FR2646263A1 - Device for payment by banker's card including an electronic system for authenticating the card and recognising the bearer - Google Patents

Abstract

The invention relates to a device for payment by banker's card including an electronic circuit allowing identification of the bearer and authentication of the card. On acquisition, the bearer inserts two codes c1 and c2, supplied by the authorised body, into two memories which become unmodifiable subsequently. In order to use his card, the bearer makes up his two codes, the comparison of which with those contained in the memory generates, or does not generate, the display of a message of the "valid" type, thus confirming his identity. In order to test the validity of the card, the shop keeper inserts three codes V0, V1 and V2 and compares what results therefrom with a fourth code V3 which is also supplied to him. The card is fitted with an overall circuit cutoff triggered by the succession of a preset number of attempts at introducing invalid codes C1, C2 or triplets V0, V1, V2. Deducing the code C1 knowing C2 or vice versa is made impossible since each card contains an adder systematically adding an unknown number to C1. Pirating of this card is made impossible by resin contacts in the circuit, being destroyed with the least damage to the housing. The card contains an internal battery inserted on manufacture serving as a relay to an interchangeable battery, the charge state of which allows operation of the circuit and possibly neutralisation of it by operating the circuit cutoff. The recording of the debit is done with the traditional "scraper" and withdrawal of money in automatic cash dispensers by virtue of the chip.

Description

 The present invention relates to a credit card payment device comprising an electronic card authentication and carrier recognition system.

 The credit card payment system currently in use does not have all the guarantees expected. Indeed, numerous replications of magnetic cards were possible on simple vision of the number and the name appearing on the card. In addition, the theft of a card still makes it possible to make purchases within the following hours from merchants not equipped with electronic terminals or entering the confidential code restricts fraud.

 The appearance of smart cards makes it almost impossible to reproduce cards. But this does not exclude the possibility remaining for a fraudster to observe the confidential code of an individual to then steal his card and then make purchases, if not withdraw money, because the exit from the smart card is accompanied by independent payment terminals placed at merchants. However, since these are no longer connected to a central computer, the information on the stolen cards no longer circulates and the fraudster is free to operate for a certain time.

 The device according to the invention overcomes all these drawbacks. Indeed, this electronic card identifies its bearer in front of the merchant and authenticates itself. In addition, it excludes the need for any electronic equipment to be placed with traders.

 The reproduction of this new card is also impossible because it requires at least the opening of the electronic card box and this causes the partial destruction of the internal circuits.

 This electronic card is of the calculator type with a liquid crystal screen on one side and has the usual smart card on the other side. It contains a circuit for performing validation operations. This circuit is powered by an interchangeable battery and another battery inserted inside the case during manufacture.

The validation process has two stages
- carrier recognition
- card authentication
The side presenting the usual smart card allows the recording of the debit at the merchant with the "traditional squeegee and carbon paper as well as the withdrawal of money in ATMs thanks to the electronic chip.

When the customer perceives his bank card, a couple # of four-digit codes Ct and C2 is sent to him. This customer begins by typing the code C1 then the code C2; if codes C1 and
C2 correspond via an algotithm ALGO1 then C1 and C2 enter respectively into two memories Meml and Mem2 which close immediately afterwards and definitively.

 From then on, the card holder will have to identify himself as the real owner by typing the codes C1 and C2 which are then compared with the two codes in memory. If the match is good, the screen displays "VALID" as a sign of recognition.

 The merchant must then verify that it is a card issued by the authorized group and not a replica having a function allowing to display "VALID". To do this, the merchant personally has four four-digit codes Vo, V1, Va, and V3. He begins by typing Vo and Vl, V1 enters the algorithm ALGO2 Oct the transformation is calculated according to the parameter Vo. The merchant then types VS which must correspond with the transformed code of V1 via ALGO2 configured by Vo. If the correspondence is good, the screen displays the four-digit number V3 transformed from V2 by ALGO2 always configured with Vo. This then proves that the card does contain the desired algorithm of which the donor organization is the sole holder.

 When recognizing the holder, or authenticating the card, each unsuccessful attempt is counted in a shift register and five consecutive bad attempts activate a circuit breaker putting the card out of service If a good validation appears before the fifth error, the counting of previous errors drops to zero.

The main elements of the circuit are
- Two algorithms ALGO1 and ALGO2 of the cryptosystem type based on revealed keys.

- An ADD adder on a number complemented by two adding a number between O and 9999 (Figure 13)
- Li flip-flops (Figure 5)
- LA and LB scales. (figure 2)
- CMPi comparators. (figure 9)
- DLTi shift registers of the type indicated in figure 8
- A general control circuit (figure 10)
- RS flip-flops (Figure 4 and Figure 10)
- A CpCi circuit breaker. (figure 11)
- A ReAl power relay. figure 3)
- A MULTI2 multiplexer for input control in AL6O2. (Figure 12)
- A buffer memory Bw for display (figure 7)
- A COM1 control block (figure 6)
- The BuDo data bus Figure 1)
The elements ALGOl, and ALGO2 cannot be developed here. If we want to preserve the efficiency of the system, which in no way interferes with the bic articulation of the assembly, which is presented in the following way (see Figure l) .

After putting the card on ON for the first time, the user enters their first code C1 and then presses C1
- C1 is entered by Li and LA.

 - C1 goes from LA in ADD then in ALGO1 and finally in COMPO.

 - C1 goes from LA to CMPI.

The user enters his second C2 code then presses C2
- C2 goes into L2 and Lg.

 - C2 goes into CMPO.

 - C2 goes from Lg in CMP2.

The outputs f of CMP1, 9 of CMP2 and k of CMP0 are connected by an OR and give z. If codes C1 and C2 correspond well via
ALGO1 then the output k of CMP0 is zero and activates the closing of
LA and LB via j.

Thus, at the next recognition operation, the codes Cl and
C2 only enter L1 and L2 respectively and are compared with the codes stored in LA and Lg. The results f and g of the two comparisons then equal zero or one and are always combined with the output k of CMP0 blocked at zero. If the recognition is good, the result gives -zero which commands the display "VALID" on the screen.

 If at initialization, the two codes C1 and C2 do not correspond, then the output k of CMP0 is worth one and prevents the closing of the flip-flops LA and LB. This allows new tests but the information of each bad test is recorded in the shift register DLT1. Thus, after five unsuccessful attempts, the card is put out of service by the CpCi circuit breaker.

 Similarly, in current use, (the storage of C1 and C2 having been made), each attempt at ~ unsuccessful recognition (zri) is recorded in the shift register DLT1. At the end of the fifth test, which is still bad, the output t of DLT1 switches to a which activates the circuit breaker CpCi. If the correct codes appear before a fifth consecutive unsuccessful attempt, then t is zero and previous errors are no longer taken into account.

However, even when the power is turned off, unsuccessful tests remain recorded in memory in the DLT1 shift register.
In current use, the user being recognized as being the owner of the card by typing the codes C1 and C2, a -Message "VALID" is displayed on the screen. Consequently, the output z = O allows the activation of the second control process operated by the merchant.

 The merchant enters his VO parameter code, then presses the Vo key.

 , VC) enters the LVo flip-flop and then into the memory of the ALGO calculation parameter.

 the output s 'of CMP3 being initially at 1 when the power is turned on, s = s' + z is equal to 1 therefore the command e of multi2 is at 1, the multiplexer MULTI2 lets pass the code V1 to come towards ALGD2 (the function of multi2 is: av2 + av1).

 The merchant then types V1 and then presses the V1 key.

VI enters the flip -LVî then in MULTI2 which lets pass V1 in ALGO.
~ V1 is transformed by ALGOL parameterized with VO to give V2 which enters the comparator CMP3.

 The merchant then types V2 and then presses the V2 key.

 ~ V2 enters the LV2 flip-flop then in CMP3.

 If the entered codes V1 and V2 correspond well via ALGO2 configured with VO then the output s 'of CMP3 is worth O and therefore s = s' + z is worth O, which commands the MULTI2 multiplexer via e to let V2 pass.

 ~ V2 goes from MULTI2 to ALGO2 configured with VO to give V3 at the output of ALGO2.

 The buffer memory Sw allows V3 to pass to the data bus.

 Meanwhile the validation of V1 and V2, by passing s from state 1 to state O has acted on the flip-flop RS which then gives a state e = O at output. This output, when it is worth 0, commands the display of the last number entered, in this case here V3.

 ~ V3 then enters CMP3 which then gives an output s' = 1.

 The command e = O due to the previous passage from s to state 0, allows the direct display of V3.

 The passage from s to the high state does not change the state of e which remains at O thanks to the rocker RS.

 The merchant then only has to verify that the number V3 displayed corresponds well with that expected. If this is the case, the card does contain the desired algorithm, so it comes from an organization authorized to issue it.

The card presents a defensive system against fraud attempts concerning the search for codes C1 and C2 which can between
untimely use with search for codes C1 and C2 in memory by entering codes at random. Each code entered does not correspond with Cl or C2 in memory gives a high state at output of CMP1 or CMP2, this state gives z = 1 which enters so in
DLT1.Whenever a pair of code (Cî, C2) is entered, the shift is made in DLT1 and five consecutive errors, five times z = 1, result in t = 1, which state high for t activates the cut -circuit CpCi which then condemns the card by preventing the entry of data. The probability of finding (C1FC2) fortuitously is therefore 5/100 000 000 000, that is to say almost zero.

 to prevent the deduction of the C1 code knowing C2 or vice versa, an adder ADD + is placed before entering ALGO1 and allows the addition of a number between O and 9999 a Cl.

 For a series of 10,000 bank cards an adder is added adding a given number, which for the same algorithm ALGO1 will give couples CC1, C2) different for each adder.

 Thus the card holder can always type one of the two codes being exposed to the views of those around them without it being possible to deduce the other code, even by knowing the ALGO1 algorithm.

any attempt to reset the circuits to zero is made impossible by the installation of a battery inside the case during manufacture. Current power is supplied by an interchangeable battery. When the latter is worn and goes below a certain voltage threshold, the internal battery takes over.
ReAl) and wear is indicated by a symbol on the liquid crystal display.

 Similarly, if the interchangeable battery is not replaced, the wear of the internal battery beyond a certain threshold activates the CpCi circuit breaker. Otherwise, once the internal battery is discharged, it would be enough to dare the interchangeable battery for resetting and clearing recorded errors.

 The card also has protection against hacking attempts of the ALGO2 authentication algorithm.

 indeed, the circuit as a whole will present resin contacts which make the opening of the case in vain - for an examination of the circuits therein.

 the authentication of the card made by the merchant requires three codes VO, Vî, V2, one of which is used as a calculation parameter for ALGO2. This process makes it possible to have 100,000,000 combinations to provide to merchants, say that only a small part of the combinations is provided to them and the remaining ones can be given their title later. This avoids an attempt to collect massive combinations followed by the manufacture of cards containing an adequate algorithm since these combinations can very well vary from day to day the next day for a trader gives last will check then that this possible false card does not release the new code V3 'corresponding to the new codes VO', V1 ', V2' which it will have recently received.

moreover, an attempt to collect combinations by entering codes VO, V1, V2 at random which give a certain number
V3 on display if the match is good is possible. But it is made extremely difficult by the fact that this search represents 1,000,000,000,000 possibilities to examine. In addition, each unsuccessful test gives a state 5 = 1 which return to
DLT2, which shift register after five bad attempts exits a high state which activates the circuit breaker. # This forces potential fraudsters to retype a good combination every five tries.

  we can also, as a remark, adapt a counter which limits the number of validations with VO, Vl, V2 to around 5000 per year which would force a possible fraudster to find 200,000,000 acolytes to examine the 1,000,000,000,000 of possibilities.

 The authentication part operated by ALGO2 therefore presents an almost total guarantee because if we can know a certain number of combinations (V0, V1, V2), obtaining the complete set is impossible. However, a partial knowledge of all the combinations does nothing for fraudsters.

Claims (7)

Claims 1) Payment device by bank card comprising an electronic card authentication and carrier recognition system characterized by a circuit comprising Two algorithms ALGO1 and ALGO2, an adder ADD, a multiplexer MULTI2, a buffer memory Bw, flip-flops Li, comparators CMPI, shift registers DLTi, a flip-flop RS, a power supply relay, a circuit breaker CpCi, command blocks, the BuDo data bus, all powered by interchangeable battery and internal battery in the box serving as a relay. This circuit makes it possible to compare two codes C1 and C2 entered by the user with two codes already in memory to validate the reconquest. then signified by the notched display of "VALID" if the correspondence is good and allows authentication of the card by the merchant by displaying a certain number V3 if three entered codes Vg, V1, V2 match well via the ALGO2 algorithm. 2) Device according to claim 1) characterized in that the codes CI and C2 are only definitively stored in memory if the correspondence between C1 and C2 via ALGO1 is good. (output from CMP0 to zero). 3) Device according to claim 1) and claim 2) characterized in that the adder adds a number -between O and 9999 not known to the code C1 preventing a systematic deduction of C1 as a function of C2 and vice versa. 4) Device according to claim 1) characterized in that the code Vo serves as a calculation parameter for the transformation of V1 by ALGO2 before the comparison with the code Vz, which comparison, if it is good, allows the display of a number V3 transformed from V2 by ALGO2 always parameterized by Vo. 5) Device according to claims 1), claim 2) and claim 4) characterized in that five consecutive incorrect tests of couples (C1, C2), just like five consecutive incorrect tests of triplets (Vo, V1tV2) operate the circuit breaker CpCi via shift registers.  6) Device according to claim 1) characterized in that the card housing contains an internal battery serving as a relay to the interchangeable battery and in that this same internal battery actuates the circuit breaker CpCi when it passes below a voltage threshold, in order to avoid possible reset of the circuit. 7) Device according to claim 1) characterized in that the circuit includes resin contacts which are destroyed when the case is opened to avoid any electronic piracy