Abstract
Keystroke behaviour-based authentication employs the unique typing behaviour of users to authenticate them. Recent such proposals for virtual keyboards on smartphones employ diverse temporal, contact, and spatial features to achieve over 95% accuracy. Consequently, they have been suggested as a second line of defense with text-based password authentication. We show that a state-of-the-art keystroke behaviour-based authentication scheme is highly vulnerable against mimicry attacks. While previous research used training interfaces to attack physical keyboards, we show that this approach has limited effectiveness against virtual keyboards. This is mainly due to the large number of diverse features that the attacker needs to mimic for virtual keyboards. We address this challenge by developing an augmented reality-based app that resides on the attacker’s smartphone and leverages computer vision and keystroke data to provide real-time guidance during password entry on the victim’s phone. In addition, we propose an audiovisual attack in which the attacker overlays transparent film printed with spatial pointers on the victim’s device and uses audio cues to match the temporal behaviour of the victim. Both attacks require neither tampering with or installing software on the victim’s device nor specialized hardware. We conduct experiments with 30 users to mount over 400 mimicry attacks. We show that our methods enable an attacker to mimic keystroke behaviour on virtual keyboards with little effort. We also demonstrate the extensibility of our augmented reality-based technique by successfully mounting mimicry attacks on a swiping behaviour-based continuous authentication system.
Mimicry Attacks on Smartphone Keystroke Authentication