
Showing papers on "Password published in 2007"


Proceedings ArticleDOI
08 May 2007
TL;DR: The study involved half a million users over a three month period and gets extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site.
Abstract: We report the results of a large scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users' online experience.

1,068 citations


Journal ArticleDOI
TL;DR: This paper demonstrates several methods to generate multiple cancelable identifiers from fingerprint images to overcome privacy concerns and concludes that feature-level cancelable biometric construction is practicable in large biometric deployments.
Abstract: Biometrics-based authentication systems offer obvious usability advantages over traditional password and token-based authentication schemes. However, biometrics raises several privacy concerns. A biometric is permanently associated with a user and cannot be changed. Hence, if a biometric identifier is compromised, it is lost forever and possibly for every application where the biometric is used. Moreover, if the same biometric is used in multiple applications, a user can potentially be tracked from one application to the next by cross-matching biometric databases. In this paper, we demonstrate several methods to generate multiple cancelable identifiers from fingerprint images to overcome these problems. In essence, a user can be given as many biometric identifiers as needed by issuing a new transformation "key". The identifiers can be cancelled and replaced when compromised. We empirically compare the performance of several algorithms such as Cartesian, polar, and surface folding transformations of the minutiae positions. It is demonstrated through multiple experiments that we can achieve revocability and prevent cross-matching of biometric databases. It is also shown that the transforms are noninvertible by demonstrating that it is computationally as hard to recover the original biometric identifier from a transformed version as by randomly guessing. Based on these empirical results and a theoretical analysis we conclude that feature-level cancelable biometric construction is practicable in large biometric deployments.

884 citations


Book ChapterDOI
24 Sep 2007
TL;DR: This work proposes and examines the usability and security of Cued Click Points (CCP), a cued-recall graphical password technique, and suggests that CCP provides greater security than PassPoints because the number of images increases the workload for attackers.
Abstract: We propose and examine the usability and security of Cued Click Points (CCP), a cued-recall graphical password technique. Users click on one point per image for a sequence of images. The next image is based on the previous click-point. We present the results of an initial user study which revealed positive results. Performance was very good in terms of speed, accuracy, and number of errors. Users preferred CCP to PassPoints (Wiedenbeck et al., 2005), saying that selecting and remembering only one point per image was easier, and that seeing each image triggered their memory of where the corresponding point was located. We also suggest that CCP provides greater security than PassPoints because the number of images increases the workload for attackers.

352 citations


Journal ArticleDOI
TL;DR: A molecular device that mimics the operation of an electronic keypad lock, e.g., a common security circuit used for numerous applications, in which access to an object or data is to be restricted to a limited number of persons.
Abstract: This paper describes a new concept in the way information can be protected at the molecular scale. By harnessing the principles of molecular Boolean logic, we have designed a molecular device that mimics the operation of an electronic keypad lock, e.g., a common security circuit used for numerous applications, in which access to an object or data is to be restricted to a limited number of persons. What distinguishes this lock from a simple molecular logic gate is the fact that its output signals are dependent not only on the proper combination of the inputs but also on the correct order by which these inputs are introduced. In other words, one needs to know the exact passwords that open this lock. The different password entries are coded by a combination of two chemical and one optical input signals, which can activate, separately, blue or green fluorescence output channels from pyrene or fluorescein fluorophores. The information in each channel is a single-bit light output signal that can be used to auth...

339 citations


Proceedings ArticleDOI
18 Jul 2007
TL;DR: EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input by selecting from an on-screen keyboard using only the orientation of their pupils, making eavesdropping by a malicious observer largely impractical.
Abstract: Shoulder-surfing -- using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information -- is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.

328 citations


Proceedings ArticleDOI
18 Jul 2007
TL;DR: A model to identify the most likely regions for users to click in order to create graphical passwords in the PassPoints system is developed and it is shown that user choice can be modeled and that expansions of the model and the experiments are a promising direction of research.
Abstract: We develop a model to identify the most likely regions for users to click in order to create graphical passwords in the PassPoints system. A PassPoints password is a sequence of points, chosen by a user in an image that is displayed on the screen. Our model predicts probabilities of likely click points; this enables us to predict the entropy of a click point in a graphical password for a given image. The model allows us to evaluate automatically whether a given image is well suited for the PassPoints system, and to analyze possible dictionary attacks against the system. We compare the predictions provided by our model to results of experiments involving human users. At this stage, our model and the experiments are small and limited; but they show that user choice can be modeled and that expansions of the model and the experiments are a promising direction of research.

240 citations


Proceedings ArticleDOI
28 Oct 2007
TL;DR: This paper investigates the novel idea of introducing background images to the DAS scheme, where users were initially supposed to draw passwords on a blank canvas overlaid with a grid, and finds that a positive effect was observed with respect to the memorability of the more complex passwords encouraged by the background images.
Abstract: Draw a secret (DAS) is a representative graphical password scheme. Rigorous theoretical analysis suggests that DAS supports an overall password space larger than that of the ubiquitous textual password scheme. However, recent research suggests that DAS users tend to choose weak passwords, and their choices would render this theoretically sound scheme less secure in real life. In this paper we investigate the novel idea of introducing background images to the DAS scheme, where users were initially supposed to draw passwords on a blank canvas overlaid with a grid. Encouraging results from our two user studies have shown that people aided with background images tended to set significantly more complicated passwords than their counterparts using the original scheme. The background images also reduced other predictable characteristics in DAS passwords such as symmetry and centering within the drawing grid, further improving the strength of the passwords. We estimate that the average strength of successfully recalled passwords in the enhanced scheme was increased over those created using the original scheme by more than 10 bits. Moreover, a positive effect was observed with respect to the memorability of the more complex passwords encouraged by the background images.

235 citations


Proceedings Article
06 Aug 2007
TL;DR: The results suggest that these graphical password schemes appear to be at least as susceptible to offline attack as the traditional text passwords they were proposed to replace.
Abstract: Although motivated by both usability and security concerns, the existing literature on click-based graphical password schemes using a single background image (e.g., PassPoints) has focused largely on usability. We examine the security of such schemes, including the impact of different background images, and strategies for guessing user passwords. We report on both short- and long-term user studies: one lab-controlled, involving 43 users and 17 diverse images, and the other a field test of 223 user accounts. We provide empirical evidence that popular points (hot-spots) do exist for many images, and explore two different types of attack to exploit this hot-spotting: (1) a "human-seeded" attack based on harvesting click-points from a small set of users, and (2) an entirely automated attack based on image processing techniques. Our most effective attacks are generated by harvesting password data from a small set of users to attack other targets. These attacks can guess 36% of user passwords within 2^31 guesses (or 12% within 2^16 guesses) in one instance, and 20% within 2^33 guesses (or 10% within 2^18 guesses) in a second instance. We perform an image-processing attack by implementing and adapting a bottom-up model of visual attention, resulting in a purely automated tool that can guess up to 30% of user passwords in 2^35 guesses for some instances, but under 3% on others. Our results suggest that these graphical password schemes appear to be at least as susceptible to offline attack as the traditional text passwords they were proposed to replace.

228 citations


Proceedings ArticleDOI
26 Dec 2007
TL;DR: It is shown that Wong et al.'s scheme is vulnerable to the replay and forgery attacks, and a lightweight dynamic user authentication scheme for WSNs is proposed that retains all the advantages but enhances its security by withstanding the security weaknesses and allows legitimate users to change their passwords freely.
Abstract: Over the last few years, many researchers have paid a lot of attention to the user authentication problem. However, to date, there has been relatively little research suited for wireless sensor networks. Recently, Wong et al. proposed a dynamic user authentication scheme for WSNs that allows legitimate users to query sensor data at every sensor node of the network. We show that Wong et al.'s scheme is vulnerable to the replay and forgery attacks and propose a lightweight dynamic user authentication scheme for WSNs. The proposed scheme not only retains all the advantages in Wong et al.'s scheme but also enhances its security by withstanding the security weaknesses and allows legitimate users to change their passwords freely. In comparison with the previous scheme, our proposed scheme possesses many advantages, including resistance of the replay and forgery attacks, reduction of user's password leakage risk, capability of changeable password, and better efficiency.

216 citations


Patent
17 Oct 2007
TL;DR: In this paper, a mobile wallet and network system using onetime passwords for authentication is disclosed according to one embodiment of the invention, in which a onetime password may be generated at the mobile wallet server and transmitted to the mobile device.
Abstract: A mobile wallet and network system using onetime passwords for authentication is disclosed according to one embodiment of the invention. A onetime password may be generated at a mobile wallet server and transmitted to the mobile device. The onetime password may then be used to authenticate the user of the mobile wallet when completing a transaction. Authentication may require entry of the onetime password and confirmation that the onetime password entered matches the onetime password sent by the mobile wallet server. In other embodiments of the invention, a mobile wallet and a mobile wallet server are in sync and each generate the same onetime password at the same time. These onetime passwords may then be used to authenticate the user of the mobile wallet.

210 citations


Patent
20 Jul 2007
TL;DR: In this article, the authors provided a method for user authentication, the method including receiving a username/password pair associated with a user; requesting one or more responses to a first Reverse Turing Test (RTT) and granting access to the user if a valid response to the first RTT is received and the username/password pair is valid.
Abstract: Systems and methods are provided for authentication by combining a Reverse Turing Test (RTT) with password-based user authentication protocols to provide improved resistance to brute force attacks. In accordance with one embodiment of the invention, a method is provided for user authentication, the method including receiving a username/password pair associated with a user; requesting one or more responses to a first Reverse Turing Test (RTT); and granting access to the user if a valid response to the first RTT is received and the username/password pair is valid.

Journal ArticleDOI
TL;DR: Imposing password restrictions alone did not necessarily lead to more secure passwords, however, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure password that were more memorable.
Abstract: Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username-password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable.

Patent
22 Aug 2007
TL;DR: In this paper, a method and apparatus for password management and single sign-on (SSO) access based on trusted computing (TC) technology is presented. But the method is not suitable for single sign-on access.
Abstract: A method and apparatus for password management and single sign-on (SSO) access based on trusted computing (TC) technology. The methods implement the Trusted Computing Group (TCG)'s trusted platform module (TPM), which interacts with both proxy SSO unit and web-accessing applications to provide a secure, trusted mechanism to generate, store, and retrieve passwords and SSO credentials. The various embodiments of the present invention allow a user to hop securely and transparently from one site to another that belong to a pre-identified group of sites, after signing on just once to a secured proxy residing at the user's device.

Proceedings ArticleDOI
21 May 2007
TL;DR: S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks, and shows significant potential for bridging the gap between conventional textual passwords and graphical passwords.
Abstract: The vulnerabilities of the textual password have been well known. Users tend to pick short passwords or passwords that are easy to remember, which makes the passwords vulnerable for attackers to break. Furthermore, textual password is vulnerable to shoulder-surfing, hidden-camera and spyware attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder-surfing. In this paper, we propose a Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme (S3PAS). S3PAS seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder-surfing, hidden-camera and spyware attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. Moreover, it is immune to brute-force attacks through dynamic and volatile session passwords. S3PAS shows significant potential for bridging the gap between conventional textual passwords and graphical passwords. Further enhancements of the S3PAS scheme are proposed and briefly discussed. Theoretical analysis of the security level using S3PAS is also investigated.

Book ChapterDOI
27 Aug 2007
TL;DR: Benefits of the proposed password-based hardening technique include template revocability, prevention of cross-matching, enhanced vault security and a reduction in the False Accept Rate of the system without significantly affecting the False Reject Rate.
Abstract: Security of stored templates is a critical issue in biometric systems because biometric templates are non-revocable. Fuzzy vault is a cryptographic framework that enables secure template storage by binding the template with a uniformly random key. Though the fuzzy vault framework has proven security properties, it does not provide privacy-enhancing features such as revocability and protection against cross-matching across different biometric systems. Furthermore, the non-uniform nature of biometric data can decrease the vault security. To overcome these limitations, we propose a scheme for hardening a fingerprint minutiae-based fuzzy vault using a password. Benefits of the proposed password-based hardening technique include template revocability, prevention of cross-matching, enhanced vault security and a reduction in the False Accept Rate of the system without significantly affecting the False Reject Rate. Since the hardening scheme utilizes the password only as an additional authentication factor (independent of the key used in the vault), the security provided by the fuzzy vault framework is not affected even when the password is compromised.

Journal ArticleDOI
TL;DR: This paper proposes a new simple three-party password based authenticated key exchange protocol that does not require any server's public key, but can resist against various known attacks.

Proceedings ArticleDOI
28 Oct 2007
TL;DR: Two locked same-origin policies for web browsers are proposed, one of which can be deployed today and interoperate seamlessly with the vast majority of legacy web servers, and the other a simple incrementally deployable opt-in mechanism for legacy servers using policy files.
Abstract: We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.

Proceedings Article
01 Jan 2007
TL;DR: Security Evaluation of Scenarios Based on the TCG's TPM Specification and Towards Modeling Trust Based Decisions: A Game Theoretic Approach.
Abstract: Invited Lecture.- Trustworthy Services and the Biological Analogy.- Security Architecture and Secure Components I.- Security of Multithreaded Programs by Compilation.- Efficient Proving for Practical Distributed Access-Control Systems.- Maintaining High Performance Communication Under Least Privilege Using Dynamic Perimeter Control.- Access Control I.- Pragmatic XML Access Control Using Off-the-Shelf RDBMS.- Conditional Privacy-Aware Role Based Access Control.- Satisfiability and Resiliency in Workflow Systems.- Applied Cryptography I.- Completeness of the Authentication Tests.- SilentKnock: Practical, Provably Undetectable Authentication.- Generalized Key Delegation for Hierarchical Identity-Based Encryption.- Change-Impact Analysis of Firewall Policies.- Fragmentation and Encryption to Enforce Privacy in Data Storage.- Information Confinement, Privacy, and Security in RFID Systems.- Formal Methods in Security I.- A Logic for State-Modifying Authorization Policies.- Inductive Proofs of Computational Secrecy.- What, Indeed, Is Intransitive Noninterference?.- Traceability and Integrity of Execution in Distributed Workflow Management Systems.- Dynamic Information Flow Control Architecture for Web Applications.- Cloak: A Ten-Fold Way for Reliable Covert Communications.- Applied Cryptography II.- Efficient Password-Based Authenticated Key Exchange Without Public Information.- Improved Anonymous Timed-Release Encryption.- Encryption Techniques for Secure Database Outsourcing.- Access Control II.- Click Passwords Under Investigation.- Graphical Password Authentication Using Cued Click Points.- Obligations and Their Interaction with Programs.- Applied Cryptography III.- On the Privacy of Concealed Data Aggregation.- Synthesizing Secure Protocols.- A Cryptographic Model for Branching Time Security Properties - The Case of Contract Signing Protocols.- Security Architecture and Secure Components II.- Security Evaluation of Scenarios Based on the TCG's TPM Specification.- Analyzing Side Channel Leakage of Masked Implementations with Stochastic Methods.- Insider Attacks Enabling Data Broadcasting on Crypto-Enforced Unicast Links.- Towards Modeling Trust Based Decisions: A Game Theoretic Approach.- Extending the Common Services of eduGAIN with a Credential Conversion Service.- Incorporating Temporal Capabilities in Existing Key Management Schemes.- A Policy Language for Distributed Usage Control.- Countering Statistical Disclosure with Receiver-Bound Cover Traffic.- Renewable Traitor Tracing: A Trace-Revoke-Trace System For Anonymous Attack.- Formal Methods in Security III.- Modular Access Control Via Strategic Rewriting.- On the Automated Correction of Security Protocols Susceptible to a Replay Attack.- Adaptive Soundness of Static Equivalence.

Patent
Hiroshi Koga
21 Aug 2007
TL;DR: In this paper, an automatic authentication method and system in a print process is presented, which can obviate the need for user's input operations of the user ID and password and can improve security since authentication is automatically done based on print information embedded in a file or information from an application program.
Abstract: This invention provides an automatic authentication method and system in a print process, which can obviate the need for user's input operations of the user ID and password and can improve security since authentication is automatically done based on print information embedded in a file or information from an application program without any user's input. In a print process that requires user authentication, a printer driver extracts information related to an application and/or a document for the print process as attribute information, and user authentication is made by comparing the attribute information with information stored in a user registration information database of a server. If user authentication has succeeded, the printer driver controls a printer to print, and the server manages and stores accounting information and the like for respective departments in a department management information database.

Proceedings Article
07 Aug 2007
TL;DR: It is found that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.
Abstract: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the userID's rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

Patent
19 Jun 2007
TL;DR: In this article, a number of secondary passwords can be encrypted with a primary password and stored in a credential vault, and an encrypted secondary password from the credential vault can be decrypted using the primary password and the secondary password provided to an application.
Abstract: A number of secondary passwords can be encrypted with a primary password and stored in a credential vault. An encrypted secondary password from the credential vault can be decrypted using the primary password and the secondary password provided to an application. Encrypted secondary passwords can be updated when the primary password changes.

Patent
26 Jul 2007
TL;DR: In this paper, a password management process handles passwords at a remote service that operates as an intermediary between a user and a web service, such as a proxy or a proxy server.
Abstract: A password management process handles passwords at a remote service that operates as an intermediary between a user and a web service.

Proceedings ArticleDOI
29 Apr 2007
TL;DR: A qualitative user study of banking and money management in Australia suggests design criteria for banking security systems, based on observed social and cultural practices of password and PIN number sharing.
Abstract: Current systems for banking authentication require that customers not reveal their access codes, even to members of the family. A study of banking and security in Australia shows that the practice of sharing passwords does not conform to this requirement. For married and de facto couples, password sharing is seen as a practical way of managing money and a demonstration of trust. Sharing Personal Identification Numbers (PINs) is a common practice among remote indigenous communities in Australia. In areas with poor banking access, this is the only way to access cash. People with certain disabilities have to share passwords with carers, and PIN numbers with retail clerks. In this paper we present the findings of a qualitative user study of banking and money management. We suggest design criteria for banking security systems, based on observed social and cultural practices of password and PIN number sharing.

Journal ArticleDOI
TL;DR: Results indicate that passphrase users experienced a rate of unsuccessful logins due to memory recall failure similar to that of users of self-generated simple passwords and stringent passwords; however, passphrase users had more failed login attempts due to typographical errors than did users of either simple or highly secure passwords.
Abstract: In developing password policies, IT managers must strike a balance between security and memorability. Rules that improve structural integrity against attacks may also result in passwords that are difficult to remember. Recent technologies have relaxed the 8-character password constraint to permit the creation of longer "passphrases" consisting of multiple words. Longer passphrases are attractive because they can improve security by increasing the difficulty of brute-force attacks and they might also be easy to remember. Yet, no empirical evidence concerning the actual usability of passphrases exists. This paper presents the results of a 12-week experiment that examines users' experience and satisfaction with passphrases. Results indicate that passphrase users experienced a rate of unsuccessful logins due to memory recall failure similar to that of users of self-generated simple passwords and stringent passwords. However, passphrase users had more failed login attempts due to typographical errors than did users of either simple or highly secure passwords. Moreover, although the typographical errors disappeared over time, passphrase users' initial problems negatively affected their end-of-experiment perceptions.

Patent
13 Jun 2007
TL;DR: In this article, a communication system and method are configured for mutual authentication and secure channel establishment between two parties, where a first party (110) generates a first one-time password and sends it to a second party (120).
Abstract: A communication system and method are configured for mutual authentication and secure channel establishment between two parties. In one embodiment a first party (110) generates a first one-time password and sends it to a second party (120). The second party authenticates the first party by generating a one-time password using the same algorithm, secrets and parameters and matching it with the received first one-time password. If the received first one-time password matches with a generated password, the second party generates a consecutive one-time password, and establishes a secure channel to the first party using the consecutive one-time password. The first party generates a consecutive one-time password and authenticates the second party by successfully communicating with the second party using the secure channel.

Book ChapterDOI
12 Feb 2007
TL;DR: The proposed protocol (MP-Auth) is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security to foil session hijacking.
Abstract: Keylogging and phishing attacks can extract user identity and sensitive account information for unauthorized access to users' financial accounts. Most existing or proposed solutions are vulnerable to session hijacking attacks. We propose a simple approach to counter these attacks, which cryptographically separates a user's long-term secret input from (typically untrusted) client PCs; a client PC performs most computations but has access only to temporary secrets. The user's long-term secret (typically short and low-entropy) is input through an independent personal trusted device such as a cellphone. The personal device provides a user's long-term secrets to a client PC only after encrypting the secrets using a pre-installed, "correct" public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security to foil session hijacking. We report on a prototype implementation of MP-Auth, and provide a comparison of web authentication techniques that use an additional factor of authentication (e.g. a cellphone, PDA or hardware token).

Patent
05 Jan 2007
TL;DR: In this article, a mobile device is provided with user selectable activity levels of the secure chip to reduce security risks/concerns associated with such a terminal, which can be used for contactless transactions with external short range wireless RF communication devices, for example at a point of sales.
Abstract: A mobile device provided with a secure chip and a short-range wireless RF communication module, which can be used for contactless transactions with external short-range wireless RF communication devices, for example at a point of sales. The mobile device is provided with user selectable activity levels of the secure chip to reduce security risks/concerns associated with such a terminal. The user selectable activity levels may include levels in which the secure chip is deactivated by default, and only temporarily activated upon user confirmation or the entry of a password or PIN.

Patent
James Ashfield
13 Nov 2007
TL;DR: In this article, a method and apparatus for using at least a portion of a one-time password as a dynamic card verification value (CVV) are disclosed, where a card-based financial transaction can be authorized in accordance with the use of a dynamic CVV by receiving a transaction authorization request for a specific credit/debit card.
Abstract: Method and apparatus for using at least a portion of a one-time password as a dynamic card verification value (CVV) are disclosed. A credit/debit card is able to generate a dynamic card verification value (CVV). Such a card may also include an indication that the dynamic CVV is to be used as a security code for purchasing or other transactions. A card-based financial transaction can be authorized in accordance with the use of a dynamic CVV by receiving a transaction authorization request for a specific credit/debit card, wherein the transaction authorization request includes a dynamic CVV. The dynamic CVV can be compared to at least a portion of a one-time password generated for the specific credit/debit card, and a transaction authorization can be sent to the merchant or vendor when the dynamic CVV matches all or a portion of the one-time password.

Patent
30 Jan 2007
TL;DR: In this paper, a password related to a control command for indicating a facsimile communication function is encrypted and set in the destination field or the main body of the received electronic mail.
Abstract: In an Internet fax, to receive an electronic mail document for fax transfer, if a password related to a control command for indicating a facsimile communication function is encrypted and set in the destination field or the main body of the received electronic mail, the encrypted password is decrypted and using the decrypted password, facsimile transfer of the electronic mail document is executed following the control command.