Design of an Enhanced Group Keypad to Prevent Shoulder-Surfing Attacks and Enable User Convenience

  • Hyung-Jin Mun (Department of Information & Communication Engineering, Sungkyul University)
  • Received: 2023.10.30
  • Accepted: 2023.12.05
  • Published: 2023.12.31

Abstract

In the fintech environment, ensuring secure financial transactions with smartphones requires authenticating the device owner. Smartphone authentication techniques encompass a variety of approaches, such as passwords, biometrics, and SMS authentication. Among these, password-based authentication is commonly used and highly convenient for user authentication. Although it is a simple authentication mechanism, it is susceptible to eavesdropping and keylogging attacks, alongside other threats. Security keypads have been proposed to address vulnerabilities in password input on smartphones. One such design is the group keypad, which resists attacks that guess characters from the touch location, but it needs improvement in user convenience. In this study, we propose a method that improves the convenience of the existing group keypad while resisting eavesdropping and recording attacks. To block recording attacks, the proposed method replaces last-character confirmation with new signs on the keypad that let users easily verify their input, and it uses dragging as the touch method. We suggest diverse positioning methods tailored for domestic users, improving the efficiency and security of password input compared to existing methods.

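In a fintech environment, authenticating the smartphone's owner is essential for financial transactions carried out on smartphones to be conducted safely. Authentication techniques using a smartphone include password authentication, biometric authentication, and SMS authentication. Because authentication by password entry is common and highly convenient for user authentication, it is widely used on smartphones. Although it is an easy form of authentication, it is vulnerable to attacks such as keylogging and shoulder surfing. Security keypads have been proposed to address the vulnerabilities of password entry on smartphones. A group keypad that is robust against attacks inferring the entered character from the touch location has been proposed, but it needs improvement in ease of use. In this study, we propose a new method that places the grouped keypads of the existing group keypad at the sides and uses dragging, providing convenience while being resistant to shoulder-surfing and recording attacks. To block recording attacks, the proposed technique lets the user easily check their input through a new indication on the keypad instead of last-character confirmation, and it also uses dragging as the touch method. We present various layout methods for domestic users and show improved input efficiency and security in password entry compared with existing methods.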
