The present invention relates generally to authentication systems, and more specifically to systems and methods for authenticating aspects of an online transaction using a secure peripheral device having a message display and/or user input.
The security of personal financial and identification information is an important concern for consumers. Such information is commonly stored on data cards and includes account numbers, expiration dates, the names of card users, identification numbers, or other such information. Often phishing and spoofing scams are designed to acquire the personal financial information of everyday consumers from their personal data cards by fraud or by other deceptive means. Many of these schemes rely on the ability to intercept data travelling between a user instrument such as a personal computer and a server conducting financial transactions.
Users of personal computers, web servers and networks connecting the two computing devices are susceptible to a multitude of attacks including phishing or spoofing scams, browser redirects (e.g., pharming), fake websites, key stroke loggers, man-in-the-middle, man-in-the-browser, and other similar attacks. While conventional security tactics have attempted to prevent many of these attacks, man-in-the-middle and man-in-the-browser attacks can easily defeat many of these tactics. In particular, man-in-the-middle and man-in-the-browser attacks allow thieves to modify transactions and transaction details. For example, thieves can use such attacks to change payee account data, change transaction amounts, insert an unauthorized payee, insert unauthorized transactions, or perform other unscrupulous actions. As such, a system for conducting secure online transactions despite the multitude of dangerous schemes and attacks that plague users of personal computers, web servers, and connecting networks, would be highly desirable.
Aspects of the invention relate to systems and methods for authenticating aspects of an online transaction using a secure peripheral device having a message display and/or user input. In one embodiment, the invention relates to a system for establishing a secure communication channel between a computer peripheral device and a host, the system including a host, a computer coupled to the host via an unsecured communication channel, and a peripheral device coupled to the computer and including a display configured to display one or more messages received from the host, at least one input configured to receive information from a user, and processing circuitry configured to establish a secure communication channel with the host using a mutual authentication process, receive the messages from the host via the computer using the secure communication channel, and send the user information to the host via the computer using the secure communication channel.
In another embodiment, the invention relates to a method for establishing a secure communication channel between a computer peripheral device and a host, the method including responding to requests to authenticate the peripheral device, authenticating the host, receiving one or more messages from the host, displaying the one or more messages on a display of the peripheral device, receiving user input in response to the one or more messages, and sending the user response to the host.
Referring now to the drawings, embodiments of peripheral devices having a secure messaging display are illustrated. The peripheral devices can be coupled to a user PC and configured to establish a secure communication channel with a web server or trusted authentication server using preselected encryption keys stored in the peripheral device, or generated using appropriate algorithms executing on the peripheral device, that are also known to the web server or trusted authentication server. The peripheral devices are also capable of performing various mutual authentication processes to verify the peripheral device's authenticity or to confirm the authenticity of either or both of the web server or trusted authentication server.
The peripheral devices can have one or more user inputs to capture user feedback often related to messages displayed on the secure messaging display. In this way, several embodiments of the peripheral devices effectively provide secure dynamic messaging and secure dynamic response. Conceptually, embodiments of the system can provide a secure communication channel within an unsafe communication medium such as the internet by using encrypted communications between highly secure endpoints. In several embodiments, the quality of the secure communication channel is similar to an out-of-band type communication channel, though it remains within band.
In several embodiments, the peripheral device is a card reader capable of reading data from one or more data cards. Conventional point of sale (POS) type card readers do not provide a secure communication channel for messages to a card reader display that can be used for authentication. Instead, conventional POS card readers include hardware, firmware and/or software that generally store a finite number of messages which can be displayed. However, these messages are not originated at a web server or a trusted authentication server, nor do they include specific transaction details or authentication details.
In operation, a user may conduct a financial transaction using the user PC 102 and a web server 104 typically operated by a merchant or a bank. The attacker 108 may use any number of different methods to steal information from the user or to modify the transaction for the benefit of the attacker. For example, the attacker 108 may attempt to change the payee account data to re-route funds to another account, change the amount of the transaction, insert an unauthorized payee for the transaction, and/or insert unauthorized transactions. Typically, the attacker 108 would gain access to the transaction by having compromised the security of the user PC 102. In one such case, the attacker 108 might have stolen a password and/or an encryption key stored on the user PC 102 or entered by the user while a key logger was present. However, in order for the attacker to use any of the man-in-the-middle or other attacks, the attacker will generally have compromised the security of the user PC 102 or web server 104. In some embodiments, the attacker 108 may have control of the web server 104.
The card reader 110, however, does not use a hardware and software platform with the security flaws of the user PC 102. In several embodiments, the card reader 110 does not have a mechanism allowing for third party applications to be installed or downloaded. In some embodiments, the card reader 110 does not allow firmware updates without physical removal of one or more semiconductor chips. In one embodiment, the card reader 110 does not allow firmware updates at all. In some embodiments, the card reader 110 allows firmware updates but only after the components involved in the update, including the devices and new firmware, have been authenticated. In several embodiments, the card reader 110 includes a tamper resistant security housing that substantially prevents unauthorized access to components of the card reader. Embodiments of readers having tamper resistant housings are described in U.S. Pat. No. 7,703,676, the entire contents of which is incorporated by reference herein.
In order to avoid the potential attacks by the attacker 108, the card reader 110 and web server 104 can engage in a mutual authentication process. Once the card reader 110 has been authenticated, the web server 104 can send secure messages to the card reader 110 using encryption keys pre-loaded in the card reader 110 at the time of manufacturing. Those keys can be stored at the trusted authentication server 106 and provided to the web server 104 after the web server has been authenticated. The secure messages can be displayed on the display 114 of the card reader. The messages can be used to authenticate a data card, such as a magnetic stripe card or other suitable data card. The secure messages can also be used to authenticate transaction details such as account numbers, amounts, payees or other suitable transaction details.
A user input button 116 is also included on the card reader 110 for confirming information displayed on the card reader display 114. In a number of embodiments, the user can be prompted to confirm whether transaction details presented on the user PC screen match those details presented on the card reader display. In this way, a secure communication channel is provided to the user independent of the threats present on the user PC and on the network (e.g., internet). The user PC will not have knowledge of the card reader's encryption keys and will therefore not have access to the secure messages in an unencrypted form. In the embodiment of the card reader illustrated in
In some embodiments, a pin pad is displayed on the card reader display and the input enables selection of digits for a personal identification number (PIN) corresponding to the data card and/or card user. In some embodiments, the selection of PIN digits is made from a randomized list of numbers (e.g., linear scatter gram or a multi-dimensional scatter gram). In such case, the user can scroll from left to right (e.g., horizontally) and select the appropriate digits which are then displayed on a line above or below the randomized lists of numbers. In such case, no conventional pin pad button array is needed. In some embodiments, the web server can provide a set of multiple PINs, including one PIN that is the user's actual PIN while the other PINs are randomized fakes. In such case, the user can scroll to their PIN and make their selection. In some embodiments, the web server can securely provide a single use protection code to a requestor/user. In such case, the user can use the protection code for a subsequent transaction such as a purchase or automatic teller machine (ATM) transaction.
In the embodiment illustrated in
In the embodiment illustrated in
In operation, the card reader 200 can engage in a mutual authentication process with a web server or other entity to authenticate itself. The card reader 200 can also store one or more encryption keys or algorithms capable of generating encryption keys that are also known to a trusted authentication server. Once the mutual authentication process has verified authenticity of the card reader and/or web server, the web server can send messages and/or display commands to the card reader. The reader can display the messages and receive user feedback to the messages via the user input. The reader can encrypt the user response and send it to the web server.
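The following is an added illustrative example of the secure dynamic messaging and secure dynamic response described above; it is not part of the original disclosure. It models the host, an untrusted user PC that only relays bytes, and a reader holding keys the PC never sees. The cipher, key values, message format and the `PAY ... PRESS OK` display text are assumptions for the example: the disclosure does not specify them, and an HMAC-based keystream stands in for the block cipher a production reader would use so that the example runs on the Python standard library alone.

```python
"""Secure dynamic messaging: host -> (untrusted PC) -> card reader, and the reader's
confirmation back. Keys are shared only by the host and the reader; the PC relays bytes."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed example keys, standing in for keys pre-loaded into the reader at manufacture.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode (HMAC-SHA256 over nonce||counter); an assumed stand-in for the
    block cipher a real reader would use, chosen so the example runs on the stdlib."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(sealed: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; any modification by the PC yields None."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))


class CardReader:
    """The peripheral: a display, one OK button, and the keys. No other software runs here."""

    def __init__(self) -> None:
        self.display = ""
        self.pending: Optional[bytes] = None

    def receive(self, sealed: bytes) -> bool:
        details = unseal(sealed)
        if details is None:
            self.display, self.pending = "MESSAGE REJECTED", None
            return False
        d = json.loads(details)
        self.display = f"PAY {d['amount']} TO {d['payee']}? PRESS OK"
        self.pending = sealed
        return True

    def press_ok(self) -> Optional[bytes]:
        """The confirmation is bound to the exact sealed message that was displayed,
        so the host can tell which details the user actually approved."""
        if self.pending is None:
            return None
        return seal(b"CONFIRM:" + hashlib.sha256(self.pending).digest())


def host_build_message(details: dict) -> bytes:
    return seal(json.dumps(details, sort_keys=True).encode())


def host_accept_confirmation(sent: bytes, response: Optional[bytes]) -> bool:
    if response is None:
        return False
    pt = unseal(response)
    return pt is not None and hmac.compare_digest(pt, b"CONFIRM:" + hashlib.sha256(sent).digest())


def run_transaction(details: dict, pc_rewrite=None) -> dict:
    """Host -> PC -> reader -> PC -> host. pc_rewrite models a man-in-the-browser that
    can replace or alter the bytes the PC relays (it never holds the keys)."""
    sent = host_build_message(details)
    relayed = pc_rewrite(sent) if pc_rewrite else sent
    reader = CardReader()
    reader.receive(relayed)
    return {"display": reader.display,
            "approved": host_accept_confirmation(sent, reader.press_ok())}
```

Two properties carry the security argument: a man-in-the-browser that flips ciphertext bytes to alter the amount fails the tag check, so the reader displays nothing it cannot verify; and a substituted or replayed message may be displayed, but the reader's confirmation names the message it actually showed, so the host will not treat it as approval of the details it sent. Nonce reuse under the same key must be avoided in any such construction; here every message draws a fresh random nonce.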
The card reader can also perform a number of functions common to card readers. For example, in several embodiments, magnetic sensor 204 reads analog magnetic information stored on the magnetic stripe of a data card (such as the type commonly used for credit cards) and outputs an analog representation of this magnetic information to the ADC 206. The ADC 206 converts the analog information received from the magnetic sensor into a digital representation and transmits the digital representation of the magnetic data to processor 208. Processor 208 stores the digital information in memory 212. Processor 208 is configured to communicate via I/O port 214, which allows the card reader to communicate with the computer and/or other external devices over a data connection such as RS 232, RS 422, RS 485, EIA 530, Ethernet, USB, Bluetooth, WiFi, or another protocol for connecting communications equipment, as is well known in the art. In one embodiment, the I/O port is configured to communicate using a data connection to a computing device such as a smart phone via a headset input on the smart phone. In other embodiments, other suitable interfaces can be used to couple the card reader to a computer.
The indicator 213 can provide feedback to the user regarding actions related to the operation of the card reader. In one embodiment, for example, the indicator provides indication of a successful swipe of a data card. The indicator can be one or more light emitting diodes (e.g., LED matrix), a speaker, or another audible transducer. In one such case, the card reader can receive messages including audio content and output the audio content to the speaker. For example, in one embodiment, an audio message could notify the user of a particular code or password that is relevant to the user. The indicator can also be or include a tactile transducer.
In some embodiments of the invention, magnetic sensor 204 and ADC 206 may be a single unit which performs both the functions of sensing the magnetic strip and converting the analog data into a digital representation.
The processor 208 may be any sort of microprocessor suitable for use in an embedded system, such as a Z80 or an x86-based processor, as are well known in the art. In other embodiments, the ADC 206, the processor 208, the memory 212, and the I/O unit 214, or some subset of these, may appear in a single microcontroller chip such as a PIC, AVR, or ARM chip, as is well known in the art. In some embodiments, the processor can be a secure microcontroller. The secure microcontroller can include protection services and features such as tamper detection, memory clearing corresponding to detected tampering or other security related events, and other helpful tamper protection services.
In some embodiments, the card reader may additionally include a discrete unit for encryption, which, for the purposes of
In several embodiments, the user input includes one or more buttons. In other embodiments, other user input devices can be used. For example, in one embodiment, the user input can include a depressible scrolling ball for selecting from items in a list, a track ball, a touch screen and/or another tactile input(s). In some embodiments, no buttons are used and confirmation is indicated by a swipe of a data card. In some embodiments, an audio sensor such as a microphone that is capable of sensing a voice is used. In such case, the audio sensor can be capable of receiving voices and recognizing commands.
In some embodiments, a virtual pin pad is displayed on the card reader display and the input enables selection of digits for a personal identification number (PIN) corresponding to the data card and/or card user. In some embodiments, the selection of PIN digits is made from a randomized list of numbers (e.g., linear scatter gram or multi-dimensional scatter gram). In such case, the user can scroll from left to right (e.g., horizontally) and select the appropriate digits which are then displayed on a line above or below the randomized lists of numbers.
In some embodiments, the user input can include systems for biometric identification using fingerprints, voice, retinal identification and/or other characteristics. In several embodiments, the biometric identification systems can acquire the characteristics using devices such as a microphone, a fingerprint scanner, a retinal scanner, or other suitable devices.
The display can be a liquid crystal display, a full graphics display or another display suitable for a peripheral computing device as is known in the art. In several embodiments, the display is configured to display text messages, graphical symbols, icons, graphic messages or other such messages. In such case, the user input can include appropriate selection devices to enable the user to select and/or confirm these types of messages.
In some embodiments, for example, the data card is a magnetic stripe card and the process extracts both the intrinsic magnetic characteristics or magnetic fingerprint and the card data from the magnetic stripe of the card. Systems and methods for reading and generating magnetic fingerprint information are described in U.S. Pat. Nos. 6,098,881, 6,308,886, 7,478,751, 7,210,627, and 7,377,433, and U.S. patent application Ser. Nos. 11/949,722 and 12/011,301, the entire content of each document is incorporated herein by reference. The magnetic fingerprint information can provide dynamic data per transaction which can be authenticated using correlation techniques. More specifically, the stochastic nature of the magnetic fingerprint can provide a level of security in the transaction making it more difficult for financial data associated with a card based transaction to be stolen or otherwise compromised.
After authenticating (308) the card data stored on the data card, the process can authenticate (310) the user. In several embodiments, the process authenticates the user by verifying one or more characteristics of the user such as a password, PIN, other identification number, fingerprint or optical scan, or other suitable authentication method. The process can then authenticate (312) the transaction. In several embodiments, the process authenticates the transaction using secure dynamic messaging and secure dynamic response. More specifically, the process can use secure messaging and the display and user input of the peripheral device (e.g., card reader) to authenticate transaction details and/or facilitate authentication of other aspects of the process (e.g., authenticating the card, etc.).
In one embodiment, the process can perform the sequence of actions in any order. In another embodiment, the process can skip one or more of the actions. In other embodiments, one or more of the actions are performed simultaneously. In some embodiments, additional actions can be performed.
The process then can receive (406) message information from the web server indicative of one or more messages to be displayed and/or display commands for the card reader or other peripheral device. The process then can display (408) the message information on the card reader display. The message information can include text messages, graphical symbols, icons, graphic messages or other such messages. In some embodiments, the messages include information notifying the user of a particular access code, username, or password (e.g., passcodes, user codes, one time password, and the like) associated with that user.
The process can then receive (410) user input in response to the message information displayed. In one embodiment, for example, a number such as a transaction amount is displayed on the display and the user is asked to confirm that the amount is correct. In such case, the user input may include information indicative of a single confirmation button press. The process can then send (412) the user input response information to the web server.
In one embodiment, the process can perform the sequence of actions in any order. In another embodiment, the process can skip one or more of the actions. In other embodiments, one or more of the actions are performed simultaneously. In some embodiments, additional actions can be performed.
The process can then encrypt (512) message information including, for example, transaction details to be confirmed. In other embodiments, the message information can include other information. In one embodiment, the message information includes authentication details to be confirmed (e.g., a PIN to be confirmed). The process sends (514) the message information to the card reader, often via a web browser application running on the user PC. The process determines whether (516) the user confirmed the transaction details or other message information. If not, the process terminates (518) the transaction. In one embodiment, the process allows a preselected number of attempts for confirmation before terminating the transaction. If the user confirmed the transaction details, the process facilitates (520) the transaction.
In one embodiment, the process can perform the sequence of actions in any order. In another embodiment, the process can skip one or more of the actions. In other embodiments, one or more of the actions are performed simultaneously. In some embodiments, additional actions can be performed.
If the mutual authentication process is not successful (608), then the process returns to allowing the user to establish (604) a connection to a website. If the mutual authentication process is successful (608), then the process informs (610) the user that a secure connection with an authentic website has been established. Once the connection is established, the user and/or card reader can execute (612) secure communications and/or transactions. The process can then determine whether the card reader and/or website wishes to terminate (614) the connection. If neither the card reader nor the website desires to terminate the connection, then the process can execute (612) additional secured communications and/or transactions. If either the website or the card reader desires to terminate the connection, then the process can return to waiting for the user to establish (604) a new connection to a server or website.
In several embodiments, the user is informed (610) using an indicator associated with the magnetic stripe card reader. In some embodiments, the user is informed by a message on the user PC or on the card reader display. In some embodiments, the user is informed using both the indicator and one or more messages on the terminal. In one embodiment, the user is instructed to check the indicator or card reader display by a message on the terminal. Visual cues from the reader and website can thus instruct the user of a secure connection with an authentic website. Phishing and other consumer deception schemes can thus be reduced and/or prevented.
In one embodiment, secure transactions that can be established and protected also include transactions relating to non-financial websites that require confidential information such as a driver's license number, a date of birth, a social security number, medical information or other confidential information. In such secure transactions, the card reader can act in essence like a security feedback system that is transparent to the user.
In one embodiment, the process can perform the sequence of actions in any order. In another embodiment, the process can skip one or more of the actions. In other embodiments, one or more of the actions are performed simultaneously. In some embodiments, additional actions can be performed.
The process can begin when a customer using the reader/PC client visits (711) the website of the website server. The website can respond by sending (712) a challenge request to the reader. In a number of embodiments, the reader can respond to the challenge request issued by the website by sending the challenge request back to the website in an encrypted form using a common encryption key. The reader then transmits (713) a challenge to the authentication server. The authentication server decrypts (714) the reader's challenge and formulates an encrypted response. The authentication server then sends (715) the formulated response to the reader. The reader validates (716) the response. A blinking LED or message on the display of the reader can indicate a valid website.
The customer enters (717) the customer's username/password and swipes the data card through the reader. The reader sends (718) triple DES (3DES) DUKPT encrypted card data to the website. The website validates (719) the customer's username/password. The website then sends (720) the encrypted card data to the authentication server. The authentication server decrypts (721) the card data including magnetic fingerprint data and authenticates the magnetic fingerprint data. The authentication server then returns (722), to the website, the decrypted card data and a score indicative of the degree of correlation between the magnetic fingerprint data read from the data card during the transaction and a stored value. The website uses (723) the decrypted data to authenticate the customer and/or customer transaction. The website can then complete (724) the services requested by the customer using standard procedures, including, for example, sending messages to be displayed on the secure display of the card reader.
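The following is an added illustrative example of the mutual authentication exchange of steps 712 to 716 described above; it is not part of the original disclosure and does not model the 3DES DUKPT card-data encryption or the fingerprint scoring of steps 718 to 723. The disclosure says only that the reader returns the website's challenge "in an encrypted form using a common encryption key"; this example assumes a keyed HMAC-SHA256 transform with a role label for that step, assumes the website holds the reader's key after obtaining it from the authentication server, and uses a constructed key and reader identifier `R-1`. The class and function names are the example's own.

```python
"""Mutual authentication of a card reader, a website and a trusted authentication
server (steps 712 to 716), with the user PC as an untrusted relay."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example: key pre-loaded in reader R-1 at manufacture and held by the
# authentication server. The website is assumed to obtain it from that server, never from the PC.
READER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
CHALLENGE_LEN = 16


def keyed_transform(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Assumed stand-in for 'encrypting the challenge with the common key': HMAC-SHA256 with a
    role label, so a reply produced for one direction cannot be reflected in the other."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, reader_keys: Dict[str, bytes]) -> None:
        self.reader_keys = reader_keys

    def respond(self, reader_id: str, challenge: bytes) -> Optional[bytes]:
        """Steps 714/715: answer the reader's challenge, or nothing if the reader is unknown."""
        key = self.reader_keys.get(reader_id)
        return None if key is None else keyed_transform(key, b"server", challenge)


class Reader:
    def __init__(self, reader_id: str, key: bytes) -> None:
        self.reader_id, self.key = reader_id, key
        self.indicator = "OFF"           # LED/display: GREEN once the site is validated
        self.outstanding: Optional[bytes] = None

    def answer(self, website_challenge: bytes) -> bytes:
        """Step 712 reply: prove possession of the key to the website."""
        return keyed_transform(self.key, b"reader", website_challenge)

    def challenge(self) -> bytes:
        """Step 713: a fresh challenge for the authentication server."""
        self.outstanding = os.urandom(CHALLENGE_LEN)
        return self.outstanding

    def validate(self, response: Optional[bytes]) -> bool:
        """Step 716: accept only a correct answer to the still-outstanding challenge."""
        ok = (self.outstanding is not None and response is not None and
              hmac.compare_digest(response, keyed_transform(self.key, b"server", self.outstanding)))
        self.outstanding = None          # one answer per challenge; a replay cannot re-validate
        self.indicator = "GREEN" if ok else "RED"
        return ok


class Website:
    def __init__(self, reader_keys: Dict[str, bytes], auth_server: AuthServer) -> None:
        self.reader_keys, self.auth_server = reader_keys, auth_server

    def authenticate(self, reader: Reader) -> Dict[str, bool]:
        """Run steps 712 to 716 and report what each side concluded."""
        c_site = os.urandom(CHALLENGE_LEN)                                # 712
        key = self.reader_keys.get(reader.reader_id)
        reader_ok = key is not None and hmac.compare_digest(
            reader.answer(c_site), keyed_transform(key, b"reader", c_site))
        c_reader = reader.challenge()                                     # 713
        response = self.auth_server.respond(reader.reader_id, c_reader)   # 714/715
        site_ok = reader.validate(response)                               # 716
        return {"reader_authentic": reader_ok, "site_authentic": site_ok}


def reflection_attack(reader: Reader) -> bool:
    """A fake site with no key obtains the reader's challenge, sends that same value back
    as its own step-712 challenge, and returns the reader's reply as the 'server' response."""
    c_reader = reader.challenge()
    reflected = reader.answer(c_reader)
    return reader.validate(reflected)
```

The role labels are what make `reflection_attack` fail: without them the reader's own step-712 reply would be a valid answer to its step-713 challenge. A phishing site that lacks the key cannot produce the step-715 response, so the reader's indicator stays red regardless of what the PC's browser shows. What this exchange does not provide on its own is binding to the site's identity or to the TLS channel: an attacker who can relay messages to the genuine authentication server in real time still obtains a green indicator, which is why the disclosure pairs it with secure messaging of the transaction details themselves.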
In one embodiment, the process can perform the sequence of actions in any order. In another embodiment, the process can skip one or more of the actions. In other embodiments, one or more of the actions are performed simultaneously. In some embodiments, additional actions can be performed.
In several embodiments, the username can be an identifier intended for one time use. In such case, the identifier can include the magnetic fingerprint of the data card engaged in the current transaction. In one embodiment, the password can be a value intended for one time use. In such case, the password value can include the magnetic fingerprint of the data card engaged in the current transaction. In another embodiment, the username, password and magnetic fingerprint of the data card engaged in the current transaction can be combined to form a digital signature intended for one time use.
In one embodiment, the reader is configured to output encrypted data including card track data, magnetic fingerprint data, sequence counter data and cyclic redundancy check (CRC) data. In another embodiment, the reader is configured to output unencrypted or clear text data including key serial number data, DUKPT counter data, masked data, CRC data, and reader serial number data.
In another embodiment, the trusted authentication server is integrated with the user PC or transaction terminal. In such case, authentication of a card can take place at the transaction terminal. In this example of localized authentication, the card authentication information including the intrinsic magnetic characteristics of the data card can be stored in an encoded form (stored reference fingerprint) on the data card. The transaction terminal can receive the intrinsic magnetic characteristic of the card (transaction fingerprint) and stored information including the stored reference fingerprint from the card reader. Using this information, the terminal can perform the scoring process at the terminal. A score indicative of the degree of correlation of the fingerprint read from the card and the stored fingerprint can be generated. Based on the score, the terminal can determine whether or not the card is authentic.
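The following is an added illustrative example of the localized scoring described above; it is not part of the original disclosure and does not reproduce the fingerprint extraction of the incorporated patents. It assumes the fingerprint is a vector of samples taken along the stripe, assumes a normalised (Pearson) correlation as the score and a threshold of 0.80, and uses a one-byte-per-sample encoding as the "encoded form" stored on the card. The sample reads are constructed: a genuine card's intrinsic pattern, a later swipe of that card with read noise, and a cloned card carrying the same track data on different media.

```python
"""Localized card authentication at the terminal: correlate the magnetic fingerprint read
during the transaction against the reference fingerprint stored on the card."""
import math
import random
from typing import List, Sequence

SAMPLES = 256           # assumed: fingerprint samples taken along the stripe
THRESHOLD = 0.80        # assumed acceptance threshold for the correlation score


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Normalised correlation in [-1, 1]; unaffected by swipe-speed gain differences."""
    if len(a) != len(b) or len(a) < 2:
        raise ValueError("fingerprints must have equal, non-trivial length")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb)


def encode_reference(fp: Sequence[float]) -> bytes:
    """Compact form written to the card at enrolment: one signed byte per sample."""
    return bytes(max(-127, min(127, int(round(x * 40)))) & 0xFF for x in fp)


def decode_reference(blob: bytes) -> List[float]:
    """Inverse of encode_reference (two's-complement byte back to a float sample)."""
    return [((b ^ 0x80) - 0x80) / 40.0 for b in blob]


def score(transaction_fp: Sequence[float], stored_reference: bytes) -> float:
    """Degree of correlation between the transaction fingerprint and the stored reference."""
    return pearson(transaction_fp, decode_reference(stored_reference))


def is_authentic(transaction_fp: Sequence[float], stored_reference: bytes,
                 threshold: float = THRESHOLD) -> bool:
    return score(transaction_fp, stored_reference) >= threshold


def constructed_reads(seed: int = 7):
    """Constructed data, not measurements: the genuine stripe's intrinsic pattern, a later
    swipe of the same card (pattern plus read noise), and a cloned card whose media has an
    unrelated pattern even though its track data is identical."""
    rng = random.Random(seed)
    intrinsic = [rng.gauss(0.0, 1.0) for _ in range(SAMPLES)]
    genuine_swipe = [x + rng.gauss(0.0, 0.3) for x in intrinsic]
    cloned_swipe = [rng.gauss(0.0, 1.0) for _ in range(SAMPLES)]
    return encode_reference(intrinsic), genuine_swipe, cloned_swipe
```

Because the score is normalised, a swipe read at a different gain scores the same as the original, while a clone's unrelated pattern scores near zero; the threshold trades false rejections of worn cards against acceptance of clones and would be set from measured distributions rather than the constant assumed here. Storing the reference on the card means an attacker who can write the stripe could also write a reference matching the clone's own media, so a deployment that relies on local scoring must protect the stored reference (for example by binding it to the card data under a key the terminal verifies), which this example does not model.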
In another embodiment, the data card reader includes a remote key loading feature which enables a remote server or other computing device to load an encryption key onto the reader. In one embodiment, the authentication system, including the authentication server and/or the trusted scoring system, can enable remote key loading. In one such case, a data card reader can include a secure mode for securely loading encryption keys. Special information provided to the reader can cause the reader to enter the secure mode. In another embodiment, the data card reader can include multiple levels of security. In such case, each level can correspond to a different degree of security and a level of encryption used. In one embodiment, the highest level of security can require that all data received and sent by the reader is encrypted.
In one embodiment, a remote computing device can use an existing encryption key, one that is generally used for encrypting data read by the data card reader, in conjunction with a security sequence to enter the secure mode and remotely load one or more encryption keys. In another embodiment, the remote computing device can use a special manufacturing encryption key in conjunction with a security sequence to enter the secure mode and remotely load one or more encryption keys. In such case, the remotely loaded keys can replace the existing encryption keys. In several embodiments, the encryption keys used are DUKPT encryption keys. In some embodiments, the manufacturing key can be known only by the card reader itself and the manufacturer of the reader. Additional embodiments of systems capable of remote loading encryption keys are described in U.S. Provisional Patent Application No. 61/382,436, the entire content of which is incorporated herein by reference.
In a number of embodiments, the data card reader is equipped with a means of providing audio, visual or tactile feedback to the user. In a number of embodiments, the feedback can relate to whether the card reader has been authenticated and/or whether a swiped data card has been authenticated. In a number of embodiments, the visual feedback can be conveyed using one or more light emitting diodes (LEDs). In one embodiment, the audio feedback is conveyed using a speaker.
While the above description contains many specific embodiments of the invention, these should not be construed as limitations on the scope of the invention, but rather as examples of specific embodiments thereof. Accordingly, the scope of the invention should be determined not by the embodiments illustrated, but by the appended claims and their equivalents.
In several embodiments, the card reader and/or web server are authenticated using various mutual authentication techniques. In other embodiments, the card reader and/or web server are authenticated using other suitable authentication techniques.
In several embodiments, the peripheral device with a secure messaging display is used in conjunction with a user PC. In some embodiments, the peripheral device with a secure messaging display can be used without the user PC. In several embodiments, the peripheral device with a secure messaging display is used with a handheld computer such as a smart phone or another similar computing device.
The present application claims the benefit of Provisional Application No. 61/393,810, filed Oct. 15, 2010, entitled “SYSTEMS AND METHODS FOR AUTHENTICATING ASPECTS OF AN ONLINE TRANSACTION USING A SECURE PERIPHERAL DEVICE HAVING A MESSAGE DISPLAY AND/OR USER INPUT”, the entire content of which is incorporated herein by reference.
Number | Date | Country
---|---|---
61393810 | Oct 2010 | US