Study on Analysis of Commercial Mobile Keypad Schemes and Modeling of Shoulder Surfing Attack

Authors

Sunghwan Kim, Heekyeong Noh, Chunghan Kim and Seungjoo Kim, Korea University, Korea

Abstract

As the use of smartphones and tablet PCs has exploded in recent years, such devices are often used to handle sensitive data such as financial transactions. Naturally, many types of attacks targeting these devices have evolved. An attacker can capture a password by direct observation, without any cracking skills. This is referred to as shoulder surfing, and it is one of the most effective methods. Currently there is only a crude definition of shoulder surfing. For example, the attack potential in the Common Evaluation Methodology (CEM) of Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method that supplements CC. Risk is calculated by first checking vulnerability conditions one by one and then applying the CC attack potential method to express the result quantitatively. We present a case study of security-enhanced QWERTY-keypad and numeric-keypad input methods, and we analyze commercially used mobile banking applications for shoulder surfing risks.

Keywords

Shoulder surfing attack, Attack potential, Security keypad

Full Text  Volume 4, Number 12