GB2445181A - Partial PIN entry for authorisation - Google Patents

Partial PIN entry for authorisation Download PDF

Info

Publication number
GB2445181A
GB2445181A
Authority
GB
United Kingdom
Prior art keywords
characters
reader
pin
user
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0625886A
Other versions
GB0625886D0 (en)
Inventor
George Evans
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to GB0625886A
Publication of GB0625886D0
Publication of GB2445181A
Legal status: Withdrawn (current)

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code
    • G07F7/105Only a part of the PIN is required to be input
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025Identification of user by a PIN code
    • G07F7/1058PIN is checked locally
    • G07F7/1066PIN data being compared to data on card

Abstract

A method for authorising a transaction using a data carrying article such as a chip and pin card (or bankcard) at for example an ATM or Point of Sales. The method includes requesting that a user enters one or more, but not all, of the plurality of characters of a PIN, receiving an entry of one or more characters from the user, electronically reading data from the data carrying article, using the data to determine whether the one or more characters are valid and authorising a transaction if the one or more characters are valid. The invention also comprises a reader and software that causes a reader to operate in accordance with the method.

Description

IMPROVEMENTS IN OR RELATING TO AUTHORIZING A
TRANSACTION
This invention concerns improvements in or relating to authorizing a transaction using a data carrying article, such as a bankcard, and a personal identification number (PIN).
Conventionally, bankcards are authorised by a reader at the point of sale (POS) or by an automated teller machine (ATM). Bankcards of the "chip and pin" type can be authorised by the user inputting into the reader a secret PIN associated with the bankcard. If the PIN is correct the reader authorises a transaction.
However, a problem with this authorisation method is that third parties can obtain the secret PIN by watching the user input the PIN into the reader, typically termed "shoulder surfing". These third parties can then steal the bankcard and authorise further transactions as they have knowledge of the PIN.
Efforts have been made to hinder third parties watching a user input his/her PIN into a reader, for example by providing a guard around the keypad or by providing exclusion areas around the reader. However, none of these methods guarantee that a third party cannot obtain the entire PIN by watching the user input the PIN into a reader.
According to a first aspect of the invention there is provided a method of authorising a transaction comprising requesting that the user enters one or more, but not all, of the plurality of characters of a PIN, receiving an entry of one or more characters from the user, electronically reading data from a data carrying article, using the data to determine whether the one or more characters are valid and authorising a transaction if the one or more characters are valid.
It will be understood that the use of the term "personal identification number" or "PIN" in relation to the invention means a sequence of characters that is not limited to numbers but may include other characters, such as letters, punctuation, or symbols, unless otherwise stated.
The invention is advantageous as, for any one transaction, when a user enters the requested characters of the PIN, at best, a third party will only be able to obtain the proportion of the PIN that has been entered.
Therefore, if the third party was to steal the article, such as the bankcard, he/she may not be able to use the article to authorise a subsequent transaction because different characters of the PIN may have to be entered to authorise the subsequent transaction. The method of the invention therefore provides increased security.
The method may comprise determining the one or more characters of the PIN the user is requested to enter randomly or at least pseudo-randomly.
This is an advantage as a third party wanting to steal the entire PIN does not know how many transactions have to be observed before he/she can piece together the whole PIN. The more transactions the third party has to observe, the more difficult it becomes to obtain the PIN surreptitiously.
Alternatively, the one or more characters of the PIN the user is requested to enter are those that are next in a predetermined sequence. The predetermined sequence may be to cycle through the characters of the PIN based on placement of the characters in the PIN, for example, the predetermined sequence may be for the first transaction the user is requested to enter the first character of the PIN, for the second transaction the user is requested to enter the second character of the PIN and so on until all the characters of the PIN are exhausted at which point the sequence begins again. It will be understood however that the predetermined sequence may not be a cycle through characters of the PIN by placement and other sequences are envisaged.
In this arrangement, the article may comprise means for storing an indication of a position in the predetermined sequence. Alternatively, the method may comprise determining a position in the predetermined sequence from a central server.
The invention is not limited to the user entering a single character of the PIN to authorise a transaction; other arrangements are envisaged. For instance, the user may be requested to enter two or more, three or more or four or more characters of the PIN. It is generally expected that the entry of four numbers provides sufficiently low odds of a person guessing the required entry while allowing a user three attempts to enter the required numbers. However, where the PIN comprises other characters, such as letters or punctuation, the entry of fewer characters may be acceptable.
Accordingly, in one embodiment the PIN can comprise non-numeric symbols such as letters and/or punctuation. However, in an alternative embodiment, the PIN can only comprise numbers. This allows the method to be incorporated into current readers.
The PIN may comprise more than four characters, in particular the PIN may comprise five to seven characters. Five to seven characters are deemed appropriate because the average adult has a memory span that can retain numerical sequences of the order of this length. PINs longer than this will become difficult to memorise.
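The two quantitative claims made above (that requesting only some characters still leaves a guesser "sufficiently low odds" across three attempts, and that a shoulder surfer facing randomly chosen positions cannot know how many transactions must be watched) can be checked with a short calculation. The following is an added example, not part of the patent text or any issuer's code; alphabet sizes, the three-attempt limit and the assumption that the cyclic variant requests consecutive positions are illustration choices. It also covers the 0 to 99 grouping described later in the description, which is simply an alphabet of 100 symbols.

```python
"""Odds analysis for partial PIN entry (added example, not the patent's text).

Quantifies two claims in the description: asking for k of the n PIN characters
from an alphabet of size a leaves a stranger guessing odds of a**-k per
attempt, and a shoulder surfer who sees only k random positions per
transaction must watch several transactions before the whole PIN is known.
Alphabet sizes, the three-attempt limit and the consecutive-window assumption
for the cyclic variant are illustration choices, not values fixed by the patent.
"""
from fractions import Fraction
from math import ceil, comb


def guess_success_probability(alphabet_size: int, requested: int,
                              attempts: int = 3) -> Fraction:
    """Chance that someone with no knowledge of the PIN is authorised within
    `attempts` tries at a challenge for `requested` characters.

    The requested positions stay fixed for the transaction, so each failed
    try rules out one of alphabet_size**requested candidate answers."""
    candidates = alphabet_size ** requested
    return Fraction(min(attempts, candidates), candidates)


def expected_transactions_random(pin_length: int, requested: int) -> Fraction:
    """Expected number of transactions a shoulder surfer must observe before
    every PIN position has been entered at least once, when the reader picks
    a uniformly random set of `requested` positions each time.

    Markov chain on s = number of positions already seen; the number of new
    positions revealed by one transaction is hypergeometric."""
    n, k = pin_length, requested
    if not 0 < k < n:
        raise ValueError("must request at least one but not all characters")
    total = comb(n, k)
    remaining = [Fraction(0)] * (n + 1)   # remaining[s]: transactions still needed
    for s in range(n - 1, -1, -1):
        # p_new[j]: probability that j of the k requested positions are new
        p_new = {j: Fraction(comb(n - s, j) * comb(s, k - j), total)
                 for j in range(0, min(k, n - s) + 1)}
        # remaining[s] = 1 + sum_j p_new[j] * remaining[s + j]; solve for the j = 0 self-loop
        remaining[s] = (1 + sum(p * remaining[s + j]
                                for j, p in p_new.items() if j > 0)) / (1 - p_new[0])
    return remaining[0]


def transactions_to_observe_cyclic(pin_length: int, requested: int) -> int:
    """Same question for the predetermined-sequence variant: positions are
    requested in order, `requested` consecutive ones per transaction, so the
    whole PIN is exposed after a fixed, predictable number of transactions."""
    return ceil(pin_length / requested)


if __name__ == "__main__":
    # Digits only (alphabet 10), as for current keypads; then the 0-99 grouping (alphabet 100)
    for alphabet, n, k in [(10, 4, 4), (10, 4, 2), (10, 6, 4), (100, 3, 1)]:
        print(f"alphabet={alphabet:<3} n={n} k={k}: "
              f"guess odds (3 tries) = {guess_success_probability(alphabet, k)}",
              end="")
        if k < n:
            print(f", E[transactions to see whole PIN] random = "
                  f"{float(expected_transactions_random(n, k)):.2f}, "
                  f"cyclic = {transactions_to_observe_cyclic(n, k)}")
        else:
            print()
```

The arithmetic makes the trade-off explicit: requesting 2 of 4 digits gives a guesser 3/100 in three tries, a hundred times the 3/10000 of a full four-digit PIN, which is why the description wants four characters requested when the PIN is numeric. It also shows why random selection is preferred over the cycle: with random 2-of-4 selection a shoulder surfer needs 3.8 observed transactions on average with no way to know when the set is complete, whereas the cycle exposes everything after exactly two.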
Preferably, the article is a bankcard and the transaction is a financial transaction.
According to a second aspect to the invention there is provided a computer readable medium having stored thereon instructions which when executed on a processor of a reader causes the reader to carry out the method of the first aspect of the invention.
According to a third aspect of the invention there is provided a reader comprising means for reading a data carrying article, a display and input means for a user to enter characters into the reader, wherein the reader is arranged to display a request for a user to enter one or more, but not all, of the plurality of characters of the PIN, to receive an entry of one or more characters from the input means, to read data from the data carrying article, to use the data to determine whether the one or more characters are valid and generate a signal authorising a transaction if the one or more characters are valid.
The reader may comprise means to receive a signal from a central server that determines the one or more characters the user is requested to enter.
The reader may be a bankcard reader, such as a reader at the point of sale or an ATM.
The article may be a bankcard and the PIN may be encoded on the bankcard by any suitable means, but in a preferred embodiment the bankcard is a "chip and pin" card comprising an embedded microchip having the PIN encoded thereon, the microchip being readable by a suitable device.
The one or more characters entered by the user will be found to be valid if they match the one or more characters of the PIN the user was requested to enter.
An embodiment of the invention will now be described, by example only, with reference to the accompanying drawings in which:-FIGURE 1 shows a schematic view of a bankcard reader according to the invention; and FIGURE 2 shows a flow chart of the steps of authorising a bankcard carried out by the bankcard reader in accordance with the invention.
Referring to Figures 1 and 2, a bankcard reader according to the invention comprises a microchip reader 1, a display 2 and a keypad 3 providing means for a user to enter characters (in this case numerical characters 0 to 9 and symbols * and #). Each of these devices 1, 2 and 3 are in two-way communication (as indicated by the arrows) with a control unit 4. The control unit 4 will typically comprise a processor and memory (not shown) that stores amongst other things, a computer program that causes the reader to operate in accordance with the invention, which will now be described with reference to Figure 2.
On being activated for a transaction, for example by a shopkeeper, the reader waits for a bankcard to be inserted in a slot of the microchip reader 1. On detecting a bankcard in step 101, the microchip reader is operated in step 102 to read data from the microchip embedded in the bankcard.
The nature of the transaction, such as the amount of money to be transferred, may be inputted into the reader before or after the bankcard has been inserted in to the slot of the microchip reader.
After reading the microchip of the bankcard, in step 103 the control unit 4 randomly determines which two numbers of the PIN the user is required to enter to authorise the transaction. It will be understood that in other embodiments, the number of numbers that need to be entered to authorize the transaction may be different. As the random determination is carried out by a computer processor, it will be understood that the determination may only be pseudo-random in so far as it is generated by a finite computation.
The control unit 4 then causes the display 2 to display a request that the user enters the required numbers of the PIN. The numbers that need to be entered are referred to by their position in the PIN. An illustration of such a display is shown in Figure 1. In response to the request, the user can enter numbers into the reader using the keypad 3.
Once the user has entered the numbers using the keypad 3, the characters are received by the control unit 4 and the control unit determines whether the numbers are valid using the data read from the microchip. For chip and pin bankcards the data will typically be encoded using triple DES. If the entered numbers match those of the PIN which the user was requested to enter then the entered numbers will be found to be valid. If the numbers are valid, then the processor generates a signal, which it sends via an external link 5 to a bank's electronic systems to complete authorisation of the transaction. The external link 5 may be wired or wireless, and the signal may be sent immediately after validation of the entered numbers, or the authorisation of a series of transactions may be completed as a batch process at a later date.
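The reader-side flow of Figure 2 (steps 101 to 103 and the validation that follows) as an added example in Python, not the patent's or any card issuer's code. It models what the control unit 4 does after the card data has been read: choose which PIN positions to request, either at random as in the described embodiment or as the next positions of a cycle whose counter is kept on the card (claims 3 to 5), build the display request, and validate the entry with a bounded number of attempts. The CardRecord type, the PIN value and PAN, and the three-attempt limit are constructed assumptions; a real chip does not hand the PIN to the reader in clear, and the triple DES encoding mentioned above is out of scope here.

```python
"""Reader-side flow of Figure 2 for partial PIN entry (added example, not the
patent's code). CardRecord, the PIN, the PAN and MAX_ATTEMPTS are constructed
assumptions; the PIN is held in clear only so the comparison can be shown."""
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CardRecord:
    """Stand-in for the data read from the chip in step 102 (constructed)."""
    pan: str
    pin: str                 # full PIN, kept in clear here for illustration only
    cycle_position: int = 0  # cyclic scheme: index of the next position to request


@dataclass
class Challenge:
    """What the reader asked for in this transaction and how many tries remain."""
    positions: List[int]     # zero-based indices into the PIN
    attempts_left: int

    def prompt(self) -> str:
        # Positions are shown 1-based, as on the display in Figure 1
        shown = " and ".join(str(p + 1) for p in self.positions)
        return f"Enter characters {shown} of your PIN"


class PartialPinReader:
    MAX_ATTEMPTS = 3   # assumption, following the description's "three attempts"

    def __init__(self, requested: int = 2, mode: str = "random",
                 rng: Optional[secrets.SystemRandom] = None):
        if mode not in ("random", "cyclic"):
            raise ValueError("mode must be 'random' or 'cyclic'")
        self.requested = requested
        self.mode = mode
        self._rng = rng or secrets.SystemRandom()   # CSPRNG, not random.random()

    def start_transaction(self, card: CardRecord) -> Challenge:
        """Step 103: decide which characters of the PIN the user must enter."""
        n = len(card.pin)
        if not 0 < self.requested < n:
            raise ValueError("must request at least one but not all PIN characters")
        if self.mode == "random":
            positions = sorted(self._rng.sample(range(n), self.requested))
        else:
            start = card.cycle_position
            positions = [(start + i) % n for i in range(self.requested)]
            card.cycle_position = (start + self.requested) % n   # advance the on-card counter
        return Challenge(positions=positions, attempts_left=self.MAX_ATTEMPTS)

    def verify(self, card: CardRecord, challenge: Challenge, entry: str) -> bool:
        """Compare the entry with the requested characters.

        Returns True when the entry is valid (the signal on external link 5
        would then be generated). A challenge is consumed by success or by
        exhausting MAX_ATTEMPTS, so one answer cannot authorise twice."""
        if challenge.attempts_left <= 0:
            return False
        challenge.attempts_left -= 1
        expected = "".join(card.pin[p] for p in challenge.positions)
        # constant-time for equal-length inputs; a wrong length is simply False
        ok = hmac.compare_digest(expected.encode(), entry.encode())
        if ok:
            challenge.attempts_left = 0
        return ok


if __name__ == "__main__":
    card = CardRecord(pan="4111111111111111", pin="4719")   # constructed test card
    reader = PartialPinReader(requested=2, mode="random")
    challenge = reader.start_transaction(card)
    print(challenge.prompt())
    answer = "".join(card.pin[p] for p in challenge.positions)   # what the legitimate user types
    print("authorised:", reader.verify(card, challenge, answer))
```

Two details matter in practice and are easy to get wrong: the positions must come from a cryptographically secure source (otherwise an observer who can predict the sequence gains nothing less than with the cyclic variant), and the attempt counter must belong to the challenge, not to the entry, so that a card thief cannot keep retrying the two digits they did see against fresh challenges.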
The invention therefore provides the advantage that for any one transaction, a third party "shoulder surfing" can only obtain a portion of the PIN associated with the bankcard and if that third party was to subsequently steal the bankcard, there is no guarantee that he will be able to use that portion of the PIN to authorise a subsequent transaction.
It will be understood that other embodiments of the invention may achieve all, some or none of the advantages described. Furthermore, it will be understood that the invention is not limited to the described embodiment but the invention includes modification and alterations that fall within the scope of the invention defined herein.
For example, the keypad may comprise other keys beyond those described which may be required if the PIN comprises non-numerical characters, such as letters. In addition, the keypad is not limited to a keypad having a series of depressible buttons but could also be a touch screen or other suitable input device.
The reader comprises a microchip reader 1, however it will be understood that other card readers may be appropriate depending on how the PIN is encoded in the bankcard. For example, a radio frequency identification (RFID) tag reader or a magnetic strip reader.
The PIN may comprise a set of numbers between 0 and 99, for example a set of three numbers between 0 and 99, such as 12-14-82, and the user has to input the requested number to authorise the transaction. This system may be desirable as it allows a user to use common number sequences, such as dates, as their PIN that may be easier to memorise.

Claims (22)

1. A method of authorising a transaction comprising requesting that the user enters one or more, but not all, of the plurality of characters of a PIN, receiving an entry of one or more characters from the user, electronically reading data from a data carrying article, using the data to determine whether the one or more characters are valid and authorising a transaction if the one or more characters are valid.
2. A method according to claim 1, comprising determining the one or more characters of the PIN the user has to enter for the entry to be valid randomly, or at least pseudo-randomly.
3. A method according to claim 1, wherein the one or more characters of the PIN the user has to enter for the entry to be valid are those that are next in a predetermined sequence.
4. A method according to claim 3, wherein the predetermined sequence is to cycle through the characters of the PIN based on placement of the characters in the PIN.
5. A method of claim 3 or claim 4, wherein the article comprises means for storing an indication of a position in the predetermined sequence.
6. A method of claim 3 or claim 4, comprising determining the position in the predetermined sequence from a central server.
7. A method according to any preceding claim, wherein the user is requested to enter two or more, three or more or four or more characters of the PIN.
8. A method according to claim 7, wherein the user enters four numbers.
9. A method according to any preceding claim wherein the PIN comprises non-numeric symbols.
10. A method according to any one of claims 1 to 8, wherein the PIN only comprises numbers.
11. A method according to any preceding claim, wherein the PIN comprises more than four characters.
12. A method according to claim 11, wherein the PIN comprises five to seven characters.
13. A method according to any preceding claim, wherein the article is a bankcard and the transaction is a financial transaction.
14. A computer readable medium having stored thereon instructions which when executed on a processor of a reader causes the reader to carry out the method of any one of claims 1 to 13.
15. A reader comprising means for reading a data carrying article, a display and input means for a user to enter characters into the reader, wherein the reader is arranged to display a request for a user to enter one or more, but not all, of the plurality of characters of a PIN, to receive an entry of one or more characters from the input means, to read data from the data carrying article, to use the data to determine whether the one or more characters are valid and generate a signal authorising a transaction if the one or more characters are valid.
16. A reader according to claim 15, comprising means to receive a signal from a central server that determines the one or more characters the user is requested to enter.
17. A reader according to claim 15 or claim 16, wherein the reader is a bankcard reader.
18. A reader according to claim 17, wherein the reader is a reader at the point of sale.
19. A reader according to claim 17, wherein the reader is an ATM.
20. A reader according to any one of claims 15 to 19, wherein the article is a bankcard and the PIN is encoded on the bankcard.
21. A method substantially as described hereinbefore with reference to the accompanying drawings.
22. A reader substantially as described hereinbefore with reference to the accompanying drawings.
GB0625886A 2006-12-23 2006-12-23 Partial PIN entry for authorisation Withdrawn GB2445181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0625886A GB2445181A (en) 2006-12-23 2006-12-23 Partial PIN entry for authorisation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0625886A GB2445181A (en) 2006-12-23 2006-12-23 Partial PIN entry for authorisation

Publications (2)

Publication Number Publication Date
GB0625886D0 GB0625886D0 (en) 2007-02-07
GB2445181A true GB2445181A (en) 2008-07-02

Family

ID=37759033

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0625886A Withdrawn GB2445181A (en) 2006-12-23 2006-12-23 Partial PIN entry for authorisation

Country Status (1)

Country Link
GB (1) GB2445181A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2379525A (en) * 2001-09-08 2003-03-12 Int Computers Ltd Electronic payment authorisation
US20040225880A1 (en) * 2003-05-07 2004-11-11 Authenture, Inc. Strong authentication systems built on combinations of "what user knows" authentication factors
WO2006013258A1 (en) * 2004-07-02 2006-02-09 Hsbc France Method for remotely authenticating a user


Also Published As

Publication number Publication date
GB0625886D0 (en) 2007-02-07

Similar Documents

Publication Publication Date Title
US8836473B2 (en) Dynamic keypad and fingerprinting sequence authentication
US8910861B2 (en) Automatic teller machine (“ATM”) including a user-accessible USB port
EP2732579B1 (en) Event driven second factor credential authentication
US9892407B2 (en) Method and system for secure user identification
EP1599786B1 (en) Virtual keyboard
KR100805280B1 (en) Automated teller machine using a biometrics
US9196111B1 (en) Automated teller machine (“ATM”) dynamic keypad
JPH0670818B2 (en) Verification card and its authentication method
JP2014511047A (en) Smart card with verification means
CN107851148A (en) Coding method and system
JP2011113523A (en) User authentication device
WO2014111689A1 (en) Authentication device & related methods
EP3531380B1 (en) Multi-factor automated teller machine (atm) personal identification number (pin)
JP2009093273A (en) Method and system for personal identification, personal identification program for making computer execute same method, and personal identification program recording medium having same program recorded thereon
CA2574983A1 (en) A method and device for password pattern randomization
US11315122B2 (en) Authentication method for e-wallet carrier
JP2006178709A (en) Automatic teller machine
JP2006155636A (en) Ic card settlement device
WO2007017500A1 (en) Method and apparatus for secure insertion of an access code using an eye-tracking device
GB2445181A (en) Partial PIN entry for authorisation
CN101371269A (en) Information input apparatus and transaction processing system
JP2006277334A (en) Automatic teller machine
US9214051B1 (en) Dynamic touch screen for automated teller machines (“ATMs”)
CN112352237A (en) System and method for authentication code entry
KR20150072679A (en) Method of providing personal password input pad at ATM

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)