How Offline Payment Codes Work: From OTP to Secure Transactions

This article explains the two main mobile payment methods, details the online and offline payment‑code schemes, describes the OTP generation algorithm based on HMAC‑SHA1 and BASE32, and discusses the security trade‑offs and practical considerations of offline payment codes.


Payment Method Overview

Mobile payments via WeChat and Alipay use two common approaches: the user scans the merchant’s QR code (active scan) or the merchant scans the user’s payment code (passive scan). The active scan requires the client to be online, while the passive scan can work offline.

Online Code Scheme

When the client is online, the app requests a payment code from the backend, which generates the code, stores the association in a database, and returns it to the client. The code is valid for a limited time and can be refreshed without client updates, but it fails without network connectivity.

Offline Code Scheme

In offline scenarios, the client generates a payment code locally using a shared secret and a time‑based algorithm similar to OTP. The merchant’s backend validates the code by reproducing the same algorithm using the stored secret.

Dynamic OTP Principle

The OTP generation follows these steps:

original_secret = xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
secret = BASE32_DECODE(TO_UPPERCASE(REMOVE_SPACES(original_secret)))
input = FLOOR(CURRENT_UNIX_TIME() / 30)                    // 30-second time step, encoded as an 8-byte big-endian counter
hmac = HMAC_SHA1(secret, input)                            // 20-byte keyed MAC (HMAC), not a plain SHA1 over secret + input
offset = LAST_BYTE(hmac) & 0x0F                            // low 4 bits of the last byte choose where to truncate
four_bytes = hmac[offset : offset + 4]
large_integer = INT_BIG_ENDIAN(four_bytes) & 0x7FFFFFFF    // clear the sign bit
small_integer = large_integer % 1,000,000                  // six-digit code, left-padded with zeros

The client sends the generated code to the server, which performs the same computation and compares the results to authorize the payment.

Disadvantages of Offline Scheme

Algorithm changes may require client updates and backward compatibility handling.

If the secret is compromised (e.g., via a rooted device), attackers can generate valid codes.

Collision risk: different users might generate the same code, leading to erroneous charges.

Conclusion

Payment‑code transactions rely on the merchant’s backend calling Alipay’s barcode payment API. Online schemes are safer and more flexible, while offline schemes enable payments without network connectivity at the cost of reduced flexibility and potential security concerns.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: security, OTP, mobile payments, offline payment, payment code
Written by

Java Backend Technology

Focus on Java-related technologies: SSM, Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading. Occasionally cover DevOps tools like Jenkins, Nexus, Docker, and ELK. Also share technical insights from time to time, committed to Java full-stack development!
