
An Analysis on the Vulnerability of Secure Keypads for Mobile Devices

Vulnerability Analysis of Secure Keypads for Mobile Devices

  • Lee, Yunho (Dept. of Cyber Security & Police, Gwangju University)
  • Received : 2012.09.08
  • Accepted : 2013.04.23
  • Published : 2013.06.30

Abstract

Due to the widespread adoption of mobile platforms such as smartphones and tablets, financial and e-commerce transactions on these platforms are growing rapidly. Unlike PCs, almost all mobile platforms provide no physical keyboard or mouse; instead they provide virtual keypads on touchscreens. For this reason, an attacker who can obtain the coordinates of touches on the virtual keypad can recover the actual key values. To counter this, financial applications for mobile platforms use secure keypads, which randomize the position of each key displayed on the virtual keypad. However, these secure keypads do not protect users' private information much more securely than ordinary virtual keypads, because each key has only 2 or 3 possible positions and, moreover, the probability distribution over those positions is not uniform. In this paper, we analyze the secure keypads used by most mobile financial applications, point out the limitations of previous research, and then propose a more general and accurate attack method against these secure keypads.

As mobile platforms such as smartphones and tablet PCs spread rapidly, financial transactions and e-commerce carried out on them are also increasing sharply. In the mobile environment, unlike the desktop PC environment, important personal information such as passwords is entered through a virtual keypad on the touchscreen rather than a keyboard or mouse, and if the touch coordinates are exposed, the key values can easily be exposed as well. To address this problem, most mobile programs related to financial transactions adopt a secure keypad that randomly changes the positions of the keys on the virtual keypad. However, since each key has only 2 or 3 possible positions and the probabilities are not uniform, there are limits to how well such keypads protect the user's important information. In this paper, we describe the secure keypads used by most financial mobile programs, point out the limitations of existing security analyses, and present a new attack method that infers key values from touch positions.
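
The abstract's argument can be quantified before a shuffling scheme is trusted: with only a few possible slots per key and a skewed choice of layouts, an observer who sees a touched slot can guess the key far better than chance. The following is an added example, not code or data from the paper; the 3x4 keypad, its three row-shifted layouts and the layout weights are constructed for illustration, and the user's digit is assumed uniform over 0-9.

```python
from fractions import Fraction
from math import log2

# Constructed example of a numeric "secure keypad" scheme of the kind the
# abstract describes: a 3x4 grid of slots (index = row*3 + col) whose rows
# are shifted cyclically, so every key can appear in only 3 slots, and the
# layout is drawn with non-uniform weights.  All values are invented.
BASE_ROWS = [["1", "2", "3"], ["4", "5", "6"], ["7", "8", "9"], [None, "0", None]]
KEYS = [str(d) for d in range(10)]
SCHEME = {0: Fraction(1, 2), 1: Fraction(3, 10), 2: Fraction(1, 5)}   # shift -> P(shift)
UNIFORM = {0: Fraction(1, 3), 1: Fraction(1, 3), 2: Fraction(1, 3)}   # for comparison

def shifted_layout(shift):
    """Map slot index -> key (None for a blank) after shifting each row right."""
    layout = {}
    for r, row in enumerate(BASE_ROWS):
        for c, key in enumerate(row):
            layout[r * 3 + (c + shift) % 3] = key
    return layout

def joint(scheme):
    """P(key, slot), assuming the user's digit is uniform over the 10 keys."""
    prior = Fraction(1, len(KEYS))
    j = {}
    for shift, w in scheme.items():
        for slot, key in shifted_layout(shift).items():
            if key is not None:
                j[(key, slot)] = j.get((key, slot), 0) + prior * w
    return j

def best_guess_success(scheme):
    """Chance that an observer who sees only the touched slot and picks the most
    likely key for it is right (one keypress); 1/10 would mean no leakage."""
    j = joint(scheme)
    return sum(max(p for (_, s2), p in j.items() if s2 == s) for s in {s for _, s in j})

def key_entropy_given_slot(scheme):
    """H(key | slot) in bits; log2(10) ~= 3.32 would mean no leakage."""
    j = joint(scheme)
    h = 0.0
    for s in {s for _, s in j}:
        p_slot = sum(p for (_, s2), p in j.items() if s2 == s)
        h -= sum(float(p) * log2(float(p / p_slot)) for (_, s2), p in j.items() if s2 == s)
    return h

if __name__ == "__main__":
    print("best-guess success, weighted:", best_guess_success(SCHEME))    # 11/20
    print("best-guess success, uniform :", best_guess_success(UNIFORM))   # 2/5
    print("H(key | slot) bits, weighted:", round(key_entropy_given_slot(SCHEME), 3))
```

The blank slots around "0" leak that digit completely, and the skewed weights cut the remaining uncertainty to about 1.34 bits per keypress out of the 3.32 that a fully random 10-position shuffle would leave.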

Cited by

  1. Shoulder Surfing Attack Modeling and Security Analysis on Commercial Keypad Schemes vol.24, pp.6, 2014, https://doi.org/10.13089/JKIISC.2014.24.6.1159
  2. Behavioural Analysis of Password Authentication and Countermeasure to Phishing Attacks - from User Experience and HCI Perspectives vol.15, pp.3, 2014, https://doi.org/10.7472/jksii.2014.15.3.79
  3. An Efficient and Secure Data Storage Scheme using ECC in Cloud Computing vol.15, pp.2, 2014, https://doi.org/10.7472/jksii.2014.15.2.49
  4. Keyloggers: silent cyber security weapons vol.2020, pp.2, 2013, https://doi.org/10.1016/s1353-4858(20)30021-0