Introduction
Most payment and banking services at both point of sale (PoS) terminals and automated teller machines (ATMs) are authenticated with the use of PINs (Nathaniel & Osuo-Genseleke, 2018). These applications are in public places where other people may be able to observe the process of keying in the PIN to authenticate the transaction. An adversary can easily gain access to the information by looking over one's shoulder to observe the process (Bošnjak & Brumen, 2019). Another way an adversary can obtain the information is through an inference attack (Kovelamudi, Zheng, & Mukkamala, 2017). This is done by observing the position and movement of the potential victim's hand during the PIN entry process on the keypad. With the fixed positions of the keys on the standardized numeric keypad, it is not very difficult to accurately guess the digits of a PIN just by observing the login process. The attacker can then gain access to the victim's financial information, impersonate the victim to gain access to sensitive information, or use the victim's identity to commit a crime. A scrambling keypad has been proposed to help overcome shoulder surfing and inference attacks.
A scrambling keypad has a layout similar to a telephone keypad, but each time a key on the keypad is pressed the digits are scrambled to positions other than the standard number positions (Phoka, Phetsrikran, & Massagram, 2018). This is done to maintain optimum security, so that someone watching the PIN key-in process cannot determine the numbers being entered. The purpose of a scrambling keypad is to prevent shoulder-surfing and inference attacks. Shoulder-surfing is a type of social engineering technique which attackers use to obtain information such as personal identification numbers, passwords and other confidential data by looking over the user's shoulder, either at keystrokes on a device or at sensitive information being spoken (Hindusree & Sasikumar, 2015). Shoulder-surfing is a form of data theft where criminals steal a victim's personal information by observing the victim while using devices such as ATMs, computers, PoS terminals, and other electronic systems that require the use of a PIN for authentication (Kasat, Bhadade, & Trivedi, 2015). This can lead to identity theft or fraud. Evidence suggests that shoulder surfing occurs frequently and can easily be carried out by an average user (Bošnjak & Brumen, 2019). Though it is quite safe to use a personal device for transactions that require the input of sensitive data, such as PINs on the numeric keypad, the issue of shoulder-surfing comes into play when one uses a public device or has to perform the transaction in a public place.
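The mechanism described above, as an added simulation that is not part of this paper: a fresh random layout is drawn for every key press, so the physical positions an observer sees pressed no longer determine the digits, whereas on the fixed standard layout the same observation recovers the PIN exactly. The layouts and PIN used here are constructed for illustration.

```python
import secrets

# Position i of the standard 3x4 telephone keypad shows digit STANDARD_LAYOUT[i]
# (positions 0-8 are the keys 1-9, position 9 is the 0 key).
STANDARD_LAYOUT = list("1234567890")


def scrambled_layout():
    """One fresh layout: a uniformly random assignment of the ten digits to the ten positions.

    A CSPRNG is used so that an observer cannot predict the next layout from earlier ones.
    """
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return digits


def press_sequence(pin, layouts):
    """Physical key positions an observer sees pressed when `pin` is typed, one layout per press."""
    return [layout.index(d) for d, layout in zip(pin, layouts)]


def decode(positions, layouts):
    """What the terminal receives: the digit shown at each pressed position under that press's layout."""
    return "".join(layouts[i][p] for i, p in enumerate(positions))


def infer_pin(positions, assumed_layout):
    """Inference from observed positions alone, assuming the keypad never changes layout."""
    return "".join(assumed_layout[p] for p in positions)


def demo(pin="4711"):  # constructed sample PIN
    """Compare what position observation yields on a fixed versus a per-press scrambled keypad."""
    fixed = [STANDARD_LAYOUT] * len(pin)
    fixed_positions = press_sequence(pin, fixed)
    scrambled = [scrambled_layout() for _ in pin]
    scrambled_positions = press_sequence(pin, scrambled)
    return {
        "fixed_inferred": infer_pin(fixed_positions, STANDARD_LAYOUT),        # equals pin
        "scrambled_received": decode(scrambled_positions, scrambled),          # terminal still gets pin
        "scrambled_inferred": infer_pin(scrambled_positions, STANDARD_LAYOUT), # unrelated to pin
    }


if __name__ == "__main__":
    print(demo())
```

The observer's inference is only defeated if the layout itself is hidden from them; a camera or onlooker that can read the scrambled digits on screen sees the same information the legitimate user does.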
An inference attack is a data mining technique that is used to illegally access information about a subject or database by analyzing collected trivial data that is disclosed unknowingly. This is an example of breached information security where the attacker is able to deduce key or critical information about a database from trivial information, often through social engineering, without directly accessing it (Turkanović, Družovec, & Hölbl, 2015). The most widely used mode of authentication is the use of passwords and PINs (Kwon & Hong, 2015). The commonly used access control method is password-based authentication, where the user inputs a pre-arranged textual, graphical or numerical password using a keypad directly through the user interface of the system (Shukla et al., 2018). The PIN is a common authentication method widely used for ATMs, point of sale terminals, access control systems and mobile devices such as phones and tablets.