Cashless payment systems offer many benefits over cash, but also have some drawbacks. Fake terminals, skimming, wireless connectivity, and relay attacks are persistent problems. Attempts to overcome one problem often lead to another - for example, some systems use QR codes to avoid skimming and connection issues, but QR codes can be stolen at a distance and relayed. In this paper, we propose a novel mobile payment scheme based on biometric identification that provides mutual authentication to protect the user from rogue terminals. Our scheme imposes only minimal requirements on terminal hardware, does not depend on wireless connectivity between the user and the verifier during the authentication phase, and does not require the user to trust the terminal until it has authenticated itself to the user. We show that our scheme is resistant against phishing, replay, relay, and presentation attacks.