Abstract Personal Identification Numbers (PIN) are widely used for authenticating users for financial transactions. PIN numbers are entered at Automatic Teller Machine (ATMs), card payments at Point of Sale (POS) counters and for e-banking services. When PIN numbers are keyed in by the users, they are vulnerable to shoulder surfing and keylogging attacks. By entering PIN numbers through virtual keyboards, the keylogging attacks can be mitigated, but it elevates the risk of shoulder surfing. A number of shoulder surfing resistive keyboard schemes have been proposed. But many of them offer inadequate security and are poor in usability. They also demand substantial user intelligence, training, user memory and additional devices for entering the PIN numbers. Keeping in mind that securing PIN number should not be done at the cost of user inconvenience, a new scheme based on key sliding is proposed in this paper. Two variations of the scheme are presented. They are based on manual and automatic sliding of keys and indirect user entry of PIN numbers. Our proposed schemes are simple and easy to adopt. They are sufficiently stronger against attacks. Our extensive analysis and user study of the schemes have proved their security and usability.

References

[1] De Luca A., Frauendienst B., Boring S., and Hussmann H., My phone is my Keypad:Privacy- Enhanced PIN-Entry on Public Terminals, in Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group: Design: Open 24/7, Melbourne, pp. 401-404, 2009.

[2] De Luca A., Hertzschuch K., and Hussmann H., ColorPIN: Securing PIN Entry Through Indirect Input, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Atlanta, pp. 1103-1106, 2010.

[3] Kim C. and Lee M., Secure and User Friendly Pin Entry Method, in Proceedings of International Conference on Consumer Electronics, Las Vegas, pp. 203-204, 2010.

[4] K lsch M. and Turk M., Keyboards Without Keyboards: A Survey of Virtual Keyboards, Technical Report, 2002.

[5] Kumar M., Garfinkel T., Boneh D., and Winograd T., Reducing Shoulder-Surfing by Using Gaze-Based Password Entry, in Proceedings of the 3rd Symposium on Usable Privacy and Security, Pittsburgh, pp. 13-19, 2007.

[6] Kwon T. and Na S., SwitchPIN: Securing Smartphone PIN Entry with Switchable Keypads, in Proceedings of the IEEE International Conference on Consumer Electronics, Las Vegas, pp. 23-24, 2014.

[7] Lee M., Security Notions and Advanced Method for Human Shoulder-Surfing Resistant PIN-Entry, IEEE Transactions on Information Forensics and Security, vol. 9, no. 4, pp. 695-708, 2014.

[8] Malek B., Orozco M., and El Saddik A., Novel Shoulder-Surfing Resistant Haptic-based Graphical Password, in Proceedings of EuroHaptics Society, vol. 6, pp. 179-184, 2006.

[9] Mohaisen A., Nyang D., and Kang J., Keylogging-Resistant Visual Authentication Protocols, IEEE Transactions on Mobile Computing, vol. 13, no. 11, pp. 2566-2579, 2014.

[10] Perkovi T., agalj M., and Saxena N., Shoulder-Surfing Safe Login in a Partially Observable Attacker Model, in Proceedings of Financial Cryptography and Data Security, Canary Islands, pp. 351-358, 2010.

[11] Por L., Frequency of Occurrence Analysis Attack and its Countermeasure, The International Arab Journal of Information Technology, vol. 10, no. 2, pp. 189-197. 2013.

[12] Raddum H., Nest s L., and Hole K., Security Analysis of Mobile Phones used as OTP Generators, in Proceedings of Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices, Passau, pp. 324-331, 2010.

[13] Rajarajan S., Maheswari K., Hemapriya R., and Sriharilakshmi S., Shoulder Surfing Resistant Virtual Keyboard for Internet Banking, World Applied Sciences Journal, vol. 31, no. 7, pp. 1297-1304, 2014.

[14] Roth V., Richter K., and Freidinger R., A PIN- Entry Method Resilient Against Shoulder Surfing, in Proceedings of the 11th ACM Conference on Computer and communications Security, Washington, pp. 236-245, 2004.

[15] Roth V. and Richter K., How to Fend off Shoulder Surfing, Journal of Banking and Finance, vol. 30, no. 6, pp. 1727-1751, 2006.

[16] Shi P., Zhu B., and Youssef A., A PIN entry Scheme Resistant to Recording-based Shoulder- Surfing, in Proceedings of Third International DragPIN: A Secured PIN Entry Scheme to Avert Attacks 223 Conference on Emerging Security Information, Athens, pp. 237-241, 2009.

[17] Shi P., Zhu B., and Youssef A., A Rotary Pin Entry Scheme Resilient to Shoulder-Surfing, International Conference for Internet Technology and Secured Transactions, London, pp. 1-7, 2009.

[18] Tari F., Ozok A., and Holden S., A Comparison of Perceived and Real Shoulder-Surfing Risks Between Alphanumeric and Graphical Passwords, in Proceedings of the Second Symposium on Usable Privacy and Security, Pittsburgh, pp. 56-66, 2006.

[19] Wilfong, G., Method and Apparatus for Secure PIN Entry, U.S. Patent 5,940,511, 1999.

[20] Wu T., Lee M., Lin H., and Wang C., Shoulder- Surfing-proof Graphical Password Authentication Scheme, International Journal of Information Security, vol. 13, no. 3, pp. 245-254, 2014. Rajarajan Srinivasan received M.Tech in CSE from SASTRA University. He is presently pursuing part time PhD at SASTRA University, India. He is an Assistant Professor at the same university. His area of research interest includes computer security, e-banking and graphical passwords.