ABSTRACT
Research has brought forth a variety of authentication systems to mitigate observation attacks. However, there is little work on shoulder surfing situations in the real world. We present the results of a user survey (N=174) in which we investigate actual stories about shoulder surfing on mobile devices from both users and observers. Our analysis indicates that shoulder surfing mainly occurs in an opportunistic, non-malicious way. It usually does not have serious consequences, but it evokes negative feelings for both parties, resulting in a variety of coping strategies. The observed data was personal in most cases and ranged from information about interests and hobbies to login data and intimate details about third persons and relationships. Thus, our work contributes evidence of shoulder surfing in the real world and informs the design of privacy protection mechanisms.
Understanding Shoulder Surfing in the Wild: Stories from Users and Observers