GB2518877A - Secure ID authentication - Google Patents

Publication number
GB2518877A
Authority
GB
United Kingdom
Prior art keywords
data
response
request
user module
transmits
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1317575.7A
Other versions
GB201317575D0 (en)
Inventor
Nath Teji Tarlok
Keith Curran
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TECHNOLOGY BUSINESS MANAGEMENT Ltd
TECHNOLOGY BUSINESS MAN Ltd
Original Assignee
TECHNOLOGY BUSINESS MANAGEMENT Ltd
TECHNOLOGY BUSINESS MAN Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TECHNOLOGY BUSINESS MANAGEMENT Ltd, TECHNOLOGY BUSINESS MAN Ltd filed Critical TECHNOLOGY BUSINESS MANAGEMENT Ltd
Priority to GB1317575.7A priority Critical patent/GB2518877A/en
Publication of GB201317575D0 publication Critical patent/GB201317575D0/en
Priority to US14/238,780 priority patent/US9832649B1/en
Priority to PCT/GB2014/052998 priority patent/WO2015049540A1/en
Publication of GB2518877A publication Critical patent/GB2518877A/en
Priority to HK15109528.5A priority patent/HK1208985A1/en
Withdrawn legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3229 Use of the SIM of a M-device as secure element
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/325 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
    • G06Q20/3255 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks using mobile network messaging services for payment, e.g. SMS
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3827 Use of message hashing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Payment protocols; Details thereof using an alias or single-use codes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4012 Verifying personal identification numbers [PIN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12 Messaging; Mailboxes; Announcements
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A secure identification (ID) authentication system for authenticating over a cellular radio network that has a Universal Description Discovery and Integration (UDDI) network, a response from a user module comprising a Subscriber Identification Module (SIM) card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information associated with a USSD dedicated computer; the IAS transmits the request as a class 2 Short Message Service (SMS) message to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data, via the USSD computer to an Over The Air (OTA) gateway to the IAS; and the IAS decrypts the data and transmits the response to the API.

Description

Secure ID Authentication
This invention relates to secure ID authentication procedures, particularly, but not exclusively, for authenticating financial and other transactions over publicly accessible communications networks such as cellular telephone networks.
An accepted authentication procedure for credit and debit card transactions involves the use of a PIN - a personal identification code, usually consisting of a four digit number, such as 7356 - that is known, or supposed to be known, only to the card holder. Not even the issuing bank or card company knows the user's PIN.
A payment card PIN is held on the card as an element of data in a magnetic strip. At a payment terminal connected in a communications network, the terminal reads the PIN from the magnetic strip and requests the user to enter the PIN on a keypad. If they match, the transaction is authenticated. In this instance, there is no transmission of the PIN over the network. The module simply confirms that the payment is authorised.
However, in many other transactions between a user and a service module, which do not use a dedicated payment terminal with a facility for checking an entered PIN, the PIN would need to be stored on the service module, and checked there in order to authenticate the transaction.
The PIN is vulnerable, however, to discovery when transmitted over a publicly accessible network. Knowledge of the PIN could enable unauthorised access to the PIN holder's accounts and other restricted access information. It has been proposed to improve security by more complex procedures.
A common approach is to require a two-part identity check, one part being specific to the instrument used to transmit the information to the service module, the other part being specific to the user. If the instrument is a mobile phone, a combination of phone ID and user ID is required. The phone will have a unique ID, being, of course, the telephone number as it appears on the SIM card. The industry mandates that there is only ever one SIM card with any particular number. The user ID input might be the user's PIN number.
However, transmitting this information over a network is open to the risk of eavesdropping. It does not matter that the SIM card ID is unique - it is only required to record and re-use the data stream to access the service module.
Simply encrypting the information is no help. It would, in any event, be the encoded information that is intercepted. It is not necessary to de-encrypt it, just use it in the encrypted format, to gain access.
Resort is had, therefore, to a one-time password. Interception is now pointless, as the same data stream will not work a second time.
Examples of one-time password systems are found in WO2010/101476, WO0131840, and numerous other patent publications.
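The replay argument of the preceding paragraphs, as an added example that is not part of the patent text: a deterministic protected credential is accepted again when the recorded bytes are re-sent, while a counter-based one-time password is not. HOTP (RFC 4226) stands in here for a generic one-time password scheme, and `StaticService`, `OneTimeService`, the keys and the phone ID are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values for illustration only.
DEVICE_KEY = b"constructed-demo-key"
PHONE_ID = "phone-0001"             # constructed stand-in for the SIM number
PIN = "7356"                        # the example PIN used in the description
OTP_KEY = b"12345678901234567890"   # test secret from RFC 4226, Appendix D


def static_token(key: bytes, phone_id: str, pin: str) -> bytes:
    """Keyed hash of phone ID + PIN, standing in for any deterministic
    encryption: the protected bytes are identical on every transaction."""
    return hmac.new(key, f"{phone_id}|{pin}".encode(), hashlib.sha256).digest()


class StaticService:
    """Hypothetical service module that accepts the same protected credential
    every time it is presented."""

    def __init__(self, key: bytes, phone_id: str, pin: str):
        self._expected = static_token(key, phone_id, pin)

    def authenticate(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._expected)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OneTimeService:
    """Hypothetical service module that accepts each counter value once and
    then advances, so a recorded code is stale by the time it is re-sent."""

    def __init__(self, key: bytes, window: int = 3):
        self._key = key
        self._counter = 0
        self._window = window   # tolerated look-ahead if the user skipped codes

    def authenticate(self, code: str) -> bool:
        for step in range(self._window):
            candidate = hotp(self._key, self._counter + step)
            if hmac.compare_digest(code, candidate):
                self._counter += step + 1   # never accept this counter again
                return True
        return False


def replay_demo():
    """Return (static_first, static_replay, otp_first, otp_replay)."""
    static = StaticService(DEVICE_KEY, PHONE_ID, PIN)
    recorded = static_token(DEVICE_KEY, PHONE_ID, PIN)   # bytes seen in transit
    static_first = static.authenticate(recorded)
    static_replay = static.authenticate(recorded)        # same bytes, accepted

    otp = OneTimeService(OTP_KEY)
    recorded_code = hotp(OTP_KEY, 0)
    otp_first = otp.authenticate(recorded_code)
    otp_replay = otp.authenticate(recorded_code)         # counter has moved on
    return static_first, static_replay, otp_first, otp_replay


if __name__ == "__main__":
    print(replay_demo())
```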
However, one-time passwords require software on the user module to generate them, and corresponding software on the service module to verify them, and, in order to provide acceptable levels of security, the software and its usage are sometimes made deliberately complex, in some instances requiring time-limited passwords and random number generators, or costly ancillary equipment.
The present invention provides simpler approaches to the problem of secure ID authentication.
The invention comprises a secure ID authentication system for authenticating over a cellular radio network a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information associated with a USSD dedicated computer; the IAS transmits the request as a class 2 SMS message to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data, via the USSD computer to an OTA gateway to the IAS; and the IAS decrypts the data and transmits the response to the API.
GB2499360 proposes, in a similar system, to transmit the encrypted data using a UDDI (Universal Description Discovery and Integration) network. Such a system makes it generally unattractive to hackers, as it requires a considerable effort to intercept messages for potentially uninteresting rewards.
A USSD (Unstructured Supplementary Service Data) protocol is used by cellular telephones to provide real time communication with the service provider's computers. It can be used to provide a call back service, to top up a balance on a pay-as-you-go SIM card and to deliver one time passwords and PIN codes. Its known use for such messages would suggest that it would be an obvious target for hackers.
Associating a USSD dedicated computer with the IAS, however, provides a generally secure channel for the transmission of sensitive ID authentication data, as the USSD messaging protocol is non-standardised and under the control of the proprietor of the computer. Encrypting the response and associated data renders the service even more difficult to hack into, and even less worth the effort of trying.
The system may involve a user PIN request, and the system may then include a PIN test server holding a database of encrypted user module ID and associated PIN data. The OTA gateway then transmits the encrypted data to the PIN test server, which, if it has a match for user module ID and PIN data, transmits the data to the IAS, which decrypts it and forwards the response to the API as being PIN authenticated.
Embodiments of the system will now be described with reference to the accompanying drawing, in which: Figure 1 is a block diagram; and Figure 2 is a flow chart.
The drawing illustrates a secure ID authentication system for authenticating over a cellular radio network a response from a user module, such as a mobile phone MP, comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction. The transaction may be one not requiring to be secured by a PIN, such as a subscription to a newsletter or one requiring a simple yes/no answer or a selection from a list of options, or one involving a payment or the provision of personal information, that needs a PIN entry.
The request is sent - Step I, Figure 2 - to an identity application server (IAS) holding a database of user module ID information. The IAS is associated with a USSD dedicated computer (USSD-C). The IAS converts the request - Step II - to a Class 2 SMS message which it transmits - Step III - over the Cellular Radio Network CM to the SIM card of the phone MP which displays the message on the phone VDU, with optional audio for visually impaired users, and requests an input.
The user enters the information requested at Step IV. The information is encrypted and sent - Step V - to an OTA gateway, such as a 03.48 gateway via the USSD computer.
Encryption can be effected in any secure way, such as hash encryption. If the information contains a PIN - decision step VI - it is sent on to a PIN test server PTS, which contains a database of module ID information and associated PINs, where it is matched, Step VII, or not, with data stored in the database. If the module user ID and associated PIN are found on the PTS, the message is forwarded - Step VIII - to the IAS, or the procedure terminated - Step XI - perhaps with a "wrong PIN" message back, to the phone MP.
If the message does not contain a PIN, it is sent straight from the OTA gateway to the IAS. Messages that reach the IAS result - Step IX - in a "transaction approved" message sent back to the API and the procedure terminated at Step X.
Hacking into any transaction requires access to the USSD channel and to be able to tie up a response sent thereover with the initial authentication request, which is thwarted by the response being encrypted.
In addition to facilitating secure financial transactions, including payments by credit or debit card or to and from bank accounts, the system can provide secure access to a personal database that might be kept in the API. The database might be a virtual vault that securely stores personal data such as birth certificate and passport details, purchase records, from which a personal profile might be built up which could be selectively available to retailers, who might thereby recommend products and services, an address book, clearly, and a CV, as well as driving licence and insurance details. All this could be securely accessed by, and added to or changed, from a mobile phone or like device.

Claims (5)

  1. A secure ID authentication system for authenticating over a cellular radio network that has a UDDI network a response from a user module comprising a SIM card to a request from an application programming interface (API) to authenticate a transaction, in which; a request is sent to an identity application server (IAS) holding a database of user module ID information associated with a USSD dedicated computer; the IAS transmits the request as a class 2 SMS message to the SIM card; the SIM card causes the request to be displayed on the user module; when a response is entered, the user module encrypts the response and associated data and transmits the encrypted data, via the USSD computer to an OTA gateway to the IAS; and the IAS decrypts the data and transmits the response to the API.
  2. A system according to claim 1, which includes a PIN test server holding a database of encrypted user module ID and associated PIN data.
  3. A system according to claim 2, in which the OTA gateway transmits the encrypted data to the PIN test server, which, if it has a match for user module ID and PIN data, transmits the data to the IAS, which decrypts it and forwards the response to the API as being PIN authenticated.
  4. A system according to any one of claims 1 to 4, in which encryption is hash encryption.
  5. A system according to any one of claims 1 to 4, when used for authenticating financial transactions.
  6. A system for the secure storage of data, such as personal data, comprising an access system comprising a secure ID authentication system according to any one of claims 1 to 5.
GB1317575.7A 2011-10-12 2013-10-04 Secure ID authentication Withdrawn GB2518877A (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
GB1317575.7A GB2518877A (en) 2013-10-04 2013-10-04 Secure ID authentication
US14/238,780 US9832649B1 (en) 2011-10-12 2014-02-13 Secure ID authentication
PCT/GB2014/052998 WO2015049540A1 (en) 2013-10-04 2014-10-03 Secure id authentication
HK15109528.5A HK1208985A1 (en) 2013-10-04 2015-09-29 Secure id authentication id

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1317575.7A GB2518877A (en) 2013-10-04 2013-10-04 Secure ID authentication

Publications (2)

Publication Number Publication Date
GB201317575D0 GB201317575D0 (en) 2013-11-20
GB2518877A true GB2518877A (en) 2015-04-08

Family

ID=49630183

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1317575.7A Withdrawn GB2518877A (en) 2011-10-12 2013-10-04 Secure ID authentication

Country Status (2)

Country Link
GB (1) GB2518877A (en)
HK (1) HK1208985A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090150248A1 (en) * 2007-12-10 2009-06-11 International Business Machines Corporation System for enhancing payment security, method thereof and payment center
WO2010140876A1 (en) * 2009-06-01 2010-12-09 Bemobile Sdn. Bhd. Method, system and secure server for multi-factor transaction authentication
GB2481587A (en) * 2010-06-28 2012-01-04 Vodafone Ip Licensing Ltd Generating one-time passwords (OTP) using a mobile phone
WO2012004640A1 (en) * 2010-07-08 2012-01-12 Entersect Technologies (Pty) Ltd. Transaction authentication
US20130166450A1 (en) * 2010-04-23 2013-06-27 Thandisizwe Ezwenilethu Pama Identity Verification System Using Network Initiated USSD
GB2499360A (en) * 2011-10-12 2013-08-21 Technology Business Man Ltd Secure ID authentication over a cellular radio network
US20130248596A1 (en) * 2012-03-23 2013-09-26 International Business Machines Corporation Mobile device financial transactions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Unstructured Supplementary Service Data" [online], Wikipedia. Available from: http://en.wikipedia.org/wiki/Unstructured_Supplementary_Service_Data [Accessed 08 March 2014] *

Also Published As

Publication number Publication date
GB201317575D0 (en) 2013-11-20
HK1208985A1 (en) 2016-03-18


Legal Events

Date Code Title Description
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1208985

Country of ref document: HK

WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)
REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1208985

Country of ref document: HK