A Multi-Factor Security Protocol for Wireless Payment - Secure Web Authentication using Mobile Devices

Previous Web access authentication systems often use either the Web or the Mobile channel individually to confirm the claimed identity of the remote user. This paper proposes a new protocol using multifactor authentication system that is both secure and highly usable. It uses a novel approach based on Transaction Identification Code and SMS to enforce extra security level with the traditional Login/password system. The system provides a highly secure environment that is simple to use and deploy, that does not require any change in infrastructure or protocol of wireless networks. This Protocol for Wireless Payment is extended to provide two way authentications.

💡 Research Summary

The paper addresses the growing security concerns in web‑based e‑commerce and mobile payment systems, where traditional single‑factor authentication (username and password) is increasingly vulnerable to phishing, key‑logging, and credential reuse attacks. To strengthen authentication without requiring changes to existing network infrastructure, the authors propose a multi‑factor protocol that combines three elements: (1) conventional web login, (2) a Transaction Identification Code (TIC) issued by the bank, and (3) an SMS confirmation step.

A TIC is a short, pseudo‑random, one‑time code (8‑16 bits) generated by the financial institution and stored securely on the user’s mobile device. Unlike typical OTPs that must be typed manually, the user simply selects an unused TIC from a pre‑loaded list, reducing input errors and the risk of shoulder‑surfing. After the user logs in to the merchant’s web site, the server requests a TIC. The selected TIC is encrypted on the client side using a session‑specific symmetric key, which itself is protected by a secret derived from the user’s 64‑bit PIN (hashed with SHA‑1). The encrypted TIC and transaction data are sent to the server, where the server validates the TIC against its database, marks it as used, and discards it to prevent replay.

If the TIC validation succeeds, the server sends an SMS to the user’s registered mobile number. The user replies “YES” to approve or “NO” to reject the transaction. Only a “YES” response triggers the final commitment of the payment. This two‑channel approach (web + mobile) provides “something you know” (password/PIN) and “something you have” (the mobile device receiving the SMS), achieving a higher level of assurance than single‑factor methods.

The protocol also incorporates a hybrid encryption scheme. Public‑key cryptography is used only for the initial exchange of a symmetric session key; the bulk of the data (including the TIC and transaction details) is encrypted with the symmetric key for efficiency. The server generates a fresh secret key for each session, encrypts it with the client’s PIN, and transmits it to the client. The client decrypts the secret key locally and uses it to encrypt the TIC and transaction payload. This design balances security and performance, making it suitable for the limited bandwidth and processing power of mobile devices.

Beyond one‑way authentication (user → server), the authors extend the architecture to support two‑way authentication, where the merchant’s identity is also verified. The merchant presents a digital certificate, and the server validates it before proceeding, thereby mitigating man‑in‑the‑middle attacks and ensuring that the user is interacting with a trusted service provider. This addresses a key weakness of the Secure Electronic Transaction (SET) protocol, which was designed for wired networks and does not provide robust mutual authentication in wireless contexts.

The paper reviews related work, including mobile payment classifications (account‑based vs. POS‑based), the SET protocol, and prior SMS‑based authentication schemes. It highlights that while SET offers strong cryptographic guarantees, it assumes wired infrastructure and lacks adequate user authentication. Existing SMS‑only solutions, on the other hand, do not incorporate a one‑time transaction code, leaving them vulnerable to replay attacks.

Implementation challenges are acknowledged. Secure distribution and storage of TIC lists require a trusted initial provisioning channel; loss or theft of the mobile device could expose the stored TICs and PIN, necessitating revocation mechanisms. SMS delivery may be delayed or blocked, potentially causing transaction timeouts. The server must maintain a reliable, tamper‑proof database of issued TICs and manage secret keys for each session, which becomes a critical security boundary.

In conclusion, the proposed protocol offers a practical, deployable solution that leverages existing web authentication mechanisms and ubiquitous mobile communication (SMS) to achieve multi‑factor security for wireless payments. It improves usability by allowing users to select pre‑stored TICs rather than typing complex codes, and it enhances resistance to common attacks such as phishing and key‑logging. Future work suggested includes automating TIC provisioning, exploring alternative out‑of‑band channels (e.g., push notifications or dedicated authentication apps) to replace SMS, and standardizing certificate management for the two‑way authentication component.