Holz. 2016. Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, Denver, CO, 207–219. https://www.usenix.org/conference/soups2016/technical-sessions/presentation/krombholz
[18] Manu Kumar, Tal Garfinkel, Dan Boneh, and Terry Winograd. 2007. Reducing Shoulder-surfing by Using Gaze-based Password Entry. In Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS '07). ACM, New York, NY, USA, 13–19.
[19] Shushuang Man, Dawei Hong, and Manton M Matthews. 2003. A Shoulder-Surfing Resistant Graphical Password Scheme-WIW. 105–111 pages.
[20] Hee Jung Ryu and Florian Schroff. 2017. Electronic Screen Protector with Efficient and Robust Mobile Vision. In Demos section, Neural Information Processing Systems Conference.
[21] Alireza Sahami Shirazi, Peyman Moghadam, Hamed Ketabdar, and Albrecht Schmidt. 2012. Assessing the vulnerability of magnetic gestural authentication to video-based shoulder surfing attacks. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2045–2048.
[22] Florian Schaub, Ruben Deyhle, and Michael Weber. 2012. Password Entry Usability and Shoulder Surfing Susceptibility on Different Smartphone Platforms. In Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia (MUM '12). ACM, New York, NY, USA, Article 13, 10 pages.
[23] Florian Schaub, Marcel Walch, Bastian Könings, and Michael Weber. 2013. Exploring the design space of graphical passwords on smartphones. In Proceedings of the Ninth Symposium on Usable Privacy and Security. ACM, 11.
[24] Emanuel Von Zezschwitz, Alexander De Luca, Bruno Brunkow, and Heinrich Hussmann. 2015. SwiPIN: Fast and secure pin-entry on smartphones. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. ACM, 1403–1406.
[25] Emanuel von Zezschwitz, Alexander De Luca, Philipp Janssen, and Heinrich Hussmann. 2015. Easy to Draw, but Hard to Trace?: On the Observability of Grid-based (Un)Lock Patterns. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI '15). ACM, New York, NY, USA, 2339–2342.
[26] Susan Wiedenbeck, Jim Waters, Leonardo Sobrado, and Jean-Camille Birget. 2006. Design and Evaluation of a Shoulder-surfing Resistant Graphical Password Scheme. In Proceedings of the Working Conference on Advanced Visual Interfaces (AVI '06). ACM, New York, NY, USA, 177–184.
[27] Oliver Wiese and Volker Roth. 2015. Pitfalls of Shoulder Surfing Studies. In NDSS Workshop on Usable Security. 1–6.
[28] Oliver Wiese and Volker Roth. 2016. See you next time: A model for modern shoulder surfers. In Proceedings of the 18th International Conference on Human-Computer Interaction with Mobile Devices and Services. ACM, 453–464.

    Published In

    ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
    December 2018
    766 pages
    ISBN: 9781450365697
    DOI: 10.1145/3274694
    Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Mobile Authentication
    2. Shoulder Surfing

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC '18

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

    • (2023) “They see me scrollin”—Lessons Learned from Investigating Shoulder Surfing Behavior and Attack Mitigation Strategies. Human Factors in Privacy Research, 199-218. DOI: 10.1007/978-3-031-28643-8_10. Online publication date: 10-Mar-2023
    • (2022) OneButtonPIN: A Single Button Authentication Method for Blind or Low Vision Users to Improve Accessibility and Prevent Eavesdropping. Proceedings of the ACM on Human-Computer Interaction 6:MHCI, 1-22. DOI: 10.1145/3546747. Online publication date: 20-Sep-2022
    • (2022) Virtual Reality Observations: Using Virtual Reality to Augment Lab-Based Shoulder Surfing Research. 2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR), 291-300. DOI: 10.1109/VR51125.2022.00048. Online publication date: Mar-2022
    • (2021) On the Security of Smartphone Unlock PINs. ACM Transactions on Privacy and Security 24:4, 1-36. DOI: 10.1145/3473040. Online publication date: 30-Sep-2021
    • (2021) RepliCueAuth: Validating the Use of a Lab-Based Virtual Reality Setup for Evaluating Authentication Systems. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, 1-18. DOI: 10.1145/3411764.3445478. Online publication date: 6-May-2021
    • (2021) [DC] VirSec: Virtual Reality as Cost-Effective Test Bed for Usability and Security Evaluations. 2021 IEEE Conference on Virtual Reality and 3D User Interfaces Abstracts and Workshops (VRW), 705-706. DOI: 10.1109/VRW52623.2021.00235. Online publication date: Mar-2021
    • (2021) Prototyping Usable Privacy and Security Systems: Insights from Experts. International Journal of Human–Computer Interaction 38:5, 468-490. DOI: 10.1080/10447318.2021.1949134. Online publication date: 5-Aug-2021
    • (2020) Enhancing the Security of Pattern Unlock with Surface EMG-Based Biometrics. Applied Sciences 10:2, 541. DOI: 10.3390/app10020541. Online publication date: 11-Jan-2020
    • (2020) Shoulder surfing experiments: A systematic literature review. Computers & Security 99, 102023. DOI: 10.1016/j.cose.2020.102023. Online publication date: Dec-2020
    • (2019) Multi-screen lock. Proceedings of the 23rd Pan-Hellenic Conference on Informatics, 90-95. DOI: 10.1145/3368640.3368657. Online publication date: 28-Nov-2019
