GB2519894A - Handling encoded information - Google Patents

Handling encoded information Download PDF

Info

Publication number
GB2519894A
GB2519894A GB1503007.5A GB201503007A GB2519894A GB 2519894 A GB2519894 A GB 2519894A GB 201503007 A GB201503007 A GB 201503007A GB 2519894 A GB2519894 A GB 2519894A
Authority
GB
United Kingdom
Prior art keywords
user
information item
message
server apparatus
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1503007.5A
Other versions
GB2519894B8 (en
GB2519894B (en
GB2519894A8 (en
GB201503007D0 (en
Inventor
Richard Heafield Harris
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ENSYGNIA Ltd
MATTHEW DEACON
Original Assignee
ENSYGNIA Ltd
MATTHEW DEACON
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ENSYGNIA Ltd, MATTHEW DEACON filed Critical ENSYGNIA Ltd
Priority to GB1503007.5A priority Critical patent/GB2519894B8/en
Priority claimed from GB1422939.7A external-priority patent/GB2519876B8/en
Publication of GB201503007D0 publication Critical patent/GB201503007D0/en
Publication of GB2519894A publication Critical patent/GB2519894A/en
Application granted granted Critical
Publication of GB2519894B publication Critical patent/GB2519894B/en
Publication of GB2519894B8 publication Critical patent/GB2519894B8/en
Publication of GB2519894A8 publication Critical patent/GB2519894A8/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3276Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being read by the M-device
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/36User authentication by graphic or iconic representation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • G06F21/43User authentication using separate channels for security data wireless channels
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/30Individual registration on entry or exit not involving the use of a pass
    • G07C9/38Individual registration on entry or exit not involving the use of a pass with central registration
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F19/00Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F19/00Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20Automatic teller machines [ATMs]
    • G07F19/203Dispensing operations within ATMs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A device obtains a computer readable radio frequency RF encoded information item and decodes it, or transmits the coded information to the server to be decoded. The device transmits a first message to first server apparatus, including the decoded information and a first identifier identifying the device or a user of the device. The server uses the identifier to establish the identity of the user of the device, and in response to establishing the identity of the user, performing an action based on the decoded information. The system may be used to validate ATM, self-service shopping or other check out transactions, or to allow access to a service or open secure doors to authorized people. The decoded information may be verification information, which is compared with reference data. The encoded information may be a smart tag, use radio RF information items or audio encoding . The system may reduce the risk of a man in the middle attack with tiered strengths of authentication for mobile banking and payments.

Description

I
Handling Encoded Information
Field of the Invention
The invention relates to the handling of encoded information
Background to the Invention
Identity cloning is an increasingly common phenomenon. Fraudsters use a wide variety of mechanisms to in order to illegally elicit personal information such as usernames, passwords, dates of birth and addresses with a view to cloning identities.
One such mechanism is where a fraudster provides a spoof (or clone) of a website, which to an unsuspecting user appears identical to the original. Believing that the website is the original, the user provides personal information, such as login details or credit card details, which are recorded by the fraudster. A more sophisticated approach is a "man-in-the-middle attack" in which a fraudster provides the done website and records the personal information, but also passes the personal information to the real website, which logs the user in as normal. In this way, the user does not notice anything different and the fraudster is able to obtain the personal information without alerting the user. This invention was made with a view to preventing these and other similar types of fraudulent activity.
Summary of the Invention
According to a first aspect, this specification describes a method comprising a device obtaining an encoded information item, decoding the encoded information from the encoded information item, and transmitting a first message to first server apparatus, the first message including the decoded information and a first identifier identifying the device or a user of the device; and the first server apparatus receiving the first message from the device, using the first identifier to establish the identity of the user of the device, and in response to establishing the identity of the user, performing an action based on the decoded information.
According to a second aspect, this specification describes a method comprising a device obtaining an encoded information item, and transmitting a first message to first server apparatus, the first message including the encoded information item and a first identifier identifying the device or a user of the device, and the first server apparatus receiving the first message from the device, decoding the encoded information from the encoded information item, using the first identifier to establish the identity of the user of the device, and in response to establishing the identity of the user, performing an action based on the decoded information.
According to a third aspect, this specification describes a system comprising a device configured to obtain an encoded information item, to decode the encoded Jo information from the encoded information item, and to transmit a first message to first server apparatus, the first message including the decoded information and a first identifier identifying the device or a user of the device, and first server apparatus configured to receive the first message from the device, to use the first identifier to establish the identity of the user of the device, and in response to establishing the identity of the user, to perform an action based on the decoded information.
According a fourth aspect, this specification describes a system comprising a device configured to obtain an encoded information item, and to transmit a first message to first server apparatus, the first message including the encoded information item and a first identifier identifying the device or a user of the device) and first server apparatus configured to receive the first message from the device, to decode the encoded information from the encoded information item, to use the first identifier to establish the identity of the user of the device, and in response to establishing the identity of the user, to perform an action based on the decoded information.
The device and the first server apparatus may be configured as described above by way of one or more processors operating under control of computer-readable code, option stored on one or more memory. The one or more memory may comprise one or more non-transitory memory media.
According to a fifth aspect, this specification describes computer-readable code, optionally stored on a non-transitory memory medium, which when executed by computing apparatus, causes the computing apparatus to perform the methods of either of the first and second aspects to be performed.
Brief Description of the Figures
For a more complete understanding of example embodiments of the present invention, reference is now made to the following description taken in connection with the accompanying drawings in which: Figure lisa schematic illustration of a system in which embodiments of the invention can be implemented; Figure 2 is a schematic illustration of a method according to embodiments of the invention; and FigureS is a schematic diagram illustration of a system and methods according to alternative embodiments of the invention.
Detailed Description of Embodiments of the Invention In the drawings and the following description, like reference numerals refer to like elements.
Figure lisa schematic illustration of a system in which embodiments of the invention can be implemented.
The system 1 comprises computing apparatus 10, a mobile device 12, a first server apparatus 14 and a second server apparatus 16. The first and second server apparatuses 14, 16 may be located in "the cloud" The mobile device 12 is operable to communicate wirelessly with the first server apparatus 14.
Wireless communication with the first server apparatus is carried out via a transceiver 124. The communication with the first server apparatus may be via a telephone network or a data network.
The mobile device 12 comprises a controller 120 and one or more memory 122. The controller 120 comprises at least one processor 120A. The controller 120 may also comprise at least one application specific integrated circuit (ASIC) not shown. The at least one memory 122 may comprise any suitable type of fixed or removable memory medium, such as but not limited to ROM, RAM or BEPROM. The at least one memory 120 has stored thereon computer-readable instructions 122A. The controller is operable to read the computer-readable instructions 122A and operate under the control of the computer-readable instructions 122A. The controller 20 is operable to control the other components of the mobile device 12.
The mobile device 12 comprises obtaining means 124 for obtaining encoded information items which are external to the device 12. The obtaining means 124 may comprise a camera or a scanner for obtaining graphical information or any other type of means suitable for obtaining encoded information items.
The mobile device 12 also comprises a user interface 126 for receiving user inputs. The mobile device may also comprise a display 128. In this example, the user interface 126 and display 128 form a touchscreen. It will be appreciated however, that the user interface 126 may be of any type. For example, it may comprise one or more or a hardware key or keys, a trackball, a touchpad, a scroll wheel etc. The first server apparatus 14 is operable to communicate with the mobile device 12. The first server apparatus 14 is operable also to communicate with the second server apparatus 16. The first server apparatus 14 comprises a controller 140 and one or more memory 142. The controller 140 comprises at least one processor 140A. The controller 140 may also comprise at least one application specific integrated circuit (ASIC) not shown. The at least one memory 142 may comprise any suitable type of fixed or removable memory medium, such as but not limited to ROM, RAM or EEPROM. The at least one memory 140 has stored thereon computer-readable instructions 142A.
The controller 140 is operable to read the computer-readable instructions 142A and to operate under their control.
The first server apparatus 14 comprises also one or more transceivers 146 for communicating with the mobile device 12 and the second server apparatus 16. The communication between the first and second server apparatuses 14, 16 may be carried out in any suitable manner.
The first server apparatus 14 may be located at a single location and may comprise one or more separate devices or machines. Alternatively, the first server apparatus 14 may be distributed over a plurality of locations.
The second server apparatus 16 is operable to communicate with the computing apparatus 10 and the first server apparatus 14 in any suitable manner. The second server apparatus 16 comprises one or more transceivers 164 for communicating with the computing apparatus 10 and the first server apparatus 14. The second server apparatus 16 comprises a controller 160 and one or more memory 162. The controller 160 comprises at least one processor 160A. The controller 160 may also comprise at least one application specific integrated circuit (ASIC) not shown. The at least one memory 162 may comprise any suitable type of fixed or removable memory medium, such as but not limited to RaM, RAM or BEPROM. The at least one memory 160 has stored thereon computer-readable instructions 1 62A. The controller 160 is operable to read the computer-readable instructions 162A and to operate under their control. The controller 160 is operable also under the control of the computer-readable code to control the other components of the second server apparatus 16.
The second server apparatus 16 may be located at a single location and may comprise one or more separate devices or machines. Alternatively, the second server apparatus 16 may be distributed over a plurality of locations.
The computing apparatus 10 is operable to receive signals from the second server apparatus 16 via a transceiver 106, to interpret the information contained therein and to display it on a display 104 for consumption by a user. The computing apparatus 10 may also comprise a user interface 108, such as but not limited to a -10 -mouse, a touch pad, or a keyboard via which a user input can be received.
The computing apparatus 10 comprises a controller 100 and one or more memory 102. The controller 100 comprises at least one processor bOA. The controller 100 may also comprise at least one application specific integrated circuit (ASIC) not shown. The at least one memory 102 may comprise any suitable type of fixed or removable memory medium, such as but not limited to ROM, RAM or EEPROM. The at least one memory 100 has stored thereon computer-readable instructions 102A. The controller 100 is operable to read the computer-readable instructions 102A and to operate under their control. The controller 100 is operable under the control of the computer-readable code to control the other components, such as the display 104 and the transceiver 106.
Figure 2 is a schematic illustration of a method according to a first embodiment of the invention.
In step 52-1, the second server apparatus 16, which is in this example a web server, provides the computing apparatus 10 with information. In this example, the information is web page information.
The provision of the web page information may be in response to a request received from the computing apparatus 10 following receipt at the computing apparatus 10 of a user input.
In step 52-2, the computing apparatus receives and displays the web page information. In this example, the webpage information comprises a "Login" page 110. The "Login" page 110 contains fields into which a user is able to provide details, in this example a username and password. The second server apparatus 16 is operable to verify these details and subsequently to allow the user to access services and content provided within the web page.
The web page comprises an encoded information item 112 which contains encoded Jo information.
In this example, the encoded information item 112 is a graphical object (GO) (which is depicted in the Figures as a "quick response" (OR) code). It will be appreciated that various other types of graphical object may instead he used. Examples of such are barcodes, fractal patterns and moving images.
The GO 112 comprises a GO address information item. The GO address information item comprises an address of the computer apparatus lOon or bywhich the GO 112 is displayed. The GO address information item may comprise a code, for example a numeric code or an alpha-numeric code, which identifies a route or a number of routes to the device. Examples of such codes are an IP address, a telephone number, a domain name and a Blackberry® PIN.
According to other embodiments, the GO address information item may not comprise address information per Se, but may instead comprise information which allows the address of the apparatus on which the GO 112 is displayed to be determined. This may include for example a code or number, such as but not limited to a hardware serial number, which can he used to determine the route to the computing apparatus (e.g. the IP address) from a look-up table.
In this example, the GO 112 also comprises a second server identification (SSID) information item for allowing the second server apparatus 1 6 to be identified. The SSID information item may comprise an address of the second server apparatus 16. Alternatively, the SSID information item may
S
comprise information allowing the application of the mobile device 12 or the first server apparatus 14 to be determined, for example from a look up table.
The GO 112 may also comprise a first server identification (FSID) information item for allowing the mobile device 12 to identify the first server apparatus 14 with which the GO 112 is associated. The FSID information item may comprise an address of the first server apparatus 14 or may instead comprise a data item such as a code which allows an application (which is described in more detail below) stored on the mobile device 12 to retrieve the address of the first server apparatus 14 from memory 122.
The GO 112 may also comprise a verification information item or items for allowing verification of the graphical object to ensure it is not a fraud.
The information required to display the GO 112 may be generated by the second server apparatus 16. Alternatively) part of the information of the GO 112, such as the 5510 and the ESID information items, may be generated by the second server apparatus 16 or the first server apparatus 14, and other information, such as the GO address information item, may be generated by the computing apparatus 10. The verification information item or items may be generated by the second server apparatus 16, in which case a copy the verification item or items is passed to, and stored in the memory 142 of, the first server apparatus 14. Alternatively, the verification item or items may be generated by the first server apparatus 14 and passed to the computing apparatus 10 via the second server apparatus 16.
According to some embodiments, the GO 112 may he displayed by computer program code embedded within the web page. Alternatively, the GO 112 may he displayed by computer program code stored on the computing apparatus 10, for example, during a registration process. The computer program code that is stored on the computer apparatus 10, and which generates the GO 112, may, when executed by the controller 100, be in direct communication with the second server apparatus 16. The computer program code may be configured such that the GO 112 is only displayed if direct communication with the second server apparatus 16 can be established. If direct communication is not possible, the GO 112 is not displayed and so cannot be used to access the service. The computer program may determine if it is in direct communication in any suitable way.
For example, the IF' address of the second server apparatus may be encoded into the computer program and this may be used to determine if communication is with the second server apparatus 16. If a proxy server is between the second server apparatus 16 and the computer apparatus 10, the computer program will recognise that the IF' address of the server with which it is communicating (i.e. that of the proxy server) is not the IF' address which it expects. The computer program thus determines that it is not in communication with the second server apparatus 16 and does not display the GO so 112. Alternatively, the computer program may send request to the second server apparatus for a token, which should be stored in memory of the second server apparatus 16. A proxy server will not have the token in memory and so will not be able to return it to the computer apparatus 10. In this way, the computer apparatus -13 -can determine that it is not in direct communication with the second server apparatus 16. Similarly, the computer program may send a request for evidence of a process that is expected to be running on the second server apparatus 1 6.
If the process is not running on the computer at which the request arrives, the computer program determines that it is not in communication with the second server apparatus 16. It will be appreciated that any suitable mechanism, including for example PKI, SSL or DNS pooling, may be used to make this determination.
Instep S2-3, the GO 112 is obtained by the mobile device 12. This may involve the user of the device 12 taking a photograph of the GO 112 with a camera of the device 12. Alternatively, any other type of scanner may be used to obtain the GO 112.
In step S2-4, an application decodes the encoded information from the obtained GO 112. The application is a dedicated portion of the computer-readable code 122A stored in the memory 122 of the device, which is able to decode the GO 112 and perform subsequent operations.
The application may have been stored on the mobile device 12 prior to, during or following a registration process between the mobile device 12 and the first server apparatus 14. Either way, the user of the device 12 must register with the first server apparatus 14 to allow the user to utilise the service provided by the first server apparatus 14.
During the registration process, the first server apparatus 14 may store in its memory 142 a user identification (DID) information item relating to the user. This may comprise, for example, a username or user number. Alternatively, the first server apparatus 14 may store device identification (DID) information item relating to the mobile device 12. This DID information item may comprise, for example, a telephone number of the device, an IP address of the device or a device ID code such as a serial number. The DID or the hID information item is stored in association with user registration information, such as a name, address etc. Thus, the DID and the hID information items are usable to allow identification of the user by the first server apparatus 14. A copy of the DID or UID information item is stored in the memory 122 of the mobile device 12.
In step S2-5, subsequent to decoding the obtained GO 112, the application prepares and transmits a first message (in this example, a login request) 314 to the first server apparatus 14.
The first message 214 is sent to the first server apparatus 14 using an address of the first server apparatus 14. The application may be configured to intemperate with just one first server apparatus 14 and thus whenever a GO 112 is obtained, the first message 214 is sent to the same first server apparatus 14 using an address stored in the memory 122. Alternatively, in embodiments in which the GO 112 includes an FSID information item, this may be used to send the first message 214 (either directly, when the FSID information item comprises an address of the first server information item, or indirectly by using the PSID information item to retrieve the address from memory 122). In other alternative embodiments, the first message 214 may be sent to an address selected by the user from a plurality of addresses stored on the device 12.
The first message 214 comprises a first information portion comprising the DID information or the UID information. The first message 214 also comprises a second information portion comprising the GO address information item. The first message 214 may also comprise the SSID information item.
In embodiments in which a verification information item is present in the GO 112, the application may, prior to preparing and sending the first message 214, check the verification information item against a reference information item received from the first server apparatus 14 to determine whether the GO 112 is genuine. If the GO 112 is determined not to be genuine, the application alerts the user of the device 12. If the GO 112 is determined to be genuine, the application prepares and transmits the first message 214 to the server apparatus 14. The reference information against which the verification object is checked may be updated periodically, following receipt of update messages from the first server apparatus 14. According to -15 -alternative embodiments, the application may not check the verification information item, but may instead include it in the first message 214.
Prior to preparing and sending the first message, the application may request security information to be entered by the user via the user interface 124 of the device 12 thereby to allow the identity of the user to be verified. The security information may comprise a pin or password, a disguised pin or password, a one-time code which has been sent to the user, a pattern drawn on the device, biometric information (such as face or fingerprint recognition), or any other suitable to mechanism by which the identity of the user of the device can he verified.
Next, in step 52-6, the first server apparatus 14 receives the first message 214 (login request) and uses the UID or DID information to establish the identity of the user of the device 12. Establishing the identity of the user comprises using the UID or DID information item to determine whether the user is registered with the first server apparatus 14. Thus, the first server apparatus 14 may check the UID or DID information against information stored in a database of registered users to establish the identity of the user. Subsequent to establishing the identity of the user, the first server apparatus proceeds to step 52-7.
In embodiments in which the first message 214 includes the verification information item, the first server apparatus 14 may, prior to either of steps 52-6 and 52-7, check the verification information item against a reference information item stored in memory 142. If there is identity between the reference information item and the verification item, the first server apparatus 14 proceeds to step 52-6 or 52-7 as appropriate. If there is not identity, the first server may send a message to the mobile device 12 to alert the user that the GO 112 is not genuine and may subsequently abort the method.
In step 52-7, the first server apparatus 14 prepares and sends a second message 216 to the second server apparatus 16. In this example, the second message 216 comprises authorisation information informing the second server apparatus 16 of the identity of the user and that the user is authorised to access the service provided -16 -by the second server apparatus 16. The second message 216 also comprises the GO address information item.
The second message 216 is sent on the basis of the SSID information item, either directly when the SSID information item is an address of the second server apparatus 16, or indirectly when the SSID information item enables the first server apparatus to retrieve the address of the second server apparatus 14 from memory 142.
In step 52-8, upon receipt of the second message 216 the second server apparatus 16 performs an action. In this example, the second server apparatus 16 is a web server and thus in response to receiving the authorisation information, the second server apparatus 1 6 logs the user into their account and subsequently uses the GO address information item to send a signal indicative of such to the computing apparatus 10.
In step 52-9, the computing apparatus 10 displays the received information which indicates that the user is now logged into the website.
According to some embodiments, step 52-6, in which the first server apparatus l4establishes the identity of the user may include additional steps for verifying the identity of the user. In embodiments in which the mobile device 12 is a mobile telephone, these steps may include the first server apparatus 14 responding to receipt of the first message 214 by initiating a voice call with the mobile device 12. During the voice call, the user is asked to provide information with which their identity can be verified. The information may comprise, for example, a pin number sent via DTMF, or a spoken password or any other information which allows the identity of the user to be established and verified. The information from the user may be compared with information stored in the memory 142 of the first server apparatus 14 and which is associated with the user. The voice call may be conducted using IVR, a human agent, or a combination of the two. In embodiments in which the mobile device 12 does not have telephony capabilities, the steps may be conducted using messages, such as instant messages, sent using internet protocol.
FigureS depicts an alternate system in which the invention can be implemented and illustrates a method according to the invention.
The example of Figure 3 is similar to that of Figures land 2, but differs in that it does not include the second server apparatus 16. Thus, the system comprises the computing apparatus 10, the mobile device 12 and the first server apparatus 14.
In the system 3 of Figure 3, the first server apparatus 14 is a web server and thus is operable to provide web page information to the computing apparatus 10 to display for consumption by the user.
A method according to the invention will now be described with reference to Figure 3.
In step S3-1, the first server apparatus 14 provides the computing apparatus 10 with web page information. The provision of the web page information may be in response to a request received from the computing apparatus 10 following receipt at the computing apparatus 10 of a user input.
In step S3-2, the computing apparatus 10 receives and displays the web page information. In this example, the web page information comprises a "Login" page 110. The "Login" page 110 is as described with reference to Figure 2 and comprises the encoded information item 312, which is in this example is a graphical object (GO), in particular a "quick response" (OR) code.
The GO 312 comprises a GO address information item. The GO address information item comprises an address of the computer apparatus lOon or bywhich the GO 312 is displayed. The GO address information item may comprise a code, for example a numeric code or an alpha-numeric code, which identifies a -18 -route or a number of routes to the computer apparatus 10. Examples of such codes are an IP address, a telephone number, a domain name and a Blackberry® PIN.
According to other embodiments, the GO address information item may not comprise address information perse, but may instead comprise information which allows the address of the apparatus on or by which the GO 312 is displayed to be determined. This may include for example a code or number, such as but not limited to a hardware serial number, which can be used to determine the route to the computing apparatus (e.g. the IP address) from a look-up table.
The GO 312 may also comprise a first server identification (ESID) information item allowing the mobile device to identify the first server apparatus 14 with which the GO 312 is associated. The ESID information item may comprise an address of the first server apparatus 14 or may instead comprise a data item which allows the application stored on the mobile device 12 to retrieve the address of the first server apparatus 14 from memory 122.
The GO 312 may also comprise a verification information item for allowing verification of the graphical object to ensure it is not a fraud.
The information required to display the GO 312 may he generated entirely by the first server apparatus 14. Alternatively, part of the information of the GO 312, such as the SSID and the ESID information items) may be generated by the first server apparatus 14, and other information, such as the GO address information item, may be generated by the computing apparatus 10. The verification information item or items are generated by the first server apparatus 14 and a copy of the verification item or items is retained in the memory 142 of the first server apparatus 14.
According to some embodiments, the GO 312 may be displayed by computer program code embedded within the web page. Alternatively, the GO 312 may be displayed by computer program code stored on the computing apparatus 10, for example, during a registration process. The computer program code that is stored on the computer apparatus 10, and which generates the GO 312, may, when executed by the controller 20, be in direct communication with the first server apparatus 14. The computer program code may be configured such that the GO 312 is only displayed if the direct communication with the first server apparatus 14 can be established. This may be determined in any suitable way, for example as described with reference to Figure 2 in respect of the second server apparatus 16.
In step 53-3, the GO 312 is obtained by the mobile device 12. This may involve the user of the device 12 taking a photograph of the GO 312 with a camera of the device 12. Alternatively, any other type of scanner may be used to obtain the GO 312.
In step 53-4, an application decodes the encoded information from the obtained GO 312. The application is a dedicated portion of the computer-readable code 122A stored in the memory 122, which is able to decode the GO 312 and perform subsequent operations.
The application may have been stored on the mobile device 12 prior to, during or following a registration process between the mobile device 12 and the first server apparatus 14. Either way, the user of the device 12 must register with the first server apparatus 14 to allow the user to utilise the service provided by the first server apparatus 14. Registration with the first server apparatus is as described with reference to Figure 2.
In step 53-5, subsequent to decoding the obtained GO 312, the application prepares and transmits a first message 314 to the first server apparatus 14.
The first message 314 is sent to the first server apparatus 14 using an address of the first server apparatus 14. The application may be configured to intemperate with just one first server apparatus 14 and thus whenever a GO 312 is obtained, the first message 314 is sent to the same first server apparatus 14 using an address stored in the memory 122. Alternatively, in embodiments in which the GO 312 includes an ESID information item, this may be used to send the first message 314 (either -20 -directly, when the FSID information item comprises an address of the first server information item, or indirectly by using the FSID information item to retrieve the address from memory 122). In other alternative embodiments, the first message may be sent to an address selected by the user from a plurality of addresses stored on the device 12.
The first message 314 comprises a first information portion comprising the DID information item or the UID information item. The first message 314 also comprises a second information portion comprising the GO address information item.
The first message may also comprise a verification information item. Alternatively, the application may) prior to preparing and sending the first message 314, check the verification information item against a reference information item received from the first server apparatus 14 to determine whether the GO 312 is genuine. If the GO 112 is determined not to be genuine, the application alerts the user of the device 12. If the GO 312 is determined to be genuine, the application prepares and transmits the first message 314 to the server apparatus 14.
Prior to preparing and sending the first message 314, the application may request security information to be provided by the user via the user interface 124 of the device 12, thereby to allow the identity of the user to be verified. The security information may comprise a pin or password, a disguised pin or password, a one-time code which has been sent to the user, a pattern drawn on the device, biometric information (such as face or fingerprint recognition), or any other suitable mechanism by which the identity of the user of the device can be verified.
Next, in step 53-6, the first server apparatus 14 receives the first message 314 and uses the UID or DID information item to establish the identity of the user of the device 12. Establishing the identity of the user comprises using UID or DID information item to determine whether the user is registered with the first server apparatus 14. Thus, the first server apparatus 14 may check the UID or DID information against information stored in a database of registered users to establish -21 -the identity of the user. Subsequent to establishing the identity of the user, the first server apparatus proceeds to step 53-7.
In embodiments in which the first message 314 includes the verification information item, the first server apparatus 14 may, prior to either of steps 53-6 and 53-7, check the verification information item against a reference information item stored in memory 142. If there is identity between the reference information item and the verification item, the first server apparatus proceeds to step S3- 6 or S3-7 as appropriate. If there is not identity, the first server may send a message to the mobile device 12 to alert the user that the GO 312 is not genuine and may abort the method.
In step 53-7, the first server apparatus 14, subsequent to establishing the identity of the user, performs an action. In this example, as the first server apparatus 14 is a web server, the first server apparatus 14 logs the user into their account. The first server apparatus 14 uses the GO address information item to send a signal indicative of such to the computing apparatus. In this example, the GO address information comprises the IP address of the computing apparatus 10 and so the first server apparatus 16 transmits information indicative of the user having been logged into their account to the computing apparatus 10.
In step S3-9, the computing apparatus 10 displays the received information which indicates that the user is now logged into the web page.
According to some embodiments, step 53-6 in which the first server apparatus 14 establishes the identity of the user may include additional steps to verify the identity of the user. These steps may be those as described above with reference to step 52- of Figure 2.
In the embodiments of Figures 2 and 3, the GO 112, 312 is displayed in conjunction with the fields into which a username and password can be entered. However, it will be appreciated that the GO 112, 312 alternatively may be displayed instead of the username and password fields. Also, although in the embodiments described -22 -with reference to Figures 2 and 3, the GO 112, 312 is used instead of a username and password to log the user into the web page, it will be understood the GO 112, 312 could be used in conjunction with a conventional login procedure using the username and password fields. This adds an extra layer of security both for the web server and the user.
It will be understood that the invention may be implemented within systems other that than those described above. Such implementations are described in brief below. Although these are described briefly, it will be understood that the operations may be substantially the same as those described above and may include the some or all of the same steps and features.
According to one alternative embodiment, the invention can be implemented in a building security system. In such an embodiment, the computing apparatus 10 may comprise an electronic door lock.
The encoded information item 112, 312, such as a GO as described above, may be displayed on a sign geographically proximate to the electronic door lock. Alternatively, the GO 112, 312 may be provided on an electronic display geographically proximate to the electronic door lock. In such embodiments, the encoded information item may be periodically updated following receipt of signals from the first server apparatus 14 (or from the second server apparatus 1 if the system is as shown in Figure 2). The GO 112, 312 includes a GO address information allowing the electronic door look to be identified. The encoded information item 112, 312 may also include an FSID information item as described above. Upon approaching the door, a user uses their mobile device 12 to obtain and decode the encoded information item 112, 312. Subsequently, optionally following the successful provision of security information by the user to the mobile device, a first message 214, 314 (including the GO address information object and the UID or DID information item) is sent to the first server apparatus 14. In this example, the first message 214, 314 comprises an "entry request".
In response to Jo receiving the entry request 214, 314, the first server apparatus 14 establishes the identity of the user using the UID or DID information item. Next, if the system does not comprise the second server apparatus, the first server apparatus 14 transmits a signal to the electronic door lock (using the GO address information -23 -item) authorising the electronic door look to open and thereby to allow the user to pass through the door. Alternatively, if the system does comprise the second server apparatus 16, the first server apparatus 14 transmits the second message 216 (including authorisation information indicating that the user is authorised to enter the door) to the second server apparatus 16 which responds by transmitting a signal to the electronic door lock (using the GO address information item), authorising the electronic door lock to open.
According to another alternative embodiment, the invention may be implemented so as to enable a shopper to pay for their goods at a checkout device. In this embodiment, the computing apparatus is a checkout device. Once the goods to be purchased have been scanned through the checkout device, the checkout device produces and displays an encoded information item 112, 312, in this example a GO. The GO 112, 312 comprises a GO address information item (as described above) which allows the checkout device to be identified, and a total price that is to be paid. The GO may also comprise an information item identifying (or allowing identification by the application of) a banking establishment to which the monies are to be paid. Optionally, following provision by the user of security information to the mobile device 12, the application of the mobile device 12 transmits the first message 214, 314 (a payment request) to the first server apparatus 14. The payment request 214, 312 includes the GO address information item, the hID or DID information item (as described previously), the price information and the information item identifying the payee banking establishment. The identity of the user is established by the first server apparatus 14 using the UID or DID information item. In response to establishing the identity of the user, the first server apparatus 14, which, for example, may be associated with a banking establishment, authorises payment from the user's account to the payee banking establishment of an amount identified by the price information. Next, if the system does not comprise the second server apparatus, the first server apparatus 14 transmits (using the GO address information item) a signal to the checkout device indicating that the balance has been paid. Alternatively, if the system does comprise the second server apparatus 16, the first server apparatus 14 transmits the second message 216 (indicating that the user is authorised to make this payment) to the second server apparatus 16 (which may be associated with payee banking establishment) which responds by transmitting the signal to the checkout device (using the GO address information item) indicating that the balance has been paid.
According to another alternative embodiment, the invention may be implemented within an ATM system. In this embodiment, the computing apparatus lOis an ATM. The user requests withdrawal of an amount of money from the ATM. In response to this the ATM produces and displays an encoded information item 112, 312, in this example a GO. The GO 112, 312 comprises a GO address information item to allow the ATM to he identified and information indicating the withdrawal amount. The GO 112 may also comprise a SSID information item. Following provision of security information, such as a pin etc., to the mobile device 12 by the user, the application of the mobile device 12 transmits the first message 214 (a withdrawal request) to the first server apparatus 14.
The withdrawal request 214 includes the GO address information item, the UID or DID information item identifying the device or the user, the withdrawal amount information and if applicable the SSID information item. The identity of the user is established by the first server apparatus 14 using the UID or DID information item, and in response to establishing the identity of the user, the first server apparatus 14, which in this example is associated with the a banking establishment, authorises the withdrawal and debits the user's account by the amount indicated by the withdrawal amount information. Next, if the system does not comprise the second server apparatus 1 6, the first server apparatus 14 transmits (using the GO address information item) a signal to the ATM authorising the ATM to dispense the requested amount.
Alternatively, if the system does comprise the second server apparatus 16, the first server apparatus 14 transmits (using the SSID information item) the second message 216 to the second server apparatus 16 (which may be associated with a banking establishment that owns the ATM, if this is not the same as the user's banking establishment) which responds transmits the signal (using the GO address Jo information item) to the ATM authorising the ATM to dispense the requested amount. -
-
According to another alternative embodiment, the invention can be implemented in a self-service shopping environment. In such an embodiment, an encoded information item 112, in this example a GO, may be provided on a smart tag of a product for sale. The user obtains the GO 112 using their mobile device 14. In this embodiment) the GO 112, 312 contains the GO address information item for allowing the smart tag to be identified (as described above) and a price of the product. The GO 112, 312 may also comprise an information item identifying (or allowing identification by the application of) a banking establishment to which the monies are to be paid. Optionally following provision by the user of security to information to the mobile device 12, the application of the mobile device transmits the first message 214 (a purchase request) which includes the GO address information item, the UID or DID information item and the price information to the first server apparatus. The identity of the user is then established by the first server apparatus 14 using the UID or DID and in response to establishing the identity of the user, the first server apparatus 14 authorises payment for an amount identified by the price information. Next, the first server apparatus 14 transmits the second message 216 to the second server apparatus 16, which may be an in-store security system. The second message 216 comprises the GO address information item and authorisation information indicating that the product has been paid for.
In response to receiving the second message 216, the second server apparatus uses the GO address information item to transmit a signal to the smart tag thereby to disable it, such that an alarm is not activated when the user attempts to leave the shop).
Although in the above embodiments the encoded information item 112, 312 has been described as a graphical object, it will be understood that this may instead be a different type of encoded information item. These may include, for example, an encoded audible information item, which may be emitted by the computing apparatus 10 and recorded and decoded by the mobile device 12.
Other types of encoded information item include encoded radio frequency (RE) information items.
In some embodiments, the encoded information item 112, 312 may comprise a sequence of numbers, letters or symbols. In such embodiments, the device 12 may -26 -obtain the encoded information item as a result of the user manually typing the sequence into the device using the user interface 126. In other alternative embodiments, the encoded information item may be obtained via a wired connection between the device 12 and the computing apparatus 10.
In some embodiments, the encoded information item 112, 312 may be changed periodically, for example, by updating the verification item. In such embodiments, when the verification item is not created by the same entity that is responsible for checking it, the verification item is transmitted to the checking entity each time it is updated.
In the embodiments described above, the encoded information object 312, 112 is decoded by the device prior to sending the first message 214 to the first server apparatus 14. However, in alternative embodiments the encoded information item 112, 312 may be transmitted in the first message 214 for decoding by the first server apparatus 14. In such embodiments, the device 12 has pre-stored the address of the first server apparatus. The application may be configured to send the first message 214 to that address when each time encoded information item 112, 312 is obtained.
Alternatively, the user may select the address to which the first message 214 is to be sent from a plurality of addresses stored in the device 12. In these embodiments in which the first message includes the encoded information item, it will be appreciated that, where the encoded information item includes a verification item, this will be verified by the first server apparatus 14 and not by the device 12.
In Figures 2 and 3, the mobile device 12 is depicted as a mobile telephone. However, it will be appreciated that it may be any other type of device comprising obtaining means 124 for obtaining an encoded information item in one or more of the aforementioned manners. The obtaining means 124 may comprise, for example, a physical interface for receiving from the computing apparatus loan encoded information item in the form of a computer-readable electrical signal, an RF transceiver for receiving an RE encoded information item as an RF signal, or an audio receiver for obtaining audible encoded data items. -27 -The mobile device 12 is depicted in Figure las a single unit. However, it will be appreciated that it may instead comprise plural separate units, for example a webcam and a laptop computer.
The invention provides a new and inventive way of providing secure access to services. The provision of the encoded information item reduces the possibility of a so-called "man-in-the-middle attack".
The invention is particularly effective in this respect in embodiments in which the computer program code for generating the encoded information item is stored on the computer apparatus 10 and is configured such that the encoded information item is only provided (i.e. displayed, emitted, output etc.) when direct communication with an application running on the web server 14; 16 is established. This is because, if a proxy server is placed between the computer apparatus 10 and the web server 14; 16 for intercepting communications between the two, direct communication between the computer program code running on the computer apparatus 10 and the application running on the web server cannot be established and so the encoded information item will not be provided. Thus, the user is unable access the service and so cannot divulge sensitive information to the fraudster operating the proxy server.
The use of a verification item by which the first server apparatus can verify the encoded data item, which may he changed periodically, reduces the chance of fraudsters being able to clone the encoded information item and thereby to clone service in order to elicit information illegally from a user. Moreover, the use of a mechanism according to the invention reduces the amount of personal information (such as usernames and passwords) that is required to be entered to the computing apparatus 10, the security of which may be compromised through the presence of viruses and the like.
The invention also allows for an expedited the log-in process as the user may not so need to spend time entering password and username information. Similarly, the invention may remove the need for users to remember many passwords to many different services etc. In some embodiments of the invention, in which the encoded information item need to be obtained and a password needs to be entered, an additional layer of security is introduced and so the system is safer for the users.
The invention also allows for tiered strengths of authentication to be applied based on risk, transaction value and/or user profile. For example for some websites simply being in possession of the mobile device 12 and obtaining the encoded data item may be sufficient to allow the user to access the services provided by the website. For other implementations such as payment and banking implementations, a more comprehensive collection of authenticating factors (for example, possession of the device and knowledge of a password) may be employed. If the device 12 is lost or stolen, the network provider (if the device is a mobile telephone) may disable the device, thereby preventing the thief or finder of the device being able to use the device and the application stored thereon to access the user's websites and services to which they are subscribed etc. Alternatively, the user may contact the owner or maintainer of the first service apparatus to instruct them to ensure that any requests from the lost or stolen device be denied. A new device subsequently can be associated with the user's registration at the first server apparatus 14.
In some embodiments of the invention, it may only be permitted for the user to register their device with the first server 14 if they have a monthly contract with a mobile telephone network provider.
Such contracts (as opposed to so-called "pay-as-you-go" tariffs) involve a stringent identification process, including the user providing proof of address and bank details etc. Therefore, for services for which security is important, such as banking and the like, it may only be possible to register to log in by way of the encoded information item if the user has a pay monthly contract and so their identity is known with more certainty.
Security advantages are achieved by using a separate device (i.e. the mobile device 12 and not the computer apparatus 10 with which the service is being accessed) to communicate with the server apparatus 14 which is configured to establish the identity of the user (see steps S2-6 and 53-6 of Figures 2 and 3 respectively). By taking the authentication process "out-of-band" in this way, the complexity of the system is increased. It is significantly more difficult and costly for a fraudster to detect, intercept or compromise the multiple communication channels (bands) and/or server apparatuses involved. Thus, the system is more secure.

Claims (35)

  1. CLAIMS1. A method involving a first server, a second server, a portable device and a computing apparatus, the method comprising: S generating a verification information item for inclusion in an encoded information item in the form of a computer-readable electromagnetic encoded information item, wherein a reference verification information item is stored on a first server apparatus and the computer-readable electromagnetic encoded information item comprising the verification information item is available in order to be obtained and decoded by a portable device;the portable device:obtaining the electromagnetic encoded information item; decoding the encoded information from the encoded information item; and transmitting a first message to the first server apparatus, the first message including the decoded information and a first identifier identifying the device or a user of the device, wherein the decoded information includes information to determine an apparatus identification information item for allowing identification of the computing apparatus; and the first server apparatus: receiving the first message from the device; establishing the identity of the user of the device, wherein establishing the identity of the user comprises using the first identifier to determine if the user is registered with the first server apparatus; in response to establishing the identity of the user, authorising the user to access a service; and sending a second message to the second server apparatus, the second message including the apparatus identification information item and indicating that the user is authorised to access the service provided by the second server apparatus, the second server apparatus responding to receipt of the second message by providing the service to the user via the computing apparatus using the apparatus identification information item.
  2. 2. A method involving a first server, a second server, a portable device and a computing apparatus, the method comprising: generating a verification information item for inclusion in an encoded information item in the form of a computer-readable electromagnetic encoded information item, wherein a reference verification information item is stored on a first server apparatus and the computer-readable electromagnetic encoded information item comprising the verification information item is available in order to be obtained by a portable device;the portable device:obtaining the electromagnetic encoded information; and transmitting a first message to the first server apparatus, the first message including the encoded information item and a first identifier identifying the device or a user of the device; and the first server apparatus: S receiving the first message from the device; decoding the encoded information from the encoded information item, wherein the decoded information includes information to determine an apparatus identification information item for allowing identification of the computing apparatus; establishing the identity of the user of the device, wherein establishing the identity of the user comprises using the first identifier to determine if the user is registered with the first server apparatus; in response to establishing the identity of the user, authorising the user to access a service; and sending a second message to the second server apparatus, the second message including the apparatus identification information item and indicating that the user is authorised to access the service provided by the second server apparatus, the second server apparatus responding to receipt of the second message by providing the service to the user via the computing apparatus using the apparatus identification information item.
  3. 3. The method of claim 1 or claim 2, the method further comprising the first server apparatus: comparing the verification information item included in the first message with a reference verification item; if there is identity between the verification information item and the reference verification item, sending the second message to the second server apparatus; and if there is not identity between the verification information item and the reference verification item aborting the method prior to, sending the second message to the second server apparatus.
  4. 4. The method of any preceding claims, wherein the encoded information comprises information to determine a second identifier, the second identifier identifying the second server apparatus.
  5. 5. The method of any preceding claims, wherein the encoded information comprises a third identifier, the third identifier identifying the first server apparatus, and wherein the first message is transmitted to the first server apparatus based on the third identifier.
  6. 6. A method of any preceding claim comprising: the portable device, including the apparatus identification information item for allowing identification of the computing apparatus within the first message; and the first server, including the apparatus identification information item contained within the first message within the second message.
  7. 7. A method of any preceding claim dependent on claim 6 wherein the portable device and computer apparatus are physically the same device.
  8. 8. The method of any preceding claim, comprising:the portable device:prior to transmitting the first message, receiving a user input; comparing the received user input to a stored reference input; and transmitting the first message, when it is determined that there is identity between the received user input and the stored reference user input.
  9. 9. The method of any preceding claim, wherein establishing the identity of the user of the device comprises: initiating a communication channel with the device based on the first identifier; receiving a user-provided information from the device via the communication channel; comparing the received user-provided information with stored reference user-provided information; and verifying, and thereby establishing, the identity of the user when it is determined that there is identity between the received user-provided information and the reference user-provided information.
  10. 10. The method of any preceding claim, wherein the electromagnetic encoded information item is displayed as a sequence of numbers, letters or symbols and comprises: the portable computer device: prior to transmitting the first message, obtaining the encoded information item as a result of the user manually typing in the sequence into the portable device using the user interface.
  11. 11. The method of any preceding claim, wherein the electromagnetic encoded information item is displayed on a sign or electronic display or emitted by a device proximate to the computing apparatus.
  12. 12. The method of any preceding claim, wherein the first message represents a payment request, the method comprising; the first server in response to receiving notification from the second server using information contained within the either of the first or second messages to authorise payment from the user's account to the payee.
  13. 13. The method of any preceding claims wherein the first message represents a payment request, the method comprising; the second server using information contained within the second message to authorise payment from the user's account to the payee.S
  14. 14. A method of any of the claims 1 to 13 wherein the encoded information item may be provided by a smart tag of a product for sale to enable the user to purchase the product.
  15. 15. A method of any of the claims 1 to 13 wherein the computer apparatus may comprise an electronic door lock to enable a person to access a room or building or secured storage.
  16. 16. A method of any of the claims 1 to 13 wherein the computer apparatus may comprise a checkout device such as a point of sale system to enable a shopper to pay for goods.
  17. 17. A method any of the claims 1 to 13 wherein the computer apparatus may comprise an ATM system to enable a user to access services and withdraw money.
  18. 18. A system involving a first server, a second server, a portable device and a computing apparatus, the system comprising: generating a verification information item for inclusion in an encoded information item in the form of a computer-readable electromagnetic encoded information item, wherein a reference verification information item is stored on a first server apparatus and the computer-readable electromagnetic encoded information item comprising the verification information item is available in order to be obtained and decoded by a portable device;the portable device:obtaining the electromagnetic encoded information item; decoding the encoded information from the encoded information item; and transmitting a first message to the first server apparatus, the first message including the decoded information and a first identifier identifying the device or a user of the device, wherein the decoded information includes information to determine an apparatus identification information item for allowing identification of the computing apparatus; and the first server apparatus: receiving the first message from the device; establishing the identity of the user of the device, wherein establishing the identity of the user comprises using the first identifier to determine if the user is registered with the first server apparatus; in response to establishing the identity of the user, authorising the user to access a service; and sending a second message to the second server apparatus, the second message including the apparatus identification information item and indicating that the user is authorised to access the service provided by the second server apparatus, the second server apparatus responding to receipt of the second message by providing the service to the user via the computing apparatus using the apparatus identification information item.S
  19. 19. A system involving a first server, a second server, a portable device and a computing apparatus, the system comprising: generating a verification information item for inclusion in an encoded information item in the form of a computer-readable electromagnetic encoded information item, wherein a reference verification information item is stored on a first server apparatus and the computer-readable electromagnetic encoded information item comprising the verification information item is available in order to be obtained by a portable device;the portable device:obtaining the electromagnetic encoded information; and transmitting a first message to the first server apparatus, the first message including the encoded information item and a first identifier identifying the device or a user of the device; and the first server apparatus: receiving the first message from the device; decoding the encoded information from the encoded information item, wherein the decoded information includes information to determine an apparatus identification information item for allowing identification of the computing apparatus; establishing the identity of the user of the device, wherein establishing the identity of the user comprises using the first identifier to determine if the user is registered with the first server apparatus; in response to establishing the identity of the user, authorising the user to access a service; and sending a second message to the second server apparatus, the second message including the apparatus identification information item and indicating that the user is authorised to access the service provided by the second server apparatus, the second server apparatus responding to receipt of the second message by providing the service to the user via the computing apparatus using the apparatus identification information item.
  20. 20. The system of claim 18 or claiml9, the system further comprising the first server apparatus being configured: to compare the verification information item included in the first message with a reference verification item; if there is identity between the verification information item and the reference verification item, to perform the action based on the decoded information; and if there is not identity between the verification information item and the reference verification item, to abort the system before prior to performing the action based on the decoded information.
  21. 21. The system of any of claims 18 to 20, wherein the encoded information comprises information to determine a second identifier, the second identifier identifying second server apparatus.
  22. 22. The system of any of claims 18 to 21, wherein the encoded information comprises a third identifier, the third identifier identifying the first server apparatus, and wherein the device is configured to transmit the first message to the first server apparatus based on the third identifier.
  23. 23. A system of any of the claims 18 to 22 comprising: the portable device, including the apparatus identification information item for allowing identification of the computing apparatus within the first message; and the first server, including the apparatus identification information item contained within the first message within the second message.
  24. 24. A system of any preceding claim dependent on claim 23 wherein the portable device and computer apparatus are physically the same device.
  25. 25. The system of any of claimsi 8 to 22, wherein the device is configured: prior to transmitting the first message, to receive a user input; to compare the received user input to a stored reference input; and to transmit the first message, when it is determined that there is identity between the received user input and the stored reference user input.
  26. 26. The system of any of claims 18 to 25, wherein the first server apparatus being configured to establish the identity of the user of the device comprises being configured: to initiate a communication channel with the device based on the first identifier; to receive a user-provided information from the device via the communication channel; to compare the received user-provided information with stored reference user-provided information; and to verify, and thereby to establish, the identity of the user when it is determined that there is identity between the received user-provided information and the reference user-provided information.
  27. 27. The system of any of the claims 18 to 26, wherein the electromagnetic encoded information item is displayed as a sequence of numbers, letters or symbols comprises: the portable computer device: prior to transmitting the first message, obtaining the encoded information item as a result of the user manually typing in the sequence into the portable device using the user interface.
  28. 28. The system of claim 27, wherein the electromagnetic encoded information item is S presented on a sign or electronic display proximate or emitted by a device to the computing apparatus.
  29. 29. The system of any of the claims 18 to 28, wherein the first message represents a payment request, the method comprising; the first server in response to receiving notification from the second server using information contained within the either of the first or second messages to authorise payment from the user's account to the payee.
  30. 30. The system of any of the claims 18 to 29 wherein the first message represents a payment request, the method comprising; the second server using information contained within the second message to authorise payment from the user's account to the payee
  31. 31. A system of any of the claims 18 to 3D wherein the encoded information item may be provided by a smart tag of a product for sale to enable the user to purchase the product.
  32. 32. A system of any of the claims 18 to 3D wherein the computer apparatus may comprise an electronic door lock to enable a person to access a room or building or secured storage.
  33. 33. A system of any of the claims 18 to 30 wherein the computer apparatus may comprise a checkout device such as a point of sale system to enable a shopper to pay for goods.
  34. 34. A system any of the claims 18 to 30 wherein the computer apparatus may comprise an ATM system to enable a user to access services and withdraw money.
  35. 35. Computer-readable code, which when executed by computing apparatus, causes the computing apparatus to perform the method of any of claims ito 17.
GB1503007.5A 2010-11-25 2010-11-25 Handling encoded information Active GB2519894B8 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1503007.5A GB2519894B8 (en) 2010-11-25 2010-11-25 Handling encoded information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1503007.5A GB2519894B8 (en) 2010-11-25 2010-11-25 Handling encoded information
GB1422939.7A GB2519876B8 (en) 2010-11-25 2010-11-25 Handling encoded information

Publications (5)

Publication Number Publication Date
GB201503007D0 GB201503007D0 (en) 2015-04-08
GB2519894A true GB2519894A (en) 2015-05-06
GB2519894B GB2519894B (en) 2015-09-16
GB2519894B8 GB2519894B8 (en) 2016-02-24
GB2519894A8 GB2519894A8 (en) 2016-02-24

Family

ID=52812338

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1503007.5A Active GB2519894B8 (en) 2010-11-25 2010-11-25 Handling encoded information

Country Status (1)

Country Link
GB (1) GB2519894B8 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105279830A (en) * 2015-11-27 2016-01-27 深圳市美特瑞斯信息技术有限公司 Voice frequency access control system based on mobile equipment
CN105279831A (en) * 2015-11-27 2016-01-27 深圳市美特瑞斯信息技术有限公司 Method for controlling locking based on mobile equipment audio coding
CN106204810A (en) * 2015-05-07 2016-12-07 上海诚壹网络科技有限公司 A kind of intelligent access control system
SE1751576A1 (en) * 2017-11-02 2019-05-03 Crunchfish Proximity Ab C/O Crunchfish Ab Mobile identification using thin client devices
WO2019088909A1 (en) * 2017-11-02 2019-05-09 Crunchfish Proximity Ab Mobile identification using thin client devices

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040076128A1 (en) * 2002-10-17 2004-04-22 Far Eastone Telecommunications Co., Ltd. Wireless LAN authentication, authorization, and accounting system and method utilizing a telecommunications network
EP1821459A1 (en) * 2004-12-08 2007-08-22 NEC Corporation Authentication system, authentication method, and authentication information generation program
US20080208753A1 (en) * 2007-02-28 2008-08-28 Dong Hoon Lee Method and system for providing information on pre-purchase and post-purchase items using rfid and computer-readable storage media storing programs for executing the method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040076128A1 (en) * 2002-10-17 2004-04-22 Far Eastone Telecommunications Co., Ltd. Wireless LAN authentication, authorization, and accounting system and method utilizing a telecommunications network
EP1821459A1 (en) * 2004-12-08 2007-08-22 NEC Corporation Authentication system, authentication method, and authentication information generation program
US20080208753A1 (en) * 2007-02-28 2008-08-28 Dong Hoon Lee Method and system for providing information on pre-purchase and post-purchase items using rfid and computer-readable storage media storing programs for executing the method

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106204810A (en) * 2015-05-07 2016-12-07 上海诚壹网络科技有限公司 A kind of intelligent access control system
CN105279830A (en) * 2015-11-27 2016-01-27 深圳市美特瑞斯信息技术有限公司 Voice frequency access control system based on mobile equipment
CN105279831A (en) * 2015-11-27 2016-01-27 深圳市美特瑞斯信息技术有限公司 Method for controlling locking based on mobile equipment audio coding
SE1751576A1 (en) * 2017-11-02 2019-05-03 Crunchfish Proximity Ab C/O Crunchfish Ab Mobile identification using thin client devices
WO2019088909A1 (en) * 2017-11-02 2019-05-09 Crunchfish Proximity Ab Mobile identification using thin client devices
US20200260270A1 (en) * 2017-11-02 2020-08-13 Crunchfish Proximity Ab Mobile Identificaton Using Thing Client Devices
US11778473B2 (en) * 2017-11-02 2023-10-03 Crunchfish Digital Cash Ab Mobile identification using thin client devices

Also Published As

Publication number Publication date
GB2519894B8 (en) 2016-02-24
GB2519894B (en) 2015-09-16
GB2519894A8 (en) 2016-02-24
GB201503007D0 (en) 2015-04-08

Similar Documents

Publication Publication Date Title
US11146561B2 (en) Handling encoded information
US20130013434A1 (en) Financial transaction processing using a mobile communications device
US20140297538A1 (en) System and Method for Data and Identity Verification and Authentication
US20140229388A1 (en) System and Method for Data and Identity Verification and Authentication
US10439813B2 (en) Authentication and fraud prevention architecture
US11470079B1 (en) User-level token for user authentication via a user device
JP2004508644A (en) Embedded synchronous random disposable code identification method and system
WO2011047331A2 (en) Anti-phishing system and method including list with user data
US20120303527A1 (en) Process and host and computer system for card-free authentication
US10440572B2 (en) Systems and methods for authenticating a user of a computer application, network, or device using a wireless device
KR20110033150A (en) Method and system for authenticating an electronic payment request
GB2489332A (en) Handling encoded information and identifying user
GB2519894A (en) Handling encoded information
US11100509B2 (en) Authentication and authorization with physical cards
GB2519876A (en) Handling encoded information
GB2491514A (en) Handling encoded information and identifying user
EP3559881A1 (en) Secure log-in or transaction procedure

Legal Events

Date Code Title Description
S117 Correction of errors in patents and applications (sect. 117/patents act 1977)

Free format text: REQUEST FILED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 05 JANUARY 2016

S117 Correction of errors in patents and applications (sect. 117/patents act 1977)

Free format text: CORRECTIONS ALLOWED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 05 JANUARY 2016, ALLOWED ON 17 FEBRUARY 2016

732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20170223 AND 20170303