this pin can be easily guessed
play

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone - PowerPoint PPT Presentation

Apr 25, 2023 •174 likes •355 views

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Drmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy Overview ?!

  1. This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy

  2. Overview ?! Priming Agenda Practice Creation Why study PINs? User Study Results 1/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  3. Why PINs? Fingerprint PHOTO: Dan Seifert | The Verge (Vox Media) Iris Face 2/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  4. Who uses PINs? 1220 participants 759 use a biometric 461 do not use a biometric 210 use a PIN 595 use a PIN Overall 805 (66%) use a PIN 3/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  5. What we know about PINs What we don’t know ● User chosen 4-digit PINs are ● How secure are 4- or 6-digit PINs in predictable [1] the smartphone unlock setting? ● User chosen 6-digit PINs aren’t any ● What are the effects of different better [2] blacklists on the security of PINs? ● Blacklisting popular PINs can ● How to balance security and usability increase security [1] when composing a blacklist? [1] J. Bonneau, S. Preibusch, and R. Anderson. A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. FC ‘12 [2] D. Wang, Q. Gu, X. Huang, and P. Wang. Understanding Human-Chosen PINs : Characteristics, Distribution and Security. AsiaCCS ‘17 4/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  6. Treatments 4-digit 6-digit No Blacklist Blacklist No Blacklist Blacklist 1. Control 2. Placebo 3. iOS 4. DD Small 5. DD Large 6. Control 7. Placebo 8. iOS Placebo iOS Data-Driven (DD) “Test general effect of warning” “Test effect of iOS blacklists” “Test effect of different blacklist sizes” Blacklist: Blacklist: Blacklist: ● “1st choice” blocked ● 274 PINs (4-digit) ● Top 27 PINs of Amitay (small) ● Any other PIN allowed ● 2910 PINs (6-digit) ● Top 2740 PINs of Amitay (large) 5/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  7. Extracting the iOS Blacklists This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  8. User Study Consent Priming PIN Creation Practice 8/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  9. User Study Followup Consent Priming Questionnaires Demographics PIN Creation Practice Recall 8/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  10. Attacker Model ● No information about the victim 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  11. Attacker Model ● No information about the victim Rank 4-digit PINs 6-digit PINs 1 1234 123456 1 2 0000 123123 ● Guesses PINs in decreasing probability order 2 3 3 2580 111111 ⁝ ⁝ ⁝ 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  12. Attacker Model ● No information about the victim 1 ● Guesses PINs in decreasing probability order 2 3 ● Slowed down by rate-limiting Android iOS 10 Guesses 30s 1h 36m 0s 100 Guesses 10h 45min 30s — 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  13. Attacker Model ● No information about the victim 1 ● Guesses PINs in decreasing probability order 2 3 Rank 4-digit PINs 6-digit PINs 1 1234 123456 ● Slowed down by rate-limiting not allowed 2 0000 123123 3 2580 111111 ⁝ ⁝ ⁝ 1 ● Knows the blacklist and skips impossible choices x 3 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  14. Research Questions 4 vs. 6 RQ1: How secure are 4- and 6-digit PINs in the smartphone unlock setting? Small? RQ2: What are the effects of different blacklists on the security of PINs? Medium? Large? RQ3: How to balance security and usability when composing a blacklist? 10/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  15. RQ1: 4- vs. 6-digit PINs Observations: ● Overall comparable security of 4- and 6-digit PINs in the defined attacker model ● Differences depending on the number of guesses 11/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  16. RQ2: Different Blacklist Sizes Observations: ● iOS and Data-Driven Small offer comparable security ● Data-Driven Large drastically increases the security ● Blacklist Hitrate: DD Small 5% iOS 15% DD Large 70% 12/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  17. RQ3: Balancing Security and Usability Observations: ● Different extrema throughout the curve ● Maxima: “Usable” “Secure” users choose popular PINs ● Minima: users choose unpopular PINs ● Blacklisting ~10% is ideal 13/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  18. Takeaways Agenda Priming Security of 4- and 6-digit 4 ≈ 6 Practice Creation PINs is comparable Blacklists need to be large XXL to have an effect No biometric Biometric Blacklisting ~10% is ideal Most of the participants in our study (66%) use a PIN Why study PINs? Results User Study philipp.markert@rub.de @philipp_markert https://this-pin-can-be-easily-guessed.github.io 14/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for Algebra JKU Joint work with Doron Zeilberger 1 2 3 Let A be the number of edges joining sites of the same color 4 Let A be the number of

1.98k views • 129 slides
Which sports could be played easily without having gender categories? What could be

Which sports could be played easily without having gender categories? What could be

Which sports could be played easily without having gender categories? What could be alterna/ve categories in sport? Female hyperandrogenism high level of testosterone some women disqualified or forced to change their healthy

390 views • 10 slides
DC power supplies and distribution modules for your subsystem and control protocol 11 We

DC power supplies and distribution modules for your subsystem and control protocol 11 We

Subject: Re: 2x2@MINOS electronics integeration Date: Mon, 11 Nov 2019 18:10:34 +0300 From: Nikolay Anfimov <anphimov@gmail.com> Dear Ting, I guessed that you discussed most of these topics with Igor who presented light readout at the

214 views • 3 slides
Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM

Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM

Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM with OpenAirInterface using OSM Thomas Dreibholz, dreibh@simula.no dreibh@simula.no Thomas Dreibholz, th OSM Hackfest, 9 th OSM Hackfest, Madrid

354 views • 16 slides
Designing classes How to write classes in a way that they are easily understandable,

Designing classes How to write classes in a way that they are easily understandable,

Objects First With Java A Practical Introduction Using BlueJ Designing classes How to write classes in a way that they are easily understandable, maintainable, and reusable 2.0 Main concepts to be covered Responsibility-driven design

606 views • 27 slides
What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic

What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic

What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic identification and data capture or AIDC technology Composed of two parts : Device Identifier or DI - mandatory, fixed, identifies the labeler and

214 views • 10 slides
What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio

What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio

What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio State University Mo@va@on How am I going to aCract peoples aCen@on to my Web page Product brochure Marke@ng pamphlet Design is

410 views • 24 slides
DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an

DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an

DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an internet company? E.g. yahoo.com. amazon.com, etc. Answer: https://www.whois.com/whois/ 2) Q. How can you protect yourself from forgetting your logon

404 views • 3 slides
GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily

GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily

GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily understood statistics delivered in ways users find easy to access, use, understand and re-use March 2014 0 Vision The GSS will deliver professionally

383 views • 14 slides
SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1 CAB,INTA-CSIC 2 Spanish Virtual Observatory ASTERICS European Data Provider Forum and Training Event Heidelberg, June 2016 Introduction SVOCat is an

526 views • 20 slides
SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1 CAB,INTA-CSIC 2 Spanish Virtual Observatory European Data Provider Forum and Training Event Heidelberg, June 2018 Introduction SVOCat 1.0 is an application

446 views • 30 slides
Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start with Appium testing, and scale according to need Easily write stable Appium tests, or run your existing Appium scripts Set up within minutes,

386 views • 14 slides
YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S.

YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S.

YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S. KALIUZHNYI-VERBOVETSKYI, ILYA M. SPITKOVSKY, AND HUGO J. WOERDEMAN Dubrovnik, May 14 2009 1 2 1. Introduction A matrix N C n n is called normal if N N = NN

1.23k views • 73 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

The Straight and Easy Way to Complete IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable Scalable Readily Integrated & Realizable High Web-Based ROI Everest is an End-to-End IT Infrastructure

210 views • 19 slides
Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart

Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart

Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart Artefacts Written by: Lars Erik Holmquist, Friedemann Mattern, Bernt Schiele, Petteri Alahuhta, Michael Beigl and Hans W. Gellersen S hi l P tt i

743 views • 31 slides
Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and

Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and

Black Holes, Gravity, and Information Theory Roland Winston Schools of Natural Science and Engineering, University of California Merced Director, California Advanced Solar Technologies Institute (UC Solar) rwinston@ucmerced.edu

1.63k views • 115 slides
Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its

Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its

Timing properties of the black hole candidate XTE J1752-223 during the initial hard state of its 2009-2010 outburst Tao Chen Overview Observation and Data Reduction Results Timing analysis Spectral analysis Connection between

673 views • 23 slides
r t ssr

r t ssr

r t ssr rstr tss t rtt

739 views • 60 slides
Probing Black Hole Microstates Stefano Giusto October 18-19 2019 PRIN Kickoff Meeting - SNS

Probing Black Hole Microstates Stefano Giusto October 18-19 2019 PRIN Kickoff Meeting - SNS

Probing Black Hole Microstates Stefano Giusto October 18-19 2019 PRIN Kickoff Meeting - SNS Overview The Hawking paradox Classical horizon % $ (i) AB are maximally entangled , (ii) A cannot be entangled with C

693 views • 31 slides
S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 ,

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 ,

S GX E LIDE : Enabling Enclave Code Secrecy via Self-Modification Erick Bauman 1 , Huibo Wang 1 , Mingwei Zhang 2 , Zhiqiang Lin 1 , 3 1 University of Texas at Dallas 2 Intel Labs 3 The Ohio State University CGO 2018 Introduction Background and

1.08k views • 74 slides
Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can

Blacklisting the Blacklist in Digital Advertising Improving Delivery by Bidding for What You Can Win AdKDD2017 Yeming Shi, Claudia Perlich, Ori Stitelman yshi, claudia, ostitelman@dstillery.com Dstillery, Inc. Outline Introduction

635 views • 17 slides
This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker

TOWARDS A UNIFIED TELEMETRY SERVICE FRAMEWORK FOR HPC ENVIRONMENTS Ole Weidner Adam Barker Malcolm Atkinson School of Informatics School of Computer Science School of Informatics University of Edinburgh University of St Andrews University

443 views • 26 slides

More recommend