Jaideep Murkute, Hemant Nagpure, Harshal Kute, Neha Mohadikar, Chaitali Devade /
International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622
www.ijera.com
Vol. 3, Issue 2, March -April 2013, pp.1810-1815
Online Banking Authentication System Using QR-code and Mobile OTP
Jaideep Murkute, Hemant Nagpure, Harshal Kute, Neha Mohadikar, Chaitali Devade
Sinhgad College of Engineering, Department of Information Technology, University of Pune, Pune-411041.
ABSTRACT
This paper explains the implementation details of an online banking authentication system. Security is an important issue for an online banking application; it can be implemented using various internet technologies, and the gap between the real world and the virtual world can be filled. While implementing an online banking system, the need for secure data transfer can be fulfilled by using HTTPS data transfer and database encryption techniques for the secure storage of sensitive information. To eliminate the threat of phishing and to confirm the user's identity, a QR-code scanned by the user's mobile device can be used, and the weakness of the traditional password-based system can be improved by a one-time password (OTP) calculated from the user's transaction information and data unique to the user side, like the IMEI number of the user's mobile device.

Keywords: banking application, security, QR-code, one time password (OTP), mobile device.

1. INTRODUCTION
Despite the wide use of the current online banking system, it has many security holes: it is based on the traditional password-based model, with no mutual authentication between user and bank server, which leads to threats like phishing (stealing passwords and using them for transactions), intercepting communication lines, database hacking, etc. To make transactions more secure while also keeping them easy for the user, the following authentication system can be useful.

In our proposed scheme, we assume secure communication between the user (PC) and the service providers, and between the service providers and the certification authority. The proposed authentication system ensures user authentication and digital signatures using authorized certificates, by using HTTPS communication between user and server. Using the user's transfer information (TI), the requested transfer time (T) and the serial number (SN) of the user's mobile device instead of a security card, we generate a QR-code, display it on the user's screen and decode it with the user's mobile device to generate the OTP. The OTP is also generated on the server side, and the OTPs generated by the user device and by the server are verified before proceeding [1]. The user database should also be encrypted to prevent data leakage. The authentication process of the proposed system is shown below:
Fig. 1. Working scenario for online banking system
1] The user uses his/her own public certificate to log in and then enters the transfer information to start the transfer transaction.
Transfer Information (TI) = TB || TA || TM
TB: Transfer_Bank (bank code)
TA: Transfer_Account
TM: Transfer_Money

2] The server converts the information the user entered, the transfer information (TI), the requested time of transfer (T) and a random value (RN), into a QR-code and displays it on the screen together with the random value (RN'). At the same time, the server sends the information of transfer (TI) and the requested time of transfer (T) to the certification authority (CA).

3] The certification authority (CA) generates the OTP from the received transfer information (TI), the requested time of transfer (T) and the user's hashed serial number (SN).

4] The user converts the QR-code on the screen using their mobile device; this is divided into two phases. First, the user uses their mobile device (phone) to read the random value (RN) shown on the screen and verifies it against the random value (RN'). If the random value is accurate, the user proceeds to the next step and then confirms the converted information of transfer that was input. If the information is accurate, the user generates the OTP code in the mobile device. If the information does not match, the transfer is canceled.

5] When the user executes the generated OTP, the mobile device generates the OTP by reading the transfer information (TI), the perceived value of time (T) and the hashed serial number (SN) of the user's mobile device, which is shared with the certification authority (CA), and outputs the generated OTP on the screen of the mobile device.
6] The user inputs the OTP code generated by the mobile device on the screen.

7] The server (bank) sends the OTP received from the user to the certification authority (CA).

8] The certification authority (CA) compares the received OTP code (OTP1) with the OTP code it generated (OTP2) and sends the result to the server (bank) for OTP code approval.

9] When the server (bank) receives approval of the OTP from the certification authority (CA), it also verifies the entered OTP code against the user's consistent value and the user's digital signature. If approval of the OTP value is not received, the transfer is canceled. The OTP is displayed on the mobile screen and the user types it into the desktop application. The desktop client then sends this OTP to the server.

10] The authorized user signs with his certificate to complete the transfer.

11] The server (bank) verifies the digital signature and gives final approval of the transfer.

2. RELATED WORK
2.1 Calculation of OTP:
A One-Time Password (OTP) can be used. A one-time password system can be a solution for this weakness: it generates a new password for every transaction and is based on two important factors: (a) a PIN to unlock the OTP generator (something you know) and (b) the OTP smart card itself (something you have) [1].
Here in this system, the QR code generated by the bank server is displayed on the client screen and is decoded by the user's mobile device. The QR code is embedded with the information regarding the current transaction, a timestamp and data unique to every user device, like the IMEI number.

Fig. 2. OTP creation and validation

We can get the data string from the QR code and append to it the IMEI number, which can be obtained from the mobile device. Then a hashing function like SHA-256 is used to create a hashed string of that data. Other hashing algorithms can also be used, but the longer the hash code, the more difficult it is for an attacker to guess the OTP. The hashed string comprises both digits and characters. We select any 6 or 8 digits, characters or both from the generated hash and use it as the OTP. The same hash of the data is created on the server side as well and compared for equivalence, ensuring mutual authentication. If both OTPs are the same, the transaction is permitted.
The advantage of using a hashing algorithm like SHA is that the same hash is never generated for the same data in consecutive attempts, so intercepting data and calculating the hash won't be possible for an attacker.

SHA-256("The quick brown fox jumps over the lazy dog")
0xd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592

SHA-256("The quick brown fox jumps over the lazy dog.")
0xef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c

So as per the system, the OTP for the second string above will be 53725895 (using the first 8 digits).
And the timestamp ensures that OTPs for transactions generated at different times will be different. This OTP can also be called HOTP as a hashing technique is used. We can also use HMAC codes, but that would need an extra input to generate the output.

2.2 Database encryption:
One of the major security holes in many critical systems is database security. Even if an attacker gets invalid access to the database, one more level of security can be added by encrypting the database. While displaying contents we decrypt the data and send it to the user. Any of the available encryption algorithms can be used, but as there will be many database requests for a banking application, encrypting and decrypting every time might put a large overhead on the application. So care should be taken to choose an algorithm which would provide sufficient security with little overhead.
Base-64 is one of the choices. The algorithm converts data into byte-code. The standard data representation is 8 bits. We can take 6-bit groups and convert them into characters and replace the original data. Padding can be added at the end of the data if necessary. It represents data by 2^6 = 64 possible characters, hence the name base-64 [13].
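Returning to the OTP calculation of Section 2.1, the following is an added example written for this page, not the paper's implementation: it builds the QR data string, appends the IMEI, hashes with SHA-256, keeps the first 8 decimal digits of the hex digest, and shows the server/CA-side recomputation and comparison. The field layout TI = TB||TA||TM, the payload order TI||T||RN and the '|' separator are assumptions; the two test strings from the paper yield 78307780 and 53725895.

```python
"""Added example for Section 2.1: OTP = first 8 decimal digits of
SHA-256(QR data || IMEI). Illustrative code written for this page, not the
paper's implementation. Assumptions: TI = TB||TA||TM, the QR payload is
TI||T||RN, and '|' separates the fields."""
import hashlib
import hmac

OTP_LENGTH = 8  # the paper selects the first 8 digits of the hash


def transfer_information(tb: str, ta: str, tm: str) -> str:
    """TI = TB || TA || TM: bank code, account and amount (separator assumed)."""
    return f"{tb}|{ta}|{tm}"


def qr_payload(ti: str, t: str, rn: str) -> str:
    """Data string the bank places in the QR-code: TI, requested time T and RN."""
    return f"{ti}|{t}|{rn}"


def first_digits(hex_digest: str, n: int) -> str:
    """Keep only the decimal digits of a hex digest, as in the paper's 53725895 example."""
    return "".join(ch for ch in hex_digest if ch.isdigit())[:n]


def hash_otp(data: str, n: int = OTP_LENGTH) -> str:
    """SHA-256 the data and take the first n decimal digits of the hex digest.
    Edge case the paper does not cover (handled here by assumption): if the
    digest holds fewer than n digits, it is re-hashed until enough are found."""
    digest = hashlib.sha256(data.encode("utf-8")).hexdigest()
    digits = first_digits(digest, n)
    while len(digits) < n:
        digest = hashlib.sha256(digest.encode("utf-8")).hexdigest()
        digits += first_digits(digest, n - len(digits))
    return digits


def generate_otp(qr_data: str, imei: str) -> str:
    """Mobile side: the decoded QR data string with the device IMEI appended, hashed."""
    return hash_otp(qr_data + imei)


def verify_otp(submitted: str, ti: str, t: str, rn: str, imei: str) -> bool:
    """Server/CA side: rebuild the same string from its own copy of TI, T, RN
    and the IMEI shared at registration, recompute, and compare in constant time."""
    expected = generate_otp(qr_payload(ti, t, rn), imei)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    # Constructed sample transaction; none of these values are real.
    ti = transfer_information("BANK001", "123456789012", "5000.00")
    t, rn, imei = "2013-03-15T10:30:00", "48213", "356938035643809"
    otp = generate_otp(qr_payload(ti, t, rn), imei)
    print("OTP shown on phone:", otp)
    print("CA accepts:", verify_otp(otp, ti, t, rn, imei))
    altered = transfer_information("BANK001", "123456789012", "9000.00")
    print("CA accepts altered amount:", verify_otp(otp, altered, t, rn, imei))
```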
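The 6-bit regrouping and '=' padding just described, written out as an added example (not the paper's code and not a library call); the standard 64-character alphabet A-Z, a-z, 0-9, '+', '/' is assumed. Since no key enters the computation, the decoder recovers the stored value from the encoded form alone.

```python
"""Added example for Section 2.2: base-64 as the paper describes it, 8-bit
bytes regrouped into 6-bit values, each mapped to one of 2^6 = 64 characters,
with '=' padding. Written for this page, not taken from the paper or a
library; the standard alphabet (A-Z, a-z, 0-9, '+', '/') is assumed."""

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")


def b64_encode(data: bytes) -> str:
    """Encode 3 bytes (24 bits) at a time as four 6-bit groups."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Right-pad a short final chunk with zero bits so it is still 24 bits wide.
        bits = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # 1 byte yields 2 characters, 2 bytes yield 3; the rest is '=' padding.
        keep = len(chunk) + 1
        out.append("".join(ALPHABET[g] for g in groups[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the regrouping. No key is involved, so the encoded column alone
    is enough to recover the original bytes."""
    if len(text) % 4:
        raise ValueError("base-64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        # Drop the bytes that only existed as padding.
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample record, not real account data.
    record = b"ACCT:123456789012;BAL:5000.00"
    encoded = b64_encode(record)
    print(encoded)
    print(b64_decode(encoded) == record)
```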
Along with security, another advantage of base-64 is that many internet systems don't allow all 128 characters of the 8-bit representation, so base-64 can be beneficial.

Fig. 3. Base-64 working

2.3 Secure Communication Channels:
As important as application security, secure communication channels are of equal importance. The most promising way to do this would be the use of digital certificates using a PKI architecture for the application. PKI provides additional encryption and signatures. HTTPS communication can be used for this purpose. It embeds HTTP data [11] in SSL (Secure Socket Layer) packets. SSL groups data into small chunks, compresses them and then encrypts them using asymmetric keys [12]. Asymmetric keys provide a high level of security for communication, as one key is used for encryption and another for decryption. For the management of keys, digital certificates are used, which are legitimate documents provided by a certification authority (CA) containing user information and keys.
For asymmetric key generation, the RSA (Rivest-Shamir-Adleman) algorithm is used. Public keys are embedded in the digital certificates of each end. Data is sent by encrypting it with the public key of the receiver, but it can be decrypted only with the private key of the receiver, which is kept secret, thus providing a high level of security [9].

2.4 QR-code processing:
The features of this code symbol are large capacity, small printout size and high-speed scanning. A QR code comprises the following patterns: finder pattern, timing pattern, format information, alignment pattern, and data cells.

Fig. 4. Structure of QR-code

Use of the QR code ensures that the data will be decoded by the legitimate user only, as a decoding device will be required to decode it.

2.4.1 The QR-code is generated using the transaction information, timestamp and random number using the following steps [5]:
(I) Conversion into binary format:
First we select the mode in which the QR-code is to be generated, depending on the type of data:
Extended Channel Interpretation (ECI) Mode
1. Numeric Mode
2. Alphanumeric Mode
3. 8-bit Byte Mode
4. Kanji Mode
Each of the modes has a different conversion function to convert data into binary format.
(II) Appending error correction codewords:
Divide the codeword sequence into the required number of blocks to enable the error correction algorithms to be processed. Generate the error correction codewords for each block, appending the error correction codewords to the end of the data codeword sequence. One of the 4 levels of error recovery (L, M, Q, H) is chosen to generate the codewords.
(III) Codeword placement in matrix:
Data blocks are arranged into the QR-code according to the chosen strategy: either into rectangular blocks or irregular blocks, which can accommodate more data.
(IV) Masking:
The data is XORed with a predefined bit-string so that dark and light modules are arranged in a well-balanced manner in the symbol.
(V) Appending format information:
The Format Information is a 15-bit sequence containing 5 data bits, with 10 error correction bits calculated using the (15, 5) BCH code.
(VI) Appending version information:
The Version Information is an 18-bit sequence containing 6 data bits, with 12 error correction bits calculated using the (18, 6) BCH code.
For error detection and correction, Reed-Solomon codes of the data are also embedded in the QR code. It gives error correction of up to 30%. The generator polynomial g(x) is defined by having $\alpha, \alpha^2, \ldots, \alpha^t$ as its roots, i.e.

$g(x) = (x-\alpha)(x-\alpha^2)\cdots(x-\alpha^t) = g_0 + g_1 x + \cdots + g_{t-1}x^{t-1} + x^t$

The transmitter sends the $N-1$ coefficients of $s(x) = p(x)g(x)$, and the receiver can use polynomial division of the received polynomial by $g(x)$ to determine whether the message is in error; a non-zero remainder means that an error was detected. Let $r(x)$ be the non-zero remainder polynomial; then the receiver can evaluate $r(x)$ at the roots of $g(x)$ and build a system of equations that eliminates $s(x)$ and identifies which coefficients of $r(x)$ are in error, and the magnitude of each coefficient's error.

2.4.2 Scanning of QR-code:
The processing of QR-code detection consists of five procedures, starting from the image captured from the camera and ending with data extraction. What makes this task challenging is that the captured image may not be of good quality or might be deformed, either by limitations of the device or by a naive user.

Fig. 5. Steps in QR-code scanning

Scanning can be done using the following five steps:
(I) Pre-processing:
Gray-level histogram calculation is adopted.
(II) Corner marks detection:
Three marked corners are detected using the finder pattern.
(III) Fourth corner estimation:
The fourth corner is detected using a special algorithm.
(IV) Inverse perspective transformation:
An inverse transformation based on the obtained corner geometry positions is adopted to normalize the size of the code.
(V) Scanning of code:
Sample the inside of the code and output the normalized bi-level code data to the host CPU.
The input image has a deformed shape because it is captured from the embedded camera device, and we use the inverse perspective transformation to normalize the code shape. The equations are as follows:

$u = \dfrac{c_0 x + c_1 y + c_2}{c_6 x + c_7 y + 1}, \qquad v = \dfrac{c_3 x + c_4 y + c_5}{c_6 x + c_7 y + 1}$

where the $(u, v)$ coordinates are the original (deformed) image coordinates and the $(x, y)$ coordinates are the normalized coordinates. In the above equations, the coefficients $c_0 \sim c_7$ can be obtained from the following four point pairs:

$A(x_0, y_0) \Leftrightarrow A'(u_0, v_0)$,
$B(x_1, y_1) \Leftrightarrow B'(u_1, v_1)$,
$C(x_2, y_2) \Leftrightarrow C'(u_2, v_2)$,
$D(x_3, y_3) \Leftrightarrow D'(u_3, v_3)$

(C) QR-code decoding:
The QR-code is encoded with an encryption key, which is then decoded by the private key at the user's side, and the data is obtained. Decoding is the exact opposite of encoding: scanning the different sections according to the format of the QR-code, checking the data with the error correction codes and recovering lost data from redundant locations is done while decoding. The random number is matched with the number sent along with the message, and if they
match, the message is valid. The timestamp is read from the message to get synchronized with the server. From the information in the QR-code, like TI and T, and the IMEI number of the mobile device, the OTP is generated in the device and displayed to the user. The user then enters it into the desktop application, and it is sent to the CA, where the OTP for the current transaction is also generated and matched with the one sent by the user application. If they are the same, the transaction is completed.
Other functionalities required by any banking application should be added to the application, like user registration, managing user accounts, viewing the transaction summary, etc., and an application ensuring authentic, secure transactions, storage and communication can be developed.

3. SECURITY ANALYSIS
A malicious user cannot analyze the content of communications, as our proposed system uses the camera of the mobile device to recognize the QR code. Also, the user and the Certification Authority (CA) have shared the hashed serial number (SN) of the user's mobile device through a secure process in the initial registration phase. If the PIN is altered, the OTP value changes.
In our proposed system, the user prevents phishing attacks by identifying the value of the random number (RN) before verifying the information of the transaction in the conversion of the QR code.
Our proposed system requires a prerequisite input of transaction information using the QR code and authorized authentication by the public certificate for the generation of the OTP. Therefore it can identify legitimate users and can block use by a malicious user. As we used the user's requested time of transfer, the time value used to generate the OTP code cannot be changed arbitrarily.

4. CONCLUSION
Nowadays, the use of online banking applications has increased. Security is an important issue for handling such services. The current system provides a security-card-based facility to authenticate the user, but this is not very secure and will not be available at any time or in any situation. To overcome such issues we propose an online banking authentication system using QR-code and OTP. The bank generates the QR-code using the transfer information input by the user, and then the user needs to read the code using their mobile phone, after which the OTP code is generated in the mobile phone using the transfer information and the hashed user's mobile device number. Finally, the transfer is completed by the user typing the generated OTP code on the screen.
For any system, the security it provides and the system overhead are two sides of a coin and should be considered equally while developing critical systems.

REFERENCES
1] Young Sil Lee, Nack Hyun Kim, Hyotaek Lim, HeungKuk Jo, Hoon Jae Lee, "Online Banking Authentication System using Mobile-OTP with QR-code", pp. 644-648, Nov. 30 2010 - Dec. 2 2010, E-ISBN: 978-89-88678-30-5.
2] IETF RFC 4226, HOTP: An HMAC-Based One-Time Password Algorithm, Dec. 2005.
3] AntiPhishingGroup, "Phishing Activity Trends Report", from: http://www.antiphishing.org, Dec. 2008.
4] Mohammad Mannan, P. C. Van Oorschot, "Security and Usability: The Gap in Real-World Online Banking", NSPW'07, North Conway, NH, USA, Sep. 18-21, 2007.
5] Eisaku Ohbuchi, Hiroshi Hanaizumi, Lim Ah Hock, "Barcode Readers using the Camera Device in Mobile Phones", IEEE paper.
6] Aidong Sun, Yan Sun, Caixing Liu, "The QR-code reorganization in illegible snapshots taken by mobile phones", IEEE paper.
7] D. M'Raihi, M. Bellare, F. Hoornaert, D. Naccache, O. Ranen, "HOTP: An HMAC-Based One-Time Password Algorithm", RFC 4226, December 2005.
8] Teoh Chin Yew, Mazleena Salleh, Subariah Ibrahim, "Spatial Resource Analysis of Two Dimensional Barcodes", IEEE paper.
9] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", http://people.csail.mit.edu/rivest/Rsapaper.pdf.
10] Robert P. McEvoy, Francis M. Crowe, Colin C. Murphy, William P. Marnane, "Optimisation of the SHA-2 Family of Hash Functions on FPGAs".
11] R. Fielding, J. Gettys, J. C. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", Network Working Group, Request for Comments: 2616.
12] David Wagner, Bruce Schneier, "Analysis of the SSL 3.0 protocol", http://www.schneier.com/paper-ssl.pdf.
13] Randy Charles Morin, "How to Base64", www.kbcafe.com.