A Mobile Payment Scheme Using Biometric Identification With Mutual Authentication

The paper proposes a mobile payment scheme utilizing biometric identification and mutual authentication to enhance security against common threats like skimming and relay attacks. It emphasizes minimal hardware requirements for terminals, eliminates the need for direct user-verifier communication during authentication, and ensures users do not need to trust terminals until they are authenticated. The scheme is designed to be resistant to various attacks, including phishing and presentation attacks, while maximizing user convenience.


A Mobile Payment Scheme Using Biometric Identification with Mutual Authentication

Jack Sturgess and Ivan Martinovic
Department of Computer Science, University of Oxford, Oxford, UK
{firstname.lastname}@cs.ox.ac.uk

arXiv:2409.17181v1 [cs.CR] 24 Sep 2024

Abstract—Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another—for example, some systems use QR codes to avoid skimming and connexion issues, but QR codes can be stolen at distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.

Index Terms—mobile payments, mutual authentication, visual channel, biometrics, identification, authentication

I. INTRODUCTION

Mobile payment systems have evolved rapidly over recent years, facilitated by advances in technology and driven by enhanced security and usability features [4]. One early barrier to adoption was the need for specialised hardware, where exclusionary business practices mandated the use of a dedicated point-of-sale terminal for each payment system. Merchants struggled to support them all, so brand loyalty and local trends led consumer decisions. This was resolved by the standardisation of NFC-enabled payments (near-field communication; for short-ranged connectivity); now, a single terminal can accept payments made using any NFC-enabled device—whether it be a payment card, a hand-held device, or a wearable device—across various payment systems.

The size, shape, and capabilities of point-of-sale terminals have also changed, and are continuing to change. Early terminals had a slit where magnetic strip payment cards could be swiped to be read; these were replaced with slots where Chip and PIN payment cards could be inserted to have their chip read and unlocked by the PIN (personal identification number; a short numerical password). Terminals typically have a screen where the payment amount is displayed, a keypad or touchscreen where the PIN can be entered, and, for NFC-enabled terminals, a flat surface where the payment device is to be tapped to communicate with the NFC module. They need a trusted execution environment where local cryptographic materials can be handled and stored securely and a means to connect securely to a back-end payment server. Many modern consumer devices satisfy these requirements and so can be used as terminals; new tap-on-phone applications enable smartphones and tablet computers to accept NFC payments, increasing the number and diversity of potential terminals and allowing the payment process to be integrated alongside other vendor services in all-in-one applications—e.g., some restaurants use table management systems installed on tablets that enable waiting staff to take orders, transfer orders to the kitchen, and handle payments in the same application.

The physical presence of a terminal can give a false perception of trust to users that the terminal is legitimate, but a rogue terminal or application can easily be dressed to look genuine in order to execute a MITM (man-in-the-middle) attack on unsuspecting victims. An effective countermeasure to MITM attacks is mutual authentication, where the payment system must authenticate itself to the user (inasmuch as it must prove that it is a secure communication interface to a trusted server) before the user is asked to enter any secret information. This principle has been deployed in some smartphone applications [8] and online banking interfaces [16], where a personalised greeting message is shown to the user before the system requires the password to be entered. However, we are yet to see such a feature in point-of-sale terminals in the wild.

It is difficult to prevent skimming and eavesdropping over wireless channels. The use of NFC can allow payment transactions to be initiated and information stolen without the user knowing [7, 11], and attempts to limit its range to reduce the risk have been shown not to be reliable [3, 5]. Some payment systems communicate over a visual channel between the user's device and the terminal, giving the user more control over the exchange and making it difficult for an attacker to intercept without being noticed. However, these systems typically encode the information into barcodes or QR (quick response) codes that can be read and stolen at long range using a camera with sufficiently high resolution and then used in a relay attack. Furthermore, even though a wireless connexion is not required during the authentication phase, the user's device must frequently connect to the server at other times to request new tokens, since the communication with the terminal over a visual channel is unidirectional.

The use of biometrics is starting to replace the PIN to authenticate the user because it requires less effort from the user—in some cases directly, such as fingerprint-enabled
payment cards, and in other cases indirectly, where payment cards are provisioned to a virtual wallet on a smartphone and the user must authenticate to the device using whatever capabilities it offers to gain access to the virtual wallet. Some systems [6, 9] are trying to phase out cards and devices altogether and instead use face recognition to identify the user among registered users and then automatically bill the account associated with the matched user. However, an unregistered attacker could abuse this by getting matched to a random user and causing that user to get billed, so a smartphone application is required to verify the match, meaning that the user must carry a wirelessly-connected smartphone, which detracts from the potential usability gains that these systems hoped to offer.

In this paper, we encapsulate these common problems into a set of three system requirements and then we propose a novel payment scheme that satisfies them. Our scheme leverages biometric identification to maximise convenience for the user and provides mutual authentication to protect the user from rogue terminals. We show that our scheme meets these requirements and that it is resistant against phishing, replay, relay, and presentation attacks.

II. SYSTEM DESIGN

A. System Requirements

The purpose of a payment scheme is to authenticate a user to a verifier via a point-of-sale terminal to authorise a payment. In addition to this, we want our scheme to overcome the problems that are commonly found in existing mobile payment systems. To ensure that we meet this objective, we derive the following three system requirements from these problems that our scheme must satisfy:

• No specialised hardware: the system may only impose hardware requirements on the terminal that can be satisfied by typical smartphones and tablet computers, so that the system is simple for merchants to deploy.
• No user-to-verifier connexion: the system must not require any device of the user to communicate directly with the verifier during the authentication phase, since network connectivity cannot always be guaranteed.
• No expectation of trust: the user must not be expected to trust the terminal, and therefore must not be expected to reveal any secret information to it, until the terminal has first authenticated itself (i.e., proved that it is legitimate) to the user.

[Fig. 1 diagram: User <- visual channel -> Terminal <- secure channel -> Verifier, with numbered steps 1 to 6 and a payment amount of £10 shown on the terminal.]

Fig. 1: The system model of our scheme during the authentication phase. The user presents his biometric trait(s) to the terminal (1), which extracts a feature vector and sends it to the verifier (2), which attempts to identify the user. The verifier returns the verification message associated with the account of the nearest matching user to the terminal (3), which displays it to the user to authenticate the terminal to the user (4). The user then enters his PIN to the terminal (5), which sends it to the verifier, which verifies the match to authenticate the user and then authorises the payment (6).

B. System Model

We consider a system model in which a user is making a payment at a point-of-sale terminal in a typical setting (e.g., in a shop). The system consists of three components: a user (the prover), a point-of-sale terminal, and a verifier (the back-end payment server that authorises the payment). The terminal is a commercial off-the-shelf device that the merchant is using to take the payment; it has a camera, a screen, an input mechanism (e.g., a keypad or a touchscreen), and an installed application that implements our scheme. The verifier is an authentication server maintained by the payment provider and is assumed to be trusted and secure. We assume that the terminal is registered to the verifier and that these devices have shared keys and established a secure channel over which to communicate. We assume that all cryptographic materials are stored securely on their respective devices.

During the enrolment phase, we assume that the user has a user device, such as a smartphone, that he uses to enrol into the system and to administer his account. We assume that there is a secure channel between the user device and the verifier over which they exchange materials. We assume that the user is able to access a trusted terminal, authenticated using the aforementioned secure channel, to submit a number of biometric samples from which his initial user template can be constructed. We assume that the biometric being used is face geometry, but other traits could be implemented with due consideration. The user adds a payment method to his account, chooses a PIN, and sets a verification message.

During the authentication phase, we assume that there is a visual channel between the user and the terminal, and a secure channel between the terminal and the verifier. The user interacts only with the terminal. The user initiates the protocol by presenting his biometric trait to the terminal. We assume that the integrity of the biometric sample is protected with appropriate liveness detection, as is standard practice in biometric-based systems. The terminal extracts a feature vector from the biometric sample and sends it to the verifier for identification. When the verifier identifies the user, it retrieves the verification message associated with his account and returns it to the terminal, which displays it to the user. The user verifies the message and enters his PIN to the terminal, which passes it to the verifier. The verifier checks the PIN to verify that the identification was correct and to authenticate the user. The verifier can then authorise the payment using the payment method associated with the account. We assume that the classifier used by the verifier has a low misclassification rate and that, when a user is correctly identified and authenticated, his template can be safely updated
using the latest feature vector to counter the effects of drift (where a biometric trait changes over time, such as due to ageing). We assume that the verifier will reject simultaneous authentication sessions that are identified to be of the same user to prevent crossover. A visualisation of the authentication phase of our scheme is shown in Figure 1.

C. Threat Model

We consider an adversary that is attempting to make a payment at the expense of a legitimate user. We assume that the adversary can observe everything that is shared across the visual channel. We assume that the adversary can deploy rogue terminals and that these are dressed to look genuine. Our goal here is to authenticate the legitimate user without leaking any secret information, to facilitate legitimate mobile payment transactions, and to reject the adversary. We consider the following six types of attack:

• Phishing attack: the adversary has deployed a rogue terminal to trick a legitimate user into revealing his PIN.
• Replay attack: the adversary is attempting to make a new payment by re-using (eavesdropped) messages that were previously sent between a legitimate user and the verifier.
• Relay attack (in-store): a legitimate user is attempting to make a payment at a rogue terminal that is passing his biometric trait (e.g., a captured image of his face) to an adversary who is attempting to use it to authorise a different payment at a legitimate terminal.
• Relay attack (skimming): while a legitimate user is not involved in a transaction (e.g., he might be commuting on public transport or walking on a busy street), the proximate adversary is attempting to capture his biometric trait using a concealed rogue terminal so as to pass it to a distant accomplice who is attempting to use it to authorise a payment at a legitimate terminal.
• Presentation attack (particular victim): the adversary has observed the PIN and biometric trait of a legitimate user in a previous transaction and is attempting to make a payment by impersonating that user.
• Presentation attack (random victim): the adversary is attempting to make a payment as a random user.

In this work, we concentrate on how the proposed scheme can be used to defend against these attacks. We do not consider attacks that take place during the enrolment phase, attacks on the liveness detection system, attacks on the verifier, malware, or denial of service attacks.

Material | Known to or inherent to user | Stored on terminal | Stored on verifier | Purpose
a | (✓) | (✓) | × | payment amount; known at start of session
b | ✓ | × | (✓) | biometric feature vector; identifies the user to the verifier by nearest match
m | ✓ | × | ✓ | short alphanumeric string; authenticates the terminal to the user
PIN | ✓ | × | ✓ | short numerical password; authenticates the user to the verifier
k | × | ✓ | ✓ | secret key; secures communication between the terminal and the verifier

TABLE I: Summary of the cryptographic materials used in our scheme.

III. SYSTEM ARCHITECTURE

A. Cryptographic Materials

During the enrolment phase, the user account is created and the user exchanges some materials with the verifier that are stored securely and later used in the authentication phase. A summary of these materials is shown in Table I.

b is the biometric feature vector. During the enrolment phase, the user submits a number of biometric samples to a terminal, which extracts feature vectors and sends them to the verifier, which constructs a biometric template for the user. This template is stored as part of the user's account. During the authentication phase, the user provides a biometric sample to the terminal. The terminal extracts a feature vector b and sends it to the verifier to identify the user. It is best practice for biometric data to be processed locally on the device that collects it and for only the feature vector to be transferred, due to the irrevocable nature of biometric data and the impact that theft may have on the security and privacy of the user (across this system and other systems).

m is the verification message. During the enrolment phase, the user chooses a recognisable string and submits it to the verifier. This message is stored as part of the user's account. During the authentication phase, the verifier sends m to the terminal so that the terminal can authenticate to the user before the user is asked to reveal any secret information. Since the adversary can see m when it is displayed, it must be changed after each use for mutual authentication to hold. We assume that this is achieved by using seeded random string generators to generate the same messages at regular intervals (e.g., every minute) on both the user device and the verifier to remove the need for any user-to-verifier connexion—however, this requires the user to carry the user device. We consider alternative implementations that prioritise usability in Section V.

PIN is the PIN. During the enrolment phase, the user chooses a short (e.g., 4 digits), memorable PIN and submits it to the verifier. This PIN is stored as part of the user's account. During the authentication phase, the user inputs PIN to authenticate to the verifier. More specifically, when the verifier has selected the candidate user that most closely matches b, the PIN input by the user is used to verify the match. We assume that the user will enter PIN on the terminal over a physical channel. Alternative implementations might explore the use of other channels to verify the match, such as having the user speak PIN over an audio channel, gesticulate PIN
over a visual channel, or provide some input in response to a challenge on a user device. In an ideal implementation of the scheme, only salted hashes of PIN should be stored, transferred, and compared in order to mitigate any damage from attacks against the verifier.

k is a secret key shared between the terminal and the verifier. We assume that this is exchanged as part of the secure channel and is cryptographically secure.

B. Biometric-based Identification

We exploit the property that biometrics can be classified in a one-to-many manner (i.e., for identification purposes) to enable the user to bypass initially having to reveal any concrete information to the terminal. The user presents only his biometric trait to the terminal—in our case, this is his face, which is freely observable in public. The user's account information, such as his account number, is known only to the user and the verifier and does not need to be transferred during the authentication phase.

Biometric classification can result in false positives. If the identification task performed by the verifier returns a false positive, this will be caught when the user is presented with a message that does not match m. If the user tries to proceed anyway, he will fail because he does not know the PIN associated with the mismatched account. For usability, one approach to resolving this problem could be for the classifier to return a shortlist of candidate users ordered by how closely they match b and for the subsequent message verification steps to repeat, iterating through the list, until the correct m is displayed and verified. However, this approach would enable an attacker to collect verification messages of near-matching users that could be used in a phishing attack. Moreover, it would train users to tolerate false matches. In either case, the mutual authentication property would be undermined. For security, the protocol should instead terminate if the verification message is not as expected. The user can then restart it by presenting to the terminal again to give the system a fresh opportunity to identify him correctly.

C. Authentication Protocol

During the authentication phase, a visual channel between the user and the terminal and a secure channel between the terminal and the verifier are required for the system to achieve mutual authentication. Figure 2 shows the authentication protocol and the following steps describe it.

Steps 1 to 2: User Presents Trait to Terminal. The user approaches the terminal to initiate a payment transaction in the amount of a. The user presents his biometric trait to the terminal. The terminal samples the trait and extracts a feature vector, b.

Steps 3 to 12: Terminal Authenticates to User. The terminal sends a and b to the verifier over a secure channel. Nonces are used so that the freshness of messages can be verified by the receiver; we assume that these will take the form of timestamps. The verifier identifies the user by performing a one-to-many lookup of b amongst the user templates of all users registered on the system. When the nearest match, b′, is identified, the verifier retrieves the account information of b′ and gets its verification message, m′, and PIN, PIN′. The verifier sends m′ to the terminal, which displays it to the user. The user verifies m′ by performing a string comparison against the expected message, m. This demonstrates to the user that the terminal is securely communicating with and trusted by the verifier and so authenticates the terminal to the user before the user is required to reveal any secret information.

Steps 13 to 18: User Authenticates to Verifier via Terminal. The user enters PIN on the terminal, which sends it to the verifier. The verifier verifies PIN against the expected PIN′. This authenticates the user as the identified user to the verifier and enables the verifier to process the payment of a using the payment method associated with the identified user account.

IV. SECURITY ANALYSIS

Our scheme meets all of the system requirements. It requires no specialised hardware: the terminal needs only a camera, a screen, and a touchscreen or keypad for input; these requirements can be satisfied by any modern smartphone or tablet, making it easily deployable. The user is identified and authenticated to the verifier via the terminal, using a visual channel, without requiring a direct connexion between the user (or any user device) and the verifier. Finally, the authentication protocol ensures that the terminal demonstrates to the user that it is connected to and trusted by the verifier before the user is required to reveal PIN.

Phishing Attack. For the phishing attack, the adversary attempts to have a legitimate user reveal PIN by deploying a rogue terminal. At Step 10, the terminal must display m to the user before the user reveals PIN. As long as m is changed after each use, the rogue terminal will not be able to achieve this. Therefore, our scheme provides resistance against phishing attacks.

Replay Attack. For the replay attack, the adversary attempts to authorise a repeat payment by re-sending encrypted messages sent between the terminal and the verifier during a previous transaction. Nonces are included in every encrypted message sent over the secure channel to enable their freshness to be checked, so the attack will fail at Step 5. Therefore, our scheme provides resistance against replay attacks.

Relay Attack. For the in-store relay attack, the adversary attempts to authorise a different payment by passing a copy of the legitimate user's biometric trait. For the skimming relay attack, the adversary attempts to have an accomplice authorise a payment by capturing the biometric trait of an oblivious legitimate user. In each case, owing to the use of a visual channel, the legitimate terminal being used by the accomplice is able to validate the authenticity of the user. The copied biometric will fail the liveness check and be rejected, so the attack will fail at Step 2. Therefore, our scheme provides resistance against relay attacks.
Fig. 2: The authentication protocol of our scheme. Steps 1 to 18, reconstructed from the figure; the user and the terminal share a visual channel, and the terminal and the verifier share a secure channel keyed by k. The party performing each step follows from the description in Section III.C.

1 Present trait (user, to terminal)
2 Extract b (terminal)
3 Generate nonce n1 (terminal)
4 Send {a + b + n1}k (terminal, to verifier)
5 Verify freshness of n1 (verifier)
6 Find nearest match, b′; retrieve associated account information; get m′ and PIN′ (verifier)
7 Generate nonce n2 (verifier)
8 Send {m′ + n2}k (verifier, to terminal)
9 Verify freshness of n2 (terminal)
10 Display m′ (terminal)
11 Read m′ (user)
12 Verify m′ == m (user)
13 Enter PIN (user, on terminal)
14 Generate nonce n3 (terminal)
15 Send {PIN + n3}k (terminal, to verifier)
16 Verify freshness of n3 (verifier)
17 Verify PIN == PIN′ (verifier)
18 Charge a to account (verifier)

Presentation Attack. For the presentation attack on a particular victim, the adversary knows the victim's PIN and attempts to mimic his biometric trait so as to impersonate him to a legitimate terminal. Biometric identification is weaker than authentication inasmuch as the attacker only needs to achieve being matched nearer to the intended victim than to some other user. We can minimise this discrepancy by tightening the decision threshold of the classifier to ensure that the matching must meet a certain minimum accuracy, akin to authentication. The tighter this is set, the more it will increase the FRR (i.e., the greater the gains in security, the greater the cost to usability). This will increase the effort required of the adversary. An implementation of the scheme can further increase the effort required of the adversary by using multiple biometric traits, since he would need to achieve being the nearest match for all of the traits simultaneously.

For the presentation attack on a random victim, the adversary simply presents his own biometric trait, either modified or not, so that the system matches him to a random victim in Step 6. We assume that the adversary is not registered to the system and that a match is found, even with a tightened decision threshold. The adversary does not know the PIN of the random victim, so the attack will fail at Step 17. The adversary may attempt to perform a brute force guessing attack against the PIN by presenting in the same manner repeatedly to generate the same victim each time. An ideal implementation of the scheme should use common anomaly detection and throttling techniques to defend against guessing attacks.

The first of these attacks does not work at scale, because the adversary must expend effort to obtain the victim's PIN, and is defeated by further increasing the effort (cost) required. The second does work at scale, but is defeated by the PIN. In each case, our scheme provides resistance against presentation attacks.
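The protocol of Fig. 2 and the failure points named in the security analysis, worked as an added example (this is not the authors' code). Beyond what the paper states, it assumes that m is derived with HMAC-SHA256 over a per-user seed and the current minute as one way to realise the seeded generators of Section III.A, that feature vectors are compared by Euclidean distance against a fixed decision threshold, that PINs are stored as salted SHA-256 hashes, that the encryption on the terminal-to-verifier channel is omitted, and that a timestamp nonce is rejected when it is stale or has been accepted before; all names are hypothetical.

```python
import hashlib
import hmac
import math
import os

INTERVAL = 60     # seconds between changes of m (the paper assumes every minute)
WINDOW = 30       # assumption: how old a timestamp nonce may be before it is stale
THRESHOLD = 0.5   # assumption: decision threshold on feature-vector distance


def derive_m(seed, now):
    """Verification message for the minute containing `now`.

    Assumption: HMAC over the interval index stands in for the seeded random
    string generators that the user device and the verifier share."""
    slot = str(int(now // INTERVAL)).encode()
    return hmac.new(seed, slot, hashlib.sha256).hexdigest()[:6].upper()


def hash_pin(pin, salt):
    """Salted hash of the PIN, as the paper recommends for storage and comparison."""
    return hashlib.sha256(salt + pin.encode()).digest()


class Verifier:
    def __init__(self):
        self.accounts = {}   # account id -> template, seed, salt, pin_hash
        self.seen = set()    # nonces already accepted (defeats replay inside WINDOW)
        self.pending = {}    # terminal id -> (identified account, amount a)
        self.charges = []    # (account, amount) pairs charged at step 18

    def enrol(self, acct, template, seed, pin):
        salt = os.urandom(16)
        self.accounts[acct] = {"template": template, "seed": seed,
                               "salt": salt, "pin_hash": hash_pin(pin, salt)}

    def fresh(self, nonce, now):
        """Steps 5 and 16: a timestamp nonce is fresh if recent and never seen."""
        if abs(now - nonce) > WINDOW or nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True

    def identify(self, term, a, b, n1, now):
        """Steps 5 to 8: nearest-match lookup of b; returns (m', n2) or None."""
        if not self.fresh(n1, now):
            return None
        acct, dist = min(((k, math.dist(b, v["template"]))
                          for k, v in self.accounts.items()),
                         key=lambda kv: kv[1], default=(None, math.inf))
        if acct is None or dist > THRESHOLD:
            return None          # no registered user is close enough to b
        self.pending[term] = (acct, a)
        return derive_m(self.accounts[acct]["seed"], now), now

    def authenticate(self, term, pin, n3, now):
        """Steps 16 to 18: check n3 and PIN against PIN', then charge a."""
        acct, a = self.pending.pop(term, (None, 0))
        if acct is None or not self.fresh(n3, now):
            return False
        rec = self.accounts[acct]
        if not hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False
        self.charges.append((acct, a))
        return True


def run_protocol(verifier, term, a, b, user_seed, pin, now, replay_n1=None):
    """Terminal-side driver for Fig. 2; returns where the run stopped.

    user_seed=None models an adversary who ignores m' (has no seed to check it
    against); replay_n1 re-sends an earlier nonce instead of a fresh one."""
    n1 = replay_n1 if replay_n1 is not None else now     # step 3
    reply = verifier.identify(term, a, b, n1, now)        # step 4
    if reply is None:
        return "rejected_at_5_or_6"
    m_prime, n2 = reply
    if abs(now - n2) > WINDOW:                            # step 9
        return "stale_n2"
    if user_seed is not None and m_prime != derive_m(user_seed, now):
        return "terminal_not_authenticated"               # step 12 fails: abort
    if not verifier.authenticate(term, pin, now + 1, now + 1):   # steps 13 to 17
        return "pin_rejected"
    return "authorised"                                   # step 18
```

A false match shows the user someone else's m′ and the run stops before the PIN is revealed; a replayed n1 or a guessed PIN stops the run on the verifier side without a charge.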
V. D ISCUSSION the timestamps used as nonces to strengthen the assertion
of freshness with an independent factor. A sophisticated
Convenience. Our scheme enables the user to make a adversary could still fabricate the entire environment, but each
payment without needing to carry any form of cash, payment step would increase the effort required of the adversary and
card, or user device (although he may need to consult his present a potential point of failure for an attack.
user device to verify m, depending on how it has been Privacy Risk Mitigation. The use of a visual channel—
implemented). Furthermore, since the user is identified as especially when collecting peripheral information—poses a
part of the process, any relevant status checks can be made risk to the privacy of the user. Any images sent to the verifier
automatically against the information held on record. This should have their utility weighed against their potential impact
means that the user does not need to carry loyalty cards, on privacy. Countermeasures to mitigate privacy leakage
discount coupons, or proof of age or membership—as these from images include reducing the resolution and blurring
can all be applied upon identification. unnecessary details before sending. To protect the biometric
For security, we have assumed that seeded random string data of the user, biometric traits should only be processed
generators on the user device and the verifier generate a fresh locally on the terminal and should be obscured from any
m every minute. To improve usability, an implementation images sent to the verifier.
of the scheme might consider ways to increase the size of
the interval between changes of m to free the user from VI. R ELATED W ORK
the requirement that he must carry a user device during the Identification-based Systems. With regard to the use of
authentication phase. This could include the use of message biometric identification as part of an authentication system,
templates, along with shapes or colours to increase the some payment providers have trialled the technique with
message space, so that what needs to be memorised is more the promise of improved convenience for the user. Smile-to-
user-friendly, rather than a random string. For example, the Pay [6], developed by Ant Financial for AliPay, uses a 3D
system might allow the user to create or select a rule pertaining camera to capture the user’s facial likeness, perform liveness
to the structure of an expected message that is valid for a day, detection, and identify the user within 2 seconds. The system
then the verifier would randomly generate a fresh string every then sends a verification request to the user’s smartphone
transaction that satisfies the rule so that the user only needs to verify that it fits the template (e.g., ‘a valid 5-letter word followed by a green triangle’). The user would then memorise the rule before a shopping session and not need to further consult his user device. The adversary could replay such a message to perform a phishing attack, but not at scale, so the gains in usability may be worth the risks to security.

Asymmetrical Channel. The visual channel enables asymmetric communication, as the capabilities required for sending information are different to those required for receiving it. Each party can either display to or read from the channel depending on its capabilities. This means that there are constraints on what each party can do to each other and parts of the system can be restricted to unidirectional communication. Our scheme leverages this property in Steps 1 and 2, where the user presents his biometric trait and the terminal can only read it, and in Steps 10 and 11, where the terminal displays m′ and the user can only choose whether or not to verify it.

Contextual Awareness. The capabilities that can be used to read information from the visual channel can also collect incidental information from the surrounding environment. Depending on its position, the camera on the terminal can capture additional information around the user that could be used to facilitate advanced fraud detection techniques, such as verifying that the terminal is operating in the expected environment. An implementation of the scheme might leverage this property by passing an image of the scene to the verifier; expected objects, markers, or lighting effects could be placed in the environment as a form of signature, or a clock could be placed in the environment such that the time captured in the image could be extracted and cross-checked with

that requires a timely response to verify the match. Biometric Checkout Program [9], developed by Mastercard, operates in a similar manner, allowing the user to identify himself to the terminal over a visual channel using either his face or palm. Both of these systems require a user-to-verifier connexion to verify the match. To the best of our knowledge, we are the first to propose the use of biometric identification to facilitate mutual authentication and to do so without requiring a user-to-verifier connexion.

Visual Channel. With regard to the use of a visual channel, some existing mobile payment systems have explored the use of a QR code to pass information between a user device and the terminal. In Yoyo Wallet [18], the user must first authenticate to a smartphone application using a PIN and can then access a QR code that contains tokenised payment information. To make a payment, the QR code is shown to the terminal over a visual channel and can be used up to three times before it expires. When the user’s smartphone next connects to the Yoyo cloud server, where the user’s virtual wallet is stored, a new QR code is downloaded. The limited number of uses per QR code mitigates the damage from theft, but makes this payment system more dependent than typical tap-and-pay systems on a user-to-verifier connexion between transactions. WeChat [17] and AliPay [1], both widely used payment systems in China, support the use of QR codes and barcodes to transfer information. VisAuth [15] embeds information into an image as a robust watermark to send it over a visual channel. However, the system state on the user device can become desynchronised from that on the verifier—while the authors describe this as a benefit, since it unavoidably draws attention to an attack, it can also happen if the protocol
is interrupted at various steps, providing plausible deniability to an attacker and making the wider scheme impractical. All of these systems transfer confidential information over a visual channel, whereas we transfer authentication information. Our scheme makes broader use of the visual channel by observing the user’s biometric trait(s) to identify him to the verifier, where his payment information is stored, rather than encoding the payment information directly into a visual token.

Smart city transport networks, such as Oxford SmartZone [13], enable bus tickets to be purchased in advance and delivered as QR codes to the user’s smartphone application. Instead of buying a ticket from the driver, the user presents the QR code to a terminal on the bus to expedite boarding. In this case, a product, rather than the user, is being authenticated, so the threat model primarily considers theft. The user can only be logged in to one device at a time to prevent account-sharing on multiple devices and the screen contains additional, animated elements that are verified by the terminal to prevent token-sharing using a screenshot.

Mutual Authentication. With regard to mutual authentication, related works in the field of mobile cloud computing have focused on the mutual authentication of the user device and the verifier in a general setting without consideration for any other components that might be involved in the system, such as the point-of-sale terminal in our case, that also need to be authenticated before the user should be expected to reveal any secret information. Dey et al. [2] proposed a scheme that relies on the location of the user device and the current time at the verifier, and so requires a persistent user-to-verifier connexion. Other works [10, 12, 14] have proposed schemes in which mutual authentication is achieved via a trusted third party. These schemes require there to be a persistent connexion between the user device and the third party from the start of the transaction. We have sought to avoid this for the same reason that we avoid a user-to-verifier connexion.

VII. CONCLUSION

In this paper, we proposed and analysed a novel mobile payment scheme based on biometric identification that operates over a visual channel. We showed that our scheme (i) requires no specialised hardware, imposing only minimal requirements on the terminal that can be satisfied by most commercially available smartphones and tablet computers, to ease deployment, (ii) requires no user-to-verifier connexion during the authentication phase, such that it remains usable regardless of wireless connectivity, and (iii) mutually authenticates the terminal and the verifier to the user before he is asked to reveal any secret information to authenticate himself. We explored the properties that a visual channel provides and we showed that our scheme is extensible in various ways depending on the needs of the wider system in which it is implemented. Furthermore, our scheme provides a number of conveniences to the user, such as not having to carry any payment or loyalty cards, and provides resistance against phishing, replay, relay, and presentation attacks.

ACKNOWLEDGEMENT

This work was supported by Mastercard and the Engineering and Physical Sciences Research Council [grant number EP/P00881X/1]. The authors would like to thank these organisations for their support.

REFERENCES

[1] AliPay. https://wglobal.alipay.com/products/spot (https://archive.vn/NU14f), 2017.
[2] S. Dey, Q. Ye, and S. Sampalli. “AMLT: A Mutual Authentication Scheme for Mobile Cloud Computing”, IEEE International Conference on Internet of Things (iThings), IEEE Green Computing and Communications (GreenCom), IEEE Cyber, Physical and Social Computing (CPSCom), and IEEE Smart Data (SmartData), 2018.
[3] T. P. Diakos, J. A. Briffa, T. W. C. Brown, and S. Wesemeyer. “Eavesdropping Near Field Contactless Payments: A Quantitative Analysis”, The Journal of Engineering, 2013.
[4] J. H. Huh, S. Verma, S. S. V. Rayala, R. B. Bobba, K. Beznosov, and H. Kim. “I Don’t Use Apple Pay Because It’s Less Secure...: Perception of Security and Usability in Mobile Tap-and-pay”, Workshop on Usable Security (USEC), 2017.
[5] H. Kortvedt and S. Mjolsnes. “Eavesdropping Near Field Communication”, The Norwegian Information Security Conference (NISK), 2009.
[6] A. Lee. “Alipay Rolls Out World’s First ‘Smile to Pay’ Facial Recognition System at KFC Outlet in Hangzhou”, https://www.scmp.com/tech/start-ups/article/2109321/alipay-rolls-out-worlds-first-smile-pay-facial-recognition-system-kfc (https://archive.vn/r0yTR), 2017.
[7] L. Francis, G. Hancke, K. Mayes, and K. Markantonakis. “On the Security Issues of NFC-enabled Mobile Phones”, International Journal of Internet Technology and Secured Transactions, 2010.
[8] C. Marforio, R. J. Masti, C. Soriente, K. Kostiainen, and S. Čapkun. “Evaluation of Personalized Security Indicators as an Anti-phishing Mechanism for Smartphone Applications”, CHI Conference on Human Factors in Computing Systems (CHI), 2016.
[9] Mastercard. “With a Smile or a Wave, Paying in Store Just Got Personal”, https://www.mastercard.com/news/press/2022/may/with-a-smile-or-a-wave-paying-in-store-just-got-personal (https://archive.vn/Rm23Z), 2022.
[10] E. Munivel and A. Kannammal. “New Authentication Scheme to Secure against the Phishing Attack in the Mobile Cloud Computing”, Security and Communication Networks, 2019.
[11] S. J. Murdoch, S. Drimer, R. Anderson, and M. Bond. “Chip and PIN Is Broken”, IEEE Symposium on Security and Privacy (S&P), 2010.
[12] O. O. Olakanmi and S. O. Oke. “MASHED: Security and Privacy-aware Mutual Authentication Scheme for Heterogeneous and Distributed Mobile Cloud Computing Services”, Information Security Journal: A Global Perspective, Vol. 27, 2018.
[13] Oxford Bus Company. “Mobile Ticketing Technology Launched for Oxford SmartZone”, https://www.oxfordbus.co.uk/press-release-oxford-smartzone-app (https://archive.vn/IS3Vk), 2022.
[14] A. T. Purnomo, Y. S. Gondokaryono, and C.-S. Kim. “Mutual Authentication in Securing Mobile Payment System Using Encrypted QR Code based on Public Key Infrastructure”, IEEE International Conference on System Engineering and Technology (ICSET), 2016.
[15] J. Sturgess and I. Martinovic. “VisAuth: Authentication over a Visual Channel Using an Embedded Image”, International Conference on Cryptology and Network Security (CANS), 2017.
[16] Tangerine. “DoubleSafe: Your Picture, Your Phrase”, https://www.tangerine.ca/en/security (https://archive.vn/rjbOp), 2017.
[17] WeChat. “WeChat Pay”, https://pay.weixin.qq.com/index.php/public/wechatpay (https://archive.vn/nxbi3), 2017.
[18] Yoyo. https://www.yoyowallet.com/support.html (https://archive.vn/FYksa), 2017.
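As an added illustration of the Contextual Awareness idea discussed above (example code written for this page, not part of the paper or of any implementation of the scheme): a verifier-side cross-check of a scene image against a registered environment signature, combining the expected-markers check with the clock cross-check. The terminal registry, the marker names, the 90-second tolerance and the report format are all assumptions; the paper defines none of them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical per-terminal signature of the expected environment (not from the paper).
@dataclass(frozen=True)
class EnvironmentSignature:
    expected_markers: frozenset  # objects, markers or lighting effects placed in the scene
    clock_tolerance: timedelta   # allowed skew between the scene clock and the verifier's clock

# What the verifier extracts from the scene image a terminal passes to it (assumed format).
@dataclass(frozen=True)
class SceneReport:
    terminal_id: str
    markers_seen: frozenset
    clock_reading: Optional[datetime]  # time read from the clock in the image; None if unreadable
    received_at: datetime              # verifier's own clock when the image arrived

@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)  # every failed check, for the verifier's log

# Constructed registry: one terminal, three expected markers, 90 s clock tolerance.
REGISTRY = {"T-001": EnvironmentSignature(
    frozenset({"marker_A", "marker_B", "blue_light"}), timedelta(seconds=90))}
SAMPLE_NOW = datetime(2022, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

def report(terminal_id, markers, clock_offset_s, now=SAMPLE_NOW):
    """Constructed SceneReport whose scene clock reads clock_offset_s seconds behind the
    verifier's clock (None models an unreadable clock)."""
    reading = None if clock_offset_s is None else now - timedelta(seconds=clock_offset_s)
    return SceneReport(terminal_id, frozenset(markers), reading, now)

def check_scene(rep: SceneReport, registry=REGISTRY) -> Decision:
    """Verifier-side cross-check of a scene report against the registered signature."""
    sig = registry.get(rep.terminal_id)
    if sig is None:
        return Decision(False, ["unknown terminal"])
    reasons = []
    missing = sig.expected_markers - rep.markers_seen  # extra objects (the customer) are fine
    if missing:
        reasons.append("missing markers: " + ", ".join(sorted(missing)))
    if rep.clock_reading is None:
        reasons.append("scene clock unreadable")  # fail closed rather than skip the check
    else:
        skew = abs(rep.received_at - rep.clock_reading)
        if skew > sig.clock_tolerance:  # a replayed or stale image carries an old clock reading
            reasons.append(f"clock skew {int(skew.total_seconds())}s exceeds tolerance")
    return Decision(not reasons, reasons)
```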