A Mobile Payment Scheme Using Biometric Identification with Mutual Authentication

Jack Sturgess, Ivan Martinovic

TL;DR

This paper proposes a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals and shows that the scheme is resistant against phishing, replay, relay, and presentation attacks.

Abstract

Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another - for example, some systems use QR codes to avoid skimming and connexion issues, but QR codes can be stolen at distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.

Paper Structure (13 sections, 2 figures, 1 table)

Figures (2)

  • Figure 1: The system model of our scheme during the authentication phase. The user presents his biometric trait(s) to the terminal ①, which extracts a feature vector and sends it to the verifier ②, which attempts to identify the user. The verifier returns the verification message associated with the account of the nearest matching user to the terminal ③, which displays it to the user to authenticate the terminal to the user ④. The user then enters his PIN to the terminal ⑤, which sends it to the verifier, which verifies the match to authenticate the user and then authorises the payment ⑥.
  • Figure 2: The authentication protocol of our scheme.
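The flow in the Figure 1 caption, as an added runnable sketch that is not code from the paper. The Euclidean nearest-match rule, the PBKDF2 PIN storage, and every name and sample value are assumptions of this example.

```python
import hashlib, hmac, math, os

class Verifier:
    """Back-end verifier: template, verification message and PIN hash per account."""
    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _kdf(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user, template, message, pin):
        salt = os.urandom(16)
        self.accounts[user] = (template, message, salt, self._kdf(pin, salt))

    def identify(self, features):
        # Steps 2-3: nearest enrolled template (Euclidean distance is an assumption).
        user = min(self.accounts, key=lambda u: math.dist(self.accounts[u][0], features))
        return user, self.accounts[user][1]

    def authorise(self, user, pin):
        # Step 6: the PIN must match the account identified in step 2.
        _, _, salt, stored = self.accounts[user]
        return hmac.compare_digest(stored, self._kdf(pin, salt))

def pay(terminal, verifier, features, expected_message, pin):
    """User's view of steps 1-6. Returns (outcome, pin_disclosed)."""
    account, shown = terminal(features)        # steps 1-3
    if shown != expected_message:              # step 4: terminal failed to authenticate
        return "aborted", False                # the PIN is never typed
    ok = verifier.authorise(account, pin)      # steps 5-6: terminal forwards the PIN
    return ("authorised" if ok else "declined"), True

def demo():
    v = Verifier()                             # constructed sample enrolments
    v.enrol("alice", (0.10, 0.80, 0.30), "blue heron 42", "4821")
    v.enrol("bob", (0.90, 0.20, 0.70), "red kettle 7", "1357")
    sample = (0.12, 0.78, 0.33)                # constructed noisy reading of alice's trait
    rogue = lambda f: (None, "Welcome, customer")  # terminal with no verifier access
    return {
        "honest": pay(v.identify, v, sample, "blue heron 42", "4821"),
        "wrong_pin": pay(v.identify, v, sample, "blue heron 42", "0000"),
        "rogue": pay(rogue, v, sample, "blue heron 42", "4821"),
    }

if __name__ == "__main__":
    print(demo())
```

The `rogue` case shows the property the abstract claims: a terminal that cannot produce the user's verification message is rejected at step 4, before the PIN is disclosed.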