Abstract
Online banking and electronic payment systems on the Internet are becoming increasingly advanced. On the machine level, transactions take place between client and server hosts through a secure channel protected with SSL/TLS. User authentication is typically based on two or more factors. Nevertheless, the development of various malwares and social engineering attacks transform the user’s PC in an untrusted device and thereby making user authentication vulnerable. This paper investigates how user authentication with biometrics can be made more robust in the online banking context by using a specific device called OffPAD. This context requires that authentication is realized by the bank and not only by the user (or by the personal device) contrary to standard banking systems. More precisely, a new protocol for the generation of one-time passwords from biometric data is presented, ensuring the security and privacy of the entire transaction. Experimental results show an excellent performance considering with regard to false positives. The security analysis of our protocol also illustrates the benefits in terms of strengthened security.
Chapter PDF
Similar content being viewed by others
References
Visa corporate (1958), http://corporate.visa.com/index.shtml
Mastercard worldwide (1966), http://www.mastercard.com/
Adham, M., Azodi, A., Desmedt, Y., Karaolis, I.: How to attack two-factor authentication internet banking. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 322–328. Springer, Heidelberg (2013)
Antoniou, G., Batten, L.: E-commerce: protecting purchaser privacy to enforce trust. Electronic Commerce Research 11(4), 421–456 (2011)
Bolle, R.M., Connell, J.H., Ratha, N.K.: Biometric perils and patches. Pattern Recognition 35(12), 2727–2738 (2002)
European Commission. Directive 2000/31/ec of the european parliament and of the council of 8 june 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market (’directive on electronic commerce’) (2000)
European Commission. Directive 2007/64/ec of the european parliament and of the council of 13 november 2007 on payment services in the internal market amending directives 97/7/ec, 2002/65/ec, 2005/60/ec and 2006/48/ec and repealing directive 97/5/ec (2007)
European Payments Council. Sepa - single euro payment area (2007), http://www.sepafrance.fr/
Daugman, J.: New methods in iris recognition. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics 37(5), 1167–1175 (2007)
Drimer, S., Murdoch, S.J., Anderson, R.: Optimised to fail: Card readers for online banking. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 184–200. Springer, Heidelberg (2009)
Espelid, Y., Netland, L.–H., Klingsheim, A.N., Hole, K.J.: A proof of concept attack against norwegian internet banking systems. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 197–201. Springer, Heidelberg (2008)
MasterCard International. Chip authentication program functional architecture (September 2004)
Jøsang, A., Pope, S.: User centric identity management. In: AusCERT Asia Pacific Information Technology Security Conference, p. 77. Citeseer (2005)
Juels, A., Sudan, M.: A fuzzy vault scheme. In: ISIT, p. 408 (2002)
Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: ACM Conference on Computer and Communications Security, pp. 28–36 (1999)
Klevjer, H., Varmedal, K.A., Jøsang, A.: Extended http digest access authentication. In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds.) IDMAN 2013. IFIP AICT, vol. 396, pp. 83–96. Springer, Heidelberg (2013)
Li, S., Sadeghi, A.-R., Heisrath, S., Schmitz, R., Ahmad, J.J.: hPIN/hTAN: A lightweight and low-cost e-banking solution against untrusted computers. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 235–249. Springer, Heidelberg (2012)
Manjunath, B.S., Ma, W.Y.: Texture features for browsing and retrieval of image data. IEEE Transactions on Pattern Analysis and Machine Intelligence 18, 37–42 (1996)
Murdoch, S.J., Anderson, R.: Verified by visa and mastercard securecode: Or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010)
Osadchy, M., Pinkas, B., Jarrous, A., Moskovich, B.: Scifi - a system for secure face identification. In: IEEE Symposium on Security and Privacy (2010)
Pasupathinathan, V., Pieprzyk, J., Wang, H., Cho, J.Y.: Formal analysis of card-based payment systems in mobile devices. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and e-Research, vol. 54, pp. 213–220. Australian Computer Society, Inc. (2006)
Ratha, N.K., Connell, J.H., Bolle, R.: Enhancing security and privacy in biometrics-based authentication system. IBM Systems J. 37(11), 2245–2255 (2001)
Rathgeb, C., Uhl, A.: A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. on Information Security, 3 (2011)
S.E.T. Secure electronic transaction specification. Book 1: Business Description. Version, 1 (2002)
Teoh, A.B.J., Ngo, D., Goh, A.: Biohashing: Two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition, 40 (2004)
Varmedal, K.A., Klevjer, H., Hovlandsvåg, J., Jøsang, A., Vincent, J., Miralabé, L.: The offpad: Requirements and usage. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 80–93. Springer, Heidelberg (2013)
Visa. 3D secure protocol specification, core functions (July 16, 2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Plateaux, A., Lacharme, P., Jøsang, A., Rosenberger, C. (2014). One-Time Biometrics for Online Banking and Electronic Payment Authentication. In: Teufel, S., Min, T.A., You, I., Weippl, E. (eds) Availability, Reliability, and Security in Information Systems. CD-ARES 2014. Lecture Notes in Computer Science, vol 8708. Springer, Cham. https://doi.org/10.1007/978-3-319-10975-6_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-10975-6_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10974-9
Online ISBN: 978-3-319-10975-6
eBook Packages: Computer ScienceComputer Science (R0)