30-11-2012, 04:04 PM
Combining Biometric ID Cards and Online Credit Card Transactions
Abstract
Internet shopping, a strong alternative to
traditional “go, see, touch and buy” shopping, has been one of
the most used facilities of the Internet. Several online shopping
systems serve internet users all around the world and enable
people to get the products they need with a small effort. Internet
shopping can be considered as “see and buy” retailing. While
the “see” part is implemented by the expertise and imagination
of web designers, different payment schemes have been devised
for the “buy” part. The most used media are online credit card
transaction systems. Several different methodologies have been
developed for credit card transactions. However, research has
shown that most internet users do not fully trust credit card
payment systems because of financial risks such as loss of
money. Various approaches have been tried in order to
gain consumers’ trust in credit card transactions.
INTRODUCTION
Internet shopping is one of the most popular uses of the
internet. As internet technology evolves, more advanced
online systems are developed and use of those systems
increases dramatically. Every day, Internet users all around
the globe browse merchant Web sites to buy products and
services [1]. Users browse the online stores and obtain
their needs with minimum effort compared to traditional
retailing systems. The difference lies in the manner of
payment: whereas consumers use a POS device to pay
with their credit cards in offline retailing, they
provide their personal data together with credit card
details over the Internet in order to complete an online
payment. However, most people are reluctant to give
such details because of financial risks. To quantify
customers’ perceptions of the different risks
of internet shopping, S. M. Forsythe and B. Shi [2]
analyzed a data set from the Graphic, Visualization,
and Usability (GVU) Center at the Georgia Institute of
Technology. In the analysis of the public survey, which
was conducted with 5645 participants, 23% of the
participants mentioned financial risk (i.e., risk
regarding loss from online credit card usage) [2] in
internet shopping. Spoofing, phishing, intrusion, possible
malicious changes to the data sent over the wire, denial of
service (DoS), and overcharging of customers [3] are
financial risks that discourage internet users from
shopping online with their credit cards.
PRIOR RESEARCH
The deficiencies of e-commerce transactions have
driven people to research new methodologies. One
such methodology is Visa’s “Verified by Visa” [7]
program, which was then adopted by MasterCard as
“MasterCard SecureCode” [8] and by JCB International
as “J/Secure” [9]. This program introduces a password
protection mechanism to online credit card transactions.
The approach is based on a protocol called 3D Secure. In
this protocol, the credit card issuer bank approves the
fund transfer after authenticating the cardholder via a
previously defined password, for which the user is
prompted during an online credit card transaction.
However, although the system is easy to use, especially for
users, the password approach that gives the protocol its
strength has also become its weakness because of
phishing and key loggers [10]. The side effect for the user
is having to keep the password secret.
ADVANTAGES OF BIOMETRIC ID CARD IN CREDIT
CARD TRANSACTIONS
A biometric ID card provides multi-factor authentication
(MFA), a security system in which multiple
authenticators are used in order to increase the validity of
identity verification. Some of those authenticators are
passwords, tokens, keys, cards and biometrics.
Authentication factors for MFA are usually grouped into
these three categories: 1) what you know (e.g.,
password), 2) what you have (e.g., token), and 3) who
you are (e.g., biometric) [4]. Combining these
categories decreases the vulnerability that arises when
each authenticator is used alone in an authentication
scenario. In other words, hacking one’s secret password
is easier than hacking the password and fingerprint
together. Thereby, multi-factor authentication provides a
more reliable infrastructure than a traditional password
authentication scheme.
A biometric ID card implements the three categories of
MFA as follows: 1) “what you know” is the PIN of the
e-ID card, 2) “what you have” is the smart card that is
issued by the government to the citizen, and 3) “who you
are” is the biometric data of the citizen, which is saved
securely in the smart card or a central database for biometric
authentication and plays the key role in identification.
Because biometrics act as passwords that are physically
bound to the person and need not be memorized, they provide
more reliable identity verification (“Is this person who he
claims to be?”) [5]. Consequently, if the biometric
verification system used is powerful enough, it becomes nearly
impossible to perform an online transaction without the
customer’s knowledge, even if someone somehow steals her
card and PIN.
CONCLUSION
Security in online payment systems has been a wide
research area since the early days of the Internet and
several approaches have been devised by various
organizations. However, there has been no definitive
solution that overcomes the deficiencies in these systems
completely.
Looking at the problem from a different angle, we have
introduced a solution based on the rapidly developing
smart card based biometric ID systems, and given a
sample implementation on the Turkish e-ID system. The
sample implementation is explained with a successful
purchase scenario.
The proposed framework might be used in countries that
use biometric ID cards, with some modifications according
to the specific implementation details of their e-ID
solutions. Although the solution is not global because of
the e-ID system differences for each country, it provides
high security and safety for both the customer and the
merchant in local e-commerce systems.
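The three-factor check described under the advantages of the biometric ID card can be sketched as follows. This is an added example, not code from the paper or from any e-ID system: the `Card` class, the shared HMAC key, on-card matching, the bit-similarity matcher and the 0.90 threshold are all assumptions, and the templates are constructed sample data.

```python
import hmac
import hashlib
import secrets

MATCH_THRESHOLD = 0.90  # assumed: minimum fraction of template bits that must agree

def similarity(a: bytes, b: bytes) -> float:
    """Fraction of equal bits between two equal-length biometric templates."""
    if len(a) != len(b):
        return 0.0
    return 1 - sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

class Card:
    """Constructed stand-in for an e-ID smart card, not a real e-ID interface."""
    def __init__(self, key: bytes, pin: str, template: bytes):
        self._key, self._pin, self._template = key, pin.encode(), template
        self.tries_left = 3

    def sign(self, challenge: bytes, pin: str, sample: bytes):
        """Release a MAC over the challenge only if PIN and biometric both pass."""
        if self.tries_left == 0:
            return None  # card blocked after repeated failures
        pin_ok = hmac.compare_digest(pin.encode(), self._pin)
        bio_ok = similarity(sample, self._template) >= MATCH_THRESHOLD
        if not (pin_ok and bio_ok):
            self.tries_left -= 1
            return None
        self.tries_left = 3
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def authorize(issuer_key: bytes, card: Card, pin: str, sample: bytes, order: bytes) -> bool:
    """Issuer side: fresh challenge bound to the order, approve only on a valid MAC."""
    challenge = secrets.token_bytes(16) + hashlib.sha256(order).digest()
    mac = card.sign(challenge, pin, sample)
    expected = hmac.new(issuer_key, challenge, hashlib.sha256).digest()
    return mac is not None and hmac.compare_digest(mac, expected)

def demo():
    key = secrets.token_bytes(32)              # key shared by issuer and genuine card
    enrolled = bytes(range(32))                # constructed enrolled template
    noisy = bytes([enrolled[0] ^ 1]) + enrolled[1:]  # owner's finger, one noisy bit
    impostor = bytes(255 - b for b in enrolled)      # someone else's finger
    card = Card(key, "4821", enrolled)
    order = b"merchant=shop.example;amount=49.90"
    return (authorize(key, card, "4821", noisy, order),     # owner
            authorize(key, card, "4821", impostor, order),  # thief with card and PIN
            authorize(key, card, "0000", noisy, order),     # wrong PIN
            authorize(secrets.token_bytes(32), card, "4821", noisy, order))  # unknown card key
```

Only the first case is approved; the second is the stolen card and PIN scenario from the text, which fails on the biometric factor alone.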