Personal Identification Numbers (PINs) are the most common user authentication method for in-person banking transactions at ATMs. The US Federal Reserve reported that, in 2018, PINs secured 31.4 billion transactions in the US, with an overall worth of US$ 1.19 trillion. One well-known attack type involves the use of cameras to spy on the ATM PIN pad during PIN entry. Countermeasures include covering the PIN pad with a shield or with the other hand while typing. Although this protects PINs from visual attacks, acoustic emanations from the PIN pad itself open the door to another attack type. In this paper, we show the feasibility of an acoustic side-channel attack (called PinDrop) that reconstructs PINs by profiling the acoustic signatures of individual keys of a PIN pad. We demonstrate the practicality of PinDrop via two sets of data collection experiments involving two commercially available metal PIN pad models and 58 participants who entered a total of 5,800 5-digit PINs. We simulated two realistic attack scenarios: (1) a microphone placed near the ATM (0.3 m away) and (2) a real-time attacker (with a microphone) standing in the queue at a common courtesy distance of 2 m. In the former case, we show that PinDrop recovers 96% of 4-digit and up to 94% of 5-digit PINs. At 2 m away, it recovers up to 57% of 4-digit and up to 39% of 5-digit PINs in three attempts. We believe that these results are both
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, one for 4-digit PINs (274 PINs) and one for 6-digit PINs (2910 PINs). We extracted both blacklists and compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that the relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10% of the PIN space may provide the best balance between usability and security.
- Award ID(s): 1845300
- PAR ID: 10190630
- Date Published:
- Journal Name: 2020 IEEE Symposium on Security and Privacy (SP)
- Page Range / eLocation ID: 286 to 303
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
A novel technique for electronic control unit (ECU) identification is proposed in this study to address security vulnerabilities of the controller area network (CAN) protocol. Reliable ECU identification has the potential to prevent spoofing attacks launched over the CAN, which lacks message authentication. In this regard, we model the ECU-specific random distortion caused by imperfections in the digital-to-analog converter and semiconductor impurities in the transmitting ECU for fingerprinting. Afterward, a 4-layered artificial neural network (ANN) is trained on the feature set to identify the transmitting ECU and the corresponding ECU pin. The ECU-pin identification is also a novel contribution of this study and can be used to prevent voltage-based attacks. We have evaluated our method using ANNs over a dataset generated from 7 ECUs with 6 pins, each having 185 records, and 40 records for each pin. The performance evaluation against state-of-the-art methods revealed that the proposed method achieved 99.4% accuracy for ECU identification and 96.7% accuracy for pin identification, which signifies the reliability of the proposed approach.
Simulations are used to find the zero temperature jamming threshold, ϕ_j, for soft, bidisperse disks in the presence of small fixed particles, or "pins", arranged in a lattice. The presence of pins leads, as one expects, to a decrease in ϕ_j. Structural properties of the system near the jamming threshold are calculated as a function of the pin density. While the correlation length exponent remains ν = 1/2 at low pin densities, the system is mechanically stable with more bonds, yet fewer contacts, than the Maxwell criterion implies in the absence of pins. In addition, as pin density increases, novel bond orientational order and long-range spatial order appear, which are correlated with the square symmetry of the pin lattice.
Many studies of mobile security and privacy are, for simplicity, limited to either only Android users or only iOS users. However, it is not clear whether there are systematic differences in the privacy and security knowledge or preferences of users who select these two platforms. Understanding these differences could provide important context about the generalizability of research results. This paper reports on a survey (n=493) with a demographically diverse sample of U.S. Android and iOS users. We compare users of these platforms using validated privacy and security scales (IUIPC-8 and SA-6) as well as previously deployed attitudinal and knowledge questions from Pew Research Center. As a secondary analysis, we also investigate potential differences among users of different smart-speaker platforms, including Amazon Echo and Google Home. We find no significant differences in privacy attitudes of different platform users, but we do find that Android users have more technology knowledge than iOS users. In addition, we find evidence (via comparison with Pew data) that Prolific participants have more technology knowledge than the general U.S. population.
Evolution has shaped the limbs of hoofed animals in specific ways. In artiodactyls, it is the common assumption that the metatarsal is composed of the fusion of digits III and IV, whereas the other three digits have been lost or are highly reduced. However, evidence from the fossil record and internal morphology of the metatarsal challenges these assumptions. Furthermore, only a few taxonomic groups have been analysed. In giraffes, we discovered that all five digits are present in the adult metatarsal and are highly fused and modified rather than lost. We examined high-resolution micro-computed tomography scans of the metatarsals of two mid and late Miocene giraffid fossils and the extant giraffe and okapi. In all the Giraffidae analysed, we found a combination of four morphologies: (1) four articular facets; (2) four or, in most cases, five separate medullary cavities internally; (3) a clear, small digit I; and (4) in the two fossil taxa of unknown genus, the presence of external elongated grooves where the fusions of digits II and V have taken place. Giraffa and Okapia, the extant Giraffidae, show a difference from all the extinct taxa in having more flattened digits tightly packed together, suggesting convergent highly fused digits despite divergent ecologies and locomotion. These discoveries provide evidence that enhances our understanding of how bones fuse and call into question current hypotheses of digit loss.