Publisher: Academy & Industry Research Collaboration Center (AIRCC)
Abstract: As the use of smartphones and tablet PCs has exploded in recent years, there are many occasions where such devices are used for handling sensitive data, such as financial transactions. Naturally, many types of attacks have evolved that target these devices. An attacker can capture a password by direct observation without using any cracking skills. This is referred to as shoulder surfing and is one of the most effective methods. There is currently only a crude definition of shoulder surfing. For example, the Common Evaluation Methodology (CEM) attack potential of the Common Criteria (CC), an international standard, does not quantitatively express the strength of an authentication method against shoulder surfing. In this paper, we introduce a shoulder surfing risk calculation method that supplements CC. Risk is calculated first by checking vulnerability conditions one by one, and then the method of the CC attack potential is applied for quantitative expression. We present a case study for security-enhanced qwerty-keypad and numeric-keypad input methods, and commercially used mobile banking applications are analyzed for shoulder surfing risks.