FR2819067A1 - Method for controlling access to a secure system, such as an automatic teller machine, using a keyboard for PIN entry, where the values of the keys displayed on a touch screen are changed in a random manner to prevent fraud - Google Patents

Abstract

Method for increasing system access security that can be accessed by a secret code, such as a PIN. Accordingly in an access terminal a touch screen (3) is used with contact zones that change in a random manner when each system access is made. The touch screen is used with a display screen (4). An Independent claim is made for an interface device (2) allowing access to a secure system (1). The device has a touch screen (3) with a display (4), the display making a group (5) of symbols appear on the touch screen corresponding to a group (6) of contact zones on the display screen with a temporary random association between them.

Description

<Desc / Clms Page number 1>

Method for managing access to a sensitive system, its access console and its associated use.

 The present invention relates to a method for managing access to a sensitive system. It also relates to an access desk and associated uses. It applies more particularly to smart card readers such as in ATMs or more generally in smart card payment devices, these devices generally comprising a keyboard. It also applies to all systems to which a user can access by means of a code activated via a keyboard. In addition to those previously mentioned, this is also the case for devices for accessing sensitive premises such as a building, a warehouse, etc. In these latter cases, these are devices which allow or not to authorize a passage. from a first place with a first level of security to a second place with a second level of security more stringent than the first. The sensitive adjective indicates that access to one of these devices or premises must be controlled.

 Currently, to access these sensitive systems or premises to which access is restricted, it is generally necessary to inform an access control interface using a code, the interface for this purpose comprising a keyboard with keys or a touch screen with contact surfaces. In addition, this code can possibly be associated with the use of a card, the interface consequently comprising a smart card reader.

 Securing access to these systems is becoming increasingly complex. However, this complexity only benefits in cases where a third party would try to implement a means making it possible to deceive the system access control device such as a false card for example.

However, there is a simpler route that is a security hole.

<Desc / Clms Page number 2>

 Indeed, it may be that the third party has stolen a card and knows the secret code or that he had access to the access code to a sensitive room. In this case, the only solution is to make this card or access code unusable by filling in the appropriate database or by changing the access code.

However, the period between the moment when you become aware of the theft and the time when the card and / or code is inactive is generally long enough for the thief to have time to use the card or enter the place. with restricted access as appropriate. In addition, this way of doing things is much less restrictive for thieves than that which consists in trying to break an encryption algorithm. This therefore constitutes an increasingly preferred route for accessing a secure system.

 This is why interface devices with sensitive systems present problems. When a user fills in an access control interface with his code, he successively presses a set of keys or contact surfaces and then validates this code.

This makes it easy for a third party to view the entered sequence or even to view the code directly. Once the sequence is visualized, it is just as easy to deduce the code.

 In places with high traffic such as shopping centers, restaurants, concert halls etc ... It is common to see queues or groups forming around payment places. Payments by bank cards are frequent. Generally, payment can be made, and this is often the case, via a remote keyboard, whether or not including an integrated smart card reader. Confidentiality cannot be effectively guaranteed due to the proximity effect due to these groups of people. Thus, the keyboard is found within sight of third parties.

 An improvement in confidentiality is often accompanied by a sharp decrease in terms of ease of access to the keyboard. Indeed, an achievement often consists in placing the keyboard in a place difficult to access visually. However, this difficulty in visual access is accompanied by

<Desc / Clms Page number 3>

 generally a physical difficulty of access. The place is cramped, which sometimes leads to a vicious effect, which consists in seeking a position as comfortable as possible and which most often corresponds to a position once again allowing visual access to the code or the gestural sequence making it possible to deduct the secret code.

 The problem is the same with regard to controlling access to places where access is limited, such as premises containing dangerous or precious products, military premises, private premises such as buildings, companies or warehouses, etc. ... or simply premises to which you wish to restrict access.

 In addition, the use of a touch screen is known, the viewing angle of which is small. A viewing angle corresponds to an angle formed between a position along a normal to the viewing surface, for which one is facing, and an eccentric position, for which one is on the side. If this angle is small then a display of information displayed on the screen is impossible directly when one is beyond this eccentric position. Thus, you can only view the code if you are in front of the screen.

 However, a problem with the known key layout persists. Indeed, one can easily determine, a posteriori, the access code. To do this, it suffices to locate a position of the contact surfaces selected by a user. It is also common to see users having their cards stolen once the code viewed or determined a posteriori. It only remains for the thief to find a distributor to complete the next step in his package and enter the code to access the sensitive system. This is all the easier since generally there are several attempts to enter a correct code, and therefore a fortiori the thief too.

 The only solution currently found to reduce this risk is to affix an indication around the interface of the type "compose your code away from prying eyes". This has

<Desc / Clms Page number 4>

 consequence of making users uncomfortable because they become anxious at the idea that someone other than them can know their secret code and as well as the access which they believed secure was no longer. In addition, it is the user who becomes responsible for this intelligence phase for which a level of security will therefore depend on the behavior of the user facing the control interface.

 The object of the invention is to solve these problems by proposing a method making it possible to make a link between a contact surface and an associated value unintelligible. This is achieved by making variable an association between a layout of the keys or contact surfaces and a code value. The invention thus provides a control console for implementing the method of the invention, as well as a use mainly in the field of payment chip card readers.

une suite personnalisée de symboles, selon lequel : - on renseigne, pour une demande d'accès, un moyen d'interface avec une suite de symboles à l'aide de zones de contacts chacune associée à un symbole, le moyen d'interface coopérant avec un moyen de contrôle permettant d'autoriser cette demande d'accès au système sensible si la suite de symboles entrés est valide, caractérisé en ce que : - on produit aléatoirement et ou temporairement, pour une demande d'accès, une association entre un symbole et une zone de contact. The subject of the invention is therefore a method of securing access to a sensitive system, accessible by a secret code, a secret code being

a personalized series of symbols, according to which: - information is given, for an access request, by an interface means with a series of symbols using contact zones each associated with a symbol, the cooperating interface means with a control means making it possible to authorize this request for access to the sensitive system if the sequence of symbols entered is valid, characterized in that: - an association is created randomly and or temporarily for an access request symbol and a contact area.

 It relates to an interface device allowing access to a sensitive system characterized in that it comprises a touch screen associated with a display, the display showing a keyboard with a group of symbols and the touch screen comprising a group of contact zones and in that each contact zone is associated randomly and or temporarily with a symbol.

<Desc / Clms Page number 5>

 It also relates to use in a keyboard for accessing a sensitive system.

 The invention will be better understood on reading the description which follows and on examining the figures which accompany it. These are presented for information only and in no way limit the invention. The figures show: - Figure 1: A representation in a simplified form of an architecture of a sensitive system implementing the invention.

 - Figure 2a: An example of screen representation before an access request.

 - Figure 2b: An example of screen representation during an access request.

 Figure 1 shows a sensitive system 1. This system 1 is, in one example, a cash dispenser. However, system 1 could also be a room to which access must be restricted (dangerous room, private, etc.). More generally, the system 1 represents any set for which access is subject to the entry of an identification code, by means of a keyboard. Access to this system 1 is controlled by an interface device 2 hereinafter called interface 2. The interface 2 is shown in a simplified and exploded form.

 The interface 2 thus comprises a touch screen 3 associated with a display 4 showing a group 5 of symbols. Screen 3 includes a group 6 of contact zones. Each contact zone is associated with an opposite symbol broadcast by the display 4. Thus, an authorization to access the system 1 is subject to the reading of a secret code by the interface 2 and to its validation. To inform the interface 2, it suffices to dial a code by selecting, by pressing for example, the contact zones on the screen 3 associated with the symbols forming this secret code. Authorization to access system 1 is subject to prior checking of the validity of an access request.

 Thus, the association between the screen 3 and the display 4 forms a man-machine interface in the sense that the display 4 makes it possible to broadcast a

<Desc / Clms Page number 6>

 visual information such as a keyboard image and screen 3 allows parameters such as a code to be entered. Generally, the screen 3 and the display 4 are superimposed and pressed one against the other, the display 4 thus diffusing an image through the screen 3 which is of transparent structure. A principle of assembly of the screen 3 and the display 4 is known from the state of the art. Thereafter, a touch screen will be called the assembly formed by a screen or even touch support and a display of the liquid crystal type for example.

 The interface 2 therefore includes a microprocessor 7 controlled by an access control means 8. This means 8 takes the form, in one example, of a program 8 saved in a program memory 9 of the interface 2 for example. In addition, an activation of a contact zone on the screen 3 is detected by means of a decoder 10. This decoder 10 is responsible for determining the coordinates of the activated zone. These coordinates can for example be a pair of x values, y representing the central point of the area considered, the x and y values then being able to be a row number and a column number respectively.

chaque information de localisation est sauvegardée dans un champ 13~1, 13~2 à 13n. De plus, chaque champ 13~1 à 13n est associé avec un champ 14~1 à 14n respectivement, chaque champ 141 à 14~n comportant une information permettant d'identifier un symbole. On obtient ainsi une table 15 de définition du clavier occupant une partie de la mémoire 12. En outre, Thus, a means 11 is responsible for managing the decoding of the information supplied by the decoder 10. This means 11 takes the form, in one example, of a program 11, this program 11 being saved in the memory 9 for example. The program 11, with the help of the microprocessor 7, determines to which contact zone these coordinates relate. For this, the interface 2 includes a memory 12 for saving location information, in the interface 2 for example, making it possible to know the location of a contact area and therefore the symbol associated with this contact area. In an example of memory organization 12,

each location information is saved in a field 13 ~ 1, 13 ~ 2 to 13n. In addition, each field 13 ~ 1 to 13n is associated with a field 14 ~ 1 to 14n respectively, each field 141 to 14 ~ n comprising information making it possible to identify a symbol. A keyboard definition table 15 is thus obtained occupying part of the memory 12. In addition,

<Desc / Clms Page number 7>

 the interface 2 includes a means 16 for managing the display on the screen 4, in particular of the group 5 of symbols. This means 16 takes the form, in one example, of a program 16 saved in memory 9 for example.

 Thus, the program 16 controls the microprocessor 7 to display on the screen 4 a symbol in the form of a value, for example using also a display management device 17. This value is found next to a contact area depending on the association between a contact area and a display area according to table 15.

 The programs saved in the memory 9 control the microprocessor 7 and supply data to the devices 10 and 17 using a bus 18 of data, commands and addresses. In addition, a bus 19 of data, commands and addresses connects the decoder 10 and the screen 3. Finally, a bus 20 of data, commands and addresses connects the device 17 and the screen 4.

 Screen 3 is a tactile support for which different technologies are candidates. One can indeed use a so-called infrared technology based on a group of optical switches, a so-called acoustic wave technology, a so-called capacitive technology, or even a so-called resistive technology. The choice of one of these technologies, or even another, depends in particular on the environment in which the touch screen 3 is placed (temperature, dust, humidity, etc.) but also on the use to which it is intended (frequency of use ...).

 The decoder 10 includes all the elements necessary for decoding and identifying a contact area when the screen is pressed. Likewise, the device 4 includes all those necessary for controlling a screen d 'display such as the screen 4. These elements are not shown as known and useless for understanding the invention. An embodiment of the display 4 is obtained using any type of device allowing the visual diffusion of an image such as a liquid crystal display for example.

<Desc / Clms Page number 8>

champs 131 à 13~n et un contenu des champs 141 à 14n. Cette modification intervient à chaque demande d'accès. The interface 2 includes a means 21 for securing a use of this interface 2. This means 21 is, in one example, in the form of a program 21 saved in the memory 9 for example. One operation of this program 9 consists in randomly and or temporarily producing, for an access request, an association between a symbol and a contact area. This thus amounts to modifying, according to a procedure managed by program 21, an association between the content of the

fields 131 to 13 ~ n and the content of fields 141 to 14n. This modification occurs at each access request.

 There are systems, such as cash dispensers, for which multiple attempts, three in this example, are allowed. Indeed, in this kind of system, several attempts are authorized for a user because the latter may very well make an error when entering his secret code using the interface 2. In this case, two possibilities are possible. offer to the invention either the association is changed with each new entry or the association is only changed for each new access request. Thus, with this last preferred possibility, the user will not be disturbed by this modification which will therefore not take place during the last two input possibilities.

 In the example of a cash dispenser, the interface 2 also comprises a smart card reader 22 of known embodiment. Thus, the system 1 then corresponds to the part of the distributor where a reserve of money is stored and where personal information on the holder of the account associated with a chip card 23 is stored.

131 à 13n avec un contenu des champs 141 à 14~n. Pour cela, le programme 21 utilise une procédure spécifique d'association. In an example of operation of this cash dispenser, the card holder 23 inserts the latter into the reader 22. The reader 22 then transmits the access request to the program 8. Consequently, the latter calls on program 21 responsible then for associating a content of the fields

131 to 13n with the content of fields 141 to 14 ~ n. For this, the program 21 uses a specific association procedure.

<Desc / Clms Page number 9>

 An example of a procedure can consist of the use of an algorithm making it possible to calculate positions by following either a random law or a pseudo-random law. A random law can be obtained by using a function allowing to produce a random value ie unknown a priori. This random value makes it possible to select a value from among several, for example a value between 0 and 9. The value thus obtained is associated with the content of the field 14 ~ 1 to 14 ~ n considered. The operation is repeated until the available values are exhausted, a selected value being removed from the list.

 Other procedures can be envisaged, for example the selection of a list of predefined associations from among several. In this case a random selection will be more efficient than a sequential selection also called pseudo-random. The random term is understood as the fact for the program 21 to have no a priori knowledge of the selected value. Thus, and in a simple example, we alternate, randomly or not, between two configurations (1,2, 3 ...) or (9,8, 7 ...) which are known and which people have the used to use. We can also predefine a certain number of configurations and we select, randomly preferably, one configuration each time from those available. Indeed, if the selection is not random then it suffices to know the previous one to deduce that proposed at a given time to a user requesting access.

 The term temporarily is understood to mean that the association between a contact area and a displayed symbol is variable and is not definitive after the installation of the interface 2 in order to ensure access control to the system 1.

 Once the association phase is complete, the program 8 calls on the program 16 which will control the display device 17 as a function of the association thus memorized in the memory 12. Then the program 8 controls the program 11 which is waits for a press on the touch screen 3. Thus, the program 11 decodes a series of presses on

<Desc / Clms Page number 10>

 the screen 3 and transmits this series through the bus 18 to the program 8. The program 8 then uses an authentication procedure using in particular the generally encrypted data present in the card 23.

 If the access request is valid then the program 8 uses a navigation program 24 among the various services that can be offered to card holders 23. These services can be, for example, a request to withdraw a sum of money or a consultation of personal information. This program 25 thus offers services offered by the operator managing the distributor, a bank for example.

 The interface 2 can also be a mobile device or not associated with a payment terminal. These types of devices are found mainly in points of sale. Thus, the interface 2 is generally mobile and connected to the payment terminal by a wired, infrared or other link. In this case the system 1 includes in particular the payment terminal but also an access to a center responsible for authorizing or not said payment.

 In these last two examples, the operator can choose to authorize or not three tests before invalidating the access request. In the case where system 1 is a place of access, the same procedure can be respected but the procedure will be preferred to a single test. Thus, in the latter case, after entering an incorrect code, with or without pressing a validation key, the program 8 commands a new association, several incorrect entries being able to lead to the emission of a message of alarm.

 Once the access is authorized, the program 8 commands the deletion of the association in court, this to avoid that a third party has access to the position of the values and thus to the code if it has identified the contact areas which have been pressed. . Thus, an activation of the display of a group of values on the screen 4 can be triggered by the insertion of the card 23 for example or by a key on the screen 3.

 In a variant for managing the display of a screen waiting for an access request, values are displayed instead, generally 0 to

<Desc / Clms Page number 11>

 9, a series of symbols unrelated to these values. For example, when the interface 2 is waiting for an access request, the program 8 commands the display of a symbol such as the symbol * and this in place of each of the values. For this, the program 8 controls the association of the content of each field 13 ~ 1 to 13n with the content of fields 14 ~ 1 to 14 ~ n the symbol *. FIG. 2a shows an example of display on the screen 4 before an access request.

Figure 2b shows an example of screen representation during an access request. Figures 2a and 2b further show the presence of zones 25, 26 and 27 for validation, correction and cancellation respectively. These keys in particular allow the user to have control over the navigation proposed by the program 24 when one is in the case of a bank distributor. However, a position of these keys can perfectly be constant. In fact, these keys 25, 26 and 27 do not affect security as regards a request for access to the system 1.

In a variant, the associations between the fields 13 ~ 1 to 13 ~ n and the content of the fields 14 ~ 1 to 14n are kept constant. However, it is the content of fields 13 ~ 1 to 13 ~ n which changes, ie the location information of the contact areas. Thus, a relative position of group 5 is variable on screen 4. Consequently, an association between a contact area and a symbol is constant. However, securing the access request is much weaker. Indeed, the order being constant one can find, all the more easily that one is authorized with a high number of attempts, a sequence of symbols by having memorized the movement of the hand of the user who enters the code secret.

 In a preferred alternative embodiment of the screen 4, a radiation pattern, or even narrow angle of view, is ensured during the manufacture of the latter. This angle of view is measured relative to a normal to the surface of the screen 4. Thus, one obtains, by revolution around the normal, a

<Desc / Clms Page number 12>

 cone whose apex is on the screen 4. In an exemplary embodiment, this angle of view is less than 30. More generally, this angle is of a value such that a third, next to the user, is outside the cone thus defined. In addition, a brightness of this screen 4 is set to the lowest. That is to say that the length of the normal is of finite length, for example of the order of a meter. Thus, a third party placed next to or behind the user will not see the information displayed on the screen 4.

 In a variant, the card 23 is personalized with user identification information. This variant provides the same level of security for people with vision problems in particular. This information is transmitted to the program 8 after insertion of the card 23 into the reader 22. Following the presence of this information in the card 23, the program 8 commands a display on the screen 4 of a group 5 whose organization is known. of the user. In addition, in this variant, the screen 3 comprises on its contact surface a tactile reference means. This way of marking, a relief for example, allows the visually impaired person to find their way and thus to know more precisely where the symbols useful for the secret code are.

 Thus, the invention finds a very particular use in a bank type distributor or in a system 1 for which the interface 2 is mobile and or detached from the sensitive system. More generally, the invention is used in keyboards for accessing sensitive systems as defined above.

 In addition, the means 8, 9, 11, 16 can be produced using specialized circuits such as one or more ASICs (Application Specific Integrated Circuits in English for integrated circuits of specific application) or even using simple electronic circuits. In addition, access to these different means can advantageously be controlled by passwords and other encryption keys.

Claims (9)

 1-Method for securing access to a sensitive system (1), accessible by a secret code, a secret code being a personalized series of symbols, according to which: - a means (for an access request) 2) interface with a series of symbols using contact zones each associated with a symbol, the interface means cooperating with an access control means (8) making it possible to authorize this access request to the sensitive system if the sequence of symbols entered is valid, characterized in that: - an association between a symbol and a contact area is produced randomly and or temporarily, for an access request. 2-A method according to claim 1 characterized in that: - any association between a contact area and a symbol between two access requests is deactivated. 3-A method according to claim 1 or 2 characterized in that: - the interface means is produced with a touch screen (3) and a display (4); in that: - a representation of a keyboard is displayed on the display with a group (5) of symbols displayed opposite each of a zone of

 touch screen contact; and in that: - the interface means are informed by acting on a series of contact zones as a function of the symbols constituting the series of symbols to be entered. 4-A method according to claim 3 characterized in that: - a fixed arrangement is kept between two erroneous codes; <Desc / Clms Page number 14>  and in that: a position of the assembly formed by the group of symbols and their contact area associated with each new code is moved.

5-Device (2) for interface allowing access to a sensitive system (1) characterized in that it comprises a touch screen (3) associated with a display (4), the display showing a keyboard with a group (5) of symbols and the touch screen comprising a group (6) of contact zones and in that each contact zone is associated randomly and or temporarily with a symbol. 6-interface device according to claim 5 characterized in that a radiation pattern of the display is narrow and or reduced brightness. 7-interface device according to claim 6 characterized in that an emission angle relative to a normal to the surface of the display is less than 30 degrees. 8-Interface device according to one of claims 5 to 7 characterized in that it comprises a tactile marker means for locating by touch a position of the contact areas. 9- Use of the method according to one of claims 1 to 4 and or of the interface device according to one of claims 5 to 8 in an access keyboard to a sensitive system.