Security Threats of Mobile Phone: Graphical Password & Security




Faculty Mentor:
Ms. Aakanksha Chopra

Student Name:
Akshay Singh (MCA – II)



1. INTRODUCTION

We shall be unravelling the hidden threats that a telecommunication device still possesses, even after the comprehensive growth of technologies. Our security still lacks full protection for any device that is connected to the outer world. Various surveys show that devices are lacking in security. Focusing only on development will not allow any device to overcome its security problems; a device must be made capable of learning the vulnerabilities and battling those conflicts effectively and efficiently. The further discussion is about the various threats to the security of smartphones, and also a way to overcome those vulnerabilities. Mobile phones have developed so much that today data storage has become one of the troubles, along with the other issue of security, which is the most important aspect of any device. It is not always easy to secure your devices from different kinds of attacks; as mentioned earlier, every attacker is behind your back to steal your valuable data by attacking your password. Thus the focus is largely on passwords and the possible threats that not only make the device vulnerable but also compromise the network. Traditionally, text and PIN passwords have been used for decades, and we know that password protection policies and password-remembering apps have had a convincing effect on users' ability to remember their passwords. However, in the past decade technology has achieved so much that today we have face recognition, pattern and fingerprint passwords. So the question arises: are they fully reliable?

According to the US-based technology media outlet The Verge, the answer is a big NO, because what if the owner of a phone such as an Apple iPhone is held up against his will and forced to open the phone just by having it held up to his face; similarly, for the fingerprint, one can easily lift the user's fingerprint with just tape from the last touched place. Thus there is no such concept as a fully secure device. Even though text and PIN passwords have played a very crucial role in defining password techniques, they somehow lack congeniality in security and in the strength of the security of the devices. Therefore, this article will be focused mainly on the password techniques one can work on for better security at either end of the network.

2. VARIOUS POSSIBLE ATTACKS

When a smartphone is purchased, it comes with a warning about data security. The moment people start collecting data on the device it becomes vulnerable, and attackers thrive on stealing the data and asking for a ransom to unlock it; this is thus named Ransomware. This is one type of attack that can happen to anyone. There is another kind of attacker living among us, such as friends, siblings, colleagues etc., who can look at our device and passwords as we are typing, or at the pattern smudge on the screen of the device; this is called Social Engineering. MITM (Man in the Middle) and Phishing are attacks where one can overlook your device password and gain access through it by tricking the user, posing as a legitimate source of information or as the medium that transfers and receives the information. Other types of attack are Eavesdropping, Shoulder Surfing etc., where the attacker looks through your data and keeps track of your inputs by keeping quiet and watching you, either through access to your device or by planting a video recorder in your workplace. Thus one has to understand the cause of a device's vulnerability and how to protect it in the best possible way. A survey from Homeland Security shows that 41% of the mobile phones around the world are at risk of mobile threats; even IoT devices are not safe from attackers, because data space is increasing day by day and security is needed to secure our valuable data. For example, social engineering has become one of the main causes of being attacked by the ones who are solely the cause of your destruction, where passwords are easily obtained by gaining someone's trust; to prove this, an IBM study of 2017 shows that 91% of the attacks were done through social engineering.

Another way to make a mobile phone vulnerable is through database SQL injection or a database lookup, where the attacker injects malicious code into the database, making the device weak so that the attacker may enter your device and access it remotely. How to deal with such security threats in the devices? People came up with the idea of Graphical Passwords, which are not only easy to remember but also a manageable way to store the password in a hash table to secure it from attackers, though the existing techniques are doing well. These are:
  • Textual or PIN based passcodes
  • Graphical passcodes
  • Biometric authentication
Users are introduced to various ways to authenticate themselves on a particular device, where mobile devices like smartphones, tablets etc. have extended their security level. Old techniques are becoming weaker and weaker. The new techniques face the same situation, but today the combination of passcodes with hash codes has made it difficult for attackers to easily breach the security and compromise the device.

3. GRAPHICAL PASSWORDS

In an experiment by Passface with 255 people, it was shown that people who keep a password made of numbers, letters and symbols, or a combination of these, are more likely to lose their password after remembering many other passwords, which leaves them confused; this was around 51% of the 255 people. Though the usability and conventionality of graphical passwords does not seem easy, it seems to be better. As one can see, conventional knowledge-based authentication is well known to everyone: it uses easy-to-remember passwords, which an attacker can easily obtain even through social engineering, as most people do not make complex passwords that are hard to remember. Graphical passwords have much to gain over the old conventional passwords saved for devices, because after all humans are more image-prone learners than learners of textual or PIN-based passwords. The term graphical password covers quite different things, so graphical security is categorised under three major categories:
  • Recall
  • Recognition
  • And, Cued-Recall
The human brain is much superior in imagery learning than in other kinds, and centuries are the proof of that, because recognizing and recalling an image is much easier than text. To talk about the processes of recall, recognition and cued-recall: in recall, the person has to remember the information from memory without being cued. Recognition is about providing all the options to the person, who has to recognize among them the one matching the information he/she possesses. Though there exist conflicting statements about recall and recognition, both are memory based and both share a unique process, even though retrieval in the two is quite different from one another. Whatever the case, recognition is considered better than the recall process. In cued-recall the process is much easier because external help is "cued" (provided) to remember the information. A study by two scientists (Tulving & Pearlstone) shows that the human brain stores the information in a section but does not retrieve it until a cue is provided to jog that part of memory.

4. SECURITY WITH MEASURES

What do we understand by security? The answer is still incomplete even though human technology is so advanced and updated. This is because attackers are also evolving with time and they know how to breach any secure system, whether it is an IoT device, an automatic lock system etc. Security will never be defined completely as long as attackers are out there to make your devices vulnerable to the outer world of the network. Security is to provide authentication of the desired system; where that fails, it is not a secure environment. A system must be evaluated from its minimum level to the highest level of security breach, and a brief record should be maintained. A further distinction among knowledge-based attacks is between guessing and capture. Guessing is purely based on guessing the password of the device from the knowledge the attacker possesses; as guessing the password is so exhaustive, only a person with idle time can do so. The other is password capture, where the attacker can use either one of two techniques to gain the password, that is, either Shoulder Surfing or Phishing. Now again one can ask whether similar things could be done with graphical passwords also, but here is the catch: graphical passwords do not depend only on a one-time password (OTP); they generate hash values every time one enters the password, saved into a hash table, and they also create distinct re-entry points for the passwords, because encoding and discretization of the passwords and data is the work of cyber security, to provide the optimum level of security of the data. It may also be said that these techniques are very distinct and flexible to the environment.

5. RECALL BASED TECHNIQUE

When we are children we are taught to draw certain things from memory; the concept of the recall based technique is similar, where the user is provided with a blank canvas or a grid on which he/she needs to draw a pattern or the previously drawn two-dimensional figure that will unlock the device. Recalling it every time is not only difficult but also troublesome for those who deal with memory problems. As it is one of the methods of password security it is considered, though not suitable for global-level execution; we might consider it but cannot implement it as in textual passwords, where a certain hash code is attached and stored in a table, because if the same hash code is used for the drawn password then it will not be defined as better security. Similarly, what sometimes happens is that people use the system name in the password as a cue for better recall of their password, which becomes one of the weak links of protection. It is totally based on the person's memory and how he/she jogs it. There are certain things where the recall based technique lacks, like other security techniques: Shoulder Surfing is still possible, Phishing is another way to violate the security, and so is Social Engineering. Since graphical passwords were introduced, Draw-A-Secret was the first to come into existence, where a grid of certain measure was provided on which to draw a figure with a continuous flow of the pen, or to measure the pen strokes by the number of pen-ups and restarts. While the user is drawing the figure along the grid (Figure 1), encoding is done simultaneously, so that when the user draws the exact figure along the same coordinates he/she can log in to the device.
[Figure 1]

There is also a study by Deholo Nali and Julie Thorpe, where they provided a 6x6 grid to 16 participants to draw "6 logos" and "6 doodles", to visually inspect the differences between them and note down the symmetry they have and the number of pen strokes used to draw each figure. Notably it was found that the symmetry in their figures created an encoding difficulty, as theoretically the scheme provides a space comparable with textual passwords.
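As an added illustration (not code from the paper or from the Draw-A-Secret authors), the grid encoding described above can be carried out as follows; the 5x5 grid over a 500-pixel canvas and the sample strokes are constructed assumptions:

```python
import hashlib
import hmac
import os

# Added illustration of Draw-A-Secret style encoding (not the paper's or the
# scheme's own code). Grid size, canvas size and the sample drawings below are
# constructed assumptions.
GRID = 5            # 5x5 grid
CANVAS = 500        # square canvas edge in pixels, so each cell is 100x100
PEN_UP = "PEN_UP"   # marker appended at the end of each stroke

def cell_of(point, grid=GRID, canvas=CANVAS):
    """Map a pixel coordinate to the (column, row) index of the cell it falls in."""
    x, y = point
    if not (0 <= x < canvas and 0 <= y < canvas):
        raise ValueError("point outside canvas")
    size = canvas // grid
    return (x // size, y // size)

def encode_drawing(strokes, grid=GRID, canvas=CANVAS):
    """Encode a drawing as the sequence of cells the pen crosses, with a PEN_UP
    marker closing each stroke. Repeated samples inside one cell collapse to a
    single entry, so drawing speed and small hand jitter do not change the code."""
    encoded = []
    for stroke in strokes:
        last = None
        for point in stroke:
            cell = cell_of(point, grid, canvas)
            if cell != last:
                encoded.append(cell)
                last = cell
        encoded.append(PEN_UP)
    return tuple(encoded)

def _digest(encoding, salt):
    return hashlib.pbkdf2_hmac("sha256", repr(encoding).encode(), salt, 100_000)

def enroll(strokes, salt=None):
    """Store only a salt and a slow hash of the encoding, never the drawing itself."""
    salt = salt or os.urandom(16)
    return salt, _digest(encode_drawing(strokes), salt)

def verify(strokes, salt, stored):
    return hmac.compare_digest(_digest(encode_drawing(strokes), salt), stored)

# Constructed sample: an "L" drawn in one stroke, then a dot in the centre cell.
L_SHAPE = [[(50, 50), (50, 150), (50, 250), (50, 350), (50, 450),
            (150, 450), (250, 450), (350, 450), (450, 450)], [(250, 250)]]
# The same figure redrawn with the pen wobbling inside the same cells.
L_REDRAWN = [[(70, 30), (60, 130), (40, 260), (55, 345), (80, 440),
              (130, 470), (260, 430), (340, 480), (490, 410)], [(220, 280)]]

if __name__ == "__main__":
    salt, digest = enroll(L_SHAPE)
    print(encode_drawing(L_SHAPE))
    print("redrawn accepted:", verify(L_REDRAWN, salt, digest))
```

The encoding keeps only the cell sequence and stroke count, which is why two hand-drawn figures that cross the same cells in the same order collide, the symmetry problem the Nali and Thorpe study points at.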

6. RECOGNITION BASED TECHNIQUE

Picture captchas are well known, where certain pictures have to be selected to authenticate oneself. Similarly, to define the recognition based technique we can say that a number of pictures are provided to the user, and he/she has to choose the correct ones among the decoys, which helps in differentiating between the decoy and the original pictures. The problem faced in the recognition based technique is that it also takes a lot of space compared to textual or PIN passwords. This technique is also not suitable for every situation, yet it possesses some great extensions over the recall one: here the user is able to choose the images he/she can recognize from the images generated and so authenticate him/herself. The technique is to generate a bundle of images in a grid to let the user recognize the images he/she has set for the login. This technique is an advancement over the recall technique, but it also faces Phishing, Man-in-the-Middle attacks etc. Social engineering and Shoulder Surfing are among the easiest attacks on the recognition based technique. Also, in this technique a separate file is kept to track the portfolio of images that the user uses, to ease access, which is also its major weakness, as this file can be obtained by an attacker and its contents are not even encoded with a hash code. Let us understand this technique with the real-time execution presented by Passface (a tech company working on graphical passwords): they provide a 3x3 grid where 9 images are presented, including decoys, and the user has to choose 1 image in every round, for 4 rounds, i.e., n = 4 and M = 9, which gives a cardinality of M^n = 9^4 = 6561 (≈ 2^13) possible passcodes for the user to authenticate (Figure 2).
[Figure 2]
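The Passface round structure and the M^n count above, as an added example that is not the company's code: M = 9 and n = 4 are taken from the text, the face and decoy names are constructed, and the portfolio is kept hashed rather than in the plain file the text criticises.

```python
import hashlib
import hmac
import os
import random

# Added illustration of a Passface-style recognition login (not the company's
# code). M = 9 images per 3x3 grid and n = 4 rounds are the values from the text;
# the portfolio and decoy names are constructed.
M, ROUNDS = 9, 4
PORTFOLIO = ["face_03", "face_17", "face_22", "face_41"]   # one enrolled face per round
DECOY_POOL = ["decoy_%02d" % i for i in range(40)]

def password_space(m=M, n=ROUNDS):
    """Distinct passcodes: one of m images chosen in each of n rounds, m**n in all."""
    return m ** n

def make_challenge(seed):
    """Build the n grids shown at login. Each grid holds the round's portfolio
    image plus m-1 decoys in a random order, so the positions change every time
    while the face to look for stays the same. The seed only makes the demo repeatable."""
    rng = random.Random(seed)
    grids = []
    for face in PORTFOLIO:
        grid = rng.sample(DECOY_POOL, M - 1) + [face]
        rng.shuffle(grid)
        grids.append(grid)
    return grids

def _digest(images, salt):
    return hashlib.pbkdf2_hmac("sha256", ",".join(images).encode(), salt, 100_000)

def enroll(portfolio, salt=None):
    """Keep a salted slow hash of the ordered portfolio instead of a plaintext
    portfolio file. With only m**n = 6561 possible portfolios the hash cannot make
    up for the small password space; it only stops the file from revealing the
    faces on a casual read."""
    salt = salt or os.urandom(16)
    return salt, _digest(portfolio, salt)

def login(grids, picks, salt, stored):
    """picks: the grid position (0..8) the user tapped in each round."""
    if len(picks) != len(grids):
        return False
    chosen = [grid[p] for grid, p in zip(grids, picks)]
    return hmac.compare_digest(_digest(chosen, salt), stored)

if __name__ == "__main__":
    salt, stored = enroll(PORTFOLIO)
    grids = make_challenge(7)
    picks = [grid.index(face) for grid, face in zip(grids, PORTFOLIO)]  # user finds each face
    print("password space:", password_space(), "login ok:", login(grids, picks, salt, stored))
```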

7. CUED-BASED TECHNIQUE

When one remembers something just by looking at it, one somehow makes a cue in the mind to remember that particular situation; similarly, the cued-based technique is implemented with a cue, provided by the image, to remember the passcode. In other words one can say that the user targets a specific location by remembering the image at that point of the grid. This technique is by far the most theoretically sound and usable concept, because the memory requirement is very low and it is easier to recall images when a cue is provided; thus it is much better than the recall technique. Here the user is freed from remembering the whole image as an entity. A study by Hollingworth and Henderson explains that the human brain is more familiar with objects it has once visualized and retains that accuracy to recognize the object later; thus only the cue is required to remember it as a whole, which helps the cued-recall technique. Cued-recall graphical password systems date back to Blonder's patent. PassPoints, its successor, launched research in the cued-recall subclass sometimes called click-based graphical passwords. Further explanation of the cued-recall technique can be given by an example experimented with by PassPoints, following the variant proposed by Suo, who proposed a version of it resistant to shoulder surfing, as follows: the user has only to press Y (for yes) or N (for no) on the keyboard, or mouse-click, for the correct points on the image, as the image is blurred and only those points are displayed clearly where the user has tagged his/her pin-point. The process is repeated for 10 rounds until all five points have been approved. This is not the end of the techniques; there are further extensions of these graphical techniques, like Cued Click Points, Persuasive Cued Click Points etc., which are just advancements of Cued Click Points with more possible and better algorithms.
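An added example (not the paper's or PassPoints' own code) of the click-point check that the cued-recall schemes rely on, covering the "encoding and discretization" mentioned in section 4; it uses the centred discretisation from the click-based password literature, and the tolerance R and the sample click points are assumed values.

```python
import hashlib
import hmac
import os

# Added illustration of a PassPoints-style click-point check using centred
# discretisation (an approach from the click-based graphical password
# literature, not the paper's own method). R and the sample points are assumed.
R = 10          # a re-click within R pixels of the enrolled point is accepted
S = 2 * R       # side of one grid cell

def naive_cell(coord):
    """Fixed grid: a point near a cell edge is re-clicked into the wrong cell."""
    return coord // S

def centred_cell(coord, offset):
    """Grid shifted by a per-point offset so the enrolled point is at a cell centre."""
    return (coord - offset) // S

def _digest(cells, salt):
    return hashlib.pbkdf2_hmac("sha256", repr(cells).encode(), salt, 100_000)

def enroll(points, salt=None):
    """points: the ordered click points chosen on the image. Returns the per-point
    grid offsets (stored in the clear, as the scheme requires; they give the click
    position modulo the cell size, not the cell) plus a salted slow hash of the
    cell indices, which is the secret."""
    offsets, cells = [], []
    for x, y in points:
        ox, oy = (x - R) % S, (y - R) % S
        offsets.append((ox, oy))
        cells.append((centred_cell(x, ox), centred_cell(y, oy)))
    salt = salt or os.urandom(16)
    return offsets, salt, _digest(cells, salt)

def verify(clicks, offsets, salt, stored):
    """Accept iff every re-click lands in the same centred cell, in the same order."""
    if len(clicks) != len(offsets):
        return False
    cells = [(centred_cell(x, ox), centred_cell(y, oy))
             for (x, y), (ox, oy) in zip(clicks, offsets)]
    return hmac.compare_digest(_digest(cells, salt), stored)

# Constructed sample: five enrolled points and the same points re-clicked a few
# pixels off. The first point (123, 45) sits 3 px from a naive grid line at 120.
ENROLLED = [(123, 45), (300, 210), (77, 399), (450, 120), (256, 256)]
RECLICKED = [(119, 49), (305, 204), (70, 405), (455, 111), (251, 262)]

if __name__ == "__main__":
    offsets, salt, stored = enroll(ENROLLED)
    print("naive cells differ:", naive_cell(123) != naive_cell(119))
    print("re-click accepted:", verify(RECLICKED, offsets, salt, stored))
```

With the fixed grid the 4-pixel slip from 123 to 119 changes the cell and the login fails; with the centred grid any re-click within R pixels on each axis maps to the enrolled cell.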

8. CONCLUSION

From this extensive approach to understanding graphical passwords and attacks, one can conclude that attacks like shoulder surfing, phishing, social engineering, MITM etc. are never-ending attacks unless the machine itself is learning, whether through artificial learning or through algorithms that are self-modifying at every iteration of authentication. The conclusion of the above is that not every graphical password is possible to adopt at a practical level, as one can see that they take comparatively quite a large space, and then symmetry is another problem of graphical passwords when a similar figure is drawn by hand. Based on the above theoretical knowledge, surveys and experiments, it is proved that graphical passwords are not only lacking the essence of usability but also lagging behind in comparison with textual passwords, because recovery from a textual password is much easier than from a graphical password and they require much less space.

9. REFERENCES

[1] Russell Brandom. The five biggest questions about Apple's face recognition (Sep 2017).
[2] https://www.theverge.com/2017/9/12/16298156/apple-iphone-x-face-id-security-privacy-police-unlock
[3] Deholo Nali and Julie Thorpe. Analyzing user choice in graphical passwords (2004).
[4] https://www.researchgate.net/publication/228687492_Analyzing_user_choice_in_graphical_passwords
[5] Megan Geuss. Mozilla: data stolen from hacked bug database was used to attack Firefox (Sep 2015).
[6] http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/
[7] Dr. Robert P. Griffin, Jr., Under Secretary (Acting) for Science and Technology. Study on Mobile Device Security (April 2017).
[8] https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf
[9] Michelle Alvarez. The changing face of IT security in the government sector (May 2017).
[10] https://www.ibm.com/downloads/cas/YQZM86DB
[11] William Melicher, Darya Kurilova, Sean M. Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Michelle L. Mazurek. Usability and Security of Text Passwords on Mobile Devices (2016).
[12] https://www.archive.ece.cmu.edu/~lbauer/papers/2016/chi2016-mobile-pwds.pdf
[13] Xiaoyuan Suo, Ying Zhu, G. Scott Owen. Graphical Passwords: A Survey (Jan 2005).
[14] https://ieeexplore.ieee.org/abstract/document/1565273
[15] Elizabeth Stobert, Alain Forget, Sonia Chiasson. Exploring Usability Effects of Increasing Security in Click-based Graphical Passwords (2010).
[16] https://dl.acm.org/citation.cfm?id=1920273