Peer-to-peer Mobile Payment

Abstract

With the rapid growth of popularity and customer acceptance, more merchants are willing to accept mobile payment at their stores, allowing users to make contactless commerce transaction at a point-of-sale (POS) terminal, a.k.a. a Business-to-Customer (B2C) mobile payment. While these payment applications are broadly accepted in today’s commerce environment, most of the mobile payment applications require a POS terminal to work with. However, for many small-scale businesses like small restaurants, boutiques, food stalls, tuck shops, or pop-up stores, the cost of setting up a mobile payment available POS terminal may make them hesitate. Hence, this project aims to develop a secure QR-code-based peer-to-peer(P2P) mobile payment system, which can also be used by merchants to receive payment only using a mobile phone, as an integration of B2C and P2P payment. QR code-based payment is a popular and most compatible P2P payment compare to NFC-based. However, incidents and attacks on QR code-based payment system are repeatedly happen. In particular a Synchronized Token Lifting and Spending (STLS) attack discovered by Prof. Kehuan Zhang and his Security Research Team from Chinese University. Which an attacker can sniff the QR code token, alter and block the original transaction, and then spend the QR code token while it is still valid (fresh). Time-based QR code is adopt by many QR code-based payment application, however, if the attacker’s attack is fast enough, attacker can still perform the attack. Prof. Zhang and his team purposed a POSAUTH solution, which make the specific token can only be used for this terminal. Attacker will not be able to spend the token at the same terminal before the ongoing transaction is completed, which means the original payer is there. And because the token is one-time, attacker is also not be able to use it later at the same store. The POSAUTH is a very good approach to prevent STLS attack from succeed by binding a one-time token with desire transaction or terminal, and the PID QR code generated and printed by the merchant is not likely being tampered. However, it is more suitable for a B2C situation that payer present the QR code token. In P2P situation, payer presenting QR token or payee presenting a bill QR token. It will requires a extra function to show your UID QR code for the others to generate a token, and if the UID QR code is generated on a mobile phone screen, it becomes more vulnerable to be tampered by malicious software on phone, e.g. attacker’s UID, then the token generated by the opponent is now vulnerable to STLS attack as it can be spent on other transaction. To make binding the QR code to only one transaction suitable for P2P payment, this project proposed to encrypt the QR code token with an Time-based One-Time-Pad (TOTP), which generated on both devices by the user completing certain gesture on both device using two fingers of the same hand simultaneously (gesture-based TOTP generation). The TOTP will has freshness, QR code token can only be used on desire transaction and all data are encrypted. Since most QR code-based offline-payment scheme application on the market only rely on one-time QR code to have reasonable security level, making exchanging a one time key not possible via network. STLS attack will be possible if the QR code is not bind to a single transaction. By the gesture-based TOTP generation, it is an out-of-band way to establish a TOTP on two devices without any key transmission, making the TOTP extra safe. Hence, the gesture-based TOTP generation methodology will be the focus in this project, and it is a creative methodology to be tested. Four gesture-based TOTP generation methodologies are tested in this project, they are the Swirl-Gesture OTP generation, the One-Tap-Timestamp TOTP generation, the Tap-Rhythm TOTP generation, and the Tap-Rhythm-Interval TOTP generation. After implementation and testing back to back, the Tap-Rhythm-Interval TOTP generation is chosen to be the workable and the best approach. Which user needs to use two fingers from the same hand, tap on both device (payer & payee) in a random rhythm. System will record the timestamp, the interval between each tap and the first tap, to create a TOTP. The timestamp can provide freshness as the key cannot be reused or generated afterwards, and it also allow an acceptance window (half of the minimum tapping duration required) to reduce touch response problems. System test and penetration test (shoulder-surfing attack against the gesture-based TOTP generation) are completed on the implemented P2P application, TAP wallet. Result shows that the application is fully functional, and the gesture-based TOTP generation methodology is secure enough to guard against shoulder-surfing attack as it is nearly impossible to follow the tapping rhythm live, and due to timestamp, attacker cannot remember the whole rhythm then perform it neither. Yet, result shows that it is user-friendly enough to give high matching rate for legitimate user.