2009 International Conference on Availability, Reliability and Security (2009)
Fukuoka Institute of Technology, Fukuoka, Japan
Mar. 16, 2009 to Mar. 19, 2009
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ARES.2009.96
The security of electronic transactions depends on the security of the user's terminal. An insecure terminal may allow an attacker to create or manipulate transactions. Several techniques have been developed that help to protect transactions performed over insecure terminals. TAN codes, security tokens, and smart cards prevent an attacker who obtained the user's password from signing transactions under the user's identity. However, usually these techniques do not allow a user to assert that the content of a transaction has not been manipulated. This paper contributes with the QR-TAN authentication technique. QR-TANs are a transaction authentication technique based on two-dimensional barcodes. Compared to other established techniques, QR-TANs show three advantages: First, QR-TANs allow the user to directly validate the content of a transaction within a trusted device. Second, validation is secure even if an attacker manages to gain full control over a user’s computer. Finally, QR-TANs in combination with smart cards can also be utilized for offline transactions that do not require any server.
secure transactions, transaction authentication, QR codes, TAN codes, trusted device
Guenther Starnberger, Lorenz Froihofer, Karl M. Goeschka, "QR-TAN: Secure Mobile Transaction Authentication", 2009 International Conference on Availability, Reliability and Security, vol. 00, no. , pp. 578-583, 2009, doi:10.1109/ARES.2009.96