Shoulder surfing attacks are an unfortunate consequence of entering passwords
or PINs into computers, smartphones, PoS terminals, and ATMs. Such attacks
generally involve observing the victim’s input device. This project studies
leakage of user secrets (passwords and PINs) based on observations of output
devices (screens or projectors) that provide “helpful” feedback to users in the
form of masking characters, each corresponding to a keystroke. To this end, we
developed a new attack called Secret Information Leakage from Keystroke Timing
Videos (SILK-TV). Our attack extracts inter-keystroke timing information from
videos of password masking characters displayed when users type their password
on a computer, or their PIN at an ATM or PoS. The paper detailing our attack is
available at this link.
The dataset used in our work can be downloaded from this link.
(Dataset SHA-256: 0df639e6f46fedc415463c2f2ec7f678f8feef792a031902152bd3e8f349bf1e)
Terms
The New York Institute of Technology hereby grants to You a non-exclusive,
non-transferable, revocable license to use the PIN Dataset solely for Your
non-commercial, educational, and research purposes only, but without any right
to copy or reproduce, publish or otherwise make available to the public or
communicate to the public, sell, rent or lend the whole or any constituent part
of the PIN Dataset thereof. The PIN Dataset shall not be redistributed without
the express written prior approval of The New York Institute of Technology. You
agree to respect the privacy of those human subjects whose smartphone usage
behavior data are included in the PIN Dataset. Do not attempt to reverse the
anonymization process to identify specific identifiers including, without
limitation, names, postal address information, telephone numbers, e-mail
addresses, social security numbers, and biometric identifiers. You agree not to
reverse engineer, separate or otherwise tamper with the PIN Dataset so that
data can be extracted and used outside the scope of that permitted in this
Agreement.
You agree to acknowledge the source of the PIN Dataset in all of Your
publications and presentations based wholly or in part on the PIN Dataset. You
agree to provide a disclaimer in any publication or presentation to the effect
that The New York Institute of Technology does not bear any responsibility for
Your analysis or interpretation of PIN Dataset.
You agree and acknowledge that The New York Institute of Technology may hold,
process, and store any personal data submitted by You for validation and
statistical purposes and for the purposes of the administration and management
of PIN Dataset. You agree that any personal data submitted by You is accurate
to the best of Your knowledge.
The New York Institute of Technology provides the PIN Dataset “AS IS,” without
any warranty or promise of technical support, and disclaims any liability of
any kind for any damages whatsoever resulting from use of the PIN Dataset.
The New York Institute of Technology makes no warranties, express or implied,
with respect to the PIN dataset, including any implied warranty of
merchantability or fitness for a particular purpose, which are hereby expressly
disclaimed.
Your acceptance and use of the PIN Dataset binds you to the terms and
conditions of this License as stated herein.