EP2767065A1 - System for secure id authentication - Google Patents
System for secure id authenticationInfo
- Publication number
- EP2767065A1 EP2767065A1 EP12798337.7A EP12798337A EP2767065A1 EP 2767065 A1 EP2767065 A1 EP 2767065A1 EP 12798337 A EP12798337 A EP 12798337A EP 2767065 A1 EP2767065 A1 EP 2767065A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- data
- ias
- response
- user module
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/16—Payments settled via telecommunication systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/325—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
- G06Q20/3255—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks using mobile network messaging services for payment, e.g. SMS
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4012—Verifying personal identification numbers [PIN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/12—Messaging; Mailboxes; Announcements
- H04W4/14—Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/102—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce
Definitions
- This invention relaters to secure ID authentication procedures, particularly, but not exclusively, for authenticating financial and other transactions over publicly accessible communications networks such as cellular telephone networks.
- An accepted authentication procedure for credit and debit card transactions involves the use of a PIN - a personal identification codes, usually consisting of a four digit number, such as 7356 - that is known, or supposed to be known, only to the card holder. Not even the issuing bank or card company knows the user's PIN.
- a payment card PIN is held on the card as an element of data in a magnetic strip.
- the terminal reads the PIN from the magnetic strip and requests the user to enter the PIN on a keypad. If they match, the transaction is authenticated. In this instance, there is no transmission of the PIN over the network.
- the module simply confirms that the payment is authorised.
- the PIN is vulnerable, however, to discovery when transmitted over a publicly accessible network. Knowledge of the PIN could enable unauthorised access to the PIN holder's accounts and other restricted access information. It has been proposed to improve security by more complex procedures.
- a common approach is to require a two-part identity check, one part being specific to the instrument used to transmit the information to the service module, the other part being specific to the user.
- the instrument is a mobile phone
- a combination of phone ID and user ID is required.
- the phone will have a unique ID, being, of course, the telephone number as it appears on the SIM card.
- the industry mandates that there is only ever one SIM card with any particular number.
- the user ID input might be the user's PIN number.
- SIM card ID is unique - it is only required to record and re-use the data stream to access the service module. Simply encrypting the information is no help. It would, in any event, be the encoded information that is intercepted. It is not necessary to de-encrypt it, just use it in the encrypted format, to gain access.
- one-time passwords require software on the user module to generate them, and corresponding software on the service module to verify them, and, in order to provide acceptable levels of security, the software and its usage are sometimes made deliberately complex, in some instances requiring time-limited passwords and random number generators, or costly ancillary equipment.
- the present invention provides simpler approaches to the problem of secure ID authentication.
- the invention comprises a secure ID authentication system for authenticating over a cellular radio network that has a UDDI network a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information; the IAS transmits the request as a class 2 SMS message to the SIM card;
- API application programming interface
- the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data over the UDDI network to an OTA gateway to the IAS; and the IAS decrypts the data and transmits the response to the API.
- a UDDI (Universal Discovery Description and Integration) network is a network in which network service providers and businesses can be listed. It has its own servers under the control of service pro viders, and affords a more secure communication channel within networks used for mobile phone services.
- the system may involve a user PIN request, and the system may then include a PIN test server holding a database of encrypted user module ID and associated PIN data.
- the OTA gateway then transmits the encrypted data to the PIN test server, which, if it has a match for user module ID and ⁇ data, transmits the data to the IAS, which decrypts it and forwards he response to the API as being PIN authenticated.
- Figure 1 is a block diagram
- Figure 2 is a flow chart
- the drawing illustrates a secure ID authentication system for authenticating over a cellular radio network that has a UDDI network a response from a user module, such as a mobile phone MP, comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction.
- the transaction may be one not requiring to be secured by a PIN, such as a subscription to a newsletter or one requiring a simple yes/no answer or a selection from a list of options, or one involving a payment or the provision of personal information, that needs a PIN entry.
- the request is sent - Step I, Figure 2 - to an identity application server (IAS) holding a ⁇ database of user module ID information.
- IAS identity application server
- the IAS converts the request - Step II - to a Class 2 SMS message which it transmits - Step III - over the Cellular Radio Network CN to the SIM card of the phone MP which displays the message on the phone VDU, with optional audio for visually impaired users, and requests an input.
- the user enters the information requested at Step IV.
- the information is encrypted and sent - Step V - to an OTA gateway, such as a 03.48 gateway. Encryption can be effected in any secure way, such as hash encryption.
- PTS PIN test server
- the message is forwarded - Step VIII -to the IAS, or the procedure terminated - Step XI - perhaps with a "wrong PIN" message back, to the phone MP.
- the message does not contain a PIN, it is sent straight from the OTA gateway to the IAS. Messages that reach the IAS result - Step IX - in a "transaction approved" message sent back to the API and the procedure terminated at Step X.
- Hacking into any transaction requires access to the UDDI channel and to be able to tie up a response sent thereover with the initial authentication request, which is thwarted by the response being encrypted.
- the system can provide secure access to a personal database that might be kept in the API.
- the database might a virtual vault that securely stores personal data such as birth certificate and passport details, purchase records, from which a personal profile might be built up which could be selectively available to retailers, who might thereby recommend products and services, an address book, clearly, and a CV, as well as driving licence and insurance details. All this could be securely accessed by, and added to or changed, from a mobile phone or like device.
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1117640.1A GB2499360B8 (en) | 2011-10-12 | 2011-10-12 | Secure ID authentication |
PCT/GB2012/000775 WO2013054073A1 (en) | 2011-10-12 | 2012-10-11 | System for secure id authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2767065A1 true EP2767065A1 (en) | 2014-08-20 |
Family
ID=45091952
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP12798337.7A Withdrawn EP2767065A1 (en) | 2011-10-12 | 2012-10-11 | System for secure id authentication |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP2767065A1 (en) |
JP (1) | JP2015501572A (en) |
CN (1) | CN104429036A (en) |
GB (1) | GB2499360B8 (en) |
HK (1) | HK1208573A1 (en) |
WO (1) | WO2013054073A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2518877A (en) * | 2013-10-04 | 2015-04-08 | Technology Business Man Ltd | Secure ID authentication |
US9832649B1 (en) | 2011-10-12 | 2017-11-28 | Technology Business Management, Limted | Secure ID authentication |
CN103220648A (en) * | 2013-04-28 | 2013-07-24 | 先人掌信息科技(上海)有限公司 | Information interaction method, information interaction system and advertisement interaction method based on short message |
WO2015049540A1 (en) * | 2013-10-04 | 2015-04-09 | Technology Business Management Limited | Secure id authentication |
EP3059918B1 (en) * | 2015-02-23 | 2018-12-12 | Giesecke+Devrient Mobile Security GmbH | Method for accessing a security element |
GB2573262B (en) * | 2018-03-08 | 2022-04-13 | Benefit Vantage Ltd | Mobile identification method based on SIM card and device-related parameters |
CN114785860A (en) * | 2022-06-02 | 2022-07-22 | 深圳云创数安科技有限公司 | Data response method, device, equipment and medium based on encryption and decryption |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU1390395A (en) * | 1994-01-14 | 1995-08-01 | Michael Jeremy Kew | A computer security system |
FI19992343A (en) | 1999-10-29 | 2001-04-30 | Nokia Mobile Phones Ltd | A method and arrangement for reliably identifying a user on a computer system |
FI112286B (en) * | 2000-01-24 | 2003-11-14 | Smarttrust Systems Oy | Payment service apparatus and secure payment procedure |
AU2001245292A1 (en) * | 2000-04-14 | 2001-10-30 | Sun Microsystems, Inc. | Network access security |
US9406062B2 (en) * | 2001-08-21 | 2016-08-02 | Bookit Oy Ajanvarauspalvelu | Authentication method and system |
CA2363220A1 (en) * | 2001-11-23 | 2003-05-23 | Trustshield Technologies Inc. | Simcard authorization: online credit card transaction approval, privacy, authentication and non-repudiation |
CN100433617C (en) * | 2001-12-04 | 2008-11-12 | M概念有限公司 | System and method for facilitating electronic financial transactions using a mobile telecommunications device |
US20040019564A1 (en) * | 2002-07-26 | 2004-01-29 | Scott Goldthwaite | System and method for payment transaction authentication |
EP1807966B1 (en) * | 2004-10-20 | 2020-05-27 | Salt Group Pty Ltd. | Authentication method |
CN1897027A (en) * | 2005-04-08 | 2007-01-17 | 富士通株式会社 | Authentication services using mobile device |
GB0516616D0 (en) * | 2005-08-12 | 2005-09-21 | Vodafone Plc | Mobile account management |
JP2007094874A (en) * | 2005-09-29 | 2007-04-12 | Oki Electric Ind Co Ltd | Financial service providing system |
WO2007059183A2 (en) * | 2005-11-15 | 2007-05-24 | Clairmail Inc | Application access utilizing a message link |
EP1965596A1 (en) * | 2007-02-27 | 2008-09-03 | Gemplus | A personal token having enhanced communication abilities for a hosted application |
CN101458794A (en) * | 2007-12-10 | 2009-06-17 | 国际商业机器公司 | System for enhancing payment safety, method thereof and payment center |
ES2400398T3 (en) * | 2008-03-28 | 2013-04-09 | Vodafone Holding Gmbh | Procedure to update a smart card and smart card with update capability |
NO332479B1 (en) | 2009-03-02 | 2012-09-24 | Encap As | Procedure and computer program for verifying one-time password between server and mobile device using multiple channels |
TR200908280A2 (en) * | 2009-11-03 | 2011-02-21 | Kartek Kart Ve B�L���M Tekno.T�C.Ltd. �T�. | A highly secure mobile payment method and authorization system for this method |
GB2481587B (en) * | 2010-06-28 | 2016-03-23 | Vodafone Ip Licensing Ltd | Authentication |
DE102010041286A1 (en) * | 2010-09-23 | 2012-03-29 | Bundesdruckerei Gmbh | Method and server for providing user information |
-
2011
- 2011-10-12 GB GB1117640.1A patent/GB2499360B8/en not_active Expired - Fee Related
-
2012
- 2012-10-11 WO PCT/GB2012/000775 patent/WO2013054073A1/en active Application Filing
- 2012-10-11 EP EP12798337.7A patent/EP2767065A1/en not_active Withdrawn
- 2012-10-11 JP JP2014535159A patent/JP2015501572A/en active Pending
- 2012-10-11 CN CN201280061248.8A patent/CN104429036A/en active Pending
-
2015
- 2015-09-17 HK HK15109089.6A patent/HK1208573A1/en unknown
Non-Patent Citations (1)
Title |
---|
See references of WO2013054073A1 * |
Also Published As
Publication number | Publication date |
---|---|
GB2499360B (en) | 2015-03-04 |
JP2015501572A (en) | 2015-01-15 |
GB2499360B8 (en) | 2016-01-27 |
GB2499360A8 (en) | 2016-01-27 |
WO2013054073A8 (en) | 2014-12-11 |
GB201117640D0 (en) | 2011-11-23 |
HK1208573A1 (en) | 2016-03-04 |
CN104429036A (en) | 2015-03-18 |
GB2499360A (en) | 2013-08-21 |
WO2013054073A1 (en) | 2013-04-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112602300B (en) | System and method for password authentication of contactless cards | |
US20230162183A1 (en) | Systems and methods for cryptographic authentication of contactless cards | |
US11706212B2 (en) | Method for securing electronic transactions | |
KR102304778B1 (en) | System and method for initially establishing and periodically confirming trust in a software application | |
US10108963B2 (en) | System and method for secure transaction process via mobile device | |
RU2651245C2 (en) | Secure electronic entity for authorising transaction | |
US20200210988A1 (en) | System and method for authentication of a mobile device | |
AU2013216868A1 (en) | Tokenization in mobile and payment environments | |
WO2013054073A1 (en) | System for secure id authentication | |
WO2015044162A1 (en) | Method for securing over-the-air communication between a mobile application and a gateway | |
JP2013514556A (en) | Method and system for securely processing transactions | |
KR20120108599A (en) | Credit card payment service using online credit card payment device | |
WO2007138469A2 (en) | Ic card with otp client | |
US9832649B1 (en) | Secure ID authentication | |
KR20160092944A (en) | Online financial transactions, identity authentication system and method using real cards | |
KR101754486B1 (en) | Method for Providing Mobile Payment Service by Using Account Information | |
KR101879842B1 (en) | User authentication method and system using one time password | |
US20140297541A1 (en) | ID Authentication | |
WO2015049540A1 (en) | Secure id authentication | |
GB2518877A (en) | Secure ID authentication | |
JP2024513782A (en) | Transaction card-based authentication system and method | |
KR20150105160A (en) | Method and apparatus for check before trading for providing electronic payment and banking service using smart device and secure element | |
KR20100104319A (en) | The security connection system and method using hardware security module | |
WO2017108226A1 (en) | Data security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20140512 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: TARLOK TEJI Inventor name: KEITH CURRAN |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: TARLOK TEJI Inventor name: KEITH CURRAN |
|
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: TECHNOLOGY BUSINESS MANAGEMENT LIMITED |
|
17Q | First examination report despatched |
Effective date: 20160729 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20170503 |