RU2301449C2 - Method for realization of multi-factor strict authentication of bank card holder with usage of mobile phone in mobile communication environment during realization of inter-bank financial transactions in international payment system in accordance to 3-d secure specification protocol and the system for realization of aforementioned method - Google Patents

Abstract

FIELD: engineering of devices for personal identification of clients during conduction of transactions with usage of mobile communication networks, in particular, invention may be used for authentication when making a payment with bank card using a mobile phone.

SUBSTANCE: during conduction of inter-bank financial transaction in international payment system in accordance to 3-D Secure specification protocol, four transaction phases are conducted successively with condition of multi-factor strict client authentication with usage of mobile phone in mobile communication environment: initiation of operation; generator and delivery of authentication request; generation and delivery of response to authentication request; execution of operation, generation and delivery of notification about operation results. During conduction of each phase, signal messages are transferred between system participants using 3-D Secure specification components.

EFFECT: ensured privacy of conducted operations.

3 cl, 2 dwg

Description

The technical field to which the invention relates.

The invention relates to means for personal authentication of clients during transactions, including payment, using mobile networks. In particular, the invention can be used for authentication when making a payment by credit card using a mobile phone.

The level of technology.

Especially for the Internet, the international payment system Visa has proposed the 3-D Secure security protocol. The introduction of this security protocol for payments via Visa bank cards over the Internet has significantly reduced the risk of fraudulent transactions.

Visa 3-D Secure protocol specifications were published by Visa in 2001.

3-D in the name of the protocol means “3-Domain” (three domains), reflecting the division of the financial transaction authentication process into three domains: Issuer Domain (domain of the issuing bank), Acquirer Domain (domain of the acquiring bank) and Interoperability Domain (security domain )

The Issuer Domain (domain of the issuing bank) includes, in particular, the issuing bank of the bank card and its Access Control Server (ACS) (access control server). ACS checks the ability to authenticate the cardholder using the Visa 3-D Secure protocol and the actual authentication of the client (cardholder).

Acquirer Domain (the domain of the acquiring bank), in particular, includes: a store server and Merchant Plug-In (MPI) - a store server plug-in that creates an authentication request and generates a message about the client's authentication result, the acquirer bank is a financial institution, which interacts with the authorization system of the payment system and transmits the authorization results to the store.

The Interoperability Domain, in particular, provides for the transfer of messages between the Issuer Domain and the Acquirer Domain in accordance with general protocols, in particular, forwarding service messages between banks.

A feature of the 3-D Secure protocol, in particular, is that the issuing bank is given greater freedom in choosing direct authentication methods and procedures. The protocol is very flexible and involves the development of new solutions.

The ability for issuing banks to authenticate customers during an online purchase increases the reliability and security of a financial transaction and reduces the possibility of fraudulent use of bank cards; authentication by the issuing bank is an additional and important element of protecting financial transactions.

VISA 3-D Secure authentication is performed as follows:

a connection is established between the client (holder of the payment card) and the issuing bank, the client informs the issuing bank with the bank card information and its own authentication data using the protocol protected from unauthorized access, the issuing bank checks the specified data, and then informs the payee the confirmation of the possibility and eligibility of payment . If the issuing bank confirms the authentication of the client, authorization of the payment transaction is initiated.

In more detail, the mechanism of payment over the Internet using the VISA 3-D Secure protocol is illustrated in Fig. 1. Processing of Internet payment using 3D-Secure technology. occurs as follows (see figure 1):

1. A bank card user forms an order basket on the store’s website, enters the card details and initiates the payment procedure.

2. The online store, using the Merchant Plug-in component installed on the acquirer bank server, sends an authorization request for the possibility of conducting a special format authentication in the Visa Directory Server. The Visa Directory Server checks if this card number is registered for participation in the Verified by Visa program (i.e. if the card holder has passed the registration procedure). At the same time, the Visa Directory does not have data on the most secret password, but can only determine if the card holder who initiated the transaction has it by sending a request to the issuing bank’s Access Control Server.

3. After the Merchant Plug-in receives a response from the Visa Directory stating that this card holder can make payments using 3D-Secure technology, the online store sends an authentication request to the issuing bank’s Access Control Server through the user's Internet browser.

4. The cardholder is routed to the Access Control Server of the issuing bank, where he enters the password.

5. Access Control Server sends an affirmative or negative authorization response to the Merchant Plug-in and simultaneously saves data about the result of authentication to the Authentication History Server - a payment system server that stores data on all transactions conducted using 3-D-Secure technology. Subsequently, these data can be used by participating banks in resolving customer complaints, as well as in arbitration of disputed transactions.

6. Merchant Plug-in accepts the Access Control Server response and, in the case of an affirmative answer of the issuing bank, sends an authorization request to the host of the acquiring bank.

7. Next, the processing of the authorization request occurs according to the standard scheme through the VisaNet payment system network.

The prior art payment system (see patent GB 2389693, IPC 7 G07F 19/00, published December 17, 2003), containing:

means for generating a unique cash amount identifier in response to a customer payment;

means for transmitting the above generated identifier to the client’s mobile phone;

means for storing the above generated identifier in a central data server;

means for obtaining an identifier transmitted from a client’s mobile phone, said identifier containing payment information;

means for comparing at least a portion of the identifier with at least a portion of the generated identifiers; and

means for indicating the above identifier.

The disadvantage of this system is the transmission of the identifier on an open communication channel without additional encoding.

The closest analogue (prototype) of the present invention is a transaction method using a mobile phone (or other wireless device, for example, a PDA) connected to a WAP or GPRS service (see application W003 / 047208 A1, IPC 7 H04L 29/06, published 06/05/2003). The method includes the following steps:

receiving transaction information via mobile phone;

transfer of transaction information to a processing server to verify the possibility of a transaction;

upon receiving from the processing server a positive result of checking the feasibility of a transaction - transfer of this information to a mobile phone,

while data transfer is carried out via the Internet.

The disadvantage of the closest analogue is the low confidentiality, since all information is transmitted in the clear in the Internet.

SUMMARY OF THE INVENTION

The objective of the present invention is to provide a method for multi-factorial authentication of a bank card holder using a mobile phone in a mobile communication environment, when conducting interbank financial transactions in an international payment system, based on existing 3-D Secure technology.

Another objective of the present invention is to provide a method for multifactor strong authentication of a bank card holder using a mobile phone in a mobile communication environment, when conducting interbank financial transactions in an international payment system using the 3-D Secure specification protocol, which can be implemented already in existing mobile (cellular) networks ) communication.

Another objective of the present invention is to provide a method for multifactor strong authentication of a bank card holder using a mobile phone in a mobile communication environment, when conducting interbank financial transactions in an international payment system, according to the 3-D Secure specification protocol, which comply with strict confidentiality requirements, in which secret information , for example, about a credit card (PAN code, expiry date) are not transmitted over an open communication channel.

An additional objective of the present invention is to provide a convenient and easy to use for customers of mobile (cellular) communication networks, a method of using bank cards as a means of payment.

The tasks for the system for implementing multi-factorial strong authentication of a client using a mobile phone in a mobile communication environment, when carrying out a financial transaction in an international payment system according to the 3-D Secure specification protocol, are solved due to the fact that the system contains:

the domain of ensuring interoperability of the international payment system that provides services to individuals using bank cards as a means of payment, hereinafter referred to as the collateral domain and the payment system;

domain of issuing banks of the payment system;

domain of payment system acquirer banks;

moreover, the domains of acquirer banks and issuing banks are connected to the collateral domain through computer communication networks;

at least one ACS component of the 3-D Secure payment system specification in the domain of issuing banks;

at least one component of MPI specification 3-D Secure payment system in the domain of acquiring banks,

wherein the system further comprises:

at least one GSM mobile cellular network provided by a GSM operator;

at least one GSM mobile phone connected to the GSM operator’s network, with a SIM card on which the standard information of the GSM operator is recorded, as well as at least one computer program — an applet that implements the functionality of the issuing bank component ;

interbank and mobile data exchange support unit - a MID unit connected via a computer communication network to at least one network of a GSM operator;

at least one block of the issuing bank is an i-MAP block connected via computer communication networks to the MID block and at least one ACS component;

at least one acquiring bank unit — an a-MAP unit connected via computer communication networks to a MID unit and at least one MPI component;

at least one payee server connected via a computer network to the MPI component,

wherein each MPI component is connected via a computer communication network to at least one payee server.

The tasks for the first version of the method of implementing multi-factorial authentication of a client using a mobile phone in a mobile communication environment during a financial transaction in an international payment system according to the 3-D Secure specification protocol are solved due to the fact that:

activate the computer program recorded on the SIM card of the client’s mobile phone, the applet, then initiate the financial transaction, determining the payment parameters using the corresponding applet menu items and in response to the applet’s requests;

using a mobile phone, SIM card and applet, they form and send a non-voice message to the GSM operator, addressed to the interbank and mobile data exchange unit — the MID unit, containing payment parameters, which include, in particular, the conditional identifier of the client in the client’s issuing bank, conditional the identifier of the customer’s bank payment card in the issuing bank of the client, as well as the parameters of the requested offer, which include, in particular, the identifier of the payee, the identifier of the paid item and or services, the amount intended for the payment of goods or services, the amount of the payment;

the received non-voice message and the phone number of the sender of the message are transmitted from the GSM operator to the MID unit;

in the MID block, the component of the issuing bank corresponding to this identifier is determined by the client’s identifier — the i-MAP block, which, in particular, implements the functionality of the interface with the ACS components of the 3-D Secure specification, form and transmit the request for receipt to the said i-MAP block Actual attributes of a client’s bank card required to conduct a financial transaction in accordance with the specifications of the payment system;

the relevant client identifier and the conditional identifier of the client’s bank card contained in the MID request received from the MID indicate the actual attributes of the client’s bank card in the said i-MAP block, form and transmit to the MID block the response containing the requested data;

the payee identifier in the MID block determines the component of the payee's acquiring bank corresponding to this identifier, the a-MAP unit, which, in particular, implements the interface functionality with MPI components of the 3-D Secure specification, generates and transmits a message to the a-MAP message containing the current attributes of the client’s bank card, the identifier of the payee and the parameters of the requested offer;

using the mentioned payee identifier in the a-MAP block, the MPI component corresponding to this identifier is determined and an authentication transaction is initiated according to the 3-D Secure specification, referring to this MPI;

the client authentication request generated by the MPI component according to the 3-D Secure specification is received in said a-MAP block, transmitted to the MID block and then transmitted from the MID block to the i-MAP block;

in the said i-MAP block, according to the data contained in the received client authentication request, the ACS component is determined and, referring to this ACS, they are generated, encrypted using the client’s personal bank secret keys, the request message containing the authentication message is signed and transmitted to the MID block request and offer;

in the MID block, a non-voice message addressed to the client’s mobile phone containing the received request message is generated and transmitted to the GSM operator;

after receiving a non-voice message by the client from the GSM operator by means of a mobile phone, SIM card and applet, the authenticity of the received message is checked and, if the message is authentic, an authentication request is displayed on the mobile phone display;

in case the client presents a personal password in response to an authentication request and subsequent acceptance of the offer by the client, confirmed by re-presenting a personal password, initiate the protected applet function;

by means of a mobile phone, SIM-card and the protected function of the applet, a non-voice message addressed to the MID block is encrypted and signed using the customer’s personal bank secret keys and sent to the GSM operator;

the received non-voice message and the phone number of the sender of the message are transmitted from the GSM operator to the MID unit;

in the MID block, a message containing the response to the authentication request is generated and transmitted to the i-MAP block;

in the said i-MAP block, referring to the mentioned ACS component, they verify the authentication result, namely, whether or not the response to the authentication request is a proof of the authenticity of the client’s decision to accept the offer, while the following number of factors are used to authenticate the client in the i-MAP block : establishing the fact of customer ownership of a mobile phone with a SIM card that has authentic identification and telephone numbers, establishing the fact of availability, authenticity and functionally correct integrity, record data on the issuing bank’s applet’s SIM card and the client’s personal secret bank keys and the fact that the client knows the personal password that acts as an access code to the functions of the applet protected from unauthorized use, and they use a positive result as evidence of the client’s authenticity and acceptance of the offer based on the totality of evidence establishing the above facts;

in said i-MAP block, a message is generated addressed to said a-MAP block containing the result of the authentication check;

from the i-MAP block, the authentication result is transmitted via the MID block to the said a-MAP block;

in the a-MAP block, using the received data, initiate an authorization transaction in the payment system, referring to the mentioned MPI component;

in the i-MAP block, the 3-D Secure specification of the payment system in the issuing bank’s domain interacting via a computer network with the mentioned MPI component of the 3-D Secure specification of the payment system in the acquiring bank’s domain is received from the mentioned ACS component, which is necessary and formed according to the specification and with the components of the payment system, a message to the client about the result of the authorization transaction from the issuing bank is generated, encrypted using the client’s personal bank secret keys and a message is transmitted to the MID unit, holding the result of authorization transactions;

in the MID block, a non-voice message addressed to the client’s mobile phone containing the received message is generated and transmitted to the GSM operator;

after receiving a non-voice message by the client from the GSM operator using a mobile phone, SIM card and applet, verify the authenticity of the message and if the message is authentic, the result of the authorization transaction is displayed on the client’s mobile phone display;

however, all information relating to the initiation of a financial transaction, authentication, authorization transaction and notification of the results of an authorization transaction is stored by means provided by the payment system and in accordance with the specification of the payment system.

The tasks for the second variant of the method of implementing multi-factorial authentication of a client using a mobile phone in a mobile communication environment during a financial transaction in an international payment system according to the 3-D Secure specification protocol are solved due to the fact that:

information and technical means of the payee initiate a financial transaction, referring to the corresponding MPI component of the payee, form a request for a financial transaction with the condition of authentication according to the 3-D Secure specification, and the request includes the payee ID, offer parameters, which include, in particular, the identifier of the goods or services to be paid, the number of goods or services offered for payment, the amount of payment, and the client’s address for delivering the offer to the client, who includes, in particular, the conditional identifier of the client in the issuing bank and / or the phone number of the client;

the request is sent through the appropriate component of the acquirer bank of the payee - the a-MAP unit, which, inter alia, implements the functionality of the interface with the MPI 3D Secure components, to the interbank and mobile data exchange support unit - the MID unit;

if the client’s address is incomplete, the conditional client identifier in the issuing bank or the client’s phone number corresponding to the client’s conditional identifier in the issuing bank is determined in the MID block by the client’s identifier, the component of the issuing bank corresponding to this identifier is determined — block i- MAPs, including those that implement the functionality of the interface with ACS 3-D Secure components, form and transmit to the aforementioned i-MAP unit a request for a financial transaction with the condition ay 3-D Secure authentication;

in the said i-MAP block, according to the data contained in the received request, the validity of the financial transaction is checked using the client’s mobile phone, the ACS component is determined, referring to this ACS, they are generated, encrypted using the client’s personal bank secret keys, signed and transmitted to the MID block - a request containing an authentication request and an offer;

in the MID block, a non-voice message addressed to the client’s mobile phone containing the received request message is generated and transmitted to the GSM operator;

after receiving a non-voice message by the client from the GSM operator by means of a mobile phone, SIM card and a computer program pre-recorded on the client’s SIM card, the applet checks the authenticity of the message and, if the message is authentic, displays an authentication request on the mobile phone display;

in case the client presents a personal password in response to an authentication request, the client determines the payment parameters using the corresponding applet menu items and does not set the payment recipient, and in response to the applet’s requests and subsequent acceptance of the offer by the client, confirmed by re-presenting the personal password, initiate the protected applet function;

by means of a mobile phone, a client’s SIM card and a secure applet function, a non-voice message containing an evidence of authenticity of the client’s decision to accept the offer and payment parameters addressed to the MID block is generated and sent to the GSM operator encrypted and signed using the client’s personal bank secret keys;

the received non-voice message and the phone number of the sender of the message are transmitted from the GSM operator to the MID unit;

in the MID block, a message containing said evidence of authenticity of the client’s decision on accepting the offer and payment parameters is generated and transmitted to the i-MAP block;

in the said i-MAP block, referring to the mentioned ACS component, they verify the authentication result, namely, they verify the authenticity of the client’s decision to accept the offer, and form a message addressed to the said a-MAP block containing the authentication verification result and payment parameters;

at the same time, taking into account that the 3-D Secure specification does not regulate the method of client authentication by the issuing bank, the following factors are used to verify the evidence of authenticity in the i-MAP unit: establishing the fact that the client owns a mobile phone with a SIM card that has authentic identification cards and telephone numbers, establishing the fact of availability, authenticity and functionally correct integrity recorded on the mentioned SIM-card of the applet of the issuing bank and personal secret bank keys of the client that, and the finding of a client personal knowledge of the password, perform the functions of an access code to secure from unauthorized use of a function of said applet and as a proof of the authenticity of the client and the client accepts the offer using a positive result, based on the totality of evidence establishing the facts mentioned;

from the said i-MAP block, the authentication result and payment parameters to the said a-MAP block are transmitted via the MID block;

in the a-MAP block, using the received data, initiate an authorization transaction in the payment system, referring to the mentioned MPI component;

in the i-MAP block, they receive from the said ACS component interacting over the computer communication network with the mentioned MPI component of the 3-D Secure specification of the payment system in the acquiring bank’s domain, the necessary and generated by the specification and payment system components message to the client about the result of the authorization transaction from the issuing bank is configured, encrypted using the client’s personal bank secret keys and the message is sent to the MID block containing the result of the authorization transaction;

in the MID block, a non-voice message addressed to the client’s mobile phone containing the received message is generated and transmitted to the GSM operator;

after receiving a non-voice message by the client from the GSM operator using a mobile phone, SIM card and applet, verify the authenticity of the message and if the message is authentic, the result of the authorization transaction is displayed on the client’s mobile phone display;

however, all information relating to the initiation of a financial transaction, authentication, authorization transaction and notification of the results of an authorization transaction is stored by means provided by the payment system and in accordance with the specification of the payment system.

The technical result from the use of the claimed invention is the creation of convenient and easy to use for customers mobile (cellular) communication networks of a method and system for conducting transactions with a guarantee of confidentiality of transactions. The required level of confidentiality of the transmitted data is ensured due to the fact that the claimed invention allows not to transmit secret credit card information, such as PAN code, Expiry Date, etc., when conducting transactions through an open communication channel. Transaction in accordance with the claimed invention it is possible using existing mobile (cellular) communication networks without the use of additional equipment by the mobile operator.

The technical result from the use of the invention is also that financial transactions can be made on the basis of existing and implemented 3-D Secure technology. The claimed system of financial transactions using a mobile phone is designed as an addition to the system operating under the 3-D Secure protocol (3-D Secure system), and the present invention allows the use of existing systems, which greatly reduces the cost of its construction.

Moreover, the claimed invention has wider functionality, since it can be used not only when conducting payment transactions, but in other cases when it is required to use strong authentication.

The achievement of the technical result for the claimed variants of the method and the claimed system is due to the fact that in order to ensure legitimacy and security during banking operations, reliable means of authentication are used as an integral part of the security policy.

One of the main problems in ensuring information security of electronic banking is the choice of a reliable and flexible authentication system for authorizing access to resources and services.

The usual password, the most common form of authentication, is weak one-factor authentication, the party may claim that the password has been guessed and deny their complicity in fraud, or reject the charge of negligence. Multifactor authentication is the identification of the user based on the fact that he knows what he owns and what he knows how to do or possess something that characterizes who he is, for example, a biometric characteristic - this authentication is called multifactor.

Compared with the traditional password, strong multi-factor authentication in the GSM GSM open cellular mobile telecommunications network, combining that the user knows the secret password, that he has a personalized SIM card for the mobile phone and that he can execute a specialized and tamper-resistant applet in combination with personalized identification information, it provides significantly strong and reliable protection in the field of information security, being Xia easy to use method of protection in which the other party may uniquely identify the person on the other end electronic transaction in an open telecommunications network.

The use of unified multifactor authentication makes it possible, without contradicting standards, to develop a controlled information security regime and expand the range of services provided, as well as to strengthen confidence in the party applying multifactor authentication in general.

Brief Description of the Drawings

The invention is illustrated by drawings.

Figure 1 shows a diagram of the processing of Internet payment technology 3-D-Secure.

Figure 2 shows the structural diagram of the claimed system.

The implementation of the invention

A system for implementing multi-factorial strong authentication of a client using a mobile phone in a mobile communication environment, when conducting a financial transaction in an international payment system, according to the 3-D Secure specification protocol according to the claimed method, consists, in particular, of the following newly introduced nodes:

1. The mobile phone of the client (subscriber of the cellular mobile network) with a SIM card on which are recorded:

a) standard information of the GSM operator;

b) a computer program - an applet that implements the functionality of a banking application, which is a banking component. This program is registered with the federal executive authority for intellectual property in accordance with the Law of the Russian Federation "On the legal protection of programs for electronic computers and databases", reg. No. 20055611132 dated May 16, 2005. Information about the program was published on the Internet at www.intervale.ru June 15, 2005.

Client’s information technology: a mobile phone, a client’s SIM card and an applet generate and send non-voice messages to the GSM operator, as well as process non-voice messages received from the GSM operator (the message protocol can be different, for example: SMS, MMS, USSD, WAP).

2. Mobile Interchange Directory, an interbank and mobile data exchange support unit connected via a computer communication network to a GSM operator’s network, hereinafter referred to as the MID unit. The MID block contains a database containing the conditional identifiers of customers registered in the system and the corresponding addresses of the interface blocks with the 3-D Secure specification component of the respective issuing bank, as well as a database containing the conditional identifiers of the payees and the corresponding addresses of the interface blocks with a component of the 3-D Secure specification of the corresponding acquirer bank.

3. Issuer Mobile Access Point - component of the issuing bank, including one that implements the functionality of the interface with 3-D Secure components - hereinafter referred to as i-MAP block. This block provides the exchange of message-signals containing the necessary information between the 3-D Secure component from the issuing bank and the MID block.

4. Acquirer Mobile Access Point - an acquiring bank component, including one that implements the functionality of the interface with 3D Secure components - hereinafter referred to as a-MAP unit. This unit provides the exchange of message-signals containing the necessary information between the 3-D Secure component from the acquiring bank and the MID unit.

The functions of the components of the claimed system are disclosed in more detail when describing how to implement multi-factor strong authentication of a client using a mobile phone in a mobile communication environment, when conducting a financial transaction in an international payment system, according to the 3-D Secure specification protocol.

When implementing the claimed method using the above-described multi-factor strong authentication system of a client using a mobile phone in a mobile communication environment, when carrying out interbank financial transactions in an international payment system, the 3-D Secure protocol uses a four-phase messaging protocol for conducting financial transactions with using components of the 3-D Secure specification.

The implementation of a financial transaction according to the claimed method, implemented by the claimed system, consists of four sequentially executed phases:

1) initiation of the operation;

2) generation and delivery of an authentication request;

3) generation and delivery of a response to an authentication request;

4) execution of the operation, generation and delivery of a notice of the results of the operation.

During each phase, messages are transmitted between the participants in the system.

Phase 1

Initiation of the operation.

In accordance with the first embodiment of the claimed method, the initiation can be carried out by the client, and in accordance with the second embodiment, by the payee.

If a client initiates a financial transaction, the client activates the applet (a computer program recorded on the client’s SIM card) from the mobile phone and, by selecting the appropriate menu items of the applet and determining payment parameters in response to the applet’s requests, initiates the financial transaction. In particular, the payment parameters can be: the conditional identifier of the client in the issuing bank of the client, the conditional identifier of the payment card of the client in the issuing bank of the client, offer parameters. In particular, the parameters of the offer can be: the identifier of the payee (a trading company or an enterprise selling services) to which the client intends to make a payment, the identifier of the goods (services) to be paid, the number of goods (services) to be paid for, the amount of payment, additional parameters offers. Information technology of a mobile phone, a SIM card of a client and an applet generates and sends a non-voice message to the GSM operator containing the initial parameters of the operation.

In the case of the initiation of a financial transaction by the payee, the offer parameters must be generated for the client by the payee. In particular, the client’s mobile phone number can be indicated as the address for the delivery of the offer, the mentioned number can either be known to the payee from the contract with the client (prescribed payment operations, for example, in the case of a monthly subscription), or communicated by the client to the payee in another way when preparing the offer by the payee.

Result of phase 1

The data on the customer’s payment card and the parameters of the requested offer that do not require strict confidentiality are communicated to the payee by the information and technical means of the parties involved in the system.

Phase 2

Generation and delivery of an authentication request and a request for acceptance (consent to conclude an agreement on the conditions specified in the offer of the payee) from the issuing bank to the client.

An authentication and acceptance request is generated and delivered by information and technical means of the parties to the system based on the data of the issuing bank and the data received from the payee.

The result of phase 2.

A non-voice message from the issuing bank with a request for acceptance subject to client authentication (client identification using a mobile phone, SIM card and applet) is delivered by information and technical means of the parties involved in the system to the client’s mobile phone, the client receives the necessary and formed according to specification 3 -D Secure authentication request from the issuing bank. An authentication request to the client is displayed on the mobile phone’s display, for example, the requirement to enter a password to verify that the client knows some personal secret known only to the client, while the secret password acts as an access code for the protected functions of the applet on the client’s SIM card.

Phase 3

Generation and delivery of a response to an authentication request.

In case of accepting the offer (acceptance), the client using a mobile phone presents a personal secret (for example, a secret password), then a non-voice message is generated and sent by means of a mobile phone, SIM card and applet - a response containing the authentication result and the decision to accept the offer itself . The VISA 3-D Secure specification does not regulate the procedure for client authentication by the issuing bank, the client authentication protocol can be unique for each issuing bank, authentication is performed according to the scheme adopted by the issuing bank. The entire message with the information and technical means of a mobile phone, SIM card and applet is signed with a digital signature of the client using personal bank secret keys recorded on the SIM card (SIM cards have built-in protection against unauthorized access to critical (key) information ( for example, technically protected from exposure to ultraviolet, infrared rays, physical penetration, heating, scanning with an electron microscope), the entire message or only the result The client’s authentication by means of a mobile phone, SIM card and applet is encrypted using personal secret keys. The information technology of the issuing bank used to verify the integrity and authorship of orders transmitted by the client can detect distortions in client messages and carry out proof of authorship of client messages when subject to client authentication.

The result of phase 3.

The decision on acceptance of the offer by the client, certified by the issuing bank of the client, is delivered by the information and technical means of the parties participating in the system to the payee.

Phase 4

Performing an operation, generating and delivering a notification of the results of an operation.

After the operation is completed, the customer is notified by the issuing bank of the results of the operation by the information and technical means of the parties to the system based on the data on the operation.

The result of phase 4.

Notification of the results of the operation is delivered to the client’s mobile phone by information and technical means of the parties participating in the system. The client receives from his issuing bank a message on the result of a financial transaction signed by an electronic digital signature of the issuing bank. Information and technical tools of the client (applet on the SIM card of a mobile phone) check the integrity and authorship of the message. In the case of evidence of customer confirmation of authorship of the message and the absence of distortion in the message, the result obtained in the message is displayed on the phone display.

In this case, all material information relating to the mentioned stages is stored by the means provided by the payment system and in accordance with the specification of the payment system.

Terminology used

Authorization transaction (Authorization) - a set of operations for obtaining permission or refusal provided by the issuing bank to conduct a transaction for a certain amount using a bank card, which generates the issuer's obligation to execute the operation for the said amount, the requested amount is blocked on the client’s account.

Applet (Applet) - a computer program that is characterized by a multi-platform solution that minimizes installation costs, usually used for rich interactive features of user interfaces.

Authentication transaction - a set of operations to certify the authenticity of data and subjects of information interaction.

Authentication - confirmation of the authenticity of data and subjects of information interaction solely on the basis of the data received themselves (in the case of information interaction, data is received from the declared sender and is not distorted).

Authenticity is a characteristic of data authenticity, meaning that the data was created by genuine participants in the information process and was not subjected to accidental or deliberate distortions.

Acquirer Bank (Acquirer) - a bank participating in the Payment System, a financial institution that has a contractual relationship with a trade and service company (Payee) for servicing in order to receive data on transactions made with bank cards, sends them to the Payment system for making settlements on these transactions.

The issuing bank (Issuer) is a participating bank of the Payment system, a credit and financial institution that issues (issues) bank cards, receives data on transactions made by Clients, authenticates the Client and authorizes the transaction, guarantees payment for transactions made by the Clients and relates the amounts transactions to customer accounts.

Cardholder (Cardholder) - an individual who uses the services of the issuing Bank for banking operations, has a bank account, is a bank card user on the basis of an agreement with the issuing bank.

Domain (Domain) - a group of computers connected through a computer network and using a common database, forming the area of responsibility.

Customer (Customer) - an individual, a bank card holder, having an agreement with a telecom operator on the provision of mobile communication services (being a subscriber of the GSM mobile network) and owning a mobile phone with a SIM card on which the standard information of the GSM operator is recorded, as well as special a computer program (applet) that allows you to use a mobile phone to carry out financial transactions and authenticate the client as a genuine bank card holder.

Offer (offer) - a message from a party (offer) to the other party (acceptor) about the proposal to conclude an agreement containing all the essential conditions of the agreement.

The seller’s offer to the buyer contains all the basic conditions of the seller for the proposed purchase and sale transaction: product name, quantity, price, etc.

Client’s personal password - confidential authentication information that implements the function of the access code presented for the implementation of password-protected operations, usually consisting of a sequence of characters.

Payment system - a system for the exchange of transactions and mutual settlements between the parties to the system using a combination of information technology of the parties to the parties that are subject to the general regulatory rules for the transfer of funds between banks and other credit and financial institutions, which are characterized by the presence of contractual and licensing bases, trademark, financial guarantees, internal operating rules and standards.

Payee (Merchant) - a legal entity or an individual who uses the services of a bank to conduct banking operations, a trading company (trade and service company, seller) selling goods and / or services, accepting purchase orders, creating an offer using MPI specifications 3 -D Secure to ensure and protect their interests in electronic commerce and commerce in open telecommunication networks.

(Financial) Transaction - a set of sequential operations initiated by the Customer or the Recipient of the payment performed by the participants of the Payment System to serve the Customers who hold bank cards (in particular, to access the account in order to obtain information about the status of the account, debiting, crediting the account, making financial settlements using a bank card). The main properties of a transaction: indivisibility (either the entire set of operations constituting the transaction must be performed, or the system must be returned to its original state), consistency (a canceled transaction does not violate the integrity of information in the system, for example, in databases of bank cards, accounts, balances, etc. .p.), isolation (a single transaction does not depend on others), reliability (a transaction incomplete due to a failure is restored).

3-D Secure (Three-Domain Secure protocol) - a protocol adopted by international payment systems, for example, VISA International and MasterCard International, for secure financial transactions in open telecommunication networks by holders of traditional bank cards, which does not regulate the method of authentication of a bank card holder by a bank by the issuer.

ACS (Access Control Server) - the trusted client side, a component of the 3-D Secure specification, the issuing bank's access control server, in particular, providing authentication of the Client when conducting a transaction on the card of the issuing bank.

MPI (Merchant Server Plug-in) is the trusted party of the payee, a component of the 3-D Secure specification that ensures the interests of the payee, in particular, verifies and authenticates the information received by the payee, can be integrated into the payee’s server or submitted to the payee in the form of a service, for example, the server of the acquirer bank.

Claims (3)

1. A system for implementing multi-factorial strong authentication of a client using a mobile phone in a mobile communication environment during a financial transaction in an international payment system according to the 3-D Secure specification protocol, containing a domain for ensuring interoperability of the international payment system that provides individuals with services using bank cards as means of payment, hereinafter referred to as the collateral domain and payment system, the domain of issuing banks of the payment system, domain ankk-acquirers of the payment system, and the domains of acquirer banks and issuing banks are connected to the provision domain through computer networks, at least one ACS component - access control server - 3-D Secure payment system specifications in the domain of issuing banks, according to at least one MPI component — a store server plug-in — specifications of a 3-D Secure payment system in the domain of acquiring banks, characterized in that the system further comprises at least one GSM-standard cellular mobile network provided by GSM- at least one GSM mobile phone connected to the GSM operator’s network, with a SIM card on which the standard information of the GSM operator is recorded, as well as at least one computer program applet that implements the functionality of a banking application and being a component of the issuing bank, the interbank and mobile data exchange support unit is a MID unit connected via a computer network to at least one GSM operator network, at least one issuing bank unit is an i-MAP unit, providing the exchange of messages-signals between the ACS server and the MID unit, connected via computer communication networks to the MID unit and at least one ACS server, at least one bank-acquirer unit - the a-MAP unit, which provides messaging - signals between the MPI server and the MID unit connected via computer communication networks to the MID unit and at least one MPI server, at least one payee server connected via the computer communication network to the MPI server, each MPI server being connected in the midst a computer communication network to at least one payee server. 2. A method for implementing multi-factor strong authentication of a client using a mobile phone in a mobile communication environment during a financial transaction in an international payment system according to the 3-D Secure specification protocol, which involves activating a computer program applet recorded on the client’s mobile phone’s SIM card , then initiate a financial transaction, defining payment parameters using the corresponding applet menu items and in response to applet requests, using a mobile phone, SIM mouths and applets form and send a non-voice message to the GSM operator, addressed to the interbank and mobile data exchange unit — the MID unit, containing payment parameters, which include, in particular, the conditional identifier of the client in the issuing bank of the client, the conditional identifier of the client’s bank payment card in the issuing bank of the client, as well as containing the parameters of the requested offer, which include, in particular, the identifier of the recipient of the payment, the identifier of the paid product or service, the amount of the proposed For payment of goods or services, the amount of payment, from the GSM operator transfers the received non-voice message and the phone number of the sender of the message to the MID unit, in the MID unit the component of the issuing bank corresponding to this identifier is determined - i-MAP unit, which, in particular, it implements the functionality of the interface with ACS servers of 3-D Secure specification; they form and transmit to the aforementioned i-MAP block a request for obtaining the current attributes of the client’s bank card necessary for conducting financial In accordance with the specifications of the payment system, according to the conditional client identifier and conditional identifier of the client’s bank card contained in the MID request received, the client’s bank card’s attributes are determined in the i-MAP block and the response containing the requested data is generated and transmitted to the block MID the payee’s identifier in the MID block determines the component of the payee’s acquiring bank corresponding to this identifier - the a-MAP block, which, in particular, is real It examines the functionality of the interface with MPI servers of 3-D Secure specification, generates and transmits to this a-MAP block a message containing the current attributes of the client’s bank card, the payee identifier and the parameters of the requested offer, using the aforementioned payee identifier in the a-MAP block determine the corresponding identifier MPI server and initiate an authentication transaction according to the 3-D Secure specification, referring to this MPI generated by the mentioned MPI server according to the 3-D Secure specification authentication request the client is received in the said a-MAP block, transmitted to the MID block and then transferred from the MID block to the said i-MAP block, in the said i-MAP block, the ACS server corresponding to this data is determined from the data contained in the received client authentication request and, referring to this ACS, generate, encrypt using the client’s personal bank secret keys, sign and transmit to the MID unit a request message containing an authentication request and an offer, in the MID unit form and transmit a non-voice message to the GSM operator, address data on the client’s mobile phone containing the received request message, after receiving the non-voice message by the client from the GSM operator using the mobile phone, SIM card and applet, verify the authenticity of the received message and, if the message is authentic, the authentication request is displayed on the mobile phone’s screen, in case of presentation by the client of a personal password in response to an authentication request and subsequent acceptance by the client of an offer, confirmed by re-presentation of a personal password, in they initiate the protected function of the applet, by means of a mobile phone, SIM card and the protected function of the applet, form and send to the GSM operator an encrypted and signed non-voice message with the personal bank secret keys of the client addressed to the MID unit, transmit the received non-voice message and phone number from the GSM operator the sender of the message to the MID block, in the MID block, a message containing the response to the authentication request is generated and transmitted to the i-MAP block, in the said i-MAP block, referring to to the removed ACS server, the authentication result is checked, namely, whether or not the response to the authentication request is a proof of the authenticity of the client’s decision to accept the offer, while for authenticating the client in the i-MAP unit, a combination of the following factors is used: establishing the fact of the client owning a mobile phone with SIM - a card having authentic identification and telephone numbers, establishing the fact of availability, authenticity and functionally correct integrity recorded on the mentioned SIM-card of the ban applet ka-issuer and client’s personal bank secret keys, and the fact that the client knows a personal password that acts as an access code to the functions of the applet protected from unauthorized use, and as a proof of the client’s authenticity and acceptance of the offer by the client, they use a positive result based on a combination of confirmations of the mentioned facts, in the said i-MAP block, a message is generated addressed to the said a-MAP block containing the verification result fiction, from the i-MAP block, the authentication result is transferred to the a-MAP block via the MID block, in the a-MAP block, using the received data, initiate an authorization transaction in the payment system, accessing the mentioned MPI server, in the i-MAP block are received from the ACS server specification 3-D Secure payment system in the domain of the issuing bank, interacting via a computer network with the mentioned MPI server specification 3-D Secure payment system in the domain of the acquiring bank, necessary and formed according to the specification and components of the payment system, a message to the client about the result of the authorization transaction from the issuing bank is generated, encrypted using the client’s personal bank secret keys and the message is sent to the MID block containing the result of the authorization transaction, the non-voice message addressed to the GSM operator is generated and transmitted to the GSM operator the client’s mobile phone containing the received message after receiving a non-voice message by the client from the GSM operator using a mobile phone, SIM card and the applet verify the authenticity of the message and in the case of authenticity of the message, the result of the authorization transaction is displayed on the client’s mobile phone display, while all information regarding the initiation of the financial transaction, authentication, authorization transaction and notification of the results of the authorization transaction is stored by the means provided by the payment system and according to the specification of the payment system. 3. A method of implementing multi-factorial strong authentication of a client using a mobile phone in a mobile communication environment, when conducting a financial transaction in an international payment system, according to the 3-D Secure specification protocol, which means that the payee uses the information technology to initiate a financial transaction by contacting to the corresponding MPI server of the payee, form a request for a financial transaction with an authentication condition according to the 3-D Secure specification, and the request is on includes the identifier of the payee, the parameters of the offer, which include, in particular, the identifier of the paid product or service, the number of goods or services offered for payment, the amount of payment, and the client’s address for delivering the offer to the client, which includes, in particular, a conditional identifier the client in the issuing bank and / or the client’s phone number, the request is sent through the appropriate component of the acquirer’s bank of the payee - the a-MAP unit, which, inter alia, implements the functionality of the interface with MPI 3D Secur servers e, to the inter-bank and mobile data exchange support unit - the MID unit, in case the client address is not complete, the conditional client identifier in the issuing bank or the client phone number corresponding to the conditional client identifier in the issuing bank is determined from the MID by the mentioned the customer’s identifier is determined by the component of the issuing bank — the i-MAP unit, including the one that implements the functionality of the interface with ACS 3-D Secure servers, which is formed and transmitted To the i-MAP block, a request for a financial transaction with the authentication condition according to the 3-D Secure specification, in the said i-MAP block according to the data contained in the received request, the validity of the financial transaction is checked using the client’s mobile phone, the ACS server corresponding to this data is determined by contacting to this ACS form, encrypt using the client’s personal bank secret keys, sign and send to the MID block a request message containing an authentication request and an offer, in the MID block they dig and transmit to the GSM operator a non-voice message addressed to the client’s mobile phone containing the received request message, after receiving the non-voice message by the client from the GSM operator using a mobile phone, SIM card and a computer applet previously recorded on the client’s SIM card, check the authenticity of the message and in the case of authenticity of the message, an authentication request is displayed on the display of the mobile phone, if the client presents a personal password in response to the authentication request, determination by the client of payment parameters not established by the payment recipient using the appropriate menu items of the applet and in response to requests from the applet and the subsequent acceptance of the offer by the client, confirmed by re-presenting the personal password, initiate the protected function of the applet by means of a mobile phone, SIM card of the client and the protected function the applet is formed and sent to the GSM-operator a non-voice message encrypted and signed using the client’s personal bank secret keys, The proof of authenticity of the client’s decision on accepting the offer and the payment parameters addressed to the MID unit are transmitted from the GSM operator to the received non-voice message and the phone number of the sender of the message to the MID unit, a message containing the above-mentioned proof of authenticity of the solution is generated and transmitted to the i-MAP unit the client about accepting the offer and payment parameters, in the said i-MAP block, referring to the mentioned ACS server, check the authentication result, namely, check the authentication evidence p the client’s decision to accept the offer, and form a message addressed to the a-MAP block containing the result of authentication verification and payment parameters, while considering that the 3-D Secure specification does not regulate the way the client is authenticated by the issuing bank to verify the evidence of authenticity in The i-MAP unit uses a combination of the following factors: establishing the fact of customer ownership of a mobile phone with a SIM card that has authentic identification and telephone numbers, establishing the fact of presence, authentic the integrity and functionally correct integrity of the applet of the issuing bank and personal secret bank keys of the client recorded on the SIM card and the fact that the client knows the personal password that acts as an access code to the functions of the applet protected from unauthorized use, and as evidence of the client’s authenticity acceptance of the offer by the client uses a positive result based on the totality of confirmations of the establishment of the mentioned facts from the said i-MAP Using the MID block, the authentication result and payment parameters are transferred to the a-MAP block, in the a-MAP block, using the received data, they initiate an authorization transaction in the payment system by accessing the MPI server, in the i-MAP block they receive from the mentioned ACS server that interacts via a computer communication network with the mentioned MPI server of the 3-D Secure specification of the payment system in the domain of the acquiring bank, a message is required and generated according to the specification and components of the payment system to the client about the result of the car A transaction from the issuing bank is generated, encrypted using the client’s personal bank secret keys, and a message is sent to the MID block containing the result of the authorization transaction, and a non-voice message addressed to the client’s mobile phone containing the received message is generated and transmitted to the MID operator , after receiving a non-voice message by the client from the GSM operator using the means of a mobile phone, SIM card and applet, the authenticity of the message is also checked in case of authenticity and the messages on the display of the client’s mobile phone display the result of the authorization transaction, while all information regarding the initiation of the financial transaction, authentication, authorization transaction and notification of the results of the authorization transaction is stored by the means provided by the payment system and in accordance with the specification of the payment system.

Images