Tag Digit Based Honeypot to Detect Shoulder Surfing Attack

  • Nilesh Chakraborty
  • Samrat Mondal
Part of the Communications in Computer and Information Science book series (CCIS, volume 467)


Traditional password-based authentication schemes are vulnerable to shoulder surfing attacks. If an attacker sees a legitimate user enter a password, the attacker can later use those credentials to log in to the system illegally and may carry out malicious activities. Many methodologies exist to prevent such attacks. These methods are either partially observable or fully observable to the attacker. In this paper we focus on detection of shoulder surfing attacks rather than prevention. We introduce the concept of a tag digit to create a trap known as a honeypot. Under the proposed methodology, if shoulder surfers try to log in using others' credentials, there is a high chance that they will be caught red-handed. Comparative analysis shows that, unlike the existing preventive schemes, the proposed methodology does not require much computation at the user's end. Thus, from a security and usability perspective, the proposed scheme is quite robust and powerful.


Keywords: Authentication, Shoulder Surfing Attack, Honeypot, Partially Observable Scheme





Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Nilesh Chakraborty (1)
  • Samrat Mondal (1)
  1. Computer Science and Engineering Department, Indian Institute of Technology Patna, Patna, India
