Secure OTP and Biometric Verification Scheme for Mobile Banking

Abstract

Recently, according to the emerging development of smart mobile phones and tablet PC, mobile e-commerce has dramatically increased due to the reason that the function of smart mobile phone and tablet PC are combined together. M-banking is thus become more convenient, effective and timely through the new mobile communication systems. In order to raise the security of M-banking, some banks adopt the one-time password (OTP) to remedy the possible M-banking stealing risk. In the past, the OTP is sent to personal mobile phone. But, currently most of the smart mobile phone can performing M-banking easily. Thus, it gains higher risk of information security due to mobile phone hacking. In order to provide a reliable and secure M-banking process without decrease the convenience concurrently, in the paper one-time password (OTP) and personal biometric have been combined with personal identification and password for verification while M-banking. As the client side initiates a request for M-banking to the server side of a bank that provides M-banking service, the server side will generate an OTP with limited period for registration the M-banking and transmit to the client side. After receiving the OTP message, the client side must verify if the OTP message is validation and provided by the desired real server side. After then, the client side will register the on-line M-banking with the OTP in the specified short period. After receiving the service request, the server side will then request the client side to capture personal biometric such as fingerprint, iris, photo, and etc. immediately for further verification with the existed data stored in the server side to prevent the M-banking embezzling. If the personal biometric has been verified as an old one, the M-banking will immediately terminated by the server side. As the verification is finally done by the server side, the client side then can perform transaction via M-banking smoothly. The proposed scheme not only can provide secure M-banking, but also can clearly define the process. Therefore, if there are any M-banking arguments occurred due to Internet hacking or mobile phone stealing for M-banking, both of the server side and client side could protect their rights and interests.