A Mobile Payment Scheme Using Biometric Identification with Mutual Authentication

TL;DR

This paper introduces a biometric-based mobile payment scheme that ensures mutual authentication, enhancing security against various attacks while minimizing hardware requirements and dependency on wireless connectivity.

Contribution

It presents a novel biometric authentication scheme with mutual verification, resistant to multiple attack vectors, and requiring minimal terminal hardware and no wireless connection during authentication.

Findings

Resistant to phishing, replay, relay, and presentation attacks

Requires minimal hardware on terminals

Does not depend on wireless connectivity during authentication

Abstract

Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another - for example, some systems use QR codes to avoid skimming and connexion issues, but QR codes can be stolen at distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.