Abstract

Mobile payment systems are expected to provide more efficient and convenient payment methods. However, compared to traditional payments, mobile payment raises serious challenges related to the security of electronic accounts and payment apps. In this paper, we identify potential security risks by analyzing the commonly used tokenized mobile payment method and put forward a corresponding off-site attack strategy. In this scenario, attackers are not limited to malicious third parties but can also be illegal merchants. To address the off-site attack, especially where the potential attackers may be malicious merchants, we propose SALP, a secure and authenticated payment protocol that uses time and position as necessary conditions for payment confirmation. Furthermore, we leverage identity-based signatures (IBS) to prevent alteration of the information and to reduce the overhead of third-party authentication. We conduct case studies to demonstrate that SALP can effectively prevent the off-site payment attack without a trusted hardware environment. Finally, we argue that SALP brings no additional system overhead and does not degrade the convenience of mobile payment.
