Biometric Security Mechanism In Mobile Payments

Michael Gordon
Mona Institute of Applied Science, University of West Indies,
Kingston, Jamaica
& Dr. Suresh Sankaranarayanan
Department of Computing, University of West Indies,
Kingston, Jamaica
Speaker: 林純智 (M9990212, master's program, first year, class A)
1. Introduction

Mobile commerce (m-commerce) refers to
all purchases made using mobile wireless
devices such as smart phones and PDAs.
In countries like Japan, cell phone
usage is already a major purchasing method.
Individuals already purchase ringtones,
media and small applications from
manufacturers such as Apple.

Mobile commerce can be done using
applications that send SMS text messages
towards a payment, or using NFC (near field
communication), in which the phone is
swiped against a purchasing station.
One must satisfy the following requirements,
viz. identification, non-repudiation, data
integrity and confidentiality.

Many PDAs and cell phones these days come
with finger print scanners. AuthenTec and
LG have created a cell phone, the LP3550.
It is found that the finger print is a powerful
mechanism in biometric authentication.

Wireless network security protocols and
encryption methods are notoriously weak
and are easily cracked. It is suggested that
m-commerce channels be supported by VPN
or public key methods used to share
symmetric keys at the start of each session.
2. Security in Mobile Payment Systems

The present security issues surround the
loss of personal information through the
theft of the cell phone. The use of biometrics
has virtually eliminated the possibility of
someone gaining access to a third party's
cell phone directly.

Similarly, other authentication information
such as logins and passwords should not be
stored on the cell phone, but gathered at
run time.

The possibility of a man-in-the-middle
attack at NFC terminals or WAP gateways
is of great concern, as these wireless
protocols are known to be weak. The WAP
gateway provides encryption between the
gateway and the client; the gateway has to
be authenticated to prevent a fake gateway
being placed in a public hotspot by a
perpetrator.

Similarly, GSM networks, which use SIMs,
are vulnerable, as SIMs can be cloned and fake
base stations can be used to gather or adjust
packet communication.

Security at the server is also paramount; a
fraudulent employee could remove or adjust
fingerprint templates, passwords or
customer information. It is important that
public and private keys be held in a secure
password protected location on the server.
3. Secured Finger Print based Mobile Payment

Our solution involves the use of a biometric
authentication mechanism. Our software
would be installed onto a device that has a
supporting finger print scanner.
The finger print template would be captured
on the phone and compared against a stored
template on a database server. A finger print
is unique to any one user and so it cannot be
easily duplicated.

We do not intend to store any
authentication or processing information on
the phone.
A PKI (public key infrastructure) provides the
strongest known method of security.

A hash will be created to ensure that a thief
will not be able to capture the finger print in
its raw form. Similarly finger prints are not
stored on the database in their raw form but
as hashes.
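1. Enter the credit card information
2. Create the finger print template
3. Open an SSL connection and obtain the public key
4. Obtain a timestamp and digital signature
5. Hash the finger print template
6. Encrypt the hashed template and the credit card information with the public key and send them to the server
7. Customer identity verification
8-1. Display a verification failure message
8-2. Display a verification message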
4. Implementation details

The implementation of the biometric security
mechanism is targeted at Java-enabled
platforms that support CLDC using MIDP
form.
The tools used include:
• SUN Microsystems Java Wireless Toolkit.
• Bouncy Castle Lightweight Cryptography
package.


The information collected includes
• Firstname
• Lastname
• Address
• Credit Card Number
• Security Code
• Expiration Date
• Signature - this is an image file which is assumed to be
loaded onto the phone by the user or at the bank.
• The finger print is to be scanned using an embedded
finger print scanner or an attached device.

During a transaction, the credit card
information, i.e. the credit card number,
security code and expiration date, is
encrypted using a public key received from
the bank. As mentioned, the finger print is
never stored on the phone but is hashed
directly into a class on the device using a
SHA digest of 512 block size. The signature
is also hashed using SHA of 512.
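
Added example, not code from the original slides: steps 4 to 6 of the flow (timestamp, SHA-512 of the template, encryption under the bank's public key) followed by the server-side check, with a per-session AES key wrapped by the public key as suggested in the introduction. It uses the standard Java SE crypto API rather than the Bouncy Castle lightweight API; the locally generated key pair, AES-GCM, RSA-OAEP, the 30-second freshness window and all sample values are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class PaymentEnvelope {
    public static void main(String[] args) throws Exception {
        // Stand-in for the bank's key pair. A real client holds only the public
        // half, taken from the certificate validated on the SSL connection (step 3).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair bank = kpg.generateKeyPair();

        // Constructed sample inputs (the card number is a well-known test value).
        byte[] template = "constructed-minutiae-template".getBytes(StandardCharsets.UTF_8);
        byte[] card = "4111111111111111|123|12/30".getBytes(StandardCharsets.UTF_8);

        // Steps 4-5: take a timestamp, then hash the template with SHA-512.
        long ts = System.currentTimeMillis();
        byte[] digest = MessageDigest.getInstance("SHA-512").digest(template);
        byte[] payload = ByteBuffer.allocate(8 + digest.length + card.length)
                .putLong(ts).put(digest).put(card).array();

        // Step 6: fresh AES key per session; payload under AES-GCM,
        // session key wrapped with the bank's public key (RSA-OAEP).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal(payload);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, bank.getPublic());
        byte[] wrappedKey = rsa.wrap(session);

        // Server side: unwrap the session key, decrypt (GCM also verifies
        // integrity), then reject stale timestamps to limit replay.
        rsa.init(Cipher.UNWRAP_MODE, bank.getPrivate());
        SecretKey k = (SecretKey) rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, iv));
        ByteBuffer in = ByteBuffer.wrap(aes.doFinal(ciphertext));
        long age = System.currentTimeMillis() - in.getLong();
        byte[] gotDigest = new byte[64];
        in.get(gotDigest);
        System.out.println("fresh=" + (age >= 0 && age < 30_000)
                + " digestMatches=" + MessageDigest.isEqual(gotDigest, digest));
    }
}
```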

Where there is a 97% match, it is assumed
that this is the finger print of the client. The
signature is treated in a similar fashion.
If both the finger print and the signature
match, then the purchase is authorized. The
system will be further secured with a login
and password.
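
Added example, not part of the original slides: a practitioner implementing the 97% threshold should note that it has to be computed by a matcher over template features, because SHA-512 digests of two near-identical templates agree on only about half of their bits and support an equal/not-equal test only. The 512-byte pseudo-random array standing in for a template and the bit-flip pattern standing in for sensor noise are constructed assumptions.

```java
import java.security.MessageDigest;
import java.util.Random;

public class HashMatchDemo {
    // Percentage of bit positions on which two equal-length byte arrays agree.
    static double bitAgreement(byte[] a, byte[] b) {
        int same = 0;
        for (int i = 0; i < a.length; i++) {
            same += 8 - Integer.bitCount((a[i] ^ b[i]) & 0xFF);
        }
        return 100.0 * same / (a.length * 8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an enrolled template.
        byte[] enrolled = new byte[512];
        new Random(42).nextBytes(enrolled);

        // A later scan of the same finger: flip one bit in every 32nd byte
        // to imitate small capture differences.
        byte[] rescan = enrolled.clone();
        for (int i = 0; i < rescan.length; i += 32) {
            rescan[i] ^= 0x01;
        }

        MessageDigest sha = MessageDigest.getInstance("SHA-512");
        byte[] h1 = sha.digest(enrolled);
        byte[] h2 = sha.digest(rescan);

        // The templates stay well above a 97% threshold; the digests do not.
        System.out.printf("templates agree on %.1f%% of bits%n",
                bitAgreement(enrolled, rescan));
        System.out.printf("SHA-512 digests agree on %.1f%% of bits%n",
                bitAgreement(h1, h2));
        System.out.println("digests equal: " + MessageDigest.isEqual(h1, h2));
    }
}
```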
5. Conclusion

For such mobile payments, we have until now
been using only information like credit card,
signature and so on. These security
mechanisms are still not secure.
So we have here introduced a biometric
mechanism, the finger print, that gives a
better level of security for mobile
payment systems.
In future we propose to interface the
fingerprint scanner with the mobile phone for
validating too.
Google Wallet

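On the 26th (US time), Google announced the
launch of a mobile e-wallet service. Consumers
using Android smartphones can pay for
purchases or redeem coupons simply by tapping
the phone on a terminal at the checkout counter.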

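According to a California Superior Court filing,
Google and two former PayPal executives now
working at Google, Stephanie Tilenius and Osama
Bedier, are alleged to have stolen trade secrets
relating to mobile payment technology.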

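PayPal and Google had previously spent two years
negotiating an e-wallet application for Android
phones. Google deliberately set up obstacles that
caused the negotiations to fail, then hired the
negotiator, Bedier, and designed a product that
competes with PayPal.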
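Introduction to Google Wallet

Put simply, Google's e-wallet technology lets
users store their personal credit card information
and the like in "Google Wallet" on a smartphone
and, through the promotions of "Google團購"
(Google group buying), receive all kinds of
discount coupons from merchants. After shopping,
the user only needs to wave the phone in front of
the payment terminal to complete the discount and
payment, and earns reward points as well.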
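Google Wallet partners

Google Wallet currently works with "Citi
MasterCard", with purchases made through
MasterCard's existing payment platform. Fifteen
US retailers have become the first "Google Wallet"
partner merchants, including department stores,
fast-food restaurants and pharmacies.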
PAYPAL

• Has 87 million active accounts
• Accounts grew by 3 million in the second quarter
• Net profit of US$817 million
• Accounts for 37% of eBay's revenue

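PayPal is optimistic about the prospects for
micropayments and plans to launch a new service
that makes it easier for consumers to buy
low-priced digital goods online, including paid
articles and virtual items in online games.
PayPal president Thompson said the service will
launch by the end of this year, letting merchants
collect micropayments of less than US$1. He pointed
out that buying a 49-cent virtual sword online
currently requires first purchasing US$5 or US$10
of credit and then spending it; PayPal plans to
aggregate micro-purchases and bill the consumer
once they accumulate to US$10.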
Conclusion

• The phone must have an NFC (Near Field
Communication) chip
• A new generation of plastic money
• Brings people a more convenient life
Google Wallet on Youtube