Bibliography | Ogando, Sophie: Exploring User-Centered Attack Scenarios in the Wild. University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Master Thesis No. 65 (2017). 77 pages, English.
|
Abstract | Nowadays, most people store vast amounts of personal data on their smartphones, which has made secure authentication methods increasingly important. However, the commonly used authentication methods (PINs, passwords, and patterns) are vulnerable to various user-centered attacks such as shoulder surfing, smudge attacks, and thermal attacks. Much of the literature focuses on preventing such user-centered attacks. Although this shows that user-centered attacks are of particular interest, little work exists that explores the attacks in detail in a real-world setting. The goal of this thesis was therefore to collect quantifiable data on user-centered attacks as they occur in the real world, and to obtain subjective user assessments of such incidents. To this end, we developed a data collection app that records data in the background together with subjective user ratings. The app automatically takes a photo each time a user unlocks the smartphone, in order to analyze the shoulder-surfing frequency. It also records touch data to examine how quickly, after authentication, other touch input events cover the smudge and heat traces left on the screen by PIN/password/pattern entry. Subjective user ratings then supplement the photo data. During a two-week user study in the wild, participants used the app to collect data on user-centered attacks. We found that the majority of participants are aware of shoulder-surfing, smudge, and thermal attacks. We collected data from 7638 login events, during which users were part of 380 shoulder-surfing incidents. Most shoulder-surfing incidents occurred at work/university, followed by public transport. Participants did not perceive the majority (95%) of shoulder-surfing situations as a threat.
We also found that the threat of smudge and thermal attacks on smartphones might be smaller than expected in real-life situations, since large parts of the screen, especially the region where the login input field is usually located, are frequently covered after only one minute of smartphone use. Altogether, our findings contribute to a better understanding of user-centered attacks in a real-world setting.
|
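The touch-coverage analysis the abstract describes can be made concrete with a small model. The following is an added example in Python, not code from the thesis or from its data-collection app: it treats the screen as a grid of cells, marks the cells touched while entering a PIN as the smudge/heat trace, then replays later touch events and reports how much of that trace has been overwritten by a given time. The screen size, cell size, 3x4 keypad layout, fingertip contact radius, the PIN and the post-unlock touch sequence are all constructed assumptions chosen for illustration.

```python
"""Coverage analysis of smudge/heat traces after authentication.

Added example, not code from the thesis or its data-collection app. It models
the screen as a grid of cells, marks the cells touched during PIN entry as the
"trace", then replays later touch events and measures how quickly ordinary
use overwrites that trace. Screen size, cell size, keypad layout, finger
contact radius and all touch events below are constructed assumptions.
"""
from dataclasses import dataclass
import math

SCREEN_W, SCREEN_H = 1080, 1920   # assumed display size in px
CELL_PX = 40                      # assumed grid cell edge in px
FINGER_RADIUS_PX = 30             # assumed fingertip contact radius in px

# Assumed 3x4 PIN keypad: column x-centres and row y-centres in px
KEY_X = (270, 540, 810)
KEY_Y = (1000, 1200, 1400, 1600)
KEYPAD = {str(d): (KEY_X[(d - 1) % 3], KEY_Y[(d - 1) // 3]) for d in range(1, 10)}
KEYPAD["0"] = (KEY_X[1], KEY_Y[3])


@dataclass(frozen=True)
class Touch:
    t: float  # seconds since the unlock screen was dismissed
    x: float
    y: float


def cells_touched(x, y, radius=FINGER_RADIUS_PX):
    """Grid cells whose centre lies within radius + half a cell of the contact point."""
    reach = radius + CELL_PX / 2
    cells = set()
    for cx in range(max(0, int((x - reach) // CELL_PX)),
                    min(SCREEN_W // CELL_PX, int((x + reach) // CELL_PX) + 1)):
        for cy in range(max(0, int((y - reach) // CELL_PX)),
                        min(SCREEN_H // CELL_PX, int((y + reach) // CELL_PX) + 1)):
            ccx, ccy = (cx + 0.5) * CELL_PX, (cy + 0.5) * CELL_PX
            if math.hypot(ccx - x, ccy - y) <= reach:
                cells.add((cx, cy))
    return cells


def pin_entry_touches(pin, t0=0.0, interval=0.4):
    """Synthetic touch sequence for typing `pin` on the assumed keypad."""
    return [Touch(t0 + i * interval, *KEYPAD[d]) for i, d in enumerate(pin)]


def trace_cells(touches):
    """Union of all cells a touch sequence leaves a smudge/heat trace on."""
    trace = set()
    for touch in touches:
        trace |= cells_touched(touch.x, touch.y)
    return trace


def coverage_timeline(trace, later_touches):
    """(t, fraction of trace cells overwritten by time t) for each later touch."""
    if not trace:
        return []
    remaining = set(trace)
    timeline = []
    for touch in sorted(later_touches, key=lambda tc: tc.t):
        remaining -= cells_touched(touch.x, touch.y)
        timeline.append((touch.t, 1 - len(remaining) / len(trace)))
    return timeline


def coverage_at(trace, later_touches, t_limit):
    """Fraction of the trace overwritten by touches occurring no later than t_limit."""
    cov = 0.0
    for t, c in coverage_timeline(trace, later_touches):
        if t > t_limit:
            break
        cov = c
    return cov


def time_to_cover(trace, later_touches, fraction):
    """Earliest time at which at least `fraction` of the trace is overwritten, or None."""
    for t, c in coverage_timeline(trace, later_touches):
        if c >= fraction:
            return t
    return None


# Constructed post-unlock session: a tap near the status bar, then touches on
# the same region of the screen where the keypad was, spread over a minute.
PIN = "1234"
POST_UNLOCK = [
    Touch(1.0, 540, 200),           # far from the keypad: overwrites nothing
    Touch(5.0, *KEYPAD["2"]),       # hits the cells of one PIN digit
    Touch(20.0, *KEYPAD["1"]),
    Touch(40.0, *KEYPAD["3"]),
    Touch(55.0, *KEYPAD["4"]),
]


def run_example():
    trace = trace_cells(pin_entry_touches(PIN))
    return {
        "trace_cells": len(trace),
        "coverage_after_10s": coverage_at(trace, POST_UNLOCK, 10.0),
        "coverage_after_60s": coverage_at(trace, POST_UNLOCK, 60.0),
        "t_full_cover": time_to_cover(trace, POST_UNLOCK, 1.0),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Applied to a real touch log, the same two functions answer the question the study asks: `coverage_at` gives the fraction of the login trace that is obscured after, say, one minute of use, and `time_to_cover` gives how long an attacker has before a chosen fraction of the trace is gone. The grid granularity and contact radius are the parameters that most affect the result, so they should be calibrated against the device's actual touch-event resolution rather than the assumed values used here.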