WO2002060209A1 - Date source authentication comprising transmission of positional information - Google Patents
- Publication number
- WO2002060209A1 (PCT/GB2002/000339)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- user
- position information
- identity
- authentication device
Classifications
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01S—RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
- G01S5/00—Position-fixing by co-ordinating two or more direction or position line determinations; Position-fixing by co-ordinating two or more distance determinations
- G01S5/0009—Transmission of position information to remote stations
- G01S5/0018—Transmission from mobile station to base station
- G01S5/0027—Transmission from mobile station to base station of actual mobile position, i.e. position determined on mobile
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3224—Transactions dependent on location of M-devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/363—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes with the personal data of a user
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/22—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
- G07C9/23—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/0866—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means by active credit-cards adapted therefor
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/0873—Details of the card reader
- G07F7/088—Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself
- G07F7/0886—Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself the card reader being portable for interacting with a POS or ECR in realizing a payment transaction
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/107—Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/52—Network services specially adapted for the location of the user terminal
Definitions
- This invention relates to data transaction authentication. It is particularly, though not exclusively, applicable to financial transaction authentication.
- the Internet is an inherently open environment. This medium is a highly adaptable and convenient way for businesses, or merchants and customers, to trade using electronic funds transfer as the payment mechanism.
- the open nature of the Internet means that security has to be invested in the data that is sent.
- the system creates a hash of some or all of the transaction data which is sent to the transaction verification site. If the hash does not match the data at the transaction verification site, it is an indication that an attempt at tampering with the transaction information has taken place or a bogus transaction has been attempted.
- Secure transmission by use of a hash of the information to be sent is well-known. It is a form of encryption using public and/or private keys. However, it is not impregnable. It is possible to mimic the source of a financial transaction and, thus, derive financial gain by unauthorised use of financial transaction data. As the dependence on electronic funds transfer in its many forms grows, the techniques for overcoming the security measures put in place to protect the data transmitted become more sophisticated.
- TAD Trusted Authentication Device
- the TAD comprises a site box for enabling secure transactions across an open network that is designed to counter hostile software loaded on the server or computer by which the TAD is connected to the Internet. While the TAD processes the transaction itself, the procedures by which the transaction data is communicated across the Internet are conducted by the server or computer to which it is linked. It has a swipe card reader, a keypad by which the user enters their personal identification number (PIN) and an interface for connection to the personal computer. The personal computer is loaded with software by which the data is communicated from the TAD, over the Internet, to the payment gateway/financial systems to which the user is contracted.
- PIN personal identification number
- the inventors of the present invention have recognised that the ability to attack the integrity of the user systems for data transactions, and thereby make fraudulent use of the information, is based on breaking the encrypted data and accessing the identification information unique to the user. As long as the electronic address of the merchant site can be imitated, the actual geographical location is irrelevant in such conventional systems.
- the present invention aims, in one embodiment, to provide an enhancement to secure electronic transactions based on the geographical location of the originator of the transaction or a form of identity location verification itself.
- the present invention aims to provide an enhancement to secure electronic transactions based on an additional check on the identity of the user via a separate channel of identification from that used in the transaction.
- a data source authentication device comprising a transmitter for transmitting data, a position information determining apparatus for deriving position information relative to the location of the device, and a position information transmitter for transmitting position information.
- the transmitter for transmitting data is a cellular telephone, or an electronic network, such as the Internet.
- the position information transmitter is a position fixing system, such as a global positioning system.
- the data source authentication device further comprises an encoder for encoding the data transmitted, and a decoder for decoding the encoded data.
- the data source authentication device for authenticating the identity of a user further comprises identification apparatus for receiving information relevant to the identity of the user, verification apparatus for verifying the identity of the user, authorisation apparatus for authorising release of details relating to the user.
- the data source authentication device for authenticating the identity of a user further comprises a receiver for receiving the details relating to the user.
- the position information determining apparatus is connected to the receiver for receiving the details relating to the user.
- the position information determining apparatus is connected to the transmitter for transmitting data.
- the position information determining apparatus is part of a cellular network.
- the invention comprises a financial transaction system comprising a data authentication device defined above.
- a method of data authentication comprising storing authorising data specific to a particular user, requesting and receiving user identification data, comparing the requested user identification data with the stored authorising data, requesting and receiving data identifying the geographical location of the user, determining if the received geographical location data is within authorised limits stored in the authorising data specific to the particular user, and verifying the identity of the user based on a matching of the user identification data with the stored authorising data.
- the method further comprises approving release of data specific to the particular user in response to verification of the identity of the user.
- a data authentication system comprising a data authentication device operable to generate the data and position information relevant to the location of the device, and to transmit position information, the system further comprising a receiver for receiving the position information, a store for storing information on the location of the device, and comparison apparatus for comparing the received position information with the stored information in order to verify the source of the data.
- the data authentication device comprises a transmitter for transmitting data
- the transmitter is a cellular telephone, or an electronic network, such as the Internet.
- the data authentication device comprises a position information transmitter
- the position information transmitter is a position fixing system, such as a global positioning system.
- the data authentication system further comprises an encoder for encoding the data transmitted, and a decoder for decoding the encoded data, and in a further embodiment, may comprise identification apparatus for receiving information relevant to the identity of the user, verification apparatus for verifying the identity of the user, authorisation apparatus for authorising release of details relating to the user.
- the data authentication system for authenticating the identity of a user further comprises a receiver for receiving the details relating to the user.
- the data authentication device comprises a position information determining apparatus, and the position information determining apparatus is connected to the receiver for receiving the details relating to the user, or to the transmitter for transmitting data, or is part of a cellular network.
- a financial transaction system comprising a data authentication system as defined above.
- data source authentication device comprising means for transmitting data, means for deriving position information relevant to the location of the device, and means for transmitting the position information.
- the means for transmitting the position information is a mobile device, or an electronic network, such as the Internet.
- the means for transmitting the position information is a position fixing system, such as a global positioning system.
- the data source authentication device for authenticating the identity of a user further comprises identification apparatus for receiving information relevant to the identity of the user, verification apparatus for verifying the identity of the user, authorisation apparatus for authorising release of details relating to the user.
- the data source authentication device further comprises a receiver for receiving the details relating to the user.
- the means for transmitting the position information is connected to the receiver for receiving the details relating to the user, or to the means for transmitting data, or is part of a cellular network.
- a data authentication system comprising a data authentication device operable to generate the data and position information relevant to the location of the device, and to transmit position information, the system further comprising means for receiving the position information, means for storing information on location of the device, and means for comparing the received position information with the stored information in order to verify the source of the data.
- the invention provides an enhancement to existing security measures or a security measure in itself. It is applicable to position information derived dynamically from a position fixing system, such as the Global Positioning System (GPS).
- position fixing or position locating information can be derived from other sources, such as the United States Coast Guard Loran-C system or the cell location information used in cellular radio systems.
- Figure 1 is a schematic diagram of a system according to a first embodiment
- Figure 2 illustrates a site device according to the invention
- Figure 3 is a schematic diagram of a further embodiment according to the invention.
- Figure 4 is a flow diagram of an embodiment of the invention.
- a data transaction system comprises a trusted authentication device (TAD) 10 which is connected, via a USB datalink, to a personal computer 12.
- the computer 12 is connected via a fire wall 14 to the Internet 16, and a further gateway fire wall 18 to secure a B3 assured security server 20.
- the fire walls are not essential to the system as the TAD is resistant to attacks over the Internet because commands cannot be sent to the device by that means.
- the security server 20 is, in turn, connected to a global positioning system (GPS) verification secure database server 22 and an authentication infrastructure facility 24.
- GPS global positioning system
- the verification server 22 holds location information on subscriber sites which are preloaded when the subscriber contracts with the system provider. These are in the form compatible with location information received from the TAD site when data transaction authentication is sought, as described below.
- the Trusted Authentication Device includes a financial data input module, providing known means for reading smart cards via a reader, and magnetic cards via a swiping slot 26.
- the module also comprises a four line/twenty character liquid crystal display 28 and a personal identification number (PIN) trusted entry pad which is connected via a trusted path (ie a direct pin-connected pad/processor assembly) to the module processor (not shown).
- the housing for the module is attack resistant and the TAD processor is hardened against infiltration by its limited instruction set and in that instructions cannot be issued to it from outside the device.
- the processor 10 and the personal computer 12 are loaded with software by which data in respect of a purchase, wager or other financial transaction entered into the module through the keypad is transmitted to the personal computer on receipt of a correctly entered PIN associated with the data read from the smart card or magnetic card, and the user pushing an authorisation key on the keypad.
- the computer is arranged to send data received from the module over the Internet.
- the USB port allows fast data connection to the personal computer and also for power to be drawn by the TAD.
- the chip card reader supports both public key infrastructures (PKI), for example PKCS#11 (Public Key Cryptography Standard) smart cards and other conventional credit card/debit card secret key encryption technology.
- PKI public key infrastructures
- PKCS#11 Public Key Cryptography Standard
- the functionality of the TAD described thus far is based on the TAD manufactured by Enterprises Solutions, Inc. referred to above.
- the GPS processor is connected with an external amplified GPS antenna through a radio frequency BNC connector 32 and RG174 cable.
- Typical GPS specifications provide information in a choice of positional coordinates, including latitude/longitude, map references, UTM UPS, Maidenhead and MGRS, for example.
- the GPS processor is programmed with data on the location of satellites from which co-ordinate information to provide a positional fix can be derived.
- GPS relies on triangulation between the data transmitted by at least 3 of the GPS satellites.
- the distances of a point on earth from each of the satellites from which the data is read represent a unique combination by which the fix can be derived.
- the GPS system is well-known to the person of ordinary skill in the art and will not be described in further detail here. It has an accuracy of 5°.
- the module 10 has a differential-ready GPS receiver 32 having 12 parallel satellite information channels which continuously track the satellites to provide positional information with an accuracy of 5° and a resolution of +/-1 0 .
- the GPS system is typically accurate to between 10 and 100 feet depending on the number of satellites from which data is received at any one time, with a resolution of 1 foot.
- the GPS processor can derive altitude information in the range minus to plus 30,000 feet.
- the specifications for the external GPS antenna 36 include a frequency range of 1.57542GHz plus or minus 10MHz. Satellite information is received as right-hand circularly polarised transmissions. The gain of the aerial is 4.0dBic at antenna zenith. Radio frequency cable losses at 1.57542GHz are in the range of 3.5dB per ft. for the RG174 cable.
- the built-in antenna amplifier gain is 27dB +/- 2dB with a noise figure of 1.15dB.
- the output voltage standing wave ratio is less than 1.5:1.
- the invention is applicable to data transmission requiring authentication at a remote site of the data originator. This may be financial or other data.
- GPS co-ordinates for example latitude and longitude
- the GPS verification secure database 22 for a subscriber.
- on receipt of position information from the module GPS unit, transmitted over the Internet by the computer together with a GPS data id field, the B3 assured security server 20, which accesses the main payment gateway and financial systems, recognises the GPS id field and accesses the GPS verification secure database 22, which passes relevant latitude and longitude information according to the identity of the alleged source of the data.
- the security server 20 decodes the latitude and longitude position information as transmitted and the GPS verification secure database 22 attempts to match the decoded position information to its own stored co-ordinates for the module site.
- the result of the attempt at matching is either success or failure of authorisation. If the result is failure, the data transfer is barred from the payment gateway and financial systems.
- Successful matching of stored coordinate data with that decoded from the transmitted data allows the security server 20 to pass the transaction data through the payment gateway.
- an attempt to send data from the source is initiated by transmission of the GPS latitude/longitude data from the security server 20 which then seeks a match with the GPS verification secure database 22. Only in the event of a successful match between the stored and received positional data is authorisation information passed back to the GPS TAD through the transaction computer to allow completion of the data transaction.
- the position information is sent with the position information. If a successful match of the position information transmitted with that received is achieved, the security server 20 allows the financial data on to the payment gateway. For particularly sensitive data, extra user verification can be performed as part of the transaction by requiring the GPS TAD user to enter additional credentials. These credentials may be part of a public key infrastructure by which the data is encrypted, such that the GPS TAD is required to send the public key for decryption in the authentication infrastructure database 24 for submission to the security server 20. Other forms of authentication can take the place of the public key infrastructure as will be apparent to the person skilled in the art. However, the position information can form the basis of a basic authentication system on its own.
- an e-wallet is a system in which the payment details, for example credit card details, are held in a secure environment rather than being transmitted directly from the person making the payment, whether this be over the Internet or mobile phone or other mobile device such as a Personal Digital Assistant (PDA).
- PDA Personal Digital Assistant
- Figure 3 shows apparatus comprising the data source authentication system according to a preferred embodiment, and Figure 4 shows the steps involved in implementing the system illustrated in Figure 3.
- in step 1, the shopper 50 registers location information with the e-wallet (or the payment provider) defining the geographical areas in which purchases are authorised to be made using the shopper's payment details. Subsequently, if the shopper 50 decides to make a purchase, the shopper 50, having selected the goods to be purchased, proceeds, in step 2, to the check-out where he may decide to pay by e-wallet. In step 3, the shopper 50 is then transferred to the e-wallet and is asked by the e-wallet supplier to provide identification to the identification apparatus 51 of the e-wallet supplier.
- This request may be passed, for example, by SMS message to the shopper's mobile phone 52 whose number has been registered by the subscriber to the e-wallet with the e-wallet provider/supplier.
- the SMS message may require a user ID, for example a PIN to be entered.
- the shopper 50, in step 4, then enters the PIN, which is then transmitted to the e-wallet, by either the mobile device 52, for example a mobile phone, or via the Internet, where it is processed in step 5 by the verification apparatus 53 of the e-wallet provider.
- the e-wallet determines if the user ID, such as the PIN number, is correct.
- if the user does not submit the requested user ID or if the submitted data is incorrect, the transaction will be denied in step 7.
- the e-wallet also determines, in step 8, the location of the mobile device 52 being used in connection with the transaction from information obtained from a position determining system 54. If the location of the mobile device 52 is determined to be outside an authorised area, the transaction is denied in step 9. If the PIN number is verified as correct and the location of the mobile device 52 is determined to be in an authorised area, a password specific to the transaction concerned is issued, in step 10, to the shopper, by the authorisation apparatus 55 of the e-wallet provider. In step 11, the shopper 50 then enters the password, preferably via the original payment channel, for example, by phone 52 or the Internet.
- the verification apparatus 53 verifies that the correct password has been entered in step 12. If an incorrect password has been entered, the transaction is denied. If it is determined that the correct password has been entered, this is taken as confirmation that the shopper 50 is the registered subscriber or authorised representative thereof having knowledge of the correct PIN and password. The card details of the shopper are then released in encrypted form to the vendor, in step 13, or through the payment provider thereby instructing payment to be made to the vendor. The transaction is then completed and payment made in step 14.
- the position information providing the geographical information of the mobile device 52 being used by the shopper 50 in a particular transaction may be derived dynamically from a position fixing system 54, such as the global positioning system (GPS) or from other sources as described above with regard to the other embodiments of the invention. In particular, it may be obtained either from the phone company providing the service to the mobile phone 52, from a GPS receiver incorporated in the mobile device 52, or from a GPS receiver incorporated in the point of sale terminal 56.
- Verification of the shopper's PIN is conducted in the same manner as described above with respect to the earlier described embodiments.
- the shopper 50 may specify that he will only use the mobile device 52, for example, his mobile phone, for transactions in a particular location.
- the location information of the mobile device 52 being used in the transaction could be obtained from, for example, the phone company by dialling a special number. The accuracy of the location information obtained in this manner will depend upon the location concerned and the telephone company operator, but this system allows transactions to be carried out using mobile devices not having a GPS receiver.
- a shopper 50 may register more than one geographical zone, enabling transactions to be carried out from more than one location, for example, at home and at work.
- use may be limited to a particular country and, in a preferred embodiment, default zones may be set, permitting use, for example, only in the shopper's home country unless the shopper 50 defines other countries in which use is to be permitted.
- the shopper 50 may choose to register use in large geographical zones, such as Greater London, or in as small a geographical area as he wishes.
- the use of this zoning using position information systems 54 can improve the security of transactions by preventing transactions being made unless the mobile device 52 be within an area specified by the shopper/card holder 50.
- all that may be necessary to complete the transaction is for the user 50 to send a confirmation message approving the transaction from his mobile device 52, assuming the positional data is transmitted or obtained automatically from the position determining system 54. Furthermore, the entire transaction may be conducted using the mobile device 52 ("m-commerce").
- the advantage of the above method is that security is enhanced as the card details of the shopper are not provided by the user 50 over a potentially insecure medium, but at least two forms of identification are used, for example, a PIN, and a verification that the shopper 50 is in an approved geographical location from which transactions may be made. This is submitted to the e-wallet, and, upon verification, the e-wallet retrieves the card details of the user 50 and payment is completed.
- the shopper's card details and approved geographical transaction locations may be pre-stored and held by the e-wallet.
- the SMS message could be generated directly by the internet payment provider and the user 50 replies to the SMS message, for example, by inserting a PIN which, if correct, confirms that the mobile user 50 is the authorised shopper or his authorised representative.
- in step 3, when the shopper 50 is requested to identify himself to the e-wallet, he could enter his mobile phone number into the payment page instead of the card number by which payment is to be made.
- An encrypted message may be transmitted via the user's mobile phone 52 to the e-wallet to provide the card details.
- the e-wallet verifies with the phone company that the specified mobile phone number is actually that being used in a particular transaction (caller line identification).
- a third party e-wallet provider could hold payment details and mobile phone numbers and trigger the transmission of an SMS message, in stage 4, whenever a payment is initiated using the e-wallet.
- the SMS message may demand a reply before the transaction is finalised, for example, the submission of a password or PIN.
- the SMS message may act as an independent receipt of the transactions.
- a card issuer could be the provider of the SMS message in step 4 rather than the e-wallet provider.
- the identification used in step 4 to identify the shopper 50 may be a Personal Digital Assistant (PDA) arranged to capture an electronic image of a card holder's signature to confirm a transaction, or a mobile device used in conjunction with various recognition methods such as voice or retina, to confirm identification.
- an e-wallet may be incorporated in the mobile device 52 which may be used as the payment instrument, using for example, PKI encryption.
- the phone line charges incurred during the transaction may then be charged to the user.
- the identification of the user in step 4 is conducted at a fixed site by the user's mobile phone.
- the shopper's mobile device may constitute the payment instrument and communicates in-store with an EFTPOS terminal using, for example, infrared connection or Bluetooth short-range radio technology.
- the mobile device 52 could act as a virtual wallet.
- the identification to the e-wallet in step 4 may require a PIN to be entered at the EFTPOS terminal or may require other identification such as voice and/or retina identification which is conducted at the EFTPOS terminal. Whilst the above systems have been described in relation to financial transactions, it will be appreciated that similar methods could be used to secure transactions involving confidential data such as medical records, as well as financial transactions.
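The two-factor decision described above (a PIN check plus confirmation that the mobile device is inside a zone the shopper registered, with a home-country default) can be sketched as follows. This is an added example, not code from the patent: the circular zone model, the rule that the fix's whole uncertainty circle must lie inside a zone, the PBKDF2 PIN hashing and all names are assumptions made for illustration.

```python
import hashlib, hmac, math
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:                 # circular zone: an assumed representation
    name: str
    lat: float
    lon: float
    radius_m: float

@dataclass(frozen=True)
class Fix:                  # position report for the mobile device
    lat: float
    lon: float
    country: str            # country code of the fix
    accuracy_m: float       # uncertainty radius reported by the position source

@dataclass(frozen=True)
class Subscriber:
    pin_salt: bytes
    pin_hash: bytes
    home_country: str       # default zone: home country only
    zones: tuple = ()       # optional narrower zones, e.g. home and work
    extra_countries: frozenset = frozenset()

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(a))

def matching_zone(sub: Subscriber, fix: Fix):
    """Zone that contains the fix's whole uncertainty circle, else None."""
    for z in sub.zones:
        if distance_m(fix.lat, fix.lon, z.lat, z.lon) + fix.accuracy_m <= z.radius_m:
            return z
    return None

def authorise(sub: Subscriber, pin: str, fix: Fix):
    """Return (allowed, reason); card details are released only on (True, 'ok')."""
    if not hmac.compare_digest(hash_pin(pin, sub.pin_salt), sub.pin_hash):
        return (False, "bad_pin")
    if fix.country != sub.home_country and fix.country not in sub.extra_countries:
        return (False, "country_not_permitted")
    if sub.zones and matching_zone(sub, fix) is None:
        return (False, "outside_registered_zones")
    return (True, "ok")

# Constructed sample data: PIN, salt and coordinates are illustrative only.
SALT = b"constructed-salt"
SHOPPER = Subscriber(SALT, hash_pin("4821", SALT), "GB",
                     zones=(Zone("home", 51.5074, -0.1278, 2000.0),
                            Zone("work", 51.5155, -0.0922, 500.0)))
```

A coarse operator-supplied fix (large `accuracy_m`) is rejected for a small zone even when its centre point lies inside it, which reflects the description's remark that accuracy depends on the location and the telephone company operator.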
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP02715578A EP1354492A1 (en) | 2001-01-24 | 2002-01-24 | Date source authentication comprising transmission of positional information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0101836.5 | 2001-01-24 | ||
GBGB0101836.5A GB0101836D0 (en) | 2001-01-24 | 2001-01-24 | Data transaction authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002060209A1 (en) | 2002-08-01 |
Family
ID=9907419
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2002/000339 WO2002060209A1 (en) | 2001-01-24 | 2002-01-24 | Date source authentication comprising transmission of positional information |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1354492A1 (en) |
GB (1) | GB0101836D0 (en) |
WO (1) | WO2002060209A1 (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2383924A (en) * | 2001-11-29 | 2003-07-09 | Nec Corp | Retrieving position information of another portable terminal after being sent a password to be used, from that terminal |
GB2468349A (en) * | 2009-03-06 | 2010-09-08 | Timothy John Bell | Securing devices against unauthorized use |
CN102819917A (en) * | 2011-06-10 | 2012-12-12 | Lg电子株式会社 | Mobile terminal and control method thereof |
WO2012168940A1 (en) * | 2011-06-09 | 2012-12-13 | Accells Technologies (2009), Ltd. | A transaction system and method for use with a mobile device |
GB2500212A (en) * | 2012-03-13 | 2013-09-18 | Validsoft Uk Ltd | Method for location based authentication of transaction |
US9098850B2 (en) | 2011-05-17 | 2015-08-04 | Ping Identity Corporation | System and method for transaction security responsive to a signed authentication |
US9781105B2 (en) | 2015-05-04 | 2017-10-03 | Ping Identity Corporation | Fallback identity authentication techniques |
US9830594B2 (en) | 2011-05-17 | 2017-11-28 | Ping Identity Corporation | System and method for performing a secure transaction |
US9886688B2 (en) | 2011-08-31 | 2018-02-06 | Ping Identity Corporation | System and method for secure transaction process via mobile device |
US10108963B2 (en) | 2012-04-10 | 2018-10-23 | Ping Identity Corporation | System and method for secure transaction process via mobile device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4860352A (en) * | 1985-05-20 | 1989-08-22 | Satellite Financial Systems Corporation | Satellite communication system and method with message authentication suitable for use in financial institutions |
US4993067A (en) * | 1988-12-27 | 1991-02-12 | Motorola, Inc. | Secure satellite over-the-air rekeying method and system |
US5754657A (en) * | 1995-08-31 | 1998-05-19 | Trimble Navigation Limited | Authentication of a message source |
US5757916A (en) * | 1995-10-06 | 1998-05-26 | International Series Research, Inc. | Method and apparatus for authenticating the location of remote users of networked computing systems |
EP0848360A1 (en) * | 1996-12-11 | 1998-06-17 | BRITISH TELECOMMUNICATIONS public limited company | Electronic funds transfer authentication system |
WO1998030297A1 (en) * | 1997-01-10 | 1998-07-16 | Silicon Gaming, Inc. | Method and apparatus for providing authenticated, secure on-line communication between remote locations |
US5794151A (en) * | 1995-12-22 | 1998-08-11 | Motorola, Inc. | Frequency allocation for shared spectrum transmitter based on location |
WO1998047116A1 (en) * | 1997-04-15 | 1998-10-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Tele/datacommunications payment method and apparatus |
-
2001
- 2001-01-24 GB GBGB0101836.5A patent/GB0101836D0/en not_active Ceased
-
2002
- 2002-01-24 EP EP02715578A patent/EP1354492A1/en not_active Withdrawn
- 2002-01-24 WO PCT/GB2002/000339 patent/WO2002060209A1/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
VAN THANH D: "Security issues in mobile ecommerce", DATABASE & EXPERT SYSTEMS APPLICATIONS, DEXA, WIEN, AT, 4 September 2000 (2000-09-04), pages 412 - 425, XP002158270 * |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2383924A (en) * | 2001-11-29 | 2003-07-09 | Nec Corp | Retrieving position information of another portable terminal after being sent a password to be used, from that terminal |
GB2383924B (en) * | 2001-11-29 | 2005-10-12 | Nec Corp | Portable telephone system containing portable telephone terminal |
US7092704B2 (en) | 2001-11-29 | 2006-08-15 | Nec Corporation | Portable telephone system containing portable telephone terminal |
GB2468349A (en) * | 2009-03-06 | 2010-09-08 | Timothy John Bell | Securing devices against unauthorized use |
US9830594B2 (en) | 2011-05-17 | 2017-11-28 | Ping Identity Corporation | System and method for performing a secure transaction |
US9098850B2 (en) | 2011-05-17 | 2015-08-04 | Ping Identity Corporation | System and method for transaction security responsive to a signed authentication |
WO2012168940A1 (en) * | 2011-06-09 | 2012-12-13 | Accells Technologies (2009), Ltd. | A transaction system and method for use with a mobile device |
CN103733212A (en) * | 2011-06-09 | 2014-04-16 | 奥赛尔斯科技(2009)有限公司 | A transaction system and method for use with a mobile device |
US8626657B2 (en) | 2011-06-10 | 2014-01-07 | Lg Electronics Inc. | Mobile terminal and control method thereof |
EP2533183A1 (en) * | 2011-06-10 | 2012-12-12 | LG Electronics | Mobile terminal and control method thereof |
CN102819917B (en) * | 2011-06-10 | 2015-08-19 | Lg电子株式会社 | Mobile terminal and control method thereof |
CN102819917A (en) * | 2011-06-10 | 2012-12-12 | Lg电子株式会社 | Mobile terminal and control method thereof |
US9886688B2 (en) | 2011-08-31 | 2018-02-06 | Ping Identity Corporation | System and method for secure transaction process via mobile device |
GB2500212A (en) * | 2012-03-13 | 2013-09-18 | Validsoft Uk Ltd | Method for location based authentication of transaction |
US10108963B2 (en) | 2012-04-10 | 2018-10-23 | Ping Identity Corporation | System and method for secure transaction process via mobile device |
US9781105B2 (en) | 2015-05-04 | 2017-10-03 | Ping Identity Corporation | Fallback identity authentication techniques |
Also Published As
Publication number | Publication date |
---|---|
EP1354492A1 (en) | 2003-10-22 |
GB0101836D0 (en) | 2001-03-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20100138345A1 (en) | Financial transaction system having location based fraud protection | |
US10373161B2 (en) | Offline mobile phone payments | |
KR101188397B1 (en) | A mobile commerce authentication and authorization system | |
US6847816B1 (en) | Method for making a payment secure | |
US20080217400A1 (en) | System for preventing fraudulent purchases and identity theft | |
RU2651245C2 (en) | Secure electronic entity for authorising transaction | |
AU2012265824B2 (en) | A transaction system and method for use with a mobile device | |
MXPA04009725A (en) | System and method for secure credit and debit card transactions. | |
US11734673B2 (en) | Physical card enabling utilization based on location | |
WO2005073934A1 (en) | Method and system for authenticating credit transactions | |
KR100497223B1 (en) | Method and System for Providing Location-Based Credit Card Authentication Service | |
US20130166410A1 (en) | Payment agency system, user terminal and market server | |
WO2002060209A1 (en) | Date source authentication comprising transmission of positional information | |
US20140258046A1 (en) | Method for managing a transaction | |
KR20010085115A (en) | The payment system by using the wireless terminal | |
KR101834365B1 (en) | Service providing system and method for payment based on electronic tag | |
US11880840B2 (en) | Method for carrying out a transaction, corresponding terminal, server and computer program | |
AU2015337266B2 (en) | System and method for providing payment service | |
KR20040009428A (en) | Apparatus and method for mobile banking | |
WO2001048648A1 (en) | Communication system and communication terminal used therefor | |
KR102196337B1 (en) | Cloud Type Operating Method for Certificate | |
WO2005066907A1 (en) | Transaction processing system and method | |
US11620646B2 (en) | Method for carrying out a transaction, terminal, server and corresponding computer program | |
US20220343314A1 (en) | Processing using machine readable codes and secure remote interactions | |
KR20060016381A (en) | System and method for settling accounts using the payment terminal communitatting with a mobile terminal by radio frequency |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
WWE | Wipo information: entry into national phase | Ref document number: 2002715578 Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 2002715578 Country of ref document: EP |
REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
NENP | Non-entry into the national phase | Ref country code: JP |
WWW | Wipo information: withdrawn in national office | Country of ref document: JP |
WWW | Wipo information: withdrawn in national office | Ref document number: 2002715578 Country of ref document: EP |