1. Field
This application provides a set of functional and technical concepts, as well as proposed methods, all related to secure remote access and remote payment via modern mobile devices such as smartphones. The required additional security is achieved by combining the mobile device with a secure powered display card that can communicate wirelessly with the mobile device when brought into proximity.
2. Background of the Technology
Networked mobile devices provide great flexibility in remote access and remote payment, by their ability to be connected to the internet via the mobile network or any available wireless network such as WiFi, and at the same time provide a variety of dedicated applications for the user, making use of this connectivity for easy remote payment-oriented transactions. Examples can include online shops, public transportation systems, parking, vending machines, as well as transactions and operations performed directly on the bank account. It is also known that smartphones from leading vendors will feature near field communication (NFC) as a general purpose proximity interface. Remote payment with mobile devices such as smartphones, however, has some inherent security weaknesses. Mobile devices, as permanently online terminals, are subject to common hacker threats such as malicious software (viruses, Trojan horses, spyware etc.) that can easily be installed ‘over the air’. As devices in mobile networks, smartphones can also be exposed to fake cellular ‘networks’ presenting fake payment and merchant sites. Any authentication mechanism provided by the smartphone itself is inherently weak, since its secret keys must reside in the mobile device's main memory and hence can be easily accessed by the above-mentioned hacking methods.
Mobile phones are typically not kept safe by customers in the same manner as credit cards and tend to be lost or stolen frequently.
The payment market is gradually migrating to using mobile devices as smart payment tools, either locally (NFC) or remotely. Therefore a solution for the inherent security weaknesses is essential.
The chip-based credit card is known as a secured device since it is not connected to any network and has a long history of protection against hacking. As described herein, such a card can be used in conjunction with the mobile device in order to provide a strong yet simple-to-operate authentication mechanism for the transaction, and in some cases even to perform the transaction itself, the mobile device being the network terminal only.
A system for secure remote transactions, access and payments via mobile devices is provided. The system comprises:
a powered card with an electronic circuit, which comprises a secure chip, a display, a Near Field Communication (NFC) compliant interface, and a battery, wherein the secure chip contains an authentication tool and, optionally, payment protocols;
a mobile device, wherein the mobile device includes a payment application and an NFC interface that enables proximity communication between the mobile device and the card;
an authentication entity that stores personal data of the user and authentication keys, and that can be used for remote online authentication; and
a remote payment entity, wherein the mobile device's payment application can communicate with the remote payment entity;
wherein the card can be used as an authentication tool.
Remote online authentication can be accomplished by password generation or any other selected authentication mechanism.
A method for secure remote payment is provided which comprises:
activating a powered display card and locating it in proximity to the mobile device so that the NFC interface can be active;
performing an authentication cycle between the card and a remote authentication entity, the mobile device being a network gateway;
presenting the authentication result on the mobile device and/or on the display of the card; and
performing a payment transaction by the mobile device's application, based on the authentication result.
The card used in the method can be a powered card as described above. The authentication transaction can be a simple OTP, or a more complex one-way or two-way challenge response mechanism.
According to some embodiments, the card also has payment capabilities, such as those defined by EMV (Europay, MasterCard and Visa), the global standard for inter-operation of integrated circuit cards. In such cases the payment itself can also be performed by the card, while communicating with the remote payment entity via the mobile device.
These and other features of the present teachings are set forth herein.
The skilled artisan will understand that the drawings, described below, are for illustration purposes only. The drawings are not intended to limit the scope of the present teachings in any way.
A method of adding a security level to mobile payment devices by using a secured display card is provided. The secured display card is used with a mobile device such as a smart phone to enable secured mobile payment, without sacrificing ease of use or adding significant complexity to the payment process.
According to some embodiments, the secured display card is a fully functional payment card that can be used as is in card-present situations, and potentially a fully functional authentication token that makes use of its display for secure remote access.
According to some embodiments, the mobile device is a payment device holding the owner's payment data. The secured display card is used in the process of payment and acts as an automatic authentication device. A system of this type is shown in
The Secured Display Card as an Authentication Device
According to this embodiment, the mobile device is used as the paying device. Accordingly, the mobile device can have an installed payment application and transaction data, including a set of the owner's banking details, for performing remote payment transactions with the bank or the clearing system. The secured display card acts as a strong authentication device, enhancing the overall security level of the transaction by adding one way or two way authentication cycles prior to the payment itself. This is done by communication between the secured display card and the mobile communication device using the NFC interface.
As an authentication device, the card can hold a personal authentication secret or key (i.e., seed) in a highly secured embedded memory. This key, just like any authentication token, can be programmed into the card as part of the process of issuing the card to its holder.
An authentication process is carried out with a remote authentication server, a separate entity in the bank or the clearing system that has a secure database of all the keys of all the issued tokens. The mobile phone has no access to this key, and it only provides connectivity to the authentication server.
Just like any OTP token, the secured display card providing automatic or semi-automatic authentication to a mobile communication device is not a payment device and hence does not require any certification.
Payment Description
Stage 1: Secured Display Card Activation
The secured display card can be activated automatically (e.g., by detecting the NFC field of the mobile communication device) or manually (e.g., by pressing a button on the card or by typing a PIN on the card's keypad).
Stage 2: Authentication
Authentication can be a separate application manually activated on the mobile communication device or part of the payment application. At this stage, the mobile communication device acts as a communication gateway and connects to the card via the NFC interface and to the remote Authentication Server via the phone network. The card holder's authentication data (e.g. ID) is transferred to the remote authentication server for seed extraction. The authentication can be a simple OTP, such as the Initiative for Open Authentication (OATH) Time-based One-time Password Algorithm (OATH TOTP), generated by the card and transferred to the Authentication Server, with a confirmation message transferred back. The authentication can also be a more complex one-way or two-way challenge-response mechanism (such as the OATH Challenge/Response Algorithm, or OCRA), where both sides confirm each other. In both cases, data exchange between the card and the server via the phone can be completely automatic. The authentication result is then presented on the card's display and/or on the phone.
Stage 3: Payment
The actual payment can now be executed. At this stage, the mobile device acts as a payment device, providing the owner's payment data to the bank or clearing system. If manual association is in use, the owner manually activates or cancels the payment transaction according to the authentication result presented on the card. If automatic association is in use, the phone's payment application automatically performs or cancels this stage of the process accordingly.
A high level of security can be achieved using this process, particularly if the card is turned off and carried separately from the phone and the authentication is time based. This prevents any ‘trojan horse’ or other malicious application on the phone from performing any transaction without the knowledge of the owner.
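The following sketch walks through Stages 2 and 3 with the time-based OTP option (RFC 6238 TOTP); it is an added example, not code from this application. The names Card, AuthServer and phone_pay, the 30-second step, six digits, the one-step drift window and the rule that a time step is accepted only once are all assumptions made for illustration.

```python
import hashlib, hmac, struct

STEP = 30     # seconds per TOTP time step (RFC 6238 default; assumed here)
DIGITS = 6    # OTP length (assumed here)

def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Card:
    """Hypothetical secured display card: the seed never leaves this object."""
    def __init__(self, card_id: str, seed: bytes):
        self.card_id, self._seed = card_id, seed

    def respond(self, now: int) -> dict:
        # Only the card ID and the derived OTP cross the NFC link.
        return {"id": self.card_id, "otp": totp(self._seed, now)}

class AuthServer:
    """Hypothetical authentication server holding the seed database."""
    def __init__(self, seeds: dict, window: int = 1):
        self.seeds, self.window, self.last_step = seeds, window, {}

    def verify(self, msg: dict, now: int) -> bool:
        seed = self.seeds.get(msg["id"])      # seed extraction by card ID
        if seed is None:
            return False
        for drift in range(-self.window, self.window + 1):
            step = now // STEP + drift
            if step <= self.last_step.get(msg["id"], -1):
                continue                      # replayed or stale time step
            if hmac.compare_digest(totp(seed, step * STEP), msg["otp"]):
                self.last_step[msg["id"]] = step
                return True
        return False

def phone_pay(card: Card, server: AuthServer, now: int) -> str:
    """Phone as gateway: relays the card's message, gates payment on the result."""
    msg = card.respond(now)                   # Stage 2, over NFC
    ok = server.verify(msg, now)              # Stage 2, over the mobile network
    return "PAYMENT_SENT" if ok else "PAYMENT_CANCELLED"   # Stage 3
```

Because the server accepts each time step at most once, an OTP captured by software on the phone cannot be relayed a second time, and the phone never handles the seed itself.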
According to further embodiments, the card is activated by locating the card near the smart device's NFC field without pressing a button. The card detects the field and activates automatically to complete the required operation.
According to some embodiments, a method can be used for payment wherein a mobile device acts as an on-line payment terminal and holds no payment data. The secured display card, now being used as the payment device, makes use of the mobile device's connectivity for securely connecting to the banking clearing infrastructure and executing the transaction. A system of this type is shown in
The Secured Display Card as a Payment and Authentication Device
In this method, it is assumed that the paying device, which is the secured display card, runs an EMV certified payment application. This application holds the owner's banking details, and can either act with an external payment terminal (such as a cash register or an ATM) or with a mobile communication device that provides payment terminal functionality.
When operating in conjunction with a smartphone, the phone's application provides network access and connectivity, as well as interactive tools for flexibility and easy operation, while the actual payment is performed by the secured display card.
The payment application on the secured display card is an extended one, performing authentication with a remote authentication server prior to the actual payment, as a tool to overcome otherwise unavoidable security issues in a cellphone-based terminal. Both the authentication seed and the payment data are securely kept in the secured display card, and are used in the various stages of the transaction mechanism. The user only works with the phone's application, unaware of the fact that the paying device is in fact the attached card.
Payment Description
Stage 1: Secured Display Card Activation
The secured display card is activated by pressing a button on the card, and optionally typing a PIN on the card's keypad. The card then communicates with the mobile communication device via the NFC interface.
Stage 2: Activating the Payment Application on the Phone
The user can manage the payment application as an interactive process on the smartphone. The phone acts as an on-line terminal throughout the process till reaching the actual payment stage (i.e., ‘store checkout’).
Stage 3: Authentication
Upon activating the ‘payment’ stage on the mobile device, the mobile device becomes a communication gateway and requests the secured display card to perform the actual payment. The secured display card connects to the remote authentication server via the mobile communication device and performs the authentication process automatically. The authentication can be a simple OTP or any challenge-response mechanism, as previously described.
Stage 4: Payment
Payment can now be executed automatically, via the mobile communication device's gateway operation, now with the bank or clearing system servers. The EMV protocol messages are conveyed both ways by the mobile communication device over the mobile network and the NFC interface accordingly.
While the foregoing specification teaches the principles of the present invention, with examples provided for the purpose of illustration, it will be appreciated by one skilled in the art from reading this disclosure that various changes in form and detail can be made without departing from the true scope of the invention.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US13/64951 | 10/15/2013 | WO | 00 |
Number | Date | Country | |
---|---|---|---|
61713701 | Oct 2012 | US |