Public terminals are a very convenient tool for all kinds of services. They allow for service execution at any time while reducing costs for the service provider and increasing benefits for the users. For instance, they can be used to buy snacks, drinks, tickets, or even gold. Users can benefit from interacting with these machines in many ways. However, two main challenges can be identified: (1) at times, users have to wait in line before they can start interacting with the machine and (2) public terminals are prone to manipulation by attackers and to shoulder-surfing attacks. One option to address the first challenge is to increase the number of terminals. However, this comes at considerable cost for the service provider. Thus, another versatile option is to provide mobile services based on the personal smartphone of the user. For instance, users can purchase flight tickets, perform online check-ins and even present their boarding pass, all by using their smartphone. This way, both issues are addressed, as users do not have to wait in line and shoulder-surfing attacks are significantly harder to conduct. This approach is only applicable if the corresponding service does not require a connection to physical objects. Thus it is not an option, for instance, for withdrawing cash from an automated teller machine (ATM). A connection between the physical service (that is, the terminals) and the mobile service has the potential to provide the desired convenience and solve the previously mentioned problems.
In order to run a real-world user study, we implemented an interaction concept which combines the advantages of mobile services on the smartphone and stationary service machines, such as ATMs. In short, the user creates a transaction token on the smartphone; the token contains all information about the service transaction. This token is then transmitted to the public terminal and the service items are delivered. For instance, if a user wants to withdraw cash from her bank account, she uses her mobile phone to prepare the transaction (see Figure 1 (left)). After specifying the amount of money and authenticating (Figure 1 (middle)), the user goes to the ATM terminal and transmits the transaction token (e.g. by means of near field communication (NFC)). By doing so, the withdrawal is triggered (see Figure 1 (right)). In addition, the whole transaction can also take place at the terminal alone.
We present results of a four-week real-world user study, in which we investigated whether hybrid approaches would actually be used. The results show that users accept the hybrid service, as they understood that they could use downtimes (like bus rides) to prepare the interaction with the public terminal. Our findings give novel insights into security-relevant aspects such as where and when users interact with the mobile service before accessing the public terminal. In particular, the preparation of the transaction on the mobile phone was often conducted much further away from the terminal than expected (81.0% at a distance greater than 400 m) and earlier than expected (82.1% at least 5 minutes in advance).
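
The token flow described above, together with the finding that tokens are usually prepared minutes before they reach the terminal, can be sketched as follows. This is an added example, not the study's implementation: the token layout, the HMAC-SHA256 tag, the 30-minute validity window and the names `issue_token` and `redeem_token` are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumptions (not from the paper): token layout, HMAC-SHA256, 30-minute window.
BANK_KEY = secrets.token_bytes(32)   # held by the bank backend only
MAX_AGE_S = 30 * 60                  # must cover tokens prepared well in advance
_redeemed = set()                    # nonces of tokens already paid out


def issue_token(account, amount, now):
    """Backend issues a token once the user has authenticated on the phone."""
    body = {"account": account, "amount": amount,
            "issued_at": int(now), "nonce": secrets.token_hex(16)}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(BANK_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def redeem_token(token, now):
    """Backend check when the terminal forwards a token; returns (ok, detail)."""
    try:
        payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(BANK_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad-mac"
    body = json.loads(payload)
    age = now - body["issued_at"]
    if age < 0 or age > MAX_AGE_S:
        return False, "expired"        # stale token, e.g. from a lost phone
    if body["nonce"] in _redeemed:
        return False, "replayed"       # a relayed or copied token pays out once
    _redeemed.add(body["nonce"])
    return True, body["amount"]


if __name__ == "__main__":
    t0 = 1_700_000_000                              # constructed timestamp
    token = issue_token("ACCT-EXAMPLE", 50, t0)     # constructed account id
    print(redeem_token(token, t0 + 6 * 60))         # prepared 6 minutes earlier
    print(redeem_token(token, t0 + 7 * 60))         # second presentation
```

The validity window is the design parameter the study's timing data bears on: a window shorter than the typical preparation lead time rejects legitimate tokens, while a longer one extends the period in which a prepared token on a lost or unlocked phone remains usable.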