Transaction authentication using HMAC-based one-time password and QR code

Abstract

Conducting financial transactions over the Internet has been widely adopted due to the convenience and usability. However, conducting financial transactions via the Internet may be subjected to many types of attacks including password attacks, malware, phishing, and other unauthorized activities. Many banks have enhanced their security by using One-Time Password (OTP) as another authentication method in addition to traditional username and password. The OTP may be sent to the mobile phone number of the account owner via SMS. Even with the enhanced security measure, internet banking is still vulnerable to different types of attacks such as online phishing. We propose, design, and implement a transaction authentication scheme using HMAC-based mobile OTP and QR Code. Our scheme is resilient to known attacks including, but not limited to, eavesdropping, replay, message modification, and phishing.