One-Time Biometrics for Online Banking and Electronic Payment Authentication

Online banking and electronic payment systems on the Internet are becoming increasingly advanced. At the machine level, transactions take place between client and server hosts through a secure channel protected with SSL/TLS, and user authentication is typically based on two or more factors. Nevertheless, the spread of malware and social engineering attacks turns the user's PC into an untrusted device, which in turn makes user authentication vulnerable. This paper investigates how user authentication with biometrics can be made more robust in the online banking context by using a dedicated personal device called the OffPAD. Unlike standard biometric deployments, this context requires that the authentication decision is made by the bank, not only by the user or by the personal device. More precisely, a new protocol for generating one-time passwords from biometric data is presented, ensuring the security and privacy of the entire transaction. Experimental results show excellent performance with regard to false positives, and the security analysis of the protocol shows how it strengthens authentication against an untrusted client.

Keywords: e-payment, biometrics, online banking security, strong authentication.
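As an added illustration, and not the paper's own protocol (whose construction is not given in this abstract), the following Python sketch shows one established way to turn a noisy biometric template into a one-time password that the bank can verify: a fuzzy commitment (Juels and Wattenberg) binds a random key to the template at enrolment, the personal device recovers that key from a fresh, slightly different probe, and the OTP is an HMAC of the bank's transaction challenge under the recovered key, so the bank checks the response without ever holding biometric data. The constructed template, the noise pattern, the 5x repetition code, the 16-bit key and the split of helper data (kept on the device) versus key (kept by the bank) are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions for this example, not from the paper): a 16-bit
# key is repetition-encoded 5x into an 80-bit codeword, so up to 2 flipped bits
# per 5-bit block between enrolment and probe are tolerated.
KEY_BITS = 16
REP = 5
TEMPLATE_BITS = KEY_BITS * REP
OTP_DIGITS = 6


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def repetition_encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]


def repetition_decode(noisy):
    # Majority vote inside each REP-bit block corrects up to (REP-1)//2 flips.
    return [int(2 * sum(noisy[i:i + REP]) > REP) for i in range(0, len(noisy), REP)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def constructed_template(seed=b"constructed iris code"):
    # Constructed stand-in for a binary biometric template (e.g. an iris code).
    digest = hashlib.sha256(seed).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(TEMPLATE_BITS)]


def flip_bits(bits, positions):
    # Simulates sensor noise between enrolment and a later capture.
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def enrol(template, key_bits=None):
    """Fuzzy commitment: bind a random key to the template.
    Returns the helper record for the device and the key for the bank."""
    if key_bits is None:
        key_bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = repetition_encode(key_bits)
    key = bits_to_bytes(key_bits)
    helper = {"delta": xor_bits(codeword, template),
              "key_hash": hashlib.sha256(key).digest()}
    return helper, key


def recover_key(helper, probe):
    """Device side: unmask with the fresh probe, then decode away the noise.
    delta XOR probe == codeword XOR noise, which the code corrects."""
    return bits_to_bytes(repetition_decode(xor_bits(helper["delta"], probe)))


def one_time_password(key, challenge):
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def device_response(helper, probe, challenge):
    key = recover_key(helper, probe)
    # Local check: a probe that is too noisy yields a key with the wrong hash,
    # so the device refuses rather than sending a garbage OTP to the bank.
    if not hmac.compare_digest(hashlib.sha256(key).digest(), helper["key_hash"]):
        return None
    return one_time_password(key, challenge)


def bank_verify(key, challenge, response):
    # Bank side: recompute from its own key copy; constant-time comparison.
    return response is not None and hmac.compare_digest(
        one_time_password(key, challenge), response)


if __name__ == "__main__":
    template = constructed_template()
    helper, bank_key = enrol(template)
    # The challenge should bind the transaction details so the OTP cannot be
    # replayed for a different payment (assumed format).
    challenge = b"txn:ACCT-1234:EUR 250.00:nonce=" + secrets.token_hex(8).encode()
    probe = flip_bits(template, [0, 1, 7, 12, 79])
    print(bank_verify(bank_key, challenge, device_response(helper, probe, challenge)))
```

Two caveats a practitioner should keep in mind: real iris or fingerprint templates are far from uniformly random, so the helper data leaks information about the template unless the error-correcting code and key length are chosen for the template's actual entropy, and a repetition code is only a stand-in for a real BCH or Reed-Solomon code; and because the bank keeps a copy of the key, the scheme is a shared-secret scheme on the bank side and that key must be protected like any other credential.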
