
Towards Understanding ATM Security – A Field Study of Real World ATM Use

Towards Understanding ATM Security – A Field Study of Real World ATM Use. Yan Qiang, 2011-06-15. Conference & Authors. SOUPS ’10 University of Munich, Germany Alexander De Luca Heinrich Hussmann University of Lugano, Switzerland Marc Langheinrich. Outline.


Presentation Transcript


  1. Towards Understanding ATM Security – A Field Study of Real World ATM Use Yan Qiang, 2011-06-15

  2. Conference & Authors • SOUPS ’10 • University of Munich, Germany • Alexander De Luca • Heinrich Hussmann • University of Lugano, Switzerland • Marc Langheinrich

  3. Outline • Gap between laboratory experiment and field test • Field test methodology • Findings & Implications • Interaction time • Distraction • Input error • Queuing behavior • Observable security measures • Conclusion

  4. Gap between laboratory experiment and field test • Usability testing is important in designing “better” authentication systems. • Evaluated by controlled laboratory experiments • More memorable • Faster / lower error rate • Positive feedback from interviews/questionnaires • The narrow definition of “better” is insufficient. • Traditional arguments could be biased. • Questionnaires and interviews can lead the respondent. • Real situations are affected by more factors.

  5. Field test methodology • Two field observations • Six locations in two cities (Munich, Delft) • Chose ATMs that allow unobtrusive observation • Visible from public outdoor seating areas • 360 valid observations (199 male, 161 female) for interaction time and observable security measures • One public interview • 25 full interviews (all questions answered) on attitudes towards security concerns and queuing.

  6. Interaction time • PIN entry takes only 4% of a 1-minute ATM interaction on average. • It is questionable to ask the user to spend much more time on the security task (just a minor task).

  7. Distraction • Distractions are not unusual. • Talking with companions (e.g. family, friends) • Looking after a baby pram/pet/shopping bag • Sometimes hindered so that only one hand can be used

  8. Input error • Input errors are rare, but ... • A session with a failed authentication takes more than twice the average time of a session without one (though the difference is not significant). • In one observation, a user failed when shielding the PIN entry. After her first attempt failed, she gave up shielding and was then able to type the PIN correctly. • She could not see the keyboard after shielding • In 4 observations, the users forgot the PIN. After their first failed attempt, they pulled out a notebook or a piece of paper from their purses (where they kept their ATM cards). • The memory factor is still significant, considering that a user may hold many ATM/membership cards.

  9. Queuing behavior • Big queues did not occur during observation. • 251/360: No one queuing • 1/360: four people in a queue (max length) • Why not queue? • 11/25: queue only when they urgently need cash • Acceptable queue length <= 3 • Go to another ATM nearby • 1 user said “she would not queue if there are strange people nearby”. • Queue length will increase with authentication time, which raises more concerns about queuing.

  10. Observable security measures • Big gap between observation and interview • About 2/3 users did NOT observably secure their input in any obvious way. • Surprisingly, 19/25 participants stated that they would actually take security precautions.

  11. False sense of security • More than 50% were not afraid of the risk of PIN theft. • One of them even mentioned “the bank puts up cameras, so I am safe". • “I would hide my PIN entry with my body.” • “I usually tried to choose an ATM inside a building, or always choose the same ATM as a security measure.” • “If there was no one in sight, I would not hide the input.” • Unaware of hardware-based attacks.

  12. Social compatibility • Social factors may lead to insecure behaviors • Hiding behavior may be misinterpreted as mistrust. • 9/25: would not hide input while in company • “I would not protect it since I trust my friends.” * Only one user who was watched by her companions applied security measures.

  13. Why do people behave so differently in field tests? • People attempt to behave “correctly” while they are being watched. • Interview/questionnaire • Laboratory experiments • People usually perform “worse” than they claim. • 89% of the participants stated that they would use security measures, while only 34% were actually observed to do so.

  14. Implications for usability testing • Usability is the most important concern. More common influence factors should be considered • Time pressure • Distraction level • Hindered condition • Social norm • Without considering these factors, the usability and security results would both be overestimated.
