WO2005022474A1 - A method of, and a system for, inhibiting fraudulent online transactions - Google Patents

Info

Publication number
WO2005022474A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
verifying
verifying code
remote computer
customer
Prior art date
Application number
PCT/ZA2004/000085
Other languages
French (fr)
Inventor
Gerrit Johan Rosseau Ferreira
Original Assignee
Ip Works (Proprietary) Limited
Priority date
Filing date
Publication date
Application filed by Ip Works (Proprietary) Limited
Publication of WO2005022474A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425 Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Payment protocols; Details thereof using an alias or single-use codes

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Engineering & Computer Science (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention provides a method of conducting an electronic transaction. The steps of the method are: connecting a remote computer of the customer to an authentication server to open up an authorization and data transmission channel; generating, upon said connection being made, a code which is unique to the connection established; generating a first verifying code derived from raw data comprising said unique code and the ID of the remote computer and the date and time; transmitting said first verifying code to the customer along a communication channel other than said authorization and data transmission channel; generating a second verifying code and storing this on the authentication server, the second verifying code being encoded and derived from said unique code, the ID of the remote computer and the time and date; entering said first verifying code at said remote computer; transmitting said first verifying code from said remote computer to said authentication server along said authorization and data transmission channel; transmitting both said first and second codes from the authentication server to a means for decoding the second verifying code to recreate the raw data and then using the re-created raw data to create a third verifying code; and comparing the first and third verifying codes.

Description

A METHOD OF, AND A SYSTEM FOR, INHIBITING FRAUDULENT ONLINE TRANSACTIONS

FIELD OF THE INVENTION

THIS INVENTION relates to a method of, and a system for, inhibiting fraudulent online transactions.

BACKGROUND TO THE INVENTION

Fraud on the Internet has reached unacceptable levels and financial and other institutions are expending vast sums and employing significant manpower in trying to make bank accounts and other records secure against "hackers".
Internet banking is now taking over from cheque writing as the method of choice for those who have payments to make. Conventionally a password, or possibly two passwords, are required to access a bank account. However, applicants are aware of techniques that make the protection allegedly offered by passwords almost useless. Bypassing these passwords and gaining access to accounts presents no serious problem to a competent "hacker".
The present invention seeks to provide a method and a system for preventing unauthorized operation of an account.

BRIEF DESCRIPTION OF THE INVENTION

According to one aspect of the present invention there is provided a method of conducting an electronic transaction which comprises: connecting a remote computer of the customer to an authentication server to open up an authorization and data transmission channel; generating, upon said connection being made, a code which is unique to the connection established; generating a first verifying code derived from raw data comprising said unique code and the ID of the remote computer and the date and time; transmitting said first verifying code to the customer along a communication channel other than said authorization and data transmission channel; generating a second verifying code and storing this on the authentication server, the second verifying code being encoded and derived from said unique code, the ID of the remote computer and the time and date; entering said first verifying code at said remote computer; transmitting said first verifying code from said remote computer to said authentication server along said authorization and data transmission channel; transmitting both said first and second codes from the authentication server to a means for decoding the second verifying code to recreate the raw data and then using the re-created raw data to create a third verifying code; and comparing the first and third verifying codes.
Said second verifying code can be in the form of a global unique identifier; and the first verifying code in the form of a number with, for example, five digits. According to a further aspect of the present invention there is provided a system for enabling an online transaction as defined above to be undertaken.

BRIEF DESCRIPTION OF THE DRAWING

For a better understanding of the present invention, and to show how the same may be carried into effect, reference will now be made, by way of example, to the accompanying drawing in which the single figure is a flow diagram illustrating the system in accordance with the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS

The transaction commences when the customer uses his computer 10 to log on to the authentication server 12 of the financial institution at which his current account, savings account or other bank account is held. The customer logs on via the transmission line 14. Logging on occurs in the conventional manner by the insertion of one or more codes known only to the customer. The client authentication server 12 of the financial institution authenticates the information provided by the customer as the log on procedure takes place. This establishes an authentication and data communication channel between the customer 10 and the financial institution.
The authentication server 12 has stored therein information pertaining to the customer which the financial institution has previously requested and the customer has provided. The information can take many forms but should include at least: (a) information pertaining to a second communication channel from the financial institution to the customer which the customer wishes the financial institution to use; and (b) information pertaining to when establishment of a data transmission channel is allowed, and how long the authentication and data communication channel may remain connected.
The information provided under (a) is hereinafter referred to as the customer's "notification profile" and can comprise, for example, the number of a cellular phone to which a text message can be sent or an email address to which a message can be sent.
The information provided under (b) will be referred to hereinafter as the customer's "expiry policy" and can, for example, specify that no connection before 8am, or after 5pm, is valid and that the transmission channel should be closed after a specified time.
The information under (a) and (b) is in XML format.
Upon the authentication and data transmission channel being opened, an identification code is generated by the server 12 which is unique to the connection which has been established. Each time a customer establishes an authentication and data transmission channel between himself and the institution, a new, unique identification code is allocated. This code will be referred to hereinafter as the "request ID".
The data available for use now comprise the customer's notification profile, the customer's expiry policy, the customer's computer ID, the request ID and the time and date that the transaction commenced.
The request ID, the customer's computer ID and the time and date (the "raw ticket uid") are used by a secure server 16 to generate a global unique identifier which is a thirty two character number. This is generated using a protocol which is the industry standard worldwide. This number, in the present context, is referred to as a "ticket uid". "uid" is a shorthand way of writing "global unique identifier".
The ticket uid is transmitted along path 18 to the server 12 and stored in the memory of the server 12.
The "raw ticket uid" is hashed in the secure server 16 to provide a number of, say, five digits in length which is referred to hereinafter as the "token ID". The token ID is sent to the customer along the communication channel 22 specified in the customer's notification policy as stored on the server 12.
The customer is prompted on the screen of the computer 10 to enter the token ID received, and the token ID is then transmitted to the financial institution's authentication server 12 along the previously established authentication and data transmission channel. Upon receipt of the entered token ID, the authentication server 12 transmits the token ID and the ticket uid to the secure token server 16. The server decodes the ticket uid to recreate the raw ticket data and then produces a further identification number (referred to as a "match ID"). This is compared with the token ID. Only if there is a match between the token ID and the match ID can the transaction proceed. In the event of a mismatch the transaction is not permitted to proceed. By using the ticket uid to produce the match ID, there is assurance that it is the correct authorization server 12 that is communicating with the secure server 16. More specifically, the token ID is produced directly from the "raw ticket uid". The match ID is produced from the ticket uid which is also based on the raw ticket data but which has been stored on the server.
Reference numeral 24 designates the financial institution's computer on which all the client's financial information is stored.
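
The ticket uid / token ID / match ID exchange described above, sketched as an added example that is not part of the patent text. Assumptions: the unspecified hash is replaced by HMAC-SHA256 under a key held only by secure server 16, "decoding" the ticket uid is modelled as a lookup on that server (a 32-character identifier cannot itself carry the raw data), and the attempt limit, token lifetime and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_DIGITS = 5                       # "a number of, say, five digits"
MAX_ATTEMPTS = 3                       # assumption: not stated in the patent
TOKEN_LIFETIME = timedelta(minutes=5)  # assumption: stands in for the expiry policy


@dataclass
class RawTicket:
    """Request ID, computer ID and start time: the patent's raw ticket data."""
    request_id: str
    computer_id: str
    started_at: datetime
    attempts: int = 0

    def encode(self) -> bytes:
        fields = (self.request_id, self.computer_id, self.started_at.isoformat())
        return "|".join(fields).encode()


class SecureTokenServer:
    """Plays the role of secure server 16 (hypothetical implementation)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # never leaves this server
        self._tickets: dict[str, RawTicket] = {}

    def _derive(self, raw: RawTicket) -> str:
        # Keyed hash truncated to five digits; used for token ID and match ID.
        mac = hmac.new(self._key, raw.encode(), hashlib.sha256).digest()
        number = int.from_bytes(mac[:8], "big") % 10**TOKEN_DIGITS
        return f"{number:0{TOKEN_DIGITS}d}"

    def issue(self, request_id: str, computer_id: str, now: datetime):
        """Return (ticket uid for server 12, token ID for the second channel)."""
        raw = RawTicket(request_id, computer_id, now)
        ticket_uid = uuid.uuid4().hex         # 32-character identifier
        self._tickets[ticket_uid] = raw
        return ticket_uid, self._derive(raw)

    def verify(self, ticket_uid: str, token_id: str, now: datetime) -> bool:
        """Recreate the raw data from the ticket uid and compare match ID."""
        raw = self._tickets.get(ticket_uid)
        if raw is None:                       # unknown, used or locked-out ticket
            return False
        raw.attempts += 1
        expired = now - raw.started_at > TOKEN_LIFETIME
        match_id = self._derive(raw)
        ok = not expired and hmac.compare_digest(match_id.encode(), token_id.encode())
        if ok or expired or raw.attempts >= MAX_ATTEMPTS:
            del self._tickets[ticket_uid]     # single use; bounds guessing
        return ok


def off_by_one(token: str) -> str:
    """A token guaranteed to differ from the real one (for the demo)."""
    return f"{(int(token) + 1) % 10**TOKEN_DIGITS:0{TOKEN_DIGITS}d}"


def demo() -> dict:
    # Constructed sample values; nothing here comes from a real system.
    t0 = datetime(2004, 7, 26, 9, 0, tzinfo=timezone.utc)
    srv = SecureTokenServer()
    uid_a, tok_a = srv.issue("req-0001", "pc-10", t0)
    uid_b, tok_b = srv.issue("req-0002", "pc-10", t0)
    uid_c, tok_c = srv.issue("req-0003", "pc-10", t0)
    soon = t0 + timedelta(minutes=1)
    guesses = [srv.verify(uid_b, off_by_one(tok_b), soon) for _ in range(MAX_ATTEMPTS)]
    return {
        "uid_length": len(uid_a),
        "correct": srv.verify(uid_a, tok_a, soon),
        "replayed": srv.verify(uid_a, tok_a, soon),
        "guesses": guesses,
        "after_lockout": srv.verify(uid_b, tok_b, soon),
        "expired": srv.verify(uid_c, tok_c, t0 + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    print(demo())
```

With only five digits the token space is 100,000 values, so the single-use deletion and attempt limit in `verify` carry most of the resistance to guessing.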

Claims

CLAIMS:
1. A method of conducting an electronic transaction which comprises: connecting a remote computer of the customer to an authentication server to open up an authentication and data transmission channel; generating, upon said connection being made, a code which is unique to the connection established; generating a first verifying code derived from raw data comprising said unique code and the ID of the remote computer and the date and time; transmitting said first verifying code to the customer along a communication channel other than said authentication and data transmission channel; generating a second verifying code and storing this on the authentication server, the second verifying code being encoded and derived from said unique code, the ID of the remote computer and the time and date; entering said first verifying code at said remote computer; transmitting said first verifying code from said remote computer to said authentication server along said authentication and data transmission channel; transmitting both said first and second codes from the authentication server to a means for decoding the second verifying code to recreate the raw data and then using the re-created raw data to create a third verifying code; and comparing the first and third verifying codes.
2. A method as claimed in claim 1, wherein said second verifying code is in the form of a global unique identifier and the first verifying code is in the form of a multi-digited number.
PCT/ZA2004/000085 2003-08-27 2004-07-26 A method of, and a system for, inhibiting fraudulent online transactions WO2005022474A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA03/6668 2003-08-27
ZA200306668 2003-08-27

Publications (1)

Publication Number Publication Date
WO2005022474A1 true WO2005022474A1 (en) 2005-03-10

Family

ID=34275065

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/ZA2004/000085 WO2005022474A1 (en) 2003-08-27 2004-07-26 A method of, and a system for, inhibiting fraudulent online transactions

Country Status (1)

Country Link
WO (1) WO2005022474A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2769446A1 (en) * 1997-10-02 1999-04-09 Achille Joseph Marie Delahaye Identification and authentication system for users of data network
FR2771875A1 (en) * 1997-11-04 1999-06-04 Gilles Jean Antoine Kremer INFORMATION TRANSMISSION METHOD AND COMPUTER SERVER IMPLEMENTING IT

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1840814A1 (en) * 2006-03-17 2007-10-03 Hitachi Software Engineering Co., Ltd. Verification system
US10525357B2 (en) 2006-11-15 2020-01-07 Cfph, Llc Storing information from a verification device and accessing the information from a gaming device to verify that the gaming device is communicating with a server
US10212146B2 (en) 2006-11-15 2019-02-19 Cfph, Llc Determining that a gaming device is communicating with a gaming server
US9685036B2 (en) 2006-11-15 2017-06-20 Cfph, Llc Verifying a gaming device is in communications with a gaming server by passing an indicator between the gaming device and a verification device
US9767640B2 (en) 2006-11-15 2017-09-19 Cfph, Llc Verifying a first device is in communications with a server by storing a value from the first device and accessing the value from a second device
US9875341B2 (en) 2006-11-15 2018-01-23 Cfph, Llc Accessing information associated with a mobile gaming device to verify the mobile gaming device is in communications with an intended server
US11710365B2 (en) 2006-11-15 2023-07-25 Cfph, Llc Verifying whether a device is communicating with a server
US10181237B2 (en) 2006-11-15 2019-01-15 Cfph, Llc Verifying a gaming device is in communications with a gaming server by passing an indicator between the gaming device and a verification device
US9590965B2 (en) 2006-11-15 2017-03-07 Cfph, Llc Determining that a gaming device is communicating with a gaming server
EP2086658A4 (en) * 2006-11-15 2011-01-05 Cfph Llc Systems and methods for determining that a gaming device is communicating with a gaming server
US10810823B2 (en) 2006-11-15 2020-10-20 Cfph, Llc Accessing known information via a devicve to determine if the device is communicating with a server
US10991196B2 (en) 2006-11-15 2021-04-27 Cfph, Llc Verifying a first device is in communications with a server by storing a value from the first device and accessing the value from a second device
US11083970B2 (en) 2006-11-15 2021-08-10 Cfph, Llc Storing information from a verification device and accessing the information from a gaming device to verify that the gaming device is communicating with a server
US10068421B2 (en) 2006-11-16 2018-09-04 Cfph, Llc Using a first device to verify whether a second device is communicating with a server
US11213773B2 (en) 2017-03-06 2022-01-04 Cummins Filtration Ip, Inc. Genuine filter recognition with filter monitoring system

Similar Documents

Publication Publication Date Title
US8132243B2 (en) Extended one-time password method and apparatus
US8079082B2 (en) Verification of software application authenticity
US9699183B2 (en) Mutual authentication of a user and service provider
US9231944B2 (en) Method and apparatus for the secure authentication of a web site
US6829711B1 (en) Personal website for electronic commerce on a smart java card with multiple security check points
US7730321B2 (en) System and method for authentication of users and communications received from computer systems
US20110047605A1 (en) System And Method For Authenticating A User To A Computer System
EP1615097A2 (en) Dual-path-pre-approval authentication method
US20090307141A1 (en) Secure Card Services
WO2012167941A1 (en) Method to validate a transaction between a user and a service provider
WO2013148364A1 (en) Secure atm transactions with a mobile device
EP1904920A2 (en) System and method for security in global computer transactions that enable reverse-authentication of a server by a client
KR20100054757A (en) Payment transaction processing using out of band authentication
US20010034721A1 (en) System and method for providing services to a remote user through a network
EP2533486A1 (en) Method to validate a transaction between a user and a service provider
WO2005022474A1 (en) A method of, and a system for, inhibiting fraudulent online transactions
US20060059111A1 (en) Authentication method for securely disclosing confidential information over the internet
US20160105798A1 (en) Process for authenticating an identity of a user
KR100517441B1 (en) Method for portrait mutual certification and computer readable record medium on which program therefor is recorded
KR101493057B1 (en) How to provide one-off codes
WO2008084435A1 (en) Security arrangement
KR20070076576A (en) Payment Approval Process
KR20070076575A (en) How to handle customer authentication
KR100782012B1 (en) Auto call system using telephone in internet banking and financial transaction method using the system
KR20090114528A (en) How to provide withdrawal service using one-time password

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase