Patent Grant
9215331
The present invention relates to electronic payment requests and more particularly to a method, system and computer program for authenticating an electronic payment request with an increased level of security during online, transactions.
Use of bank cards, credit cards, debit cards or cash cards for making payments is becoming more and more frequent. These payment systems are relatively secure because they employ extensive security mechanisms. Usually a secret code must be provided by a purchaser and authenticated by a bank, to authorise the movement of funds from the purthaser's account to the vendor. Recent years have seen rapid growth in the use of credit cards and/or debit cards to purchase merchandise at point-of-sale locations, through public telephones or over the Internet. During these purchase transactions, some personal data is publicly released, albeit in a very limited way.
However, in view of the inherently public nature of telephone networks and/or the Internet, this personal information is at risk of interception. Identity theft is recognised as an increasingly important crime, wherein, despite all of the security checks used to authenticate and protect personal information, a credit/debit card may be cloned and used by malicious persons to rob money from the bank account of a legitimate user. In fact, in view of the almost instantaneous nature of today electronic transactions, even temporary ownership of a credit (or other payment) card could allow a malicious user to make a large number of payments either particularly through Internet.
US patent application Publication No. 2006/0131390 describes a system for providing a notification of a pending transaction request and obtaining an authorisation therefore from a cardholder. The system includes a phone number of a mobile device assigned to receive an authorisation request for a respective account. When a transaction request is received, the system identifies the phone number of the mobile device assigned to receive authorisation request messages for the account requesting the transaction. The system generates and transmits an authorisation request message to the determined phone number; and a reply message is returned from the mobile device which explicitly indicates if the user of the mobile device approves or refuses this transaction.
In a similar vein, US patent application Publication No. 2004/0177040 describes a method for securing a card transaction using a mobile device which is capable of preventing the card from being embezzled and counterfeited.
Both US2006/0131390 and US2004/0177040 effectively use a mobile device to send an authorisation request and await a reply message to authorise a payment request. Thus, these systems require:
Other known prior art methods for enhancing the security of electronic payments are described in US applications Publication Nos. 2007/0080211 and 2007/0086469. However, these methods require some additional checks on shopping date, expense amount, user identity or supplementary secret code for payment authorization.
To solve the drawbacks of the prior art system, a co-pending application (same inventors, Filed in Europe as application number 08158820.4, also filed as U.S. application Ser. No. 12/486,073, entitled Authorizing An Electronic Payment Request) discloses a method and system for authenticating an electronic payment request made at a shop or point of sale with an additional layer of security being executed through an external device carried by the purchaser themselves. It would be desirable to extend a similar additional layer of security to those transactions which are completed through the web, without the need of a dedicated cash or sale terminal. It should be possible to complete these kinds of transactions from, for example, a home computer over the Internet.
According to the invention, there is provided a method for additional authorisation of an electronic payment request, during a main authorisation process of the electronic payment request for an online purchase by means of a browser, the browser running on a data processing device including proximity based transceiver means, the payment request being made with a payment card configured with details of at least one device in the possession of at least one owner of the card, the method comprising the steps of: suspending the main authorisation process; the proximity based transceiver means detecting the proximity of at least one portable device with whose details the payment card is configured; upon detection of at least one portable device establishing a communication session between the data processing device and the detected portable device; requesting a first code from the detected portable device; comparing the first code with a predetermined second code; resuming the main authorisation process in the event the first code substantially matches the second code.
An embodiment of the invention is herein described, by way of example, with reference to the accompanying figures in which:
With reference in particular to
The preferred embodiment ensures that the authentication of a debit/credit card is not solely reliant upon the card itself. Instead, the preferred embodiment provides an additional layer of security into an authentication process, wherein this additional layer of security is executed through an external device carried by the purchaser themselves, exploiting the existing communications facilities of the computer through which the purchaser is completing the online transaction.
The current authentication system can be unchanged and the new functionality simply plugged on existing ones and offered as new service by the bank. The preferred embodiment minimally interferes with the existing security structures of banks and/or vendors. The new functionality of the preferred embodiment can be simply plugged into an existing traditional security mechanism and sold as a new service by a bank.
In contrast, with the aforementioned prior art documents, the preferred embodiment can leverage the following technologies:
(a) RFID technology to read an authorisation profile from a user-owned tag;
(b) a Bluetooth connection that is capable of:
(c) Infra-red communication, or more particularly, an Infrared data association (IrDA) connection to read the authorisation code from a user-owned device/tag.
Moreover, the preferred embodiment can leverage any type of profile stored in a user's mobile device to perform a check on a payment transaction. In particular, the preferred embodiment can automatically check a specific payment against a defined user-profile (e.g. an expenditure threshold for a particular type of shopping or a daily expenditure threshold etc.).
As shown in
The preferred embodiment of the present invention provides a mechanism for solving the problem of identity theft by introducing a dual-layer authentication system for accessing the funds and/or credit through payment cards through the Internet, i.e. without the need of an interaction with a shop or a point of sale. For simplicity, credit, debit, bank and cash cards etc. will be generically known henceforth as “payment cards”. The users can conclude commercial or financial transactions from their own computers provided they are connected to the Internet, possibly through a secure connection. More particularly, the preferred embodiment provides an additional check regarding the identity of a card user to be included within a traditional security protocols for these cards, wherein the additional check is based on an authentication channel which is external to the user's card. To this end, the preferred embodiment leverages the use of a device (owned by the legitimate card owner) to certify that the user of the card at any given instant is the legitimate owner of the card and not someone else.
In support of the above, the preferred embodiment includes additional information into a traditional payment card. The additional information includes features that can be used to verify the identity of the registered owner of the card. For example, the additional information could include:
As shown in
If the authentication is successful, the payment is released, otherwise it is denied. Also if no device 307 is found in the proximity of the computer 301, the authorisation for the payment is not given. Optionally, the system can also alert the phone number about the failed payment attempt. The system can also be instrumented in such a way a payment receipt is downloaded to the authentication device using the same transport channel of authentication.
As an additional feature, if the second layer authentication fails, the owner can be alerted leveraging the additional cellular information. The preferred embodiment can also leverage a user's personal information (and user's external device) to advise a user of an authentication failure, thereby providing almost instantaneous warning to the user of a potential breach in their security.
Furthermore, the second security layer can be also profiled based on multiple factors:
Referring to
In this way, even if the information of the credit card are known by an unauthorized user, the system will not allow the use of such credit card. If the connection (e.g., the Bluetooth connection) does not give the expected results (or no Bluetooth phone is found in the range) the payment is refused, otherwise the usual authorisation process can continue.
Referring to step 407, those skilled in the art will appreciate that other ways of communications could be used as well, e.g., instead of a Bluetooth transmission an equivalent system could be implemented by using RFID tags. In such case the plug-in 305 will attempt to read the secret information or password stored in the RFID tag identified in the card used for making the payment request. Yet another example is the use of infra-red devices, e.g., IrDA devices.
Alterations and modifications may be made to the above without departing from the scope of the invention. Naturally, in order to satisfy local and specific requirements, a person skilled in the art may apply to the solution described above many modifications and alterations. Particularly, although the present invention has been described with a certain degree of particularity with reference to preferred embodiment(s) thereof, it should be understood that various omissions, substitutions and changes in the form and details as well as other embodiments are possible; moreover, it is expressly intended that specific elements and/or method steps described in connection with any disclosed embodiment of the invention may be incorporated in any other embodiment as a general matter of design choice.
For example, similar considerations apply if the computer has a different structure or includes equivalent units; in any case, it is possible to replace the computer with any code execution entity (such as a PDA, a mobile phone, and the like).
Similar considerations apply if the program (which may be used to implement each embodiment of the invention) is structured in a different way, or if additional modules or functions are provided; likewise, the memory structures may be of other types, or may be replaced with equivalent entities (not necessarily consisting of physical storage media). Moreover, the proposed solution lends itself to be implemented with an equivalent method (having similar or additional steps, even in a different order). In any case, the program may take any form suitable to be used by or in connection with any data processing system, such as external or resident software, firmware, or microcode (either in object code or in source code). Moreover, the program may be provided on any computer-usable medium; the medium can be any element suitable to contain, store, communicate, propagate, or transfer the program. Examples of such medium are fixed disks (where the program can be pre-loaded), removable disks, tapes, cards, wires, fibers, wireless connections, networks, broadcast waves, and the like; for example, the medium may be of the electronic, magnetic, optical, electromagnetic, infrared, or semiconductor type.
In any case, the solution according to the present invention lends itself to be carried out with a hardware structure (for example, integrated in a chip of semiconductor material), or with a combination of software and hardware.
| Number | Date | Country | Kind |
|---|---|---|---|
| 08165705 | Oct 2008 | EP | regional |
| Number | Name | Date | Kind |
|---|---|---|---|
| 6128391 | Denno et al. | Oct 2000 | A |
| 6736313 | Dickson | May 2004 | B1 |
| 7003497 | Maes | Feb 2006 | B2 |
| 7603556 | Brown et al. | Oct 2009 | B2 |
| 7654204 | Forbes | Feb 2010 | B2 |
| 7707113 | DiMartino et al. | Apr 2010 | B1 |
| 7865738 | Buck et al. | Jan 2011 | B2 |
| 8255382 | Carpenter et al. | Aug 2012 | B2 |
| 8423466 | Lanc | Apr 2013 | B2 |
| 8577804 | Bacastow | Nov 2013 | B1 |
| 20020035539 | O'Connell | Mar 2002 | A1 |
| 20030154405 | Harrison | Aug 2003 | A1 |
| 20030220835 | Barnes | Nov 2003 | A1 |
| 20040010472 | Hilby et al. | Jan 2004 | A1 |
| 20040177040 | Shiu | Sep 2004 | A1 |
| 20050250473 | Brown et al. | Nov 2005 | A1 |
| 20060131390 | Kim | Jun 2006 | A1 |
| 20060173792 | Glass | Aug 2006 | A1 |
| 20060249574 | Brown et al. | Nov 2006 | A1 |
| 20060273158 | Suzuki | Dec 2006 | A1 |
| 20070011099 | Sheehan | Jan 2007 | A1 |
| 20070080211 | Chen | Apr 2007 | A1 |
| 20070086469 | Seo | Apr 2007 | A1 |
| 20070150416 | Friedman | Jun 2007 | A1 |
| 20070168282 | Giordano | Jul 2007 | A1 |
| 20070260547 | Little | Nov 2007 | A1 |
| 20080014947 | Carnall | Jan 2008 | A1 |
| 20080016003 | Hutchison et al. | Jan 2008 | A1 |
| 20080114678 | Bennett et al. | May 2008 | A1 |
| 20080255992 | Lin | Oct 2008 | A1 |
| 20090048971 | Hathaway et al. | Feb 2009 | A1 |
| 20090078777 | Granucci et al. | Mar 2009 | A1 |
| 20090094681 | Sadler et al. | Apr 2009 | A1 |
| 20090139428 | Forbes | Jun 2009 | A1 |
| 20090204457 | Buhrmann et al. | Aug 2009 | A1 |
| 20090319428 | Febonio et al. | Dec 2009 | A1 |
| 20120197803 | Febonio et al. | Aug 2012 | A1 |
| Entry |
|---|
| Febonio et al., “Method and System for Dual Layer Authentication for Electronic Payment Request in Online Transactions,” US. Appl. No. 13/442,450, filed Apr. 9, 2012, 20 pages. |
| Final Office Action, dated Dec. 20, 2013, regarding U.S. Appl. No. 13/442,450, 24 pages. |
| Office Action, dated Mar. 6, 2014, regarding U.S. Appl. No. 13/442,450, 13 pages. |
| Office action dated Sep. 7, 2012 regarding U.S. Appl. No. 13/442,450, 11 pages. |
| Notice of Allowance, dated Mar. 27, 2015, regarding U.S. Appl. No. 13/442,450, 17 pages. |
| Office Action, dated Aug. 28, 2014, regarding U.S. Appl. No. 13/442,450, 6 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20100088228 A1 | Apr 2010 | US |
