978-1-4799-2764-7/13/$31.00 ©2013 IEEE
2013 6th International Congress on Image and Signal Processing (CISP 2013)
Biometrics for Securing Mobile Payments: Benefits, Challenges and Solutions
Wencheng Yang, Jiankun Hu*
School of Engineering and Information Technology
University of New South Wales at Canberra
Canberra, Australia
Song Wang
School of Engineering and Mathematical Sciences
La Trobe University
Victoria, Australia
Jucheng Yang
College of Computer Science and Information Engineering
Tianjin University of Science and Technology
Tianjin, China
Lei Shu
Lab. of Petrochemical Equipment Fault Diagnosis
Guangdong University of Petrochemical Technology
Guangdong, China
Abstract—In this paper, we aim to shed some light on the benefits
and challenges brought about by using biometrics for securing
mobile payments. Some potential solutions to address the
challenges are also proposed and analyzed. Our analysis shows
that biometric cryptosystems are a suitable choice for protecting
biometric templates and enabling seamless integration with
existing password-based payment systems. Moreover, employing
stable feature sets or multimodal biometrics can improve the
recognition accuracy of biometric-based mobile payment systems.
Finally, to provide security for mobile payment systems, we
propose a secure mobile payment infrastructure which combines a
biometric cryptography module with a time-synchronized
one-time password (TOTP) encryption module.
Keywords-Mobile payments, biometric authentication,
fingerprint, template protection, system integration
I. INTRODUCTION
A. Mobile Payments
Mobile devices such as smart phones no longer serve only for
simple voice or short message communication; they have become
more powerful than ever. More and more people, especially
youths, own a smart phone, e.g., an iPhone, and keep it in hand
for most of their daily life. As wireless network technology
evolves into 4G and LTE, it offers faster data transmission and
better network stability. Consumers can purchase goods simply
by tapping their mobile phone on a reader. Mobile payments are
being used worldwide, and there is even speculation that the
combined market for all types of mobile payments may exceed
that of wireline commerce in the foreseeable future.
B. Traditional Authentication in Mobile Payments
In mobile payments, the core is authentication, which becomes a
critical concern in the mobile wireless environment.
Traditional authentication methods are based on “what you
know”, e.g., passwords or PINs, and/or “what you have”, e.g.,
tokens. The user of a mobile device is granted access when
he/she inputs a correct password or taps a genuine token.
However, both methods suffer from some weaknesses [1-3]:
• First, passwords are hard to manage. A short password is
easy to recall but also easy for an adversary to guess or
break via brute force attacks. A long password can provide
strong security, but it is difficult to remember, especially
when there are different passwords for different accounts.
• Second, tokens can be lost or stolen. Most importantly,
neither method can tell whether the presenter of the
password or token is the genuine user.
C. Biometric Authentication in Mobile Payments
Biometric authentication uses some unique biometric features,
e.g., fingerprint, finger vein, face, palm print, or gait, to
achieve authentication in a more trustworthy manner. A standard
biometric authentication system requires two stages, namely,
the enrollment stage and the authentication stage.
Specifically, in the enrollment stage, high quality feature
data are extracted and stored in a database or smartcard as
templates; in the authentication stage, the query data are
likewise extracted and compared with the template data stored
in the database or smartcard to output a match or non-match
decision.
Biometrics in mobile payments is considered to be the next
generation technique, and biometrics-embedded mobile devices
are becoming increasingly popular. For instance, Apple, one of
the largest smart phone makers, has incorporated a fingerprint
scanner in its latest release, the iPhone 5S, and another smart
phone maker, Samsung, has included a facial recognition module
in its Galaxy Nexus phones. In addition to biometric
authentication modules built directly into the smart phone,
accessories that add a biometric scanner, e.g., a fingerprint
scanner, have proven to be
popular. FingerQ, which is a company located in Hong Kong,
*Corresponding author (Email: J.Hu@adfa.edu.au)