IES85150Y1 - Securing access authorisation - Google Patents
Securing access authorisationInfo
- Publication number
- IES85150Y1 IES85150Y1 IE2005/0147A IE20050147A IES85150Y1 IE S85150 Y1 IES85150 Y1 IE S85150Y1 IE 2005/0147 A IE2005/0147 A IE 2005/0147A IE 20050147 A IE20050147 A IE 20050147A IE S85150 Y1 IES85150 Y1 IE S85150Y1
- Authority
- IE
- Ireland
- Prior art keywords
- user
- series
- electronic resource
- access
- numerical value
- Prior art date
Links
- 230000000875 corresponding Effects 0.000 claims description 18
- 230000004044 response Effects 0.000 claims description 5
- 238000000034 method Methods 0.000 description 5
- 230000003247 decreasing Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000002452 interceptive Effects 0.000 description 2
- 230000003287 optical Effects 0.000 description 2
- 241000283086 Equidae Species 0.000 description 1
- 206010037180 Psychiatric symptom Diseases 0.000 description 1
- 230000000295 complement Effects 0.000 description 1
- 230000001010 compromised Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 150000002500 ions Chemical class 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000003278 mimic Effects 0.000 description 1
Description
Securing Access Authorisation
Field of the Invention
This invention relates to securing access to an electronic data resource stored in a data
processing system. More particularly, this invention relates to a device for encrypting one or
more user identifiers in reference to numerical series and a corresponding method.
Background to the Invention
In the so—ca1led information age, an increasing amount of personal and/or user infomiation is
disseminated in either isolated or networked data processing tenninals, whether as a result of
user choice, for instance when registering for online banking services, or as a result of
procedural change, such as when government agencies upgrade to computerized systems and
records.
The value of this readily-accessible personal or user information is increasing in tandem with
the growing ubiquity of highly-distributed networks such as the Internet, as it allows
purveyors of goods or services to constantly refine their target markets and extract better
revenue from more accurate use of their advertising expenditure. More disturbingly, as the
value or nature of this infonnation expands, so it attracts third—party users willing and able to
make unauthorized use of all or a portion of this information and therefore the need to
implement access authentication methods and systems has long been recognized and many
such methods and systems exist in the prior art.
Password authentication schemes constitute the most widely-used methods of access
authentication for a user to access electronic data resources, such as her banking details
and/.or service provided over the Internet, and this despite growing problems associated with
theft of user information, particularly infomiation with an inherent financial value such as
credit card or user or bank account details. Indeed, password authentication schemes can be
compromised in numerous ways.
Trojan Horse Attacks and Spyware are the most classic and widespread types of attack. A
Trojan Horse is an application that is stealthily processed by a data processing system and
assists in the perfomiance of illicit transactions, unbeknownst to a user of the data processing
system. Trojan Horses may be used either on a standalone terminal sharing multiple
consecutive users, such as in a public library, but are more commonly used in highly-
distributed networks, such as the Internet, by remote unauthorised users and are configured to
stealthily load into a data processing system and then collate local data including keys
pressed, applications processed, electronic resources accessed over the network as well as
capture images of graphical user interfaces, for subsequently broadcasting this information
over the network, still unbeknownst to the user, to those remote unauthorised users. In this
context, Spyware is a colloquialism encompassing both legitimate and illegitimate forms of
Trojan Horse applications, which gather information about a user’s terminal and use thereof
and relay that information to remote users, such as marketing companies in legitimate cases or
unauthorised users in illegitimate circumstances.
Phishing Attacks are mounted by highly-organised unauthorised users and comprise large—
scale, carefully planned defrauding operations. Phishing is a method of using deceptive email
and intemet sites to retrieve authentication data from unsuspecting users. Such operations
typically begin with an electronic mail message addressed to a genuine user by an apparently
genuine sender, for instance the bank of that user or an Internet transaction website at which
said user is registered. The message is configured in wording, appearance and interactive
features, such as a pointer to a network address or Uniform Resource Locator, to lead the
recipient to an apparently genuine Internet page of this bank or transaction site, which is in
fact a false Internet page output by the data processing system of the unauthorized users, at
which point the user is requested to input her usemame and password, which are therefore
obtained by the afore-mentioned highly-organised unauthorized users when said user is
deceived.
Man-in-tlze—Midd1e Attacks are the hardest attack to carry out, as they need to be performed
whist a victim is connected to the network. Such attacks involve a particularly sophisticated
form of data processing procedure, colloquially known as hacking, which involves the illegal
misuse of Secure Socket Layer Certificates and Keys.
The negative impact of any successful attack is threefold: bad publicity for the provider of the
electronic resource, loss of confidence by users as a subsequent reaction and financial loss
from the attack itself to the provider and/or the users. Loss of customer confidence may
reflect not only on the image and tumover of a provider, but also on the Internet as a channel
for transacting with sensitive information. For obvious reasons, institutions are keen to reduce
their exposure to these risks. It is unfortunate that this type of unauthorized activity will
become more intense with the ongoing drive to facilitate the transacting of an ever-increasing
amount of goods and service over the Intemet.
An improved system and an improved method are therefore required to prevent unauthorized
users from obtaining user information, particularly access authentication data, by deception,
whether a user accidentally or unknowingly provides this information or whether such
unauthorized users deliberately attempt to obtain this information by deception.
Object of the Invention
It is an object of the present invention to improve the security of access authentication
required for a user to access an electronic resource, whether locally or via a network, by
decreasing the risk of compromising authentication data.
It is another object of the present invention to provide a method of securing access to an
electronic resource at a user terminal.
lt is a further object of the present invention to provide a system for securing access to an
electronic resource.
Summary of the Invention
According to an aspect of the present invention, a method of securing access to an electronic
resource is provided at a user terminal equipped with a display device, which comprises the
steps of
providing a user with at least first and second series of numerical values on a support;
storing a combination of a user reference and an electronic resource user access reference for
said user;
in response to said user requesting access to said electronic resource, generating a third series
of random numerical values and requesting user input ;
upon receiving said user input, comparing said user input and said electronic resource user
access reference; and
granting access to said electronic resource upon said comparison returning a match,
wherein said user input comprises at least one numerical value of said first series identified
with positioning said support relative to said display device and comparing corresponding
numerical value of said second series with corresponding numerical value of said third series.
support including at least first and second series of numerical values, said terminal comprising
storage means, processing means and display means, said storage means storing a
combination of a user reference and an electronic resource user access reference for at least
user requesting access to said electronic resource;
compare said user input and said electronic resource user access reference upon receiving said
user input; and
According to a further aspect of the present invention, a support is provided for securing
access to an electronic resource, said support comprising at least first and second series of
The first, second and third series of numerical values may number ten numerical values, each
of which is comprised between 0 (zero) and 9 (nine). The third series is advantageously
generated as a random series to uniquely encrypt the electronic resource user access reference
for every access authentication procedure. The first, second and third series of numerical
values are preferably equally spaced relative to one another both on the support and the
display device, to facilitate the comparison therebetween.
network, the electronic resource is a data resource stored locally or at a first remote terminal
and the combination of a user reference and an electronic resource user access reference for
said user is stored at a second remote terminal.
In yet another alternative embodiment of the present invention, the terminal is connected to a
network, the electronic resource is a data resource stored locally or at a first remote temiinal,
Brief Description of the Drawings
The above and other features and advantages of the present invention will be more clearly
understood from the following detailed description taken in conjunction with the
accompanying illustrations listed below:
Figure 1 illustrates an environment comprising a data processing terminal connected to a
network, at which a user with a support may request access authentication according to the
present invention;
Figure 2 details the data processing terminal of Figure 1, including a display;
Figure 3 details the support of Figure 1;
Figure 4 details processing steps perfonned by the terminal of Figures 1 and 2, including a
step of outputting a graphical user interface;
Figure 5 provides a graphical illustration of the interface of Figure 4;
Figure 6 provides a graphical illustration of the interface of Figure 4 overlaid with the support
ofFigures 1 and 3;
Figure 7 provides a graphical illustration of the interface of Figure 4 overlaid with the support
of Figures 1 and 3 according to an alternative embodiment of the present invention; and
personal computer located at the dwelling or workplace of user 101.
In an alternative embodiment of the present invention, user 101 may use a second computer
terminal 105, for instance if terminals 104 and 105 are made available to users in a public
access location, such as a library, or if terminals 104 and 105 are workplace terminals which
user 10] may use alternatively. In the alternative embodiment, terminal 104 is optionally
connected to tenninal 105 via a Local Area Network (LAN) 106, which may be implemented
as either a wired Ethernet connection or a wireless Ethernet connection (WLAN), known to
those killed in the art as a Wi-Fi network.
Terminal 104 is optionally connected to a Wide Area Network (WAN) such as the Internet
I07 via an lntemet Service Provider (ISP) 108, to which it connects via any of a low-
bandwidth dial-up modem connection or a high-bandwidth cable or Asynchronous Digital
likewise optionally connected to the Internet 107, for instance with sharing the connection
109 oftenninal 104 to ISP 108 over the LAN or WLAN 106.
In yet another alternative embodiment of the present invention, a terminal 110 is located at
support issuer 103 and is also connected to the Internet 107.
Therefore, depending upon the particular embodiment of the present invention, terminal 104
may be used as a local data processing system only, or as a locally network-connected (106)
data—processing system only, or as a data-processing system connected to a plurality of wide
and local networks (106, 107), in which embodiment terminal 104 may communicate data to
tenninal l 10 and receive data therefrom.
An example of the terminal 104 shown in Figure 1 is provided in Figure 2. In the example, the
respective architectures of terminals 104, 105 and 110 are substantially similar, for the sake of
not unnecessarily complicating the present description, but it will be readily apparent to those
skilled in the arts that the invention may not be limited to the example terminal described
below.
Temiinal 104 is a computer temiinal configured with a data processing unit 201, data
outputting means such as video display unit (VDU) 202, data inputting means such as a
dt f '~ - ~ .
33 mm and Wmmg data to magnetic data-carrying medium 206B, and a second
reader/writer 207A for reading data from and writing data to optical data canying m d‘
- e ium
by W3)’ of a Network Interface Card (NIC) 212 as a wired or wireless connection to terminal
105 and optionally to the Internet 107.
provided for legacy purposes.
All of the above devices are connected to a data input/output bus 215, to which said magnetic
data-carrying medium reader/writer 206A and optical data-carrying medium reader/writer
207B are also connected. A video adapter 216 receives CPU instructions over said bus 213 for
outputting processed data to VDU 202.
The support 102 issued to user 101 by support issuer 103 is further detailed in Figure 3. The
support 102 takes the form of a card, preferably made of a durable plastic material and the
dimensions of which are substantially identical to a standard credit card. In the preferred
embodiment of the present invention, support issuer 103 issues the card 102 with at least a
first series of numerical values 301 and a second series of numerical values 302.
In an alternative embodiment of the present invention shown as a card 102B, the card 102B is
configured with a see-through portion 303, located substantially between the first and second
series of numerical values 301, 302.
lower number. Each f th I
0 e va ues themselves are preferably randomly selected between 0
(Zero) and 9 (nine) and each of the series 301 302 is
’ , preferably generated as d '
of 10 randomly-selected values in the example a ran Om semis,
In the preferred embodiment of th ‘ ‘ - -
e present invention, the combination of the first and second
series 301, 302 forms an t‘ - .
with . f I CnCI"yp Ion and decryption key, stored in a database the terminal lO4
in omiation data of user 10], comprising at least
, shown as card lO2C, support
issuer 103 IS a financial institution and that the card 102C is configured for use as a
access authorization to an electronic resource stored therein. In the preferred embodiment,
tenninal 104 stores instructions in storage means 210 which are loaded into RAM 209 and
processed by CPU 208 when the user 101 inputs data via keyboard or pointing device 203,
204 to signify a request to access an electronic resource at step 401, for instance a database
stored in storage means 210 or an application to process same and likewise stored in storage
means 210 and which will be loaded into RAM 209 and processed by CPU 208 upon user 101
being granted the requested access authorization. The instructions comprise a system module
and a random number generator as well as processing user input and the previously-described
database, which retains key data and information data relating to user 101.
Upon receiving the user input of step 401, the system module is engaged and generates a third
series of random numbers with respective values between 0 and 9, using the random number
generator, at step 402. The third series preferably includes the same number of values as the
with reference now to Figure 5, output a user interface 501 at step 403. The interface 501
presents the third series of numbers 502 and a plurality of user-selectable buttons, some of
which are located in the interface to compliment the use of the support 102. Preferably, a
of the third series 502 and the respective configuration of the support 102 and the interface
505 complement one another in such a way as to likewise substantially vertically align each
number of the second series 302 with a corresponding button 503.
At step 404 still, the user recalls the first number of a respective electronic resource user
access reference and locates the corresponding number 601 in the first series 301. In the
example, the first number is “5” and, vertically adjacent to the number 5 is the corresponding
number 602 in the third series 502, which is “l".
Having identified the number “I”, the user 101 compares this number with the second series
302 to locate a number 603 having a corresponding ‘‘I’’ value therein and selects the button
503, 604 immediately above the number “I The button is preferably assigned a value other
than 1 within the system module. The user repeats this above sequence until the entire
electronic resource user access reference is input, e.g. all 10 numbers of the user’s respective
electronic resource user access reference have been enciphered. On completion of the
enciphering of the electronic resource user access reference, the user submits the screen to the
system module for processing by the instructions with selecting the “submit” button 504.
The instructions retrieve the usemame and ciphered password string presented by the user
101 via the software module and attempt to identify the validity of the usemame with
processing the database, resulting in a first question asked at step 405, as to whether the
usemame has been matched in said database. If the question of step 405 is answered
negatively, the instructions output an error message at step 409 and call upon the module to
output a new third series 502 and interface at step 402.
Altematively, the question of step 405 is answered positively, i.e. the usemame is valid, and
at step 406 the instructions select the value of the first element of the enciphered user access
reference, assign this value to a memory variable — offset and examine the first series 301 at
the index indicated by the offset variable, and retrieve the value contained therein from the
database. The retrieved value is recorded in the memory variable offsetl. The instructions
then examine the value contained in the second series 302 at index offsetl. This constitutes
the first deciphered number of the user access reference string. This process continues until
completion and the now-entirely deciphered user access reference string is compared against
the corresponding user access reference stored in the database, whereby a second question
asked at step 407, as to whether the user access reference has been matched in said database.
If the question of step 407 is answered negatively, the instructions output an error message at
step 409 and call upon the module to output a new third series 502 and interface at step 402.
Alternatively, the question of step 407 is answered positively, i.e. the user access reference
name is valid, and at step 408 the instructions route the user to the requested electronic
resource, i.e. the requested access to the electronic resource is granted.
An alternative embodiment of the present invention is illustrated in Figure 7, in which the
support 102 comprises a see-through portion 303 and the interface 501 is configured by the
module so that the third series 502 of values can be overlaid with the see-through portion 303
when the user manipulates the support 102 relative to VDU 202, so that each number 601 of
the first series 301 on support 102 is substantially vertically aligned with a corresponding
number 602 of the third series 502, which number 602 on display 202 is directly observable
relative to said corresponding number 601 through the transparent portion 303. Further
alternative embodiments contemplate respective see-through portions 303 for each number of
the third series 502.
An alternative embodiment of the present invention is shown in Figure 8, in which the
terminal 110 of support supplier 103 is a remote server and the key data 301, 302, user
reference and electronic resource user access reference are stored in a database which is itself
stored at said server 110. In the Figure, a portion of the processing steps previously described
in Figure 4 are perfonned by server 110, which is particularly useful when user 101 wants to
access a remote electronic resource, for instance over the hitemet 107, such as the website of
the bank at which said user holds an account and which account may be remotely interacted
with via said website, or the website of a retail concern at which said user may remotely effect
purchases. The processing steps respectively performed by terminal 104 operated by user 1
are therefore represented as grouped within a logical block 701 and the processing steps
respectively perfomied by server 110 upon user 101 inputting data at step 401 at terminal [04
to access a remote electronic resource are represented as grouped within a logical block 702.
In this alternative embodiment, the instructions are not stored at terminal 104 but are stored at
server 1 10 from which, alternatively, either the system module is downloaded by terminal 104
as any of a browser plug-in, an Active-X plug-in, a Java script, a HTML script or the like
further to user 101 performing step 401, or only the user interface 501 is downloaded by
terminal 104. The distributed system is described in Figure 8 with data exchanged between
remote temrinals 104 and 108 over the Internet 107, but it will be readily apparent to those
skilled in the art that the distributed system may equally be described in, and the invention
extending to, the context of any network, including the example LAN 106.
The present invention therefore improves the security of access authentication required for a
user to access an electronic resource, whether locally or via a network, by decreasing the risk
of compromising authentication data.with filtering a user access reference, such as a
password. The password is altered into another numeric state and this altered numeric state is
further interpreted, the interpreted result being entered into the user interface. A user
attempting to gain unauthorised access to a local or remote electronic resource, such as
personal information of a different user, would need to be in possession of all three factors,
the password, the support 102 and the interactive user interface 501 to gain successful access.
The present invention provides a Multiple Factor Authentication solution, which confers a
high level of confidence to password or PIN—based security. According to the present
invention, a user’s password is never directly transacted against, or disclosed over networks
such as the lntemet. The invention solves the problem of users being offered fake screens by
users practicing Phishing attacks. If an unauthorized user mimics the genuine interface 501,
this interface will offer no hint as to the password or construction of the support 102. If the
user is deceived into putting genuine data into an interface 501 developed by an unauthorized
user, then that data alone will not suffice to gain genuine access to the targeted electronic
l'€SOUl‘CC.
The present invention thus manages the security of the access authorization process without
regard or concern for the environment to which it is connected, namely a computer, or
through which it is communicated, namely a network.
The words “comprises/comprising” and the words “having/including” when used herein with
reference to the present invention are used to specify the presence of stated features, integers,
steps or components but does not preclude the presence or addition of one or more other
features, integers, steps, components or groups thereof.
Claims (5)
1. A method of securing access to an electronic resource at a user terminal equipped with a display device, the method comprising the steps of: providing a user with at least first and second series of numerical values on a support; storing a combination of a user reference and an electronic resource user access reference for said user; in response to said user requesting access to said electronic resource, generating a third series of random numerical values and requesting user input ; upon receiving said user input, comparing said user input and said electronic resource user access reference; and granting access to said electronic resource upon said comparison returning a match, wherein said user input comprises at least one numerical value of said first series identified with positioning said support relative to said display device and comparing corresponding numerical value of said second series with corresponding numerical value of said third series.
2. A method of requesting access to an electronic resource at a user terminal equipped with a display device, the method comprising the steps of: in response to said terminal outputting a third series of random numerical values on said display device and requesting user input, positioning a support having first and second series of random numerical values thereon relative to said first series of random numerical values on said display device; inputting at least one numerical value of said first series identified with comparing corresponding numerical value of said second series with corresponding numerical value of said third series; and submitting said input for requesting access to said electronic resource.
3. A system for securing access to an electronic resource comprising at least one data processing terminal and a support including at least first and second series of numerical values, said terminal comprising storage means, processing means and display means, said storage means storing a combination of a user reference and an electronic resource user access reference for at least one user and instructions which configure said processing means to generate a third series of random numerical values and request user input in response to said user requesting access to said electronic resource; I0 compare said user input and said electronic resource user access reference upon receiving said user input; and grant access to said electronic resource upon said comparison retuming a match, wherein said user input comprises at least one numerical value of said first series identified with positioning said support relative to said display device and comparing corresponding numerical value of said second series with corresponding numerical value of said third series.
4. A support for securing access to an electronic resource comprising at least first and second series of numerical values, said support being operationally positioned relative to the display device of a data processing terminal on which a third series of numerical values is displayed in response to a user requesting access to an electronic resource, wherein said user may compare corresponding numerical value of said second series of said support with corresponding numerical value of said third series and input at least one numerical value of said first series identified by said comparison for granting access to said electronic resource upon the comparison of said user input and an electronic resource user access reference returning a match.
5. A system as substantially hereinbefore described with reference to and/or as illustrated in the accompanying drawings.
Publications (1)
Publication Number | Publication Date |
---|---|
IES85150Y1 true IES85150Y1 (en) | 2009-03-04 |
Family
ID=
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8850519B2 (en) | Methods and systems for graphical image authentication | |
US8117458B2 (en) | Methods and systems for graphical image authentication | |
JP4274421B2 (en) | Pseudo-anonymous user and group authentication method and system on a network | |
AU2011313826B2 (en) | System and method of conducting transactions | |
US9519770B2 (en) | Transaction card for providing electronic message authentication | |
US20070162961A1 (en) | Identification authentication methods and systems | |
US20070043681A1 (en) | Online transactions systems and methods | |
US20080209223A1 (en) | Transactional visual challenge image for user verification | |
US8060447B2 (en) | Method of providing transactions employing advertising based verification | |
WO2001050396A1 (en) | Method and system for private shipping to anonymous users of a computer network | |
JP2009526321A (en) | System for executing a transaction in a point-of-sale information management terminal using a changing identifier | |
EP1287501A1 (en) | Method and apparatus for transferring or receiving data via the internet securely | |
US20110202762A1 (en) | Method and apparatus for carrying out secure electronic communication | |
JP2008537210A (en) | Secured data communication method | |
AU2010292125B2 (en) | Secure communication of payment information to merchants using a verification token | |
AU2005242135B1 (en) | Verifying the Identity of a User by Authenticating a File | |
US20170103395A1 (en) | Authentication systems and methods using human readable media | |
GB2377523A (en) | User identity verification system | |
WO2002071177A2 (en) | Method and system for substantially secure electronic transactions | |
IES20050147A2 (en) | Securing access authorisation | |
IES85150Y1 (en) | Securing access authorisation | |
THATCHER | Protecting E-Commerce Systems | |
FR2901080A1 (en) | Remote computer system`s resource e.g. website, access securing method, involves transmitting primary symbols to terminal e.g. mobile telephone, of user, and correspondingly connecting primary symbols with secondary symbols by user |