this pin can be easily guessed
play

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone - PowerPoint PPT Presentation

Apr 25, 2023 •174 likes •355 views

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Drmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy Overview ?!

  1. This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy

  2. Overview ?! Priming Agenda Practice Creation Why study PINs? User Study Results 1/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  3. Why PINs? Fingerprint PHOTO: Dan Seifert | The Verge (Vox Media) Iris Face 2/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  4. Who uses PINs? 1220 participants 759 use a biometric 461 do not use a biometric 210 use a PIN 595 use a PIN Overall 805 (66%) use a PIN 3/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  5. What we know about PINs What we don’t know ● User chosen 4-digit PINs are ● How secure are 4- or 6-digit PINs in predictable [1] the smartphone unlock setting? ● User chosen 6-digit PINs aren’t any ● What are the effects of different better [2] blacklists on the security of PINs? ● Blacklisting popular PINs can ● How to balance security and usability increase security [1] when composing a blacklist? [1] J. Bonneau, S. Preibusch, and R. Anderson. A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs. FC ‘12 [2] D. Wang, Q. Gu, X. Huang, and P. Wang. Understanding Human-Chosen PINs : Characteristics, Distribution and Security. AsiaCCS ‘17 4/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  6. Treatments 4-digit 6-digit No Blacklist Blacklist No Blacklist Blacklist 1. Control 2. Placebo 3. iOS 4. DD Small 5. DD Large 6. Control 7. Placebo 8. iOS Placebo iOS Data-Driven (DD) “Test general effect of warning” “Test effect of iOS blacklists” “Test effect of different blacklist sizes” Blacklist: Blacklist: Blacklist: ● “1st choice” blocked ● 274 PINs (4-digit) ● Top 27 PINs of Amitay (small) ● Any other PIN allowed ● 2910 PINs (6-digit) ● Top 2740 PINs of Amitay (large) 5/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  7. Extracting the iOS Blacklists This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  8. User Study Consent Priming PIN Creation Practice 8/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  9. User Study Followup Consent Priming Questionnaires Demographics PIN Creation Practice Recall 8/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  10. Attacker Model ● No information about the victim 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  11. Attacker Model ● No information about the victim Rank 4-digit PINs 6-digit PINs 1 1234 123456 1 2 0000 123123 ● Guesses PINs in decreasing probability order 2 3 3 2580 111111 ⁝ ⁝ ⁝ 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  12. Attacker Model ● No information about the victim 1 ● Guesses PINs in decreasing probability order 2 3 ● Slowed down by rate-limiting Android iOS 10 Guesses 30s 1h 36m 0s 100 Guesses 10h 45min 30s — 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  13. Attacker Model ● No information about the victim 1 ● Guesses PINs in decreasing probability order 2 3 Rank 4-digit PINs 6-digit PINs 1 1234 123456 ● Slowed down by rate-limiting not allowed 2 0000 123123 3 2580 111111 ⁝ ⁝ ⁝ 1 ● Knows the blacklist and skips impossible choices x 3 9/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  14. Research Questions 4 vs. 6 RQ1: How secure are 4- and 6-digit PINs in the smartphone unlock setting? Small? RQ2: What are the effects of different blacklists on the security of PINs? Medium? Large? RQ3: How to balance security and usability when composing a blacklist? 10/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  15. RQ1: 4- vs. 6-digit PINs Observations: ● Overall comparable security of 4- and 6-digit PINs in the defined attacker model ● Differences depending on the number of guesses 11/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  16. RQ2: Different Blacklist Sizes Observations: ● iOS and Data-Driven Small offer comparable security ● Data-Driven Large drastically increases the security ● Blacklist Hitrate: DD Small 5% iOS 15% DD Large 70% 12/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  17. RQ3: Balancing Security and Usability Observations: ● Different extrema throughout the curve ● Maxima: “Usable” “Secure” users choose popular PINs ● Minima: users choose unpopular PINs ● Blacklisting ~10% is ideal 13/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

  18. Takeaways Agenda Priming Security of 4- and 6-digit 4 ≈ 6 Practice Creation PINs is comparable Blacklists need to be large XXL to have an effect No biometric Biometric Blacklisting ~10% is ideal Most of the participants in our study (66%) use a PIN Why study PINs? Results User Study philipp.markert@rub.de @philipp_markert https://this-pin-can-be-easily-guessed.github.io 14/14 This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

Recommend

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for Algebra JKU Joint work with Doron Zeilberger 1 2 3 Let A be the number of edges joining sites of the same color 4 Let A be the number of

1.98k views • 129 slides
Which sports could be played easily without having gender categories? What could be

Which sports could be played easily without having gender categories? What could be

Which sports could be played easily without having gender categories? What could be alterna/ve categories in sport? Female hyperandrogenism high level of testosterone some women disqualified or forced to change their healthy

390 views • 10 slides
DC power supplies and distribution modules for your subsystem and control protocol 11 We

DC power supplies and distribution modules for your subsystem and control protocol 11 We

Subject: Re: 2x2@MINOS electronics integeration Date: Mon, 11 Nov 2019 18:10:34 +0300 From: Nikolay Anfimov <anphimov@gmail.com> Dear Ting, I guessed that you discussed most of these topics with Igor who presented light readout at the

214 views • 3 slides
Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM

Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM

Easily Settjng up 4G/5G Testbeds Easily Settjng up 4G/5G Testbeds with OpenAirInterface using OSM with OpenAirInterface using OSM Thomas Dreibholz, dreibh@simula.no dreibh@simula.no Thomas Dreibholz, th OSM Hackfest, 9 th OSM Hackfest, Madrid

354 views • 16 slides
Designing classes How to write classes in a way that they are easily understandable,

Designing classes How to write classes in a way that they are easily understandable,

Objects First With Java A Practical Introduction Using BlueJ Designing classes How to write classes in a way that they are easily understandable, maintainable, and reusable 2.0 Main concepts to be covered Responsibility-driven design

606 views • 27 slides
What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic

What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic

What is the FDA UDI? Appearing in two forms* : Easily readable plain-text , and Automatic identification and data capture or AIDC technology Composed of two parts : Device Identifier or DI - mandatory, fixed, identifies the labeler and

214 views • 10 slides
What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio

What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio

What We Can Easily See Han-Wei Shen Department of Computer Science and Engineering The Ohio State University Mo@va@on How am I going to aCract peoples aCen@on to my Web page Product brochure Marke@ng pamphlet Design is

410 views • 24 slides
DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an

DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an

DONT YOU WISH YOU KNEW THAT - WYNMOOR 1) Q. How can you easily get the phone number for an internet company? E.g. yahoo.com. amazon.com, etc. Answer: https://www.whois.com/whois/ 2) Q. How can you protect yourself from forgetting your logon

404 views • 3 slides
GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily

GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily

GSS Presentation & Dissemination Strategy Professionally presented, meaningful, easily understood statistics delivered in ways users find easy to access, use, understand and re-use March 2014 0 Vision The GSS will deliver professionally

383 views • 14 slides
SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1 CAB,INTA-CSIC 2 Spanish Virtual Observatory ASTERICS European Data Provider Forum and Training Event Heidelberg, June 2016 Introduction SVOCat is an

526 views • 20 slides
SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1

SVOCat Easily publishing catalogues in the VO (and web) Carlos Rodrigo Blanco 1 , 2 1 CAB,INTA-CSIC 2 Spanish Virtual Observatory European Data Provider Forum and Training Event Heidelberg, June 2018 Introduction SVOCat 1.0 is an application

446 views • 30 slides
Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start with Appium testing, and scale according to need Easily write stable Appium tests, or run your existing Appium scripts Set up within minutes,

386 views • 14 slides
YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S.

YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S.

YET ANOTHER EASILY FORMULATED YET UNSOLVED PROBLEM IN MATRIX THEORY DMITRY S. KALIUZHNYI-VERBOVETSKYI, ILYA M. SPITKOVSKY, AND HUGO J. WOERDEMAN Dubrovnik, May 14 2009 1 2 1. Introduction A matrix N C n n is called normal if N N = NN

1.23k views • 73 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable

The Straight and Easy Way to Complete IT Infrastructure Management User-Friendly End-to-End Easily Customizable & Deployable Scalable Readily Integrated & Realizable High Web-Based ROI Everest is an End-to-End IT Infrastructure

210 views • 19 slides
Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart

Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart

Smart Its Friends: A Technique for Users to Easily q y Establish Connections between Smart Artefacts Written by: Lars Erik Holmquist, Friedemann Mattern, Bernt Schiele, Petteri Alahuhta, Michael Beigl and Hans W. Gellersen S hi l P tt i

743 views • 31 slides
Introducing - cy High igh Accu Accura racy VEN PRO ROVEN ROI Easily Achieved in the 1st

Introducing - cy High igh Accu Accura racy VEN PRO ROVEN ROI Easily Achieved in the 1st

le Stab able iable Rel eliabl nt Cons onsis istent ble Rep epeat eatabl ent Effici icien ive Cos ost Effe Effectiv ife Long L ong Life Introducing - cy High igh Accu Accura racy VEN PRO ROVEN ROI Easily Achieved in the 1st

310 views • 4 slides
Responsibility, n. A detachable burden easily shifted to the shoulders of God, Fate, Fortune,

Responsibility, n. A detachable burden easily shifted to the shoulders of God, Fate, Fortune,

http://www.physics.smu.edu/pseudo Responsibility, n. A detachable burden easily shifted to the shoulders of God, Fate, Fortune, Luck or one's neighbor. In the days of astrology it was customary to unload it upon a star. --Ambrose Bierce

554 views • 29 slides
2018 and beyond: Time for Wiltshire and the Great West Way Why Wiltshire? Easily accessible

2018 and beyond: Time for Wiltshire and the Great West Way Why Wiltshire? Easily accessible

2018 and beyond: Time for Wiltshire and the Great West Way Why Wiltshire? Easily accessible - only 90 minutes from London, 2 hours from the South Coast, Midlands and Wales An ancient land shrouded in mystery and steeped in legend - with

155 views • 13 slides
Efficiency and Computational Complexity What is a good algorithm/ program? Solution is

Efficiency and Computational Complexity What is a good algorithm/ program? Solution is

Efficiency and Computational Complexity What is a good algorithm/ program? Solution is simple but powerful/general Easily understood by reader Easily modifiable and maintainable Correct for clearly defined situations

391 views • 26 slides
the need How can blind people easily identify objects? 21M visually impaired; 7%

the need How can blind people easily identify objects? 21M visually impaired; 7%

D T mockup review 2.009 Team Blue B October 16, 2008 the need How can blind people easily identify objects? 21M visually impaired; 7% population (U.S.) Braille labeling a solution Braille

127 views • 8 slides
PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute

PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute

PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute make high quality cuts precision of measurement easily positioned by hand small cutting forces easily transportable carried in standard router case

192 views • 18 slides
Great West Way Why Wiltshire? Easily accessible - only 90 minutes from London, 2 hours from

Great West Way Why Wiltshire? Easily accessible - only 90 minutes from London, 2 hours from

2018 and beyond: Time for Wiltshire and the Great West Way Why Wiltshire? Easily accessible - only 90 minutes from London, 2 hours from the South Coast, Midlands and Wales An ancient land shrouded in mystery and steeped in legend - with

422 views • 13 slides
THE EASY TOE (PATENTED) by NTA Srl Firenze ITALY The EASY TOE attachment is easily

THE EASY TOE (PATENTED) by NTA Srl Firenze ITALY The EASY TOE attachment is easily

THE AUTOMATIC SOCK SEAMING ATTACHMENT THE EASY TOE (PATENTED) by NTA Srl Firenze ITALY The EASY TOE attachment is easily fitted to single cylinder sock knitting machines including: LONATI MATEC SANGIACOMO ANGE The new

393 views • 3 slides

More recommend