Stealing PINs via Mobile Sensors: Actual Risk versus User Perception
In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website...
Published in | arXiv.org |
---|---|
Main Authors | Mehrnezhad, Maryam; Toreini, Ehsan; Shahandashti, Siamak F; Feng, Hao |
Format | Paper Journal Article |
Language | English |
Published | Ithaca, Cornell University Library, arXiv.org, 18.04.2017 |
Subjects | |
ISSN | 2331-8422 |
DOI | 10.48550/arxiv.1605.05549 |
Abstract | In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user's PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users' perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks. |
---|---|
AbstractList | International Journal of Information Security, P1-23, April 2017 |
Author | Shahandashti, Siamak F; Toreini, Ehsan; Feng, Hao; Mehrnezhad, Maryam |
BackLink | https://doi.org/10.1007/s10207-017-0369-x (View published paper; access to full text may be restricted); https://doi.org/10.48550/arXiv.1605.05549 (View paper in arXiv) |
ContentType | Paper Journal Article |
Copyright | 2017. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. http://arxiv.org/licenses/nonexclusive-distrib/1.0 |
Discipline | Physics |
EISSN | 2331-8422 |
ExternalDocumentID | 1605_05549 |
Genre | Working Paper/Pre-Print |
IsDoiOpenAccess | true |
IsOpenAccess | true |
IsPeerReviewed | false |
IsScholarly | false |
Language | English |
PublicationCentury | 2000 |
PublicationDate | 20170418 |
PublicationDateYYYYMMDD | 2017-04-18 |
PublicationDecade | 2010 |
PublicationPlace | Ithaca |
PublicationTitle | arXiv.org |
PublicationYear | 2017 |
Publisher | Cornell University Library, arXiv.org |
SubjectTerms | Artificial neural networks; Cell phones; Cellular telephones; Computer Science - Cryptography and Security; Cybersecurity; Electronic devices; Perceptions; Risk perception; Sensors; Smartphones; Streams; Websites |
Title | Stealing PINs via Mobile Sensors: Actual Risk versus User Perception |
URI | https://www.proquest.com/docview/2075318734 https://arxiv.org/abs/1605.05549 |