DOI: 10.1145/3617072.3617104
research-article

Better the Devil You Know: Using Lost-Smartphone Scenarios to Explore User Perceptions of Unauthorised Access

Published: 16 October 2023

Abstract

Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone – though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups where a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we asked participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilize personal knowledge to guess unlock codes.

Published In

EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security
October 2023
364 pages
ISBN: 9798400708145
DOI: 10.1145/3617072
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Authentication
  2. Cybersecurity
  3. PIN Codes
  4. Smartphones
  5. Unauthorised Access

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroUSEC 2023
