Shoulder surfing can be a serious security and privacy concern for the unwary internet user logging in at a cybercafé, an airport or even their place of work, where a glance at their computer screen, tablet or other mobile device could reveal to a third party the sites they are visiting, the subjects they are searching for or even their login details. New research published in the International Journal of Trust Management in Computing and Communications offers “HoneyString”, a honeypot-style login scheme that improves on earlier tag digit-based approaches, to protect such users.
Nilesh Chakraborty and Samrat Mondal of the Department of Computer Science and Engineering, Indian Institute of Technology Patna, explain that screen protectors, browser plugins and other approaches can already be used to protect users from shoulder surfers. The physical systems reduce the viewing angle of an LCD or LED screen, while plugins attempt to camouflage what is being displayed but may require the user to wear, for instance, a pair of spectacles with red lenses.
With HoneyString, the team hopes to reduce the need for users to intervene in their own protection. Where a username and password or PIN are to be entered on a device, the HoneyString approach instead prompts the user for individual characters of the password, such as the 3rd, then the 1st, then the 5th, and so on until a sufficient portion of the password or PIN has been supplied. A casual shoulder surfer, not knowing the password in advance, cannot easily tell what is being entered at a specific point in the process or what the prompt was. The HoneyString approach improves on earlier protection methods known as tag digit-based schemes: in addition to prompting for characters of the actual password, it intersperses prompts for characters from a second string that the user knows but which is unrelated to the password, the HoneyString.
For example, if the password is “(pUrput4” and the HoneyString is “bAcb7*”, a HoneyString login might ask the user to enter the third character of the password – U – then the third character of the HoneyString – c – and so on until enough of the password has been entered. The protection only needs to hide the real password from someone attempting to view the user’s screen over their shoulder. The system would suit ATM (automated teller machine) security as well as PIN entry on mobile and other devices.
If the shoulder-surfing attacker has noted the responses, they will not be able to log in elsewhere at their leisure: they will hold some characters from the password, not necessarily in the correct order, interspersed with HoneyString characters. The prompts differ in every subsequent session, and because the attacker never gained the complete password in the first place, they will fail to complete a login.
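The challenge-response flow described above, as an added example that is not the authors' code or the paper's exact protocol: the prompt format (a source tag plus a 1-based position), the choice to sample distinct positions per session and the constant-time comparison are this editor's assumptions, and the credentials are the article's example strings reused as constructed demo data.

```python
import random
import secrets

# Constructed demo credentials (the strings the article uses as its example);
# in a real deployment both are per-user secrets fixed at registration.
PASSWORD = "(pUrput4"
HONEYSTRING = "bAcb7*"


def _rng(seed=None):
    """A seeded PRNG is only for reproducible demos; a server must use SystemRandom."""
    return secrets.SystemRandom() if seed is None else random.Random(seed)


def make_challenge(password, honeystring, k_password, k_honey, rng=None):
    """Build one login challenge: a random interleaving of prompts (assumed format).

    Each prompt is (source, position): 'P' asks for a password character,
    'H' for a HoneyString character; position is 1-based. Positions within
    each source are distinct, so one session exposes at most k_password
    password characters even to an observer who sees prompt and keystroke.
    """
    rng = rng or _rng()
    prompts = [("P", i) for i in rng.sample(range(1, len(password) + 1), k_password)]
    prompts += [("H", i) for i in rng.sample(range(1, len(honeystring) + 1), k_honey)]
    rng.shuffle(prompts)
    return prompts


def answer(challenge, password, honeystring):
    """The keystrokes a legitimate user produces for this challenge."""
    return "".join(
        (password if source == "P" else honeystring)[pos - 1]
        for source, pos in challenge
    )


def verify(challenge, typed, password, honeystring):
    """Server-side check of the typed string against the challenge it was issued for."""
    expected = answer(challenge, password, honeystring)
    return secrets.compare_digest(typed.encode(), expected.encode())


def password_positions_exposed(challenges):
    """Distinct password positions an observer who saw both prompts and keystrokes
    could learn across the given sessions; HoneyString prompts teach them nothing."""
    return {pos for challenge in challenges for source, pos in challenge if source == "P"}


def replay_success_rate(observed_typed, password, honeystring, k_password, k_honey,
                        trials=1000, seed=None):
    """Fraction of fresh challenges a keystroke-only observer would pass by retyping
    exactly what they saw in one earlier session."""
    rng = _rng(seed)
    hits = 0
    for _ in range(trials):
        fresh = make_challenge(password, honeystring, k_password, k_honey, rng)
        if verify(fresh, observed_typed, password, honeystring):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    challenge = make_challenge(PASSWORD, HONEYSTRING, 3, 2)
    typed = answer(challenge, PASSWORD, HONEYSTRING)
    print("prompts:", challenge)
    print("user types:", typed, "->", verify(challenge, typed, PASSWORD, HONEYSTRING))
    print("password positions leaked this session:",
          sorted(password_positions_exposed([challenge])), "of", len(PASSWORD))
    rate = replay_success_rate(typed, PASSWORD, HONEYSTRING, 3, 2)
    print(f"replaying those keystrokes against fresh challenges succeeds in {rate:.1%} of trials")
```

Two practitioner caveats follow directly from the code. The server must keep the issued challenge bound to the session and verify the typed string only against that challenge; a fresh challenge per attempt is what makes a replay fail. And `password_positions_exposed` accumulates across sessions: an attacker who can watch the same user several times, prompts included, eventually collects every position, so the scheme limits what one observation yields rather than making the password unobservable.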
The team points out that the HoneyString system is simple to use and does not extend login time unduly, while denying a shoulder surfer the information needed to gain access to the account into which the user is logging in.
Chakraborty, N. and Mondal, S. (2015) ‘HoneyString: an improved methodology over tag digit-based honeypot to detect shoulder surfing attack’, Int. J. Trust Management in Computing and Communications, Vol. 3, No. 2, pp.93–114.