Scientific article on the topic 'ANALYSIS OF ISSUES RELATED TO BIOMETRIC AUTHENTICATION IN PAYMENT'

ANALYSIS OF ISSUES RELATED TO BIOMETRIC AUTHENTICATION IN PAYMENT. Text of a scientific article in the specialty "Computer and Information Sciences"

CC BY
Keywords
biometric authentication / payment systems / security vulnerabilities / spoofing attacks / biometric data theft / false acceptance / false rejection / replay attacks / man-in-the-middle attacks / privacy concerns / security protocols

Abstract of the scientific article in computer and information sciences; author of the work: Agzamova M.

Biometric authentication is becoming increasingly popular in payment systems due to its ability to provide high security and convenience for users. However, the use of biometric authentication methods comes with a range of vulnerabilities and risks that can compromise the security of both individual users and the system as a whole. This paper examines key issues related to biometric authentication in payment systems, including vulnerabilities, security challenges, and potential solutions for enhancing system resilience against cyberattacks.


Text of the scientific work on the topic "ANALYSIS OF ISSUES RELATED TO BIOMETRIC AUTHENTICATION IN PAYMENT"

ANALYSIS OF ISSUES RELATED TO BIOMETRIC AUTHENTICATION IN PAYMENT

Agzamova M.

PhD student of Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Tashkent, Uzbekistan

https://doi.org/10.5281/zenodo.14029625


Introduction.

As technology continues to advance, biometric authentication is playing an increasingly critical role in payment systems. With the growth of mobile and digital payment platforms, such as Google Pay, Samsung Pay, and Apple Pay, biometrics provides a secure and convenient method for users to authenticate transactions. However, the reliance on biometric authentication raises several security concerns and challenges. The inherent uniqueness and immutability of biometric data (e.g., fingerprints, facial features) introduce significant risks if these data are compromised.

2. Theoretical Background

According to recent reports, fraud levels in retail transactions increased from 1.4% in 2014 to 2.7% in 2021, underscoring the need for enhanced security measures in electronic payment systems. Table 1 provides a comparative analysis of key payment systems and highlights their security measures and vulnerabilities [1].

Table 1. Vulnerabilities in Electronic Payment Systems

| Payment System | Attack Frequency (2021) | Security Measures | Compatibility | Availability |
|---|---|---|---|---|
| Google Pay | 52% (mobile devices) | Tokenization, PIN, fingerprint, pattern | Android, Wear OS | 80+ countries |
| Samsung Pay | 45% | Tokenization, MST, iris scan, fingerprint | Samsung devices | 32 countries |
| Apple Pay | 48% | Face ID, Touch ID, tokenization | Apple devices | 80+ countries |

2.1. Biometric Data Theft

Problem Description

Biometric data, such as fingerprints, facial geometry, or voice characteristics, are permanent and unique identifiers of individuals. In the event of a breach, users cannot reset or change these identifiers like they can with passwords or PINs. This introduces a long-term risk as attackers may exploit stolen biometric data to gain unauthorized access [2].

Causes of Vulnerability

Permanence of Biometric Data: Once compromised, biometric data cannot be replaced or changed.

Storage Vulnerabilities: Biometric data are often stored on devices in secure areas (e.g., Apple Secure Enclave, Android Trusted Execution Environment). However, physical access or exploitation of vulnerabilities can allow attackers to extract this data.

Cloud Storage Risks: Though not common, some systems store biometric templates on cloud servers, increasing the risk of leaks and cyberattacks [3].

Possible Solutions

Local Storage with Hardware Encryption: Storing biometric data in secure modules with robust encryption can help mitigate the risk of data theft.

Cancelable Biometrics: Techniques that allow biometric data to be "reset" or transformed in case of a leak.

Multi-Factor Authentication (MFA): Combining biometric authentication with other authentication factors (e.g., passwords, tokens) to enhance security.

2.2. Spoofing Attacks

Problem Description

Spoofing attacks involve an attacker deceiving a biometric system by using fake biometric data. For example, attackers may use photos, video recordings, or 3D masks to bypass facial recognition systems or create fake fingerprints to trick fingerprint scanners [4].

Causes of Vulnerability

Insufficient Liveness Detection: Some systems lack mechanisms to verify that the biometric data comes from a live person.

Technological Limitations: Less advanced systems may struggle to differentiate between real and fake biometric data due to limited sensor capabilities.

Possible Solutions

Enhanced Liveness Detection: Implementing methods like microcirculation detection, pupil reaction, and facial micro-movements can prevent spoofing.

Multispectral Sensors: Sensors that operate in various spectral ranges make it harder to spoof biometric data.

Hardware and Software Updates: Regular updates to both hardware and software are crucial to counter new spoofing techniques [5].

2.3. False Acceptance and False Rejection

Problem Description

Biometric systems may encounter errors such as false acceptance (FAR) or false rejection (FRR). False acceptance occurs when the system incorrectly grants access to an unauthorized individual, while false rejection denies access to a legitimate user.

Causes of Vulnerability

Similarity of Biometric Traits: Close relatives or identical twins may have similar biometric data, leading to incorrect identification.

Quality of Equipment and Algorithms: Low-resolution sensors or poorly designed algorithms can increase the likelihood of errors.

Possible Solutions

High-Precision Sensors: Utilizing more sensitive equipment to reduce the likelihood of errors.

Improved Recognition Algorithms: Employing machine learning and neural networks to enhance recognition accuracy.

Personalized Systems: Adapting systems to individual users' unique traits and adding supplementary biometric parameters [6].
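The trade-off between the two error types in Section 2.3 can be made concrete by sweeping the matcher's decision threshold. The following is an added example, not code from the paper: it computes FAR and FRR from similarity scores and picks the lowest threshold that keeps FAR within a chosen budget. The scores and function names are constructed for illustration.

```python
def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, i.e. the least FRR for that budget."""
    # FAR only falls as the threshold rises, so the first candidate that fits is the best one.
    for t in sorted(set(genuine) | set(impostor)) + [float("inf")]:
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr


# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.97, 0.62, 0.90, 0.83, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.67, 0.19, 0.73, 0.30, 0.48]

if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR={far:.0%} FRR={frr:.0%}")
    print("FAR budget 0:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

For a payment flow the FAR budget is fixed first, and the resulting FRR determines how often a legitimate user is pushed to a fallback factor.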

2.4. Replay Attacks and Man-in-the-Middle (MitM) Attacks

Problem Description

Replay attacks involve intercepting and reusing biometric data to gain unauthorized access. In MitM attacks, an attacker intercepts and modifies data transmission between the user and the authentication server [7].

Causes of Vulnerability

Weak Data Encryption: Insufficient encryption protocols can allow attackers to intercept and modify biometric data.

Vulnerable Network Infrastructure: Insecure Wi-Fi networks or vulnerable access points can be exploited for MitM attacks.

Possible Solutions

Modern Encryption Protocols: Using up-to-date encryption standards (e.g., TLS 1.3) to secure data transmission.

Digital Signatures and Certification: Verifying device and server authenticity through digital certificates.

Session-Based Authentication: Introducing one-time tokens or time stamps for each authentication session to prevent replay attacks.
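The session-based authentication described in Section 2.4 can be sketched as a challenge-response exchange. This is an added example, not code from the paper: the server issues a one-time nonce with a freshness window, and the device binds its local match result to that nonce and to the transaction, so a captured message cannot be replayed or altered in transit. It assumes a shared HMAC key as a stand-in for a device-bound signing key; `AuthServer`, `device_sign` and the transaction string are hypothetical names and constructed data.

```python
import hashlib
import hmac
import secrets

MAX_AGE_SECONDS = 30  # assumed freshness window for a challenge


class AuthServer:
    def __init__(self, device_key):
        self._device_key = device_key  # assumption: shared with the device at enrolment
        self._pending = {}             # nonce -> time the challenge was issued

    def new_challenge(self, now):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = now
        return nonce

    def verify(self, nonce, txn, tag, now):
        issued = self._pending.pop(nonce, None)  # single use: gone after the first attempt
        if issued is None:
            return "rejected: unknown or reused nonce"
        if now - issued > MAX_AGE_SECONDS:
            return "rejected: challenge expired"
        expected = hmac.new(self._device_key, nonce + txn, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        return "accepted"


def device_sign(device_key, nonce, txn):
    """Device side: after a local biometric match, bind the result to nonce and transaction."""
    return hmac.new(device_key, nonce + txn, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)
    server = AuthServer(key)
    txn = b"pay|merchant=shop-01|amount=19.99|cur=EUR"  # constructed transaction
    nonce = server.new_challenge(now=1000)
    tag = device_sign(key, nonce, txn)
    first = server.verify(nonce, txn, tag, now=1005)
    replayed = server.verify(nonce, txn, tag, now=1006)  # same captured message again
    nonce = server.new_challenge(now=2000)
    altered_txn = txn.replace(b"19.99", b"1999.99")      # amount changed in transit
    altered = server.verify(nonce, altered_txn, device_sign(key, nonce, txn), now=2001)
    return first, replayed, altered


if __name__ == "__main__":
    print(demo())
```

Only the signed result leaves the device in this design; the biometric sample itself is never transmitted.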

2.5. Attacks on Biometric Templates

Problem Description

Attackers may attempt to access biometric templates stored on devices or servers and reverse-engineer them to extract original biometric data, which they can then use to bypass authentication [8].

Causes of Vulnerability

Insecure Template Storage: Storing templates using reversible algorithms or weak encryption.

Weak Key Management: Poor management of cryptographic keys used to secure templates.

Possible Solutions

One-Way Functions: Using hash functions with added salt to store templates, making it impossible to recover original biometric data.

Key Management Systems: Implementing robust key management practices to ensure secure handling and rotation of cryptographic keys.

Isolation of Storage Systems: Physically and logically separating the biometric data storage from other system components.
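The cancelable biometrics of Section 2.1 and the protected template storage of Section 2.5 can be illustrated together. This is an added example, not code from the paper: because two captures of the same trait never match bit for bit, it stores the signs of seeded random projections (a BioHashing-style transform chosen here as an assumption) and compares them by Hamming distance, so a leaked template is revoked by issuing a new seed. Feature vectors, seeds, bit length and distance threshold are all constructed for illustration.

```python
import random

BITS = 256         # length of the protected template (assumed)
MAX_DISTANCE = 40  # accepted Hamming distance (assumed; tuned on real data in practice)


def protect(features, seed):
    """Project features onto BITS seeded random directions and keep only the signs."""
    rng = random.Random(seed)
    bits = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(1 if sum(d * f for d, f in zip(direction, features)) >= 0 else 0)
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def matches(stored_template, probe_features, seed):
    return hamming(stored_template, protect(probe_features, seed)) <= MAX_DISTANCE


def constructed_samples():
    """Constructed feature vectors: enrolled user, noisy re-capture, different person."""
    rng = random.Random(7)
    enrolled = [rng.uniform(-1, 1) for _ in range(32)]
    recapture = [f + rng.gauss(0, 0.02) for f in enrolled]
    other = [rng.uniform(-1, 1) for _ in range(32)]
    return enrolled, recapture, other


def demo():
    enrolled, recapture, other = constructed_samples()
    old_seed, new_seed = 1001, 2002             # per-user secrets; new_seed issued after a leak
    old_template = protect(enrolled, old_seed)
    new_template = protect(enrolled, new_seed)  # re-enrolment with the same trait
    return {
        "same user, noisy capture": matches(old_template, recapture, old_seed),
        "different person": matches(old_template, other, old_seed),
        "leaked old template vs new one": hamming(old_template, new_template) <= MAX_DISTANCE,
        "same user after re-issue": matches(new_template, recapture, new_seed),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The seed is part of the secret material and falls under the same key management practices listed above.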

2.6. Device and Sensor Manipulation

Problem Description

Physical access to a device allows an attacker to manipulate biometric sensors, bypassing the authentication system by tampering with the hardware.

Causes of Vulnerability

Insufficient Hardware Protection: Lack of tamper detection mechanisms in devices.

Vulnerable Sensors: Low-quality sensors can be easily manipulated or replaced.

Possible Solutions

Hardware Protection Methods: Incorporating tamper detection sensors and secure enclosures to prevent physical manipulation.

Monitoring Device Integrity: Implementing systems that monitor for changes in hardware configuration and alert users to potential tampering.

Certified Hardware: Using certified devices that have undergone rigorous security testing.

2.7. Presentation Attacks and Liveness Detection Issues

Problem Description

Attackers may use high-quality masks, artificial fingerprints, or other fabricated biometric data to trick the authentication system, especially if it lacks robust liveness detection mechanisms [9].

Causes of Vulnerability

Ineffective Liveness Detection: Systems may fail to differentiate between real and fake biometric data.

Advancement of Attack Techniques: New technologies allow attackers to create highly realistic biometric forgeries.

Possible Solutions

Multiparametric Liveness Detection: Verifying multiple signs of life, such as heat patterns, blood flow, or micro-movements.

AI and Machine Learning: Leveraging advanced algorithms to detect even the smallest inconsistencies characteristic of forgeries.

Regular Security Updates: Updating security systems to counter evolving attack techniques.

2.8. Cross-Device and Cross-Application Risks

Problem Description

Biometric data synchronization between devices or third-party access to biometric functions increases the risk of data compromise.

Causes of Vulnerability

Cloud Synchronization: Transmitting biometric data over the internet exposes it to interception.

Insufficient Access Control: Third-party applications may gain unauthorized access to biometric data due to weak access control settings.

Possible Solutions

Local Data Storage: Avoid transmitting biometric data over networks; store it only locally on the device.

Strict Access Control: Implement permission models that grant minimal necessary access to applications.

Audit and Monitoring: Regularly review access logs and perform security audits of applications.


2.9. Privacy Concerns and Surveillance Threats

Problem Description

The use of biometric data can lead to privacy violations if the data is used for surveillance or shared with third parties without consent [10].

Causes of Vulnerability

Lack of Legal Restrictions: Inadequate laws regulating the use of biometric data.

Commercial Exploitation: Companies may use biometric data for marketing or share it with third parties.

Possible Solutions

Data Minimization Principle: Collect and store only the minimum amount of biometric data necessary.

Transparency and User Consent: Clearly explain data usage policies and obtain informed consent from users.

Compliance with Legal Frameworks: Adhere to regulations such as GDPR, CCPA, and other data protection laws.

Conclusion

Biometric authentication offers a powerful tool for securing payment systems, but it comes with significant vulnerabilities. Addressing these challenges requires a comprehensive approach involving technical, organizational, and legislative measures. Key recommendations include:

Technical Measures: Implementing advanced liveness detection technologies, high-precision sensors, neural networks, and up-to-date cryptographic methods.

Organizational Measures: Developing and adhering to strict security and privacy policies, performing regular security audits.

Legislative Measures: Ensuring compliance with international and national data protection laws, and participating in the development of security standards.

REFERENCES

1. Agzamova M.Sh. Development of a software module implementing a proposed facial biometric authentication algorithm and evaluation of solution effectiveness. SCIENCE AND INNOVATION INTERNATIONAL SCIENTIFIC JOURNAL VOLUME 2 ISSUE 7 JULY 2023, pp. 51-57, https://doi.org/10.5281/zenodo.81507542.

2. Dalal S., Vishwakarma V. P., Kumar S. Feature-based Sketch-Photo Matching for Face Recognition // Procedia Computer Science. - 2020. - Vol. 167. - pp. 562-570.

3. Taskiran M., Kahraman N., Erdem C. E. Face recognition: Past, present and future (a review) // Digital Signal Processing. - 2020. - Vol. 106. - P. 102809.

4. Xiaoou Tang, Xiaogang Wang. Face Sketch Recognition. IEEE Transactions on Circuits and Systems for Video Technology, vol. 14, no. 1, January 2014.

5. Agzamova Mohinabonu. 2023. "CONTRASTIVE CONVOLUTION IN FACE RECOGNITION: ADVANCEMENTS IN ACCURACY". Next Scientists Conferences 1 (01):3-5. https://nextscientists.com/index.php/science-conf/article/view/135

6. Brilyuk D., Starovoitov V. Human recognition from face images and neural network methods. 2002. URL: http://daily.sec.ru/publication.cfm?Pid=4425 (accessed: 10.02.2012).

7. Congcong Zhu, Xintong Wan, Shaorong Xie, Xiaoqiang Li, Yinzheng Gu. Occlusion-robust Face Alignment using A Viewpoint-invariant Hierarchical Network Architecture. URL: https://openaccess.thecvf.com/content/CVPR2022/papers/Zhu_Occlusion-Robust_Face_Alignment_Using_a_Viewpoint-Invariant_Hierarchical_Network_Architecture_CVPR_2022_paper.pdf

8. Agzamova M.Sh., Irgasheva D.Y. Analysis of non-cryptographic methods for software binding to facial biometric data of user identity. International Journal of Advance Scientific Research, 3(07), 38-47. https://doi.org/10.37547/ijasr-03-07-08.

9. Agzamova M.Sh., Irgasheva D.Y. Analysis of facial authentication systems for neural network modification of raw biometric data. Innovative Technologica: Methodical Research Journal, 2(07), 16-28. https://doi.org/10.17605/OSF.IO/RZMFB.

10. Agzamova M.Sh., Irgasheva D.Y. A comprehensive review of the use of data mining algorithms in facial recognition systems for payment systems. Bulletin of TUIT: Management and Communication Technologies № 3(12)2023.
