TY - GEN
T1 - Authentication and transaction verification using QR codes with a mobile device
AU - Chow, Yang Wai
AU - Susilo, Willy
AU - Yang, Guomin
AU - Au, Man Ho Allen
AU - Wang, Cong
PY - 2016/1/1
Y1 - 2016/1/1
N2 - User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks to the system. In addition, this paper analyzes the security of the propose scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions.
AB - User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks to the system. In addition, this paper analyzes the security of the propose scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions.
KW - Authentication
KW - Mobile device
KW - One-Time-Password (OTP)
KW - QR code
KW - Transaction integrity
KW - Transaction verification
KW - Transaction-Authentication-Number (TAN)
UR - http://www.scopus.com/inward/record.url?scp=84996798736&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-49148-6_36
DO - 10.1007/978-3-319-49148-6_36
M3 - Conference article published in proceeding or book
SN - 9783319491479
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 437
EP - 451
BT - Security, Privacy, andAnonymity inComputation, Communication, and Storage - 9th International Conference, SpaCCS 2016, Proceedings
PB - Springer Verlag
T2 - 9th International Conference on Security, Privacy, and Anonymity in Computation, Communication and Storage, SpaCCS 2016
Y2 - 16 November 2016 through 18 November 2016
ER -