A Mobile Payment Scheme Using Biometric Identification with Mutual Authentication

Jack Sturgess,Ivan Martinovic
2024-09-24
Abstract:Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another - for example, some systems use QR codes to avoid skimming and connexion issues, but QR codes can be stolen at distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.
Cryptography and Security
What problem does this paper attempt to address?
This paper aims to solve some key problems existing in mobile payment systems. These problems include but are not limited to false terminals, data theft, security risks of wireless connections, and relay attacks, etc. Specifically: 1. **False Terminals and Man - in - the - Middle Attacks**: Current mobile payment systems are vulnerable to malicious devices that pretend to be legitimate terminals. These devices can carry out man - in - the - middle attacks and steal users' sensitive information. 2. **Security of Wireless Connections**: Many payment systems rely on wireless connections to complete transactions, which increases the risk of interception. For example, although NFC payment is convenient, the limitation of its signal range is not always reliable, and there is a possibility of being eavesdropped from a long distance. 3. **Security of QR Codes**: Some systems use QR codes to avoid data theft and connection problems, but QR codes can also be remotely stolen and used for relay attacks. 4. **Users' Trust in Terminals**: Existing systems often require users to input sensitive information without verifying the legality of terminals, which increases the risk for users. To solve the above problems, the paper proposes a new biometric - based authentication scheme, which has the following features: - **Two - way Authentication**: Ensure that the terminal proves its legality to the user before requesting the user to input any secret information. - **Minimum Hardware Requirements**: The scheme does not require the terminal to have special hardware. Ordinary smart phones and tablets can meet the requirements. - **No Need for Direct Connection between Users and Verifiers**: During the authentication phase, the user device does not need to communicate directly with the verifier, thus reducing the risks brought by wireless connections. - **Users Do Not Need to Trust Terminals**: Users will not disclose any sensitive information before confirming the legality of terminals. Through these designs, the scheme proposed in the paper aims to provide a more secure and convenient mobile payment environment and effectively resist various threats such as phishing attacks, replay attacks, relay attacks, and presentation attacks.