GB2505710A - Registration method and system for secure online banking - Google Patents


Info

Publication number: GB2505710A
Authority: GB (United Kingdom)
Prior art keywords: user, mobile device, online, passcode, transaction
Legal status: Withdrawn
Application number: GB1216147.7A
Other versions: GB201216147D0 (en)
Inventor: Jeremy Goldstone
Current assignee: Barclays Bank PLC
Original assignee: Barclays Bank PLC

Application filed by Barclays Bank PLC
Priority to GB1216147.7A (GB2505710A)
Publication of GB201216147D0
Priority to US14/426,500 (US10269013B2)
Priority to EP13774766.3A (EP2896004A1)
Priority to PCT/GB2013/052336 (WO2014041336A1)
Publication of GB2505710A
Priority to ZA2015/01643A (ZA201501643B)


Abstract

A method of registering online payment transaction details in an online banking system 7 which comprises receiving data associated with an online payment transaction from a user, and storing data defining the online payment transaction after verifying the user's identity. In an initial mode of operation, the system enforces a restriction on the online transaction, and in a subsequent mode of operation, the system removes the restriction. A mobile handset 5 and first and second codes may be used to initiate the transaction and lift the restriction. Restrictions of the transaction can include a maximum value on the online transaction and a total number of transactions to a third party in a time period. A two-stage method of registering a user for access to an application on a mobile handset 5 is also provided, whereby access is initially restricted until subsequent re-authentication of the user.

Description

Registration Method and System for Secure Online Banking
Field of the Invention
[0001] This invention relates to an online financial transaction system, and more particularly to a method and system to enable efficient registration for and control of access to functionality provided by the system.
Background of the Invention
[0002] Online financial transaction systems, such as online banking and investment systems, are generally known, in which a customer is able to log on to an online banking website via a web browser on a computer or smart phone, to perform various functions such as retrieving account balances, transferring funds between the customer's bank or credit card accounts, setting up third party payees to receive payment of funds from a customer's bank account, instructing payment of funds from a customer's bank account to a third party, and purchasing of stocks and shares.
[0003] Conventional online banking systems typically require layers of security to ensure that access to customer banking details is restricted to authorised users. For example, a typical log on process will involve the customer entering identification details such as a username or account number together with an associated passcode and/or memorable word, or requested portions thereof. The online banking system verifies the customer identification details before authorising access to the online banking functions. Another layer of security typically provided is to verify a unique and time sensitive one-time passcode that is generated by the customer using a hardware token or passcode generator software, as is known in the art.
[0004] What is desired is an improved online financial transaction system that facilitates more flexible and efficient functionality while maintaining security and assurance throughout.
Statements of the Invention
[0005] Aspects of the present invention are set out in the accompanying claims.
[0006] According to one aspect of the present invention, a method is provided of registering transaction details in an online financial transaction system, the method comprising receiving data associated with an online transaction from a user, and storing data defining the online transaction after verifying the user's identity. In an initial mode of operation, the system enforces a restriction on the online transaction by the user, and in a subsequent mode of operation, the system removes the restriction.
[0007] In another aspect, the present invention provides a method of registering a user for mobile authentication in an online financial transaction system, comprising authenticating a user of a mobile device by verifying a first registration code entered by the user to the mobile device, and storing data indicative of a restriction on online transactions by the user, and re-authenticating the user of the mobile device by verifying a second registration code entered by the user to the mobile device, and removing the restrictions on online transactions by the user.
[0008] In yet another aspect, the present invention provides a method of registering a user for access to functionality provided by an application on a mobile device, comprising authenticating a user of the mobile device by verifying a first registration code entered by the user to the mobile device, and storing data indicative of a restriction on functionality accessible by the user, re-authenticating the user of the mobile device by verifying a second registration code entered by the user to the mobile device, and removing the restriction on functionality accessible by the user.
[0009] In other aspects, there are provided systems arranged to execute any one of the above methods.
[0010] In another aspect, there is provided a computer program arranged to carry out the method when executed by suitable programmable devices.
Brief Description of the Drawings
[0011] There now follows, by way of example only, a detailed description of embodiments of the present invention, with references to the figures identified below.
[0012] Figure 1 is a block diagram showing the main components of an online banking environment according to an embodiment of the invention.
[0013] Figure 2, which comprises Figures 2a to 2c, is a flow diagram illustrating the main processing steps performed by components of the system of Figure 1 according to an embodiment.
Detailed Description of Embodiments of the Invention
Overview
[0014] A specific embodiment of the invention will now be described for a process of registering a transaction instruction using a two-stage customer authentication in an exemplary online banking environment. Referring to Figure 1, the exemplary online banking environment 1 includes a computer 3 and a mobile handset 5 associated with the customer wishing to log on to an online banking system 7 of his/her financial institution via a data network 9, for example to set up a new online transaction. The online transaction may be one of many different forms of financial transaction, such as a payment transaction for an identified value of funds to be transferred from the customer's account to another account, or an order to purchase an identified number or value of shares, etc. A web server 11 in the online banking system 7 provides an online banking interface for the customer, for example via a web browser 13 on the customer's computer 3.
[0015] As will be described in detail below, an authentication application 15 in the mobile handset 5 communicates data with an authentication registration module 17 in the online banking system 7 to verify the customer during the registration process. A payment transaction module 18 in the online banking system 7 facilitates registration of payment transaction details after verification of the customer. The online banking system 7 stores customer data in a database 19, including payment transaction data 21 identifying details of payment transactions registered by the customer using the online banking system 7, and authentication data 23 identifying whether or not the customer is registered for authentication via a mobile device as well as any restrictions that are in place for online transactions registered by the customer. The customer data also includes a mobile device number (MDN) associated with the customer and the mobile handset 5, typically provided when the customer's financial account was initially set up.
[0016] Additional modules may be provided in the online banking system 7 to facilitate payment transactions to and from the customer's financial accounts via the associated financial institution back-end systems (not shown), as well as other types of functionality that are known per se in such systems and need not be described further.
[0017] The computer 3 may be any form of computing device or platform suitable to execute web browser software, such as a personal desktop or laptop computer, a personal data assistant (PDA), a smart phone, a tablet device, or the like. The data network 9 may be any suitable data communication network or combination of known networks, such as a wireless network, a local- or wide-area network including an intranet or the Internet, using for example the TCP/IP protocol, or a cellular communication network such as GPRS, EDGE or 3G, for example. Such communication protocols are of a type that are known per se in data networks and need not be described further. Electronic data communication by the computer 3, mobile handset 5 and online banking system can be encrypted.
[0018] The mobile handset 5 can be a mobile smartphone, tablet computer or portable computing device with cellular data communication capabilities, for receiving Short Message Service (SMS) messages from the online banking system 7 over a cellular network communication path 25, and network data communication capabilities for communicating with the online banking system 7 via the data network 9. It will be appreciated that in some network configurations, the mobile network communication path 17 will be through the data network 7.
Registration Process
[0019] A brief description has been given above of the components forming part of the online banking environment 1 of this exemplary embodiment. A more detailed description of the operation of these components in this embodiment will now be given with reference to the flow diagrams of Figure 2, for an example computer-implemented registration process using the computer 3 and mobile handset 5 in data communication with the online banking system 7.
[0020] As shown in Figure 2, the process begins at step S2-1 where the computer 3 receives user input, via the web browser, of customer details to log on to the online banking website hosted by the web server 11. Typically, the log on process involves the customer entering identification details such as a username or account number together with an associated passcode and/or memorable word, or requested portions thereof. The online banking system verifies the customer's identification details before authorising access to online banking functions via the online banking interface. At step S2-3, the computer 3 receives user input selection of an option to set up a new payment transaction. A similar registration process is carried out for an instruction to set up a new third party payee for future online payment transactions.
[0021] In response to receiving the instruction to set up a new payment transaction, the online banking server 7 determines at step S2-5 if the customer is registered for authentication using an associated mobile handset. As will be described later, the authentication data 23 stored in the customer database 19 is updated as the customer proceeds with the two-stage mobile authentication. Accordingly, if the online banking server 7 determines from the stored authentication data 23 that the customer is not registered for mobile authentication, then at step S2-7, the online banking website on the computer 3 displays a notification to the user that registration for mobile authentication is required, and provides instructions for the customer to proceed with the two-stage mobile authentication.
[0022] In this exemplary embodiment, the first stage of the mobile authentication process is referred to as "lite" authentication registration, whereby the customer is authenticated in an expedient manner using the associated mobile handset, such that the customer is capable of registering the new online payment instruction with minimal delay. As will be explained below, authentication using this first "lite" stage involves less technical processing by the online banking system 7 to carry out an initial verification of the customer making the request. At the same time, the financial institution may be provided with a lesser degree of security with this more efficient authentication process. Consequently, the customer is initially subject to restrictions on new online payment transactions made until the second stage of the mobile authentication process is completed, referred to as "full" authentication registration.
[0023] Accordingly, at step S2-9 the mobile handset 5 downloads and installs the authentication application 15, for example from a mobile application store accessible via the data network 9. Such mobile software download and installation functionality is of a type that is known per se in mobile handset operating systems and need not be described further. The installed authentication application 15 prompts the user to begin lite authentication registration and at step S2-11, the mobile handset 5 receives user input of details identifying the customer's account and transmits the input details to the online banking server 7. The authentication application 15 may also prompt the customer to set up a personal passcode for the application, to prevent unauthorized access to the application. At step S2-13, the authentication registration module 17 in the online banking server 7 retrieves the customer's mobile device number (MDN) associated with the received customer account details, from the customer database 19.
At step S2-15, the authentication registration module 17 generates and transmits a unique lite registration code to the mobile handset 5, for example as an SMS to the retrieved MDN via the cellular network communication path 25. The authentication registration module 17 stores a copy of the lite registration code for subsequent verification. The generated registration code may take any respective form, and may be composed of numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols.
[0024] At step S2-17, the authentication application 15 prompts the customer to input the lite registration code, as received by the mobile handset 5 in the SMS. At step S2-19, the user input lite registration code is received by the authentication registration module 17 and compared to the stored copy for a match, thereby verifying that the customer is in possession of his or her mobile handset 5. Consequently, the authentication registration module 17 activates the customer for mobile authentication by updating the customer's authentication data 23 in the customer database 19. In particular, the authentication data 23 includes data indicating that the customer is registered for mobile authentication and data indicating that online payment transactions are restricted to a predefined maximum value. The authentication data 23 may also include data indicating additional restrictions on online banking functions, such as a maximum frequency of online payment transactions that can be made to a particular third party within a predefined time window.
[0025] After lite authentication registration for the customer is completed at step S2-21, the authentication application 15 may prompt the customer to return to the online banking website to complete registration of the new payment transaction. It will be appreciated that the online banking system 7 may include a time-out feature whereby the user is automatically logged out of the online banking website after a predetermined period of inactivity. Accordingly, processing may return to step S2-1 after the customer returns to the online banking interface on the computer 3, requiring the customer to log back on to the online banking website. However, at step S2-5, the online banking server 7 now determines that the customer is registered for mobile authentication, and in this exemplary embodiment consequently prompts the customer at step S2-23 to enter a mobile authentication one-time passcode, for example in response to an authentication challenge from the payment transaction module 18.
[0026] At step S2-25, the customer once again loads the authentication application 15 on the mobile handset 5 and if necessary, provides user input to log on to the application, such as by verification of the user-defined PIN or passcode. At step S2-27, the authentication application 15 generates a one-time passcode (OTP). The OTP is generated using known technology, and typically expires based upon the passing of a time period set at the online banking system 7. The generated OTP may take any respective form, and may be composed of numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols. The generated OTP is displayed by the authentication application 15 and at step S2-29, the customer inputs the OTP to the online banking interface on the computer 3 for transmission as a challenge response to the online banking server 7. At step S2-31, the payment transaction registration module 18 verifies the received OTP response and confirms that mobile authentication is successful. Algorithms for generating and verifying OTPs are known per se in authentication systems and need not be described further.
[0027] It will be appreciated that the additional layer of customer verification provided by steps S2-23 to S2-31 is optional, and the online banking system does not need to involve generation and verification of such a code to enable access to the online banking functionality. As a further alternative, additional customer verification after logging on to the online banking website can be provided in a more efficient manner by the mobile handset transmitting confirmation that the customer has access to the authentication application, for example after verification of successful log on to the authentication application at step S2-25.
[0028] At step S2-33, the payment transaction registration module 18 determines from the customer's authentication data 23 whether or not online payment transactions are to be restricted, as discussed above. In the present example, the customer has only completed lite authentication registration and therefore the restriction on the maximum transaction value is in place. Accordingly, at step S2-35, the payment transaction registration module 18 determines if the value of the new online payment transaction is less than the predefined limit. If the value of the new online payment transaction is within the restricted limit, then at step S2-37, the new online payment transaction data 27 is stored in the customer database 19, and subsequently processed by the financial institution back-end systems in the normal manner.
[0029] On the other hand, if the payment transaction registration module 18 determines at step S2-35 that the value of the new payment transaction is greater than the predefined limit that is in place for the customer's online account, then at step S2-39, the instruction is declined and the online banking interface displays the declined decision to the customer at step S2-41. The online banking interface on the computer 3 may also display instructions to the customer, advising of the next steps required to obtain a full registration code in order to complete the second stage of authentication registration.
[0030] In this embodiment, there are a number of exemplary ways in which the online banking system 7 can implement more comprehensive and secure identification and verification (ID&V) of the customer before issuing a full registration code. One way is to request a full registration code from the financial institution to be sent by post to the customer's registered postal address. Another way is to use an Automated Teller Machine (ATM) configured with software to generate a full registration code after successful validation of the customer's card and PIN. Yet another way involves physical in-branch ID&V before a member of staff at the bank branch provides a full registration code. It will be appreciated that all of these ID&V techniques involve additional processes compared to the lite authentication registration process, and thus involve additional delay to the customer and the registration process to provide for increased security to the financial institution and the customer.
[0031] After obtaining a full registration code, the customer once again loads the authentication application 15 on the mobile handset 5 and if necessary, provides user input to log on to the application. The authentication application 15 may be configured to subsequently prompt the customer for input of the full registration code to complete the second stage of the process. At step S2-43, the authentication application 15 receives user input of the full registration code for transmission to the online banking system 7. At step S2-45, the authentication registration module 17 in the online banking system 7 receives and verifies the user input full registration code. After the full registration code is verified, the authentication registration module 17 updates the customer's authentication data 23 in the customer database 19 at step S2-47, to remove the restrictions on subsequent online payment transactions. Processing then returns to step S2-1 where the customer is now able to utilise mobile authentication when registering new online payment transactions, without any restrictions being applied at step S2-33.
[0032] In embodiments described above, the computer and mobile handset are provided as separate entities associated with a customer. As those skilled in the art will appreciate, the functionality provided via the web browser of the computer may instead be provided via a web browser or online banking application of the mobile handset, and integrated with the functionality as provided by the authentication application.
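The registration and payment-checking flow of steps S2-5 to S2-47 above, as an added Python simulation that is not part of the patent or of Barclays' systems. The limit values, the six- and eight-digit code lengths, the SMS outbox and the in-memory database are assumptions, the optional OTP challenge of steps S2-23 to S2-31 is left out, and the block also enforces the per-payee frequency restriction of paragraph [0024], which the worked example in the text does not exercise.

```python
"""Two-stage ("lite" / "full") mobile authentication registration, modelled
on GB2505710A.  Added example: limits, code formats and storage are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field

LITE_MAX_VALUE = 250            # assumed: maximum value per payment while "lite"
LITE_MAX_PER_PAYEE = 2          # assumed: payments to one payee per window
LITE_WINDOW_SECONDS = 24 * 3600  # assumed: the "predefined time window"


@dataclass
class AuthData:
    """Authentication data 23: registration state and active restrictions."""
    mobile_registered: bool = False
    restricted: bool = False


@dataclass
class Customer:
    account: str
    mdn: str                                   # mobile device number on file
    auth: AuthData = field(default_factory=AuthData)
    payments: list = field(default_factory=list)  # (timestamp, payee, value)


class OnlineBankingSystem:
    def __init__(self):
        self.db = {}            # customer database 19, keyed by account
        self._pending = {}      # account -> (kind, code) awaiting verification
        self.sms_outbox = []    # stand-in for cellular path 25: (mdn, code)

    # --- lite registration: steps S2-11 to S2-21 ---
    def start_lite_registration(self, account):
        """S2-13/S2-15: look up the MDN on file and send the lite code to it."""
        cust = self.db[account]
        code = f"{secrets.randbelow(10**6):06d}"   # assumed six-digit code
        self._pending[account] = ("lite", code)     # stored copy for S2-19
        self.sms_outbox.append((cust.mdn, code))
        return cust.mdn

    def verify_registration_code(self, account, kind, entered):
        """S2-19 (lite) and S2-45 (full): compare with the stored copy.

        A lite code cannot be presented as a full code and vice versa, a
        failed attempt leaves the pending code in place, and a verified code
        is discarded so it cannot be replayed."""
        pending = self._pending.get(account)
        if pending is None or pending[0] != kind:
            return False
        if not hmac.compare_digest(pending[1], entered):
            return False
        del self._pending[account]
        auth = self.db[account].auth
        if kind == "lite":
            auth.mobile_registered = True
            auth.restricted = True        # S2-21: restrictions now in place
        else:
            auth.restricted = False       # S2-47: restrictions removed
        return True

    # --- full registration code issued out of band (post, ATM, in-branch) ---
    def issue_full_registration_code(self, account):
        """Placeholder for the ID&V channel of paragraph [0030]; the code is
        returned here instead of being posted or handed over in branch."""
        code = f"{secrets.randbelow(10**8):08d}"   # assumed eight-digit code
        self._pending[account] = ("full", code)
        return code

    # --- registering a payment: steps S2-5 and S2-33 to S2-41 ---
    def register_payment(self, account, payee, value, now):
        cust = self.db[account]
        if not cust.auth.mobile_registered:
            return "registration_required"           # S2-7
        if cust.auth.restricted:                     # S2-33
            if value > LITE_MAX_VALUE:               # S2-35 -> S2-39
                return "declined_value_limit"
            recent = [p for p in cust.payments
                      if p[1] == payee and now - p[0] < LITE_WINDOW_SECONDS]
            if len(recent) >= LITE_MAX_PER_PAYEE:    # [0024] frequency limit
                return "declined_payee_frequency"
        cust.payments.append((now, payee, value))    # S2-37: payment data 27
        return "registered"
```

The timestamp argument is passed in explicitly so that the time-window rule can be exercised deterministically.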
Alternative Embodiments [0033] It will be understood that embodiments of the present invention are described herein by way of examp'e only, and that various changes and modifications may be made without departing from the scope of the invention.
[0034] For example, in the embodiment described above, the online banking system and web-based interface prompts the customer to input a one-time passcode after receiving an input instruction to set up a new online payment transaction. As an ahernative, the online banking website may be configured to determine whether the customer is registered for mobile authentication at initial log-on, and to prompt the user for input of a one-time passcode challenge response instead of, or in addition to, the typical log-on details.
[0035] In the embodiment described above, the two stage registration process is described in the context of an online banking system involving a web-based interface via a customer's browser application on a computer. As those skilled in the art will appreciate, the two stage registration process is also applicable non-browser interface forms of systems for financial services. For examp'e, a process for registering a customer for mobile banking using a software module or application on a smart phone can be adapted to include first and second registration stages, whereby authentication using the first "lite" stage involves less technical processing by the system to carry out an initial verification of the customer making the request. In this altemative embodiment, the system can be adapted to restrict predetermined functionality of the mobile banking application to certain predetermined online banking functions, such as retrieval of account balances. However, other predetermined online banking functions can be disabled or otherwise made unavailable to the user, such as the ability to issue new payment transaction instructions, until the second "full" stage of the mobile authentication process is completed. Once the user obtains the full registration code, as described in the embodiment above, the full registration code can be entered to the mobile application to enable unrestncted access to all of the application functions.
[0036] As another example, the two stage registration process may be applicable to registration for a software module or application on a mobile handset for a service that is provided solely to registered users, such as a discount members-only club that uses a mobile application. Similar to the example alternative embodiment described above, the two stage application registration process enables a restricted service to be provided initially by the mobile application to the users registered using the first "lite" stage, and subsequently to provide unrestricted access to all functions of the mobile application after completion of the second "full" stage of registration.
[0037] In the main embodiment described above, examples of initial restrictions placed on online payment transactions after the first "lite" stage of registration are limits placed on the value of an online transaction and/or on the number of times an online transaction can be made to a particular third party within a predefined time window. As those skilled in the art will appreciate, other controls can be applied in addition to or instead of the above restrictions, for example enhanced activity monitoring, increased outbound alerts to registered customer contact data, etc.
[0038] In the embodiment described above, the online banking system includes a plurality of modules, which may be implemented as hardware modules or as computer programs or software in memory, which when executed enable the system to implement embodiments of the present invention as discussed herein. As those skilled in the art will appreciate, the software may be stored in a computer program product 101 and loaded into the online banking system using any known instrument, such as a removable storage disk or drive, a hard disk drive, or a communication interface, to provide some examples. Additionally, although the web server is illustrated as a single component within the online banking system for clarity, it will be appreciated that the web server may be implemented as a plurality of distributed components, whereby highly secured access to the critical customer database and modules of the online banking system can be provided by the distributed web server.
[0039] Alternative embodiments may be envisaged, which nevertheless fall within the scope of the following claims.

Claims (20)

  1. A method of registering online transaction details in a financial transaction system, the method comprising receiving data associated with an online transaction from a user, and storing data defining the online transaction after verifying the user's identity; wherein in an initial mode of operation, the online transaction is checked for conformance with a predefined restriction, and in a subsequent mode of operation, the predefined restriction is removed.
  2. The method of claim 1, wherein the predefined restriction is a maximum value of the online transaction from the user.
  3. The method of claim 1 or 2, wherein the predefined restriction is a total number of online transactions from the user to a third party within a time period.
  4. The method of claim 1, wherein verifying the user's identity comprises receiving data identifying a passcode generated using a passcode generator module on a mobile device and verifying the received passcode.
  5. The method of claim 4, wherein the passcode comprises numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols.
  6. The method of claim 4 or 5, further comprising registering the user for mobile identity verification using the passcode generator module on the mobile device by: verifying a first registration code entered by the user to the mobile device, and storing data indicative of said initial mode of operation; verifying a second registration code entered by the user to the mobile device, and storing data indicative of said subsequent mode of operation.
  7. The method of any preceding claim, wherein the received data associated with the online transaction includes a transaction value.
  8. The method of claim 7, wherein the received data associated with the online transaction further includes data identifying a third party payee.
  9. The method of any preceding claim, further comprising, in the initial mode of operation, performing enhanced activity monitoring and transmitting a greater number of outbound alerts to said user, compared to the subsequent mode of operation.
  10. A method of registering a user for mobile authentication in an online financial transaction system, comprising: authenticating a user of a mobile device by verifying a first registration code entered by the user to the mobile device, and storing data indicative of a restriction on online transactions by the user; re-authenticating the user of the mobile device by verifying a second registration code entered by the user to the mobile device, and removing the restriction on online transactions by the user.
  11. The method of claim 10, wherein the authenticated user is registered with the system for subsequent verification of the user's identity using an authentication application on the mobile device.
  12. A method of registering a user for access to functionality provided by an application on a mobile device, comprising: authenticating a user of the mobile device by verifying a first registration code entered by the user to the mobile device, and storing data indicative of a restriction on functionality accessible by the user; re-authenticating the user of the mobile device by verifying a second registration code entered by the user to the mobile device, and removing the restriction on functionality accessible by the user.
  13. The method of claim 12, wherein access to said functionality is controlled for the registered user based on the stored data.
  14. The method of any one of claims 6 to 13, wherein the first registration code is transmitted to the user via a first communication channel, and wherein the second registration code is transmitted to the user via a second communication channel different to the first communication channel.
  15. The method of claim 14, wherein the first registration code is transmitted to the mobile device as an SMS message.
  16. The method of any one of claims 6 to 15, wherein the registration code comprises numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols.
  17. A system comprising means for performing the method of any one of claims 1 to 16.
  18. A storage medium comprising machine readable instructions stored thereon for causing a computer system to perform a method in accordance with any one of claims 1 to 16.
  19. A method substantially as hereinbefore described with reference to, or as illustrated in Figure 2 of the accompanying drawings.
  20. An online banking system substantially as hereinbefore described with reference to, or as illustrated in Figure 1 of the accompanying drawings.

Amendments to the claims have been filed as follows:

CLAIMS

  1. A method for authentication using a mobile device in an online financial transaction system, the method comprising: storing a verification application on the mobile device, the verification application including a passcode generator module; registering, at a server, the user for mobile identity verification using the verification application, by: verifying a first registration code entered by the user to the mobile device, and storing data indicative of a first registration state of the registered user associated with a predefined restriction; and subsequently verifying a second registration code entered by the user to the mobile device, and storing data indicative of a second registration state of the registered user and removing the predefined restriction; and processing, at the server, data associated with an online transaction received from the user, by: determining that the user is registered for mobile identity verification; verifying a passcode generated using the passcode generator module of the verification application; determining whether the registered user is in the first or second registration state; checking the online transaction for conformance with the predefined restriction when the registered user is determined to be in the first registration state; and storing data defining the online transaction after verifying the received passcode and checking for conformance with any restrictions.
  2. The method of claim 1, wherein the predefined restriction is a maximum value of the online transaction from the user.
  3. The method of claim 1 or 2, wherein the predefined restriction is a total number of online transactions from the user to a third party within a time period.
  4. The method of any preceding claim, wherein the passcode comprises numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols.
  5. The method of any preceding claim, wherein the received data associated with the online transaction includes a transaction value.
  6. The method of claim 5, wherein the received data associated with the online transaction further includes data identifying a third party payee.
  7. The method of any preceding claim, further comprising, in the initial mode of operation, performing enhanced activity monitoring and transmitting a greater number of outbound alerts to said user, compared to the subsequent mode of operation.
  8. The method of any preceding claim, further comprising: displaying, by the verification application on the mobile device, the passcode generated by the passcode generator module; prompting the user to input the generated passcode; receiving user input of a passcode; and transmitting the input passcode to the server for verification.
  9. The method of claim 8, wherein the passcode is input and transmitted to the server via a browser application.
  10. The method of any preceding claim, further comprising providing an application module on the mobile device for accessing said services, and controlling access to functionality provided by the application module, wherein: in the initial mode of operation, a restriction is applied to the functionality accessible by the user; and in the subsequent mode of operation, removing the restriction on the functionality accessible by the user.
  11. The method of any preceding claim, wherein the first registration code is transmitted to the user via a first communication channel, and wherein the second registration code is transmitted to the user via a second communication channel different to the first communication channel.
  12. The method of claim 11, wherein the first registration code is transmitted to the mobile device as an SMS message.
  13. The method of any preceding claim, wherein the registration code comprises numeric or alphabetic symbols, non-alphanumeric symbols, or a combination of such symbols.
  14. A system comprising means for performing the method of any one of claims 1 to 13.
  15. A storage medium comprising machine readable instructions stored thereon for causing a computer system to perform a method in accordance with any one of claims 1 to 13.
  16. A method substantially as hereinbefore described with reference to, or as illustrated in Figure 2 of the accompanying drawings.
  17. An online banking system substantially as hereinbefore described with reference to, or as illustrated in Figure 1 of the accompanying drawings.
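The two-stage ("lite" then "full") registration with a restricted initial mode described in paragraphs [0035] to [0037] above, and the server-side transaction processing set out in amended claim 1, as an added worked example in Python. This is not code from the patent or from Barclays: the patent does not specify how the passcode generator module computes its passcodes, how registration codes are formatted, or what the limit values are, so the HMAC-SHA256 time-step passcode, the 6-digit and hex code formats, the 5000-unit value cap, the 3-per-payee-per-24h count, the replay guard (`last_counter`) and the one-step clock-drift allowance are all assumptions of this example, as are every class and function name. The patent says the two registration codes go out over two different channels (SMS for the first); here `enrol` returns them directly so the flow can be run offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Added example, not code from the patent: the HMAC time-step passcode, the code
# formats, the limits and every name below are assumptions.
PASSCODE_STEP_S = 30
PASSCODE_DIGITS = 6


class RegState(Enum):
    UNREGISTERED = "unregistered"
    LITE = "lite"    # first registration code verified: restrictions apply
    FULL = "full"    # second registration code verified: restrictions removed


@dataclass
class Restriction:
    """Controls applied only while the user is in the LITE state (assumed values)."""
    max_value: int = 5000       # per-transaction cap, in minor currency units
    max_to_payee: int = 3       # transactions to one payee per window
    window_s: int = 24 * 3600


@dataclass
class UserRecord:
    state: RegState = RegState.UNREGISTERED
    first_code: Optional[str] = None       # delivered by SMS (first channel)
    second_code: Optional[str] = None      # delivered over a different channel
    device_secret: Optional[bytes] = None  # shared with the passcode generator
    last_counter: int = -1                 # highest time step already accepted
    transactions: list = field(default_factory=list)  # (timestamp, payee, value)
    alerts: list = field(default_factory=list)        # outbound alerts raised


def _eq(expected: Optional[str], supplied: str) -> bool:
    """Constant-time comparison; a consumed (None) code never matches."""
    return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())


def generate_passcode(secret: bytes, counter: int) -> str:
    """Passcode generator module (mobile side): HMAC-SHA256 over the time step."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** PASSCODE_DIGITS:0{PASSCODE_DIGITS}d}"


class RegistrationServer:
    def __init__(self, restriction: Optional[Restriction] = None):
        self.users: dict = {}
        self.restriction = restriction or Restriction()

    def enrol(self, user_id: str) -> dict:
        """Issue both registration codes and the device secret. In deployment they
        leave by separate out-of-band channels; here they are returned for the demo."""
        rec = UserRecord(first_code=f"{secrets.randbelow(10 ** 6):06d}",
                         second_code=secrets.token_hex(4).upper(),
                         device_secret=secrets.token_bytes(20))
        self.users[user_id] = rec
        return {"sms_code": rec.first_code, "second_code": rec.second_code,
                "device_secret": rec.device_secret}

    def verify_first_code(self, user_id: str, code: str) -> bool:
        rec = self.users[user_id]
        if rec.state is not RegState.UNREGISTERED or not _eq(rec.first_code, code):
            return False
        rec.first_code, rec.state = None, RegState.LITE   # code is single use
        return True

    def verify_second_code(self, user_id: str, code: str) -> bool:
        rec = self.users[user_id]   # the full stage is only reachable from the lite stage
        if rec.state is not RegState.LITE or not _eq(rec.second_code, code):
            return False
        rec.second_code, rec.state = None, RegState.FULL
        return True

    def verify_passcode(self, user_id: str, passcode: str, now: float) -> bool:
        rec = self.users[user_id]
        counter = int(now // PASSCODE_STEP_S)
        for c in (counter, counter - 1):   # tolerate one step of clock drift
            if c > rec.last_counter and _eq(generate_passcode(rec.device_secret, c), passcode):
                rec.last_counter = c       # an accepted step cannot be replayed
                return True
        return False

    def submit_transaction(self, user_id: str, passcode: str, payee: str, value: int, now: float):
        """Server-side handling of one online transaction, as in amended claim 1."""
        rec = self.users.get(user_id)
        if rec is None or rec.state is RegState.UNREGISTERED:
            return False, "not registered for mobile identity verification"
        if not self.verify_passcode(user_id, passcode, now):
            return False, "passcode rejected"
        if rec.state is RegState.LITE:     # initial mode: enhanced monitoring + restriction
            rec.alerts.append(f"lite-stage activity: {payee} {value}")
            r = self.restriction
            recent = [t for t in rec.transactions if t[1] == payee and now - t[0] < r.window_s]
            if value > r.max_value:
                return False, "value exceeds lite-stage limit"
            if len(recent) >= r.max_to_payee:
                return False, "too many transactions to this payee in window"
        rec.transactions.append((now, payee, value))
        return True, "stored"
```

Two points worth noting from running it. First, the restriction check sits after passcode verification and is skipped entirely once the user is in `FULL`, which is exactly the claim's ordering (verify passcode, determine state, check conformance only in the first state, then store); the per-payee count is computed over stored transactions only, so a rejected attempt does not count towards the window. Second, the `lite` stage raises an alert on every attempt, accepted or not, which is the "greater number of outbound alerts" of claim 7 expressed in the simplest way; a real deployment would send those to the registered contact data rather than append to a list.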
GB1216147.7A 2012-09-11 2012-09-11 Registration method and system for secure online banking Withdrawn GB2505710A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
GB1216147.7A GB2505710A (en) 2012-09-11 2012-09-11 Registration method and system for secure online banking
US14/426,500 US10269013B2 (en) 2012-09-11 2013-09-06 Registration method and system for secure online banking
EP13774766.3A EP2896004A1 (en) 2012-09-11 2013-09-06 Registration method and system for secure online banking
PCT/GB2013/052336 WO2014041336A1 (en) 2012-09-11 2013-09-06 Registration method and system for secure online banking
ZA2015/01643A ZA201501643B (en) 2012-09-11 2015-03-10 Registration method and system for secure online banking

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1216147.7A GB2505710A (en) 2012-09-11 2012-09-11 Registration method and system for secure online banking

Publications (2)

Publication Number Publication Date
GB201216147D0 GB201216147D0 (en) 2012-10-24
GB2505710A true GB2505710A (en) 2014-03-12

Family

ID=47137222

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1216147.7A Withdrawn GB2505710A (en) 2012-09-11 2012-09-11 Registration method and system for secure online banking

Country Status (5)

Country Link
US (1) US10269013B2 (en)
EP (1) EP2896004A1 (en)
GB (1) GB2505710A (en)
WO (1) WO2014041336A1 (en)
ZA (1) ZA201501643B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140337216A1 (en) * 2013-05-13 2014-11-13 Ramalingam Krishnamurthi Anand Fraud prevention for transactions
JP6322976B2 (en) * 2013-11-29 2018-05-16 富士通株式会社 Information processing apparatus and user authentication method
US9064376B1 (en) 2014-06-06 2015-06-23 Aviel David Rubin Utilization of multiple devices to secure online transactions
US11838851B1 (en) * 2014-07-15 2023-12-05 F5, Inc. Methods for managing L7 traffic classification and devices thereof
US11895138B1 (en) 2015-02-02 2024-02-06 F5, Inc. Methods for improving web scanner accuracy and devices thereof
US10250594B2 (en) 2015-03-27 2019-04-02 Oracle International Corporation Declarative techniques for transaction-specific authentication
CN104881779A (en) * 2015-06-17 2015-09-02 恒宝股份有限公司 Device, system, and method for mobile convergence payment
US10225283B2 (en) 2015-10-22 2019-03-05 Oracle International Corporation Protection against end user account locking denial of service (DOS)
US10164971B2 (en) 2015-10-22 2018-12-25 Oracle International Corporation End user initiated access server authenticity check
US10257205B2 (en) 2015-10-22 2019-04-09 Oracle International Corporation Techniques for authentication level step-down
CN113918914A (en) 2015-10-23 2022-01-11 甲骨文国际公司 Password-free authentication for access management
US11165581B2 (en) * 2018-10-05 2021-11-02 Mimecast Services Ltd. System for improved identification and authentication
US11032275B2 (en) * 2018-10-05 2021-06-08 Mimecast Services Ltd. System for improved identification and authentication
CN109636571A (en) * 2018-10-25 2019-04-16 深圳壹账通智能科技有限公司 Risk analysis method, device, equipment and readable storage medium storing program for executing
US20220217136A1 (en) * 2021-01-04 2022-07-07 Bank Of America Corporation Identity verification through multisystem cooperation

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2351594A (en) * 1999-06-30 2001-01-03 Ncr Int Inc Portable terminal
DE10218210A1 (en) * 2002-04-24 2003-11-06 Deutsche Telekom Ag Security method for chip cards, mobile phones, etc., whereby different levels of security are provided by use of secret access codes or PINs for different levels of sensitive information or functions
US20040111367A1 (en) * 2000-08-15 2004-06-10 Yahoo' Inc. Systems and methods for implementing person-to-person money exchange
JP2006259854A (en) * 2005-03-15 2006-09-28 Bank Of Tokyo-Mitsubishi Ufj Ltd Server device and settlement method
KR100946410B1 (en) * 2005-09-23 2010-03-15 주식회사 한국사이버결제 Method and system for approval of another party mobile payment
US20110184840A1 (en) * 2010-01-27 2011-07-28 Ebay Inc. Systems and methods for facilitating account verification over a network
EP2495677A1 (en) * 2011-03-02 2012-09-05 Research In Motion Limited Password-based operation of a locked computing device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040034568A1 (en) * 2002-08-09 2004-02-19 Masahiro Sone System and method for restricted network shopping
US10943237B2 (en) * 2014-12-31 2021-03-09 Paypal, Inc. Authentication device that enables transactions with a payment instrument

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2351594A (en) * 1999-06-30 2001-01-03 Ncr Int Inc Portable terminal
US20040111367A1 (en) * 2000-08-15 2004-06-10 Yahoo' Inc. Systems and methods for implementing person-to-person money exchange
DE10218210A1 (en) * 2002-04-24 2003-11-06 Deutsche Telekom Ag Security method for chip cards, mobile phones, etc., whereby different levels of security are provided by use of secret access codes or PINs for different levels of sensitive information or functions
JP2006259854A (en) * 2005-03-15 2006-09-28 Bank Of Tokyo-Mitsubishi Ufj Ltd Server device and settlement method
KR100946410B1 (en) * 2005-09-23 2010-03-15 주식회사 한국사이버결제 Method and system for approval of another party mobile payment
US20110184840A1 (en) * 2010-01-27 2011-07-28 Ebay Inc. Systems and methods for facilitating account verification over a network
EP2495677A1 (en) * 2011-03-02 2012-09-05 Research In Motion Limited Password-based operation of a locked computing device

Also Published As

Publication number Publication date
ZA201501643B (en) 2016-08-31
US10269013B2 (en) 2019-04-23
EP2896004A1 (en) 2015-07-22
US20150242852A1 (en) 2015-08-27
WO2014041336A1 (en) 2014-03-20
GB201216147D0 (en) 2012-10-24

Similar Documents

Publication Publication Date Title
US10269013B2 (en) Registration method and system for secure online banking
US11836724B2 (en) Systems and methods for performing ATM fund transfer using active authentication
JP6257670B2 (en) Method and system for performing secure bank transactions
US9607293B2 (en) Method and system for account management and electronic wallet access on a mobile device
US10242362B2 (en) Systems and methods for issuance of provisional financial accounts to mobile devices
EP2873192B1 (en) Methods and systems for using derived credentials to authenticate a device across multiple platforms
US8060413B2 (en) System and method for making electronic payments from a wireless mobile device
US20120284195A1 (en) Method and system for secure user registration
US10432617B2 (en) One time passcode
US20140058951A1 (en) Mobile electronic device and use thereof for electronic transactions
US20150302409A1 (en) System and method for location-based financial transaction authentication
US20110213711A1 (en) Method, system and apparatus for providing transaction verification
US20150261948A1 (en) Two-factor authentication methods and systems
CN107690788A (en) Identification and/or Verification System and method
US20160012433A1 (en) Systems and methods for sending payment data using a mobile electronic device to transact with other computing devices
WO2016015054A1 (en) Mobile communication device with proximity based communication circuitry
WO2012042262A1 (en) Mobile payment system
JP2017530586A (en) System and method for authenticating a client to a device
US20160162893A1 (en) Open, on-device cardholder verification method for mobile devices
JP2014096140A (en) Method for payment processing, and system and electronic device for executing the same
EP2575099A1 (en) Electronic funds transfer
US20210272097A1 (en) Systems and methods for contactless card-based credentials
CN101131760A (en) Method and system for checking account security
WO2013152735A1 (en) Electronic cipher generation method, apparatus and device, and electronic cipher authentication system
KR101804182B1 (en) Online financial transactions, identity authentication system and method using real cards

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20181011 AND 20181017

R108 Alteration of time limits (patents rules 1995)

Free format text: EXTENSION APPLICATION

Effective date: 20201008

Free format text: EXTENSION ALLOWED

Effective date: 20201019

WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)