PIN Entry Resilient to Shoulder Surfing

This is joint work with Kai Richter.

Motivation

Each time a user withdraws money from an ATM, pays at a POS terminal with a debit card, or unlocks a cell phone, he types the identical four-digit PIN (or swipes the same unlock pattern). Anyone who observes this procedure, e.g. by looking over the user's shoulder, can easily memorize the PIN (or pattern). Combined with stolen or skimmed material such as magnetic stripe cards, account numbers printed on receipts, or mobile devices, criminals then gain access to, e.g., the victim's bank account or telecommunications services.

Synopsis

The question then is: can the PIN entry method be redesigned in a way that renders it more secure while still being easily usable? Towards an answer, we consider what we call an interactive cognitive trapdoor game. The key idea behind such a game is that it is easily won if the PIN is known, and is hard to win otherwise. Knowledge of the PIN therefore constitutes a trapdoor. Additionally, being able to observe the game must not yield sufficient information to substantially improve the observer's ability to win subsequent instances of the game. Here, we assume that the observer's resources are bounded by the cognitive capabilities of a human, e.g. by the capacity of human short-term memory. Hence the term cognitive trapdoor game. We considered multiple variants of such a game; one variant is illustrated below.

The principal idea is to present the user two sets of PIN digits laid out on a regular PIN pad, by randomly coloring half of the keys black and the other half white. The user indicates which set contains the digit by pressing either the black or the white button. Then the keys are recolored at random and another round is played. After three to four rounds the ATM can determine the entered PIN digit unambiguously by intersecting the chosen sets. The game is played repeatedly until all PIN digits are entered. The example sequence shown below illustrates how a "3" would be entered.

Figure: the entry sequence for digit "3".

We refer to this variant as "immediate choice" because the user must enter each response without hesitation. The security is derived from the observation that the capacity of human short-term memory is too limited to retain sufficient information (the coloring of every round together with the response given in that round) to derive the entered PIN.

An observer who records an entire session with a camera will be able to determine the entered PIN by the same algorithm as the ATM, i.e. by intersecting the chosen sets. However, by reducing the number of rounds, and thereby introducing uncertainty about the entered PIN digits, the PIN entry scheme can be made resilient against a single camera recording. We conducted a security and usability study of our schemes and found that they provide significantly better security against shoulder surfing than the regular PIN entry method while still being reasonably usable.
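To make the two points above concrete (the ATM's intersection algorithm, and why a complete recording reproduces it while a truncated number of rounds leaves the observer uncertain), here is a small simulation of the "immediate choice" game. It is an added example and not the authors' code; it assumes a ten-key pad (digits 0-9), an exact 5/5 black/white split in every round, purely random recoloring, and an honest user who always answers correctly. The function names (`play_digit`, `replay`, `ambiguity_rate`) are ours.

```python
"""Simulation of the 'immediate choice' cognitive trapdoor game.

Added example, not the original authors' code. Assumptions: ten keys
(digits 0-9), each round colors exactly five keys black and five white
at random, and the user always presses the correct button.
"""
import random

DIGITS = frozenset("0123456789")


def random_coloring(rng):
    """Color the ten keys at random; return (black, white) as two frozensets of five digits."""
    keys = sorted(DIGITS)          # sorted for determinism under PYTHONHASHSEED
    rng.shuffle(keys)
    return frozenset(keys[:5]), frozenset(keys[5:])


def play_digit(secret_digit, rng, max_rounds=None):
    """Play rounds for one PIN digit until the terminal's candidate set is a singleton.

    Returns (transcript, candidates). The transcript is the list of
    (black, white, answer) triples, i.e. everything a camera would capture.
    The candidates are the terminal's running intersection of the chosen sets.
    With max_rounds set, the game stops early and the result may be ambiguous.
    """
    candidates = set(DIGITS)
    transcript = []
    rounds = 0
    while len(candidates) > 1 and (max_rounds is None or rounds < max_rounds):
        black, white = random_coloring(rng)
        # The user's immediate choice: which color is my digit shown in?
        answer = "black" if secret_digit in black else "white"
        chosen = black if answer == "black" else white
        candidates &= chosen       # the ATM narrows the digit down
        transcript.append((black, white, answer))
        rounds += 1
    return transcript, frozenset(candidates)


def replay(transcript):
    """What an observer with a complete recording learns: exactly the terminal's intersection."""
    candidates = set(DIGITS)
    for black, white, answer in transcript:
        candidates &= black if answer == "black" else white
    return frozenset(candidates)


def enter_pin(pin, rng, max_rounds=None):
    """Play the game for every digit of the PIN; return the per-digit candidate sets."""
    return [play_digit(d, rng, max_rounds)[1] for d in pin]


def ambiguity_rate(pin, rounds, trials, seed=0):
    """Fraction of simulated entries in which at least one digit is still ambiguous
    to a perfect observer after a fixed number of rounds per digit."""
    rng = random.Random(seed)
    ambiguous = sum(
        1 for _ in range(trials)
        if any(len(c) > 1 for c in enter_pin(pin, rng, rounds))
    )
    return ambiguous / trials


if __name__ == "__main__":
    rng = random.Random(2004)
    transcript, result = play_digit("3", rng)
    print("rounds played:", len(transcript), "terminal decided:", sorted(result))
    print("observer with full recording:", sorted(replay(transcript)))
    for r in (1, 2, 3, 4):
        print(f"{r} round(s) per digit: PIN ambiguous to a camera in "
              f"{ambiguity_rate('1234', r, 500):.0%} of entries")
```

Running the block prints one game for the digit "3" and shows that replaying the recording yields the same digit the terminal decided on; the final loop shows how the share of entries in which the recorded PIN stays ambiguous falls as the number of rounds per digit grows, which is the trade-off between usability and resilience against a single recording that the text describes.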

Associated publications

  1. Volker Roth, Kai Richter, and Rene Freidinger. A PIN-entry method resilient against shoulder surfing. In Proc. ACM Conference on Computer and Communications Security (CCS), pages 236-245. ACM, 2004.
  2. Volker Roth and Kai Richter. How to fend off shoulder surfers. Journal of Banking and Finance, 30(6):1727-1751, June 2006. Special issue on Frontiers in Payment and Settlement Systems. doi:10.1016/j.jbankfin.2005.09.010.