Finding and Mitigating a Vulnerability of the Color Wheel PIN Protocol

PDF (555KB), PP.113-123

Author(s)

Samir Chabbi 1, Djalel Chefrour 1,*, Nour El Madhoun 2

1. University of Souk Ahras / Department of Mathematics and Informatics, BP 1553 Souk Ahras 41000, Algeria

2. LISITE Laboratory, ISEP, 10 Rue de Vanves, Issy-les-Moulineaux, 92130, France

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2024.05.09

Received: 22 May 2023 / Revised: 10 Aug. 2023 / Accepted: 27 Oct. 2023 / Published: 8 Oct. 2024

Index Terms

Authentication Protocol Vulnerability, ATM Security, NFC Smartphones, Attack Mitigation

Abstract

Smartphones enabled with Near Field Communication (NFC) are increasingly used in the banking sector to improve the services offered to customers. This usage requires a security enhancement of the systems that employ this technology, such as Automated Teller Machines (ATMs). One example is the Color Wheel Personal Identification Number (CWPIN) security protocol, designed to authenticate users on ATMs using NFC-enabled smartphones without typing the PIN code directly. CWPIN has been compared in the literature to several other protocols and was considered easier to use, more cost-effective and more resistant to various attacks on ATMs such as card reader skimming, keylogger injection and shoulder surfing. Nevertheless, we demonstrate in this paper that CWPIN is vulnerable to the multiple video recordings intersection attack. We do so through concrete examples and a thorough analysis that reveals a high theoretical probability of attack success. A malicious party can use one or two hidden cameras to record the ATM and smartphone screens during several authentication sessions, then disclose the user's PIN code by intersecting the information extracted from the video recordings. In a more complex scenario, these video recordings could be obtained by malware injected into the ATM and the user's smartphone to record their screens during CWPIN authentication sessions. Our intersection attack requires a few recordings, usually three or four, to reveal the PIN code and can lead to unauthorized transactions if the user's smartphone is stolen. We also propose a mitigation of the identified attack through several modifications to the CWPIN protocol and discuss its strengths and limitations.

Cite This Paper

Samir Chabbi, Djalel Chefrour, Nour El Madhoun, "Finding and Mitigating a Vulnerability of the Color Wheel PIN Protocol", International Journal of Computer Network and Information Security (IJCNIS), Vol.16, No.5, pp.113-123, 2024. DOI:10.5815/ijcnis.2024.05.09
