VisAuth: Authentication over a Visual Channel Using an Embedded Image

  • Conference paper
Cryptology and Network Security (CANS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11261)


Abstract

Mobile payment systems are pervasive; their design is driven by convenience and security. In this paper, we identify five common problems in existing systems: (i) specialist hardware requirements, (ii) no reader-to-user authentication, (iii) use of invisible channels, (iv) dependence on a client-server connection, and (v) no inherent fraud detection. We then propose a novel system which overcomes these problems, so as to mutually authenticate a user, a point-of-sale reader, and a verifier over a visual channel, using an embedded image token to transport information, while providing inherent unauthorised usage detection. We show our system to be resilient against replay and tampering attacks.

Notes

  1. www.emvco.com/about_emvco.aspx (last accessed: June 2017).

  2. www.apple.com/business/docs/iOS_Security_Guide.pdf (last accessed: June 2017).

  3. support.google.com/androidpay (last accessed: June 2017).

  4. www.samsung.com/us/support/answer/ANS00043790 (last accessed: June 2017).

  5. www.yoyowallet.com/support.html (last accessed: June 2017).

  6. pay.weixin.qq.com/index.php/public/wechatpay (last accessed: June 2017).

  7. global.alipay.com/products/spot (last accessed: June 2017).

  8. www.tangerine.ca/en/security (last accessed: Oct. 2017).

  9. An authenticated encryption algorithm should be chosen, such as AES-EAX.

Corresponding author

Correspondence to Jack Sturgess.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Sturgess, J., Martinovic, I. (2018). VisAuth: Authentication over a Visual Channel Using an Embedded Image. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science, vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_28

  • DOI: https://doi.org/10.1007/978-3-030-02641-7_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02640-0

  • Online ISBN: 978-3-030-02641-7

  • eBook Packages: Computer Science, Computer Science (R0)
