
    Color wheel pin: Usable and resilient ATM authentication

    We are witnessing a growing demand for ATM authentication solutions that overcome the limitations of the de facto standard mechanism based on a magnetic card and numeric PIN, which has proved to be weak against ATM-specific attacks (e.g., skimming and recording attacks). An emerging trend is relying on smartphones as a carrier for authentication. However, authentication mechanisms based on the use of a smartphone require those mechanisms to be resilient to new, smartphone-specific threats such as device theft, as well as to common attacks such as shoulder surfing and spyware. In this paper, we propose a new ATM authentication mechanism called Color Wheel Pin, which combines a usable ATM authentication mechanism with robustness against generic as well as smartphone- and ATM-specific security threats.

    A Fraud-Resilient Blockchain-Based Solution for Invoice Financing

    Invoice financing has been a steadily growing component of the financing market as a whole for the last few years, and, in 2016, it became the third largest financing market. Nonetheless, the risk of fraud is still very high, and most solutions proposed so far are based on private, proprietary platforms that cannot match the global nature of such a market. Even the most recent proposals based on blockchain mainly adopt a private, permissioned blockchain because of the lack of confidentiality in public blockchains. In this article, we propose an invoice financing platform based on a public blockchain that supports both fully open and group-restricted auctioning of invoices. We address the confidentiality issue by storing the confidential data encrypted in IPFS and the corresponding hash in a smart contract hosted on the Ethereum blockchain. Our blockchain-based solution ensures data confidentiality and benefits from the main properties of a public blockchain required in invoice financing systems, such as transparency, immutability, trustworthiness, and security. Furthermore, our platform introduces a reputation system based on the past behavior of entities, computed from the blockchain's global ledger. Such a reputation system allows insurance companies to modulate the cost of the insurance contracts they offer. This combination guarantees the complete transparency and tamperproofness of a public blockchain while reducing insurance costs and the opportunities for fraud.

    Gotta CAPTCHA 'Em All: A Survey of 20 Years of the Human-or-computer Dilemma

    A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [102]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, and so on. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel, and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability, and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes. © 2021 Association for Computing Machinery

    Securing PIN-based authentication in smartwatches with just two gestures

    Smartwatches are becoming increasingly ubiquitous as they offer new capabilities to develop sophisticated applications that make daily life easier and more convenient for consumers. The services provided include applications for mobile payment, ticketing, identification, access control, etc. While this makes modern smartwatches very powerful devices, it also makes them very attractive targets for attackers. Indeed, PINs and Pattern Lock have been widely used in smartwatches for user authentication. However, such authentication methods are not robust against various forms of cybersecurity attacks, such as side channel, phishing, smudge, shoulder surfing, and video-recording attacks. Moreover, the recent adoption of hardware-based solutions, like the Trusted Execution Environment (TEE), can only partially mitigate such problems. Thus, the user's security and privacy are at risk without a strong authentication scheme in place. In this work, we propose 2GesturePIN, a new authentication framework that allows users to authenticate securely to their smartwatches and related sensitive services through just two gestures. 2GesturePIN leverages the rotating bezel or crown, which are the most intuitive ways to interact with a smartwatch, as dedicated hardware. 2GesturePIN improves the resilience of the regular PIN authentication method against state-of-the-art cybersecurity attacks while maintaining a high level of usability.

    Towards a SIP-based DDoS Attack to the 4G Network

    Cellular networks are fundamental infrastructures nowadays, so any communication problem could affect users in different ways, from access to social networks up to personal safety issues. In this work, we explore the feasibility of carrying out a DDoS attack against the Home Subscriber Server of the 4G network through non-3GPP access, i.e. access points that are not specified by the Third Generation Partnership Project, in particular using the SIP register procedure. A previous study on a DDoS attack against the UMTS network showed that by injecting 2500 requests in every 4.7 s time window it is possible to reduce the HLR's capability to serve legitimate requests by 93%, and that such an attack can be mounted with a few hundred devices. A limit of that attacking approach is that it requires mobile devices that need to connect to an eNodeB (cellular base station). Instead, in the approach proposed in this paper we carry out a preliminary study to explore the possibility of using devices that are generically connected to the Internet: this means that the population of devices that can be leveraged to mount the attack is wider than in the first case; furthermore, the constraint of having legitimate SIM modules is removed.

    ascCAPTCHA: an Invisible Sensor CAPTCHA for PCs Based on Acoustic Side Channel

    Our growing reliance on the digital world has caused a similar growth in the sophistication of bots trying to impersonate humans. The most classic tool to tell humans and computers apart is the CAPTCHA; however, CAPTCHAs based on cognitive challenges are becoming either insecure or very difficult for humans to solve too. A possible solution is leveraging the rich sensor set of modern mobile devices to capture the physical nature of humans while they are interacting with the system; however, traditional PCs do not have the same opportunity. In this paper we describe ascCAPTCHA, a CAPTCHA based on an acoustic side channel that, by leveraging a simple microphone, is compatible with PCs lacking the rich sensor set of smart devices.

    Continuous Authentication on a Smartwatch

    The purpose of this work is to leverage two types of sensors, motion and optical, to create a continuous authentication system for smart devices such as smartwatches. The proposed solution is based on an Android application that uses the accelerometer and gyroscope to measure movements and to classify them into normal and session-endangering classes. If suspicious movements are identified, the app enacts a second decision level and activates the heart-rate or body-detection sensor to check whether the watch is actually still on the user's wrist. The two-level architecture tries to optimize energy consumption. To validate our system, various measurements were carried out with the aim of mapping the typical gestures of users who wear a smartwatch. The goal is therefore to be able to recognize certain movements, limit checks involving the optical sensors, which are extremely energy hungry, and thus achieve a better battery recharge cycle.

    2GesturePIN: Securing PIN-Based Authentication on Smartwatches

    Smartwatches offer new capabilities to develop sophisticated applications that make daily life easier and more convenient for consumers, and they are becoming increasingly ubiquitous. The kinds of services these devices are capable of providing include applications for mobile payment, ticketing, identification, access control, etc. While this makes modern smartwatches very powerful devices, it also makes them very attractive targets for attackers. PINs and Pattern Lock have been widely used in smartwatches for user authentication; however, those types of passwords are not robust against various forms of attacks, such as side channel, phishing, smudge, shoulder surfing, and video-recording attacks. In this work, we propose 2GesturePIN, a new authentication method that allows users to authenticate securely to their smartwatches and sensitive services through just two gestures. It leverages the rotating bezel or the crown, which are the most intuitive channels to interact with a smartwatch. 2GesturePIN enhances the resilience of the regular PIN to common attacks while maintaining a high level of usability.

    Blockchain-based risk mitigation for invoice financing

    The market for invoice financing has been steadily growing in the last few years and was the third largest financing market in 2016. Most solutions in this field are based on private platforms, and even the new proposals based on blockchain mostly adopt a private, permissioned blockchain. In this paper, we propose an idea based on a public blockchain that allows both fully open and group-restricted auctioning of invoices. Furthermore, our proposal introduces a reputation system based on the past behavior of entities, as recorded on the public blockchain, to allow insurance companies to modulate the cost of the insurance contracts they offer. This combination guarantees the complete transparency and tamperproofness of a public blockchain while reducing insurance costs and the opportunities for fraud.