Mike Just
Glasgow Caledonian University
Publication
Featured research published by Mike Just.
financial cryptography | 2014
Joseph Bonneau; Mike Just; Greg Matthews
We study the efficiency of statistical attacks on human authentication systems relying on personal knowledge questions. We adapt techniques from guessing theory to measure security against a trawling attacker attempting to compromise a large number of strangers’ accounts. We then examine a diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places and find that personal knowledge questions are significantly less secure than graphical or textual passwords. We also demonstrate that statistics can be used to increase security by proactively shaping the answer distribution to lower the prevalence of common responses.
symposium on usable privacy and security | 2009
Mike Just; David Aspinall
Challenge questions are an increasingly important part of mainstream authentication solutions, yet there are few published studies concerning their usability or security. This paper reports on an experimental investigation into user-chosen questions. We collected questions from a large cohort of students, in a way that encouraged participants to give realistic data. The questions allow us to consider possible modes of attack and to judge the relative effort needed to crack a question, according to an innovative model of the knowledge of the attacker. Using this model, we found that many participants were likely to have chosen questions with low-entropy answers, yet they believed that their challenge questions would resist attacks from a stranger. However, by asking multiple questions, we are able to show a marked improvement in security for most users. In a second stage of our experiment, we applied existing metrics to measure the usability of the questions and answers. Despite having youthful memories and choosing their own questions, users made errors more frequently than desirable.
human computer interaction with mobile devices and services | 2015
Nicholas Micallef; Mike Just; Lynne Baillie; Martin Halvey; Hilmi Gunes Kayacik
One of the main reasons why smartphone users do not adopt screen locking mechanisms is due to the inefficiency of entering a PIN/pattern each time they use their phone. To address this problem we designed a context-sensitive screen locking application which asked participants to enter a PIN/pattern only when necessary, and evaluated its impact on efficiency and satisfaction. Both groups of participants, who prior to the study either locked or did not lock their phone, adopted our application and felt that unlocking their phone only when necessary was more efficient, did not annoy them and offered a reasonable level of security. Participants responded positively to the option of choosing when a PIN/pattern is required in different contexts. Therefore, we recommend that designers of smartphone locking mechanisms should consider ceding a reasonable level of control over security settings to users to increase adoption and convenience, while keeping smartphones reasonably secure.
ieee international conference on pervasive computing and communications | 2015
Nicholas Micallef; Hilmi Gunes Kayacik; Mike Just; Lynne Baillie; David Aspinall
Modern mobile devices come with an array of sensors that support many interesting applications. However, sensors have different sampling costs (e.g., battery drain) and benefits (e.g., accuracy) under different circumstances. In this work we investigate the trade-off between the cost of using a sensor and the benefit gained from its use, with application to data-driven authentication on mobile devices. Current authentication practice, where user behaviour is first learned from the sensor data and then used to detect anomalies, typically assumes a fixed sampling rate and does not consider the battery consumption and usefulness of sensors. In this work we study how battery consumption and sensor effectiveness (e.g., for detecting attacks) vary when using different sensors and different sensor sampling rates. We use data from both controlled lab studies, as well as field trials, for our experiments. We also propose an adaptive sampling technique that adjusts the sampling rate based on an expected device vigilance level. Our results show that it is possible to reduce the battery consumption tenfold without significantly impacting the detection of attacks.
financial cryptography | 2013
David Aspinall; Mike Just
A partial password is a query of a subset of characters from a full password, posed as a challenge such as “Give me letters 2, 3 and 6 from your password”. Partial passwords are commonly used in the consumer financial sector, both online and in telephone banking. They provide a cheap way of providing a varying challenge that prevents eavesdroppers or intermediate systems learning a shared secret in a single step. Yet, despite widespread adoption among millions of consumers, this mechanism has had little attention in the academic literature. Answers to obvious questions are not clear, for example, how many observations are needed for an attacker to learn the complete password, or to successfully answer the next challenge? In this paper we survey a number of online banking implementations of partial passwords, and investigate the security of the mechanism. In particular, we look at guessing attacks with a projection dictionary ranked by likelihood, and recording attacks which use previous information collected by an attacker. The combination of these techniques yields the best attack on partial passwords.
human factors in computing systems | 2016
Muhammad Adnan; Mike Just; Lynne Baillie
Research on graphical perception of time series visualisations has focused on visual representation, and not on interaction. Even for visual representation, there has been limited study of the impact on users of visual encodings and the strengths and weaknesses of Cartesian and Polar coordinate systems. In order to address this research gap, we performed a comprehensive graphical perception study that measured the effectiveness of time series visualisations with different interactions, visual encodings and coordinate systems for several tasks. Our results show that, while positional and colour visual encodings were better for most tasks, area visual encoding performed better for data comparison. Most importantly, we identified that introducing interactivity within time series visualisations considerably enhances the user experience, without any loss of efficiency or accuracy. We believe that our findings can greatly improve the development of visual analytics tools using time series visualisations in a variety of domains.
Policy & Internet | 2010
Mike Just; David Aspinall
To authenticate human users to systems, challenge questions based on personal information are often used, typically when a primary authentication credential, such as a password, is forgotten. This ought to be a trustworthy mechanism that is both reliable and accurate: personal information should be inherently memorable and not known to others. However, concerns have been raised recently about these assumptions: for example, some commonly used questions may be based on information that is available publicly. A possible improvement, then, is to allow users to choose their own questions. Here we report on an experiment which gathered user-chosen questions and a subsequent security and usability analysis of them. Our experiment itself follows a novel method which is designed to engender the trust of participants, so they participate honestly. This methodological innovation demonstrates that it is possible to perform ethical authentication experiments where sensitive information does not have to be collected from users. Our experiments revealed some surprising results. Although subjects sometimes seemed aware of the need for security, they often ‘missed the mark’ by a wide margin; similarly, there are serious concerns over the usability of freely chosen questions with free-form answers. These results should raise some serious questions for those setting the policy agenda for either testing or building authentication solutions for Internet applications.
Information and Computer Security | 2015
Muhammad Adnan; Mike Just; Lynne Baillie; Hilmi Gunes Kayacik
Purpose – The purpose of this paper is to investigate the work practices of network security professionals and to propose a new and robust work practices model of these professionals.
Design/methodology/approach – The proposed work practices model is composed by combining the findings of ten notable empirical studies performed so far this century. The proposed model was then validated by an online survey of 125 network security professionals with a wide demographic spread.
Findings – The empirical data collected from the survey of network security professionals strongly validate the proposed work practices model. The results also highlight interesting trends for different groups of network security professionals, with respect to performing different security-related activities.
Research limitations/implications – Further studies could investigate more closely the links and dependencies between the different activities of the proposed work practices model and tools used by network security professionals to...
security of information and networks | 2014
Ahmed Saeed; Ali Ahmadinia; Mike Just; Christophe Bobda
Security is becoming the primary concern in today’s embedded systems. Network-on-Chip (NoC) based communication architectures have emerged as an alternative to the shared bus mechanism in Multiprocessor System-on-Chip (MPSoC) devices, and the increasing number and functionality of processing cores has made such systems vulnerable to security attacks. In this paper an ID and address verification (IAV) security module is presented, which is embedded in each router at the communication level. IAV verifies the identity and address range to be accessed by incoming and outgoing data packets in a NoC-based many-core shared memory architecture. Our IAV architecture is implemented on an FPGA device for functional verification and evaluated in terms of its area and power consumption overhead. For FPGA-based systems, the IAV module can be reconfigured at run-time through partial reconfiguration. In addition, a cycle-accurate simulation is carried out to analyse the performance overhead for different network configurations. The proposed IAV module has reduced area and power consumption overhead when compared with similar existing solutions.
Journal of Circuits, Systems, and Computers | 2016
Ahmed Saeed; Ali Ahmadinia; Mike Just
Security is becoming the primary concern in today’s embedded systems. Network-on-chip (NoC)-based communication architectures have emerged as an alternative to the shared bus mechanism in multi-core system-on-chip (SoC) devices, and the increasing number and functionality of processing cores have made such systems vulnerable to security attacks. In this paper, a secure communication architecture is presented by designing an identity and address verification (IAV) security module, which is embedded in each router at the communication level. The IAV module verifies the identity and address range to be accessed by incoming and outgoing data packets in an NoC-based multi-core shared memory architecture. Our IAV module is implemented on an FPGA device for functional verification and evaluated in terms of its area and power consumption overhead. For FPGA-based systems, the IAV module can be reconfigured at run-time through partial reconfiguration. In addition, a cycle-accurate simulation is carried out to analyze the performance and total network energy consumption overhead for different network configurations. The proposed IAV module has reduced area and power consumption overhead when compared with similar existing solutions.