Stealing PINs via mobile sensors: actual risk versus user perception
Abstract: In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a...
Detailed description

Author: | Mehrnezhad, Maryam [author]; Toreini, Ehsan [author]; Shahandashti, Siamak F. [author]; Hao, Feng [author]
---|---
Format: | E-article
Language: | English
Published: | 2017
Parent work: | Contained in: International Journal of Information Security - Springer-Verlag, 2001, 17(2017), 3, dated 07 Apr., pages 291-313
Parent work: | volume:17 ; year:2017 ; number:3 ; day:07 ; month:04 ; pages:291-313
DOI / URN: | 10.1007/s10207-017-0369-x
Catalogue ID: | SPR00913218X
Keywords: Mobile sensors; JavaScript attack; Mobile browsers; User security; User privacy; Machine learning; PINs; Risk perception; User study
Abstract: In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.
url |
https://dx.doi.org/10.1007/s10207-017-0369-x |
remote_bool |
true |
author2 |
Toreini, Ehsan Shahandashti, Siamak F. Hao, Feng |
author2Str |
Toreini, Ehsan Shahandashti, Siamak F. Hao, Feng |
ppnlink |
SPR009127291 |
mediatype_str_mv |
c |
isOA_txt |
true |
hochschulschrift_bool |
false |
doi_str |
10.1007/s10207-017-0369-x |
up_date |
2024-07-04T00:47:47.587Z |
_version_ |
1803607413975154688 |
fullrecord_marcxml |
<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01000caa a22002652 4500</leader><controlfield tag="001">SPR00913218X</controlfield><controlfield tag="003">DE-627</controlfield><controlfield tag="005">20201124063521.0</controlfield><controlfield tag="007">cr uuu---uuuuu</controlfield><controlfield tag="008">201005s2017 xx |||||o 00| ||eng c</controlfield><datafield tag="024" ind1="7" ind2=" "><subfield code="a">10.1007/s10207-017-0369-x</subfield><subfield code="2">doi</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-627)SPR00913218X</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(SPR)s10207-017-0369-x-e</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-627</subfield><subfield code="b">ger</subfield><subfield code="c">DE-627</subfield><subfield code="e">rakwb</subfield></datafield><datafield tag="041" ind1=" " ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Mehrnezhad, Maryam</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Stealing PINs via mobile sensors: actual risk versus user perception</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="c">2017</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="a">Text</subfield><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="a">Computermedien</subfield><subfield code="b">c</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="a">Online-Ressource</subfield><subfield code="b">cr</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="520" ind1=" " ind2=" "><subfield code="a">Abstract 
In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user’s PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users’ perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. 
We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Mobile sensors</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">JavaScript attack</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Mobile browsers</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">User security</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">User privacy</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Machine learning</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">PINs</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Risk perception</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">User study</subfield><subfield code="7">(dpeaa)DE-He213</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Toreini, Ehsan</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Shahandashti, Siamak F.</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Hao, Feng</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="773" ind1="0" ind2="8"><subfield 
code="i">Enthalten in</subfield><subfield code="t">International Journal of Information Security</subfield><subfield code="d">Springer-Verlag, 2001</subfield><subfield code="g">17(2017), 3 vom: 07. Apr., Seite 291-313</subfield><subfield code="w">(DE-627)SPR009127291</subfield><subfield code="7">nnns</subfield></datafield><datafield tag="773" ind1="1" ind2="8"><subfield code="g">volume:17</subfield><subfield code="g">year:2017</subfield><subfield code="g">number:3</subfield><subfield code="g">day:07</subfield><subfield code="g">month:04</subfield><subfield code="g">pages:291-313</subfield></datafield><datafield tag="856" ind1="4" ind2="0"><subfield code="u">https://dx.doi.org/10.1007/s10207-017-0369-x</subfield><subfield code="z">kostenfrei</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_USEFLAG_A</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">SYSFLAG_A</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_SPRINGER</subfield></datafield><datafield tag="951" ind1=" " ind2=" "><subfield code="a">AR</subfield></datafield><datafield tag="952" ind1=" " ind2=" "><subfield code="d">17</subfield><subfield code="j">2017</subfield><subfield code="e">3</subfield><subfield code="b">07</subfield><subfield code="c">04</subfield><subfield code="h">291-313</subfield></datafield></record></collection>
|
score |
7.3990517 |