WO2002019614A1 - Method and system for authenticating e-commerce transaction - Google Patents

Method and system for authenticating e-commerce transaction

Publication number
WO2002019614A1
Authority
WO
WIPO (PCT)
Application number
PCT/IN2001/000102
Inventor
Balaraman Chandramouli
Original Assignee
Myespace.Net Private Limited
Application filed by Myespace.Net Private Limited
Priority to AU2001276651A
Publication of WO2002019614A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/04 Payment circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/325 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Payment protocols; Details thereof using an alias or single-use codes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425 Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the invention relates to a method and system for authenticating E-commerce transaction.
  • Appendix "A" and "B" attached to this specification contain source code in the HTML, Java, JavaScript and Visual Basic programming languages for programming a computer, are a part of the present disclosure, and are incorporated by reference in their entirety.
  • TCP/IP Transmission Control Protocol/Internet Protocol
  • HTML Hypertext Markup Language
  • WWW World Wide Web
  • the WWW is a multimedia-enabled hypertext system used for navigating the Internet and is made up of hundreds of thousands of web pages with images and text and video files, which can be displayed on a computer monitor. Each web page can have connections to other pages, which may be located on any computer connected to the Internet.
  • a typical Internet user uses a client program called a "Web Browser" to connect to the Internet.
  • a user can connect to the Internet via a proprietary network, such as America Online or CompuServe, or via an Internet Service Provider, e.g., Earthlink.
  • a Web Browser may run on any computer connected to the Internet. Currently, various browsers are available, of which two prominent browsers are Netscape Navigator™ and Microsoft Internet Explorer™.
  • the Web Browser receives and sends requests to a web server and acquires information from the WWW.
  • a web server is a program that, upon receipt of a request, sends the requested data to the requesting user.
  • URL Uniform Resource Locator
  • HTTP Hypertext Transfer Protocol
  • WAIS Wide Area Information Service
  • FTP File Transfer Protocol
  • E-commerce electronic commerce transaction
  • E-commerce transactions today have gained considerable popularity among consumers and businesses.
  • the security for E-commerce transactions is still questionable.
  • a consumer uses a user identification number ("user ID.") and user specified password to execute an E-commerce transaction.
  • user ID. user identification number
  • password user specified password
  • the current security systems will fail to prevent an unauthorized E-commerce transaction.
  • consumers and businesses can potentially lose millions of dollars because the conventional security systems in E-commerce do not have an efficient authorization and authentication process.
  • the present invention solves the foregoing drawbacks by providing a method and system for authorizing/authenticating E-commerce transactions.
  • the process registers the user with a central registry.
  • the user enters user information, which is then received by the registry.
  • the user may enter user information in a web browser and transmit the information to the registry via the Internet, the main channel for the E-commerce transaction.
  • After the registry receives the profile information, under the registration process, the registry initiates a call to a user designated personal device, for example, a mobile telephone or a land phone etc. It is noteworthy that the user designated device is based upon an alternate channel separate from the main E-commerce transaction channel. The user is prompted to enter an authentication code. The user enters the authentication code, which is then stored in the database, and the user is registered.
  • the service provider that provides goods and/or services to the user is also registered with the registry.
  • a registered user can request an E-commerce transaction with a registered service provider.
  • the registry receives a user transaction request to proceed with an E-commerce transaction. Such a request is received from the main E-commerce transaction channel, generally through a web browser.
  • the registry generates a transaction identification number upon receiving the user's request.
  • the transaction identification number is sent to the user via the main E-commerce transaction channel.
  • the registry initiates a call to a user designated personal device, for example, a mobile telephone or a land phone etc. It is noteworthy that the user-designated device is based upon an alternate channel separate from the main E-commerce transaction channel.
  • a cell phone, a mobile telephone or a land phone may be used to receive the telephone call and enter the authentication code.
  • Other devices for example a two-way pager and smart cards etc. may also be used to enter the authentication code.
  • the user enters the authentication code and the transaction identification number.
  • User entered authentication code is compared with user specific stored authentication code.
  • User entered transaction identification number is also compared with the generated transaction identification number. If both the numbers match, user identity is authenticated, and the user is authorized to proceed with the requested transaction.
  • Authorization data including transaction identification number, date and time of transaction, and the IP address of the device that is connected to the main channel are stored.
  • One advantage of the present invention is that initiation and authentication of an E-commerce transaction requires two different channels.
  • the main channel provides security for the user to request a transaction and obtain a transaction identification number.
  • the alternate channel assists in authentication.
  • the probability of simultaneously acquiring all the foregoing data is quite remote.
  • the present invention provides a secure system for E-commerce transactions.
  • Another advantage of the present process is that a user must enter an authentication code for registration via an alternative channel and device, e.g., a cell, mobile or land phone, two-way pager or smart cards etc. Hence even if user password is stolen, the authentication code is still required to proceed with a transaction.
  • This additional channel (authentication code and transaction identification number) provides an extra layer of security for vulnerable E-commerce transactions.
  • Yet another advantage of the present system is that a user must enter two sets of numbers, one transaction specific, i.e., the transaction identification number, and another user specific, i.e., the authentication code. Since the user must be identified prior to any transaction by entering the authentication code via an alternate channel other than the main E-commerce transaction channel, it provides a degree of security that is much more stringent than identifying the user by merely a password.
  • Yet another advantage of the present system is that users can authenticate themselves via a mobile phone. Hence the system is flexible.
  • Yet another advantage of the present invention is that the authentication code is entered on a device (e.g. cell phone or land phone etc.) specified by the user. Yet another advantage of the present invention is that any transaction authorized by registry is stored for future reference. Hence any claims by the user or a third party against authorized transaction can be repudiated by the stored authorization data.
  • Figure 1 illustrates a computing system to carry out the inventive technique.
  • Figure 2 is a block diagram of the architecture of the computing system of Fig. 1.
  • Figure 3 is a block diagram of the Internet Topology.
  • Figure 4A is a block diagram of the architecture of a system, according to the present invention.
  • Figure 4B is a block diagram of a registry module according to the present system.
  • Figure 4C is a block diagram of the architecture showing a Service point coupled to the registry module, according to the present invention.
  • Figure 5A is a flow diagram showing process steps for registering users.
  • Figure 5B is a flow diagram showing process steps for registering service providers.
  • Figure 6 is a flow diagram of process steps for authorizing and authenticating an E-commerce transaction according to the present invention.
  • Figure 1 is a block diagram of a computing system 10 for executing computer executable process steps according to one embodiment of the present invention.
  • a consumer conducting an E-commerce transaction may use the computing system of Figure 1.
  • Computing system 10 is connected to the main E-commerce transaction channel (Internet).
  • Figure 1 block diagram is not limiting and merely illustrative.
  • Other devices that allow E-commerce transactions may be used to implement the methods and systems of the present invention.
  • laptops, notebook computers, a handheld device like the Palm-Pilot™, digital TV or WebTV™, or a remote wireless device that can be connected to the Internet or another computer network that allows E-commerce transactions may be used instead of the computing system of Figure 1.
  • Computing System 10 may also be used to host the authorization/authentication system according to the present invention.
  • Figure 1 includes a host computer 10 and a monitor 11.
  • Monitor 11 may be a CRT type, a LCD type, or any other type of color or monochrome display.
  • Also provided with computer 10 is a keyboard 13 for entering text data and user commands, and a pointing device 14 for processing objects displayed on monitor 11.
  • Computer 10 includes a computer-readable memory medium such as a rotating disk 15 for storing readable data.
  • disk 15 can store application programs including web browsers by which computer 10 connects to the Internet and the systems described below, according to one aspect of the present invention.
  • Computer 10 can also access a computer-readable floppy disk storing data files, application program files, and computer executable process steps embodying the present invention or the like via a floppy disk drive 16.
  • a CD-ROM interface (not shown) may also be provided with computer 10 to access application program files, audio files and data files stored on a CD-ROM.
  • a modem, an integrated services digital network (ISDN) connection, or the like also provides computer 10 with an Internet connection 12 to the World Wide Web (WWW).
  • the Internet connection 12 allows computer 10 to download data files, audio files, application program files and conduct E-commerce transactions.
  • Internet connection 12 provides access to the main E-commerce transaction channel.
  • Computer 10 is also provided with external audio speakers 17A and 17B to assist a consumer to listen to any audio files. It is noteworthy that a listener may use headphones instead of audio speakers 17A and 17B to listen to any audio files.
  • FIG. 2 is a block diagram showing the internal functional architecture of computer 10.
  • computer 10 includes a CPU 201 for executing computer-executable process steps and interfaces with a computer bus 208. Also shown in Figure 2 are a WWW interface 202, a display device interface 203, a keyboard interface 204, a pointing device interface 205, an audio interface 209, and a rotating disk 15. Audio Interface 209 allows a listener to listen to music, On-line (downloaded using the Internet or a private network) or off-line (using a CD).
  • disk 15 stores operating system program files, application program files, web browsers, and other files. Some of these files are stored on disk 15 using an installation program. For example, CPU 201 executes computer-executable process steps of an installation program so that CPU 201 can properly execute the application program.
  • a random access main memory (“RAM”) 206 also interfaces to computer bus 208 to provide CPU 201 with access to memory storage.
  • CPU 201 stores and executes the process steps out of RAM 206.
  • ROM 207 is provided to store invariant instruction sequences such as start-up instruction sequences or basic input/output operating system (BIOS) sequences for operation of keyboard 13.
  • BIOS basic input/output operating system
  • FIG. 3 shows a typical topology of a computer network with computers similar to computer 10, connected to the Internet.
  • three computers X, Y and Z are shown connected to the Internet 302 via Web interface 202 through a gateway 301, where gateway 301 can interface N number of computers.
  • Web interface 202 may be a modem, network interface card or a unit for providing connectivity to other computer systems over a network using protocols such as X.25, Ethernet or TCP/IP, or any device that allows, directly or indirectly, computer-to-computer communications.
  • the invention is not limited to a particular number of computers. Any number of computers that can be connected to the Internet 302 or any other computer network may be used.
  • Figure 3 further shows a second gateway 303 that connects a network of web servers 304 and 305 to the Internet 302.
  • Web servers 304 and 305 may be connected with each other over a computer network.
  • Web servers 304 and 305 can also facilitate or provide E-commerce transactions, according to the present invention.
  • Web servers 304 and 305 can also host the present system that secures E-Commerce transactions.
  • a client side web server 308 that can be provided by an Internet service provider.
  • Figure 4A is a block diagram of the architecture, according to one embodiment of the present invention.
  • a user's terminal 401 communicates with a registry 402.
  • Terminal 401 may be similar to computer 10, a laptop computer, a notebook computer, digital TV or WebTV™, a hand held device or a similar device that can be connected to the Internet or another network.
  • Registry 402 may reside at a web server 304. A user inputs user specific information via terminal 401 and the user information is transferred to registry 402.
  • Figure 4B shows a block diagram of registry module 402 that includes receiving module 403A that receives requests from user terminal 401.
  • Receiving module 403A also communicates with a database 403B either to store user information or search for user information.
  • Receiving module 403A also communicates with Interactive Voice Response System ("IVR") 403C that can contact the user via an alternate channel 403D (not shown).
  • Alternate channel 403D may allow a connection to a mobile or land phone, or two-way pagers, and/or other devices.
  • IVR 403C is sold by Dialogic Corporation, 1515 Route 10, Parsippany, NJ 07054, Part number D/21H, which is a High Performance 2 Port voice processing board. It is noteworthy that the invention is not limited to the foregoing IVR 403C as sold by Dialogic Corporation; other comparable or similar voice processing boards and/or software modules may be used to practice the embodiments under the present invention.
  • IVR 403C is used to contact a user for authenticating an E-commerce transaction, as described below.
  • Figure 4C is a block diagram showing a service point 404 that communicates with registry 402.
  • Service point 404 allows a user via user terminal 401 to conduct an E-commerce transaction.
  • Service point 404 may be any commercial web site that can facilitate an E-commerce transaction.
  • Figure 5A is a flow diagram of executable process steps to register a user under the present invention.
  • the registration process starts in step S501.
  • a user enters user specific information.
  • Various fields may be used to develop and store user profiles.
  • a user interface is provided to a user on a display device similar to display device 11. The user may be asked to enter first name, last name, middle initials, electronic mail ("email") address, user name, password, telephone number either land or mobile, pager number, fax number, user address, occupation, and a question that gives a user a hint to remember the user password etc. It is noteworthy that the present invention is not limited to a particular number of fields for creating user profiles.
  • User profile information is sent to registry 402 in an encrypted form using Secure Socket Layer (SSL) technology.
  • SSL Secure Socket Layer
  • SSL is a 40/128 bit encryption process in the TCP/IP layer of web browsers, such as Netscape™ and Internet Explorer™. Profile information is stored in database 403B. Every user chooses a unique username and a password. It is noteworthy that a user can update user profile information subsequently.
  • registry 402 sends an acknowledgement to the user that profile information has been received.
  • Receiving module 403A receives input user information and sends an email or facsimile to the user acknowledging that user information has been received.
  • Receiving module 403A may also send the acknowledgement via a pager etc.
  • a validation process verifies user information sent in step S501.
  • Various levels of security may be used for validation.
  • a level 1 validation may request an acknowledgement from the user after step S503 via electronic mail, facsimile or a telephone call.
  • a level 2 validation may require a user to provide documentary evidence to establish user identity, for example, a copy of a driver's license, social security number, passport, or birth certificate etc.
  • a level 3 validation may require a user to personally visit a specific authorization agent, for example, a notary or a service that can provide authorization services for validating and verifying user identity.
  • registry 402 places a telephone call to the user. Such telephone calls may be placed to the user's cellular or mobile phone or a land phone. Registry 402 uses IVR 403C to place the telephone call. The telephone call is placed to the latest telephone number provided by the user.
  • IVR 403C provides a list of options to the user and prompts the user to select a mobile digital authentication code ("MDC") on a designated device.
  • MDC is a user specific code.
  • MDC is used to authenticate any future E-commerce transaction that may be requested by the user.
  • MDC may be a combination of numeric, alpha numeric or special characters.
  • In step S507, the user enters the MDC on a designated device.
  • the user previously enters information regarding such designated device, for example cell phone telephone number etc., in step S502.
  • the designated device may be a cell or mobile phone.
  • the invention is not limited to a cell or mobile phone.
  • a regular land telephone system may be used to enter the MDC.
  • other devices may be used to enter the MDC.
  • a two-way pager may be used to enter the MDC.
  • a smart card may also be used to enter the MDC.
  • the Smart Card Industry Association (accessible via the Internet at www.scia.org) provides a description of Smart card technology. One such description is provided in "Smart Cards" by Carol H. Fancher and is incorporated herein by reference, available at www.scia.org/knowledgebase/default.htm.
  • IVR 403C may also ask the user to confirm MDC more than once after the user has entered the MDC for the first time.
  • MDC is transferred from the designated device to registry 402.
  • MDC may be encrypted at the designated device before being transferred to registry 402.
  • Various encryption techniques may be used to encrypt the MDC before being transferred to registry 402.
  • Receiving module 403A receives the MDC and links the MDC to the user identification number. Thereafter the MDC is stored in an encrypted format in database 403B.
  • Various encryption techniques may be used to encrypt MDC code and store the encrypted code at servers 304 and/or 305 as content 306 and/or 307.
  • Figure 5B is a process flow diagram showing process steps for registering service point 404 such that a user may utilize the authentication/authorization system according to the present invention, while conducting E-commerce transactions.
  • In step S500A, a service point 404 representative logs on to registry 402.
  • a service point representative enters service point 404 information.
  • Such information may include, name of the service point, address, telephone number, registration number, service point identification number, password and encrypting technique that the service point intends to use.
  • In step S500C, registry 402 sends an email acknowledging receipt of the registration information.
  • the foregoing process registers a particular service point 404 to use the secured E-commerce transaction system of the present invention.
  • Figure 6 is a process flow diagram describing the authorization/authentication of an E-commerce transaction, according to the present invention.
  • a user logs onto the website of service point 404 (e.g., Amazon.com, a Registered Trademark).
  • the user may use a computing system 10 to log on to service point 404.
  • Service point 404 is previously registered with registry 402 of the present invention (Fig. 5B).
  • the user sends a request to service point 404 to buy goods and/or services.
  • the user transaction request is received by service point 404.
  • User uses a user identification number and a password to initiate the transaction.
  • In step S602, service point 404 transfers the user request for the transaction to registry 402 and in particular to receiving module 403A.
  • registry 402 identifies the user based upon user identification number and password stored in database 403B. Thereafter, receiving module 403A generates a transaction identification number that is displayed on service point 404's website. The transaction identification number is visible to the user on display device 11 while the user is conducting the transaction via service point 404's website.
  • IVR 403C contacts a designated device. If the designated device is a telephone, then IVR 403C triggers a telephone call to a telephone number provided by the user. It is noteworthy that a cell, mobile or land telephone may be used. Other devices may also be used for contact between registry 402 and the user. For example, a two-way pager may be used. A smart card may also be used.
  • IVR 403C prompts the user to enter user specific MDC along with the transaction identification number as seen on the service point 404's webpage.
  • In step S606, the user enters the MDC along with the transaction identification number.
  • the user enters the MDC in a designated device. For example, a mobile or cell phone if the call in step S604 is placed to a cell or mobile phone. If the call in step S604 is placed to a land phone, then the user may enter the MDC via the land phone. As discussed above, other devices may also be used to enter the MDC.
  • step S607 the designated device where the MDC is entered, transfers the MDC to registry 402. Again, as described in step S508 (Fig. SA), the MDC before being transferred may be encrypted.
  • step S608 registry 402 compares user entered MDC with user specific MDC stored in database 403B. ( Figure SA). Registry 402 also verifies the user entered transaction identification number after comparing it with the transaction identification number generated in step S603.
  • step S609 registry 402 authorizes the user requested E-commerce transaction request.
  • the authorization data is stored in database 403B.
  • Authorization data includes transaction number, date and time of transaction as linked to user identification number, password and MDC. This can assist service point 402 to repudiate any claims by a user that a specific transaction was unauthorized.
  • One advantage of the present invention is that initiation and authentication of an E-commerce transaction requires two different channels. The main channel provides security for the user to request a transaction and obtain a transaction identification number. The alternate channel assists in authentication.
  • the present invention provides a secure system for E-commerce transactions.
  • Another advantage of the present process is that a user must enter an authentication code for registration via an alternative channel and device, e.g., a cell, mobile or land phone, two-way pager or smart cards etc. Hence even if user password is stolen, the authentication code is still required to proceed with a transaction.
  • This additional channel (authentication code and transaction identification number) provides an extra layer of security for vulnerable E-commerce transactions.
  • Yet another advantage of the present system is that a user must enter two sets of numbers, one transaction specific, i.e., the transaction identification number, and another user specific, i.e., the authentication code. Since the user must be identified prior to any transaction by entering the authentication code via an alternate channel other than the main E-commerce transaction channel, it provides a degree of security that is much more stringent than identifying the user by merely a password.
  • Yet another advantage of the present system is that users can authenticate themselves via a mobile phone. Hence the system is flexible.
  • Yet another advantage of the present invention is that the authentication code is entered on a device (e.g. cell phone or land phone etc.) specified by the user.
  • a device e.g. cell phone or land phone etc.
  • Microfiche appendix "A" that is attached hereto contain source code in HTML, Java, Java script, Visual basic programming language for programming a computer, are a part of the present disclosure, and are incorporated by reference in their entirety.
  • the attached appendices provide two examples of implementing the foregoing aspects of the present invention. It is noteworthy that the invention is not limited to the examples in the attached appendices, other computer languages may be used to implement the foregoing aspects of the present invention.

Abstract

A method and system for authorizing/authenticating E-commerce transactions is provided. The process registers a user and service providers for conducting secured on-line electronic commerce transactions. To register the user, profile information is entered and a telephone call is initiated. The user is prompted to enter an authentication code and thereafter, the user enters the authentication code. The user specific authentication code is then stored in a database. Thereafter the registered user can request to conduct an E-commerce transaction with the service provider that is also registered with an authorization/authentication module. The authorization/authentication module generates a transaction identification number upon receiving the user's request and initiates a telephone call to the user. Thereafter the user is prompted to enter the authentication code and the transaction identification number for verifying user identity. The entered authentication numbers are compared with the stored authentication number.

Description

METHOD AND SYSTEM FOR AUTHENTICATING E-COMMERCE TRANSACTION
FIELD OF THE INVENTION
The invention relates to a method and system for authenticating E-commerce transaction.
Appendix "A" and "B" attached to this specification contain source code in HTML, Java, Java script, Visual basic programming language for programming a computer, are a part of the present disclosure, and are incorporated by reference in their entirety.
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the patent and trademark office patent files or records, but otherwise reserves all copyright whatsoever.
The Internet connects thousands of computers world wide through well-known protocols, for example, Transmission Control Protocol (TCP)/Internet Protocol (IP), into a vast network. Information on the Internet is stored world wide as computer files, mostly written in the Hypertext Mark Up Language ("HTML"). The collection of all such publicly available computer files is known as the World Wide Web (WWW).
The WWW is a multimedia-enabled hypertext system used for navigating the Internet and is made up of hundreds of thousands of web pages with images and text and video files, which can be displayed on a computer monitor. Each web page can have connections to other pages, which may be located on any computer connected to the Internet.
A typical Internet user uses a client program called a "Web Browser" to connect to the Internet. A user can connect to the Internet via a proprietary network, such as America Online or CompuServe, or via an Internet Service Provider, e.g., Earthlink.
A Web Browser may run on any computer connected to the Internet. Currently, various browsers are available of which two prominent browsers are Netscape Navigator™ and Microsoft Internet Explorer™ . The Web Browser receives and sends requests to a web server and acquires information from the WWW. A web server is a program that, upon receipt of a request, sends the requested data to the requesting user.
A standard naming convention known as Uniform Resource Locator ("URL") has been adopted to represent hypermedia links and links to network services. Most files or services can be represented with a URL. URLs enable Web Browsers to go directly to any file held on any WWW server.
Information from the WWW is accessed using well-known protocols, including the Hypertext Transport Protocol ("HTTP"), the Wide Area Information Service ("WAIS") and the File Transport Protocol ("FTP"), over TCP/IP protocol. The transfer format for standard WWW pages is Hypertext Transfer Protocol (HTTP).
The advent and progress of the Internet has changed the way consumers shop. A consumer today can buy numerous products and services via the Internet. A typical electronic commerce transaction ("E-commerce") involves the following steps: (a) a consumer logs onto a merchant's website, (b) selects products and/or services, (c) pays via credit or debit card or other electronic means, and (d) the transaction is completed, and thereafter products and/or services are delivered and/or performed.
E-commerce transactions today have gained considerable popularity among consumers and businesses. However, the security for E-commerce transactions is still questionable. Typically, a consumer uses a user identification number ("user ID") and user specified password to execute an E-commerce transaction. However, if an unauthorized user accesses the user ID and password, then the current security systems will fail to prevent an unauthorized E-commerce transaction. Hence consumers and businesses can potentially lose millions of dollars because the conventional security systems in E-commerce do not have an efficient authorization and authentication process.
Therefore, what is needed is a method and system for authenticating and authorizing E-commerce transactions that can enhance security for conventional E-commerce transactions.
SUMMARY
The present invention solves the foregoing drawbacks by providing a method and system for authorizing/authenticating E-commerce transactions. Before allowing a user to proceed with an E-commerce transaction, the process registers the user with a central registry. The user enters user information, which is then received by the registry. The user may enter user information in a web browser and transmit the information to the registry via the Internet, the main channel for the E-commerce transaction.
After the registry receives the profile information, under the registration process, the registry initiates a call to a user designated personal device, for example, a mobile telephone or a land phone etc. It is noteworthy that the user designated device is based upon an alternate channel separate from the main E-commerce transaction channel. The user is prompted to enter an authentication code. The user enters the authentication code, which is then stored in the database, and the user is registered.
According to the present invention, the service provider that provides goods and/or services to the user is also registered with the registry. Under one aspect of the present system, a registered user can request an E-commerce transaction with a registered service provider. The registry receives a user transaction request to proceed with an E-commerce transaction. Such a request is received from the main E-commerce transaction channel, generally through a web browser. The registry generates a transaction identification number upon receiving the user's request. The transaction identification number is sent to the user via the main E-commerce transaction channel. The registry initiates a call to a user designated personal device, for example, a mobile telephone or a land phone etc. It is noteworthy that the user-designated device is based upon an alternate channel separate from the main E-commerce transaction channel. Thereafter the user is prompted to enter an authentication code and the transaction identification number for verifying user identity. A cell phone, a mobile telephone or a land phone may be used to receive the telephone call and enter the authentication code. Other devices for example a two-way pager and smart cards etc. may also be used to enter the authentication code.
The user enters the authentication code and the transaction identification number. User entered authentication code is compared with user specific stored authentication code. User entered transaction identification number is also compared with the generated transaction identification number. If both the numbers match, user identity is authenticated, and the user is authorized to proceed with the requested transaction. Authorization data including transaction identification number, date and time of transaction, and the IP address of the device that is connected to the main channel are stored.
One advantage of the present invention is that initiation and authentication of an E-commerce transaction requires two different channels. The main channel provides security for the user to request a transaction and obtain a transaction identification number. The alternate channel assists in authentication. In order to breach the system of the present invention, one will have to know the user login identity and password on the main channel, personal device details, authentication code on the alternate channel, transaction identification number on the main channel and know the algorithm used for encrypting all the data during the transaction. The probability of simultaneously acquiring all the foregoing data is quite remote. Hence the present invention provides a secure system for E-commerce transactions.
Another advantage of the present process is that a user must enter an authentication code for registration via an alternative channel and device, e.g., a cell, mobile or land phone, two-way pager or smart cards etc. Hence even if user password is stolen, the authentication code is still required to proceed with a transaction. This additional channel (authentication code and transaction identification number) provides an extra layer of security for vulnerable E-commerce transactions.
Yet another advantage of the present system is that a user must enter two sets of numbers, one transaction specific, i.e., the transaction identification number, and another user specific, i.e., the authentication code. Since the user must be identified prior to any transaction by entering the authentication code via an alternate channel other than the main E-commerce transaction channel, it provides a degree of security that is much more stringent than identifying the user by merely a password.
Yet another advantage of the present system is that users can authenticate themselves via a mobile phone. Hence the system is flexible.
Yet another advantage of the present invention is that the authentication code is entered on a device (e.g. cell phone or land phone etc.) specified by the user. Yet another advantage of the present invention is that any transaction authorized by registry is stored for future reference. Hence any claims by the user or a third party against authorized transaction can be repudiated by the stored authorization data.
This brief summary has been provided so that the nature of the invention may be understood quickly. A more complete understanding of the invention can be obtained by reference to the following detailed description of the preferred embodiments thereof in connection with the attached drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates a computing system to carry out the inventive technique.
Figure 2 is a block diagram of the architecture of the computing system of Fig. 1.
Figure 3 is a block diagram of the Internet Topology.
Figure 4A is a block diagram of the architecture of a system, according to the present invention.
Figure 4B is a block diagram of a registry module according to the present system.
Figure 4C is a block diagram of the architecture showing a Service point coupled to the registry module, according to the present invention.
Figure 5A is a flow diagram showing process steps for registering users.
Figure 5B is a flow diagram showing process steps for registering service providers.
Figure 6 is flow diagram of process steps for authorizing and authenticating an E-commerce transaction according to the present invention.
The use of similar reference numerals in different Figures indicates similar or identical items.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figure 1 is a block diagram of a computing system 10 for executing computer executable process steps according to one embodiment of the present invention. A consumer conducting an E-commerce transaction may use the computing system of Figure 1. Computing system 10 is connected to the main E-commerce transaction channel (Internet). It is noteworthy that the Figure 1 block diagram is not limiting and merely illustrative. Other devices that allow E-commerce transactions may be used to implement the methods and systems of the present invention. For example, laptops, notebook computers, a handheld device like the Palm-Pilot™, digital or WebTV™ or a remote wireless device that can be connected to the Internet or another computer network that allows E-commerce transactions may be used instead of the computing system of Figure 1. Computing System 10 may also be used to host the authorization/authentication system according to the present invention.
Figure 1 includes a host computer 10 and a monitor 11. Monitor 11 may be a CRT type, a LCD type, or any other type of color or monochrome display. Also provided with computer 10 is a keyboard 13 for entering text data and user commands, and a pointing device 14 for processing objects displayed on monitor 11.
Computer 10 includes a computer-readable memory medium such as a rotating disk 15 for storing readable data. Besides other programs, disk 15 can store application programs including web browsers by which computer 10 connects to the Internet and the systems described below, according to one aspect of the present invention.
Computer 10 can also access a computer-readable floppy disk storing data files, application program files, and computer executable process steps embodying the present invention or the like via a floppy disk drive 16. A CD-ROM interface (not shown) may also be provided with computer 10 to access application program files, audio files and data files stored on a CD-ROM.
A modem, an integrated services digital network (ISDN) connection, or the like also provides computer 10 with an Internet connection 12 to the World Wide Web (WWW). The Internet connection 12 allows computer 10 to download data files, audio files, application program files and conduct E-commerce transactions. Internet connection 12 provides access to the main E-commerce transaction channel.
Computer 10 is also provided with external audio speakers 17A and 17B to assist a consumer to listen to any audio files. It is noteworthy that a listener may use headphones instead of audio speakers 17A and 17B to listen to any audio files.
Figure 2 is a block diagram showing the internal functional architecture of computer 10. As shown in Fig. 2, computer 10 includes a CPU 201 for executing computer-executable process steps and interfaces with a computer bus 208. Also shown in Figure 2 are a WWW interface 202, a display device interface 203, a keyboard interface 204, a pointing device interface 205, an audio interface 209, and a rotating disk 15. Audio Interface 209 allows a listener to listen to music, On-line (downloaded using the Internet or a private network) or off-line (using a CD).
As described above, disk 15 stores operating system program files, application program files, web browsers, and other files. Some of these files are stored on disk 15 using an installation program. For example, CPU 201 executes computer-executable process steps of an installation program so that CPU 201 can properly execute the application program.
A random access main memory ("RAM") 206 also interfaces to computer bus 208 to provide CPU 201 with access to memory storage. When executing stored computer-executable process steps from disk 15 (or other storage media such as floppy disk 16 or WWW connection 12), CPU 201 stores and executes the process steps out of RAM 206.
Read only memory ("ROM") 207 is provided to store invariant instruction sequences such as start-up instruction sequences or basic input/output operating system (BIOS) sequences for operation of keyboard 13.
Figure 3 shows a typical topology of a computer network with computers similar to computer 10, connected to the Internet. For illustration purposes, three computers X, Y and Z are shown connected to the Internet 302 via Web interface 202 through a gateway 301, where gateway 301 can interface N number of computers. Web interface 202 may be a modem, network interface card or a unit for providing connectivity to other computer systems over a network using protocols such as X.25, Ethernet or TCP/IP, or any device that allows, directly or indirectly, computer-to-computer communications.
It is noteworthy that the invention is not limited to a particular number of computers. Any number of computers that can be connected to the Internet 302 or any other computer network may be used.
Figure 3 further shows a second gateway 303 that connects a network of web servers 304 and 305 to the Internet 302. Web servers 304 and 305 may be connected with each other over a computer network. Web servers 304 and 305 can also facilitate E-commerce transactions, according to the present invention. Web servers 304 and 305 can also host the present system that secures E-Commerce transactions. Also shown in Figure 3 is a client side web server 308 that can be provided by an Internet service provider.
Figure 4A is a block diagram of the architecture, according to one embodiment of the present invention. A user's terminal 401 communicates with a registry 402. Terminal 401 may be similar to computer 10, a laptop computer, a notebook computer, digital TV or WebTV™, a hand held device or similar device that can be connected to the Internet or another network.
Registry 402 may reside at a web server 304. A user inputs user specific information via terminal 401 and the user information is transferred to registry 402.
Figure 4B shows a block diagram of registry module 402 that includes receiving module 403A that receives requests from user terminal 401. Receiving module 403A also communicates with a database 403B either to store user information or search for user information.
Receiving module 403A also communicates with Interactive Voice Response System ("IVR") 403C that can contact the user via an alternate channel 403D (not shown). Alternate channel 403D may allow a connection to a mobile or land phone, or two way pagers, and/or other devices. One example of IVR 403C is sold by Dialogic Corporation 1515 Route 10, Parsippany, NJ 07054, Part number D/21H, which is a High Performance 2 Port voice processing board. It is noteworthy that the invention is not limited to the foregoing IVR 403C as sold by Dialogic Corporation, other comparable or similar voice processing boards and/or software modules may be used to practice the embodiments under the present invention. IVR 403C is used to contact a user for authenticating an E-commerce transaction, as described below.
Figure 4C is a block diagram showing a service point 404 that communicates with registry 402. Service point 404 allows a user via user terminal 401 to conduct an E-commerce transaction. Service point 404 may be any commercial web site that can facilitate an E-commerce transaction.
Figure 5A is a flow diagram of executable process steps to register a user under the present invention.
The registration process starts in step S501.
In step S502, a user enters user specific information. Various fields may be used to develop and store user profiles. A user interface is provided to a user on a display device similar to display device 11. The user may be asked to enter first name, last name, middle initials, electronic mail ("email") address, user name, password, telephone number either land or mobile, pager number, fax number, user address, occupation, and a question that gives a user a hint to remember the user password etc. It is noteworthy that the present invention is not limited to a particular number of fields for creating user profiles. User profile information is sent to registry 402 in an encrypted form using Secure Socket Layer (SSL) technology. SSL is a 40/128 bit encryption process in the TCP/IP layer of web browsers, such as Netscape™ and Internet Explorer™. Profile information is stored in database 403B. Every user chooses a unique username and a password. It is noteworthy that a user can update user profile information subsequently.
In step S503, registry 402 sends an acknowledgement to the user that profile information has been received. Receiving module 403A receives input user information and sends an email or facsimile to the user acknowledging that user information has been received. Receiving module 403A may also send the acknowledgement via a pager etc.
In step S504, a validation process verifies user information sent in step S501. Various levels of security may be used for validation. A level 1 validation may request an acknowledgement from the user after step S503 via electronic mail, facsimile or a telephone call. A level 2 validation may require a user to provide documentary evidence to establish user identity, for example, a copy of a driver's license, social security number, passport, or birth certificate etc. A level 3 validation may require a user to personally visit a specific authorization agent, for example, a notary or a service that can provide authorization services for validating and verifying user identity.
After user information is validated in step S504, in step S505, registry 402 places a telephone call to the user. Such telephone calls may be placed to the user's cellular or mobile phone or a land phone. Registry 402 uses IVR 403C to place the telephone call. The telephone call is placed to the latest telephone number provided by the user.
In step S506, IVR 403C provides a list of options to the user and prompts the user to select a mobile digital authentication code ("MDC") on a designated device. MDC is a user specific code. MDC is used to authenticate any future E-commerce transaction that may be requested by the user. MDC may be a combination of numeric, alpha numeric or special characters.
In step S507, the user enters the MDC on a designated device. The user previously enters information regarding such designated device, for example cell phone telephone number etc., in step S502. The designated device may be a cell or mobile phone. The invention is not limited to a cell or mobile phone. A regular land telephone system may be used to enter the MDC. Also other devices may be used to enter the MDC. For example, a two-way pager may be used to enter the MDC. A smart card may also be used to enter the MDC. The Smart Card Industry Association (accessible via the Internet at www.scia.org) provides a description of Smart card technology. One such description is provided in "Smart Cards " by Carol H. Fancher and is incorporated herein by reference, available at www.scia.org/knowledgebase/default.htm.
IVR 403C may also ask the user to confirm MDC more than once after the user has entered the MDC for the first time.
In step S508, MDC is transferred from the designated device to registry 402. MDC may be encrypted at the designated device before being transferred to registry 402. Various encryption techniques may be used to encrypt the MDC before being transferred to registry 402. Receiving module 403A receives the MDC and links the MDC to user identification number. Thereafter the MDC is stored in an encrypted format in database 403B. Various encryption techniques may be used to encrypt MDC code and store the encrypted code at servers 304 and/or 305 as content 306 and/or 307.
Figure 5B is a process flow diagram showing process steps for registering service point 404 such that a user may utilize the authentication/authorization system according to the present invention, while conducting E-commerce transactions.
In step S500A, service point 404 representative logs on to registry 402.
In step S500B, via service point 404, a service point representative enters service point 402 information. Such information may include, name of the service point, address, telephone number, registration number, service point identification number, password and encrypting technique that the service point intends to use.
In step S500C, registry 402 sends an email acknowledging receipt of the registration information. The foregoing process registers a particular service point 404 to use the secured E-commerce transaction system of the present invention.
Figure 6 is a process flow diagram describing the authorization/authentication of an E-commerce transaction, according to the present invention.
In step S601, a user logs onto the website of service point 404 (e.g., Amazon.com, a Registered Trademark). The user may use a computing system 10 to log on to service point 404. Service point 404 is previously registered with registry 402 of the present invention (Fig. 5B). The user sends a request to service point 404 to buy goods and/or services. The user transaction request is received by service point 404. User uses a user identification number and a password to initiate the transaction.
In step S602, service point 404 transfers the user request for the transaction to registry 402 and in particular to receiving module 403A.
In step S603, registry 402 identifies the user based upon user identification number and password stored in database 403B. Thereafter, receiving module 403A generates a transaction identification number that is displayed on service point 404's website. The transaction identification number is visible to the user on display device 11 while the user is conducting the transaction via service point 404's website.
In step S604, IVR 403C contacts a designated device. If the designated device is a telephone, then IVR 403C triggers a telephone call to a telephone number provided by the user. It is noteworthy that a cell, mobile or land telephone may be used. Also other devices may be used for contact between registry 402 and the user. For example, a two-way pager may be used. A smart card may also be used. The Smart Card Industry Association (accessible via the Internet at www.scia.org) provides a description of Smart card technology. One such description is provided in "Smart Cards " by Carol H. Fancher and is incorporated herein by reference, available at www.scia.org/knowledgebase/default.htm.
In step S605, IVR 403C prompts the user to enter user specific MDC along with the transaction identification number as seen on the service point 404's webpage.
In step S606, the user enters the MDC along with the transaction identification number. The user enters the MDC in a designated device. For example, a mobile or cell phone if the call in step S604 is placed to a cell or mobile phone. If the call in step S604 is placed to a land phone, then the user may enter the MDC via the land phone. As discussed above, other devices may also be used to enter the MDC.
In step S607, the designated device where the MDC is entered, transfers the MDC to registry 402. Again, as described in step S508 (Fig. 5A), the MDC before being transferred may be encrypted.
In step S608, registry 402 compares user entered MDC with user specific MDC stored in database 403B (Figure 5A). Registry 402 also verifies the user entered transaction identification number after comparing it with the transaction identification number generated in step S603.
If the numbers in step S608 match, then in step S609, registry 402 authorizes the user requested E-commerce transaction request. The authorization data is stored in database 403B. Authorization data includes transaction number, date and time of transaction as linked to user identification number, password and MDC. This can assist service point 402 to repudiate any claims by a user that a specific transaction was unauthorized.
One advantage of the present invention is that initiation and authentication of an E-commerce transaction requires two different channels. The main channel provides security for the user to request a transaction and obtain a transaction identification number. The alternate channel assists in authentication. In order to breach the system of the present invention, one will have to know the user login identity and password on the main channel, personal device details, authentication code on the alternate channel, transaction identification number on the main channel and know the algorithm used for encrypting all the data during the transaction. The probability of simultaneously acquiring the foregoing data is quite remote. Hence the present invention provides a secure system for E-commerce transactions.
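The registry-side checks of steps S603, S608 and S609, as an added Python example that is not the source code from the patent's appendices. The class and method names are hypothetical, and the PBKDF2 storage of the MDC, the five-minute expiry, the single use of each transaction identification number and the three-attempt limit are assumptions; the patent says only that the MDC is stored in an encrypted format and that both numbers must match.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumption: the patent names no algorithm
TXN_TTL_SECONDS = 300    # assumption: the patent sets no expiry
MAX_ATTEMPTS = 3         # assumption: the patent sets no retry limit


def _hash_mdc(mdc, salt):
    """Derive the stored form of an MDC so the clear value is never kept."""
    return hashlib.pbkdf2_hmac("sha256", mdc.encode(), salt, PBKDF2_ROUNDS)


class Registry:
    """In-memory stand-in for registry 402 and database 403B (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._mdc = {}        # user_id -> (salt, derived MDC)
        self._pending = {}    # user_id -> [txn_id, created_at, attempts]
        self.audit_log = []   # authorization data kept in step S609

    def register_mdc(self, user_id, mdc):
        """Step S508: link the MDC to the user and store it protected."""
        salt = secrets.token_bytes(16)
        self._mdc[user_id] = (salt, _hash_mdc(mdc, salt))

    def start_transaction(self, user_id):
        """Step S603: issue the number shown to the user on the main channel."""
        if user_id not in self._mdc:
            raise KeyError("user is not registered")
        txn_id = f"{secrets.randbelow(10**8):08d}"
        self._pending[user_id] = [txn_id, self._clock(), 0]
        return txn_id

    def verify(self, user_id, entered_mdc, entered_txn_id):
        """Steps S608/S609: check both numbers received on the alternate channel."""
        pending = self._pending.get(user_id)
        if pending is None:
            # Covers replay of a used number and a number issued to another user.
            return self._record(user_id, entered_txn_id, "no_pending_transaction")
        txn_id, created_at, _ = pending
        if self._clock() - created_at > TXN_TTL_SECONDS:
            del self._pending[user_id]
            return self._record(user_id, txn_id, "expired")
        pending[2] += 1
        salt, stored = self._mdc[user_id]
        # Constant-time comparisons avoid leaking how many characters matched.
        mdc_ok = hmac.compare_digest(_hash_mdc(entered_mdc, salt), stored)
        txn_ok = hmac.compare_digest(entered_txn_id.encode(), txn_id.encode())
        if mdc_ok and txn_ok:
            del self._pending[user_id]  # the number is single use
            return self._record(user_id, txn_id, "authorized")
        if pending[2] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return self._record(user_id, txn_id, "locked_out")
        return self._record(user_id, txn_id, "mismatch")

    def _record(self, user_id, txn_id, outcome):
        # Transaction number and time linked to the user id; the password and
        # MDC themselves are deliberately left out of the log.
        self.audit_log.append({"user_id": user_id, "txn_id": txn_id,
                               "outcome": outcome, "time": self._clock()})
        return outcome


def demo():
    """Run a constructed session: wrong MDC, success, then a replay."""
    registry = Registry()
    registry.register_mdc("user-1", "4821")  # constructed sample values
    txn_id = registry.start_transaction("user-1")
    return [registry.verify("user-1", "0000", txn_id),
            registry.verify("user-1", "4821", txn_id),
            registry.verify("user-1", "4821", txn_id)]


if __name__ == "__main__":
    print(demo())
```
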
Another advantage of the present process is that a user must enter an authentication code for registration via an alternative channel and device, e.g., a cell, mobile or land phone, two-way pager or smart cards etc. Hence even if user password is stolen, the authentication code is still required to proceed with a transaction. This additional channel (authentication code and transaction identification number) provides an extra layer of security for vulnerable E-commerce transactions.
Yet another advantage of the present system is that a user must enter two sets of numbers, one transaction specific, i.e., the transaction identification number, and another user specific, i.e., the authentication code. Since the user must be identified prior to any transaction by entering the authentication code via an alternate channel other than the main E-commerce transaction channel, it provides a degree of security that is much more stringent than identifying the user by merely a password.
Yet another advantage of the present system is that users can authenticate themselves via a mobile phone. Hence the system is flexible.
Yet another advantage of the present invention is that the authentication code is entered on a device (e.g. cell phone or land phone etc.) specified by the user.
Yet another advantage of the present invention is that any transaction authorized by the registry is stored for future reference. Hence any claims by the user or a third party against an authorized transaction can be repudiated using the stored authorization data.
Microfiche appendix "A", attached hereto, contains source code in the HTML, Java, JavaScript and Visual Basic programming languages for programming a computer; it is a part of the present disclosure and is incorporated by reference in its entirety. The attached appendices provide two examples of implementing the foregoing aspects of the present invention. It is noteworthy that the invention is not limited to the examples in the attached appendices; other computer languages may be used to implement the foregoing aspects of the present invention.
Although the present invention has been described with reference to specific embodiments, these embodiments are illustrative only and not limiting. Many other applications and embodiments of the present invention will be apparent in light of this disclosure and the following claims.
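The two-channel check described above can be sketched as follows. This is an added Python illustration, not code from the patent or its appendices; the class and method names, the CSPRNG-generated six-digit transaction number, the salted hash of the stored authentication code, the five-minute expiry, the three-attempt limit and the single-use rule are all assumptions that the patent does not specify.

```python
"""Two-channel transaction check: added illustration, not the patent's code."""
import hashlib
import hmac
import secrets
import time

TXN_TTL_SECONDS = 300   # assumption: the patent sets no expiry
MAX_ATTEMPTS = 3        # assumption: the patent sets no retry limit


class Registry:
    """Plays the role of the registry: stores codes, issues IDs, checks call-backs."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}      # user_id -> (salt, PBKDF2 hash of authentication code)
        self._pending = {}    # user_id -> [transaction_id, issued_at, attempts_left]
        self.audit_log = []   # authorization records kept for later dispute handling

    @staticmethod
    def _hash(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def register(self, user_id, auth_code):
        """Registration: the code arrives over the alternate channel (e.g. a phone keypad)."""
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._hash(auth_code, salt))

    def begin_transaction(self, user_id):
        """Main channel: issue an unpredictable transaction identification number."""
        if user_id not in self._users:
            raise KeyError("unregistered user")
        txn_id = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = [txn_id, self._clock(), MAX_ATTEMPTS]
        return txn_id

    def verify_callback(self, user_id, entered_code, entered_txn_id):
        """Alternate channel: check both numbers keyed in during the call-back."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        txn_id, issued_at, attempts_left = pending
        if self._clock() - issued_at > TXN_TTL_SECONDS or attempts_left <= 0:
            del self._pending[user_id]
            return False
        pending[2] = attempts_left - 1
        salt, stored = self._users[user_id]
        # Evaluate both comparisons in constant time before combining them, so
        # the answer does not reveal which of the two numbers was wrong.
        code_ok = hmac.compare_digest(self._hash(entered_code, salt), stored)
        txn_ok = hmac.compare_digest(entered_txn_id.encode(), txn_id.encode())
        if not (code_ok and txn_ok):
            return False
        del self._pending[user_id]   # single use: a replayed pair fails
        self.audit_log.append(
            {"user": user_id, "txn": txn_id, "time": self._clock()}
        )
        return True
```

The audit_log entries correspond to the stored authorization data (transaction number, date and time, user) that the description relies on for dispute handling.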

Claims

1. A method for authenticating an electronic commerce transaction, comprising: generating a transaction identification number upon receiving a user request for the electronic commerce transaction; contacting a user requesting the electronic commerce transaction; and prompting the user to enter an authentication code for verifying user identity.
2. The method of claim 1, further comprising: prompting the user to enter the transaction identification number.
3. The method of claim 1, further comprising: entering the authentication code, wherein the authentication code is entered via a mobile telephone.
4. The method of claim 2, further comprising: entering the transaction identification number.
5. The method of claim 3, further comprising: comparing the entered authentication code with a previously stored authentication code.
6. The method of claim 4, further comprising: comparing the user entered transaction number to the generated transaction number.
7. A method for registering a user for conducting secured on-line electronic commerce transaction, comprising: entering user profile information; contacting the user whose profile information is entered; and prompting the user to enter an authentication code.
8. The method of claim 7, further comprising: entering the authentication code, wherein the authentication code is entered via a mobile phone; and storing the authentication code with user profile information.
9. A system for authorizing and authenticating electronic commerce transaction, comprising: a registry module that registers users to conduct electronic commerce transactions; and an authentication/authorization module, that initiates a telephone to verify user identity.
10. The system of claim 9, wherein the authorization/authentication module includes a database for strong user identity data.
11. The system of claim 10, wherein the authorization/authentication module includes a voice response system that provides a menu of options to users to enter user specific authentication code.
12. The method of Claim 3, wherein the authentication code is entered via a land phone.
13. The method of Claim 3, wherein the authentication code is entered via a two-way pager.
14. The method of Claim 1, wherein the user is contacted via a cell phone.
15. The method of Claim 1, wherein the user is contacted by a land phone.
16. The method of Claim 1, wherein the user is contacted via a two way pager.
17. The method of Claim 7, wherein the user is contacted via a cell phone.
18. The method of Claim 7, wherein the user is contacted by a land phone.
19. The method of Claim 7, wherein the user is contacted via a two way pager.
20. The method of Claim 8, wherein the authentication code is entered via a land phone.
21. The method of Claim 8, wherein the authentication code is entered via a two-way pager.
22. The method of Claim 8, wherein the authentication code is entered via a smart card.
23. The method of Claim 3, wherein the authentication code is entered via a smart card.
APPENDIX "A"
AUTHENTICATION PROCESS FOR HOMETRADE.COM (A WEBSITE FOR E-COMMERCE TRANSACTIONS)
TREE VIEW
Files
1. www.espacetech.com
   www.hometrade.htm
   displayrandom.jsp
   hometrade.jsp
   MerLogin.java (oyenok.mer.MerLogin)
   MerLogin.class
I) HTML FILES
No. Name Description (online) Where to be found
1. www.espacetech.com http://www.espacetech.com online
2. www.hometrade.com http://203.197.138.75/hometrade.htm
II) GIF and JPEG
No. Name. Where to be found online
Figure imgf000033_0001
displayrandom.jsp
Figure imgf000034_0001
<script language="JavaScript">
function timer() {
    setTimeout("window.status='Closing in 10 seconds'", 1000);
    setTimeout("window.status='Closing in 9 seconds'", 2000);
    setTimeout("window.status='Closing in 8 seconds'", 3000);
    setTimeout("window.status='Closing in 7 seconds'", 4000);
    setTimeout("window.status='Closing in 6 seconds'", 5000);
    setTimeout("window.status='Closing in 5 seconds'", 6000);
    setTimeout("window.status='Closing in 4 seconds'", 7000);
    setTimeout("window.status='Closing in 3 seconds'", 8000);
    setTimeout("window.status='Closing in 2 seconds'", 9000);
    setTimeout("window.status='Closing in 1 seconds'", 10000);
    setTimeout("this.close()", 11000);
}
</script>
</head>
<body onLoad="timer()">
<center>
<font face="Arial">Your Transaction ID is <B><%=request.getParameter("randomval")%></B></font>
</center>
</body>
</html>
hometrade.jsp
<html>
<head>
<title>OyeNo Auth. V</title>
</head>
<jsp:useBean id="user" scope="page" class="oyenok.mer.MerLogin">
<jsp:setProperty name="user" property="*" />
<% if (!user.callUser()) { %>
<body>
Not a Registered User
<% } else { %>
<body onLoad="location.href='http://www.hometrade.com/default.asp?M27PlU=HomePage&ISPATCHER=HTS_HPG_004'">
<center> You are successfully authorized, you will be taken to hometrade.com </center>
<% } %>
</jsp:useBean>
</body>
</html>
MerLogin.java
package oyenok.mer;
import java.sql.*;
public class MerLogin {
    String name;
    String password;
    String random;
    public String getName() {
        return name;
    }
    public void setName(String name) {
        this.name = name;
    }
    public void setPassword(String password) {
        this.password = password;
    }
    public void setRandom(String random) {
        this.random = random;
    }
    public boolean callUser() {
        try {
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            Connection con = DriverManager.getConnection("jdbc:odbc:oyenokDSN", "sa", "");
            Statement st = con.createStatement();
            String query = "SELECT creditno from USER_DETAILS WHERE userid='" + name + "'";
            ResultSet rs = st.executeQuery(query);
            rs.next();
            String ccID = rs.getString(1);
            oyenok.authenticate.AuthTest obj = new oyenok.authenticate.AuthTest();
            obj.setRandom(ccID, random, "");
            return obj.authenCall(ccID);
        } catch (Exception e) {
            return false;
        }
Figure imgf000036_0001
            ResultSet rs = st.executeQuery(query);
            rs.next();
            String ccID = rs.getString(1);
            query = "UPDATE USER_DETAILS SET randomno='" + random + "' WHERE userid='" + name + "'";
            st.executeUpdate(query);
            oyenok.autnew.Class1 obj = null;
            try {
                String strArr[] = new String[1];
                strArr[0] = ccID;
                com.linar.jintegra.AuthInfo authInfo = new com.linar.jintegra.AuthInfo("Workgroup", "Administrator", "");
                obj = new oyenok.autnew.Class1("10.10.1.36", authInfo);
                return obj.callNumb(strArr);
            } catch (Exception e) {
                System.out.println(e);
                return false;
            } finally {
                com.linar.jintegra.Cleaner.release(obj);
            }
        } catch (Exception e) {
            System.out.println(e);
            return false;
        }
    }
    public static void main(String args[]) {
        System.out.println(new MerLogin().callUser());
    }
}
authentication.dll
Dim WithEvents VoiceBocx1 As VoiceBocx
Dim Flag As Boolean
Dim ivrConn As ADODB.Connection
Dim ivrRs As ADODB.Recordset
Dim temp As Integer

Private Sub Initialize()
    Set VoiceBocx1 = New VoiceBocx
    Flag = False
    VoiceBocx1.Log = LOG_Detailed
    Set chConn = CreateObject("ADODB.Connection")
    Set chRs = CreateObject("ADODB.Recordset")
    chConn.Open "sa DSN", "sa", ""
    Set VoiceBocx1 = New VoiceBocx
    ' Set the Logging level to 'Detailed'
    VoiceBocx1.Log = LOG_Detailed
    ' Assign the TrunkChannel from the command line argument (if any)
    If Len(Command) > 0 Then
        VoiceBocx1.TrunkChannel = Val(Command)
    Else
        ' The default channel is the 1st channel (number zero.)
        VoiceBocx1.TrunkChannel = 0
    End If
End Sub

Private Sub Terminate()
    Set VoiceBocx1 = Nothing
    ivrConn.Close
    Set ivrRs = Nothing
    Set ivrConn = Nothing
End Sub

Private Sub HandleOutboundCall()
    Dim random, lInput, lNumber As String
    Dim ccNo, telno, autId As String
    Dim flag1 As Boolean
    If VoiceBocx1.HangupIsRuntimeError = True Then
        ' MsgBox "Caller HungUP"
        flag1 = False
        Flag = False
    End If
    If flag1 = False Then
        ' MsgBox ("Playing Welcome Message.")
        VoiceBocx1.PlayFile ("C:\messages\welcome7.vox")
        VoiceBocx1.PlayFile ("C:\messages\transId.vox")
        lInput = VoiceBocx1.GetDigits(13, 20, 15, "#")
        Dim Length%
        Length = Len(lInput)
        Length = Length - 1
        lInput = Mid(lInput, 1, Length)
        Dim temp1
        temp1 = ivrRs.Fields(7) & ivrRs.Fields(10)
        If lInput = Val(temp1) Then
            VoiceBocx1.PlayFile ("C:\messages\thanks0.vox")
            ' MsgBox "the User is Authenticated"
            Flag = True
        Else
            MsgBox "The user is Invalid"
            VoiceBocx1.PlayFile ("C:\messages\notautherror.vox")
            Flag = False
        End If
ErrorTrap:
        ' If it is a hangup, exit normally
        If VoiceBocx1.TrunkStateName = "RemoteDisconnected" Then
            ' MsgBox ("Caller hung up.")
            Call VoiceBocx1.DisconnectCall
            Call Terminate
        End If
    End If
End Sub

Public Function DialNumb(ccNum As String) As Boolean
    Set ivrConn = CreateObject("ADODB.Connection")
    Set ivrRs = CreateObject("ADODB.Recordset")
    ivrConn.Open "chDSN", "sa", ""
    ' MsgBox "Inside Testing Again"
    Call Initialize
    sql = "Select * from user_details where creditno =" & _
          "'" & ccNum & "'"
    ivrRs.Open sql, ivrConn, adOpenDynamic, adLockOptimistic
    phoneNumber$ = ivrRs.Fields(4)
    Call VoiceBocx1.MakeCall(phoneNumber$, True)
    Select Case (VoiceBocx1.TrunkStateName)
        Case "Connected"
            If (VoiceBocx1.GlareDetected) Then
                ' MsgBox "Glare - Connected Inbound"
                Call VoiceBocx1.DisconnectCall
                Call Terminate
            End If
            ' MsgBox "Connected Outbound"
            Call HandleOutboundCall
        Case "NoConnect"
            ' MsgBox "NoConnect"
    End Select
    ivrRs.Close
    Call Terminate
    DialNumb = Flag
End Function
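Both MerLogin.callUser() and DialNumb above build their SQL statements by concatenating the user id or card number into the query text, so a value containing a quote character changes the statement itself. The following added example (Python with an in-memory SQLite table standing in for the ODBC data source; it is not the patent's code, and its rows are constructed and its function names hypothetical) runs the USER_DETAILS lookup both ways and shows the bound-parameter form treating the same value purely as data.

```python
"""Concatenated vs. bound-parameter USER_DETAILS lookup (added illustration)."""
import sqlite3

# Constructed sample rows; the card numbers are made-up test values.
SAMPLE_ROWS = [
    ("alice", "4000000000000001", None),
    ("bob", "4000000000000002", None),
    ("o'brien", "4000000000000003", None),
]


def make_db():
    """In-memory stand-in for the appendix's ODBC data source."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE USER_DETAILS ("
        "userid TEXT PRIMARY KEY, creditno TEXT, randomno TEXT)"
    )
    con.executemany("INSERT INTO USER_DETAILS VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def lookup_concatenated(con, userid):
    """Same construction as the appendix: the value becomes part of the SQL text."""
    query = "SELECT creditno FROM USER_DETAILS WHERE userid='" + userid + "'"
    row = con.execute(query).fetchone()
    return row[0] if row else None


def lookup_parameterized(con, userid):
    """The driver binds the value, so it is only ever compared as data."""
    row = con.execute(
        "SELECT creditno FROM USER_DETAILS WHERE userid = ?", (userid,)
    ).fetchone()
    # A missing row is handled explicitly instead of being read blindly.
    return row[0] if row else None


def store_random(con, userid, random_no):
    """Bound-parameter form of the UPDATE; returns how many rows were changed."""
    with con:  # commits on success, rolls back on error
        cur = con.execute(
            "UPDATE USER_DETAILS SET randomno = ? WHERE userid = ?",
            (random_no, userid),
        )
    return cur.rowcount


def compare(userid):
    """Run both lookups on a fresh database and return (concatenated, bound)."""
    con = make_db()
    try:
        concatenated = lookup_concatenated(con, userid)
    except sqlite3.OperationalError:
        concatenated = "SQL error"  # the value broke the statement's syntax
    return concatenated, lookup_parameterized(con, userid)


if __name__ == "__main__":
    for value in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

With the concatenated form, a legitimate id containing an apostrophe fails outright and an id that matches no user still returns a stored card number; the bound form returns the right row for the first and nothing for the second.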
APPENDIX "B"
AUTHENTICATION PROCESS FOR BUYBOOK.COM (A WEBSITE FOR E-COMMERCE TRANSACTIONS)
TREE VIEW
Files
1. buybook.htm
   1. displayrandom.jsp
   2. authenticate.jsp
1. Eventupdate.class / Eventupdate.java (oyenok.authenticate.Eventupdate)
I) HTML FILES
No. Name Description Where to be found
1. buybook.htm The simulated Buy Book Site \examples\oyenok\
Figure imgf000040_0001
III) JSP FILES
No. Name. Where to be placed
1. displayrandom.jsp \examples\oyenok\
2. authenticate.jsp \examples\oyenok\
IV) JAVA BEANS (Source files)
No. Name. Extension Description Where to be placed
1. Eventupdate Java \classes\oyenok\authenticate\
Figure imgf000040_0002
Buybook.htm
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>ABC Book Stall</title>
<script language="javascript"> function creditcheck()
{
}
</script>
</head>
<body>
<table width="91%" border="0" cellpadding="0" cellspacing="0" height="576">
Figure imgf000041_0001
<td width="100%" height="140" valign="top" align="left"><img border="0"
Figure imgf000041_0002
<tr> <td width="100%" height="21"></td>
Figure imgf000041_0003
<tr> <td wid
Figure imgf000041_0004
<table width="100%" border="0" cellpadding="0" cellspacing="0">
Figure imgf000041_0005
<td width="10%"></td> </tr> </table> </td> </tr>
<tr>
<td width="100%" height="33">
<table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="12%">&nbsp;</td> <td width="78%" bgcolor="#C0C0C0"> <p align="center">Library </td>
<td width="10%">&nbsp;</td> </tr> </table> </td> </tr> <tr>
<td width="100%" height="33"> <table width="101%" border="0" cellpadding="0" cellspacing="0"> <tr>
<td width="12%">&nbsp;</td> <td width="76%" bgcolor="#C0C0C0"> <p align="center">Research </td>
<td width="13%">&nbsp;</td> </tr> </table> </td> </tr> <tr>
<td width="100%" height="33"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="12%">&nbsp;</td> <td width="77%" bgcolor="#C0C0C0"> <p align="center">Online Notes </td>
<td width="11%">&nbsp;</td> </tr> </table> </td> </tr> <tr>
Figure imgf000042_0001
<tr> <td width="13%">&nbsp;</td> <td width="70%" bgcolor="#C0C0C0"> <p align="center">Security
</td>
<td width="11%"></td> </tr> </table> </td> </tr> <tr>
<td width="100%" height="33"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr>
<td width="13%">&nbsp;</td> <td width="76%" bgcolor="#C0C0C0">
<p align="center">Author's Notes </td>
<td width="11%">&nbsp;</td> </tr> </table> </td> </tr> <tr>
Figure imgf000043_0001
<tr>
<td width="100%" height="21">&nbsp;</td> </tr> <tr> <td width="100%" height="21">&nbsp;</td> </tr> <tr>
<td width="100%" height="21">&nbsp;</td> </tr> <tr>
<td width="100%" height="21"></td> </tr> <tr> <td width="100%" height="21"></td> </tr> </table> </td>
<td width="8 - ό" valign="top" align="left" height="540"> <table width="99%" border="0" cellpadding="0" cellspacing="0" height="463">
<tr>
<td width="04%" height="58" valign="baseline" align="center"><img border="0"
Figure imgf000043_0002
</tr> <tr>
Figure imgf000044_0001
<td width="247"><font face=verdana,arial,helvetica size=-1><b>Shopping Cart Items--To Buy Now</b></font></td> <td width="26">
Figure imgf000044_0002
</td>
<td width="52">&nbsp;</td> <td width="161">&nbsp;</td> </tr> <tr> <td width="24" valign="TOP">
<img alt="Icon" border="0" src="images/icon-vhs.gif" width="22" height="22"> </td>
<td bgcolor="#FFFFFF" width="247">
<a href="/exec/obidos/ASIN/B00000K02F/104-7652825-2097546"><em>Prenatal Yoga with Colette Crawford</em></a>
<br> <b>VHS</b>
<br>
Usually ships in 24 hours<BR> </td>
<td align=center bgcolor="#FFFFFF" width="26">
<input type="text" name=quantity.B00000K02F size=4 maxlength=4 value=1>
</td>
<td width="52" bgcolor="#FFFFFF"> <font size=2 face=verdana,arial,helvetica color=#000000> <NOBR><b>Our Price: <font color=#990000>$24.95</font></b></NOBR><br>
</font> </td> <td align=right width="161">
<input border="0" name="submit.move-to-save.B00000K02F" src="images/sbutton-save-for-later.gif" type="image" value="Save item" width="70" height="14"> <p>
<input align="right" border="0" name="submit.delete.B00000K02F" src="images/sbutton-delete.gif" type="image" value="Delete item" width="42" height="16">
</td> </tr> <tr> <td colspan=5 width="467"> </td>
</tr> <tr> <td width="24" valign="TOP">
<img alt="Icon" border="0" src="images/icon-books.gif" width="22" height="22"> </td>
<td bgcolor="#FFFFFF" width="247">
<a href="/exec/obidos/ASIN/0130893404/104-7652825-2097546"><em>Core Servlets and JavaServer Pages (JSP)</em></a>
<br>
Marty Hall;
<b>Paperback</b>
<br>
Usually ships in 24 hours<BR> </td>
<td align=center bgcolor="#FFFFFF" width="26"> <input type="text" name=quantity.0130893404 size=4 maxlength=4 value=1>
</td>
<td width="52" bgcolor="#FFFFFF"> <font size=2 face=verdana,arial,helvetica color=#000000>
<NOBR>List Price: <strike>$42.99</strike></NOBR><br> <NOBR><b>Our Price: <font color=#990000>$34 </font></b></NOBR><br> <NOBR>You Save: <font color=#990000>$8.60 (20%)</font></NOBR>
</font> </td>
<td align=right width="161">
Figure imgf000046_0001
</td> </tr> <tr>
<td colspan=5 width="467"> </td>
</tr> <tr> <td width="24" valign="TOP">
<img border=0 width=22 height=22 src=images/icon-vhs.gif alt=Icon> </td>
<td bgcolor="#FFFFFF" width="247">
<a href="/exec/obidos/ASIN/0783222955/104-7652825-2097546"><em>To Kill a Mockingbird</em></a>
(19o )
<br>
Gregory Peck;
<b>VHS</b>; Widescreen
<br>
Usually ships in 24 hours<BR> </td>
<td align=center bgcolor="#FFFFFF" width="26"> <input type="text" name=quantity.0783222955 size=4 maxlength=4 value=1>
</td> <td width="52" bgcolor="#FFFFFF">
<font size=2 face=verdana,arial,helvetica color=#000000>
<NOBR>List Price: <strike>$19.98</strike></NOBR><br>
<NOBR><b>Our Price: <font color=#990000>$131.99</font></b></NOBR><br>
<NOBR>You Save: <font color=#990000>$5.99 (30%)</font></NOBR> </font>
</td>
<td align=right width="161">
Figure imgf000047_0001
</td>
</tr>
<tr>
<td colspan=5 width="467"> </td>
</tr>
<tr> <td align=right colspan=2 valign=middle width="273"> If you changed any quantities, please start again. </td>
<td valign=middle width="26">
</td>
<td colspan=2 width="215">
<font face=verdana,arial,helvetica size=-1><b>Subtotal: <font color=#990000>$73.33&nbsp;&nbsp;</font></b><p>
</font>
&nbsp;
</td>
</tr> <tr> <td align=right colspan=5 valign=middle width="513">
Figure imgf000048_0001
<form name="transact" method="post" action=""> <tr>
<td width="18"><input type="radio" value="new-card" name="payment-method" checked></td> <td width="145"><select name="issuer"> <option value="V">Visa <option value="M">MasterCard <option value="A">American Express <option value=" ">Diners Club <option value="D">Discover <option value="J">JCB </select></td> <td width="221"><input type="text" size="3" name="cardP" onblur="creditcheck()"
Figure imgf000048_0002
<option value="04">04 <option value="05">05 <option value="06">06 <option value="07">07 <option value="08">08 <option value="09">09 <option value="10">10 <option value="11">11 <option value="12">12 </select><select name="cc-exp-year"> <option value="2000">2000
Figure imgf000049_0001
<tr>
<td width="18" valign="top"><input type="radio" value="check" name="payment-method"></td>
<td valign="top" colspan="4" width="658"><font face="verdana,arial,helvetica" size= ">Pay by check or money order</font>&nbsp; <font face="verdana,arial,helvetica" size="-2">(or check funds on account)</font></td> </tr> </table>
</td> </tr> </form>
</table> </td>
<td width="36%" height="442" valign="top" align="left"> &nbsp;
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="458"> <tr> <td width="5%" height="458" valign="top" align="left"> <table border="0" width="1%" bgcolor="#9A9CB4" cellspacing="0" cellpadding="0"> <tr>
<td width="100%">&nbsp;
<p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p>
<p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> </td> </tr> </table> </td>
Figure imgf000050_0001
<p>&nbsp; </td> </tr> </table> </td> </tr> <tr>
<td width="64%" height="1" valign="top" align="left">
Figure imgf000051_0001
</tr> </table> </td> </tr> <tr>
<td width="83%" valign="baseline" align="left" height="36"> <p align="center"><font face="Garamond" size=' ">Home | Library | Research | Online notes | Security | Author's notes</font></p> </td> </tr> </table>
</body>
</html>
authenticate.jsp
<html>
<body>
<jsp:useBean id="authenid" scope="page" class="oyenok.aut.AuthTest">
<% authenid.setRandom(request.getParameter("creditcardno"), request.getParameter("randomval")); %>
<% if ( authenid.authenCall(request.getParameter("creditcardno")) ) { %>
You are Successfully Authenticated
<% } else { %>
Sorry, the Authentication failed
<% } %>
</jsp:useBean>
</body>
</html>
displayrandom.jsp
<html>
<head>
<script language="JavaScript">
function timer() {
    setTimeout("window.status='Closing in 10 seconds'", 1000);
    setTimeout("window.status='Closing in 9 seconds'", 2000);
    setTimeout("window.status='Closing in 8 seconds'", 3000);
    setTimeout("window.status='Closing in 7 seconds'", 4000);
    setTimeout("window.status='Closing in 6 seconds'", 5000);
    setTimeout("window.status='Closing in 5 seconds'", 6000);
    setTimeout("window.status='Closing in 4 seconds'", 7000);
    setTimeout("window.status='Closing in 3 seconds'", 8000);
    setTimeout("window.status='Closing in 2 seconds'", 9000);
    setTimeout("window.status='Closing in 1 seconds'", 10000);
    setTimeout("this.close()", 11000);
}
</script>
</head>
<body onLoad="timer()">
<center>
Your Transaction ID is <%=request.getParameter("randomval")%>
</center>
</body>
</html>
Eventupdate.java
package oyenok.authenticate;
import java.io.*;
import java.util.*;
import java.sql.*;
public class Eventupdate {
    String eventid, event, process, userid, time, status, servertime;
    public Eventupdate() { }
    public void setEventid(String eventid) {
        this.eventid = eventid;
    }
    public void setEvent(String event) {
        this.event = event;
    }
    public void setProcess(String process) {
        this.process = process;
    }
    public void setUserid(String userid) {
        this.userid = userid;
    }
    public void setTime(String time) {
        this.time = time;
    }
    public void setStatus(String status) {
        this.status = status;
    }
    public void setServertime(String servertime) {
        this.servertime = servertime;
    }
    public boolean setEvents() {
        try {
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            Connection con = DriverManager.getConnection("jdbc:odbc:OyenokDSN", "sa", "");
            Statement st = con.createStatement();
Figure imgf000053_0001
ervertime+ ";
            st.executeUpdate(query);
        } catch (Exception e) { System.out.println(e); }
        return true;
    }
    public static void main(String s[]) {
        Eventupdate objeventupdate = new Eventupdate();
        try {
            objeventupdate.setEventec'eveiiOV
            1 " "l'V12 99"V
        } catch (Exception e) { System.out.println(e); }
    } */
}
//String eventid, String event, String process, String userid, String time, String status,
//String servertime
authentication.dll
Dim WithEvents VoiceBocx1 As VoiceBocx
Dim Flag As Boolean
Dim ivrConn As ADODB.Connection
Dim ivrRs As ADODB.Recordset
Dim temp As Integer

Private Sub Initialize()
    Set VoiceBocx1 = New VoiceBocx
    Flag = False
    VoiceBocx1.Log = LOG_Detailed
    Set chConn = CreateObject("ADODB.Connection")
    Set chRs = CreateObject("ADODB.Recordset")
    chConn.Open "samDSN", "sa", ""
    Set VoiceBocx1 = New VoiceBocx
    ' Set the Logging level to 'Detailed'
    VoiceBocx1.Log = LOG_Detailed
    ' Assign the TrunkChannel from the command line argument (if any)
    If Len(Command) > 0 Then
        VoiceBocx1.TrunkChannel = Val(Command)
    Else
        ' The default channel is the 1st channel (number zero.)
        VoiceBocx1.TrunkChannel = 0
    End If
End Sub

Private Sub Terminate()
    Set VoiceBocx1 = Nothing
    ivrConn.Close
    Set ivrRs = Nothing
    Set ivrConn = Nothing
End Sub

Private Sub HandleOutboundCall()
    Dim random, lInput, lNumber As String
    Dim ccNo, telno, autId As String
    Dim flag1 As Boolean
    If VoiceBocx1.HangupIsRuntimeError = True Then
        ' MsgBox "Caller HungUP"
        flag1 = False
Figure imgf000055_0001
        Dim Length
        Length = Len(lInput)
        Length = Length - 1
        lInput = Mid(lInput, 1, Length)
        Dim temp1
        temp1 = ivrRs.Fields(7) & ivrRs.Fields(10)
Figure imgf000055_0002
            MsgBox "The user is Invalid"
            VoiceBocx1.PlayFile ("C:\messages\notautherror.vox")
            Flag = False
        End If
ErrorTrap:
        ' If it is a hangup, exit normally
        If VoiceBocx1.TrunkStateName =
Figure imgf000055_0003
            ' MsgBox ("Caller hung up.")
            Call VoiceBocx1.DisconnectCall
            Call Terminate
        End If
    End If
End Sub

Public Function DialNumb(ccNum As String) As Boolean
    Set ivrConn = CreateObject("ADODB.Connection")
    Set ivrRs = CreateObject("ADODB.Recordset")
    ivrConn.Open "chDSN", "sa", ""
    ' MsgBox "Inside Testing Again"
    Call Initialize
    sql = "Select * from user_details where creditno =" & _
          "'" & ccNum & "'"
    ivrRs.Open sql, ivrConn, adOpenDynamic, adLockOptimistic
    phoneNumber$ = ivrRs.Fields(4)
    Call VoiceBocx1.MakeCall(phoneNumber$, True)
    Select Case (VoiceBocx1.TrunkStateName)
        Case "Connected"
            If (VoiceBocx1.GlareDetected) Then
                ' MsgBox "Glare - Connected Inbound"
                Call VoiceBocx1.DisconnectCall
                Call Terminate
            End If
            ' MsgBox "Connected Outbound"
            Call HandleOutboundCall
        Case "NoConnect"
            ' MsgBox "NoConnect"
    End Select
    ivrRs.Close
    Call Terminate
    DialNumb = Flag
End Function
PCT/IN2001/000102 2000-08-29 2001-05-21 Method and system for authenticating e-commerce transaction WO2002019614A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001276651A AU2001276651A1 (en) 2000-08-29 2001-05-21 Method and system for authenticating e-commerce transaction

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US65043300A 2000-08-29 2000-08-29
US09/650,433 2000-08-29

Publications (1)

Publication Number Publication Date
WO2002019614A1 true WO2002019614A1 (en) 2002-03-07

Family

ID=24608887

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2001/000102 WO2002019614A1 (en) 2000-08-29 2001-05-21 Method and system for authenticating e-commerce transaction

Country Status (2)

Country Link
AU (1) AU2001276651A1 (en)
WO (1) WO2002019614A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003085931A1 (en) * 2002-04-04 2003-10-16 Wallaware,Inc. Secure communication of sensitive data in a wireless telephone system
EP1515510A2 (en) * 2003-09-09 2005-03-16 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1547299A1 (en) * 2002-09-17 2005-06-29 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP3888302A4 (en) * 2019-03-18 2022-12-07 Qrypted Technology Pte Ltd Method and system for a secure transaction

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5903721A (en) * 1997-03-13 1999-05-11 cha|Technologies Services, Inc. Method and system for secure online transaction processing
EP1026644A1 (en) * 1997-08-20 2000-08-09 Appage Corporation Method and apparatus for performing electronic transactions

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003085931A1 (en) * 2002-04-04 2003-10-16 Wallaware,Inc. Secure communication of sensitive data in a wireless telephone system
EP1547299A1 (en) * 2002-09-17 2005-06-29 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1547299A4 (en) * 2002-09-17 2011-01-26 Broadcom Corp Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
US8942375B2 (en) 2002-09-17 2015-01-27 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1515510A2 (en) * 2003-09-09 2005-03-16 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP1515510A3 (en) * 2003-09-09 2008-01-16 Broadcom Corporation Method and system for providing multiple encryption in a multi-band multi-protocol hybrid wired/wireless network
EP3888302A4 (en) * 2019-03-18 2022-12-07 Qrypted Technology Pte Ltd Method and system for a secure transaction

Also Published As

Publication number Publication date
AU2001276651A1 (en) 2002-03-13

Similar Documents

Publication Publication Date Title
US20180114206A1 (en) Methods and apparatus for conducting electronic transactions
JP5439322B2 (en) Method and apparatus for conducting electronic transactions
US7337229B2 (en) Method and apparatus for authorizing internet transactions using the public land mobile network (PLMN)
JP5719871B2 (en) Method and apparatus for preventing phishing attacks
RU2252451C2 (en) Method for performing transactions, computerized method for network server protection, transaction system, electronic wallet server, computerized online shopping method (variants) and computerized access control method
US20030093539A1 (en) Message generation
US20060282678A1 (en) System and method for using a secure storage device to provide login credentials to a remote service over a network
EA001825B1 (en) Method and system for secure online transaction processing
JP2001325469A (en) System and method for relating device for securing electronic commercial transaction
JP4758575B2 (en) User authentication method and user authentication system
WO2002019614A1 (en) Method and system for authenticating e-commerce transaction
JP3689071B2 (en) Recipient authentication method for bank transfer
AU2004231226B2 (en) Methods and apparatus for conducting electronic transactions
JP2002230455A (en) System and method for electronic settlement processing

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP