CA1118098A - Identification system safeguarded against misuse - Google Patents

Identification system safeguarded against misuse

Info

Publication number
CA1118098A
CA1118098A CA000285651A CA285651A CA1118098A CA 1118098 A CA1118098 A CA 1118098A CA 000285651 A CA000285651 A CA 000285651A CA 285651 A CA285651 A CA 285651A CA 1118098 A CA1118098 A CA 1118098A
Authority
CA
Canada
Prior art keywords
identificand
counterfeiting
memory
memories
improvement
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
CA000285651A
Other languages
French (fr)
Inventor
Jurgen Dethloff
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Abstract

ABSTRACT OF THE DISCLOSURE

The system is for effecting transactions, such as manual or mechanical delivery of commodities, services and money, while using identificands, such as credit cards, check cards, cards for automatic machines, coded tokens, keys and the like, provided with visually and/or mechanically readable identification and/or processing data, and while using a personal identification number for checking the title of the user of the identificand. Each identificand has inaccessibly incorporated therein a miniaturized integrated circuit (IC), in the form of a "chip", including plural memories for entry and storage of information therein, including identifying data and securing data. The memories for the identifying and securing data are chargeable only once, and at least the contents of the memory for the personal identification number are available only within the identificand.
The identificands are usable with either a checking device or an automatic machine including a source of potential, and the integrated circuit includes components activated, responsive to an input potential from the checking device or automatic machine, to effect internal checking of the identity and title of a user of the identificand. Input/output devices are included in the integrated circuit for establishing communication between the identificand and the verifying means, such as the checking device or automatic machine, and the identificand is constructed to prevent external access to the integrated circuit except through the input/output devices when connected to a verifier.
A protective code, in the form of a random number, is entered into a first memory and simultaneously is printed on a concealed paper. The user also receives the printed protective code and enters the code into the identificand where it is compared with the stored protective code so that, upon a positive result of the comparison, a release signal is produced for further processing. The user then selects a completely optional personal identification number and enters the same into a second memory in the identificand through the use of an encoder. The first and second memories are provided with input gates which are automatically destroyed after entry, respectively, of the protective code and the personal identification number. Various other required information is then fed into other memories of the integrated circuit, through gates which are then destroyed so that the identificand cannot be initialized a second time.

Description

FIELD AND BACKGROUND OF THE INVENTION

This invention relates to a security system which protects against misuse and counterfeiting associated with banking transactions in particular, such as manual or automatic dispensing of money, by using identificands, such as credit cards, check cards, machine-read cards and the like, which bear identification and card use data which can be read visually and by machine, and by utilizing an individual distinguishing device, such as a personal identification number (PIN), to check whether the user is entitled to use the identificand.

As the system of the invention is not limited to the use of a card, but can also employ a key, a coded token, or the like, the generic term "identificand" consequently is used hereinafter for the element usable with the system, and includes either a card of the mentioned type, a coded token, or a key, or the like.

In systems of this general type, the intention is to protect the identificand from misuse and counterfeiting, and such systems have been the subject of many previous proposals, patented and otherwise. Thus, some known systems of cash dispensing may use, for example, the account number as an identification and, for protection, a personal reference number or personal identification number which correlates with the account number. The user has to insert his card into a verifying means, such as a machine, and "key in" his personal reference number (PIN) in order to prove or check his right to use the identificand. Obviously, in such a case, evidence of tampering cannot be checked, so that it is easy for a potential criminal to counterfeit cards if he is able to decipher the correlation between the account number and the identification number. Deciphering is made easier by the fact that, in all known machine cards, the personal identification number (PIN) entered on the identificand can be easily determined either visually or by machine reading, regardless of whether it is encoded or printed.

Moreover, the identificands carry still other data which might be of interest to a criminal, namely, use data. Use data includes the expiration time or date, the amount of money available to the rightful owner of the identificand, such as a card, and the conditions of use of the identificand. Not only the rightful owner of the card, but also a potential criminal, can easily change, to his or her advantage, this use data, especially if the use data is recorded on a magnetic strip, known to the art as "magstrip", on the card, such magstrips being characteristic of machine-read cards only.

While the state of this art is contained in volumes of technical literature, it is sufficient to mention, in particular, German Offenlegungsschrift No. 1,945,777, United States patent Nos. 3,891,830, 3,868,057, 3,934,1~2, and 3,702,464, and also British Patent No. 1,197,183. All the machine-read cards covered by the prior art technical literature, however, have the disadvantage that the personal identification number (PIN), even if not always easily deciphered, can be determined, and furthermore, the machine-read cards can also be misused by the rightful owner by changing the use data. In other words, the information contained in these cards is externally accessible to either the rightful owner or to a potential criminal.

SUMMARY OF THE INVENTION

Accordingly, the objective of the invention is to provide a security system safeguarded against misuse and counterfeiting, especially in the processing of banking transactions, where the known disadvantages, mentioned above, are eliminated. It is a further objective of the invention to permit the identificand to be used for both machine-read and conventional applications.

In accordance with the foregoing, the basic or underlying concept of the present invention is that all or part of the information to be stored in the identificand, and which is to be protected against misuse or counterfeiting, is fed into memories which can be loaded only one time and permanently and, in addition, the fed-in information cannot be determined from outside the identificand or, in other words, is not accessible externally. In order to be able to utilize these identificands, the identificands further include internal memories and means to compare data, transmitted from the exterior, with the stored data, and which are readable only within the identificand, for example, for the purpose of checking identity and right of use or entitlement. In identificands embodying the invention and for use with machines, there are included, in the identificand, further memories and circuitry elements which make possible communication with the machine, for example, through input/output devices for connection to the machine either electrically, magnetically, or otherwise.

It is known from the prior art that memories have been developed in which only one entry can be made and from which nothing can be erased. However, such memories can and must be readable from outside (see U.S. Patent No. 3,702,464 covering a ROS MEMORY). With the present invention, the system and the data protected in the identificand cannot be determined from the exterior and so the system does not require further secrecy measures. With the present invention, the potential criminal, or the rightful user attempting to misuse the identificand, may know all the specifics but still will not be able to misuse the identificand or to break into the system with success.

As the invention requires a number of memories and control circuits, it is practical to combine all of these elements into one integrated circuit (IC) or "chip" incorporated in the identificand. Such integrated circuits, moreover, increase protection against tampering with the identificands themselves since, without considerable difficulty and expense, a criminal would hardly be able to determine the layout of an IC and copy it.

As a further security measure, the invention assures that, when the identificand is first initialized, for example, by assigning a "neutral" identificand to a client through entering the account number and a personal identification designation, such as a personal identification number (PIN), no misuse is possible. Prior to this, during manufacture, a protective code is entered into the identificand, and this code can be read only under certain conditions, and only once. Additionally, as an essential feature, the client is free to select his own personal identification number (PIN), and this number can then be completely independent of other data in the identificand.

The system of the invention has many advantages over current systems and current cards. Thus, the system of the invention permits conventional as well as machine-read cards to be used. Furthermore, misuse of the system, by modifying or changing the use data, is as impossible by the rightful owner of the card as by an unauthorized person. As the user himself is free to determine his own personal identification number (PIN), there is no need for additional safeguards in the system in order to maintain assigned code numbers secret. Furthermore, an identification card of the system of the present invention can be used with checking facilities used with existing credit cards as well as being used with detection or authenticity checking apparatus developed by the present inventor.

In checking the identificand, there are three things to be checked:
(1) whether the user is identical with the rightful owner of the card;
(2) whether the account number has been altered in any respect; and
(3) whether or not the card is an authorized card.
This third check results inherently from the first and second checks. The three checks can be made with a device which is about the size, weight and cost of an ordinary pocket-type electronic calculator, such as presently in widespread use.

An object of the invention is to provide an improved security system protecting against misuse and counterfeiting associated with banking transactions in particular.

Another object of the invention is to provide such a security system eliminating the known disadvantages of known security systems.

A further object of the invention is to provide such a security system in which the identificand can be used for both machine-read and conventional applications.

Thus, in accordance with one broad aspect of the invention, there is provided, in a system, secured against misuse and counterfeiting, for effecting transactions, such as manual or mechanical delivery of commodities, services and money while using identificands, such as credit cards, check cards, cards for automatic machines, coded tokens, keys and the like, provided with identification data, processing data, or both which are readable visually, by a machine, or both, and while using a personal identifying designation, such as a personal identification number (PIN), for verifying the entitlement of the user of the identificand: the improvement comprising, in combination, an identificand having integrally incorporated therein memories for entry and storage of information therein, including a personal identifying designation; at least the memory for entry and storage of the personal identifying designation being chargeable only once via gate means which is then made inoperable, and at least the contents of the memory for the personal identifying designation being available only to data processing means within the identificand; verifying means operable to receive said identificand and apply an input thereto; said data processing means being activated in response to an input from said verifying means to effect checking of the identity and entitlement of a user of said identificand; and input-output means included in said identificand for establishing communication between said identificand and said verifying means; said identificand including means preventing output from at least said memory for the personal identifying designation to said verifying means.

In accordance with another broad aspect of the invention there is provided, for use in a system secured against misuse and counterfeiting, an identificand having integrally incorporated therein memories for entry and storage of information therein, including a personal identifying designation; at least the memory for entry and storage of the personal identifying designation being chargeable only once via gate means which is then made inoperable, and at least the contents of the memory for the personal identifying designation being available only to circuitry within the identificand; components included in said identificand and activated, responsive to an input to said identificand, to effect checking of the identity and entitlement of a user of said identificand; and input-output means included in said identificand for establishing communication between said identificand and a verifying means; said identificand including means preventing external access to information stored in said memories except through said input-output means when in communication with a verifying means.

For an understanding of the principles of the invention, reference is made to the following description of typical embodiments thereof as illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Drawings:
Fig. 1 is a somewhat diagrammatic plan view of an identificand, used with the system of the invention, in the form of a card or the like;
Fig. 2 is a block diagram of the integrated circuit (IC) of the identificand shown in Fig. 1;
Fig. 3 is a block diagram of the IC shown in Fig. 1 expanded to include further integrated circuitry;
Figs. 4 and 5 are perspective views of simple checking devices or verifiers usable with the identificand of the invention system;
Fig. 6 is a flow chart of the checking of identificands;
Fig. 7 is a block diagram of an identificand forming part of the system of the present invention and a machine, in which the identificand is inserted, and also embodying the present invention; and
Fig. 8 is a flow chart of the machine checking process, related to Fig. 7.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring first to Fig. 1, this figure shows an identificand 1 designed to be a credit card or Eurocheque card. The identificand 1 carries, in the area 2, the name of the owner, in the area 3, printed identification or account numbers, in the area 4, a photo of the owner, and, in the area 5, the signature of the owner. The area 3 is planned for a shorter side of the card so that the account number remains readable when the card is introduced into a verifier or checking device.

In addition, the card 1 comprises an integrated circuit (IC) in area 6 and, in area 7, internal connectors for the power supply, as well as for data input and output. The integrated circuit or IC is invisibly implanted in the card, as by being enclosed between outer layers of plastic or the like, such construction of cards with an inner information-carrying layer and outer closing layers of plastic or the like being well-known to those skilled in the art.

A certain area surrounding the IC, indicated at 8, is maintained free of conductive material so that, when the card is introduced into a machine verifier, checks can be made as to whether or not there are connections to the circuitry of the card from a simulated circuit outside the machine. As the total counterfeiting of a card with an identical IC cannot be regarded as feasible, in view of the high financial investment, know-how requirements and risk conditions, this step serves to prevent a potential criminal, even if he knows the manner in which the IC operates, from constructing a substitute circuit from discrete components and connecting such substitute circuit, for example, with wires, to a card which, in this instance, works as an adapter. The machine furthermore checks whether connections of other kinds have been made across the area 8 or the like surrounding the integrated circuit or IC.

Fig. 2 is a block diagram of the IC 6, and all the individual parts illustrated in Fig. 2 are actually integrated into one monolithic circuit, such as the well-known "chip". The power supply and the data input and output are fed through connectors 9, which may be either galvanic type connectors or inductive-type connectors. If the feed is inductive, the connectors 9 are supplemented by the necessary converters.

The integrated circuit, or IC, comprises the processing unit (PU) 10, which is a special microprocessor, which is controlled by a predetermined program stored in program memory 11. The PU 10 and the program memory 11 may, in a modification, be hard wired logic within the integrated circuit.

The power is fed through integrated power supply 12, in which the outside power is converted into electrical values necessary for operation of PU 10. A consistently high outside power supply is essential for the programming unit 19 of the IC to be able to program the memories 13 through 17. For this reason, a check is made, in power supply unit 12, as to whether the power supply is high enough to activate PU 10 consistently, and whether such power supply is indeed sufficient to destroy the IC in the case of cards which have been programmed to self-destruct when misused. When the power supply is too low, the IC will not operate.

The self-destruct device in the IC can, for example, be implemented by switching changes in the programming of gate 24. Normally, this gate remains open, and the use data can be read from memory 16. If, during the process of identification checking, it becomes necessary to bar use of the identificand, gate 24 will be closed automatically so that use data can no longer be read. PU 10 will, for example, operate only when use data can be read.

The self-destruct effect can be triggered by the card itself through a corresponding control of the program memory 11, as well as through a triggering signal from the exterior. In machine-read cards, such a triggering signal can be generated by the machine when additional checks in the machine demand such destruction.

All data input and output occurs through the input/output unit or device 18. PU 10 is programmed to perform all of the functions described above. When the supply voltage is applied from the outside, the microprocessor of PU 10 starts running automatically and checks, as a first step, whether the supply voltage is high enough.

After this, PU 10 performs further functions through data input, and which will be described later. After checking the personal identification number (PIN) and other information, the output of return signals is supplied through input/output unit or device 18.

All the parts of the IC described above are integrated in one piece or "chip" during manufacture. The required memory units 13 through 17 are PROMs (Programmable Read Only Memories) and, during manufacture, can be integrated into the IC either as a whole or in parts, or can be preformed as separate ICs.

These PROMs are fed various data at different times in the steps described hereinafter, to create a personalized identification card from a "neutral" one. The memories 13 through 17 are treated in various ways. Some can be programmed only through gates 20 through 24. These programming-block circuits can be activated so that no later changes to the contents of these memories can be made. The memories differ individually as to their readability, for example, only certain predetermined memories can be read from the outside of the card and others cannot be read from outside the card. When, why and which parts are programmable or readable is explained hereinafter.

As already stated, the memory part of the integrated circuit or IC comprises the memories 13 through 17. Memory 13 contains the protective code safeguarding the card on its way between the factory and the place of issuance, and is programmable only as long as gate 20 is open and can be read only internally, through gate 21.

Memory 14 stores the personal reference number (PIN), which can be entered only when gate 22 is open. This number cannot be read from the card, but can be made available in PU 10 for comparison purposes.

Memory 15 stores data for the identification of the respective card or the account owner. Into memory 15, there is fed the account number, or other information, including alpha-numerical information, for the identification of the account owner. It is only after such programming that the identificand is correlated to the individual client. This part of the memory is programmable only when gate 23 is open and, after programming, gate 23 is destroyed or made inoperable. Despite this, memory 15 remains readable to PU 10.

Memory 16 stores use data, such as the length of the time period, the limit of the period, and per diem limits. This data can be entered through gate 24 only at the time the card is issued, for example, at initializing of the card.

Into memory 17, there is stored, for each use, data such as calendar date, number of mistrials allowed for input of the personal reference number or PIN, account transactions, etc.

The entire procedure of initializing and using the card will now be described, using, as an example, a monetary application.

The last step in manufacture of the card is to enter, into memory 13, a protective code in the form of a numeral, created in a random generator. At the same time, this protective code is printed on a separate slip. After the protective code input, gate 20 is destroyed so that a change of the protective code, or entering of another digit into memory 13, is no longer possible. The printed slip is secretly and automatically sealed into an envelope. The cards and envelopes are stored and handled separately. Up to this point, the cards are still "neutral". Upon issuance of a card to a customer, the "neutral" card is "married" to the envelope bearing the same serial number on the outside. Then the envelope is opened, preferably by the customer himself, and the visually readable protective code is learned.

The card is then introduced into the coding device or encoder at the place of issuance, so that the data specific to the customer can be entered. To effect this, the customer first enters the protective code number, through the input/output unit or device 18, into PU 10, where a comparison is made with the protective code stored in memory 13. If the result is negative, then, after a predetermined number of negative trials, self-destruction of the IC is triggered. If the result is positive, then the IC 6 transmits a "go" signal to the encoder so that the other data can be entered.

Initially, the client or customer secretly enters the personal reference number or PIN which he himself has chosen, and which is then again transferred to PU 10 and from there is stored in memory 14 through gate 22. After such storing, gate 22 is automatically destroyed so that the PIN cannot be changed.

Following this, the data to be used for the identification of the client or customer is fed into the IC. Thus, the account number of the client is fed into memory 15 through gate 23, after which gate 23 is automatically destroyed so that this data cannot be changed.

The conditions of use are fed into memory 16 through gate 24, and gate 24 is thereafter automatically destroyed. As a last step, the account start-up status can be fed into memory 17. After storage of this last data, output gate 21 of memory 13 is destroyed so that the card cannot be initialized a second time with the protective code, since a check of such protective code is no longer possible. The card is now ready to hand over to the client or customer.

If, after expiration, a card is to be revalidated by being re-initialized, further protective codes are available which will be treated in a like manner. Thus, memory 13, together with gates 20 and 21, is provided several times, or is multiplicated. When the time limit for a card has expired, or the amount of money or credit has been used up, the client goes to his bank with the card. The bank may hold, in addition to the first envelope, more sealed envelopes correlated to the customer's card, and which contain a second, third, etc., protective code. This arrangement is shown in Fig. 3.

The card is now, as already described in connection with the first protective code, initialized again after the input of the second protective code. At such second initializing, gate 26 is destroyed so that no further data can be entered in the first transaction memory 17.

Now, gate 30 is opened by special programming so that transactions can be entered into "Account 2", memory 29 through gate 30. Gates 27 and 28 correspond, in their functions, to gates 20 and 21, and the protective code-memory 41 corresponds to the protective code-memory 13. The second and all further protective code memories are programmed, during the last step of manufacture, with protective code 2, code 3, etc. This extension of further protective codes and further account memories allows for a longer life and more economical utilization of the electronic parts of the card.

To use the card, it is introduced into the reader, verifier or machine, where the supply voltage is initially checked as to needed value, particularly as to the possibility of self-destruction of the IC, if this is required.

Verification of the user as to his ownership/user identity is effected through input of the personal reference number or PIN and comparison thereof with the PIN stored in PU 10. The PIN thus cannot be read from outside. If the feedback is positive, the account number can be checked next, whereby, at the nth mistrial, the IC is automatically destroyed. In addition, the number of mistrials is entered on the card.

With conventional cards, the account number is printed on the face of the card so that it can be read and then fed into the checking device. However, with the present invention, the checking of the account number takes place in the IC of the card itself. In this check, with the present invention, at the nth mistrial, an alarm is triggered since one has to assume that the account number printed on the card has been changed to effect, for example, a debit to a different account. Here again, the number of mistrials will be recorded.
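
The initialization sequence and the internal PIN and account-number checks described above can be modeled in software. The following is an added example, not part of the patent text: the class and method names, the limit of three mistrials and all sample values are assumptions, and the destruction of a hardware gate is modeled as a flag.

```python
import hmac
import secrets

MAX_MISTRIALS = 3  # assumption: the text only says "a predetermined number"


class GateDestroyed(Exception):
    """A write was attempted through an input gate that no longer exists."""


class OneTimeMemory:
    """PROM behind an input gate that is destroyed after the first entry."""

    def __init__(self):
        self._value = None
        self.gate_open = True

    def program(self, value):
        if not self.gate_open:
            raise GateDestroyed("input gate already destroyed")
        self._value = value
        self.gate_open = False  # models the automatic destruction of the gate


class Identificand:
    """Model of IC 6: write-once memories, internal compare, go/alarm output."""

    def __init__(self, protective_code):
        self.mem13 = OneTimeMemory()   # protective code, input gate 20
        self.mem13.program(protective_code)
        self.mem14 = OneTimeMemory()   # PIN, gate 22
        self.mem15 = OneTimeMemory()   # account number, gate 23
        self.mem16 = OneTimeMemory()   # use data, gate 24
        self.gate21_open = True        # internal read path of memory 13
        self.released = False
        self.destroyed = False
        self.mistrials = {"code": 0, "pin": 0, "account": 0}

    def _check(self, kind, memory, candidate):
        """Compare inside the card; only a signal leaves, never the stored value."""
        if self.destroyed or memory._value is None:
            return "alarm"
        # Constant-time comparison is a choice of this sketch, not a patent detail.
        if hmac.compare_digest(memory._value, candidate):
            return "go"
        self.mistrials[kind] += 1      # the number of mistrials is recorded
        if self.mistrials[kind] >= MAX_MISTRIALS:
            self.destroyed = True      # self-destruct: every later check fails
        return "alarm"

    def present_protective_code(self, code):
        if not self.gate21_open:       # gate 21 destroyed: code cannot be checked
            return "alarm"
        signal = self._check("code", self.mem13, code)
        self.released = signal == "go"
        return signal

    def initialize(self, pin, account, use_data):
        if not self.released:
            raise PermissionError("protective code has not been verified")
        self.mem14.program(pin)
        self.mem15.program(account)
        self.mem16.program(use_data)
        self.gate21_open = False       # the card cannot be initialized again
        self.released = False

    def verify_pin(self, pin):
        return self._check("pin", self.mem14, pin)

    def verify_account(self, account):
        return self._check("account", self.mem15, account)


def run_demo():
    """Issue one card and exercise the checks; all values are constructed."""
    code = f"{secrets.randbelow(10**6):06d}"        # random code, also on the sealed slip
    card = Identificand(code)
    log = [card.present_protective_code(code)]      # customer types the code from the slip
    card.initialize(pin="4711", account="0012345678", use_data="limit=500/day")
    log.append(card.present_protective_code(code))  # second initialization attempt
    try:
        card.mem14.program("0000")                  # attempt to overwrite the PIN
    except GateDestroyed:
        log.append("write refused")
    log.append(card.verify_pin("4711"))
    log.append(card.verify_account("0012345679"))   # printed number was altered
    log += [card.verify_pin("0000") for _ in range(MAX_MISTRIALS)]
    log.append(card.verify_pin("4711"))             # correct PIN, but IC is destroyed
    return log, card.destroyed


if __name__ == "__main__":
    print(run_demo())
```

The verifier in this model only ever sees "go" or "alarm"; the stored PIN and protective code have no read path out of the object, which is the property the description relies on.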

In addition to, and/or in combination with, the aforementioned checks, further verification measures are taken, which require an arrangement of the function and/or memory circuits, and which cannot be carried out by conventional integrated circuits, that is, which have not been designed for this particular purpose. This prevents criminals from simulating a "go" signal by using conventional ICs in a counterfeit card without going through the above-mentioned additional checks.

After completion of all of these checks, the operation itself can be started, for example, dispensing of money. If the desired transaction is not allowed because the credit limit would be exceeded, that is, that too much money has been requested, the customer will automatically receive appropriate messages. The check as to whether a transaction is allowed or not is effected in PU 10. If the account number on the card is also to be readable by the verifying machine, program memory 11 has to contain a corresponding program. The recording of transactions is effected in memory 17, by accumulating all transactions in succession, so that a reading can be taken at any time. Since the old transaction balances cannot be erased when new entries are made, the entire listing of the account is available. Thus, account statements can be prepared.

The invention is neither limited to banking transactions nor limited to the utilization of identificands in the form of cards. Thus, through the invention system, for example, entry into restricted areas can be protected by admitting only predetermined persons who bear genuine, valid and unfalsified identificands, thereby proving themselves the rightful owners of these identificands. Furthermore, the identificands can be utilized to permit physical access to installations only by entitled persons, or to give certain personnel authorized access to information (data) for storage or retrieval purposes.

A special advantage is that, since use data is stored in an unalterable way, users are given prescribed boundaries to enable the system to be used in any potential "off-line" applications.

Figs. 4 and 5 illustrate two examples of a simple checking device for verifying identificands using the system of the present invention, and which identificands work in the same manner as Eurocheque cards or credit cards. These simplified checking devices, shown in Figs. 4 and 5, check the identity of the user/owner and determine whether the account number, printed on the outside, has been modified or not. The devices generally check the legitimacy of the card which, by implication, check whether or not the necessary IC is installed therein.

The two illustrated devices differ only in the display 31 of the device shown in Fig. 4 and which, by comparing the identification/account numbers, displays the number read automatically from the card so that it can be checked visually against the account number 3 printed on an exposed portion of the card 1. In the example shown in Fig. 5, there is no display 31 of the account number.

The checking operation, which compares the number printed on the outside of the card 1, and which, in this case, is manually entered on keyboard 32 by the clerk, is effected internally in the card through IC 6. Depending on the result of the comparison, IC 6 transmits a signal to the checking device, such as a verifier or reader, indicating "go" or "correct" in position 33, or "alarm" or "incorrect" in position 34.

The signals in positions 33 and 34 serve, in the same way, to compare the personal reference number or PIN. Switch 35 puts the device into operation, while erase key 36 terminates check entries or wrong inputs.

In the simple identificand check which is possible with the verifying means shown in Figs. 4 and 5, the IC could be made to self-destruct after a predetermined number of mistrials in the input of the personal identification number (PIN) or the identification/account number. The electrical power required for such a self-destruct mechanism is available in the checking device or verifying means.

With reference to the verifying devices shown in Figs. 4 and 5, Fig. 6 is a self-explanatory flow chart illustrating the checking of identificands as applied in the case of conventional credit or Eurocheque cards, or other non-machine uses. Thus, the identificand is introduced into the checking device or verifying means and the PIN is entered in the checking device. A signal from the identificand IC then indicates whether the PIN is correct or not. If incorrect, an alarm is provided. If correct, a "go" signal is provided. The account or identification number, entered into the checking device, is then read out from the IC of the identificand to provide either a "correct" or "yes" signal or an "incorrect" or "no" signal. In the latter case, an alarm is given. In the former case, if there is a "yes" or "correct" signal, a release signal is provided.

Fig. 7 is a block diagram illustrating a machine serving to store transactions in the identificand, and Fig. 8 is a flow chart of the operation of the machine of Fig. 7. The machine shown in Fig. 7 includes, as a checking device, the reader 37 into which the identificand 1 is to be inserted. Reader 37 provides identificand 1 with power and sends data to and receives data from the identificand. The processing unit PU 10, with the program memory 11, in identificand 1, controls the machine. Data input is entered on the built-in keyboard 38.

During the checking operation, messages and alarms can be transmitted outside and, upon completion of the checking process, a "go" signal can be transmitted to the operations part of the machine to effect the desired transaction. Besides the transaction data stored in the identificand, such storage is provided in the machine in data memory 39. This data storage device is either physically transported, at times, to the host computer location and the information contained read out into the host computer for further processing or, in "on-line" operations, is processed by a host computer.

In addition, the machine shown in Fig. 7 contains a checking device 40 which ascertains whether or not there are connections to the outside of the reader or the machine from the area where the IC of the identificand is placed and by which the IC of the identificand is placed on legitimate cards. The system is thus protected against criminals who might try to substitute the essential functions of the IC in the identificand with a simulation circuit composed of discrete components outside the identificand. The identificand also can be confiscated by the machine or otherwise.

Introduction of the identificand into a machine can be arranged in such a manner that, after the identificand is inserted by a user, a flap or cover can be closed, either manually by the user or automatically. The flap or cover is so designed that it can, through a locking action, interrupt or physically cut any possible connections to the identificand. Furthermore, such a flap or cover, combined with a shield surrounding the reader part of the machine, protects the identificand, inserted in the machine, from any connections which do not depend on leads, such as electromagnetic or mechanical waves. This locking device is so designed that the machine can work only when the hinged flap or cover is tightly closed and stops when the flap or cover is open.

Further checking is then done in a manner similar to that employed for the simplified checking devices or verifying means shown in Figs. 4 and 5, and wherein the personal identification number or PIN is entered into the machine. The PIN is transmitted into the identificand and then checked internally for conformity.

The identificand transmits merely a conformity/non-conformity signal. If the PIN has been entered incorrectly, it is indicated. The input can be repeated n times. In practice, usually three attempts are allowed. After the nth input, an alarm signal is transmitted, the IC in the identificand is electrically destroyed, and a record of the mistrials is made in the identificand.

If the personal identification number or PIN has been entered correctly, the user identifying data, stored in the memories, will then be transmitted. Likewise, the use and transaction data will be read and stored in the machine. After this data is read from the identificand, the desired transaction can be entered into the machine. All of this is indicated in the flow chart of Fig. 3.

By means of the use and/or transaction data, it is verified whether the desired transaction can be permitted. If the transaction is not allowed or permitted, then a signal will be given to this effect, and a different transaction information has to be entered into the machine. If the transaction is permissible, the transaction data will then be stored in the identificand, in the machine and/or transmitted to the main central processing unit. Following this, a "go" signal is given by the checking device of the machine and the transaction is processed.
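The checking sequence described above (PIN compared inside the identificand, a limited number of mistrials, a transaction check against the stored conditions of use, and a transaction record that is never erased) can be modelled as follows. This is an added Python example, not part of the patent: the class and function names, the sample PIN and limit, the cumulative mistrial counter and the constant-time comparison are assumptions of the example.

```python
import hmac


class Identificand:
    """Constructed model of the card IC; the PIN is never output."""

    def __init__(self, max_trials=3):      # "usually three attempts are allowed"
        self._pin = None                   # PIN memory, chargeable only once
        self._limit = None                 # condition of use (account limit)
        self._gate_open = True             # entry gate, inoperable after charging
        self._max_trials = max_trials
        self._mistrials = 0                # record of mistrials kept in the card
        self._destroyed = False
        self._unlocked = False
        self._log = []                     # transactions accumulate, none erased

    def charge(self, pin, limit):
        """One-time entry of PIN and limit; a second attempt is refused."""
        if not self._gate_open:
            raise PermissionError("entry gate inoperable: already charged")
        self._pin, self._limit = pin.encode(), limit
        self._gate_open = False

    def check_pin(self, entered):
        """Compare inside the card; emit only conformity / non-conformity."""
        if self._destroyed or self._pin is None:
            return False
        if hmac.compare_digest(self._pin, entered.encode()):
            self._unlocked = True
            return True
        self._unlocked = False
        self._mistrials += 1               # assumption: cumulative, never reset
        if self._mistrials >= self._max_trials:
            self._destroyed = True         # stands in for electrical destruction
        return False

    def request(self, amount):
        """Permit a transaction only after a correct PIN and within the limit."""
        if self._destroyed or not self._unlocked or amount <= 0:
            return False
        if sum(self._log) + amount > self._limit:
            return False
        self._log.append(amount)
        return True

    def statement(self):
        """Accumulated transactions, readable only after a correct PIN."""
        ok = self._unlocked and not self._destroyed
        return tuple(self._log) if ok else ()

    @property
    def destroyed(self):
        return self._destroyed


def machine_session(card, pin_entries, amount):
    """Machine side: relay PIN entries and the request, return the signal."""
    for entered in pin_entries:
        if card.check_pin(entered):
            return "go" if card.request(amount) else "not permitted"
        if card.destroyed:
            return "alarm"
    return "incorrect"


def demo():
    card = Identificand()
    card.charge("4711", limit=500)         # constructed sample PIN and limit
    first = machine_session(card, ["1234", "4711"], 300)   # one mistrial, then go
    second = machine_session(card, ["4711"], 300)          # 600 exceeds the limit
    history = card.statement()
    third = machine_session(card, ["0000", "0000"], 50)    # mistrials 2 and 3
    after = machine_session(card, ["4711"], 50)            # correct PIN, dead IC
    return first, second, history, third, after


if __name__ == "__main__":
    print(demo())
```

The machine only ever sees the returned signals; nothing in the model's interface hands the stored PIN back to the caller.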

In "off-line" operations, the data storage device is exchanged at given times for empties, and the recorded information is fed into the host computer for processing. As a result, the host computer maintains files on the account of the identificand's owner so that, depending upon the cycles of data storage device exchange, the central office can keep up-to-date records.

It should be understood that the individual elements of the system of the invention, such as identificands, encoders, checking devices and machines, can also be used in other systems. Consequently, the patentable novelty of the present invention resides not only in the invention system but also in the individual elements of the system both per se or in combination.

While specific embodiments of the invention have been shown and described in detail to illustrate the application of the principles of the invention, it will be understood that the invention may be embodied otherwise without departing from such principles.

Claims (28)

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. In a system, secured against misuse and counterfeiting, for effecting transactions, such as manual or mechanical delivery of commodities, services and money while using identificands, such as credit cards, check cards, cards for automatic machines, coded tokens, keys and the like, provided with identification data, processing data, or both which are readable visually, by a machine, or both, and while using a personal identifying designation, such as a personal identification number (PIN), for verifying the entitlement of the user of the identificand: the improvement comprising, in combination, an identificand having integrally incorporated therein memories for entry and storage of information therein, including a personal identifying designation; at least the memory for entry and storage of the personal identifying designation being chargeable only once via gate means which is then made inoperable, and at least the contents of the memory for the personal identifying designation being available only to data processing means within the identificand; verifying means operable to receive said identificand and apply an input thereto; said data processing means being activated in response to an input from said verifying means to effect checking of the identity and entitlement of a user of said identificand; and input-output means included in said identificand for establishing communication between said identificand and said verifying means; said identificand including means preventing output from at least said memory for the personal identifying designation to said verifying means.
2. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said data processing means comprises a microprocessor controlling and actuating storage and processing operations.
3. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said data processing means comprises an electronic control device in which programs are contained in hard-wired logic.
4. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, including gates interposed between said data processing means and said memories capable of being automatically made inoperable after data have been entered into said memories for the first time.
5. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said personal identifying designation is a personal identification number which can be optional for the entitled owner of the identificand and which can be entered into the memory for entry and storage of the personal identifying designation; said memories including a memory for entry and storage of the identification data and a memory for entry and storage of conditions of use of the identificand.
6. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which a protective code, in the form of a random number, is entered, during manufacture of the identificand, into a first memory which is chargeable only once via gate means which is then made inoperable and is available only to said data processing means within the identificand, on the one hand, and also, on the other hand, as a readable number into a concealed information carrier; the identificand and the concealed information carrier are separately handled prior to delivery of the identificand to a user; the protective code is read from the concealed information carrier and entered into the identificand wherein it is compared internally with the stored protective code for identity; and, responsive to a positive result of such comparison, a release signal is produced by the data processing means for further processing of the identificand; after which a personal identifying designation is entered into a second memory of the identificand.
7. In a system secured against misuse and counterfeiting, the improvement claimed in claim 6, including a read-in gate and a read-out gate interposed between said first memory and said processing unit, and capable of being automatically made inoperable following the initial read-in operation and initial read-out operation, respectively.
8. In a system secured against misuse and counterfeiting, the improvement claimed in claim 6, in which said identificand comprises a plurality of sets of said memories for entry and storage of information therein, including a personal identifying designation and securing data; said plurality of said sets of said memories being connected to said data processing means thereby making possible successive re-uses of said identificand by entering thereinto further protective codes and use information data.
9. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said memories are incorporated in a single integrated circuit with said data processing means.
10. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said memories are incorporated in respective integrated circuits additional to an integrated circuit containing said data processing means.
11. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which the geometric dimensions of electronic components of the identificand, including all the memories and said data processing means, have predetermined maximum magnitude; said verifying means, upon insertion of an identificand thereinto, checking whether, outside the admissible area defined by these maximum geometric dimensions, there are connections for transmitting signals into or out of said admissible area.
12. In a system secured against misuse and counterfeiting, the improvement claimed in claim 11, in which, responsive to presence of said connections, said verifying means releases a signal disabling said electronic components.
13. In a system secured against misuse and counterfeiting, the improvement claimed in claim 11, in which, responsive to the presence of said connections, said verifying means releases a signal interrupting further checking operation of said verifying means.
14. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said verifying means is an automatic machine including a reader into which the identificand is introduced; and screening means interposed between the identificand, in its inserted position, and the environment of said reader, screening the identificand against conduction-independent connections including electromagnetic and mechanical waves.
15. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which said verifying means is an automatic machine including a reader into which the identificand is inserted; and a mechanical closing device included in said machine and operable, responsive to insertion of an identificand into said reader, to interrupt any connections leading from the identificand to the exterior.
16. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, including protective coatings protecting components within said identificand against external wave energy.
17. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which components within said identificand are made inoperable responsive to opening of the identificand or peeling of layers thereof.
18. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which, responsive to non-observance of predetermined checking criteria during use of the identificand, components within said identificand are automatically made inoperable.
19. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, in which, upon non-observance of checking criteria during use of the identificand, components within said identificand deliver a signal to said verifying means.
20. In a system secured against misuse and counterfeiting, the improvement claimed in claim 19, in which said verifying means, responsive to the delivery of said signal thereto from said identificand, prevents further functioning of the components within said identificand.
21. For use in a system secured against misuse and counterfeiting, an identificand having integrally incorporated therein memories for entry and storage of information therein, including a personal identifying designation; at least the memory for entry and storage of the personal identifying designation being chargeable only once via gate means which is then made inoperable, and at least the contents of the memory for the personal identifying designation being available only to circuitry within the identificand; components included in said identificand and activated, responsive to an input to said identificand, to effect checking of the identity and entitlement of a user of said identificand; and input-output means included in said identificand for establishing communication between said identificand and a verifying means; said identificand including means preventing external access to information stored in said memories except through said input-output means when in communication with a verifying means.
22. An identificand, as claimed in claim 21, further comprising a processing unit controlling and actuating the storage and processing operations.
23. An identificand, as claimed in claim 22, including gates interposed between said processing unit and said memories capable of being automatically made inoperable after the allocated data have been entered into said memories for the first time.
24. An identificand, as claimed in claim 21, in which said personal identifying designation is a personal identification number which can be optional for the entitled owner of the identificand and which can be entered into the memory for entry and storage of the personal identifying designation; said memories including a memory for entry and storage of the identification data and a memory for entry and storage of the conditions of use of the identificand.
25. An identificand, as claimed in claim 22, in which a protective code, in the form of a random number, is entered, during manufacturing of the identificand, into a first memory which is chargeable only once via a gate means which is then made inoperable, the stored information being available only to circuitry within the identificand, said number also being provided as a readable number on a concealed information carrier; the identificand and the concealed information carrier being separately handled prior to delivery of the identificand to a user; the protective code being read from the concealed information carrier and entered into the identificand wherein it is compared internally with the stored protective code for identity; and, responsive to a positive result of such comparison, a release signal being produced by the processing unit for further processing of the identificand; after which a personal identifying designation is entered into a second memory of the identificand.
26. An identificand, as claimed in claim 25, comprising a plurality of sets of said memories for entry and storage of information therein, including a personal identifying designation and securing data; said plurality of said sets of memories being connected to said processing unit thereby making possible successive reuses of said identificand by entering thereinto further protective codes and use information data.
27. In a system secured against misuse and counterfeiting, the improvement claimed in claim 1, including means for counting the number of trials of using an incorrect personal identification designation and for preventing the verification of the entitlement of the user of the identificand after a predetermined number of said trials.
28. An identificand, as claimed in claim 21, further comprising means for counting the number of trials of using an incorrect personal identification designation and for preventing the verification of the entitlement of the user of the identificand after a predetermined number of said trials.
CA000285651A 1976-09-06 1977-08-29 Identification system safeguarded against misuse Expired CA1118098A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU4A6599/76 1976-09-06
AU659976 1976-09-06

Publications (1)

Publication Number Publication Date
CA1118098A true CA1118098A (en) 1982-02-09

Family

ID=3697153

Family Applications (1)

Application Number Title Priority Date Filing Date
CA000285651A Expired CA1118098A (en) 1976-09-06 1977-08-29 Identification system safeguarded against misuse

Country Status (1)

Country Link
CA (1) CA1118098A (en)

US7681029B1 (en) Method and device for controlling a portable object life cycle, in particular a smart card

Legal Events

Date Code Title Description
MKEX Expiry