research-article

Towards understanding ATM security: a field study of real world ATM use

Authors:

Alexander De Luca,

Marc Langheinrich,

Heinrich HussmannAuthors Info & Claims

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security

Article No.: 16, Pages 1 - 10

https://doi.org/10.1145/1837110.1837131

Published: 14 July 2010 Publication History

Abstract

With the increase of automated teller machine (ATM) frauds, new authentication mechanisms are developed to overcome security problems of personal identification numbers (PIN). Those mechanisms are usually judged on speed, security, and memorability in comparison with traditional PIN entry systems. It remains unclear, however, what appropriate values for PIN-based ATM authentication actually are. We conducted a field study and two smaller follow-up studies on real-world ATM use, in order to provide both a better understanding of PIN-based ATM authentication, and on how alternative authentication methods can be compared and evaluated. Our results show that there is a big influence of contextual factors on security and performance in PIN-based ATM use. Such factors include distractions, physical hindrance, trust relationships, and memorability. From these findings, we draw several implications for the design of alternative ATM authentication systems, such as resilience to distraction and social compatibility.

References

[1]

A. Adams and M. A. Sasse. Users are not the enemy. Commun. ACM, 42(12):40--46, 1999.

Digital Library

[2]

L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system. In SOUPS '07: Proceedings of the 3rd symposium on Usable privacy and security, pages 64--75, New York, NY, USA, 2007. ACM.

Digital Library

[3]

S. Chiasson, P. C. V. Oorschot, and R. Biddle. Graphical password authentication using cued click-points. In 12th European Symposium On Research In Computer Security (ESORICS), 2007. Springer-Verlag, 2007.

Digital Library

[4]

L. Coventry, A. De Angeli, and G. Johnson. Usability and biometric verification at the atm interface. In CHI '03: Proceedings of the SIGCHI conference on Human factors in computing systems, pages 153--160, New York, NY, USA, 2003. ACM.

Digital Library

[5]

A. De Luca, M. Denzel, and H. Hussmann. Look into my eyes! can you guess my password? In SOUPS '09: Proceedings of the 5th symposium on Usable privacy and security. ACM, 2009.

Digital Library

[6]

A. De Luca, B. Frauendienst, S. Boring, and H. Hussmann. My Phone is my Keypad: Privacy-Enhanced PIN-Entry on Public Terminals. In Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group (CHISIG) of the Human Factors and Ergonomics Society of Australia (HFESA), Melbourne, Australia, Nov. 2009. ACM, Nov. 2009.

Digital Library

[7]

A. De Luca, E. von Zezschwitz, and H. Hussmann. Vibrapass - secure authentication based on shared lies. In 27th ACM SIGCHI Conference on Human Factors in Computing Systems. ACM, Apr. 2009.

Digital Library

[8]

A. Forget, S. Chiasson, and R. Biddle. Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems - CHI 2010, Atlanta, Georgia, USA, Apr. 2010. ACM, Apr. 2010.

Digital Library

[9]

E. Hayashi, R. Dhamija, N. Christin, and A. Perrig. Use your illusion: secure authentication usable anywhere. In SOUPS '08: Proceedings of the 4th symposium on Usable privacy and security, pages 35--45, New York, NY, USA, 2008. ACM.

Digital Library

[10]

E. M. Huang, A. Koster, and J. Borchers. Overcoming assumptions and uncovering practices: When does the public really look at public displays?. In J. Indulska, D. J. Patterson, T. Rodden, and M. Ott, editors, Pervasive, volume 5013 of Lecture Notes in Computer Science, pages 228--243. Springer, 2008.

Digital Library

[11]

C. Jackson, D. R. Simon, D. S. Tan, and A. Barth. An evaluation of extended validation and picture-in-picture phishing attacks. In In Proceedings of Usable Security (USEC07), 2007.

Digital Library

[12]

D. Kim, P. Dunphy, P. Briggs, J. Hook, J. Nicholson, and P. Olivier. Multi-touch authentication on tabletops. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems - CHI 2010, Atlanta, Georgia, USA, Apr. 2010. ACM, Apr. 2010.

Digital Library

[13]

L. Little. Attitudes towards technology use in public zones: the influence of external factors on atm use. In CHI '03: CHI '03 extended abstracts on Human factors in computing systems, pages 990--991, New York, NY, USA, 2003. ACM.

Digital Library

[14]

W. Moncur and G. Leplâtre. Pictures at the atm: exploring the usability of multiple graphical passwords. In CHI '07: Proceedings of the SIGCHI conference on Human factors in computing systems, pages 887--894, New York, NY, USA, 2007. ACM.

Digital Library

[15]

P. Peltonen, E. Kurvinen, A. Salovaara, G. Jacucci, T. Ilmonen, J. Evans, A. Oulasvirta, and P. Saarikko. It's mine, don't touch!: interactions at a large multi-touch display in a city centre. In CHI '08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 1285--1294, New York, NY, USA, 2008. ACM.

Digital Library

[16]

V. Roth, K. Richter, and R. Freidinger. A pin-entry method resilient against shoulder surfing. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 236--245, New York, NY, USA, 2004. ACM.

Digital Library

[17]

H. Sasamoto, N. Christin, and E. Hayashi. Undercover: authentication usable in front of prying eyes. In CHI '08: Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, pages 183--192, New York, NY, USA, 2008. ACM.

Digital Library

[18]

A. Whitten and J. D. Tygar. Why johnny can't encrypt. In In Proceedings of the 8th USENIX Security Symposium, 1999.

Digital Library

[19]

S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In AVI '06: Proceedings of the working conference on Advanced visual interfaces, pages 177--184, New York, NY, USA, 2006. ACM.

Digital Library

Cited By

Yang JYu JKong LZhu YDai H(2024)OpenAuth: Human Body-Based User Authentication Using mmWave Signals in Open-World Scenarios2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS)10.1109/ICDCS60910.2024.00125(1330-1341)Online publication date: 23-Jul-2024
https://doi.org/10.1109/ICDCS60910.2024.00125
Alabdulatif ASamarasinghe RThilakarathne N(2023)A Novel Robust Geolocation-Based Multi-Factor Authentication Method for Securing ATM Payment TransactionsApplied Sciences10.3390/app13191074313:19(10743)Online publication date: 27-Sep-2023
https://doi.org/10.3390/app131910743
Kredina ANurymova SSatybaldin AKireyeva A(2022)Assessing the relationship between non-cash payments and various economic indicatorsBanks and Bank Systems10.21511/bbs.17(1).2022.0617:1(67-79)Online publication date: 10-Feb-2022
https://doi.org/10.21511/bbs.17(1).2022.06
Show More Cited By

Index Terms

Towards understanding ATM security: a field study of real world ATM use
1. Human-centered computing
  1. Human computer interaction (HCI)
2. Security and privacy
  1. Security services
    1. Authentication

Recommendations

A performance model of partial packet discard and early packet discard schemes in ATM switches

In this paper, we develop a concise performance model of partial packet discard (PPD) and early packet discard (EPD) schemes in ATM switches. We study the performance of PPD and EPD with heterogeneous traffic sources. The sources included Poisson, and ...
A new signature scheme without random oracles

Digital signature is commonly used for authentication of a user or data. In order to ensure the security of a signature scheme, it is important to design a signature scheme with a security proof. In 1999, Gennaro et al. and Cramer et al. respectively ...
Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme'

Remote user authentication is a method, in which remote server verifies the legitimacy of a user over an insecure communication channel. Currently, smart card-based remote user authentication schemes have been widely adopted due to their low ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security

July 2010

236 pages

ISBN:9781450302647

DOI:10.1145/1837110

General Chair:
Lorrie Faith Cranor
Carnegie Mellon University

Copyright © 2010 Copyright is held by the author/owner.

Sponsors

Carnegie Mellon University: Carnegie Mellon University

In-Cooperation

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 July 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SOUPS '10

Sponsor:

Carnegie Mellon University

SOUPS '10: Symposium on Usable Privacy and Security

July 14 - 16, 2010

Washington, Redmond, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

45
Total Citations
View Citations
963
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)4

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Yang JYu JKong LZhu YDai H(2024)OpenAuth: Human Body-Based User Authentication Using mmWave Signals in Open-World Scenarios2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS)10.1109/ICDCS60910.2024.00125(1330-1341)Online publication date: 23-Jul-2024
https://doi.org/10.1109/ICDCS60910.2024.00125
Alabdulatif ASamarasinghe RThilakarathne N(2023)A Novel Robust Geolocation-Based Multi-Factor Authentication Method for Securing ATM Payment TransactionsApplied Sciences10.3390/app13191074313:19(10743)Online publication date: 27-Sep-2023
https://doi.org/10.3390/app131910743
Kredina ANurymova SSatybaldin AKireyeva A(2022)Assessing the relationship between non-cash payments and various economic indicatorsBanks and Bank Systems10.21511/bbs.17(1).2022.0617:1(67-79)Online publication date: 10-Feb-2022
https://doi.org/10.21511/bbs.17(1).2022.06
Mathis FO'Hagan JVaniea KKhamis MBottoni PPanizzi E(2022)Stay Home! Conducting Remote Usability Evaluations of Novel Real-World Authentication Systems Using Virtual RealityProceedings of the 2022 International Conference on Advanced Visual Interfaces10.1145/3531073.3531087(1-9)Online publication date: 6-Jun-2022
https://dl.acm.org/doi/10.1145/3531073.3531087
Watson KBretin RKhamis MMathis F(2022)The Feet in Human-Centred Security: Investigating Foot-Based User Authentication for Public DisplaysExtended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems10.1145/3491101.3519838(1-9)Online publication date: 27-Apr-2022
https://dl.acm.org/doi/10.1145/3491101.3519838
Mathis FVaniea KKhamis M(2022)Can I Borrow Your ATM? Using Virtual Reality for (Simulated) In Situ Authentication Research2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR)10.1109/VR51125.2022.00049(301-310)Online publication date: Mar-2022
https://doi.org/10.1109/VR51125.2022.00049
Mathis FO'Hagan JKhamis MVaniea K(2022)Virtual Reality Observations: Using Virtual Reality to Augment Lab-Based Shoulder Surfing Research2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR)10.1109/VR51125.2022.00048(291-300)Online publication date: Mar-2022
https://doi.org/10.1109/VR51125.2022.00048
Valenzuela RMoquillaza APaz F(2022)Usability in Automated Teller Machines Interfaces: A Systematic Literature ReviewDesign, User Experience, and Usability: UX Research, Design, and Assessment10.1007/978-3-031-05897-4_20(275-294)Online publication date: 16-Jun-2022
https://doi.org/10.1007/978-3-031-05897-4_20
Jain SDabola SBinjola SJindal R(2021)AlignPIN: Indirect PIN Selection For Protection Against Repeated Shoulder Surfing2021 11th International Conference on Cloud Computing, Data Science & Engineering (Confluence)10.1109/Confluence51648.2021.9377176(594-599)Online publication date: 28-Jan-2021
https://doi.org/10.1109/Confluence51648.2021.9377176
Mathis FVaniea KKhamis M(2021)Prototyping Usable Privacy and Security Systems: Insights from ExpertsInternational Journal of Human–Computer Interaction10.1080/10447318.2021.194913438:5(468-490)Online publication date: 5-Aug-2021
https://doi.org/10.1080/10447318.2021.1949134
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents