Researchers at Ben-Gurion University of the Negev have developed a security model based on how users touch their device’s screen.
Most people are confident that locking their smartphone with a password is protection enough, but past studies have proven that such passwords can be fairly easily broken, since most people choose familiar passwords that are easy to guess. A need therefore exists to identify who is using a device in real time in a way that is hard to counterfeit. Ben-Gurion University of the Negev researchers have developed a verification method based on how the user presses the touch screen that can identify a thief in 14 seconds. The research was released to coincide with CyberTech 2017, which is currently underway in partnership with the university at the Tel Aviv Convention Center.
Mobile devices have assumed an important role in our lives. Studies have shown that on average a person uses their smartphone 4.7 of the 15 hours they are awake. We store a tremendous amount of personal information on our devices that we do not want revealed to others. In 2013, 3.1 million people in the US were the victims of smartphone theft, and 68% testified that they subsequently had not succeeded in restoring all of the information that was stolen.
Researcher Liron Ben Kimon, under the supervision of Prof. Bracha Shapira, Prof. Lior Rokach and Israel Mirsky of the Department of Software and Information Systems Engineering, tested the model on information gathered from 20 users over a two-week period. The model is based on how the users touch the screen while using the device (where they touch the screen and how much of the finger touches the screen). In addition, the model accounts for the application that was being used, since how one presses on the screen is different for each application – for example, typing in WhatsApp, as opposed to scrolling in the browser. Moreover, since a regular user accidentally touches the screen on occasion, the model classifies a group of touches to identify the user, as opposed to each touch separately.
Another factor that the model computes is the history of each touch: what was done on the device 30 seconds before the current touch, and specifically, which areas of the screen the user touched, which buttons they pressed and what the electricity consumption was during that time.
The findings showed that unauthorized users can be identified in less than 14 seconds, or in fewer than 35 touches of the screen (on average, a user touches the screen 35 times in 13.8 seconds). A thief who wants to steal information from the device will almost certainly touch the screen more than 35 times to reach the information, since the thief is not as familiar with the device as the owner is and therefore will have to search for the information on the device by touching the screen more often.
Differentiating the user according to how they touch the screen is a verification method that is hard to imitate, since a thief cannot steal another user’s behavior.
Liron Ben Kimon recently completed her MSc in Data Mining and Business Intelligence in the Honors Track in the Department of Software and Information Systems Engineering and now works as a data scientist at PayPal in the Advanced Technologies Park in Beer-Sheva.