WO2010071904A2 - Security measures for credit card - Google Patents

Security measures for credit card Download PDF

Info

Publication number
WO2010071904A2
WO2010071904A2 PCT/ZA2009/000111 ZA2009000111W WO2010071904A2 WO 2010071904 A2 WO2010071904 A2 WO 2010071904A2 ZA 2009000111 W ZA2009000111 W ZA 2009000111W WO 2010071904 A2 WO2010071904 A2 WO 2010071904A2
Authority
WO
WIPO (PCT)
Prior art keywords
card
code
generating
related transactions
dynamic authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/ZA2009/000111
Other languages
French (fr)
Other versions
WO2010071904A9 (en
WO2010071904A3 (en
Inventor
Grant Paul Weideman
Selvanathan Narainsamy
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Radio Surveillance Security SA Pty Ltd
Original Assignee
Radio Surveillance Security SA Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Radio Surveillance Security SA Pty Ltd filed Critical Radio Surveillance Security SA Pty Ltd
Priority to AU2009327344A priority Critical patent/AU2009327344A1/en
Priority to EP09813865A priority patent/EP2380122A2/en
Priority to CA2747249A priority patent/CA2747249A1/en
Priority to SG2011044435A priority patent/SG172224A1/en
Priority to CN200980151333.1A priority patent/CN102301384A/en
Publication of WO2010071904A2 publication Critical patent/WO2010071904A2/en
Publication of WO2010071904A3 publication Critical patent/WO2010071904A3/en
Publication of WO2010071904A9 publication Critical patent/WO2010071904A9/en
Priority to ZA2011/00774A priority patent/ZA201100774B/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce

Definitions

  • This invention relates to security measures for bank card related transactions.
  • 'card' as applied to card related transactions shall be understood to include any type of 'smartcard' which includes any form of electronic processor and/or electronic memory and/or electronic storage capacity.
  • the code is usually intercepted while being verified by a card reading machine. This may be accomplished by adding software to the machine (or another handheld device) which reads the card and intercepts/copies the code without otherwise affecting the transaction. The user is therefore unaware of this interception. It is an object of this invention to provide an alternative to the single programmed static authentication code on credit and debit cards or similar card related transactions.
  • a method of generating a dynamic authentication code for card related transactions includes the steps of loading algorithm generating software onto the card to generate a time and/or date specific code when used in combination with a card transaction machine, and synchronising the generated code with one similarly generated at a remote terminal.
  • suitable algorithm-generating and/or multifactor authentication software is loaded onto a card such as a credit card.
  • the software may be loaded onto the micro-chip or any similar storage means and/or memory of the card, or wherever suitable.
  • the software may be interpreted by a card reading machine such as an ATM or a card transacting terminal to generate a time and date specific code. This code may be sent to a remote terminal, on which the same software may be running and on which an identical code may be generated on similar terms.
  • a card reading machine such as an ATM or a card transacting terminal
  • This code may be sent to a remote terminal, on which the same software may be running and on which an identical code may be generated on similar terms.
  • the remote terminal may verify the authenticity of the card and allow the transaction to proceed as it would normally.
  • the software loaded onto the card may be any suitable multi factor authentication software.
  • the card transaction terminal transmits a signal to the remote terminal which responds by sending a time and/or the date according to the terminal or the time zone in which the remote terminal is located.
  • This signal and subsequent time and date ensures that the time and/or date on the remote terminal and the card transaction terminal are identical so that an identical or suitably matched code may be generated.
  • the method may be adapted to generate a new code for each new transaction, which may be valid for a specific time interval, for instance three minutes. This variation should negate any delays caused by time-and-date verification or similar communication interruptions and should ensure that the codes are always identical.
  • multi-factor authentication software 12 is loaded onto a credit or debit card 10.
  • multi factor authentication software is used but any suitable algorithm generating authentication software may be used.
  • the software may be loaded onto the microchip (not shown) of the card. It may be possible and necessary for the software to be loaded on other storage means in future depending on the evolution of card transactions.
  • the software is also loaded onto a remote terminal 20.
  • the card terminal transmits a signal or a 'ping' 18 to the remote terminal 20 located at a banking institution or the like (not shown).
  • the remote terminal responds by sending back a signal 18 containing the time and/or date to the card terminal
  • the reasoning behind this step is to ensure that the terminals are synchronised with regards to the time and date, irrespective of time zone differences or whether the machine's time and date are set accurately.
  • the card terminal In the next step that the card terminal reads the software from the card and interprets it, taking the time and date into account, to generate a code 24 unique to the card for that specific time and/or date. Once the card terminal has generated the code it transmits the code 28 to the remote terminal where it is decrypted and interpreted to verify whether it is valid or not. If the codes satisfies the necessary criteria the remote terminal transmits a signal for receipt by the card terminal to authorise the transaction.
  • this whole method takes place in a matter of seconds. It is however envisioned that a code may be time interval generated and that a code will be valid for a few minutes to ensure that communication delays or transaction traffic does not affect the generation and verification of codes.
  • This time interval may for instance be three minutes.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A method for generating a code on card related transactions such as credit card transactions includes loading multi-factor authentication software onto the card itself. The software is read by a card transaction terminal such as an ATM or a similar payment station which generates a time and/or date specific code which is verified with a code generated on a remote CPU running similar or identical multi-factor authentication software. The two codes need not be identical, but should be similar to a sufficient tolerance to ensure that there is no security breach. Once the code is verified the transaction may proceed as it would normally.

Description

SECURITYMEASURES FOR CREDIT CARD
TECHNICAL FIELD OF THE INVENTION
This invention relates to security measures for bank card related transactions.
For purposes of this specification the term 'card' as applied to card related transactions shall be understood to include any type of 'smartcard' which includes any form of electronic processor and/or electronic memory and/or electronic storage capacity.
BACKGROUNDART
Card related fraud is a well documented worldwide problem. In recent studies credit card fraud was estimated to amount to 52 billion US dollars in the United States in 2007.
Diverse methods have been devised to commit card fraud including intercepting the cards, copying the secure information contained on the card and using that information to either directly make purchases or clones the card.
One of the most important steps during this process is to obtain the confidential authorization code which verifies the authenticity and detail on the card with a card reading machine. This code is unique to each card and is stored in the magnetic strip or the electronic chip on the card.
Current practise is for the code to be programmed onto the card when it is issued, and for that code to remain unchanged during the lifetime of the card.
This unchanging or static code has many drawbacks, the most important being that once it is intercepted, a would-be fraudster is free to clone the card and is capable of validating the authenticity thereof for any transaction.
The code is usually intercepted while being verified by a card reading machine. This may be accomplished by adding software to the machine (or another handheld device) which reads the card and intercepts/copies the code without otherwise affecting the transaction. The user is therefore unaware of this interception. It is an object of this invention to provide an alternative to the single programmed static authentication code on credit and debit cards or similar card related transactions.
DISCLOSURE OF THE INVENTION
According to the invention a method of generating a dynamic authentication code for card related transactions includes the steps of loading algorithm generating software onto the card to generate a time and/or date specific code when used in combination with a card transaction machine, and synchronising the generated code with one similarly generated at a remote terminal.
In the preferred form of the invention, suitable algorithm-generating and/or multifactor authentication software is loaded onto a card such as a credit card. The software may be loaded onto the micro-chip or any similar storage means and/or memory of the card, or wherever suitable.
The software may be interpreted by a card reading machine such as an ATM or a card transacting terminal to generate a time and date specific code. This code may be sent to a remote terminal, on which the same software may be running and on which an identical code may be generated on similar terms.
The remote terminal may verify the authenticity of the card and allow the transaction to proceed as it would normally.
In the preferred form of the invention the software loaded onto the card may be any suitable multi factor authentication software.
In a refinement of the invention the card transaction terminal transmits a signal to the remote terminal which responds by sending a time and/or the date according to the terminal or the time zone in which the remote terminal is located.
This signal and subsequent time and date ensures that the time and/or date on the remote terminal and the card transaction terminal are identical so that an identical or suitably matched code may be generated.
The method may be adapted to generate a new code for each new transaction, which may be valid for a specific time interval, for instance three minutes. This variation should negate any delays caused by time-and-date verification or similar communication interruptions and should ensure that the codes are always identical.
BRIEF DESCRIPTION OF THE DRAWINGS
An embodiment of the invention is described below with reference to the accompanying flow diagram.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
In the drawing multi-factor authentication software 12 is loaded onto a credit or debit card 10. In this embodiment multi factor authentication software is used but any suitable algorithm generating authentication software may be used.
The software may be loaded onto the microchip (not shown) of the card. It may be possible and necessary for the software to be loaded on other storage means in future depending on the evolution of card transactions.
The software is also loaded onto a remote terminal 20.
When the card is used 14 with a card reading machine 16 such as an ATM or a credit card transaction terminal the following two steps occur:
Firstly the card terminal transmits a signal or a 'ping' 18 to the remote terminal 20 located at a banking institution or the like (not shown). The remote terminal responds by sending back a signal 18 containing the time and/or date to the card terminal
The reasoning behind this step is to ensure that the terminals are synchronised with regards to the time and date, irrespective of time zone differences or whether the machine's time and date are set accurately.
In the next step that the card terminal reads the software from the card and interprets it, taking the time and date into account, to generate a code 24 unique to the card for that specific time and/or date. Once the card terminal has generated the code it transmits the code 28 to the remote terminal where it is decrypted and interpreted to verify whether it is valid or not. If the codes satisfies the necessary criteria the remote terminal transmits a signal for receipt by the card terminal to authorise the transaction.
In the preferred form of the invention this whole method takes place in a matter of seconds. It is however envisioned that a code may be time interval generated and that a code will be valid for a few minutes to ensure that communication delays or transaction traffic does not affect the generation and verification of codes.
This time interval may for instance be three minutes.

Claims

1. A method of generating a dynamic authentication code for card related transactions characterised in that it includes the steps of loading algorithm generating software onto the card to generate a time and date specific code when used in combination with a card transaction machine, and synchronising the generated code with one similarly generated at a remote terminal.
2. A method of generating a dynamic authentication code for card related transactions according to claim 1 characterised in that algorithm-generating and/or multifactor authentication software is loaded onto a card such as a credit card.
3. A method of generating a dynamic authentication code for card related transactions according to claim 1 or 2 characterised in that the software is loaded onto the micro-chip memory of the card.
4. A method of generating a dynamic authentication code for card related transactions according to any of claims 1 to 3 characterised in that the software is interpreted by a card transacting terminal to generate a time and date specific code.
5. A method of generating a dynamic authentication code for card related transactions according to claim 4 characterised in that the card transaction terminal is an ATM (Automatic Teller Machine).
6. A method of generating a dynamic authentication code for card related transactions according to any of the above claims characterised in that the code is sent to a remote terminal, on which the same software is running and on which an identical code is generated on similar terms.
7. A method of generating a dynamic authentication code for card related transactions according to claim 6 characterised in that the code is negligibly similar to the code generated by the card transaction terminal.
8. A method of generating a dynamic authentication code for card related transactions according to any of the above claims characterised in that the remote terminal verifies the authenticity of the card and allows the transaction to proceed.
9. A method of generating a dynamic authentication code for card related transactions according to any of the above claims characterised in that the card transaction terminal transmits a signal to the remote terminal which responds by sending a time and/or the date according to the terminal or the time zone in which the remote terminal is located.
10. A method of generating a dynamic authentication code for card related transactions according to any of the above claims characterised in that method is adapted to generate a new code for each new transaction, which is valid for a specific time interval.
11. A method of generating a dynamic authentication code for card related transactions according to claim 10 characterised in that the time interval is three minutes.
PCT/ZA2009/000111 2008-12-17 2009-12-17 Security measures for credit card Ceased WO2010071904A2 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
AU2009327344A AU2009327344A1 (en) 2008-12-17 2009-12-17 Security measures for credit card
EP09813865A EP2380122A2 (en) 2008-12-17 2009-12-17 Security measures for credit card
CA2747249A CA2747249A1 (en) 2008-12-17 2009-12-17 Security measures for credit card
SG2011044435A SG172224A1 (en) 2008-12-17 2009-12-17 Security measures for credit card
CN200980151333.1A CN102301384A (en) 2008-12-17 2009-12-17 Security Measures For Credit Card
ZA2011/00774A ZA201100774B (en) 2008-12-17 2011-01-31 Security measures for credit card

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA200810812 2008-12-17
ZA2008/10812 2008-12-17

Publications (3)

Publication Number Publication Date
WO2010071904A2 true WO2010071904A2 (en) 2010-06-24
WO2010071904A3 WO2010071904A3 (en) 2010-08-12
WO2010071904A9 WO2010071904A9 (en) 2010-11-11

Family

ID=42135951

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/ZA2009/000111 Ceased WO2010071904A2 (en) 2008-12-17 2009-12-17 Security measures for credit card

Country Status (7)

Country Link
EP (1) EP2380122A2 (en)
CN (1) CN102301384A (en)
AU (1) AU2009327344A1 (en)
CA (1) CA2747249A1 (en)
SG (1) SG172224A1 (en)
WO (1) WO2010071904A2 (en)
ZA (1) ZA201100774B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3441926A1 (en) * 2017-08-09 2019-02-13 SSenStone Inc. System for payment based on store's intranet, mobile terminal including payment function based on store's intranet, method for providing payment service based on store's intranet, and program for performing the same

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330891A (en) * 2016-08-21 2017-01-11 上海林果实业股份有限公司 Smart card, verification code verifying method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7363494B2 (en) * 2001-12-04 2008-04-22 Rsa Security Inc. Method and apparatus for performing enhanced time-based authentication
CA2394742A1 (en) * 2002-01-17 2003-07-17 Michel Caron Portable device, activated by the fingerprint of the holder, that will provide a unique and different access code each time the holder uses it
WO2004051585A2 (en) * 2002-11-27 2004-06-17 Rsa Security Inc Identity authentication system and method
KR20060027347A (en) * 2003-06-19 2006-03-27 코닌클리케 필립스 일렉트로닉스 엔.브이. Method and apparatus for authenticating a password
KR100645401B1 (en) * 2006-05-01 2006-11-15 주식회사 미래테크놀로지 Time Synchronous OTP Generator in Mobile Phone
US8359630B2 (en) * 2007-08-20 2013-01-22 Visa U.S.A. Inc. Method and system for implementing a dynamic verification value

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3441926A1 (en) * 2017-08-09 2019-02-13 SSenStone Inc. System for payment based on store's intranet, mobile terminal including payment function based on store's intranet, method for providing payment service based on store's intranet, and program for performing the same
CN109389390A (en) * 2017-08-09 2019-02-26 森斯通株式会社 Clearing mobile terminal, system, method and program based on communication network in sales field
US11301921B2 (en) 2017-08-09 2022-04-12 SSenStone Inc. System for payment based on store's intranet, mobile terminal including payment function based on store's intranet, method for providing payment service based on store's intranet, and program for performing the same

Also Published As

Publication number Publication date
CA2747249A1 (en) 2010-06-24
CN102301384A (en) 2011-12-28
AU2009327344A1 (en) 2011-07-21
EP2380122A2 (en) 2011-10-26
WO2010071904A9 (en) 2010-11-11
WO2010071904A3 (en) 2010-08-12
SG172224A1 (en) 2011-07-28
ZA201100774B (en) 2011-10-26

Similar Documents

Publication Publication Date Title
JP7345509B2 (en) System and method for secure read-only authentication
RU2427917C2 (en) Device, system and method to reduce time of interaction in contactless transaction
KR101236957B1 (en) System for paying credit card using mobile otp security of mobile phone and method therefor
US20200286088A1 (en) Method, device, and system for securing payment data for transmission over open communication networks
US9984371B2 (en) Payment de-tokenization with risk evaluation for secure transactions
KR101330867B1 (en) Authentication method for payment device
Lacmanović et al. Contactless payment systems based on RFID technology
AU2012265824B2 (en) A transaction system and method for use with a mobile device
US11432155B2 (en) Method and system for relay attack detection
US20190362341A1 (en) Binding cryptogram with protocol characteristics
US10248947B2 (en) Method of generating a bank transaction request for a mobile terminal having a secure module
CA3047954A1 (en) Method for carrying out a transaction, corresponding terminal, server and computer program
WO2010071904A2 (en) Security measures for credit card
EP4179697B1 (en) Secure end-to-end pairing of secure element to mobile device
KR101190745B1 (en) System for paying credit card using internet otp security of mobile phone and method therefor
RU2736507C1 (en) Method and system for creating and using trusted digital image of document and digital image of document created by this method
Ion et al. Don’t trust POS terminals! Verify in-shop payments with your phone
WO2025045876A1 (en) Method for relay attack protection of monetary transactions
Barisani et al. Practical EMV PIN interception and fraud detection
HK40120918A (en) Systems and methods for secure read-only authentication
HK40048471B (en) Systems and methods for secure read-only authentication

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200980151333.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09813865

Country of ref document: EP

Kind code of ref document: A2

WWE Wipo information: entry into national phase

Ref document number: 2747249

Country of ref document: CA

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 1326/MUMNP/2011

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 2009327344

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 2009813865

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2009327344

Country of ref document: AU

Date of ref document: 20091217

Kind code of ref document: A