Because biometric data can prove identity with a relatively high level of assurance, it is becoming widely accepted as a method of authentication. Biometric solutions based on specific traits of a person can distinguish between an authorized individual and an impostor. Advantageously, biometric authentication systems do not require passwords or tokens. However, because one physiological or behavioral characteristic can be the sole basis for accessing multiple systems and gaining physical entry, the integrity of biometric data is paramount.
With the global volume of mobile payments expected to increase dramatically, e.g., possibly exceeding a trillion U.S. dollars in the next three years, there is growing concern about the need to develop authentication solutions which are less vulnerable to cybersecurity threats. While there is interest in applying biometric technologies to authentication of mobile payment processes, the reality is that biometric systems are vulnerable. At the same time, use of portable devices to provide physical and logical access to mobile payment processes can result in authentication systems having additional vulnerabilities to spoofs and replay attacks. A vulnerable aspect of mobile device use results from the nature of the transmission which must occur in the link between the origin of sensor data (e.g., a camera) at the point of image generation and a remote unit which, for example, performs the authentication processing or accesses a biometric database. Specifically, data transmission links may be the most difficult segments of a mobile authentication process to shield from impostor attacks. By way of example, encrypted frames of image data may be intercepted and reused as inputs to an authentication system in order to gain access.
The potential vulnerability results, in part, because, when data transmissions are encrypted, an attacker may generate large numbers of data segments (e.g., image frames) to reverse engineer and use the encryption technique. If this is successful, the intercepted data may be inserted in the same transmission link without detection in order for an impostor to gain access. This is a replay attack: the transmission link is compromised and impostor data segments are inserted to be received for authentication processing.
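The following added example (not part of the original text) shows from the receiving side why encrypting frames does not by itself detect a replayed frame, and how binding each frame to a single-use challenge from the remote unit does. The toy SHA-256 keystream cipher, the function and class names, and the challenge scheme are assumptions for illustration; the text above does not describe a particular countermeasure.

```python
import hashlib, hmac, os

def _subkey(key, label):  # separate encryption and MAC keys from one secret
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter keystream standing in for a real cipher (assumption).
    blocks = (len(data) + 31) // 32
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal_frame(key, frame, challenge=b""):
    """Sensor side: encrypt-then-MAC, binding the frame to the challenge."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, frame)
    mac = hmac.new(_subkey(key, b"mac"), challenge + nonce + ct, hashlib.sha256)
    return nonce + ct + mac.digest()

def open_frame(key, blob, challenge=b""):
    """Remote unit: return the decrypted frame, or None if the tag fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac = hmac.new(_subkey(key, b"mac"), challenge + nonce + ct, hashlib.sha256)
    if not hmac.compare_digest(tag, mac.digest()):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def naive_accept(key, blob):  # no freshness check: any valid frame passes
    return open_frame(key, blob) is not None

class ChallengeVerifier:
    """Issues a single-use random challenge per authentication attempt."""
    def __init__(self, key):
        self.key, self.pending = key, None
    def new_challenge(self):
        self.pending = os.urandom(16)
        return self.pending
    def accept(self, blob):
        challenge, self.pending = self.pending, None  # consume it
        return challenge is not None and open_frame(self.key, blob, challenge) is not None

def demo():
    key, frame = os.urandom(32), b"constructed frame bytes"
    captured = seal_frame(key, frame)  # as observed on the link
    naive = [naive_accept(key, captured) for _ in range(2)]  # original, replay
    v = ChallengeVerifier(key)
    captured = seal_frame(key, frame, v.new_challenge())
    fresh = v.accept(captured)
    v.new_challenge()  # a later authentication attempt
    return naive, fresh, v.accept(captured)
```

`demo()` returns the naive receiver's verdicts for the original and replayed frame, then the challenge-bound receiver's verdicts for the fresh frame and for the same bytes presented on a later attempt.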