WO2010043974A1 - System for secure contactless payment transactions - Google Patents

System for secure contactless payment transactions Download PDF

Info

Publication number
WO2010043974A1
WO2010043974A1 PCT/IB2009/007364 IB2009007364W WO2010043974A1 WO 2010043974 A1 WO2010043974 A1 WO 2010043974A1 IB 2009007364 W IB2009007364 W IB 2009007364W WO 2010043974 A1 WO2010043974 A1 WO 2010043974A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
server
rfid
rfid reader
otp
Prior art date
Application number
PCT/IB2009/007364
Other languages
French (fr)
Inventor
Christian Richard
Original Assignee
Christian Richard
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Christian Richard filed Critical Christian Richard
Publication of WO2010043974A1 publication Critical patent/WO2010043974A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/073Special arrangements for circuits, e.g. for protecting identification code in memory
    • G06K19/07309Means for preventing undesired reading or writing from or onto record carriers
    • G06K19/07318Means for preventing undesired reading or writing from or onto record carriers by hindering electromagnetic reading or writing
    • G06K19/07336Active means, e.g. jamming or scrambling of the electromagnetic field
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3278RFID or NFC payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/352Contactless payments by cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0873Details of the card reader
    • G07F7/0893Details of the card reader the card reader reading the card in a contactless manner
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00Jamming of communication; Counter-measures
    • H04K3/40Jamming having variable characteristics
    • H04K3/43Jamming having variable characteristics characterized by the control of the jamming power, signal-to-noise ratio or geographic coverage area
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K3/00Jamming of communication; Counter-measures
    • H04K3/80Jamming or countermeasure characterized by its function
    • H04K3/82Jamming or countermeasure characterized by its function related to preventing surveillance, interception or detection
    • H04K3/825Jamming or countermeasure characterized by its function related to preventing surveillance, interception or detection by jamming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04KSECRET COMMUNICATION; JAMMING OF COMMUNICATION
    • H04K2203/00Jamming of communication; Countermeasures
    • H04K2203/10Jamming or countermeasure used for a particular application
    • H04K2203/20Jamming or countermeasure used for a particular application for contactless carriers, e.g. RFID carriers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Abstract

The present invention is directed to a system that includes a transaction unit that includes a microchip having a computer readable medium configured to store a unit identifier (UI) and at least one one-time-password (OTP) therein. The UI and the at least one OTP comprising transaction authentication data. The transaction unit is configured to transmit the transaction authentication data in response to receiving a predetermined signal. A reader device is configured to transmit the predetermined signal to interrogate the transaction unit and read the transaction authentication data. The reader device is configured to generate at least one authentication indicia in response to receiving an authentication signal. A server is coupled to the reader device. The server includes a database having at least one server OTP related to at least one unit identifier stored therein, the at least one server OTP and the at least one unit identifier comprising transaction verification data. The server is configured to compare the transaction authentication data with the transaction verification data. The server also is configured to transmit the authentication signal to the reader device if the transaction authentication data matches the transaction verification data.

Description

SYSTEM FOR SECURE CONTACTLESS PAYMENT TRANSACTIONS
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of priority under 35 U. S. C. § 119(e) and 35 U.S.C. §365, to U.S. Provisional Patent Application Serial No. 61/136,945, filed on October 16, 2008, the content of which is relied upon and incorporated herein by reference in its entirety.
BACKGROUND OF THE INVENTION
1. Field of the Invention
[0002] The present invention relates generally to RFID systems, and particularly to a method and system for secure contactless payment transactions.
2. Technical Background
[0003] Contactless "smartcards" have been used for payment for many years. Smartcards and other such contactless payment schemes were originally promoted for use in a category of payment defined as micropayment. The smartcard typically included an RFID chip disposed therein. The RFID chip included memory for storing the payment information. The payment information was accessed by a reader. Micropayment was originally created for the purchase of products under a given price, e.g., $50, without any receipt. Micropayment was originally contemplated as a means for simplifying payment for small items such as newspapers, fast food and other similar purchases. The card may, for example, be issued by a merchant and include a $50 credit amount recorded in memory.
[0004] In another example, Paypass ™ is a smart credit card system adopted by various credit card companies. In fact, approximately 80 million credit cards with a contactless inlay using the ISO 14443A or B protocols were released into the stream of commerce. When the credit card is read through its RFID chip, the information that is transmitted to the bank is the same as the standard credit card track A and B data. The system attempted to protect the sensitive financial data using the Texas Instruments ™ Digital Signal Transponder (DST) 24 to 40 bits protocol. One drawback with this method is that is vulnerable to "sniffing" attacks. Sniffing refers to a technique wherein a thief surreptitiously captures the transmissions between the smart card and the reader. This may be accomplished, for example, by hiding an unauthorized read in close proximity to the authorized reader. This technique often resulted in the fraudulent acquisition of many credit card numbers in a short span of time. For example, it was widely reported that one hacker was able to sniff thousands of credit cards using the contactless payment system over a span of a few hours using a $150 device. [0005] What is needed, therefore, is a system for improving the security of contactless payment transactions.
SUMMARY OF THE INVENTION
[0006] The present invention addresses the needs described above by providing a system for improving the security of contactless payment transactions. [0007] One aspect of the present invention is directed to a system that includes a transaction unit having a microchip that includes a computer readable medium. The computer readable medium is configured to store a unit identifier (UI) and at least one one-time-password (OTP) therein. The UI and the at least one OTP comprising transaction authentication data. The transaction unit is configured to transmit the transaction authentication data in response to receiving a predetermined signal. A reader device is configured to transmit the predetermined signal to interrogate the transaction unit and read the transaction authentication data. The reader device is configured to generate at least one authentication indicia in response to receiving an authentication signal. A server is coupled to the reader device. The server includes a database having at least one server OTP related to at least one unit identifier stored therein, the at least one server OTP and the at least one unit identifier comprising transaction verification data. The server is configured to compare the transaction authentication data with the transaction verification data. The server also is configured to transmit the authentication signal to the reader device if the transaction authentication data matches the transaction verification data.
[0008] Another aspect of the present invention is directed to a system that includes a contactless transaction unit having an RFID assembly disposed therein. The RFID assembly includes an RFID coupler and a microchip having a computer readable medium configured to store transaction authentication data. The RFID coupler includes a detuned inlay, the detuned inlay including an LC circuit having a resonant frequency calculated to correspond to a sub-harmonic of the main frequency of a predetermined signal. The transaction unit is configured to transmit the transaction authentication data in response to receiving the predetermined signal. A contactless RFID reader device is configured to transmit the predetermined signal when the transaction unit is disposed within a predetermined distance from the reader device to thereby interrogate the contactless transaction unit and read the transaction authentication data. The contactless RFID reader device is configured to generate at least one authentication indicia in response to receiving an authentication signal. A server is coupled to the contactless RFID reader device. The server includes a database having transaction verification data stored therein. The server is configured to compare the transaction authentication data with the transaction verification data. The server is configured to transmit the authentication signal to the contactless RFID reader device if the transaction authentication data matches the transaction verification data. [0009] Yet another aspect of the present invention is directed to a system that includes a transaction unit having an RFID assembly disposed therein. The RFID assembly includes an RFID coupler and a microchip having a computer readable medium. The computer readable medium is configured to store transaction authentication data. The transaction unit is also configured to transmit the transaction authentication data in response to receiving the predetermined signal. An RFID reader device is configured to transmit the predetermined signal when the transaction unit is disposed within a predetermined distance from the RFID reader device to thereby interrogate the transaction unit and read the transaction authentication data. The RFID reader includes a jammer coupler disposed proximate a reader coupler such that the RFID reader device includes a sensing zone wherein the RFID reader device interrogates the transaction unit and a jamming zone wherein the RFID reader device transmits a jamming signal substantially outside of the sensing zone. The RFID reader device is also configured to generate at least one authentication indicia in response to receiving an authentication signal. A server is coupled to the RFID reader device, the server including a database having transaction verification data stored therein. The server is configured to compare the transaction authentication data with the transaction verification data. The server is configured to transmit the authentication signal to the RFID reader device if the transaction authentication data matches the transaction verification data.
[0010] Additional features and advantages of the invention will be set forth in the detailed description which follows, and in part will be readily apparent to those skilled in the art from that description or recognized by practicing the invention as described herein, including the detailed description which follows, the claims, as well as the appended drawings.
[0011] It is to be understood that both the foregoing general description and the following detailed description are merely exemplary of the invention, and are intended to provide an overview or framework for understanding the nature and character of the invention as it is claimed. The accompanying drawings are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification. The drawings illustrate various embodiments of the invention, and together with the description serve to explain the principles and operation of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] Figure 1 is a block diagram of a secure contactless payment transaction according to an embodiment of the present invention
[0013] Figure 2 is a schematic view of a contactless payment card inlay; [0014] Figure 3 is an example of a second harmonic of a signal having a main frequency of 13.56 MHz; [0015] Figure 4 is a schematic view of a reader coupler with a concentric jammer; and
[0016] Figures 5 A and 5B are schematic views of the reader coupler field and the reader coupler field combined with the concentric jammer field, respectively.
DETAILED DESCRIPTION
[0017] Reference will now be made in detail to the present exemplary embodiments of the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. An exemplary embodiment of the system of the present invention is shown in Figure 1, and is designated generally throughout by reference numeral 100.
[0018] As embodied herein, and depicted in Figure 1, a diagrammatic depiction of a secure contactless payment transaction system 100 in accordance with one embodiment of the present invention is disclosed. System 100 may be configured as a hierarchical computer and software system implemented in the well known client-server model with at least one secure database for storing secure data. System 100 may include a server 60, middle layer computer processing nodes associated with the networks 40, 42 and RFID readers 30 at the lowest level. System 100 may also include an RFID card 50, an RFID token 52 and/or an RFID equipped electronic devices 54, e.g., a mobile near field communications (NFC) device 54. Each of these devices may be read by an RFID reader 30 in accordance with the present invention. These devices are coupled to a central transaction management server 60 by way of low speed network 40, high speed network 42, switched network 44, or some combination thereof. Secure data may include cytological keys used to authenticate computer processing nodes and sensors in the network. Of course, one-time passwords (OTPs) are used to authenticate and verify RFID cards 50, tokens 52 and NFC devices 54.
[0019] The switched network 44 may include the public switched telephony network (PSTN) or a packet switched network or a combination thereof. Network 44 may be, for example, the global packet data communication network now commonly referred to as the "Internet." The World Wide Web (WWW) is a system of server computers that is supported and interconnected by the Internet. In the client- server model, the server computer(s) comprising the transaction manager server 60 may provide graphical "web pages" that are provided to a client computers that supports a given RFID reader 30 via the web. The client computer includes a graphical interface which provides an easily understood display that facilitates the POS transaction. Some of the information being served to the client is dynamically retrieved by the server from one or more databases. The graphical interface may allow the sales personnel to perform an identity check of the customer. The identification information may be provided to server along with the OTP data obtained by reader 30. [0020] In one embodiment of the present invention, RFID reader 30 includes a secure contactless sensor that employs a 13.56 MHz microcircuit. The 13.56 MHz microcircuit is bidirectional and is characterized by a controllable range. Reader 30, therefore, exchanges data with the RFID device (50, 52, 54) at a reasonable speed. Reader 30 may be configured as a low power reader that employs the ISO 14443A protocol. Contactless payment cards are easily read at a range of 12 inches (30.48 cm). This range can be extended up to 3 feet (91.44 cm) when equipped with larger sensors. The RFID reader 30, depending on its sophistication at the point of sale (POS), may be include application programming configured to interact with POS personnel. The application programming may provide access to information retained in the Server databases and also to provide control over the RFID reader 30.
[0021] RFID reader 30 also includes a network interface to couple RFID reader 30 to external computer networks 40, 42, and/or 44. The communication interface may be of any suitable type such as a Universal Serial Bus (USB) interface, cable modem, a digital subscriber line (DSL) card or modem, an integrated services digital network (ISDN) card, a telephone modem, or any other communication interface to provide a data communication connection to a corresponding type of communication line. As another example, communication interface may be a local area network (LAN) or wide area network (WAN) card (e.g. for Ethernet™ or an Asynchronous Transfer Model (ATM) network) to provide a data communication connection to a compatible LAN or WAN. Wireless links can also be implemented. In any such implementation, communication interface may send or receive electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information. [0022] The term "computer-readable medium" as used herein refers to any medium that participates in providing data and/or instructions to a processor associated with either the RFID reader 30 or the transaction manager server 60 for execution. Such media may take many forms, including but not limited to non- volatile media, volatile media, and transmission media. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read. Transmission media may include coaxial cables, copper wire and/or optical fiber. Transmission media can also take the form of acoustic, optical, or electromagnetic waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Any of the various forms of computer-readable media described above may be involved in providing instructions to the table computers 210 for execution.
[0023] The transaction manager server 60 refers to both the physical server computers configured to run and manage the various system applications, and the software that resides on the physical server computers. The server manages the proper reading and writing of data in the database. The server also manages the contactless payment sequence enabled by the RFID card 50. The server stores, receives and dispatches alarms over the networks to the clients in the event that an authentication fails.
[0024] One of the drawbacks associated with conventional smartcard systems relates to the use of customer tracking information during the data exchange. It is understood that the use of this data reduces the burden on the merchant by requiring fewer changes to current conventional systems. However, this design makes it very easy and very attractive for thieves to hack these relatively unprotected smart cards. [0025] The transaction manager server 60 may be configured to generate the onetime pass word and read/write to/from the database using symmetric security keys. The new OTP is written into the chip by the OTP module via the server. Client/server communications may be encrypted using a secure sockets layer (SSL). As will be explained in detail below, the OTP is a security system that changes a secret data key inside the RFID card 50 each time it is read. If the server validates the retrieved OTP, the transaction is written into the database, and a new OTP is retrieved in accordance with a predetermined sequence.
[0026] To generate the one-time password (OTP), a "seed" is provided by the transaction manager server 60 or by an authorized card issuing authority. The seed is combined with a static user password and a user card ID using a hash function. The hash value of the user's static password the session one-time password and the compressed data is used as input to the digital signature algorithm. This guarantees that the one-time password significantly determines the communication stream between the client and the server for each session. The transaction manager server 60 or the authorized card issuing authority computes a set S of independent one-time passwords that are stored in a password file in a database coupled to the transaction manager server 60.
[0027] The RFID card 50, token 52 or NFC device 54 stores the initial one time password word together with the corresponding index. In one embodiment, either the entire set (S) or a small subset (S') of S is stored on the card 50 before issuance in a secure way. At login time, upon presentation of the RFID tag, the transaction server issues a challenge to the tag. The challenge is merely one of the indices selected at random. Of course, the selected index is used by the card to retrieve the one-time password out of the subset S' of one-time passwords that corresponds to the selected index. Once retrieved, the RFID card (50, 52, 54) sends the one-time password stored in memory that corresponds to the challenge I, in response to the challenge. If this onetime password transmitted by the card matches the one stored in the password file at index i, the transaction is authorized. If not, the authentication fails. This approach is not vulnerable to over-the-shoulder attacks since the passwords are stored in the RFID tag. Further, since the one-time passwords are selected at random and the subset S' can be chosen to be small enough to allow frequent refresh of the passwords stored in the RFID tag, a passive eavesdropper that monitors the communication between the RFID tag and the central controller will not be able to predict the next one-time password that the card will send.
[0028] In another embodiment, card 50, token 52 or device 54 is equipped with computing power, and the initial OTP is employed to generate additional passwords by applying a series of iterations of the cryptographic functions f to the initial OTP. In one embodiment, the memory of the contactless payment card would include a 64 bit permanent unique identifier (UIO) and at least one 16 to 63 bit one-time password (OTP) in the read/write memory using a fast encryption algorithm based on, for example, an exponential Certicom keying system. The memory would also include a class of service bits and optional challenge complement bits. In order to authenticate to the system, the user applies an iteration of the cryptographic function (f) to the initial OTP. The encrypted information is transmitted to the server 60 via the reader 30. The server 60 verifies the correctness of the information by decoding the encrypted data provided by the RFID card 50, token 52 or device 54. The decoded result is compared to the value previously stored in the server 60. If there is a match, authentication succeeds and the new value of i together with the next iteration of the cryptographic function (f) are stored in the controller. Otherwise, authentication fails and the value of i is discarded.
[0029] In both implementations, the one-time password can be used to secure subsequent communications between the client and the transaction manager server 60. The user password is never transmitted in plain text to the central controller. A slight modification of this approach allows also for server authentication to the client card 50, token 52 or NFC device 54. The set of one-time passwords computed by the client or the server can be either based on Elliptic Curves or on the RSA scheme or on any other pseudo random function. [0030] The present invention envisions several classes of OTP service. The first class (Class 1 OTP) is referred to as close loop fast access. In this embodiment, an OTP server is on site and it facilitates a full OTP exchange. In other words, if the RFID card 50 includes one OTP, the server may cryptographically generate a new OTP and write it into the inlay 10 memory. This approach requires a relatively high speed central server to be efficient. Thus, this approach is particularly efficient in environments such as shopping centers, airports and subways in which the speed of the connection to a central server is not a issue. The second class (Class 2 OTP) is referred to as fast access OTP. In this embodiment, an OTP server may be easily accessible but is not required for every transaction. The third class of service (Class 3 OTP) does not have immediate access to the transaction manager server 60 and relies on the hand shaking key to secure the transaction. It is envisioned that Class 3 OTP would be employed in remote locations. The "hand shaking sequence" would require the reader 30 to have a key to access the data in the RFID card (50, 52, 54), based on the specific time of the transaction. Thus, only an authorized reader can read the RFID card 50, token 52 or NFC device 54 based on the authentication process described. To complement the transaction, human interaction may be required to complete the secure transaction, for example a cashier asking for a picture identification. [0031] Accordingly, the present system eliminates the drawbacks associated with existing contactless payment systems whereby the RFID microchip can be read at a distance by an unauthorized sensor. Further, an unauthorized sensor placed within or underneath a counter, or within a doorway gate cannot be used to illegally read the data in the RFID card (50, 52, 54) of the present invention. For example, recently conducted tests showed that on low power reader using the ISO 14443A protocol can easily read conventional contactless payment cards at a range of 12 inches (30.48 cm). As noted, this range can be up to 3 feet (91.44 cm) with larger sensors. The OTP of the present invention eliminates this threat. As another example, the 40 bit key used in certain conventional cards has been broken and made public on the Internet. In fact, a group of students from the University of Baltimore, and sponsored by RSA, showed that a particular algorithm could be broken in a few minutes. Again, the OTP of the present invention eliminates this threat.
[0032] One benefit of the present invention relates to the use of a 13.56 MHz RFID reader 30 that is based on the ISO 14443 protocol. Most payment or secure transaction contactless systems commonly use the 13.56 MHz reader. The ISO 14443 protocol (or its ISO 18000 equivalent) was created for secured RF transaction at 13.56 MHz. Thus, the present invention presents certain advantages vis a vis certain conventional systems such as conventional systems employing 125 KHz tokens. At a 6 Kbits/sec throughput, these tokens do not provide for bidirectional exchanges of data at a sufficient speed. There are higher frequency range systems but they also suffer from various deficiencies. For example, the Wall Mart ™ EPC 915 MHz system and the upcoming 915 MHz from EM Marin do not include enough memory capacity. Another issue in the 915 MHz frequency systems relates to the relative inability to control the range and the cross talk. In view of these drawbacks, many security experts prefer the 13.56 MHz system as the frequency of choice for secure applications.
[0033] As noted above, the present invention includes RFID equipped electronic devices 54, such as those configured in accordance with near field communications (NFC) technologies. Those of ordinary skill in the art will understand that NFC employs short-range high frequency wireless communication technology for contactless bidirectional transmission of data between devices separated by approximately 10 centimeters, which is about 4 inches. NFC may be thought of as an application or extension of the ISO/IEC 14443 RFID proximity-card standard (described above) in that it incorporates a so-called smart card into a hand held electronic device. NFC is primarily aimed at usage in mobile phones and may be employed in blackberries and other such devices. NFC may also combine the interface of a smartcard and a reader into a single device. An NFC device of this type can, therefore, communicate with both existing ISO/IEC 14443 smartcards and readers, as well as with other NFC devices. One of the benefits of NFC devices is that they are compatible with existing contactless infrastructure already in use for public transportation and payment. For example, NFC devices communicate by way of magnetic field induction over the globally available and unlicensed RF-ISM band of 13.56 MHz, with a bandwidth of 14 kHz. As alluded to above, the RFID devices (50, 52, 54) may operate in a passive mode or in an active mode. In the passive RFID mode the RFID reader 30 provides a near magnetic field to interrogate the RFID Device (50, 52, 54). The RFID Device (50, 52, 54) typically employs an LC circuit that is excited by the near field such that the RFID device obtains its operating power from the near field. In the active mode, both the RFID device (50, 52, 54) and the reader 30 communicate by generate their own near field to transmit and deactivate their near field during the receive portion of the communication cycle. As noted above, the RFID device (50, 52, 54) requires a power supply to operate in this mode. Thus, the NFC RFID device 54 is well suited for this application. [0034] It should be noted that conventional NFC devices may employ the ISO 14443 standard or newer 13.56 MHz implementations, e.g., the SONY™ FELICA™ system. There may be other private protocols being used in the U.S. Each of these protocols recognize the benefits of attaching a NFC chip to a mobile device. Cell phones are ubiquitous and one so equipped would essentially function as an electronic wallet, or an "e-wallet." However, the conventional devices briefly described above have drawbacks because the "sniffing" problem remains. Further, the "near field" is not specifically defined. As a matter of fact, this umbrella specification makes it very difficult for RFID chip makers because of the various protocols (e.g., NFC, ISO 14443 and ISO 15693) that must be supported in the same die. The sniffing issue is substantially eliminated by the present invention by use of the OTP, hardware range reduction and jamming of the chips beyond specific reading zone. [0035] As embodied herein and depicted in Figure 2, a schematic view of a contactless payment card 10 is disclosed. In this embodiment, the inlay 10 is an LC circuit composed of the chip (microchip) and mainly its capacitance (Cl) and the inductance (Li) of the winding 12 attached to the die 14. This combination creates a resonant circuit resonating at a particular frequency. The basic ISO specification is very narrow at 13.56 MHz, +/- 500 KHz. This also applies to the NFC or any radio frequency (RF) payment system. [0036] An effective technique for providing a sorter reading range without affecting the data rate is to detune the inlay of the contactless payment card. To detune the inlay 10, the resonance frequency of the LC circuit is calculated on one of the secondary harmonics of the main frequency, namely:
Fdetuned
Figure imgf000015_0001
(Equation 1)
[0037] As previously discussed, controlling the range at which contactless payment cards may be read is one of the features of the present invention that eliminates the sniffing problem. As noted, the operating frequency of the device may be in the HF RFID band at 13.56 MHz, employing inductive coupling to communicate with the RFID reader 30. RFID inlay 10 may include a read/write memory of at least 500 bits. In another embodiment, the memory size is about 2 K bits.
[0038] Referring to Figure 3, an example of a near field signal 20 in accordance with the present invention is depicted. Note that signal 20 includes a second harmonic 22 that has a main frequency of 13.56 Mhz. By detuning the inlay 10 in accordance with Equation 1, only the secondary harmonic will be used in the near field RFID communications between the RFID device (50, 52, 54) and the RFID reader 30. This drastically reduces the range of the reader 30 because only a fraction of the power is transmitted to the LC circuit in RFID card inlay 10. This range may be controlled with a relatively high precision at 13.56 MHz. One benefit of this technique is that is simple to realize. Only the inlay 10 must be detuned for the resultant RFID cards (50, 52, 54) to operate with existing readers. If the OTP is employed in conjunction with the range reduction features described immediately above, the probability of sniffing being an issue is quite low.
[0039] If the present invention is employed in higher frequency range systems (e.g., at 915 MHz or Wi-Fi ), the RFID reader 30 may require redesign. Further, the OTP would be required. Another technique that may be employed in high frequency systems employs a predetermined geometric configuration of RFID readers 30. The geometric arrangement of readers 30 provides a means for physically locating the RFID card (50, 52, 54). If the RFID card (50, 52, 54) is deemed to be in an authorized location, the transaction is authorized to proceed.
[0040] As embodied herein and depicted in Figure 4, a schematic view of a reader coupler 30 with a concentric jammer is disclosed. In this embodiment, the RFID reader 30 includes a jammer coupler 32 disposed within a perimeter formed by the reader coupler 34. The jammer coupler 32 is shown slightly offset from the center of the reader coupler 34 to compensate for various factors, such as the presence of metal or other conductors, and to provide separation from the reader power input 36. Jamming is a technique whereby potential communications between the contactless RFID card (50, 52, 54) and an unauthorized reader disposed outside of the reading zone of an authorized reader 30 are disturbed and/or interrupted. This is implemented in accordance with the present invention by the jamming coupler 32 which is configured to generate white noise centered around 13.56 MHz. This technique substantially prevents sniffers or hackers from monitoring RFID signals within the reading zone of reader 30.
[0041] Figures 5 A and 5B are schematic views of the reader coupler field and the reader coupler field combined with the concentric jammer field, respectively. In Figure 5A, a field 35 generated by the reader coupler 35 is depicted. Figure 5B shows the combination of the field 35 generated by the reader coupler 34 and the field 33 generated by the jammer coupler 32. Figure 5B, therefore, illustrates the coverage of the jammer coupler field 33 relative to the reading zone of RFID reader 30. For example, a reader coupler 34 with a diameter of 6" will have a range of approximately 8.5". If the RFID reader 30 employs a jammer coupler 32 having a diameter of about 70% of that of the reader coupler 34, i.e. 4.2", reader 30 will have a range of about 6". [0042] The above described techniques may be applied individually or collectively to contactless payment transaction systems in order to enhance the security of such transactions. These techniques may also be applied to any wireless transactions but particularly to payment transactions such as the NFC token system used in cellular phones. As for the OTP technique, it may also be applied to contact payment card systems or to other type of transaction system such as M-commerce, ticket purchase or payment at video terminals.
[0043] All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.
[0044] The use of the terms "a" and "an" and "the" and similar referents in the context of describing the invention (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms "comprising," "having," "including," and "containing" are to be construed as open-ended terms (i.e., meaning "including, but not limited to,") unless otherwise noted. The term "connected" is to be construed as partly or wholly contained within, attached to, or joined together, even if there is something intervening.
[0045] The recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited herein.
[0046] All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended merely to better illuminate embodiments of the invention and does not impose a limitation on the scope of the invention unless otherwise claimed. [0047] No language in the specification should be construed as indicating any non- claimed element as essential to the practice of the invention.
[0048] It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit and scope of the invention. There is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention, as defined in the appended claims. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.

Claims

What is claimed is:
1. A system comprising: a transaction unit including a microchip having a computer readable medium configured to store a unit identifier (UI) and at least one one-time- password (OTP) therein, the UI and the at least one OTP comprising transaction authentication data, the transaction unit being configured to transmit the transaction authentication data in response to receiving a predetermined signal; a reader device configured to transmit the predetermined signal to interrogate the transaction unit and read the transaction authentication data, the reader device being configured to generate at least one authentication indicia in response to receiving an authentication signal; and a server coupled to the reader device, the server including a database having at least one server OTP related to at least one unit identifier stored therein, at least one server OTP and the at least one unit identifier comprising transaction verification data, the server being configured to compare the transaction authentication data with the transaction verification data, the server being configured to transmit the authentication signal to the reader device if the transaction authentication data matches the transaction verification data.
2. The system of claim 1, wherein transaction unit includes an RFID assembly disposed therein, the RFID assembly including an RFID coupler configured to operate at a predetermined frequency, and wherein the reader device is configured as an RFID reader operating at the predetermined frequency.
3. The system of claim 2, wherein the transaction unit is configured as a card, a token or as a mobile communications device.
4. The system of claim 3, wherein the mobile communications device includes a graphical user interface (GUI) coupled to at least one microprocessor, the mobile communications device being configured to transmit the transaction authentication data to the server via at least one network by manipulating the GUI.
5. The system of claim 2, wherein the contactless RFID reader includes a jammer coupler disposed proximate a reader coupler such that the RFID reader includes a sensing zone wherein the RFID reader interrogates the contactless payment unit and a jamming zone wherein the RFID reader transmits a jamming signal substantially outside of the sensing zone.
6. The system of claim 1, wherein the predetermined signal is carried by a near field magnetic field, and wherein the RFID coupler includes a detuned inlay, the detuned inlay including an LC circuit having a resonant frequency calculated to correspond to a sub-harmonic of the main frequency of the predetermined signal such that the predetermined distance is less than or equal to approximately eight (8) inches.
7. The system of claim 1, wherein the transaction unit and the reader device are configured to communicate at a frequency substantially equal to 13.56 MHz in accordance with an ISO 14443 standard.
8. The system of claim 1, wherein the transaction authentication data includes timing authentication data and the transaction verification data includes timing verification data.
9. The system of claim 1, wherein the at least one authentication indicia includes a visual indicator or an aural indicator, the visual indicator including an LED indicator configured to provide a color coded response indicative of authentication or authentication denial, or wherein the visual indicator is transmitted by way of a graphical user interface coupled to the RFID reader.
10. The system of claim 1, wherein the server is configured to generate the at least one OTP using a predetermined encryption algorithm, the predetermined encryption algorithm is selected from a group of methods that include an Elliptical Curve Cryptography (ECC) encryption method, an Advanced Encryption Standard (AES) encryption method, a Temporal Key Integrity Protocol (TKIP) method, or a Counter- Mode/CBC-Mac protocol (CCMP) method.
11. The system of claim 1, wherein the at least one OTP includes a plurality of one time passwords, each one time password of the plurality of one time passwords being associated with a corresponding index number, and wherein the computer readable medium is configured as a first in first out memory that is configured to store either the plurality of one time passwords or a subset of the plurality of one time passwords.
12. A system comprising: a contactless transaction unit including an RFID assembly disposed therein, the RFID assembly including an RFID coupler and a microchip having a computer readable medium configured to store transaction authentication data, the RFID coupler including a detuned inlay, the detuned inlay including an LC circuit having a resonant frequency calculated to correspond to a sub-harmonic of the main frequency of a predetermined signal, the transaction unit being configured to transmit the transaction authentication data in response to receiving the predetermined signal; a contactless RFID reader device configured to transmit the predetermined signal when the transaction unit is disposed within a predetermined distance from the reader device to thereby interrogate the contactless transaction unit and read the transaction authentication data, the contactless RFID reader device being configured to generate at least one authentication indicia in response to receiving an authentication signal; and a server coupled to the contactless RFID reader device, the server including a database having transaction verification data stored therein, the server being configured to compare the transaction authentication data with the transaction verification data, the server being configured to transmit the authentication signal to the contactless RFID reader device if the transaction authentication data matches the transaction verification data.
13. The system of claim 12, wherein the computer readable medium is configured to store a unit identifier (UI) and at least one one-time-password (OTP) therein, the UI and the at least one OTP comprising the transaction authentication data.
14. The system of claim 12, wherein the transaction verification data comprises at least one server OTP related to at least one unit identifier.
15. The system of claim 12, wherein the contactless RFID reader includes a jammer coupler disposed proximate a reader coupler such that the RFID reader includes a sensing zone wherein the RFID reader interrogates the contactless payment unit and a jamming zone wherein the RFID reader transmits a jamming signal substantially outside of the sensing zone.
16. The system of claim 12, wherein the predetermined distance is less than or equal to approximately eight (8) inches.
17. A system comprising: a transaction unit including an RFID assembly disposed therein, the RFID assembly including an RFID coupler and a microchip having a computer readable medium configured to store transaction authentication data, the transaction unit being configured to transmit the transaction authentication data in response to receiving the predetermined signal; an RFID reader device configured to transmit the predetermined signal when the transaction unit is disposed within a predetermined distance from the RFID reader device to thereby interrogate the transaction unit and read the transaction authentication data, the RFID reader includes a jammer coupler disposed proximate a reader coupler such that the RFID reader device includes a sensing zone wherein the RFID reader device interrogates the transaction unit and a jamming zone wherein the RFID reader device transmits a jamming signal substantially outside of the sensing zone, the RFID reader device being configured to generate at least one authentication indicia in response to receiving an authentication signal; and a server coupled to the RFID reader device, the server including a database having transaction verification data stored therein, the server being configured to compare the transaction authentication data with the transaction verification data, the server being configured to transmit the authentication signal to the RFID reader device if the transaction authentication data matches the transaction verification data.
18. The system of claim 17, wherein the RFID coupler includes a detuned inlay, the detuned inlay including an LC circuit having a resonant frequency calculated to correspond to a sub-harmonic of the main frequency of the predetermined signal.
19. The system of claim 17, wherein the predetermined distance is less than or equal to approximately eight (8) inches.
20. The system of claim 17, wherein the computer readable medium is configured to store a unit identifier (UI) and at least one one-time-password (OTP) therein, the UI and the at least one OTP comprising the transaction authentication data, and wherein the transaction verification data is comprised of at least one server OTP related to at least one unit identifier.
PCT/IB2009/007364 2008-10-16 2009-10-16 System for secure contactless payment transactions WO2010043974A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13694508P 2008-10-16 2008-10-16
US61/136,945 2008-10-16

Publications (1)

Publication Number Publication Date
WO2010043974A1 true WO2010043974A1 (en) 2010-04-22

Family

ID=42106283

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2009/007364 WO2010043974A1 (en) 2008-10-16 2009-10-16 System for secure contactless payment transactions

Country Status (1)

Country Link
WO (1) WO2010043974A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012106778A1 (en) * 2011-02-10 2012-08-16 Beam Headquarters Pty Ltd Mobile communication device services
WO2013034681A1 (en) * 2011-09-08 2013-03-14 Ehrensvaerd Jakob Devices and methods for identification, authentication and signing purposes
WO2013054072A1 (en) * 2011-10-12 2013-04-18 Technology Business Management Limited Id authentication
WO2014060266A1 (en) * 2012-10-17 2014-04-24 Bundesdruckerei Gmbh Method for generating a one-time-password (otp)
WO2014060265A1 (en) * 2012-10-17 2014-04-24 Bundesdruckerei Gmbh Method for authentication by means of a token
KR101425937B1 (en) 2012-09-27 2014-07-31 주식회사 엘지유플러스 Device server and controlling method thereof, and mobile banking system using thereof
WO2015103031A1 (en) * 2013-12-31 2015-07-09 Vasco Data Security, Inc. A method and apparatus for securing a mobile application
WO2016138194A1 (en) * 2015-02-25 2016-09-01 Avery Dennison Corporation Document or object tracking system
EP2933772A4 (en) * 2012-12-12 2016-09-28 Shinhancard Co Ltd Method for generating one-time card number
US9734505B2 (en) 2014-07-25 2017-08-15 Avery Dennison Corporation Consumer authentication systems and methods
WO2019135201A1 (en) * 2018-01-06 2019-07-11 Mandar Agashe A dummy card based transaction processing system and method thereof
US11620634B2 (en) 2013-03-15 2023-04-04 Cardware, Inc. Multi-function smart tokenizing electronic payment device

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020140215A1 (en) * 1992-05-05 2002-10-03 Breed David S. Vehicle object detection system and method
WO2005125078A1 (en) * 2004-06-16 2005-12-29 Qualtech Technical Sales Inc. A network security enforcement system
WO2006037220A1 (en) * 2004-10-01 2006-04-13 Ubitrak Inc. Security system for authenticating gaming chips
WO2007057786A2 (en) * 2005-05-27 2007-05-24 Dpd Patent Trust Rfid reader with multiple interfaces
WO2007073609A1 (en) * 2005-12-29 2007-07-05 Axsionics Ag Security token and method for authentication of a user with the security token
US20070194889A1 (en) * 2006-02-03 2007-08-23 Bailey Daniel V Security Provision in Standards-Compliant RFID Systems
US20070194931A1 (en) * 2006-02-14 2007-08-23 Ubitrak, Inc. RFID - Sensor System for Lateral Discrimination
WO2007123895A2 (en) * 2006-04-25 2007-11-01 Verisign, Inc. Privacy enhanced identity scheme using an un-linkable identifier
WO2007149775A2 (en) * 2006-06-19 2007-12-27 Visa U.S.A. Inc. Consumer authentication system and method
US20080014867A1 (en) * 2004-11-16 2008-01-17 Advanced Microelectronic And Automation Technology Ltd. Portable Identity Card Reader System For Physical and Logical Access
US7387260B1 (en) * 2004-03-15 2008-06-17 Kovio, Inc. MOS electronic article surveillance, RF and/or RF identification tag/device, and methods for making and using the same
US20080238676A1 (en) * 2007-03-30 2008-10-02 Symbol Technologies, Inc. Location based security data provisioning and management via RFID tags
WO2009075434A1 (en) * 2007-12-11 2009-06-18 Electronics And Telecommunications Research Institute Communication data protection method based on symmetric key encryption in rfid system, and apparatus for enabling the method
US20090200371A1 (en) * 2007-10-17 2009-08-13 First Data Corporation Onetime passwords for smart chip cards
US20090224058A1 (en) * 2008-03-05 2009-09-10 Commissariat A L'energie Atomique Contactless communication device

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020140215A1 (en) * 1992-05-05 2002-10-03 Breed David S. Vehicle object detection system and method
US7387260B1 (en) * 2004-03-15 2008-06-17 Kovio, Inc. MOS electronic article surveillance, RF and/or RF identification tag/device, and methods for making and using the same
WO2005125078A1 (en) * 2004-06-16 2005-12-29 Qualtech Technical Sales Inc. A network security enforcement system
WO2006037220A1 (en) * 2004-10-01 2006-04-13 Ubitrak Inc. Security system for authenticating gaming chips
US20080014867A1 (en) * 2004-11-16 2008-01-17 Advanced Microelectronic And Automation Technology Ltd. Portable Identity Card Reader System For Physical and Logical Access
WO2007057786A2 (en) * 2005-05-27 2007-05-24 Dpd Patent Trust Rfid reader with multiple interfaces
WO2007073609A1 (en) * 2005-12-29 2007-07-05 Axsionics Ag Security token and method for authentication of a user with the security token
US20070194889A1 (en) * 2006-02-03 2007-08-23 Bailey Daniel V Security Provision in Standards-Compliant RFID Systems
US20070194931A1 (en) * 2006-02-14 2007-08-23 Ubitrak, Inc. RFID - Sensor System for Lateral Discrimination
WO2007123895A2 (en) * 2006-04-25 2007-11-01 Verisign, Inc. Privacy enhanced identity scheme using an un-linkable identifier
WO2007149775A2 (en) * 2006-06-19 2007-12-27 Visa U.S.A. Inc. Consumer authentication system and method
US20080238676A1 (en) * 2007-03-30 2008-10-02 Symbol Technologies, Inc. Location based security data provisioning and management via RFID tags
US20090200371A1 (en) * 2007-10-17 2009-08-13 First Data Corporation Onetime passwords for smart chip cards
WO2009075434A1 (en) * 2007-12-11 2009-06-18 Electronics And Telecommunications Research Institute Communication data protection method based on symmetric key encryption in rfid system, and apparatus for enabling the method
US20090224058A1 (en) * 2008-03-05 2009-09-10 Commissariat A L'energie Atomique Contactless communication device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012106778A1 (en) * 2011-02-10 2012-08-16 Beam Headquarters Pty Ltd Mobile communication device services
WO2013034681A1 (en) * 2011-09-08 2013-03-14 Ehrensvaerd Jakob Devices and methods for identification, authentication and signing purposes
US10177816B2 (en) * 2011-09-08 2019-01-08 Yubico Ab Devices and methods for identification, authentication and signing purposes
US9954578B2 (en) 2011-09-08 2018-04-24 Yubico Inc. Devices and methods for identification, authentication and signing purposes
US20140357187A1 (en) * 2011-09-08 2014-12-04 Yubico Inc. Devices and Methods for Identification, Authentication and Signing Purposes
WO2013054072A1 (en) * 2011-10-12 2013-04-18 Technology Business Management Limited Id authentication
US9805364B2 (en) 2011-10-12 2017-10-31 Technology Business Management Limited ID authentication
KR101425937B1 (en) 2012-09-27 2014-07-31 주식회사 엘지유플러스 Device server and controlling method thereof, and mobile banking system using thereof
WO2014060266A1 (en) * 2012-10-17 2014-04-24 Bundesdruckerei Gmbh Method for generating a one-time-password (otp)
WO2014060265A1 (en) * 2012-10-17 2014-04-24 Bundesdruckerei Gmbh Method for authentication by means of a token
EP2933772A4 (en) * 2012-12-12 2016-09-28 Shinhancard Co Ltd Method for generating one-time card number
US11620634B2 (en) 2013-03-15 2023-04-04 Cardware, Inc. Multi-function smart tokenizing electronic payment device
US9510192B2 (en) 2013-12-31 2016-11-29 Vasco Data Security, Inc. Method and apparatus for securing a mobile application
JP2017503427A (en) * 2013-12-31 2017-01-26 ヴァスコ データ セキュリティ インターナショナル ゲゼルシャフト ミット ベシュレンクテル ハフツング Method and apparatus for securing mobile applications
WO2015103031A1 (en) * 2013-12-31 2015-07-09 Vasco Data Security, Inc. A method and apparatus for securing a mobile application
US9734505B2 (en) 2014-07-25 2017-08-15 Avery Dennison Corporation Consumer authentication systems and methods
WO2016138194A1 (en) * 2015-02-25 2016-09-01 Avery Dennison Corporation Document or object tracking system
WO2019135201A1 (en) * 2018-01-06 2019-07-11 Mandar Agashe A dummy card based transaction processing system and method thereof

Similar Documents

Publication Publication Date Title
WO2010043974A1 (en) System for secure contactless payment transactions
US10991062B2 (en) Secure authorization system
JP5519754B2 (en) System and method for secure account number in proximity device
Lacmanović et al. Contactless payment systems based on RFID technology
CA2639662C (en) System and method for sensitive data field hashing
US9379841B2 (en) Mobile device prevention of contactless card attacks
US8152057B2 (en) Method of authorising a transaction between a computer and a remote server and communications system, with improved security
US9542630B2 (en) Method of securely reading data from a transponder
US10134033B2 (en) Payment system and method using IC identification card
CN110249586B (en) Method for securely storing sensitive data on a smart card and smart card
US10262378B2 (en) Transaction identification and recognition
US20130254117A1 (en) Secured transaction system and method
JP2016170801A (en) Track data encryption
US20110010289A1 (en) Method And System For Controlling Risk Using Static Payment Data And An Intelligent Payment Device
JP2009507308A5 (en)
WO2010135154A2 (en) Device including encrypted data for expiration date and verification value creation
KR101968156B1 (en) Mobile terminal, transaction terminal, and method for carrying out a transaction at a transaction terminal by means of a mobile terminal
Alhothaily et al. A novel verification method for payment card systems
KR20000012607A (en) certification system using radio communication device
CN105354518B (en) Virtual chip card system based on mobile intelligent terminal soft excitation electromagnetic near field mutual inductance
KR100646361B1 (en) financial transaction system using mobile with banking IC card and method thereof
Mahmood et al. Is RFID technology secure and private?
Rizvi et al. Smart Cards: The Future Gate
JP2002318903A (en) Authenticaton method, authentication system and authenticaton tool
Srivatsa et al. RFID & mobile fusion for authenticated ATM transaction

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09820329

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09820329

Country of ref document: EP

Kind code of ref document: A1