Abstract
User authentication and the verification of online transactions performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe an adversarial model that captures the possible attacks on the system. In addition, this paper analyzes the security of the proposed scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats, including password stealing, man-in-the-middle, and man-in-the-browser attacks. We note that our technique is applicable to many practical applications, ranging from standard user authentication implementations to protecting online banking transactions.
Notes
1. In practice, we need to employ a CCA-secure public key encryption as part of the protocol.
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Chow, Y.-W., Susilo, W., Yang, G., Au, M.H., Wang, C. (2016). Authentication and Transaction Verification Using QR Codes with a Mobile Device. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds.) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol. 10066. Springer, Cham. https://doi.org/10.1007/978-3-319-49148-6_36
DOI: https://doi.org/10.1007/978-3-319-49148-6_36
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49147-9
Online ISBN: 978-3-319-49148-6