[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

EP3446274A1 - Method and device for authorizing mobile transactions - Google Patents

Method and device for authorizing mobile transactions

Info

Publication number
EP3446274A1
EP3446274A1 EP17718882.8A EP17718882A EP3446274A1 EP 3446274 A1 EP3446274 A1 EP 3446274A1 EP 17718882 A EP17718882 A EP 17718882A EP 3446274 A1 EP3446274 A1 EP 3446274A1
Authority
EP
European Patent Office
Prior art keywords
mobile device
key
verification value
value
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP17718882.8A
Other languages
German (de)
French (fr)
Inventor
Thierry Huque
Gerd THYS
Karel WOUTERS
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bancontact Payconiq Co
Original Assignee
Bancontact Payconiq Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bancontact Payconiq Co filed Critical Bancontact Payconiq Co
Priority to EP23150154.5A priority Critical patent/EP4177810A1/en
Publication of EP3446274A1 publication Critical patent/EP3446274A1/en
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the present disclosure relates to the field of transactions performed using mobile devices, and in particular to a mobile contactless payment solution.
  • mobile communication devices such as mobile telephones
  • electronic payment transactions is becoming increasingly popular, and has the potential to one day entirely replace most card payments .
  • NFC Near-Field-Communication
  • Such functionality for example enhances the mobile device, by allowing it to be used for various applications, for example as an electronic wallet allowing payments to be made for accessing services such as transport networks.
  • a Mobile Contactless Card Application is an application running on a mobile device which can run in different environments, depending on the Mobile Contactless Payment Solution.
  • the two major categories are:
  • Mobile Contactless Card Application is running in a secure element, either embedded in the mobile device or on a UICC (Universal Integrated Circuit Card) ; - Host Card Emulation (HCE) solutions in which the Mobile Contactless Card Application is part of a payment application running in the mobile OS (operating system) .
  • UICC Universal Integrated Circuit Card
  • HCE Host Card Emulation
  • the Mobile Contactless Card Application is provisioned to and running in a hardware secure element (chip) with the security characteristics comparable to a payment chip card.
  • HCE solutions are more openly exposed to threats.
  • the Mobile Contactless Card Application runs as part of a mobile application in the x rich' mobile OS (operating system) , and like any mobile application, it is vulnerable to security breaches. Even though there are a growing number of measures to harden the mobile application against security breaches, there is a need for a simple solution providing additional security for HCE based solutions.
  • a method of transaction authorization comprising: deriving, by a first server, a first key based on a mobile PIN value associated with a mobile device; encrypting, by the first server based on the derived key, a verification value to generate an encrypted verification value; transmitting, by the first server, the encrypted verification value to the mobile device; receiving, by the first server or by a second server, a further verification value generated by the decryption of encrypted verification value using a second key derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; and authorizing the transaction based on a verification of the further verification value .
  • the transaction is a payment .
  • the user authentication operation is a fingerprint verification.
  • the verification value is generated based on one or more credentials.
  • generating the verification value comprises: generating an authentication code using a third key and based on at least one of an ATC (Application Transaction Counter) value and a token representing a sensitive identifier.
  • ATC Application Transaction Counter
  • the transaction is a card payment and the sensitive identifier is a PAN (primary account number) associated with the card.
  • PAN primary account number
  • the first key and the second key are derived using a same key derivation function, the same key derivation function being further based on a nonce value received by the mobile device from the first server.
  • the encrypted verification value is transmitted to the mobile device as part of a set of single use credentials further comprising: an ATC (Application Transaction Counter) ; and a nonce value (NoncepiN) for use in deriving the second key ( ⁇ ' ) .
  • ATC Application Transaction Counter
  • NoncepiN nonce value
  • a transaction authorization system comprising: a first server adapted to: derive a first key based on a mobile PIN associated with a mobile device; encrypt, based on the first key, a verification value to generate an encrypted verification value; and transmit the encrypted verification value to the mobile device, wherein the first server or a second server is further adapted to: receive a further verification value generated by the decryption of the encrypted verification value using a second key derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation.
  • the transaction is a payment .
  • the first server and/or the second server and/or one or more further servers are adapted to authorize the transaction based on a verification of the further verification value.
  • a method of transaction authorization comprising: receiving by a mobile device an encrypted verification value; deriving, by the mobile device, a key based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; decrypting the encrypted verification value by the mobile device based on the key to generate a further verification value; and transmitting the further verification value to a server for verification.
  • a mobile device comprising one or more circuits adapted to: receive an encrypted verification value; derive a key based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; decrypt the encrypted verification value based on the derived key to generate a further verification value; and transmit the further verification value to a server to initiate an electronic transaction.
  • the electronic transaction is a card payment.
  • Figure 1 schematically illustrates a payment system according to an example embodiment of the present disclosure
  • Figure 2 schematically illustrates a mobile device of Figure 1 in more detail according to an example embodiment of the present disclosure
  • Figure 3 schematically illustrates part of the payment system of Figure 1 in more detail according to an example embodiment of the present disclosure
  • Figure 4 is a flow diagram illustrating operations in a method of generating a single use key according to an example embodiment
  • Figure 5 is a flow diagram illustrating operations in a method of generating an encrypted verification value according to an example embodiment
  • Figure 6 is a flow diagram illustrating operations in a method of generating a further verification value according to an example embodiment
  • Figure 7 is a flow diagram illustrating operations in a method of verifying a further verification value according to an example embodiment.
  • Figure 8 is a flow diagram illustrating operations in a method of generating a further verification value according to an alternative embodiment to that of Figure 6.
  • the electronic transaction could be any of a range of electronic services provided between a mobile device and a transaction terminal, such as a non-card payment, the establishment of a direct payment facility such as an E-mandate, document or contract signature, data verification, such as an address or age check, and/or authentication check of the mobile device or of a user of the mobile device.
  • An E-mandate is for example an agreement authorizing a merchant to receive one or more direct debit payments from a customer.
  • Mobile PIN PIN entered on the mobile device, to authenticate a cardholder.
  • NFC Near Field A set of communication protocols that Communication enable two electronic devices, one of which (NFC) is usually a portable device such as a
  • Secure Element Tamper-resistant platform typically a (SE) one chip secure microcontroller
  • SE Secure Element Tamper-resistant platform
  • Issuer Token identifies a physical card.
  • ownership of the payment card account is aka cardholder validated by the card Issuer.
  • identification cardholder within the context of a payment transaction, generally followed by user authentication .
  • the present disclosure describes a Mobile Contactless
  • PPSE Proximity Payment Systems Environment
  • the PPSE application and payment application together emulate a Contactless Card.
  • Figure 1 schematically illustrates a contactless payment system 100 according to an example embodiment of the present disclosure .
  • the system 100 for example comprises a mobile device (MOBILE DEVICE) 102 capable of wireless communications, and of performing an electronic payment.
  • the mobile device 102 is a mobile telephone, smart phone, tablet computer, digital media player or the like.
  • the mobile device 102 is shown in communication with a transaction terminal 104, which is for example a point-of-sale (POS) .
  • POS point-of-sale
  • the communication between the mobile device 102 and the transaction terminal 104 is at least partially via a wireless interface, such as an NFC interface, a wireless data connection via a telecommunications network, a Bluetooth interface or a wireless local area network (WLAN) .
  • a wireless interface such as an NFC interface, a wireless data connection via a telecommunications network, a Bluetooth interface or a wireless local area network (WLAN) .
  • WLAN wireless local area network
  • the transaction terminal 104 may communicate with the mobile device 102 using a camera of the mobile device 102.
  • the transaction terminal 104 may comprise a display for displaying a barcode such as a QR-code (quick response code) , which may be captured by the camera and interpreted using a suitable application loaded on the mobile device 102.
  • QR-code quick response code
  • the transaction terminal 104 could be incorporated within the mobile device 102.
  • the mobile device 102 may store and run a merchant application implementing the transaction terminal 104.
  • the transaction terminal 104 for example communicates with other circuitry of the mobile device by generating an intent, such as a URL-intent (universal resource locator-intent) .
  • an intent is a digital message passed from an application being run on a mobile device to the operating system of the mobile device, that causes a certain application to be called, and passes information, such as a parameter, to that application.
  • one type of intent may cause a web browser of the mobile device to access a specific location.
  • the intent-URI universal resource identifier
  • https ://web_address activates the browser application of a mobile device and directs the browser to the location identified by the web address.
  • the transaction terminal 104 is for example positioned at an entry barrier of a restricted area, such as a transport network, or at a point of sale in a shop or restaurant.
  • the mobile device 102 is for example in relatively close proximity to the transaction terminal 104, and the communication between the mobile device and the transaction terminal is for example by NFC, the mobile device emulating a wireless transponder.
  • NFC wireless local area network
  • other forms of wireless communication between the mobile device 102 and the transaction terminal 104 would be possible, such as a wireless connection via Bluetooth or via a wireless local area network (WLAN) .
  • WLAN wireless local area network
  • the mobile device 102 could be remote from the transaction terminal 104, and the communication between the mobile device and the transaction terminal could be via one or more intervening networks, such as a data network of a telecommunications network and/or the internet.
  • the transaction terminal 104 could correspond to a remote server of a merchant.
  • the system 100 further comprises, in addition to the mobile device 102 and the transaction terminal 104, an acquirer (ACQUIRER) 106, an authentication system (AUTHENTICATION) 108 in communication with a token service provider (TSP) 110 and an issuer system (ISSUER) 112.
  • acquirer ACQUIRER
  • AUTHENTICATION authentication system
  • TSP token service provider
  • ISSUER issuer system
  • the acquirer 106 is for example a server providing an interface between the transaction terminal 104 and the authentication system 108 and/or issuer system 112.
  • the acquirer may correspond to an entity that facilitates transactions made using a mobile device.
  • the authentication system 108 for example provides a level of security between the issuer system 112 and the mobile device 102, by implementing a tokenization scheme with online PIN verification, as will be described in more detail below.
  • the issuer system 112 for example corresponds to the system associated with the payment card issuer, and this entity for example has the capacity to execute a payment to a merchant from the account of the mobile user.
  • the mobile device 102 is for example issued with a token (TOKEN) by the TSP 110, or alternatively by a TSP (ISSUER PROCESSOR TSP) 114 forming part of the issuer system.
  • TSP ISSUER PROCESSOR TSP
  • the link between the token and the original (funding) Card PAN is for example securely stored by the TSP 110.
  • Tokenization when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
  • the token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system.
  • the term “token” is used to designate a value that replaces the original (or Funding) PAN that uniquely identifies a physical payment card.
  • the definition of Token matches the EMVCo definition of a payment token.
  • the token could replace any type of account number or identifier that is to be kept secret.
  • the token for example has the same format as a PAN and will serve the same purpose during EMV cryptography. Under normal circumstances, the token is for example static in a sense that it does not change for a Card Application instance. However, in some embodiments, a Token may be changed in case of a lost or stolen card.
  • the token is for example used to uniquely identify a digitized card, which can be one of several digitized cards linked to a single physical card.
  • a digitized card can be one of several digitized cards linked to a single physical card.
  • a payment card, identified by its PAN can therefore exist in a digitized form in one or more of these mobile contactless solutions on the same device and even on multiple devices of a user/cardholder (since the cardholder can decide to digitize the same card in two smart phones, or even wearables) .
  • each digitized card is a virtual card; or - assigning a token to each digitized card.
  • the mobile device for example provides the hardware to perform a contactless payment transaction at protocol level.
  • the card payment application logic is for example handled by the digitized card.
  • This digitized card may reside in different components embedded in or accessible by the mobile device.
  • the digitized card is:
  • HCE Host Card Emulation
  • an embedded hardware secure element This embedded SE is under control of the device manufacturer who determines the technology on how a card application is provisioned and how it is accessible from the Mobile OS. This is often via a x Wallet' application.
  • a solution for example concerns Apple and Samsung wallets (the names “Apple” and “Samsung” may correspond to registered trademarks) ; - installed and running in the UICC card next to the SIM application.
  • SWP specific hardware link being available between the NFC Controller hardware on the mobile device and the UICC.
  • the UICC is under control of the Mobile Network Operator (MNO) and the card provisioning technology is standardized by international organisations (e.g. GlobalPlatform) . This option is a viable solution for Android and Microsoft Windows Mobile OS .
  • MNO Mobile Network Operator
  • the mobile device 102 when a payment transaction is to be initiated, the mobile device 102 for example enters into communication with the transaction terminal 104, and transmits the token to it.
  • the transaction terminal 104 in turn passes the token to the authentication system 108 via the acquirer 106.
  • the authentication system 108 uses the TSP 110 to retrieve the PAN associated with the token.
  • the PAN can then be passed to the issuer system 112 such that the payment can be processed.
  • the mobile device 102 also for example stores a limited set of single use credentials, each valid for one transaction, as will be described in more detail below.
  • Figure 2 schematically illustrates the mobile device 102 in more detail according to an example embodiment.
  • the device 102 for example comprises a contactless front-end integrated circuit (CLF) 202, which will be referred to herein as an NFC router.
  • CLF contactless front-end integrated circuit
  • the NFC router 202 is coupled to an NFC antenna 204, and together the router 202 and antenna 204 provide NFC circuitry for emulating the behaviour of an NFC transponder .
  • the NFC router 202 is also for example coupled to a host processing device (P) 206 of the mobile device 102.
  • the processing device 206 for example comprises one or more processors under the control of instructions stored in an instruction memory (INSTR MEM) 208.
  • the NFC router 202 is also for example coupled to a secure element (SE) 210, which is for example an embedded SE (eSE) , and/or to a SIM or universal SIM circuit 212.
  • SE secure element
  • eSE embedded SE
  • the circuit 212 is for example additionally coupled to the processing device 206.
  • the processing device 206 may perform host card emulation (HCE) , meaning that NFC communications are routed to the host processing device 206, which emulates the behaviour of an NFC secure element. This permits secure NFC transactions to be performed directly by the processing device 206 without requiring the presence of a secure element within the mobile device 102.
  • HCE host card emulation
  • the processing device 206 is also for example coupled to: an antenna 214 permitting telecommunications within a cellular network; to an antenna 215 permitting wi-fi (wireless fidelity) communications; and/or to an antenna 216 permitting ultra wideband (U B) RF communications.
  • the mobile device 102 may comprise only one or some of the antennas 214, 215 and 216.
  • the mobile device 102 further comprises a user interface 218, for example comprising a display, keypad and/or touch screen, coupled to the processing device 206.
  • the mobile device 102 also for example comprises an image capture device 220, comprising an image sensor for capturing digital images.
  • the image capture device 220 is capable of capturing machine-readable codes such as QR-codes, and the mobile device 102 stores a suitable software application for interpreting the machine readable code.
  • the image capture device 220 or a separate image sensor is capable of capturing biometric samples such as a finger print, finger vein or retina scan.
  • the mobile device 102 comprises a trusted execution environment (TEE) 222 that for example comprises a memory device 224 storing one or more software applications and an allocation of the processing resources of the processing device 206 for execution of the software applications in isolation from the execution of other software applications stored in the instruction memory.
  • TEE trusted execution environment
  • the trusted executed environment 222 is used for the execution of sensitive software applications, such as an application for PIN (personal identification number) entry and/or for capturing a biometric sample.
  • the embedded secure element (eSE) and/or trusted execution environment are typically used to store the card payment application (s) . This includes the credentials related to card(s), such as EMV card master keys .
  • the memory 208 of the mobile device 102 for example stores a Proximity Payment Systems Environment (PPSE) application and a payment application, or Mobile Contactless Card Application which will be referred to hereafter simply as "card application”. These applications are for example executed when a payment transaction is to be initiated. In particular, when implementing a mobile contactless payment solution using host card emulation, these two applications emulate the contactless payment card.
  • PPSE Proximity Payment Systems Environment
  • card application Mobile Contactless Card Application
  • the mobile device 102 provides additional means to perform cardholder authentication. These are referred to as Consumer Device Cardholder Verification Methods (CDCVM) .
  • CDCVM covers multiple methods, such as:
  • biometric verification at mobile OS, or device level
  • the following operations are for example performed between the mobile device 102 and the transaction terminal 104.
  • 102 and for example includes a form of cardholder verification that falls under the general term of a CDCVM;
  • the terminal 104 selects the Proximity Payment Systems Environment (PPSE) using the SELECT command via NFC; c) the mobile device 102 is tapped towards the terminal
  • PPSE Proximity Payment Systems Environment
  • the card application stored on the mobile device 102 for example responds with a list of the supported AIDs (application identifiers) , for example included in the File Control Information (FCI);
  • FCI File Control Information
  • the terminal 104 selects the AID of the card application, which is for example an application supported by both the card and the terminal, and issues the SELECT command with this AID;
  • FCI Control Information
  • PDOL Processing Options Data Object List
  • the terminal 104 for example issues the GET PROCESSING OPTIONS command. Since there is no PDOL, the terminal for example uses the command data field ⁇ 8300' ;
  • the card application for example returns the Application Interchange Profile (AIP) and the Application File Locator (AFL) ;
  • the terminal 104 for example issues multiple READ RECORD commands to retrieve the generic card application data, the Issuer Public Key and the ICC Public Key;
  • the terminal 104 performs risk management, such as checking the card expiry date, the terminal floor limit, etc., and the terminal 104 for example makes a first decision to decline the transaction or to complete it online. This decision is for example based upon the Terminal Verification Results (TVR) , the issuer action preferences and acquirer action preferences .
  • the terminal 104 issues the GENERATE AC command requesting an ARQC; k) based on the CDOL1 related data included in the data field of the GENERATE AC command, the card application for example performs its own card risk management.
  • the card application responds with an ARQC; 1) the terminal 104 goes online, sending the authorization message to the issuer. This message for example includes the ARQC for online card authentication.
  • FIG 3 schematically represents hardware and software components of the contactless payment system 100 of Figure 1 according to an example embodiment.
  • a dashed line 302 shows the division between those elements forming part of the host infrastructure, and in particular the acquirer 106, the authentication system 108, the TSP 110 and the issuer system 112 of Figure 1, and those elements forming part of the mobile device 102.
  • the host infrastructure will be referred to hereafter as the host server, even if this may comprise more than one server.
  • the mobile device 102 for example comprises the card application (CARD APPLICATION) 304, which for example includes a component 306 corresponding to a mobile component of the HCE implementation and including an application programming interface (API) provided to the card application within which it is embedded.
  • the card application 304 also for example includes a component 308 reserved for example for mobile network operators and also including a corresponding API.
  • the mobile device 102 comprises an embedded secure element (eSE) 310 and a wallet application (WALLET) 311 running on the mobile device.
  • eSE embedded secure element
  • WALLET wallet application
  • the host server for example includes an authentication host mobile (AUTH HOST MOBILE) 312, which for example provides authentication of the cardholder, and an HCE server component (HCE SERVER COMP) 314 that interacts with the HCE mobile component 306.
  • AUTH HOST MOBILE authentication host mobile
  • HCE SERVER COMP HCE server component
  • the host server also for example comprises a personalization component (PERSO COMP) 315, a trusted service manager (SP-TSM) 316 associated with the service provider, and a trusted service manager (MNO-TSM) 318 associated with the mobile network operator.
  • PERSO COMP personalization component
  • SP-TSM trusted service manager
  • MNO-TSM trusted service manager
  • the host infrastructure also for example includes the token service provider (TSP) comprising a token vault (TOKEN VAULT) 320 in communication with the authentication host mobile 312, and a stand-in cryptographic component (STAND-IN CRYTPO) 322 in communication with a communications switch (SWITCH) 323.
  • Further elements include a secure element trusted service manager (SEI-TSM) 324, which for example communicates with the secure element 310 of the mobile device 102, and a notification service/mobile gateway (NOTIF SERVICE/MOBILE GW) 326, which for example communicates with the wallet application 311 and with the authentication host mobile 312.
  • SEI-TSM secure element trusted service manager
  • NOTIF SERVICE/MOBILE GW notification service/mobile gateway
  • the trusted service manager 324 is for example adapted to provision, personalize and manage the lifecycle of the digitized cards on the eSE 310.
  • the notification service/mobile gateway 326 is for example adapted to handle the wallet application lifecycle, and requests to enroll cards and to manage
  • the token service provider (TSP) component for example intervenes during card provisioning and payment authorization and clearing for Mobile Contactless payments.
  • the TSP manages tokens, tokenizes PANs and detokenizes tokens.
  • the token vault 320 is a memory that for example securely stores the token-PAN links.
  • the TSP described herein complies with the specifications listed in Chapter 5 of the EMVCo Payment Tokenization Specification Technical Framework, version 1.0, March 2014, the contents of which is hereby incorporated by reference to the extent permitted by the law.
  • a token request will typically contain information on the PAN, expiry date and the Token Requestor ID (card application, Bank application or OEM Wallet) .
  • the Token Requestor ID allows the TSP to assign per Issuer different Token BIN ranges for the different mobile solutions (Token Requestor ID) .
  • the time to handle a tokenization request by the TSP for example allows for near real-time card provisioning.
  • the TSP for example has a secure, real-time connection with the issuer system 112.
  • the issuer system 112 and TSP are for example mutually authenticated.
  • the PAN and token data is for example exchanged in an encrypted form.
  • the TSP for example interfaces with the switches 323 and will for example:
  • the TSP for example relies on a HSM (hardware security module) containing the EMV issuer master keys (IMK) that is kept synchronous, through a key ceremony, with the IMK as present in the issuer system 112.
  • HSM hardware security module
  • IMK EMV issuer master keys
  • the processing overhead related to the detokenization and EMV cryptogram validation at the TSP is for example limited to a maximum of 100 ms .
  • the connection between the Switch (es) 323, and potentially the Issuer System 112 and the TSP is for example a permanent link.
  • implementation of the HCE solution involves, between the authentication host mobile 312 and the HCE server component 314, requests for:
  • notification messages are for example transmitted relating to changes in the HCE mobile component state, in the digitized card state and relating to replenishments .
  • the wallet solution for example involves notification of provisioning requests between the authentication host mobile 312 and the wallet notification service 326. Furthermore, transaction history requests are for example provided from the wallet application 311 to the TSP 320, 322.
  • the wallet solution and SIM based solution for example involve, between the authentication host mobile 312 and the TSM personalization component 315, requests for:
  • PAN - tokenization requests PAN - token
  • the mobile device 102 for example stores single use credentials.
  • Single use credentials are specific for one single payment transaction and serve two purposes:
  • ARQC authority request cryptogram
  • the server component provides a mechanism to replenish the single use credentials on the mobile component.
  • Each single use credential for example comprises:
  • - a single use key (SUK) , which is the session key derived from a card master key using the ATC.
  • This value is used to compute a standard application cryptogram for a single transaction; - eSEALATC ⁇ A single-use encrypted hexadecimal value, for example of 16 bytes, created and stored by the HCE server component. The value is for example different for each ATC value.
  • the eSEALA C values are used to generate cardholder verification proofs on the mobile phone. Such proofs are later checked by the TSP.
  • NoncepiN A single-use arbitrary 16 byte hexadecimal value created and stored by the HCE server component. The value is different for each ATC value. NoncepiN values are for example random values that are treated as key material, and thus stored in a protected space on the mobile device.
  • the maximum number of single use credentials in a set for a single HCE mobile component is for example configurable, and a threshold number of remaining single use credentials for example determines when the HCE mobile component should attempt to contact the HCE server component to replenish the set of single use credentials.
  • FIG 4 is a flow diagram illustrating an example of the derivation of the single use key (SUK) from a card master key and the issuer master key.
  • the issuer master key (IMF) and the token are for example applied as inputs to a key derivation function (KDF) in order to generate the card master key (CMK) .
  • KDF key derivation function
  • CMK card master key
  • the card master key, and the ATC are then for example applied as inputs to a further key derivation function in order to generate the single use key SUK.
  • Figure 5 illustrates an example of operations in a method of generating an encrypted verification value eSEALATC-
  • This method is for example implemented by the host system, for example by the authentication system 108.
  • the method involves the use of a PIN, which is for example an online mobile PIN in the sense that the PIN is known and verified by the host system.
  • the PIN can for example only be set and changed when the device has a mobile internet connection with the host system.
  • the PIN is at the level of the application, and not at the level of the card, which means that from an end user perspective, the PIN is the same for all cards enrolled in a given card application.
  • a PIN Master Key, from which a PIN Single Use Key SUKPIN is derived, is for example synchronized between the HCE Server Component and the TSP.
  • the SeedMAC value is for example a random unique for a token. It is for example generated by the TSP at the moment the token is created and passed to the HCE server component at the moment the digitized card is personalized. For a given digitized card identified by a token and token sequence number and used in a given transaction identified by a given ATC, the host server for example derives the PIN single use key SUKPIN from the PIN master key in a similar fashion to the SUK derivation from the card master key.
  • the inputs are for example the ATC, the token (Token) , the token sequence number (Token Seq Nr) , the value SeedMAC the SUKPIN, the PIN (Ref. PIN Block), and the NoncepiN-
  • a MAC (message authentication code) algorithm is for example applied to the ATC, token, token Sequence number and the value SeedMAC / using as the key, the value SUKPIN.
  • the output is a MAC value MACATC- A portion of the value MACATC f° r example corresponding to the leftmost 8 bytes, are for example taken to form a verification value SEALATC-
  • a secure random nonce NoncepiN is for example generated and a key derivation function is used to derive a key KEYpiN from the PIN, the Token and the NoncepiN-
  • the PIN entry is included in the form of an ISO-0 encoding of the
  • PIN Personal Identification Number (PIN) management and security - Part 2 : Approved algorithms for PIN encipherment
  • the key KeypiN is then for example used to encrypt (ENC) the verification value SEALATC in order to generate the encrypted verification value eSEALATC- Before encryption, the value SEALATC is for example padded up to the encryption block size with random numbers .
  • the PIN specific single use credentials NoncepiN and eSEALA C are f° r example transmitted to the mobile device, and in particular to the HCE solution mobile component.
  • Figure 6 is a flow diagram representing operations in a method of generating, by the mobile device, a further verification value SEALATC' based on a candidate PIN entered by a user of the mobile device.
  • a mobile contactless payment transaction starts with the mobile user, presumed to be the cardholder, entering the candidate PIN.
  • This PIN is used to derive a key keypiN' in the same manner as the key KeypiN described above, and using the same key derivation function, but based on the candidate PIN (Candidate PIN block) rather than the reference PIN, and based on the nonce NoncepiN received from the host system, this value for example forming part of the single use credentials.
  • the key KeypiN' is then used to decrypt (DEC) the encrypted verification value eSEALATC i n order to generate a value X.
  • the value SEALATC' is f° r example extracted from this value X, and for example corresponds to the first 8 bytes of X.
  • the value SEALATC' is provided by the mobile device to the terminal 104 along with the ARQC, and is then forwarded by the terminal 104 to TSP for verification.
  • the value of the ARQC provided by the mobile device 102 to the terminal 104 is based on the value SEALATC' ⁇
  • the value SEALATC' forms part of the Issuer Discretionary Data of Issuer Application Data
  • the ARQC is for example a MAC that provides integrity control of the data from which it is generated, thereby allowing the integrity of the value SEALATC' to be verified.
  • FIG. 7 is a flow diagram illustrating operations in a method of PIN verification.
  • the TSP Prior to validating the cardholder verification proof, the TSP for example performs a standard ARQC validation using the SUK, which it can derive from the token and the ATC.
  • the value of SeedjAC is f° r example retrieved.
  • the PIN single use key SUKPIN can be derived.
  • the host system verifies the correct transmission of the verification value SEALATC' ⁇
  • SEALATC' is f° r example extracted from the Issuer Application Data (Tag 9F10) sent in the transaction.
  • the same MAC algorithm as applied in the method of Figure 5 is for example used to regenerate the value SEALATC ⁇ based for example on the same inputs as the algorithm in Figure 5.
  • SEALATC is for example then compared to the value SEALATC' received from the mobile device 102. If there is a match, the PIN can be considered to be successfully verified. A mismatch however indicates that the candidate PIN was incorrect.
  • Figure 8 is a flow diagram representing operations in a method of generating the further verification value SEALATC' AS an alternative to the method represented in Figure 6.
  • the method of Figure 8 is for example based on a PIN value, for example selected randomly, that is stored in a fingerprint protected part of the mobile device (STORED UNDER FINGERPRINT) , and can thus only be unlocked by a fingerprint verification .
  • the HCE server for example decides on a random number, having a length of 14 bits in the example of Figure 8, and that is stored as the user's PIN at the server side.
  • the random PIN is stored during the enrolment of the application in fingerprint-protected storage.
  • the nonce value Noncepi N is stored in a secured storage, for example in the same storage as the random PIN.
  • a mobile contactless payment transaction starts with the cardholder performing a fingerprint scan. This unlocks the PIN and Noncepi N values. This PIN is used to derive the key keypi N ' ⁇ The key keypi N ' is then used to decrypt (DEC) the encrypted verification value eSEAL AT C i n order to generate a value X. The value SEALATC' is then for example extracted from the value X in the same manner as the MACATC described above, for example by taking its leftmost 8 bytes. The rest of the fingerprint-based cardholder verification proof generation is for identical to the PIN-based case as described in relation to Figure 7.
  • fingerprint verification could be implemented in a different manner. For example, it could involve generating a key Keypi N at random for each SUK at the host server side, and storing it directly in fingerprint-protected space of the mobile device 102. As a further example, it could involve storing plain SEALATC values in fingerprint-protected space of the mobile device 102.
  • An advantage of the embodiments described herein is that PIN verification for a contactless transaction can be performed in a simple manner, without requiring an internet connection between the mobile device and the host server.
  • PAN directly, or a variant of the PAN, such as a protected PAN.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention concerns a method of transaction authorization comprising: deriving, by a first server, a first key based on a mobile PIN value associated with a mobile device; encrypting, by the first server based on the derived key, a verification value to generate an encrypted verification value (eSEALATC) ' transmitting, by the first server, the encrypted verification value to the mobile device; receiving, by the first server or by a second server, a further verification value (SEALATC') generated by the decryption of encrypted verification value using a second key (ΚΕΥΡΙΝ') derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; and authorizing the transaction based on a verification of the further verification value.

Description

METHOD AND DEVICE FOR AUTHORIZING MOBILE TRANSACTIONS
FIELD
The present disclosure relates to the field of transactions performed using mobile devices, and in particular to a mobile contactless payment solution.
BACKGROUND
Using mobile communication devices, such as mobile telephones, to perform electronic payment transactions is becoming increasingly popular, and has the potential to one day entirely replace most card payments .
As one form of payment mechanism, mobile telephones and other types of mobile devices are increasingly being equipped with NFC (Near-Field-Communication) interfaces, which enable them to perform electromagnetic transponder functions in addition to their other functions. In particular, such devices are able to emulate the functions of an electromagnetic transponder, which could be of the contactless card type. Such functionality for example enhances the mobile device, by allowing it to be used for various applications, for example as an electronic wallet allowing payments to be made for accessing services such as transport networks.
Historically, chip cards exclusively interacted with Point-of-Sale (POS) equipment over a contact interface, requiring a card to be inserted in a slot. In around 2005, the first cards having an additional contactless communications interface were launched. In particular, the contactless EMV (Europay, MasterCard, Visa) solution is based on the ISO-14443 specifications (the names "Europay", "MasterCard" and "Visa" may correspond to registered trademarks) . The same ISO-14443 specifications were integrated in the NFC (Forum) specifications to allow for NFC enabled devices to be interoperable with existing contactless card infrastructure. Alignment of NFC and EMV specifications paved the path for EMV Mobile Contactless Payments.
A Mobile Contactless Card Application is an application running on a mobile device which can run in different environments, depending on the Mobile Contactless Payment Solution. The two major categories are:
- Secure Element (SE) based solutions in which the
Mobile Contactless Card Application is running in a secure element, either embedded in the mobile device or on a UICC (Universal Integrated Circuit Card) ; - Host Card Emulation (HCE) solutions in which the Mobile Contactless Card Application is part of a payment application running in the mobile OS (operating system) .
In SE based solutions, the Mobile Contactless Card Application is provisioned to and running in a hardware secure element (chip) with the security characteristics comparable to a payment chip card.
Compared to SE based solutions, HCE solutions are more openly exposed to threats. The Mobile Contactless Card Application runs as part of a mobile application in the xrich' mobile OS (operating system) , and like any mobile application, it is vulnerable to security breaches. Even though there are a growing number of measures to harden the mobile application against security breaches, there is a need for a simple solution providing additional security for HCE based solutions. SUMMARY
It is an aim of embodiments of the present description to at least partially address one or more needs in the prior art.
According to one aspect, there is provided a method of transaction authorization comprising: deriving, by a first server, a first key based on a mobile PIN value associated with a mobile device; encrypting, by the first server based on the derived key, a verification value to generate an encrypted verification value; transmitting, by the first server, the encrypted verification value to the mobile device; receiving, by the first server or by a second server, a further verification value generated by the decryption of encrypted verification value using a second key derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; and authorizing the transaction based on a verification of the further verification value .
According to one embodiment, the transaction is a payment .
According to one embodiment, the user authentication operation is a fingerprint verification.
According to one embodiment, the verification value is generated based on one or more credentials.
According to one embodiment, generating the verification value comprises: generating an authentication code using a third key and based on at least one of an ATC (Application Transaction Counter) value and a token representing a sensitive identifier.
According to one embodiment, the transaction is a card payment and the sensitive identifier is a PAN (primary account number) associated with the card.
According to one embodiment, the first key and the second key are derived using a same key derivation function, the same key derivation function being further based on a nonce value received by the mobile device from the first server.
According to one embodiment, the encrypted verification value is transmitted to the mobile device as part of a set of single use credentials further comprising: an ATC (Application Transaction Counter) ; and a nonce value (NoncepiN) for use in deriving the second key (ΚΕΥΡΙΝ ' ) .
According to a further aspect, there is provided a transaction authorization system comprising: a first server adapted to: derive a first key based on a mobile PIN associated with a mobile device; encrypt, based on the first key, a verification value to generate an encrypted verification value; and transmit the encrypted verification value to the mobile device, wherein the first server or a second server is further adapted to: receive a further verification value generated by the decryption of the encrypted verification value using a second key derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation.
According to one embodiment, the transaction is a payment .
According to one embodiment, the first server and/or the second server and/or one or more further servers are adapted to authorize the transaction based on a verification of the further verification value.
According to a further aspect, there is provided a method of transaction authorization comprising: receiving by a mobile device an encrypted verification value; deriving, by the mobile device, a key based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; decrypting the encrypted verification value by the mobile device based on the key to generate a further verification value; and transmitting the further verification value to a server for verification.
According to yet a further aspect, there is provided a mobile device comprising one or more circuits adapted to: receive an encrypted verification value; derive a key based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; decrypt the encrypted verification value based on the derived key to generate a further verification value; and transmit the further verification value to a server to initiate an electronic transaction.
According to one embodiment, the electronic transaction is a card payment.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other features and advantages will become apparent from the following detailed description of embodiments, given by way of illustration and not limitation with reference to the accompanying drawings, in which:
Figure 1 schematically illustrates a payment system according to an example embodiment of the present disclosure;
Figure 2 schematically illustrates a mobile device of Figure 1 in more detail according to an example embodiment of the present disclosure;
Figure 3 schematically illustrates part of the payment system of Figure 1 in more detail according to an example embodiment of the present disclosure;
Figure 4 is a flow diagram illustrating operations in a method of generating a single use key according to an example embodiment;
Figure 5 is a flow diagram illustrating operations in a method of generating an encrypted verification value according to an example embodiment;
Figure 6 is a flow diagram illustrating operations in a method of generating a further verification value according to an example embodiment;
Figure 7 is a flow diagram illustrating operations in a method of verifying a further verification value according to an example embodiment; and
Figure 8 is a flow diagram illustrating operations in a method of generating a further verification value according to an alternative embodiment to that of Figure 6.
DETAILED DESCRIPTION
In the following description, example embodiments are described relating to an electronic payment based on a physical payment card having a PAN (primary account number) . However, it will be apparent to those skilled in the art that the principles described herein could be applied to other forms of electronic transactions not directly relating to a card payment. For example, the electronic transaction could be any of a range of electronic services provided between a mobile device and a transaction terminal, such as a non-card payment, the establishment of a direct payment facility such as an E-mandate, document or contract signature, data verification, such as an address or age check, and/or authentication check of the mobile device or of a user of the mobile device. An E-mandate is for example an agreement authorizing a merchant to receive one or more direct debit payments from a customer.
The following table provides a list of definitions of terms and abbreviations used in the present disclosure.
Term or Definition
Abbreviation
Card A method to verify that a card is in
Authentication fact genuine .
Mobile PIN PIN, entered on the mobile device, to authenticate a cardholder.
Near Field A set of communication protocols that Communication enable two electronic devices, one of which (NFC) is usually a portable device such as a
smartphone or chip card, to establish
communication by bringing them within around 4 cm of each other.
Secure Element Tamper-resistant platform (typically a (SE) one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data (e.g.
symmetric keys management) .
Transaction The process in which the Issuer, or a authorization processor on the Issuer's behalf, approves or denies a card transaction. Token (or Surrogate value that replaces the
Payment Token or original (or Funding) PAN that uniquely
Issuer Token) identifies a physical card.
User/cardholder The process by which cardholder
authentication, ownership of the payment card account is aka cardholder validated by the card Issuer.
verification
User/cardholder The process of identifying a
identification cardholder, within the context of a payment transaction, generally followed by user authentication .
The present disclosure describes a Mobile Contactless
Payment Solution involving a Proximity Payment Systems Environment (PPSE) application and a mobile device payment application, installed on a mobile device.
When implementing a Mobile Contactless Payment solution using Host Card Emulation, the PPSE application and payment application together emulate a Contactless Card.
Contactless payments described herein for example conform to the EMV (Europay, MasterCard, Visa) standard. The EMV standard is for example defined in the following publications, which are hereby incorporated by reference to the extent permitted by the law:
- EMV Integrated Circuit Card Specifications for Payment Systems, Book 1, Application Independent ICC to Terminal Interface Requirements, Version 4.3, November 2011;
- EMV Integrated Circuit Card Specifications for Payment Systems, Book 2, Security and Key Management, Version 4.3, November 2011;
- EMV Integrated Circuit Card Specifications for Payment Systems, Book 3, Application Specification, Version 4.3, November 2011;
- EMV Integrated Circuit Card Specifications for Payment Systems, Book 3, Cardholder, Attendant, and Acquirer Interface Requirements, Version 4.3, November 2011; and - EMV - Book C-2 - Kernel 2 Specification, Version 2.5 March 2015.
The following publication describes PIN (personal identification number) management and security, and is also incorporated by reference to the extent permitted by the law:
- ISO 9564-2:2014 - Personal Identification Number (PIN) management and security — Part 2 : Approved algorithms for PIN encipherment .
Figure 1 schematically illustrates a contactless payment system 100 according to an example embodiment of the present disclosure .
The system 100 for example comprises a mobile device (MOBILE DEVICE) 102 capable of wireless communications, and of performing an electronic payment. For example, the mobile device 102 is a mobile telephone, smart phone, tablet computer, digital media player or the like.
The mobile device 102 is shown in communication with a transaction terminal 104, which is for example a point-of-sale (POS) . In some embodiments, the communication between the mobile device 102 and the transaction terminal 104 is at least partially via a wireless interface, such as an NFC interface, a wireless data connection via a telecommunications network, a Bluetooth interface or a wireless local area network (WLAN) .
Alternatively, the transaction terminal 104 may communicate with the mobile device 102 using a camera of the mobile device 102. For example, the transaction terminal 104 may comprise a display for displaying a barcode such as a QR-code (quick response code) , which may be captured by the camera and interpreted using a suitable application loaded on the mobile device 102.
In alternative embodiments, the transaction terminal 104 could be incorporated within the mobile device 102. For example, the mobile device 102 may store and run a merchant application implementing the transaction terminal 104. In such a case, the transaction terminal 104 for example communicates with other circuitry of the mobile device by generating an intent, such as a URL-intent (universal resource locator-intent) . As will be known by those skilled in the art, an intent is a digital message passed from an application being run on a mobile device to the operating system of the mobile device, that causes a certain application to be called, and passes information, such as a parameter, to that application. For example, one type of intent may cause a web browser of the mobile device to access a specific location. For example, the intent-URI (universal resource identifier) https ://web_address activates the browser application of a mobile device and directs the browser to the location identified by the web address.
The transaction terminal 104 is for example positioned at an entry barrier of a restricted area, such as a transport network, or at a point of sale in a shop or restaurant. In such cases, the mobile device 102 is for example in relatively close proximity to the transaction terminal 104, and the communication between the mobile device and the transaction terminal is for example by NFC, the mobile device emulating a wireless transponder. Alternatively, other forms of wireless communication between the mobile device 102 and the transaction terminal 104 would be possible, such as a wireless connection via Bluetooth or via a wireless local area network (WLAN) .
In other embodiments, the mobile device 102 could be remote from the transaction terminal 104, and the communication between the mobile device and the transaction terminal could be via one or more intervening networks, such as a data network of a telecommunications network and/or the internet. In such a case, the transaction terminal 104 could correspond to a remote server of a merchant.
The system 100 further comprises, in addition to the mobile device 102 and the transaction terminal 104, an acquirer (ACQUIRER) 106, an authentication system (AUTHENTICATION) 108 in communication with a token service provider (TSP) 110 and an issuer system (ISSUER) 112.
The acquirer 106 is for example a server providing an interface between the transaction terminal 104 and the authentication system 108 and/or issuer system 112. For example, the acquirer may correspond to an entity that facilitates transactions made using a mobile device.
The authentication system 108 for example provides a level of security between the issuer system 112 and the mobile device 102, by implementing a tokenization scheme with online PIN verification, as will be described in more detail below.
The issuer system 112 for example corresponds to the system associated with the payment card issuer, and this entity for example has the capacity to execute a payment to a merchant from the account of the mobile user.
In operation, the mobile device 102 is for example issued with a token (TOKEN) by the TSP 110, or alternatively by a TSP (ISSUER PROCESSOR TSP) 114 forming part of the issuer system. The link between the token and the original (funding) Card PAN is for example securely stored by the TSP 110.
"Tokenization", when applied to data security, is the process of substituting a sensitive data element with a non- sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system. In the present disclosure, and in the context of a card payment, the term "token" is used to designate a value that replaces the original (or Funding) PAN that uniquely identifies a physical payment card. As such, the definition of Token matches the EMVCo definition of a payment token. In alternative embodiments, the token could replace any type of account number or identifier that is to be kept secret.
The token for example has the same format as a PAN and will serve the same purpose during EMV cryptography. Under normal circumstances, the token is for example static in a sense that it does not change for a Card Application instance. However, in some embodiments, a Token may be changed in case of a lost or stolen card.
The token is for example used to uniquely identify a digitized card, which can be one of several digitized cards linked to a single physical card. Thus there may be a one-to-many relationship between PANs and tokens, since a card can be digitized in multiple mobile solutions, such as in various applications and wallets, on one or more of the cardholder's mobile devices. A payment card, identified by its PAN, can therefore exist in a digitized form in one or more of these mobile contactless solutions on the same device and even on multiple devices of a user/cardholder (since the cardholder can decide to digitize the same card in two smart phones, or even wearables) .
To allow for this multiplication of digitized cards all linked to the same account, there are two main approaches:
- assigning a Virtual Card PAN to each Digitized Card.
In this way, on the issuer's card management system, each digitized card is a virtual card; or - assigning a token to each digitized card.
In mobile contactless payments, the mobile device for example provides the hardware to perform a contactless payment transaction at protocol level. The card payment application logic is for example handled by the digitized card. This digitized card may reside in different components embedded in or accessible by the mobile device. For example the digitized card is:
- integrated in a mobile application running in the xrich' mobile OS. This option, referred to as xHost Card Emulation (HCE) ' is for example a viable solution for Android and Microsoft Windows Mobile OS (the names
"Android" and "Microsoft Windows" may correspond to registered trademarks) ;
- installed and running in an embedded hardware secure element (SE) . This embedded SE is under control of the device manufacturer who determines the technology on how a card application is provisioned and how it is accessible from the Mobile OS. This is often via a xWallet' application. Such a solution for example concerns Apple and Samsung wallets (the names "Apple" and "Samsung" may correspond to registered trademarks) ; - installed and running in the UICC card next to the SIM application. This for example involves a specific (SWP) hardware link being available between the NFC Controller hardware on the mobile device and the UICC. The UICC is under control of the Mobile Network Operator (MNO) and the card provisioning technology is standardized by international organisations (e.g. GlobalPlatform) . This option is a viable solution for Android and Microsoft Windows Mobile OS .
With reference again to Figure 1, when a payment transaction is to be initiated, the mobile device 102 for example enters into communication with the transaction terminal 104, and transmits the token to it. The transaction terminal 104 in turn passes the token to the authentication system 108 via the acquirer 106. The authentication system 108 uses the TSP 110 to retrieve the PAN associated with the token. The PAN can then be passed to the issuer system 112 such that the payment can be processed.
In addition to the token, the mobile device 102 also for example stores a limited set of single use credentials, each valid for one transaction, as will be described in more detail below.
Figure 2 schematically illustrates the mobile device 102 in more detail according to an example embodiment.
As illustrated, the device 102 for example comprises a contactless front-end integrated circuit (CLF) 202, which will be referred to herein as an NFC router. The NFC router 202 is coupled to an NFC antenna 204, and together the router 202 and antenna 204 provide NFC circuitry for emulating the behaviour of an NFC transponder .
The NFC router 202 is also for example coupled to a host processing device (P) 206 of the mobile device 102. The processing device 206 for example comprises one or more processors under the control of instructions stored in an instruction memory (INSTR MEM) 208. The NFC router 202 is also for example coupled to a secure element (SE) 210, which is for example an embedded SE (eSE) , and/or to a SIM or universal SIM circuit 212. The circuit 212 is for example additionally coupled to the processing device 206. Additionally or alternatively, the processing device 206 may perform host card emulation (HCE) , meaning that NFC communications are routed to the host processing device 206, which emulates the behaviour of an NFC secure element. This permits secure NFC transactions to be performed directly by the processing device 206 without requiring the presence of a secure element within the mobile device 102.
The processing device 206 is also for example coupled to: an antenna 214 permitting telecommunications within a cellular network; to an antenna 215 permitting wi-fi (wireless fidelity) communications; and/or to an antenna 216 permitting ultra wideband (U B) RF communications. In some embodiments, the mobile device 102 may comprise only one or some of the antennas 214, 215 and 216. The mobile device 102 further comprises a user interface 218, for example comprising a display, keypad and/or touch screen, coupled to the processing device 206.
The mobile device 102 also for example comprises an image capture device 220, comprising an image sensor for capturing digital images. For example, the image capture device 220 is capable of capturing machine-readable codes such as QR-codes, and the mobile device 102 stores a suitable software application for interpreting the machine readable code. Furthermore, in some embodiments, the image capture device 220 or a separate image sensor is capable of capturing biometric samples such as a finger print, finger vein or retina scan.
In some embodiments, the mobile device 102 comprises a trusted execution environment (TEE) 222 that for example comprises a memory device 224 storing one or more software applications and an allocation of the processing resources of the processing device 206 for execution of the software applications in isolation from the execution of other software applications stored in the instruction memory. For example, the trusted executed environment 222 is used for the execution of sensitive software applications, such as an application for PIN (personal identification number) entry and/or for capturing a biometric sample. The embedded secure element (eSE) and/or trusted execution environment are typically used to store the card payment application (s) . This includes the credentials related to card(s), such as EMV card master keys .
The memory 208 of the mobile device 102 for example stores a Proximity Payment Systems Environment (PPSE) application and a payment application, or Mobile Contactless Card Application which will be referred to hereafter simply as "card application". These applications are for example executed when a payment transaction is to be initiated. In particular, when implementing a mobile contactless payment solution using host card emulation, these two applications emulate the contactless payment card.
The mobile device 102 provides additional means to perform cardholder authentication. These are referred to as Consumer Device Cardholder Verification Methods (CDCVM) . CDCVM covers multiple methods, such as:
- entering a PIN on the mobile device with verification by the mobile application;
- entering a PIN on the mobile device with verification by the (issuer) host;
- biometric verification (at mobile OS, or device level) ;
- other device unlocking capabilities (PIN, pattern,...) In the present disclosure, two CDCVM algorithms are defined for HCE based solutions. One is based on entering a PIN on the mobile device 102 with verification by the issuer system 112. This algorithm assumes that the card application has been launched and the PIN has been entered prior to the start of the EMV transaction, in other words prior to the xtap' . The other CDCVM is fingerprint verification, resulting in the same logical flow. These processes will be described in more detail below.
When a payment is to be initiated, the following operations are for example performed between the mobile device 102 and the transaction terminal 104.
a) the card application is launched on the mobile device
102, and for example includes a form of cardholder verification that falls under the general term of a CDCVM;
b) the terminal 104 selects the Proximity Payment Systems Environment (PPSE) using the SELECT command via NFC; c) the mobile device 102 is tapped towards the terminal
104;
d) the card application stored on the mobile device 102 for example responds with a list of the supported AIDs (application identifiers) , for example included in the File Control Information (FCI);
e) the terminal 104 selects the AID of the card application, which is for example an application supported by both the card and the terminal, and issues the SELECT command with this AID;
f) The card application for example responds with the File
Control Information (FCI) . The Processing Options Data Object List (PDOL) is for example not present;
g) the terminal 104 for example issues the GET PROCESSING OPTIONS command. Since there is no PDOL, the terminal for example uses the command data field λ8300' ;
h) the card application for example returns the Application Interchange Profile (AIP) and the Application File Locator (AFL) ;
i) the terminal 104 for example issues multiple READ RECORD commands to retrieve the generic card application data, the Issuer Public Key and the ICC Public Key;
j) the terminal 104 performs risk management, such as checking the card expiry date, the terminal floor limit, etc., and the terminal 104 for example makes a first decision to decline the transaction or to complete it online. This decision is for example based upon the Terminal Verification Results (TVR) , the issuer action preferences and acquirer action preferences . The terminal 104 issues the GENERATE AC command requesting an ARQC; k) based on the CDOL1 related data included in the data field of the GENERATE AC command, the card application for example performs its own card risk management. The card application then responds with an ARQC; 1) the terminal 104 goes online, sending the authorization message to the issuer. This message for example includes the ARQC for online card authentication.
Figure 3 schematically represents hardware and software components of the contactless payment system 100 of Figure 1 according to an example embodiment. A dashed line 302 shows the division between those elements forming part of the host infrastructure, and in particular the acquirer 106, the authentication system 108, the TSP 110 and the issuer system 112 of Figure 1, and those elements forming part of the mobile device 102. The host infrastructure will be referred to hereafter as the host server, even if this may comprise more than one server.
The mobile device 102 for example comprises the card application (CARD APPLICATION) 304, which for example includes a component 306 corresponding to a mobile component of the HCE implementation and including an application programming interface (API) provided to the card application within which it is embedded. The card application 304 also for example includes a component 308 reserved for example for mobile network operators and also including a corresponding API. Furthermore, the mobile device 102 comprises an embedded secure element (eSE) 310 and a wallet application (WALLET) 311 running on the mobile device.
The host server for example includes an authentication host mobile (AUTH HOST MOBILE) 312, which for example provides authentication of the cardholder, and an HCE server component (HCE SERVER COMP) 314 that interacts with the HCE mobile component 306.
The host server also for example comprises a personalization component (PERSO COMP) 315, a trusted service manager (SP-TSM) 316 associated with the service provider, and a trusted service manager (MNO-TSM) 318 associated with the mobile network operator.
The host infrastructure also for example includes the token service provider (TSP) comprising a token vault (TOKEN VAULT) 320 in communication with the authentication host mobile 312, and a stand-in cryptographic component (STAND-IN CRYTPO) 322 in communication with a communications switch (SWITCH) 323. Further elements include a secure element trusted service manager (SEI-TSM) 324, which for example communicates with the secure element 310 of the mobile device 102, and a notification service/mobile gateway (NOTIF SERVICE/MOBILE GW) 326, which for example communicates with the wallet application 311 and with the authentication host mobile 312. The trusted service manager 324 is for example adapted to provision, personalize and manage the lifecycle of the digitized cards on the eSE 310. The notification service/mobile gateway 326 is for example adapted to handle the wallet application lifecycle, and requests to enroll cards and to manage transaction history updates .
The token service provider (TSP) component for example intervenes during card provisioning and payment authorization and clearing for Mobile Contactless payments. The TSP manages tokens, tokenizes PANs and detokenizes tokens. The token vault 320 is a memory that for example securely stores the token-PAN links.
For example, the TSP described herein complies with the specifications listed in Chapter 5 of the EMVCo Payment Tokenization Specification Technical Framework, version 1.0, March 2014, the contents of which is hereby incorporated by reference to the extent permitted by the law.
A token request will typically contain information on the PAN, expiry date and the Token Requestor ID (card application, Bank application or OEM Wallet) . The Token Requestor ID allows the TSP to assign per Issuer different Token BIN ranges for the different mobile solutions (Token Requestor ID) . The time to handle a tokenization request by the TSP for example allows for near real-time card provisioning.
The TSP for example has a secure, real-time connection with the issuer system 112. The issuer system 112 and TSP are for example mutually authenticated. The PAN and token data is for example exchanged in an encrypted form. During authorization of the payment transaction, the TSP for example interfaces with the switches 323 and will for example:
- validate the EMV cryptogram generated by the digitized card during the payment transaction at the transaction terminal 104;
- look up the funding PAN related the token; and
- provide the EMV cryptogram validation result, token and funding PAN to the switch 323, which will forward it to the issuer system 112.
For the EMV cryptogram validation, the TSP for example relies on a HSM (hardware security module) containing the EMV issuer master keys (IMK) that is kept synchronous, through a key ceremony, with the IMK as present in the issuer system 112. With respect to the integration with the switches 323, the processing overhead related to the detokenization and EMV cryptogram validation at the TSP is for example limited to a maximum of 100 ms . To achieve this and the strict security requirements, the connection between the Switch (es) 323, and potentially the Issuer System 112 and the TSP, is for example a permanent link.
With reference again to Figure 3, in operation, implementation of the HCE solution for example involves, between the authentication host mobile 312 and the HCE server component 314, requests for:
- registration, activation and deactivation of HCE mobile component;
- provisioning of a digitized card;
- changes in card state (enable/disable/delete) ;
- update card data; and
- replenishment with new Single Use credentials.
Furthermore, between the HCE server component 314 and the authentication host mobile 312, notification messages are for example transmitted relating to changes in the HCE mobile component state, in the digitized card state and relating to replenishments .
The wallet solution for example involves notification of provisioning requests between the authentication host mobile 312 and the wallet notification service 326. Furthermore, transaction history requests are for example provided from the wallet application 311 to the TSP 320, 322.
The wallet solution and SIM based solution for example involve, between the authentication host mobile 312 and the TSM personalization component 315, requests for:
- provisioning of a digitized card;
- changes in card state (enable/disable/delete) ; and
- update card data.
Furthermore, for all solutions, the following communications for example occur:
- tokenization requests (PAN - token) during card provisioning between the authentication host mobile 312 and the TSP 320, 322;
- detokenization and EMV crypto validation between the switch 323 and the TSP 320, 322, including mobile PIN verification during authorization; and
- card provisioning requests between the card application and the authentication host mobile 312.
As described above, the mobile device 102 for example stores single use credentials. Single use credentials are specific for one single payment transaction and serve two purposes:
- generating an ARQC (authorization request cryptogram) for the transaction; and
- generating a cardholder verification proof. This is used to prove that the cardholder entered a correct mobile PIN or presented a correct fingerprint for the transaction.
The server component provides a mechanism to replenish the single use credentials on the mobile component.
Each single use credential for example comprises:
- an ATC (Application Transaction Counter) ;
- a single use key (SUK) , which is the session key derived from a card master key using the ATC. This value is used to compute a standard application cryptogram for a single transaction; - eSEALATC ~ A single-use encrypted hexadecimal value, for example of 16 bytes, created and stored by the HCE server component. The value is for example different for each ATC value. The eSEALA C values are used to generate cardholder verification proofs on the mobile phone. Such proofs are later checked by the TSP.
- NoncepiN - A single-use arbitrary 16 byte hexadecimal value created and stored by the HCE server component. The value is different for each ATC value. NoncepiN values are for example random values that are treated as key material, and thus stored in a protected space on the mobile device.
The maximum number of single use credentials in a set for a single HCE mobile component is for example configurable, and a threshold number of remaining single use credentials for example determines when the HCE mobile component should attempt to contact the HCE server component to replenish the set of single use credentials.
Figure 4 is a flow diagram illustrating an example of the derivation of the single use key (SUK) from a card master key and the issuer master key. These operations are performed by the host server, for example by the authentication system 108. The issuer master key (IMF) and the token are for example applied as inputs to a key derivation function (KDF) in order to generate the card master key (CMK) . The card master key, and the ATC are then for example applied as inputs to a further key derivation function in order to generate the single use key SUK.
Figure 5 illustrates an example of operations in a method of generating an encrypted verification value eSEALATC-
This method is for example implemented by the host system, for example by the authentication system 108.
The method involves the use of a PIN, which is for example an online mobile PIN in the sense that the PIN is known and verified by the host system. The PIN can for example only be set and changed when the device has a mobile internet connection with the host system. For example, the PIN is at the level of the application, and not at the level of the card, which means that from an end user perspective, the PIN is the same for all cards enrolled in a given card application.
A PIN Master Key, from which a PIN Single Use Key SUKPIN is derived, is for example synchronized between the HCE Server Component and the TSP.
The SeedMAC value is for example a random unique for a token. It is for example generated by the TSP at the moment the token is created and passed to the HCE server component at the moment the digitized card is personalized. For a given digitized card identified by a token and token sequence number and used in a given transaction identified by a given ATC, the host server for example derives the PIN single use key SUKPIN from the PIN master key in a similar fashion to the SUK derivation from the card master key.
In order to generate the encrypted verification value eSEALATC the inputs are for example the ATC, the token (Token) , the token sequence number (Token Seq Nr) , the value SeedMAC the SUKPIN, the PIN (Ref. PIN Block), and the NoncepiN-
With reference to Figure 5, a MAC (message authentication code) algorithm is for example applied to the ATC, token, token Sequence number and the value SeedMAC/ using as the key, the value SUKPIN. The output is a MAC value MACATC- A portion of the value MACATC f°r example corresponding to the leftmost 8 bytes, are for example taken to form a verification value SEALATC- Furthermore, a secure random nonce NoncepiN is for example generated and a key derivation function is used to derive a key KEYpiN from the PIN, the Token and the NoncepiN- For example, the PIN entry is included in the form of an ISO-0 encoding of the
PIN, which is for example described in the above referenced publication entitled "Personal Identification Number (PIN) management and security - Part 2 : Approved algorithms for PIN encipherment" .
The key KeypiN is then for example used to encrypt (ENC) the verification value SEALATC in order to generate the encrypted verification value eSEALATC- Before encryption, the value SEALATC is for example padded up to the encryption block size with random numbers .
The PIN specific single use credentials NoncepiN and eSEALA C arer example transmitted to the mobile device, and in particular to the HCE solution mobile component.
Figure 6 is a flow diagram representing operations in a method of generating, by the mobile device, a further verification value SEALATC' based on a candidate PIN entered by a user of the mobile device. For example, a mobile contactless payment transaction starts with the mobile user, presumed to be the cardholder, entering the candidate PIN. This PIN is used to derive a key keypiN' in the same manner as the key KeypiN described above, and using the same key derivation function, but based on the candidate PIN (Candidate PIN block) rather than the reference PIN, and based on the nonce NoncepiN received from the host system, this value for example forming part of the single use credentials. The key KeypiN' is then used to decrypt (DEC) the encrypted verification value eSEALATC in order to generate a value X. The value SEALATC' is f°r example extracted from this value X, and for example corresponds to the first 8 bytes of X.
Because the output of the decryption operation has no structure, validation of SEALATC' is for example not performed locally. For example, the value SEALATC' is provided by the mobile device to the terminal 104 along with the ARQC, and is then forwarded by the terminal 104 to TSP for verification. Furthermore, in some embodiments, the value of the ARQC provided by the mobile device 102 to the terminal 104 is based on the value SEALATC' · For example, in one embodiment the value SEALATC' forms part of the Issuer Discretionary Data of Issuer Application Data
(Tag 9F10) . As such, it is part of the input to calculate the ARQC. The ARQC is for example a MAC that provides integrity control of the data from which it is generated, thereby allowing the integrity of the value SEALATC' to be verified.
Verification of the value SEALATC' by the TSP will now be described with reference to Figure 7. Figure 7 is a flow diagram illustrating operations in a method of PIN verification.
Prior to validating the cardholder verification proof, the TSP for example performs a standard ARQC validation using the SUK, which it can derive from the token and the ATC.
For a given digitized card identified by a token and a token sequence number, the value of SeedjAC is f°r example retrieved. For a transaction with this digitized card, identified by the ATC, the PIN single use key SUKPIN can be derived. By validating the ARQC, the host system verifies the correct transmission of the verification value SEALATC' · The value SEALATC' is f°r example extracted from the Issuer Application Data (Tag 9F10) sent in the transaction.
The same MAC algorithm as applied in the method of Figure 5 is for example used to regenerate the value SEALATC^ based for example on the same inputs as the algorithm in Figure 5.
The value of SEALATC is for example then compared to the value SEALATC' received from the mobile device 102. If there is a match, the PIN can be considered to be successfully verified. A mismatch however indicates that the candidate PIN was incorrect.
It will be noted that the reference PIN and the nonce NoncepiN are not necessary to validate the candidate PIN.
Figure 8 is a flow diagram representing operations in a method of generating the further verification value SEALATC' AS an alternative to the method represented in Figure 6. Rather than being based on a candidate PIN entered by a user of the mobile device, the method of Figure 8 is for example based on a PIN value, for example selected randomly, that is stored in a fingerprint protected part of the mobile device (STORED UNDER FINGERPRINT) , and can thus only be unlocked by a fingerprint verification .
Thus instead of a user-supplied PIN, the HCE server for example decides on a random number, having a length of 14 bits in the example of Figure 8, and that is stored as the user's PIN at the server side. For example, the random PIN is stored during the enrolment of the application in fingerprint-protected storage. During SUC replenishment, the nonce value NoncepiN is stored in a secured storage, for example in the same storage as the random PIN.
A mobile contactless payment transaction starts with the cardholder performing a fingerprint scan. This unlocks the PIN and NoncepiN values. This PIN is used to derive the key keypiN' · The key keypiN' is then used to decrypt (DEC) the encrypted verification value eSEALATC in order to generate a value X. The value SEALATC' is then for example extracted from the value X in the same manner as the MACATC described above, for example by taking its leftmost 8 bytes. The rest of the fingerprint-based cardholder verification proof generation is for identical to the PIN-based case as described in relation to Figure 7.
In alternative embodiments to that of Figure 8, fingerprint verification could be implemented in a different manner. For example, it could involve generating a key KeypiN at random for each SUK at the host server side, and storing it directly in fingerprint-protected space of the mobile device 102. As a further example, it could involve storing plain SEALATC values in fingerprint-protected space of the mobile device 102.
An advantage of the embodiments described herein is that PIN verification for a contactless transaction can be performed in a simple manner, without requiring an internet connection between the mobile device and the host server.
Having thus described at least one illustrative embodiment, various alterations, modifications and improvements will readily occur to those skilled in the art. For example, while a token-based implementation has been described, it will be apparent to those skilled in the art that the principles described herein would also be application to implementations involving the
PAN directly, or a variant of the PAN, such as a protected PAN.

Claims

1. A method of transaction authorization comprising: deriving, by a first server (108, 110) , a first key
(KEYPIN) based on a mobile PIN value associated with a mobile device (102) ;
encrypting, by the first server based on the derived key, a verification value (SEALATC) to generate an encrypted verification value (eSEALATC) 1
transmitting, by the first server, the encrypted verification value to the mobile device;
receiving, by the first server or by a second server, a further verification value (SEALATC') generated by the decryption of encrypted verification value using a second key (ΚΕΥΡΙΝ') derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation; and
authorizing the transaction based on a verification of the further verification value.
2. The method of claim 1, wherein the transaction is a payment .
3. The method of claim 1 or 2, wherein the user authentication operation is a fingerprint verification.
4. The method of any of claims 1 to 3, wherein the verification value (SEALATC) is generated based on one or more credentials (ATC, Token, Token Sequence Number, SeedMAC) ·
5. The method of claim 4, wherein generating the verification value (SEALATC) comprises:
generating an authentication code (MACATC) using a third key (SUKPIN) and based on at least one of an ATC (Application Transaction Counter) value and a token representing a sensitive identifier.
6. The method of claim 5, wherein the transaction is a card payment and the sensitive identifier is a PAN (primary account number) associated with the card.
7. The method of any of claims 1 to 6, wherein the first key (KEYPIN) and the second key (KEYPIN') are derived using a same key derivation function, said same key derivation function being further based on a nonce value (NoncepiN) received by the mobile device from the first server.
8. The method of any of claims 1 to 7, wherein the encrypted verification value (eSEALATc) is transmitted to the mobile device as part of a set of single use credentials further comprising: an ATC (Application Transaction Counter) ; and a nonce value (NoncepiN) for use in deriving the second key (KEYPIN' ) .
9. A transaction authorization system comprising:
a first server adapted to:
derive a first key (KEYPIN) based on a mobile PIN associated with a mobile device (102) ;
encrypt, based on the first key, a verification value (SEALATC) to generate an encrypted verification value (eSEALATc) ; and
transmit the encrypted verification value to the mobile device, wherein the first server or a second server is further adapted to:
receive a further verification value (SEALATC') generated by the decryption of the encrypted verification value using a second key (KEYPIN') derived based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation.
10. The transaction authorization system of claim 9, wherein the transaction is a payment.
11. The transaction authorization system of claim 9 or 10, wherein the first server and/or the second server and/or one or more further servers are adapted to authorize the transaction based on a verification of the further verification value (SEALATC') .
12. A method of transaction authorization comprising: receiving by a mobile device (102) an encrypted verification value (eSEALATc) ; deriving, by the mobile device, a key (ΚΕΥΡΙΝ') based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation;
decrypting the encrypted verification value by the mobile device based on the key to generate a further verification value (SEALATC ' ) and
transmitting the further verification value to a server for verification.
13. A mobile device comprising one or more circuits adapted to :
receive an encrypted verification value (eSEALATc) derive a key (ΚΕΥΡΙΝ') based on a candidate PIN value entered into the mobile device or based on a PIN stored by the mobile device and released after a user authentication operation;
decrypt the encrypted verification value based on the derived key to generate a further verification value (SEALATC') ; and
transmit the further verification value to a server to initiate an electronic transaction.
14. The mobile device of claim 13, wherein the electronic transaction is a card payment.
EP17718882.8A 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions Ceased EP3446274A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP23150154.5A EP4177810A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1653394 2016-04-18
PCT/EP2017/059073 WO2017182411A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions

Related Child Applications (1)

Application Number Title Priority Date Filing Date
EP23150154.5A Division EP4177810A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions

Publications (1)

Publication Number Publication Date
EP3446274A1 true EP3446274A1 (en) 2019-02-27

Family

ID=58609391

Family Applications (2)

Application Number Title Priority Date Filing Date
EP17718882.8A Ceased EP3446274A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions
EP23150154.5A Pending EP4177810A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions

Family Applications After (1)

Application Number Title Priority Date Filing Date
EP23150154.5A Pending EP4177810A1 (en) 2016-04-18 2017-04-14 Method and device for authorizing mobile transactions

Country Status (2)

Country Link
EP (2) EP3446274A1 (en)
WO (1) WO2017182411A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11562351B2 (en) * 2019-08-09 2023-01-24 Its, Inc. Interoperable mobile-initiated transactions with dynamic authentication
US20240235841A1 (en) * 2023-01-06 2024-07-11 Capital One Services, Llc System and method for parallel manufacture and verification of one-time-password authentication cards

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1742450A2 (en) * 2005-07-05 2007-01-10 Sony Ericsson Mobile Communications Japan, Inc. Method and mobile terminal device with biometric encrypted personal identification number
EP2587400A1 (en) * 2008-12-01 2013-05-01 Research In Motion Limited Simplified multi-factor authentication

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0246823A3 (en) * 1986-05-22 1989-10-04 Racal-Guardata Limited Data communication systems and methods
EP0952564A3 (en) * 1998-04-16 2003-09-17 Citicorp Development Center, Inc. System and method for alternative encryption techniques
US6880079B2 (en) * 2002-04-25 2005-04-12 Vasco Data Security, Inc. Methods and systems for secure transmission of information using a mobile device
US8870084B2 (en) * 2011-09-13 2014-10-28 Sca Promotions Method and system for the generation and validation of personal identification numbers
US10185957B2 (en) * 2012-06-12 2019-01-22 Square, Inc. Software pin entry
US20150073995A1 (en) * 2013-09-10 2015-03-12 The Toronto Dominion Bank System and method for authorizing a financial transaction
RU2663319C2 (en) * 2013-12-02 2018-08-03 Мастеркард Интернэшнл Инкорпорейтед Method and system of safe authenticating user and mobile device without safety elements
EP3089091B1 (en) * 2014-05-02 2020-03-11 Barclays Execution Services Limited Transaction authentication
US20160012408A1 (en) * 2014-07-09 2016-01-14 Pay(Q)R, LLC Cloud-based mobile payment system
US11257074B2 (en) * 2014-09-29 2022-02-22 Visa International Service Association Transaction risk based token

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1742450A2 (en) * 2005-07-05 2007-01-10 Sony Ericsson Mobile Communications Japan, Inc. Method and mobile terminal device with biometric encrypted personal identification number
EP2587400A1 (en) * 2008-12-01 2013-05-01 Research In Motion Limited Simplified multi-factor authentication

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"EMV - Integrated Circuit Card Specifications for Payment Systems. Book 2: Security and Key Management", INTERNET CITATION, 1 June 2008 (2008-06-01), pages 176pp, XP007913922, Retrieved from the Internet <URL:http://www.iro.umontreal.ca/~salvail/securite/notes2010/EMVv4.2Book2.pdf> [retrieved on 20100714] *
ANONYMOUS: "Challenge-response authentication - Wikipedia, the free encyclopedia", 7 September 2012 (2012-09-07), XP055101700, Retrieved from the Internet <URL:http://en.wikipedia.org/w/index.php?title=Challenge%E2%80%93response_authentication&oldid=511227391> [retrieved on 20140212] *
See also references of WO2017182411A1 *
VAPEN A ET AL: "2-clickAuth Optical Challenge-Response Authentication", AVAILABILITY, RELIABILITY, AND SECURITY, 2010. ARES '10 INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 15 February 2010 (2010-02-15), pages 79 - 86, XP031652960, ISBN: 978-1-4244-5879-0 *

Also Published As

Publication number Publication date
WO2017182411A1 (en) 2017-10-26
EP4177810A1 (en) 2023-05-10

Similar Documents

Publication Publication Date Title
US11720943B2 (en) Trusted remote attestation agent (TRAA)
US10917405B2 (en) Methods and systems for providing FIDO authentication services
CN112602300B (en) System and method for password authentication of contactless cards
US10699277B2 (en) Security for mobile payment applications
KR102477453B1 (en) Transaction messaging
US9467292B2 (en) Hardware-based zero-knowledge strong authentication (H0KSA)
Yang Security Enhanced EMV‐Based Mobile Payment Protocol
JP6704919B2 (en) How to secure your payment token
JP2022504072A (en) Systems and methods for cryptographic authentication of contactless cards
US20160104154A1 (en) Securing host card emulation credentials
US20090307140A1 (en) Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
JP2022502888A (en) Systems and methods for cryptographic authentication of non-contact cards
CN112889046A (en) System and method for password authentication of contactless cards
EP3186739B1 (en) Secure on device cardholder authentication using biometric data
CN113168631A (en) System and method for password authentication of contactless cards
JP2022501861A (en) Systems and methods for cryptographic authentication of non-contact cards
US20180240113A1 (en) Determining legitimate conditions at a computing device
EP4177810A1 (en) Method and device for authorizing mobile transactions
WO2015162276A2 (en) Secure token implementation
US20180240111A1 (en) Security architecture for device applications
US10248947B2 (en) Method of generating a bank transaction request for a mobile terminal having a secure module
GB2525426A (en) Secure token implementation
KR101078953B1 (en) System and Method for Processing Scrap Public Certificate of Attestation and Recording Medium
GB2525422A (en) Secure token implementation

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20181107

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20190906

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20221119