The present invention generally relates to so-called smart cards and, more particularly to alternative uses of highly secure credit cards as personal identification cards for controlling access to data, secured locations, machinery, personal or commercial articles, data processing equipment and the like.
2. Description of the Prior Art
Proliferation of fraudulent activities such as identity theft, often facilitated by streamlining of electronic financial transactions and the proliferation of credit and debit cards often used in such transactions, has led to great interest in techniques for improving security and authentication of the identity of a user of such credit and debit cards. Recent advances in semiconductor technology, particularly extremely thin substrates, has also allowed chips to be fabricated with substantial mechanical flexibility and robustness adequate for inclusion of electronic circuits of substantial complexity within conveniently carried cards physically similar to credit cards currently in use. Such technology has also allowed records of substantial information content to be similarly packaged and associated with various articles, animals or persons such as maintenance records for motor vehicles or medical records for humans or animals. In regard to increase of security for financial transactions however, various attempts to increase security through improved identity authentication or disablement in case of theft or other misuse, while large in number and frequently proposed have not, until recently, proven adequate for the purpose.
However, a highly secure credit or debit card design has been recently invented and is disclosed in U.S. Pat. No. 6,641,050 B2, issued Nov. 4, 2003, and assigned to the assignee of the present invention, the entire disclosure of which is hereby fully incorporated by reference for details of implementation thereof. In summary, the secure credit/debit card disclosed therein includes a keyboard or other selective data entry device, a free-running oscillator, an array of electronic fuses (e-fuses) or other non-volatile memory, a processor, a pair of linear feedback shift registers (LFSRs) and a transmitter/receiver to allow communication with an external card reader. The card is uniquely identified by a unique identification number and the programming of e-fuses which control feedback connections for each of the LFSRs, one of which is used as a reference and the other is used in the manner of a pseudo-random number generator. The card is activated only for short periods of time sufficient to complete a transaction by entry of a personal identification number (PIN) that can also be permanently programmed into the card. When the card is activated and read by a card reader, the two sequences of numbers generated by the LFSRs are synchronously generated and a portion thereof is communicated to a reader which not only authenticates the number sequences against each other and the card identification number but also rejects the portion of the sequence if it is the same portion used in a previous transaction to guard against capture of the sequences by another device. This system provides combined authentication of the holder/user and the card, itself, together with encryption of transaction information unique to each card which renders the card useless if stolen while providing highly effective protection against simulation and/or duplication of the card or capture of information from it and has proven highly effective in use.
However, since the secure credit card in accordance with the above-incorporated patent provides for authentication of the holder/user, it is basically inconsistent with some current preferred modes of use of a credit card such as allowing a spouse or child to possess and possibly use a particular credit card for emergency or other particular purposes. For example, regardless of the relationship between the holder (i.e. the person to whom the card is originally issued by a financial institution which normally maintains ownership of the card) of the card and a person the holder may wish to allow to use it, there may be a strong reluctance of the holder to reveal his own PIN number to such a person since, for example, the holder may use the same PIN number to control other accounts or access rights. Further, the holder of the card may have a relatively large line of credit and may wish to restrict the usage by another person to a much lower amount or a periodic total (e.g. number of dollars per month) commensurate with the contemplated or intended use or restrict use to certain merchants or service providers (hereinafter referred to collectively as merchants). If a card is to be regularly used by a number of persons such as employees of a business, the holder may wish to separately track usage by each person authorized to use the card. In any of these circumstances, even with the high level of security provided by the secure credit card, itself, it is desirable to have confirmation that each use is authorized.
It is therefore an object of the present invention to provide a secure credit card similar to that disclosed in U.S. Pat. No. 6,641,050, but accommodating a plurality of freely assignable PIN numbers which may be associated with authorized user profiles to control privileges of individual authorized users and identify their transactions using the secure credit card.
In order to accomplish these and other objects of the invention, a method of regulating privileges permitted using a secure credit card is provided comprising steps of providing a personal identification number (PIN) for a user in addition to a PIN identifying a holder of the secure credit card, associating a profile corresponding to the PIN provided for the user, and accessing the profile when the secure credit card is activated using the PIN provided for the user.
In accordance with another aspect of the invention, a secure credit card and secure financial transaction system is provided comprising a card body including a processor and associated storage for a stored program for operation of the processor, a communication interface, and a data entry arrangement, a non-volatile memory for storage of identification information for the secure credit card, a personal identification number (PIN) of a holder of said secure credit card and a PIN of at least one authorized user of the secure credit card, and encryption means for encoding transaction information and secure transaction codes in accordance with signals stored in the non-volatile memory, and an arrangement for distinguishing between the PIN of the holder and a PIN of an authorized user. The system usable with the secure credit card further comprises a card reader communicating with a server controlled by an issuer of the secure credit card, and an arrangement for receiving transaction information and secure transaction codes from the secure credit card and accepting or rejecting a transaction responsive to the transaction information and secure transaction codes.
The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, in which:
Referring now to the drawings, and more particularly to
The operation of the multiple user secure credit card system in accordance with the invention starts (100) with entry of a PIN number or password 101 that initiates a session on the card processor 500 (
It may be useful to an understanding of the present invention to summarize the constitution and operation of the secure credit card disclosed in the above-incorporated U.S. Pat. No. 6,641,050. A smart card credit card as disclosed in this U.S. Patent incorporates integrated electronics within it so that basic processing of information and transmission of information to and from the card may occur. In addition, this secure credit card also uses two linear feedback shift registers (LFSR) respectively referred to as a reference LFSR and a secure LFSR. These LFSRs are synchronized by common free running clock oscillator. The secure LFSR is customized to a unique configuration for each secure credit card. This combination of LFSRs is the key to generating a pseudo random binary string that is used to encrypt information. The generated binary string is a very large sequence sufficient for effective randomness. It is the state of the LFSRs, i.e., the binary sequences generated from the LFSRs and the card ID, that is transmitted to the issuing financial institution during a transaction whereby the institution can validate the authenticity of the card and the transaction. It is the configuration of the secure LFSR that gives the special uniqueness to each secure credit card. This configuration is very difficult and perhaps impossible for thieves to replicate as it cannot be read from the card itself. None of the memory configurations can be read or obtained from outside the secure card.
Unique LFSR configurations are accomplished by employing e-fuse technology within the card. E-fuse technology permits special memory arrangements to be created when the card is manufactured or when the card is issued. E-fuse technology uses writeable integrated fuses that can be “burned” after the card is assembled which in turn provides the unique configurations of the LFSRs and the card ID. There is a personalized identification number (PIN number) also burned into the card which the holder/user must enter to activate the secure card during each transaction.
The institution that issues the card must maintain a record of every card configuration. Whenever a secure credit card is involved in a transaction, the card ID permits the financial institution to retrieve the configuration data for the secure card involved in the transaction. From this configuration information, and the pseudo random number string returned from the secure credit card at the time of the transaction, the card and transaction can be authenticated.
When a holder/user wants to use the secure card, a PIN number must be entered directly into the card. If the PIN matches a PIN burned on the card, the secure credit card is activated and a pseudo random sequence is generated which is communicated to the financial institution authenticating the transaction. It is the nature of this combination of features of the secure credit card that makes it unlikely that no two transactions of a secure card will have the same pseudo random number sequences communicated outside the card.
A functional diagram of the secure card with associated sub-components is shown in
Referring now to
The character display array 620 shown in
The single key pad 610 and single character display 640 shown in
Returning now to
Once a registered PIN is recognized, it is determined at step 102 if the PIN corresponds to the holder or a user. This difference is preferably determined from the portion of the e-fuse or other PIN memory structure in which the matching PIN is found. Since a card will generally have only one holder, a unique, dedicated location is preferably provided for the PIN of the holder. If the PIN corresponds to a holder, the operation of the multi-user secure credit card branches to step 103 corresponding to the holders=s privileges of conducting a transaction as a holder with full privileges corresponding to the conditions of issuance of the card as described in the above-incorporated U.S. patent and/or the additional privilege in accordance with the present invention of functioning as an administrator for managing access, authorization and privileges of users. It is considered an important advantage of the present invention to accommodate administration by the holder and independently of the issuer, but those skilled in the art will appreciate that shared administration by the holder and the issuer may provide some additional security and/or flexibility of use in some circumstances.
While step 103 is depicted in
The steps following the entry 104 of a profile name provide for building or editing a profile for the authorized user. It should be noted that not all information which may be included in a profile need be provided and any omitted information will default to the holder=s privileges. However, it will generally be desired to enter some profile information to restrict the user=s privileges particularly when it is realized that granting full privileges of the holder other than for user profile administration reduces, however slightly, the security provided by the holder=s PIN. (That is, if full privileges of the card can be accessed from two PINs such as if the holder assigned an additional PIN number to himself (e.g. as a user), the possibility of an unauthorized person guessing a recognizable PIN, however small and which may be reduced by providing an increased number of digits of PINs, would be doubled. For the same reason, the number of users should be limited to a relatively small number relative to the number of possible PINs available and the profiles associated with additional PINs should be suitably restricted. However, the holder may wish to establish an additional PIN for himself as if he were a user in order to be alerted upon exceeding a monthly total or the like while allowing the holder to complete the transaction using his PIN as holder of the card with full privileges granted by the issuer.) Further, it should be recognized that, for illustrative purposes and enablement of practice of the invention, the user profile information is limited in this discussion and the illustration of
In the preferred sequence, the holder is first prompted to view or decline to view the amount specified in the user profile accessed by the profile name. If the holder declines to view the amount specified in the profile, the process branches to step 301 corresponding to processing of the next information field in the profile table; in this case, the merchant list. If the holder wishes to view the amount, the amount set in the profile table is displayed (106) and the holder is prompted at 107 to change the amount, if desired. If the amount is changed, the process branches to step 300 for entry of a new amount, after which the process proceeds with step 301 corresponding to the next profile information field, in this case, the merchant list. If no change is made, the process branches to step 301 directly, bypassing the step of entering a new amount. If step 301 determines that there is no merchant list entered for this particular profile, the user is prompted to build one, which, if declined (and no other profile fields are provided) the process branches to 205 of
If a merchant list exists as determined at step 301, the holder is prompted to update it at step 302 which also provides branching to 205, 206 for potential session termination. If the merchant list is to be updated, the currently stored merchant list is displayed at step 303 and merchants may be added or deleted by keyboard entry or the like at step 304, after which the holder is again given the option of terminating the session at 305. It should be noted that step 305 differs from step 205 by the step specified for the ANo@ branch: step 305 allowing the process to remain in the user profile administration process which can be exited at 103 as discussed above, whereas step 205 maintains the process in the transaction and privilege determination process, allowing the holder to enter the user profile administration process at step 102.
If the holder does not wish to terminate the session, the process branches to step 103, described above, which allows the holder to build or edit another user profile, if desired, or, if not, to perform a normal transaction as the card holder as described in the above-incorporated U.S. patent, as indicated at step 10. It is considered preferable, in this regard, to provide for the transaction time begun when the card was activated by entry of the holder=s PIN to be suspended during user profile administration or, perhaps more simply, to be started on a choice not to manage user profiles at step 103.
If a user=s PIN is entered at step 101, as detected at step 102, the above process for management of user profiles will not be available and the process will branch from step 102 to step 108 where a user profile corresponding to the recognized PIN will be accessed. The following process steps will examine the fields of the user profile in turn and grant or deny privileges in regard to a transaction in accordance therewith. Some of these operations may be done in different ways, possibly in combination, as will be evident to those skilled in the art in light of the following discussion. Again, more, fewer and/or different fields may be provided in the profile than are discussed or illustrated here for purposes of conveying an understanding of the invention sufficient to its practice.
The presence on a transaction amount limit is determined at step 109 and, if none, the process defaults to the holder=s limit for amount and checks the next user profile field, in this case, for a merchant restriction at 201. If there is an amount limit, that limit is either retrieved from the card for the transaction or entered into the card at step 110 or both. That is, the comparison of the limit amount with the transaction amount may be performed in the card reader or server by retrieving the amount from the card and such processing external to the card may simplify processing on the card prior to authentication and completion of the transaction and/or reduce some hardware requirements on the card particularly in regard to cumulative amount limits such as a limit on expenditures per month. On the other hand, it would be more secure and thus may be considered preferable in some circumstances to avoid reading information from the card and enter the transaction amount information into the card where the comparison would then be performed as an incident of authenticating the transaction. In such a case, cumulative amount limits could be administered by decrementing the amount limit in the user profile as transactions are performed (e.g. over a given time period). The transaction amount is then compared and, if not within limits, the transaction is terminated and the user is prompted whether or not to exit the process as described above. If the transaction amount is within limits, a check for merchant restrictions is made at 201. If there is no merchant restriction in the user profile (which could be either positive, i.e. authorized merchants, or negative, i.e. restricted, unauthorized merchants or a combination thereof and either by specific merchants or collective categories thereof such as sellers of particular types of goods or services) the process branches to 204 to generate the secure transaction codes as disclosed in the above-incorporated U.S. patent in the same manner as for the holder (as depicted at 10 of
If there is a merchant restriction, the merchant name is retrieved from the card (for external comparison or the name of the merchant to receive payment is entered into the card for internal comparison or both at step 202 is the same manner as described above in regard to the transaction amount. It should be appreciated that doing the comparison internally of the card for amount does not preclude the merchant name comparison from being performed externally to the card (as may be preferred) or vice-versa. In any case, a determination is made as to the acceptability of the merchant at step 203. As with the transaction amount, if the merchant is not acceptable, the option of exiting is provided at steps 205 and 206. Otherwise, the transaction is processed at step 204 and the option to exit is provided.
If the holder or user does not wish to exit the process, the process preferably branches to step 102 so that a holder may manage profiles subsequent to a transaction. This will allow a holder to, for example, generate a user profile for himself for another transaction to be separately tracked and reported or other useful functions which will become evident to those skilled in the art. It also allows another transaction time limit to be started for a holder or any user while preventing a user from accessing the profile management branch of the process. When the transaction is completed, if not earlier terminated, the holder/user may exit the process and deactivate the card or simply allow the transaction time to expire and automatically deactivate the multi-user secure credit card.
As either a variation of the invention or a perfecting feature thereof, the process illustrated in
If the process of
The transaction information and secure transaction codes are then evaluated at the server in steps 220 and 230 or others if additional information is provided and which can be performed in any order. If any of the transaction amount, merchant identification or other conditions (e.g. possibly including a mismatch of profile information between the card and information maintained by the issuer) are not acceptable to the issuer, the transaction is rejected and a message to that effect is returned to the card, causing direct exit 206 of the process described in regard to
In view of the foregoing, it is seen that the invention provides a secure credit card in which a high level of security may be maintained in regard to each of a plurality of users in addition to the holder and allows the holder to impose restrictions of any individual user=s use of the card and freely define and regulate the privileges which may be exercised using the card for each respective user.
While the invention has been described in terms of a single preferred embodiment, those skilled in the art will recognize that the invention can be practiced with modification within the spirit and scope of the appended claims.
Number | Date | Country | |
---|---|---|---|
Parent | 10905716 | Jan 2005 | US |
Child | 11843449 | Aug 2007 | US |