Cylab Japan

A team of researchers at Carnegie Mellon CyLab Japan, an extension of the Carnegie Mellon CyLab Information Technology program here at the home campus, are probing into the practicality of cybersecurity — an everyday concern in what could safely be called the “The You-Tube era.”

Carnegie Mellon faculty member and CyLab Systems scientist Nicolas Christin, along with CyLab Japan graduate student Hirokazu Sasamoto and alumnus Eiji Hayashi, are exploring the idea of Internet and ATM security from the average human’s perspective.

“After a few years dealing mostly with technical issues, I became very aware that at the end of the chain, there is a human using the system that you, as an engineer, have designed,” Christin said.

The “human factor” defines the security decisions people make on a day-to-day basis and how these decisions influence the precautionary measures that computer scientists have already created.

For example, Christin explained, a scientist can design an innovative and highly secure door lock, convinced that no one will be able to pick it. However, buyers of the lock often end up replicating the keys for convenience and eventually losing them — increasing their risk of being robbed.

“You could blame users for being careless, but I’d say that you, as system designer, failed from a security standpoint, because you did not take into account the human factor — in that specific case, the desire for convenience,” said Christin.

According to a Carnegie Mellon press release, the team’s paper, “Undercover: Authentication Usable in Front of Prying Eyes,” has won tremendous acclaim and will be presented at the CHI 2008, an international conference that promotes and unveils discoveries in Computer-Human Interaction. Held annually, the conference will be held this year in Florence, Italy.

Since it is hard to predict how a potential technology could be used by human beings, applying advanced scientific techniques that work along the lines of the human thought-process will ensure tighter cybersecurity, Christin said.

“This is particularly true of the security field, where purely human factors like fear play important roles. People don’t necessarily act rationally when it comes to security,” he added.

The paper focuses on how to incorporate human factors into the design of systems such as ATM machines and other software that prompts for the entry of a code or PIN, to make the systems more sound and secure.

The research paper describes a situation in which such a system could be integrated into an ATM machine.

While withdrawing money, the person behind you can easily figure out what your PIN is just by observing you type it. Cunning thieves also add fake security cameras or even mini lenses adjacent to keypads.

To avert this, the system will generate a series of highly personalized prompts in order to maintain maximum security while the user performs the conventional ATM functions.

“At a high level, we ask a series of questions to the user, like ‘Does your PIN contain a 2?’ while secretly [giving] an instruction to the user to tell a lie or tell the truth. The secret instruction is conveyed by the movement of a tactile device. The user has to cover the device with their hand to figure its movement,” Christin said.

The system also uses images called “graphical passwords” and a combination of more complex secret questions, instead of PINs. Therefore, the system employs the unique ability of human beings to combine “different sensory signals” instantly to protect their privacy against an entire range of attacks.

As information systems become increasingly present in the 21st century, there is a rapidly growing user-base that may not be adequately trained to take the utmost security measures.

CyLab Japan’s new cybersecurity method poses an answer to computer scientists’ mounting information security concerns.

“Education helps, for sure, but as systems are getting increasingly complex, we need to make sure that security is something that comes naturally to most people, that they don’t even have to think about it,” Christin said.

CyLab Japan is a partnership with CMU’s Information Networking Institute, the Heinz School, and the Hyogo Prefectural Government, a governmental body of Japan situated in the Kinki region. CyLab Japan currently offers a Master of Science in Information Technology with an Information Security Track (MSIT-IS) in Kobe, Japan, as a graduate program of Carnegie Mellon.