DE10162084A1 - Preventing unauthorized use of secret such as PIN or PAN in online transactions by refusing settlement of transaction if there is one or repeated differences in hardware-specific data sent to server - Google Patents

Abstract

The PC of a supposed first party establishes a connection to a server of a control authority via a protected channel, whenever the secret is used. At the server hardware-specific data from the PC are used to derive a check value. The check value is compared with a value of a first or early check value stored on the server. If there is one or repeated differences in the hardware-specific data, the settlement of the transaction is refused.

Description

The invention relates to a method for largely preventing one repeated misuse of a secret, such as a PIN, a PAN or the like, which is used to carry out completely electronic (online) processed legal transactions is used. The invention relates preferably on legal transactions of the type mentioned, which are carried out on the Internet become.

Nowadays legal transactions are common, especially on the Internet completely electronically. Basically, this concerns legal transactions of any kind, but relates in particular to the sale of goods or Services. Examples of this are the purchase of pieces of music or films in the form of Streaming audio or video through an online payment system and Use of a PIN or PAN. Even if the following representations are in the However, it is essentially related to electronic sales processes Invention not limited to this, but also in connection with others, in comparable way, ie using a secret Legal transactions applicable.

When it comes to the electronic processing of legal transactions via the Internet, there are mostly three parties involved in the execution of the legal transaction. This is the customer who has an online connection to purchase, For example, a commodity that builds up over the internet to the merchant who builds the commodity its electronic systems - for example in the form of those to be downloaded there Files - and a mediation and control body, which for example, maintains a payment system and with regard to payment transactions in the Acts as a mediator. When purchasing the goods, the customer must use a previously provided to him by the intermediary and control body Secret, usually a PIN or PAN, to the payment system identify. The intermediary and supervisory authority will specify the one specified PiK or PAN on their authenticity and one under this secret for the customer managed account to cover the purchase of the desired goods checked.

As a result of this check, the dealer or his electronic system receives a message as to whether it is a valid PIN or PAN and whether that Account has the necessary credit to purchase the goods. That from the customer the trader himself will not be informed of the secret used. This receives rather, only in the form of the information mentioned, an indication of whether he is the may or may not conclude the desired legal transaction. Especially on the Internet Tracing any misuse of customer confidentiality often very difficult. This is partly due to the fact that Mechanisms are known, the IP address through which contact with such Sales system was made to disguise. It is also special for criminals on the Internet very easily, with improper use of a PiK or PAN within to carry out a large number of legal transactions in the shortest possible time and thus to the customer, whose secret has been spied upon to inflict considerable damage. Just think in this case, for example, to the misuse of access data for Online services.

The object of the invention is therefore to provide a method by means of which misuse of a secret, such as a PIN, PAN or the like, at least largely prevented to carry out electronic legal transactions can be. In particular, repeated misuse, if not completely excluded, but at least be made significantly more difficult.

The object is achieved by a method which is defined by the main claim or the claim 7 is characterized. Advantageous training and development of the The inventive method are given by the subclaims.

The basic described by the independent claims Process variants, the consideration is common, before processing a legal transaction from the electronic system used for this (preferably and therefore also hereinafter mostly PC, but also including laptops, handhelds, PDAs or similar) via one, preferably protected, an (additional) connection to the server of the channel Establish mediation and control authority and based on one on the server or a control value stored on the PC and a secret value corresponding to a secret misuse of the secret that has just occurred or has occurred previously determine and in such a case the execution of the legal transaction refuse and preferably store information on the server which enable later traceability. Regardless of its specific design The procedure always refers to legal transactions that are online, mainly via the Internet, and where the respective legal transaction, preferably a purchase contract, in a manner known per se, between a first one Contracting party (secret user), preferably a buyer or customer, and a second party, preferably a seller or a dealer, under Use of an intermediary and control body, preferably one Payment system operator, secret issued, the legitimation of the first contracting party to Completion of legal transaction supporting information (secret) completed becomes. This is done in a well-known manner before the completion of each Legal transaction from a server of the mediation and control authority to that of the second contracting party to carry out the legal transactions System (service server) information about the at least apparently existing or non-existent legitimation of the first contracting party and via the Admissibility or inadmissibility of the legal transaction transmitted. So far that electronic legal transaction relates to the purchase of a good or service the question of admissibility, for example, on the review of coverage in a Correspondence to the respective secret for a customer's credit account. The wording chosen in the claims "for extensive prevention" is intended just to express that of course also when using the here presented procedure does not completely misuse a secret can be excluded. On the contrary, it is the case that at all first-time use of a secret generally does not immediately result in abuse can be determined and prevented. The process prevents repeated Abuse and in this respect at least limits the damage. It also offers according to advantageous embodiments, the possibility of tracking a if applicable (and based on the reviews carried out in accordance with the procedure to support effectively any suspected abuse at first. How already emphasized, comes the one stored corresponding to a secret Control value is of central importance, with its storage and review using the connection between the server of the intermediary and Supervisory authority and the PC a first to use a secret (supposedly lawful) Contracting party (buyer), depending on the process variant happens in different ways or takes place under different aspects. Based on this, two differentiated basic process variants.

According to the first variant, each time the secret is used, it is included electronic system (PC) used to carry out the legal transaction supposed first contracting party, preferably via a protected channel, a Connection (for example an https connection) to the server of the switching and Supervisory body established. Hardware-specific data from the PC's derived a control value according to a certain algorithm. This Control value is matched with at least one corresponding one, at first or earlier Use of the secret derived and related (corresponding) to Secret value compared to the control value stored on the server. If there is one resulting from changes in hardware-specific data, one-time or Repeatedly different types of deviation will be the conclusion of the Legal transaction denied. According to a preferred embodiment of this The hardware-specific features of one on the PC of the current contracting party and for this purpose, preferably by means of a corresponding plug-ins extended browser in the form of an, optionally anonymous, unique identification feature transmitted.

Now it would be less practical to have a customer participate in one To impede the implementation of the online payment system provided by that the conclusion of a legal transaction for a minor Changing the hardware he uses would be made impossible just because of this Change leads to changed hardware-specific data. Hence the procedure preferably designed so that the evaluation of changed from hardware-specific data resulting deviations of the compared control values under Heuristic methods are used. The use of heuristic methods must however, do not relate exclusively to the evaluation of the comparison, but is also possible when deriving the control value itself, d. H. the control value can even after the kind of fuzzy logic as fuzzy, within a certain Band moving value can be set.

For example, it is conceivable to combine different hardware components To weight PC systems differently with regard to a possible change, For example, the processor that represents the "heart" of the PC system is a higher one Assign weight as the motherboard or the RAM and the Motherboard in turn to give a higher weight than the graphics card, etc. It is also in the sense of the invention, if a denial of the legal transaction - like in principle already expressed above - not necessarily for everyone found Deviation occurs. After all, it is conceivable that the customer to do his Legal transactions, for example, between two different hardware platforms (desktop and laptop or business and private PC). So far one sees special design of the procedure that the legal transaction only in repeated lie outside of a predefinable bandwidth in different ways Discrepancies is denied, while otherwise in a determined, but in each case same deviation of the control value from the original stored control value the latter replaced by the new one, or the new current one Control value is also stored in the system. In the latter case, a later use of the secret of course also the additional stored control value can be used for the check. According to one Further development of this process variant are in the determination of a inadmissible deviation of the compared control values on the server of the Mediation and control instance information saved, which later a Tracing the suspected misuse of the secret allow.

The second variant of the method according to the invention is based on the use of so-called Cookies off. The procedure is as follows. Every time you use the As in the first variant of the method, secrecy is changed from one to another Execution of the legal transaction used the supposed customer's PC, again preferably via a protected channel, a connection to the server of the Mediation and control body established. On the server, the from the Customer given secret derived a control value. This control value is in the form of a cookie on the PC which is supposed to be (supposedly because it is too At this point it is not yet clear whether it is to carry out a legal transaction comes or whether it is an authorized person) first contracting party stored, the storage of such a cookie always or however at least always occurs if the control value in question is not already containing cookie was previously saved on the PC. At the same time be under Use of the established connection on the PC, if any, already saved Cookies accessed and checked whether the control values contained therein in a on the Servers of the mediation and control authority held negative list are included. is if this is the case, the intended legal transaction is refused. The negative list will created due to abuses reported by the legitimate users of the secrets and supplemented by these users using their respective abuse Report the secret and the one derived or with the secret in each case corresponding control value is included in the negative list.

As already stated, the control value is preferably the secret itself derived. The control value can, for example, also be one trade consecutive serial number. However, every control value is clearly a secret assigned, whereas - as will be explained later - quite a secret several control values can be assigned. It should be emphasized that there is none Participants (except, if desired, the mediation and control body) it is possible to deduce the secret from the control value since the corresponding Linking in a way that is not transparent to those involved electronic system of the intermediary and control body takes place.

According to a further development of those based on the use of cookies In the case of refusal of the legal transaction, i.e. one suspected abuse, information on the origin of the cookie on the server of the Mediation and control instance saved, which may be a later one Tracing any misuse of the secret enable. A further embodiment of this method serves to prevent that Potential fraudsters undermine its effectiveness by regularly using all cookies delete on the PC used for this purpose, this configuration also being effective comes when on the PC of a buyer in connection with the implementation of the Procedure no cookies have yet been saved - for example, because it is the first time would like to carry out the corresponding legal transaction. The (supposedly authorized) Buyers prior to approving the legal transaction to take further action its identification, preferably to fill out an electronic form asked to use the information in this case if necessary Being able to track abuse later. According to a practical one In addition to the control values in the cookies on the PC, a further development of the method is one supposedly first contracting party also of the currently used secret assigned control value compared with the negative list.

As already mentioned, depending on the specific process design, can be a secret several control values can also be assigned. So it is conceivable for a starting credit certain size a maximum possible number of transactions with one set the minimum amount per transaction and for each of these transactions to determine a new control value. It is even possible to use the algorithm for Example by parameterizing each time a control value is derived change or basically use a completely different algorithm. in the in the latter case, for example, there could be an agreement with the first Transaction to use the algorithm "a", in the second the algorithm "b", in the third "c" u. s. w. In any case, the control value is determined using the Secret or derived from it itself. In the event of abuse, the If possible, specify the injured customer in addition to the secret, according to which transaction he has executed in an admissible manner in accordance with his Findings of abuse (he may be able to do so based on him See balance information). Of course you have to go to the Negative list several, based on the information received from the customer again derived control values are included, namely the one with the abuse presumably related and all control values following it. Even if according to such a procedural regime, the communication effort in the event of abuse is higher than if only one control value is uniquely assigned to each secret this possibility can also be encompassed by the invention.

The derivation of the control value or values from the secret can be carried out accordingly possible process design happen by a control value from the Encryption of the key received is used. Another It is possible to use a hash function, by means of which the Secret a hash value serving as a control value is generated.

According to a particularly advantageous embodiment of the use of The process variant based on cookies will be done on the customer's PC stored cookie by a cryptographic checksum or a message Authentication code (NLAC) secured against manipulation.

Even if the method according to the invention is primarily based on the extensive It could prevent misuse of secrets nevertheless, as already mentioned above, be useful in the case of one support the attempted traceability. According to A further development of the method according to the invention therefore provides for a unique address of the with the server of the mediation and control authority in Connected PCs, usually their IP address, in the case of an accepted one Abuse possibly in connection with another comprehensive data Save the log on the server.

Without reference to a drawing, the invention according to the invention is intended at this point The method will be explained again by way of example.

First of all, it should be noted that both process variants are normally (from the Exception: under certain conditions, an additional run Identification routine apart) run unnoticed by the buyer. According to the In the first variant, the process is structured as follows, for example.

The customer establishes an IP connection to a service server using his PC a dealer who, for example, charges audio streams for Offers download over the Internet. The customer searches in the usual way, guided by Menus on the relevant website of the provider, one or more music tracks which he would like to purchase. These become a virtual shopping basket assigned. At the end of the transaction, the customer is asked to enter a PIN asked under which a previously acquired credit is managed in an account becomes. At the same time, there is no protection of the customer via a protected channel (e.g. an https connection) a connection to the server of the Payment system operator set up. Certain are made via this connection Hardware data of the customer's PC transferred to the server of the operator and control instance. The transmission of this data as well as the structure of the data protected channel-guided connection, for example, by a plug-in on the Client PC running browser initiated. But it is also conceivable that only the Connection is established by this plug-in while querying the hardware data by means of a Java script, an Active-X control or the like from the server of Mediation and control body is initiated. Regardless, eventually by a corresponding routine running on the server according to a specified one Algorithm determines a control value from the hardware-specific data. The control value comes with one when using the secret earlier in the same way determined and stored in correspondence to the secret (PIN) on the server Control value compared. In the event of exceeding one considered admissible Deviation, the system assumes that the secret is not of this authorized user is used. In this case, the legal transaction is refused. The circumstances under which the legal transaction is refused by the server determined by the algorithm used on this system. It is advantageous the system is tolerant in a certain range. That means, for example, that a minor change to the hardware made on the customer PC immediately leads to the refusal of the legal transaction. Rather, through use heuristic methods achieved that such minor changes are tolerated. The mechanisms of such heuristic systems are known to the person skilled in the art and are not Subject of this application. In addition to the tolerant behavior of the Systems can also be provided that the use of another PC with other hardware parameters is considered permissible. So it is conceivable that Refuse legal transaction only when it is determined that the secret is up constantly changing hardware platforms is used. In this way, the Example to be avoided by an unauthorized third party who kept the secret has spied this out using PCs in so-called internet cafes (what if the abuse was found it would make it almost impossible to investigate) starts. If the server of the intermediary and control authority has a match the characteristic values or a deviation lying within the permissible range, that runs Legal transaction in the usual way. That means it is only checked whether this is for the Customers with a PN account have the cover necessary to purchase the goods and in the positive case executed the legal transaction. With a first time Use of the secret is, for example, the one used Hardware configuration either generally accepted (in this context, of course, a Abuse cannot be ruled out) or the customer needs to do so in an appropriate manner undergo a further unique identification procedure.

As already explained, the second method variant uses so-called cookies. The procedure here is as follows, for example. The customer builds like the one before explained variant a connection, generally an IP connection, to the server of the dealer. In an analogous manner, the latest at the moment of intend to enter into a legal transaction via a protected channel to the server of the mediation and control authority. The customer becomes Conclusion of the legal transaction, as usual, prompted for a secret. Through the server of the intermediary and control authority, this is from the customer used secret, preferably derived from this control value assigned and using the connection established via the protected channel stored on the customer's PC. Preferably, the cookie file on the Customer PC secured by cryptographic mechanisms. At the same time, is initiated by the server of the intermediary and control authority, on this PC after earlier stored cookies searched, which contain control values. These control values will thereupon checked whether they are in a held on the server, due to reported Abuses created and constantly completed negative list are included. Is this not the case, the legal transaction (as far as the other conditions - e.g. cover of the account managed under the secret - are fulfilled). Otherwise it will denied the legal transaction. In addition, the IP address under which the Connection to the server was established in a suitable way on the server saved. This and any other, for example in the manner of a Information saved in the log can be used for later tracking of the Abuse the relevant authorities to support the investigation be communicated.

If a customer uses the system for the first time and therefore does not yet have cookies on his PC are saved or he previously deleted cookies previously stored, will be saved before Go through an additional security routine for approval of a legal transaction. in this connection the customer will, for example to confirm his legitimation again Completion of an online form requested.

Claims (15)

1. Procedure for the extensive prevention of the misuse of a Secret, such as a PIN, a PAN or the like, for performing completely electronically (online), preferably processed via the Internet Legal transactions in which the respective legal transaction, preferably a Purchase contract, between a first contracting party (secret user), preferably a buyer or customer, and a second contracting party, preferably one Seller or dealer, using an intermediary and control body, preferably a payment system operator, secret issued, the legitimation of the first contracting party to conclude the legal transaction Information (secret) takes place and before the legal transaction is concluded by one Server of the mediation and control authority to the legal transaction executing service server of the second party information about the existing or non-existent legitimation of the first contracting party and the independent legal admissibility or inadmissible are transmitted, each time the secret is used by the user Implementation of the legal transaction used electronic system (preferably and also PC) of a supposed first contracting party, preferably over a protected channel, a connection to the server of the mediation and Control authority set up, there from hardware-specific data of the PC Control value derived, this with at least one corresponding, at the first time or an earlier use of the secret and in Relation to the secret control value stored on the server compared as well if there is a result of changes in the hardware-specific data one-off or repeated different types of deviation the completion of the Legal transaction is denied. 2. The method according to claim 1, characterized in that the transmission hardware-specific data by a running on the PC of the first contracting party and for this purpose, preferably by means of an appropriate plug-in extended browser in the form of an, optionally anonymous, unique Identification feature takes place. 3. The method according to claim 1 or 2, characterized in that the evaluation of Deviations of the. resulting from changed hardware-specific data Control value against the original with reference to a secret stored control value using heuristic methods. 4. The method according to claim 1 or 2, characterized in that the derivation of the Control value even using heuristic methods. 5. The method according to claim 3 or 4, characterized in that the legal transaction in the case of one repeated in different ways outside of a predefinable one Bandwidth deviation is denied, while in the case of a versus the repeated first use of the secret found same deviation the original control value is replaced by a new one or another additional control value related to the secret is saved becomes. 6. The method according to claim 1 or 2, characterized in that in the case of an as Inadmissibly recognized deviation of the compared control values and a so far suspected misuse of a secret information about the for the Establishment of the connection from the supposedly first contracting party PC the server of the intermediary and control authority are saved with which if necessary, a later tracing of those that have possibly been misused Use is possible. 7. Procedure for the extensive prevention of the misuse of a Secret, such as a PIN, a PAN or the like, for performing completely electronically (online), preferably processed via the Internet Legal transactions in which the respective legal transaction, preferably a Purchase contract, between a first contracting party (secret user), preferably a buyer or customer, and a second contracting party, preferably one Seller or dealer, using an intermediary and control body, preferably a payment system operator, secret issued, the legitimation of the first contracting party to conclude the legal transaction Information (secret) takes place and before the legal transaction is concluded by one Server of the mediation and control authority to the legal transaction executing service server of the second party information about the existing or non-existent legitimation of the first contracting party and the independent legal admissibility or inadmissible are transmitted, each time the secret is used by the user Implementation of the legal transaction used electronic system (preferably and also PC) of a supposed first contracting party, preferably over a protected channel, a connection to the server of the mediation and Control body established, there the secret preferably from this derived control value and assigned this control value, at least if this is not for the same control value in a previous connection has already happened, in the form of a cookie on the PC, the supposedly first Contracting party is stored as well as cookies already stored on this PC accessed and the control value contained in them checked accordingly whether he is in a server on the server of the mediation and control authority, in each case in the event of reporting an abuse by one with the abusive used secret linked control value supplemented negative list is included, so that if the comparison is affirmative, the conclusion of the legal transaction is denied. 8. The method according to claim 7, characterized in that in the case of refusal of the legal transaction due to suspected abuse, information on the origin the cookie on the server of the intermediary and control authority , which may require later tracing of an abusive Allow use of a secret. 9. The method according to claim 7 or 8, characterized in that the supposed first contracting party before approval of the legal transaction for execution further actions to identify them, preferably to complete a electronic form is requested, provided on the by you for the Legal transaction used PC no cookie has been saved or possibly previously saved cookies have been deleted. 10. The method according to claim 7 or 8, characterized in that the secret a new control value is assigned to each legal transaction, so that one Several control values are assigned to the secret, preferably the server the mediating and supervisory authority in the event of abuse by the first Contracting party is to be notified in addition to the secret at which how many legal transactions the abuse occurred. 11. The method according to claim 7 or 8, characterized in that in addition to the Control values in the cookies on the PC of the supposedly first contracting party also the control value assigned to the currently used secret with the Negative list is compared. 12. The method according to claim 7 or 8, characterized in that as a control value a, by means of a running on the server of the mediation and control instance Encryption method, key derived from the secret used becomes. 13. The method according to claim 7 or 8, characterized in that as a control value a, through the use of a hash function on the server of the intermediary and Control authority, calculated hash value is used. 14. The method according to claim 7 or 8, characterized in that the on the PC a first contract party deposited cookies by a cryptographic Checksum or a message authentication code (MAC) against manipulation be secured. 15. The method according to any one of claims 6 or 8, characterized in that in the case an abusive ascertained or suspected based on the control value Use of a secret for later tracing on the server of the Mediation and control authority a unique address, preferably the IP address of the one connected to the server via the protected channel PCs, possibly in connection with a further comprehensive data Protocol that is saved.