DE102011013424A1 - Method for secure authorization of transactions by user opposite to transaction partner by device, involves requesting authorized transaction with transaction partner - Google Patents
- Publication number
- DE102011013424A1
- Authority
- DE
- Germany
- Prior art keywords
- transaction
- user
- partner
- display
- transaction partner
- Prior art date
- Legal status
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
  - G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    - G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
      - G06Q20/322—Aspects of commerce using mobile devices [M-devices]
        - G06Q20/3227—Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
  - G06Q20/38—Payment protocols; Details thereof
    - G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
      - G06Q20/3823—Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    - G06Q20/385—Payment protocols; Details thereof using an alias or single-use codes
    - G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
      - G06Q20/401—Transaction verification
    - G06Q20/42—Confirmation, e.g. check or permission by the legal debtor of payment
      - G06Q20/425—Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
Description
In today's modern, networked world, transactions with business partners or banks are preferably handled online. It is generally customary to use TAN (transaction number) procedures and, where appropriate, digital signature procedures.
A large number of different input devices and operating systems should be usable for this purpose. The essential task and challenge is to guarantee the security and authenticity of the transactions. In general, the communication channels used (Internet, mobile or wired networks) cannot be classified as trustworthy. In particular, the end devices (for example laptop, PC, mobile phone) may be compromised by viruses or malware (e.g. Trojans). Passwords can also potentially be stolen through phishing attacks, keyloggers or other methods.
In addition, a system in use must be compatible with, for example, the procedures and standards customary at banks, in order to facilitate the area-wide introduction of a new system.
Prior art
A key problem with transactions is guaranteeing that the transaction shown to the user by a device, which the user believes they are authorizing, is actually the transaction released to a transaction partner (for example a bank) for authorization. This can be ensured, for example as in [1], by a mobile device with an integrated display, where the display shows only information encrypted by the communication partner and offers no way to install malware or viruses. The prior art described in [1] reduces the attackability of a mobile transaction system through a series of measures and ensures that the displayed information matches the information actually authorized. For simplified integration into systems and processes customary at banks, however, combining it with further features and procedural sequences is also useful; these are disclosed in the present invention.
Description of the invention
In the present invention, comparably to [1], as in
The transaction partner (
For an additional increase in security and simplified integration into currently customary systems, the combination according to the invention of the hardware arrangement described above with a system based on transaction numbers (TAN) is described below. The TAN procedure is already in use in various forms. A TAN represents an authorization code that is valid only once and is used for a transaction or its release. Variants include the TAN delivered to the user on a mobile device (mTAN). TAN/iTAN lists handed to the user are also common, although these have recently fallen out of use because of security problems.
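The two paragraphs above state the security property this patent family is about: the code the user releases must be bound to the transaction the bank actually holds and to what the trusted display showed, and it must be usable only once. The following Python model, added here as an example and not code from the patent or its applicant, makes that property concrete. It assumes (none of this is specified on the page) that the bank and the user's display device share a symmetric key, that the TAN is a truncated HMAC over a fresh nonce plus the canonical transaction fields, and that all channels are simulated in-process; the encrypted-display mechanism of [1] is abstracted into the device receiving the bank's copy of the transaction directly. The transactions are constructed sample values.

```python
"""Transaction-bound, single-use TAN model (added example; assumptions noted in comments)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TAN_DIGITS = 6


@dataclass(frozen=True)
class Transaction:
    recipient_iban: str
    amount_cents: int
    reference: str

    def canonical(self) -> bytes:
        # Fixed field order and a separator the fields cannot contain, so bank and
        # device MAC exactly the same bytes.
        return f"{self.recipient_iban}\x1f{self.amount_cents}\x1f{self.reference}".encode()


def derive_tan(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """TAN = truncated HMAC over (nonce || transaction). Assumed construction: any change
    to a field, or reuse against another challenge, yields a different expected code."""
    mac = hmac.new(key, nonce + tx.canonical(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


class TrustedDevice:
    """The separate device with its own display: it shows the transaction exactly as the
    bank received it and derives a TAN only for what it displayed."""

    def __init__(self, key: bytes):
        self._key = key

    def display_and_confirm(self, tx: Transaction, nonce: bytes,
                            intended: Transaction) -> Optional[str]:
        # 'intended' stands in for the user reading the display and comparing it with
        # what they meant to send; a mismatch means the PC altered the order in transit.
        if tx != intended:
            return None
        return derive_tan(self._key, tx, nonce)


class Bank:
    """The transaction partner: every challenge is bound to the transaction it actually
    holds, and each challenge is accepted at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending: Dict[bytes, Transaction] = {}

    def start(self, tx: Transaction) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = tx
        return nonce

    def authorize(self, nonce: bytes, tan: Optional[str]) -> bool:
        tx = self._pending.pop(nonce, None)      # single use: a second attempt finds nothing
        if tx is None or tan is None:
            return False
        return hmac.compare_digest(derive_tan(self._key, tx, nonce), tan)


def run_scenarios() -> Dict[str, bool]:
    key = secrets.token_bytes(32)
    bank, device = Bank(key), TrustedDevice(key)
    intended = Transaction("DE00000000000000000001", 12_00, "invoice 42")   # constructed
    tampered = Transaction("DE00000000000000009999", 12_00, "invoice 42")   # constructed

    # 1. Honest PC: the bank holds what the user meant, the display matches, TAN accepted.
    n1 = bank.start(intended)
    honest = bank.authorize(n1, device.display_and_confirm(intended, n1, intended))

    # 2. The PC swaps the recipient on the way to the bank. The bank echoes what it holds
    #    to the trusted display, the user sees the wrong IBAN and refuses, so no TAN exists.
    n2 = bank.start(tampered)
    swapped = bank.authorize(n2, device.display_and_confirm(tampered, n2, intended))

    # 3. A valid TAN is captured on the PC and presented for another challenge, then the
    #    original challenge is replayed; both fail because the TAN is bound to nonce and
    #    transaction and the challenge is consumed on first use.
    n3 = bank.start(intended)
    good_tan = device.display_and_confirm(intended, n3, intended)
    n4 = bank.start(tampered)
    reused = bank.authorize(n4, good_tan)
    first = bank.authorize(n3, good_tan)
    replay = bank.authorize(n3, good_tan)

    return {"honest": honest, "swapped": swapped, "reused": reused,
            "first_use": first, "replay": replay}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 2 is the point of the integrated display in [1]: the TAN binding alone would not help if the user could only see the PC's (possibly forged) rendering, because the device would happily sign the bank's altered copy. The display that shows the bank's own data is what lets the user catch the substitution before any code is released.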
In the following, a method according to the invention is explained step by step on the hardware described above. A user (
According to the invention, the transaction partner (
The device (
In the course of further miniaturization, the device (
Cited patent literature
- [1] DE 10 2008 007 367 64
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102011013424A DE102011013424A1 (en) | 2011-03-09 | 2011-03-09 | Method for secure authorization of transactions by user opposite to transaction partner by device, involves requesting authorized transaction with transaction partner |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102011013424A DE102011013424A1 (en) | 2011-03-09 | 2011-03-09 | Method for secure authorization of transactions by user opposite to transaction partner by device, involves requesting authorized transaction with transaction partner |
Publications (1)
Publication Number | Publication Date |
---|---|
DE102011013424A1 true DE102011013424A1 (en) | 2012-09-13 |
Family ID: 46705375
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
DE102011013424A Ceased DE102011013424A1 (en) | 2011-03-09 | 2011-03-09 | Method for secure authorization of transactions by user opposite to transaction partner by device, involves requesting authorized transaction with transaction partner |
Country Status (1)
Country | Link |
---|---|
DE (1) | DE102011013424A1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102008007367A1 (en) | 2008-02-01 | 2009-08-06 | Novosec Aktiengesellschaft | Method and device for secure mobile electronic signature |
- 2011-03-09: DE application DE102011013424A, publication DE102011013424A1, status not active (ceased)
Non-Patent Citations (2)
Title |
---|
Chipkartenleser - eine kleine Übersicht. Initiative Geldkarte e.V., EURO Kartensysteme GmbH, Frankfurt. September 2005 |
Online-Banking mit chipTAN: Funktionsweise, Vorteile. Kreissparkasse Heinsberg, Heinsberg, 24.11.2010 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3574610B1 (en) | Method for carrying out a two-factor authentication | |
EP2533172B1 (en) | Secure access to data in a device | |
DE102012219618B4 (en) | A method of creating a soft token, computer program product, and service computer system | |
DE102011082101B4 (en) | A method of creating a soft token, computer program product, and service computer system | |
DE102011089580B3 (en) | Method for reading e.g. attribute stored in passport, for electronic-commerce application, involves examining whether attribute of security assertion markup language response fulfills criterion as premiss for contribution of service | |
DE102009052389A1 (en) | Method for secure interaction with a security element | |
CN106453243B (en) | The verification method of server, terminal and its authorization code | |
DE102011108069A1 (en) | Procedure for securing a transaction | |
DE102016105936A1 (en) | Electronic device and method for running applications in different security environments | |
WO2007073842A1 (en) | Method for the preparation of a chip card for electronic signature services | |
EP1027784B2 (en) | Method for digital signing of a message | |
EP2199944A2 (en) | Method for authenticating a person for an electronic data processing assembly with an electronic key | |
EP2434424A1 (en) | Method for increasing the security of security-relevant online services | |
CN102025492B (en) | WEB server and data protection method thereof | |
DE102011013424A1 (en) | Method for secure authorization of transactions by user opposite to transaction partner by device, involves requesting authorized transaction with transaction partner | |
EP3449655A1 (en) | Method for the secure interaction of a user with a mobile terminal and a further entity | |
EP1924945B1 (en) | Method for improving the trustworthiness of electronic devices and data carrier therefor | |
EP3361436B1 (en) | Method for releasing a transaction | |
DE102012215630A1 (en) | Method for Personalizing a Secure Element (SE) and Computer System | |
DE102017128807A1 (en) | Method and arrangement for triggering an electronic payment | |
EP3026842B1 (en) | Method and system for signature creation | |
EP2883182B1 (en) | Device assembly for carrying out or releasing an electronic service and method for securely entering authorization data | |
DE102005008966A1 (en) | Periphery device access controlling method, involves examining access authorization of peripheral device, before accessing device on computer, where device is attached to computer over universal interface | |
EP2487857B1 (en) | Method for providing secure internet access | |
EP2819077A1 (en) | Method for activating at least one service in an e-wallet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| R012 | Request for examination validly filed | |
| R016 | Response to examination communication | |
| R002 | Refusal decision in examination/registration proceedings | |
| R003 | Refusal decision now final | Effective date: 20140627 |