US20160140565A1 - Refreshing a behavioral profile stored on a mobile device - Google Patents

Refreshing a behavioral profile stored on a mobile device Download PDF

Info

Publication number
US20160140565A1
US20160140565A1 US15/003,505 US201615003505A US2016140565A1 US 20160140565 A1 US20160140565 A1 US 20160140565A1 US 201615003505 A US201615003505 A US 201615003505A US 2016140565 A1 US2016140565 A1 US 2016140565A1
Authority
US
United States
Prior art keywords
mobile payment
payment device
mobile
behavioral
device user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/003,505
Inventor
Ori Einhorn
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Offla Selfsafe Ltd
Original Assignee
Offla Selfsafe Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Offla Selfsafe Ltd filed Critical Offla Selfsafe Ltd
Priority to US15/003,505 priority Critical patent/US20160140565A1/en
Publication of US20160140565A1 publication Critical patent/US20160140565A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/085Payment architectures involving remote charge determination or related payment systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • G06Q20/202Interconnection or interaction of plural electronic cash registers [ECR] or to host computer, e.g. network details, transfer of information from host to ECR or from ECR to ECR
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3224Transactions dependent on location of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3226Use of secure elements separate from M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3227Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3229Use of the SIM of a M-device as secure element
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/325Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3278RFID or NFC payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • G06Q20/3674Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • G06Q20/38215Use of certificates or encrypted proofs of transaction rights
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/405Establishing or using transaction specific rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0201Market modelling; Market analysis; Collecting market data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q2220/00Business processing using cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • the present invention is directed to the use of mobile devices in offline transactions, and, more particularly, to a system, method and device for self-authentication of transactions.
  • the improved ability of mobile devices provides enhanced web capabilities (e.g. internet) and applications.
  • the user interface has improved and thus created a platform for applications, innovative initiatives and new opportunities.
  • the mobile device can be used in many processes, when payments by which (m-payments) are one category of financial transactions implemented by the mobile platform, along with financial services (m-services) and trade (m-commerce).
  • m-payments are one category of financial transactions implemented by the mobile platform
  • m-services financial services
  • m-commerce trade
  • Mobile payment a fee, set by the transfer of money in exchange for a product or service, wherein the mobile device is involved in both the initiation and the approval of the payment.
  • the payer can be present at the point of sale or “in movement” (“on the way”) and the infrastructure that supports the payment can change.
  • Payment can be processed by credit card or by Prepaid-wallet. (For example: money can be transferred and deducted from the amount paid in advance or can be collected by the MNO.)
  • Mobile order the mobile device is used for initiating an order but is not used for pay. (For example: ordering food via the mobile device from a restaurant and paying with cash on delivery).
  • Mobile delivery the mobile device is used for delivery of goods or services but not used for payment, for example, an event entrance card issued and delivered to the mobile device.
  • Mobile authentication the mobile device is used for authenticating the user details as part of the transaction or to allow access to information or other functionality. For example, code it sent to the mobile device which the user should key in online to confirm the user's identity.
  • Mobile banking access to bank functionality via mobile device, through the use of a browser or an application. For example: viewing account status and transaction history through the application. It should be noted that this process allows making a payment using the mobile device.
  • Mobile marketing includes loyalty campaigns, advertising and coupons.
  • the technologies that allow payment by mobile devices can usually be divided into two categories:
  • Remote payments the payer and the payment device are not present at the point of sale;
  • Proximity payments the presence of the payer and the payment device are required at the point of sale.
  • SMS communications protocol allows broadcasting messages not only between the two mobile devices, but also between the mobile device and a computer, and therefore allows m-payments.
  • the SMS communications protocol is inexpensive and relatively simple to use and is now the more accepted method of payment using mobile device, however, the user experience is not adequate.
  • Mobile payments derived by SMS allow transfer of funds from listed accounts or e-wallet.
  • USSD technology is a standard for transferring information over the GSM channels and is used primarily as a method for queries and information services and is associated with information in real time achieved by calling numbers that begin with “*” or “#”, and then a combination of numbers and asterisks and ending with “#”. There is no option to store and forward information, but the response time of USSD is better than SMS.
  • Interactive Voice Response Communication with a computer server via a telephone call over the cellular network, usually via dialogue menus by voice or phone keyboard input. This technology has limited user interface and user experience is not optimal.
  • Mobile internet is typically used for web browsing via small mobile devices as mobile phones.
  • NFC Near Field Communication
  • the NFC has number of variations e.g. NFC Stickers, microSD, integrated device.
  • QR Code Quadick Response Barcode
  • matrix barcode that can be read by a reader of QR Code and by a mobile device with a camera.
  • the encoded information can be text, URL or other form of data.
  • MNO's Mobile network operators
  • m-payments have the option to diversify the range of products and services that correspond to the client's needs and lifestyle.
  • Financial institutions Fis wanted to ‘stay in the game’ and maintain their status (e.g. profit) and relationship with the client even with the mobile payments environment as they do today in the physical payments environment, for example issuing “payment credentials”.
  • OEMs OEMs have the ability to decide which technologies to implement in the various devices and which uses to allow.
  • Success using the mobile phone as a payment method has the potential to influence towards significant sales increase of mobile phones to new customers as well as significant sales increase of mobile phones to customers upgrading existing devices to those enabling m-payments.
  • Trusted Service Managers third party neutral intermediary or a service provider providing a single integration point for all the cellular operators (MNOs), for all the financial institutions (Fis), transit authorities and retailers who want to provide mobile payment applications, ticketing applications or loyalty applications for their clients, characterized in that the applications are using NFC technology in the mobile devices. They are owners or managers of the “Secure Element”.
  • Main functions of the TSM include, among other things, engagement with mobile network operator and applicative service providers, ensuring the protection and security from end to end which includes ensuring compliance with security requirements for software, hardware, cell phones, chips and applications, risk management of scams. They are also responsible for customer service and support in the context of Secure Element, which include customer alerts for loss, theft and reporting fraudulent transactions. Additional tasks include updating user interfaces, customer database management, life cycle management of applications, management services that are “value-added” as reloading tickets and more.
  • SE chip manufacturers producing the smart card's chips which can host the payment application or the secure element (SE); SE Issuers—(secure element issuers) match the chip with the appropriate protection component; service providers offering services for end users, such as authentication services, and the TSM allows the service provider to use the secure element.
  • POS point of sale
  • Unmanned points of sale or remote points of sale can benefit from this form of payment by the reduction in costs. Also remote mobile payments are another channel with lower costs for merchants.
  • the mobile device has become an integral part of his life, the consumer carries it everywhere and it achieved a status that can be described as “permanent share of pocket”, i.e. with wallet and keys, it is always with the consumer. Moreover, as the consumers' confidence rises, they feel more comfortable to exercise more than one function of the device, and it is slowly turning into a multimedia device with many applications.
  • NFC technology designed to make a connection between different devices based on their physical proximity, simplifies the initiation of communication between devices, also making this a much more natural thing for a user, as part of the natural user interface (NUT) trend.
  • the technology began as a joint development of Sony and chip maker NXP back in 2002, and is based on RFID (Radio Frequency Identification) chips.
  • RFID tag contains (identification) information which it transmits as a response to a radio signal received from a reader as such.
  • the NEC technology differs from RFID in that it adds security and limits the communication range to 10-20 cm (approx. 4-8 inches) or less in reality, to ensure that only deliberate approximation of the tag to a scanner will share information.
  • it allows using the tag for other needs, such as a workplace identification tag, payment card for public transportation and substitute means for payment at the store.
  • One chip is a device with a power source and functions as a reader, while the other is a passive chip, with no power source, which is used as a tag containing information.
  • the active chip produces a limited field of radio waves, sufficient for the passive chip to send the information found on it, for example, Smart Poster.
  • Transaction payments transactions.
  • communication is between an active device connected to the banking system and active or passive chip that contains customer information.
  • this type of this interaction is a substitute for cash and credit cards, because it allows the transfer of money between compatible devices, provided that one of them is pre-loaded with any amount, or a transaction brokered with the credit card company.
  • Coupled occurs when both parties are active chips. In this case, two-way information transfer will occur between two devices using the Peer to Peer method, as in the Bluetooth technology.
  • Payment card fraud occurs when an element (e.g. person) creates financial or material gain by the use of payment means or payment means information to complete a transaction that is not approved by the legal account holder. Lack of approval of the account holder is an essential characteristic characterizing this phenomenon.
  • An approval system for payment card transactions sieves transactions to limit fraud. The system verifies the card, extracts the card's data and decides whether the transaction is subject to certain restrictions set by the issuer or merchant. It could be said that the system checks whether the transaction is in line with the known behavior of the card owner and if this is the case, then in most probability the transaction is being performed by the owner of the card.
  • Transition to electronic payments allows a number of channels to collect payment card data: mobile readers keep cards data; readers imposed over ATM (Skimming); Video Cameras that can capture and copy PIN numbers; utilizing the Internet—sending millions of email messages so a few recipients will expose the credit card data and their accounts (phishing); hackers can infiltrate computer systems and steal data volume from where it is stored or transmitted (data breaches), etc.
  • payment card data can also be collected in the ‘traditional way’ as a result of the card being lost or stolen.
  • EMV initials represent the names of the companies Europay, MasterCard and Visa, which were the original founders of the EMV standard.
  • EMV refers to specification of technical requirements for payment, usually payment cards type of Credit or Debit, in which microchips are embedded and is designed to combat fraud.
  • Chip plus PIN the most common
  • Chip plus Choice selection between signing and PIN as a cardholder identity verification
  • DPA VISA's Dynamic passcode authentication
  • CAP MasterCard's Chip Authentication Protocol
  • a reader device In remote transactions, were the card cannot be presented, a reader device is used. The customer enters a PIN. An application residing on the chip on the EMV card generates a one-time password (OTP), specific to the current transaction.
  • OTP one-time password
  • FIG. 1 An example for the system used nowadays is brought up in FIG. 1 .
  • the system comprises: the customer's credit card 60 ; the point of sale (POS) 70 where the customer makes a payment using the credit card 60 ; the clearing house 80 ; the issuer 90 which issued the credit card 60 .
  • POS point of sale
  • the issuer 90 which issued the credit card 60 .
  • FIG. 2 describes an exemplary method for approving a transaction using the system that was described in FIG. 1 .
  • step 510 the card 60 is used by the customer to initiate a transaction in the POS 70 .
  • the transaction details are sent in step 520 from the POS 70 to the clearing house 80 .
  • the clearing house 80 routes, in step 530 , the transaction to the card issuer 90 .
  • the issuer 90 generates in step 540 a response to the transaction.
  • the response could be one of the following:
  • Approve the transaction is approved. Decline—the transaction is declined. Kill—the credit card should be put out of use. Referral—the merchant or the customer who owns the card should call the issuer (i.e. credit card company) 90 .
  • the response is routed in step 550 from issuer 90 to the clearing house 80 .
  • the clearing house 80 routes the response to the POS 70 .
  • the transaction is committed or declined according to the response.
  • the prior art systems are based on a server in the issuer (e.g. bank) premises which does the fraud detection checks for millions or tens of millions of customers. This amounts to tens (or even more) of checks per second.
  • issuer e.g. bank
  • the amount of time per check should be less then tenth of a second.
  • the server has to retrieve all the needed information needed for processing and perform a large amount of complex mathematical calculations.
  • US patent application, publication no. 2010/0327056 discloses a payment approval system and a method for approving a payment for credit cards.
  • the method comprises obtaining fraud parameters by modeling a pattern of fraud usage and for self-authentication (offline approval).
  • self-authentication (offline approval) process estimates a possibility of fraud usage, online approval for more detailed statistical analysis processing is requested from a remote computer.
  • PCT publication no. WO/2006/012538 discloses a methods and apparatus for transaction completion using a proximity integrated circuit payment device i.e. smartcard.
  • the merchant system retrieves information from the smartcard and determines whether the transaction should be completed online or offline.
  • a system method and a device for offline authentication of transactions using mobile device based on, analytic engine such as behavioral pattern detection.
  • the behavioral pattern can be for a specific person, for group of people with similar characteristics, or a combination of the two.
  • the present invention has the advantage over the prior art centralized authentication and fraud detection systems in that it is more precise in identifying and preventing fraud in real time. The precision is better for both customer and merchant frauds.
  • the present invention also requires fewer investments in infrastructure and uses less communication traffic when compared to the prior art.
  • FIG. 1 is an exemplary prior art payment system
  • FIG. 2 is a flow chart of an exemplary method for transaction approval used with the prior art payment system
  • FIG. 3 is an exemplary payment system in accordance with the preset invention.
  • FIG. 4 is a flow chart of an exemplary method of secure purchase in accordance with the preset invention.
  • FIG. 5 is an exemplary mobile payment device in accordance with the preset invention.
  • FIG. 6 is an exemplary verification process in accordance with the preset invention.
  • FIG. 7 is an exemplary validation process for a merchant in accordance with the preset invention.
  • a processor or ISO will work with an acquiring bank, which is needed to officially accept payment on behalf of the merchant.
  • an association or a network requests an approval from the issuer (e.g. bank), on behalf of the merchant. Once a transaction is authorized, the association sends the approval to the merchant acquirer, who passes it along to the merchant. Then the customer can complete the purchase.
  • issuer e.g. bank
  • the issuer then prepares the information for the customer's statement.
  • PCI DSS Payment Cardholder Industry Data Security Standard
  • Europay MasterCard Visa a global standard for cards, POS, and ATM terminals in relation to credit and debit card payments.
  • Financial institution acts as an agent that provides financial services for its clients or members.
  • Financial institutions generally fall under financial regulation of a government authority.
  • Common types of financial institutions include banks, building societies, credit unions, stock brokerages, asset management firms, and similar businesses.
  • Financial institutions provide a service as intermediaries of the capital and debt markets. They are responsible for transferring funds from investors to companies, in need of those funds.
  • the ratio between the number of alerts to actual fraud detection is verified in hindsight. This is done by applying the statistical model to known transactions and counting how many of the alerts are actually real frauds.
  • MNO Mobile Network Operator
  • a device used for mobile payment which can be, but not limited to, a cellular phone, also known as mobile phone, or a credit card as long as the device has memory, processor for executing a program and the ability for data communication.
  • the data communication can be done for example, via cellular data communication (3G, 4G), Wi-Fi, Bluetooth, NFC or any combination thereof.
  • the payer may or may not be ‘mobile’ or ‘on the move’.
  • NFC Near Field Communication
  • a company that handles all or some of the functions of a credit or debit transaction, ranging from providing terminals to managing back-end settlement.
  • Security Element Physical place used for user authentication, authorization and stored credentials; it houses confidential information.
  • system, method and a device for self-authentication (offline approval) of transactions using mobile device, based on, analytic engine such as behavioral pattern detection are provided. This is in contrast to current central authentication systems as known in the prior art.
  • one of the steps in the method of the present invention is storing a profile of the customer on the customer's mobile payment device.
  • This profile (e.g. behavioral pattern), stores, for example, the behavior of the customer and the personal details of the customer.
  • the profile is updated when the customer travels to another country, or when the personal status of the customer changes (i.e. marriage, children).
  • the associations or financial institutions e.g. issuers
  • the best known models for fraud detection cannot be implemented.
  • many powerful processing units are needed, which would have resulted an investment which is not cost effective.
  • the fraud detection engine operates in the mobile payment device of the customer, it is now possible to put more stringent requirements, taking the risk of high levels of false positive alerts. This is made possible in the current invention since, in the case of alert, the customer can be prompted, for example, to enter a code or biometric data as a general rule or in case of doubt. All of this is being done offline, e.g. without accessing the associations or financial institutions, thus taking a load of them.
  • the customer's profile which stores for example the behavioral pattern of the customer, can be more complex and accurate.
  • the current invention also has the advantage that it avoids sending data from the POS to the central server and receiving confirmation or decline, thus avoiding the communication time which is required by the prior art.
  • the time spent by the current invention is the net time for calculating whether a transaction is fraudulent.
  • Another advantage of the invention over the prior art is that customer's profile can be updated per change (incremental) in real time, in contrast to the prior art where all the profiles of the customers are stored on a central location and due to the large volume of data updates are being done once in a while for all the records.
  • the mobile payment device will have the related software residing in a secure area and consuming relatively a small size. This part of the software will rarely by updated. Contrary to that, the file containing the behavioral pattern will be updated frequently. This file is also relatively large and encrypted, its decryption being done by the software residing in a secure area.
  • the exemplary system 100 includes the following elements:
  • an issuer 10 which in exemplary embodiment is the credit card company or a bank
  • server 20 which in exemplary embodiment can be one server or plurality of servers, residing at the issuer's premises or at separate location
  • mobile payment device 30 which in exemplary embodiment can be, but is not limited to, a mobile telephone device or a credit card, point of sale (POS) 40 , clearing house 50 .
  • POS point of sale
  • step 100 the issuer 10 sends the transactional data of the customer to the server 20 .
  • step 110 the server 20 computes a unique behavioral pattern of the customer. The behavioral pattern is sent to the mobile payment device 30 in step 120 .
  • the customer's mobile payment device 30 receives from the point of sale 40 the transaction details in step 130 .
  • the transactions details comprise the merchant ID, time of the transaction and the sum amount of the transaction.
  • step 140 the mobile payment device 30 computes whether the transaction can receive authorization, based on the behavioral pattern received in the mobile payment device, described in step 120 .
  • step 140 If the outcome of the computation in step 140 is negative, then the customer will be asked in step 150 to enter identification means. The mobile payment device 30 then verifies the identification means. If the verification fails, then the customer will not be able to perform the transaction.
  • Steps 140 and 150 will be referred to hereinafter as the verification process and will be further detailed later on.
  • transaction data is sent to in step 160 via the POS 40 to the clearing house 50 .
  • step 170 clearing house 50 sends the transaction data to the issuer 10 .
  • the exemplary mobile payment device 30 contains among other elements the following elements:
  • the Location receiver 31 for calculation of the mobile payment device location using data received.
  • the received data can be, and is not limited to, OPS (global positioning system) data received from orbiting satellites, position data received via base station e.g. TOA, triangulation, etc. or any combination thereof.
  • OPS global positioning system
  • base station e.g. TOA, triangulation, etc.
  • Methods for locating the position of a mobile device are well known in the art and will not be discussed further here.
  • Validity token 32 stores a token based in an exemplary embodiment on One Time Password (OTP), well-known to those skilled in the art.
  • OTP One Time Password
  • the validity token is received from the server 20 . It is replaced once every known period which in an exemplary embodiment could extend from a few minutes to a few days, depending on the needed level of security, to verify that the mobile payment device is in order and is not blocked.
  • the mobile payment device if the mobile payment device was stolen then it is considered not in order. In another exemplary embodiment, the mobile payment device will be blocked if the user had reached the allowed limit for accumulated transactions (credit limit), i.e. not Open To Buy (OTB). Another exemplary option for blocking the mobile payment device is if the user has entered incorrect identification means such as, but not limited to, wrong password. It will be understood by those skilled in the art that blocking the device due to wrong password can be activated after a predefined number of false retries. Replacing the token can take place for example either by SMS or WI-FI or voice communication, or mobile data.
  • the payment software will be ‘locked’, i.e. not usable, a procedure well known in the art.
  • the entire functionality of the mobile payment device will be halted. For example, if the mobile payment device is cellular phone, then it will not be able to make outgoing calls.
  • Behavioral pattern 33 is for example, an encrypted file or files or any other collection of data, received from the server 20 .
  • the file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules. This file does not necessarily need to reside in a secure area as opposed to the model 34 , because it is relatively large when compared to the model, and because it is encrypted. It can reside, for example, in the memory of the mobile payment device.
  • the behavioral pattern is unique for every customer. In an exemplary embodiment however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. In another exemplary embodiment, one mobile payment device can support two or more files representing different behavioral patterns of different cards from different issuers related to the same customer.
  • Model 34 is a software element implementing one or more algorithms.
  • the algorithm can be the logistic model. As known to those skilled in the art, this model is basing its predictions by the deviation from the regular behavior of the customer.
  • the algorithm can be the known in the art rule based engine related to the specific customer encrypted rules that were sent to element 33 form the server 20 .
  • the algorithm can be a data mining function implemented in the form of a decision tree or neural network engine as is known in the art.
  • the model resides inside a protected area, which is secure and not accessible for users after the initial installation.
  • the protected area can be located in a secure area inside the SIM card of the mobile device, as implemented for example by Google's Android operating system.
  • the protected area can be located in the memory of the device as implemented for example by Apple's iOS operating system.
  • the model 34 uses the data or rules that were stored with element 33 for rejecting or approving the transaction. This is done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details.
  • the outcome of the calculation by the model can be a request for higher level of security, implemented for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level.
  • the application 35 also resides in the protected area. As will be readily understood by those skilled in the art, the application communicates with the other elements of the mobile payment device and executes the different algorithms which are part of the various methods of the current invention.
  • step 140 and 150 in FIG. 2 an exemplary verification process in accordance with the present invention will be described.
  • step 405 the mobile payment device and the POS initiate communication.
  • the communication is short ranged in order to achieve security and avoid ears dropping. Examples of short range communication include, among others, NFC and Bluetooth, as is well known for those skilled in the art.
  • the mobile payment device identifies itself to the OOS either by key exchange or by a standard protocol as defined in the NPC specifications.
  • step 410 the POS 40 validates the validity token 32 .
  • This step is optional, since as described hereinabove, the functionality of the mobile payment device will halt in the case that a valid token does not exist.
  • step 420 the transaction details are transferred to the mobile payment device 30 from the POS.
  • the transaction details comprise merchant ID, time of the transaction and the sum amount of the transaction.
  • step 430 the model 34 , based on the behavioral pattern 33 approves or denies the transaction.
  • step 440 If the model in step 430 denied the transaction, then the customer will be asked in step 440 to enter identification means.
  • the identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof.
  • the mobile payment device 30 then verifies the identification means. If the verification fails, then the customer will not be able to perform the transaction. An update on the failure is sent to server 20 and from the server to the issuer 10 .
  • the issuer can consider blocking (i.e. lock) the customer from further use of the payment software as was previously described.
  • the server 20 will be updated with the transaction details and also with location data, so the server can update the profile of the customer.
  • the system can be used to track merchant fraud in addition to customer fraud that was described hereinabove. If, for example, there is suspicion that a certain transaction was not carried out by the customer, the mobile payment device could be interrogated for approving or denying that this transaction ever took place. It is to be understood by those skilled in the art that this embodiment requires the mobile payment device to keep track of the customer's transactions, as can be seen in element 36 of the mobile payment device 30 in FIG. 5 .
  • FIG. 7 describes in more detail an exemplary method for merchant verification.
  • step 610 the issuer 10 receives transaction data from the merchant.
  • step 620 the issuer 10 sends to the server 20 a request for transaction validation.
  • step 630 the server 20 sends a request to the mobile payment device 30 for the transaction details.
  • the mobile payment device sends the requested transaction details or a response that the details are not available, to the server 20 .
  • the server 20 validates the transaction and the merchant in step 650 if the transaction details are available and then sends the results of validation to the issuer 10 .

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Finance (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Data Mining & Analysis (AREA)
  • Game Theory and Decision Science (AREA)
  • Marketing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Lock And Its Accessories (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)

Abstract

A system, method and a device for offline authentication of transactions using mobile device, based on, analytic engine such as behavioral pattern detection are provided. The behavioral pattern can be for a specific person, for group of people with similar characteristics, or a combination of the two. The invention has the advantage over the prior art centralized authentication and fraud detection systems in that it is more precise in identifying and preventing fraud in real time. The precision is better for both customer and merchant frauds. The present invention also requires fewer investments in infrastructure and uses less communication traffic when compared to the prior art.

Description

    FIELD OF THE INVENTION
  • The present invention is directed to the use of mobile devices in offline transactions, and, more particularly, to a system, method and device for self-authentication of transactions.
  • DESCRIPTION OF THE RELATED ART
  • Mobile devices nowadays are in widespread use. The mobile devices of today have many uses other than plain conversation and messaging. One of the emerging fields of use for the mobile devices is for transactions such as purchasing an item.
  • The improved ability of mobile devices provides enhanced web capabilities (e.g. internet) and applications. The user interface has improved and thus created a platform for applications, innovative initiatives and new opportunities.
  • In the context of financial transactions, the mobile device can be used in many processes, when payments by which (m-payments) are one category of financial transactions implemented by the mobile platform, along with financial services (m-services) and trade (m-commerce).
  • It is customary to distinguish between several key procedures wherein a mobile device is involved in financial transactions:
  • Mobile payment—a fee, set by the transfer of money in exchange for a product or service, wherein the mobile device is involved in both the initiation and the approval of the payment. The payer can be present at the point of sale or “in movement” (“on the way”) and the infrastructure that supports the payment can change.
  • Payment can be processed by credit card or by Prepaid-wallet. (For example: money can be transferred and deducted from the amount paid in advance or can be collected by the MNO.)
  • Mobile order—the mobile device is used for initiating an order but is not used for pay. (For example: ordering food via the mobile device from a restaurant and paying with cash on delivery).
  • Mobile delivery—the mobile device is used for delivery of goods or services but not used for payment, for example, an event entrance card issued and delivered to the mobile device.
  • Mobile authentication—the mobile device is used for authenticating the user details as part of the transaction or to allow access to information or other functionality. For example, code it sent to the mobile device which the user should key in online to confirm the user's identity.
  • Mobile banking—access to bank functionality via mobile device, through the use of a browser or an application. For example: viewing account status and transaction history through the application. It should be noted that this process allows making a payment using the mobile device.
  • Mobile marketing—includes loyalty campaigns, advertising and coupons.
  • Technology for Mobile Payments
  • The technologies that allow payment by mobile devices can usually be divided into two categories:
  • 1. Remote payments—the payer and the payment device are not present at the point of sale;
    2. Proximity payments—the presence of the payer and the payment device are required at the point of sale.
  • Technologies that Enable Remote Payment:
  • Text messaging via SMS & USSD—SMS communications protocol allows broadcasting messages not only between the two mobile devices, but also between the mobile device and a computer, and therefore allows m-payments. The SMS communications protocol is inexpensive and relatively simple to use and is now the more accepted method of payment using mobile device, however, the user experience is not adequate. Mobile payments derived by SMS allow transfer of funds from listed accounts or e-wallet.
  • USSD technology is a standard for transferring information over the GSM channels and is used primarily as a method for queries and information services and is associated with information in real time achieved by calling numbers that begin with “*” or “#”, and then a combination of numbers and asterisks and ending with “#”. There is no option to store and forward information, but the response time of USSD is better than SMS.
  • Interactive Voice Response (IVR)—Communication with a computer server via a telephone call over the cellular network, usually via dialogue menus by voice or phone keyboard input. This technology has limited user interface and user experience is not optimal.
  • Mobile internet—is typically used for web browsing via small mobile devices as mobile phones.
  • Technologies that Require the Presence of Payer at the Point of Sale (Proximity):
  • NFC (Near Field Communication)—technology that allows devices to perform contactless transactions at short-term distance (approx. 4 cm or 1.5 inch in practice), access digital information and link electronically between devices. The NFC has number of variations e.g. NFC Stickers, microSD, integrated device.
  • QR Code (Quick Response Barcode)—matrix barcode that can be read by a reader of QR Code and by a mobile device with a camera. The encoded information can be text, URL or other form of data.
  • Card acceptance on a mobile device—external devices to the mobile device allowing receipt of payment and/or credit card information charging/payment application, such as Square or “PayPal Here”
  • Mobile Payments (m-payments) ‘players’ point of view will now be described both from the supply side and the demand side.
  • Supply Side—Providers of Payments Service in Mobile:
  • Mobile network operators (MNO's)—MNO's have been striving to achieve a return on their investments in infrastructure during the last two decades, which resulted in part an increased use of air time and data transfer usage. For them, the m-payments have the option to diversify the range of products and services that correspond to the client's needs and lifestyle.
  • Financial institutions (Fis)—Fis wanted to ‘stay in the game’ and maintain their status (e.g. profit) and relationship with the client even with the mobile payments environment as they do today in the physical payments environment, for example issuing “payment credentials”.
  • Manufacturers of mobile phones—(Original Equipment Manufacturers a.k.a. OEMs)—OEMs have the ability to decide which technologies to implement in the various devices and which uses to allow.
  • Success using the mobile phone as a payment method has the potential to influence towards significant sales increase of mobile phones to new customers as well as significant sales increase of mobile phones to customers upgrading existing devices to those enabling m-payments.
  • Trusted Service Managers (TSMs)—third party neutral intermediary or a service provider providing a single integration point for all the cellular operators (MNOs), for all the financial institutions (Fis), transit authorities and retailers who want to provide mobile payment applications, ticketing applications or loyalty applications for their clients, characterized in that the applications are using NFC technology in the mobile devices. They are owners or managers of the “Secure Element”.
  • Main functions of the TSM include, among other things, engagement with mobile network operator and applicative service providers, ensuring the protection and security from end to end which includes ensuring compliance with security requirements for software, hardware, cell phones, chips and applications, risk management of scams. They are also responsible for customer service and support in the context of Secure Element, which include customer alerts for loss, theft and reporting fraudulent transactions. Additional tasks include updating user interfaces, customer database management, life cycle management of applications, management services that are “value-added” as reloading tickets and more.
  • Technology providers—mobile payments (m-payments), like any other technology, are driven by new developments, and hold great opportunities for manufacturers and suppliers of technology and system integration. Among those the following can be included:
  • chip manufacturers producing the smart card's chips which can host the payment application or the secure element (SE);
    SE Issuers—(secure element issuers) match the chip with the appropriate protection component;
    service providers offering services for end users, such as authentication services, and the TSM allows the service provider to use the secure element.
  • Demand Side:
  • Merchants—for them m-payment at point of sale (POS) can lead to higher capacity (throughput) in checkout and the ability to expand the use of, utilize the mobile platform and send marketing messages in real time. Unmanned points of sale or remote points of sale can benefit from this form of payment by the reduction in costs. Also remote mobile payments are another channel with lower costs for merchants.
  • Consumers—from the perspective of the end consumer, the mobile device has become an integral part of his life, the consumer carries it everywhere and it achieved a status that can be described as “permanent share of pocket”, i.e. with wallet and keys, it is always with the consumer. Moreover, as the consumers' confidence rises, they feel more comfortable to exercise more than one function of the device, and it is slowly turning into a multimedia device with many applications.
  • NPC (Near Field Communication) Technology
  • NFC technology, designed to make a connection between different devices based on their physical proximity, simplifies the initiation of communication between devices, also making this a much more natural thing for a user, as part of the natural user interface (NUT) trend.
  • The technology began as a joint development of Sony and chip maker NXP back in 2002, and is based on RFID (Radio Frequency Identification) chips.
  • RFID tag contains (identification) information which it transmits as a response to a radio signal received from a reader as such. The NEC technology differs from RFID in that it adds security and limits the communication range to 10-20 cm (approx. 4-8 inches) or less in reality, to ensure that only deliberate approximation of the tag to a scanner will share information. In addition, it allows using the tag for other needs, such as a workplace identification tag, payment card for public transportation and substitute means for payment at the store.
  • The Areas of NFC Use can be Divided into Three Types of Activities:
  • “Sharing”—transfer of information between two chips. One chip is a device with a power source and functions as a reader, while the other is a passive chip, with no power source, which is used as a tag containing information.
  • The active chip produces a limited field of radio waves, sufficient for the passive chip to send the information found on it, for example, Smart Poster.
  • “Transaction”—payment transactions. In this case communication is between an active device connected to the banking system and active or passive chip that contains customer information. In fact, this type of this interaction is a substitute for cash and credit cards, because it allows the transfer of money between compatible devices, provided that one of them is pre-loaded with any amount, or a transaction brokered with the credit card company.
  • “Coupling”—occurs when both parties are active chips. In this case, two-way information transfer will occur between two devices using the Peer to Peer method, as in the Bluetooth technology.
  • Payment Card Fraud
  • Payment card fraud occurs when an element (e.g. person) creates financial or material gain by the use of payment means or payment means information to complete a transaction that is not approved by the legal account holder. Lack of approval of the account holder is an essential characteristic characterizing this phenomenon. An approval system for payment card transactions sieves transactions to limit fraud. The system verifies the card, extracts the card's data and decides whether the transaction is subject to certain restrictions set by the issuer or merchant. It could be said that the system checks whether the transaction is in line with the known behavior of the card owner and if this is the case, then in most probability the transaction is being performed by the owner of the card.
  • In general terms, current systems for approval of payment card transactions use a statistical model (for example) for identification of fraudulent transactions. The efficiency of the statistical model is verified in hindsight. This is done by applying the statistical model to known transactions. If the statistical model alerts that 1000 transactions are suspected as fraud but only 10 transactions are actually fraudulent, then the fraud detection ratio of the statistical model is 1:100. If the statistical model alerts that 100 transactions are suspected as fraud but only 10 transactions are actually fraudulent, then the fraud detection ratio of the statistical model is 1:10. 1:100 is said to be a statistical model with lower fraud detection ratio then 1:10. The aim of the developers is to lower the amount of false alarms, without missing the detection of real fraudulent transactions.
  • However, since no statistical model is foolproof, in practice there is always a need to balance between two extremes: a model that will find almost every fraudulent transaction but with many errors (false positive) and a model that will not have many errors but will also miss on real fraud (false negative).
  • In the current systems it is impossible to check every suspected transaction because it will create an enormous load on the resources of the computing system.
  • As a result, current systems compromise and do not check every transaction, even though some transactions can be fraudulent.
  • Transition to electronic payments allows a number of channels to collect payment card data: mobile readers keep cards data; readers imposed over ATM (Skimming); Video Cameras that can capture and copy PIN numbers; utilizing the Internet—sending millions of email messages so a few recipients will expose the credit card data and their accounts (phishing); hackers can infiltrate computer systems and steal data volume from where it is stored or transmitted (data breaches), etc.
  • It should be noted that payment card data can also be collected in the ‘traditional way’ as a result of the card being lost or stolen.
  • Ongoing struggle with fraud drove their extent down. Among the factors that decreased the rate of fraud were the following:
      • Transition to EMV card with transactions at points of sale.
      • Use of Dual Factor Authentication and dynamic authentication (one-time passwords by token, SMS, software, etc.) for CNP (Card Not Present) transactions (mainly online).
      • PCI DSS—broad implementation of information security standards in the payment cards industry. The Payment Card Industry Data Security Standard is a common standard for credit companies since 2004.
      • Better intelligence of the credit card companies (network intelligence), risk evaluation, alerts to consumers in near real time.
      • Better sharing of fraud knowledge management by all parties in the industry.
    The EMV Standard
  • EMV initials represent the names of the companies Europay, MasterCard and Visa, which were the original founders of the EMV standard.
  • The term EMV refers to specification of technical requirements for payment, usually payment cards type of Credit or Debit, in which microchips are embedded and is designed to combat fraud.
  • These cards require a code to initiate a transaction, and are safer. There are several types of payments using these cards, including Chip plus PIN (the most common) and Chip plus Choice (selection between signing and PIN as a cardholder identity verification). Those kinds of security measures are known as VISA's Dynamic passcode authentication (DPA), and MasterCard's Chip Authentication Protocol (CAP).
  • In remote transactions, were the card cannot be presented, a reader device is used. The customer enters a PIN. An application residing on the chip on the EMV card generates a one-time password (OTP), specific to the current transaction.
  • Since the card was swiped through the reader and a PIN was entered, this amounts to Dual Factor Authentication.
  • However, it should be noted that this security measure is applied to all CNP transactions.
  • There is no enhanced scrutiny against a specific transaction suspected to be fraudulent.
  • PRIOR ART SYSTEM AND METHOD
  • An example for the system used nowadays is brought up in FIG. 1. The system comprises: the customer's credit card 60;
    the point of sale (POS) 70 where the customer makes a payment using the credit card 60; the clearing house 80;
    the issuer 90 which issued the credit card 60.
  • FIG. 2 describes an exemplary method for approving a transaction using the system that was described in FIG. 1.
  • In step 510 the card 60 is used by the customer to initiate a transaction in the POS 70.
  • The transaction details are sent in step 520 from the POS 70 to the clearing house 80. The clearing house 80 routes, in step 530, the transaction to the card issuer 90. The issuer 90 generates in step 540 a response to the transaction. The response could be one of the following:
  • Approve—the transaction is approved.
    Decline—the transaction is declined.
    Kill—the credit card should be put out of use.
    Referral—the merchant or the customer who owns the card should call the issuer (i.e. credit card company) 90.
  • The response is routed in step 550 from issuer 90 to the clearing house 80. In step 560 the clearing house 80 routes the response to the POS 70. At the POS 70, in step 570, the transaction is committed or declined according to the response.
  • It should be noted that in this prior art systems, small amount transactions are not always sent for approval. This is because the investment in infrastructure in order to verify small amount transactions would not be cost effective compared to the gain.
  • The prior art systems are based on a server in the issuer (e.g. bank) premises which does the fraud detection checks for millions or tens of millions of customers. This amounts to tens (or even more) of checks per second.
  • Therefore the amount of time per check should be less then tenth of a second.
  • It also should be noted that it takes time for the communication to pass from the POS to server and for the confirmation or decline of the transaction to travel back from the server to the POS.
  • During the check, the server has to retrieve all the needed information needed for processing and perform a large amount of complex mathematical calculations.
  • In practice, these servers are very expensive. Therefore the issuer compromises on the quality of the statistical models and the quantity of the checks.
  • The result is that the level of coverage and accuracy are insufficient and there are many mistakes:
  • classifying legitimate transactions as fraudulent (false positive);
    classifying fraudulent transactions as legitimate (false negative).
  • In practice, due to the low level of accuracy, transactions are rarely blocked.
  • US patent application, publication no. 2010/0327056, discloses a payment approval system and a method for approving a payment for credit cards. The method comprises obtaining fraud parameters by modeling a pattern of fraud usage and for self-authentication (offline approval). However, when self-authentication (offline approval) process estimates a possibility of fraud usage, online approval for more detailed statistical analysis processing is requested from a remote computer.
  • PCT publication no. WO/2006/012538 discloses a methods and apparatus for transaction completion using a proximity integrated circuit payment device i.e. smartcard. The merchant system retrieves information from the smartcard and determines whether the transaction should be completed online or offline.
  • None of the current technologies and prior art, taken alone or in combination, does not address the issue of offline authorization, self-authentication and fraud detection of a transaction, e.g. there is no handling of the security aspects of the transaction without requesting the bank or the credit card company for approval. There is also no solution to the issue of using a statistical model with lower suspicious rate then current statistical models without blocking the transaction or the card.
  • SUMMARY OF THE INVENTION
  • In one embodiment of the present invention, there is provided a system method and a device for offline authentication of transactions using mobile device, based on, analytic engine such as behavioral pattern detection.
  • The behavioral pattern can be for a specific person, for group of people with similar characteristics, or a combination of the two.
  • The present invention has the advantage over the prior art centralized authentication and fraud detection systems in that it is more precise in identifying and preventing fraud in real time. The precision is better for both customer and merchant frauds. The present invention also requires fewer investments in infrastructure and uses less communication traffic when compared to the prior art.
  • These and other features of the invention will be more readily understood upon consideration of the attached drawings and of the following detailed description of those drawings and the presently-preferred and other embodiments of the invention.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is an exemplary prior art payment system;
  • FIG. 2 is a flow chart of an exemplary method for transaction approval used with the prior art payment system;
  • FIG. 3 is an exemplary payment system in accordance with the preset invention;
  • FIG. 4 is a flow chart of an exemplary method of secure purchase in accordance with the preset invention;
  • FIG. 5 is an exemplary mobile payment device in accordance with the preset invention;
  • FIG. 6 is an exemplary verification process in accordance with the preset invention;
  • FIG. 7 is an exemplary validation process for a merchant in accordance with the preset invention.
  • DETAILED DESCRIPTION
  • The following terminology will be used throughout the description:
  • ACII
  • Short for “Automated Clearing House”, a nationwide electronic network for financial transactions. The network clears credit and debit transactions. Rules and regulations for the network are set by NACHA and the Federal Reserve.
  • Acquirer, Merchant Acquirer
  • Either a bank, a processor or independent sales organization (ISO) handling the merchant's card acceptance. A processor or ISO will work with an acquiring bank, which is needed to officially accept payment on behalf of the merchant.
  • AML/ATF Anti-Money Laundering/Anti-Terrorist Financing Associations, Also Referred to as “Payment Brands” or “Network”
  • In the world of credit and debit cards, this is a legacy term that referred to ownership of networks by groups of financial institutions. Today, the word is sometimes used to refer to companies such as MasterCard, Visa, American Express, Discover, STAR, NYCE and others which regulate card acceptance rules and interchange for their member financial institutions.
  • Authorization
  • The process by which an association or a network requests an approval from the issuer (e.g. bank), on behalf of the merchant. Once a transaction is authorized, the association sends the approval to the merchant acquirer, who passes it along to the merchant. Then the customer can complete the purchase.
  • Chargebacks
  • The refusal or reversal by the issuing bank of a transaction presented by the merchant acquirer. Chargebacks result when an issuer returns or charges back the purchase amount to the merchant.
  • Clearing
  • The process by which the merchant acquirer sends purchase information to the association or network, which in turn sends it along to the issuer (e.g. bank). The issuer then prepares the information for the customer's statement.
  • CNP
  • Card not present, transaction without the presence of the card, taking place over the mail or the phone or the internet (e-commerce)
  • Compliance
  • With respect to credit and debit cards, it refers to all the rules and regulations merchants must meet in order to have the right to accept electronic payments, adhering to formats such as the Payment Cardholder Industry Data Security Standard (PCI DSS).
  • Customer
  • Refers, but is not limited to, to the person who wishes to perform a transaction at a point of sale.
  • EFT Network
  • Short for “electronic-funds-transfer” network, a telecommunications and payments infrastructure that connects consumers, ATMs, merchants and banks. There are two types of transactions: those at ATMs and those from signature-debit cards at POS terminals.
  • EMV Standard
  • Europay MasterCard Visa, a global standard for cards, POS, and ATM terminals in relation to credit and debit card payments.
  • FI
  • Short for “Financial institution”. A financial institution acts as an agent that provides financial services for its clients or members. Financial institutions generally fall under financial regulation of a government authority. Common types of financial institutions include banks, building societies, credit unions, stock brokerages, asset management firms, and similar businesses. Financial institutions provide a service as intermediaries of the capital and debt markets. They are responsible for transferring funds from investors to companies, in need of those funds.
  • Fraud Detection Ratio
  • The ratio between the number of alerts to actual fraud detection. The statistical model, used for alerting suspicious transactions, is verified in hindsight. This is done by applying the statistical model to known transactions and counting how many of the alerts are actually real frauds.
  • Issuer
  • A term used to define who issues the credit or debit card. The issuer bears the risk, essentially vouching for the creditworthiness of the customer after approving the customer's transaction.
  • Mandate
  • In payments, the “mandate” is the authorization required.
  • Merchant
  • Merchants function as professionals who deal with trade, dealing in commodities that they do not produce themselves, in order to produce profit.
  • MNO
  • Short for “Mobile Network Operator”. MNO is a company that provides service and has its own frequency allocation of the radio spectrum. It also has the entire infrastructure required to provide mobile telephone service.
  • Mobile Payment Device
  • A device used for mobile payment, which can be, but not limited to, a cellular phone, also known as mobile phone, or a credit card as long as the device has memory, processor for executing a program and the ability for data communication. The data communication can be done for example, via cellular data communication (3G, 4G), Wi-Fi, Bluetooth, NFC or any combination thereof.
  • m-Payment, Mobile Payment
  • A payment where the mobile phone is involved in the initiation and/or confirmation of the payment. The payer may or may not be ‘mobile’ or ‘on the move’.
  • NFC
  • Near Field Communication (NFC) is a short-range high frequency wireless communication technology which enables the exchange of data between devices up to a ten or twenty centimeter (four or eight inches) distance in theory (less than that in practice). The technology is a simple extension of the ISO 14443 proximity-card standard that combines the interface of a smartcard and a reader into a single device.
  • Non-Cash Payments
  • Payments made with instruments other than notes and coins, i.e., using credit transfers, direct debits, credit or debit cards or checks.
  • PIN
  • Personal Identification Number.
  • PIN-Based Debit
  • A process where debit transactions are routed through EFT networks or Visa and MasterCard's online EFT networks, requiring a PIN. Electronic authorization of every transaction and the debits to a customer's checking account is reflected immediately. Also known as “online debit.”
  • POS
  • Short for “Point Of Sale”. The site where a customer makes payment via credit or debit cards. Generally terminals are at the cash register, the checkout counter in a retail shop, but mobile terminals at restaurants, theme parks, computer stores and other merchants are changing where transactions can be conducted.
  • Processor
  • A company that handles all or some of the functions of a credit or debit transaction, ranging from providing terminals to managing back-end settlement.
  • SE—Secure Element
  • Also known as Security Element. Physical place used for user authentication, authorization and stored credentials; it houses confidential information.
  • Settlement
  • Process by which the issuing bank sends payment to the association, which in turn sends it to the merchant acquirer. The acquirer then funds the merchant account.
  • In an exemplary embodiment of the present invention, system, method and a device for self-authentication (offline approval) of transactions using mobile device, based on, analytic engine such as behavioral pattern detection are provided. This is in contrast to current central authentication systems as known in the prior art.
  • In general terms, one of the steps in the method of the present invention is storing a profile of the customer on the customer's mobile payment device. This profile, (e.g. behavioral pattern), stores, for example, the behavior of the customer and the personal details of the customer. For example, the profile is updated when the customer travels to another country, or when the personal status of the customer changes (i.e. marriage, children).
  • As is known to those skilled in the art, the associations or financial institutions (e.g. issuers), currently store a profile of the customer in order to approve the transactions. However, due to the large volume of transaction approval requests that should be processed in fractions of a second, especially at peak times, the best known models for fraud detection cannot be implemented. In order to implement the best known models and process the transaction in the desired time, many powerful processing units are needed, which would have resulted an investment which is not cost effective.
  • Furthermore, even if those best models would have been implemented, they would still have produced large amounts of false positive (tagging and alerting legitimate transactions as fraudulent). Not only that, but these models would have missed fraudulent transactions as well (false negative). It is obvious that missing fraudulent transactions, as well as handling false identification, creates a toll on the financial institutions.
  • For the reasons described hereinabove, fraud detection ratio lower then 1:10 (1:11, etc.) is not dealt by the issuers as fraud. Such a ratio means that there would be too many false positives as there are frauds thus creating a load on the issuer to check all those transactions, and also the possibility of troubling many customers which have done nothing wrong.
  • In the present invention however, since the fraud detection engine operates in the mobile payment device of the customer, it is now possible to put more stringent requirements, taking the risk of high levels of false positive alerts. This is made possible in the current invention since, in the case of alert, the customer can be prompted, for example, to enter a code or biometric data as a general rule or in case of doubt. All of this is being done offline, e.g. without accessing the associations or financial institutions, thus taking a load of them.
  • Also, in the current invention there is no actual limit on the processing power, since the transaction authorization is performed on the personal mobile payment device of the customer. Instead of using a central server, processing is now distributed and this amounts to more processing power in comparison to the prior art central server.
  • Since more processing power is now available, the customer's profile, which stores for example the behavioral pattern of the customer, can be more complex and accurate.
  • The current invention also has the advantage that it avoids sending data from the POS to the central server and receiving confirmation or decline, thus avoiding the communication time which is required by the prior art. The time spent by the current invention is the net time for calculating whether a transaction is fraudulent.
  • Another advantage of the invention over the prior art is that customer's profile can be updated per change (incremental) in real time, in contrast to the prior art where all the profiles of the customers are stored on a central location and due to the large volume of data updates are being done once in a while for all the records.
  • As a result, the limitations of the prior art are overcome and the system is less prone to fraud abuse.
  • As will be described in greater detail hereinafter, in principle the mobile payment device will have the related software residing in a secure area and consuming relatively a small size. This part of the software will rarely by updated. Contrary to that, the file containing the behavioral pattern will be updated frequently. This file is also relatively large and encrypted, its decryption being done by the software residing in a secure area.
  • Referring to FIG. 3, an exemplary payment system 100 will be described. The exemplary system 100 includes the following elements:
  • an issuer 10 which in exemplary embodiment is the credit card company or a bank, server 20 which in exemplary embodiment can be one server or plurality of servers, residing at the issuer's premises or at separate location,
    mobile payment device 30 which in exemplary embodiment can be, but is not limited to, a mobile telephone device or a credit card,
    point of sale (POS) 40,
    clearing house 50.
  • It is to be understood that the elements of the system are connected to each other via standard communication lines, either wire line or wireless, as known in the art.
  • It should be understood that some elements are presented as separate elements for the sake of clarity only. In another exemplary embodiment, several elements from the group comprising the server, issuer and the clearing house could be grouped together to form one element.
  • Referring to FIG. 4, an exemplary method of secure purchase with self-authentication will now be described. In step 100, the issuer 10 sends the transactional data of the customer to the server 20. In step 110, the server 20 computes a unique behavioral pattern of the customer. The behavioral pattern is sent to the mobile payment device 30 in step 120.
  • When the customer wishes to perform a transaction, the customer's mobile payment device 30 receives from the point of sale 40 the transaction details in step 130. In an exemplary embodiment, the transactions details comprise the merchant ID, time of the transaction and the sum amount of the transaction.
  • In step 140 the mobile payment device 30 computes whether the transaction can receive authorization, based on the behavioral pattern received in the mobile payment device, described in step 120.
  • If the outcome of the computation in step 140 is negative, then the customer will be asked in step 150 to enter identification means. The mobile payment device 30 then verifies the identification means. If the verification fails, then the customer will not be able to perform the transaction.
  • Steps 140 and 150 will be referred to hereinafter as the verification process and will be further detailed later on.
  • However, if the transaction is authorized by the mobile payment device 30, either in step 140 or 150, then transaction data is sent to in step 160 via the POS 40 to the clearing house 50.
  • In step 170 clearing house 50 sends the transaction data to the issuer 10.
  • Referring now to FIG. 5, the exemplary mobile payment device 30 in accordance with the present invention will now be described.
  • The exemplary mobile payment device 30 contains among other elements the following elements:
  • Location receiver 31 for calculation of the mobile payment device location using data received. The received data can be, and is not limited to, OPS (global positioning system) data received from orbiting satellites, position data received via base station e.g. TOA, triangulation, etc. or any combination thereof. Methods for locating the position of a mobile device are well known in the art and will not be discussed further here.
  • Validity token 32 stores a token based in an exemplary embodiment on One Time Password (OTP), well-known to those skilled in the art. The validity token is received from the server 20. It is replaced once every known period which in an exemplary embodiment could extend from a few minutes to a few days, depending on the needed level of security, to verify that the mobile payment device is in order and is not blocked.
  • In an exemplary embodiment, if the mobile payment device was stolen then it is considered not in order. In another exemplary embodiment, the mobile payment device will be blocked if the user had reached the allowed limit for accumulated transactions (credit limit), i.e. not Open To Buy (OTB). Another exemplary option for blocking the mobile payment device is if the user has entered incorrect identification means such as, but not limited to, wrong password. It will be understood by those skilled in the art that blocking the device due to wrong password can be activated after a predefined number of false retries. Replacing the token can take place for example either by SMS or WI-FI or voice communication, or mobile data.
  • In the event that the valid validity token was not received in the mobile payment device, then the payment software will be ‘locked’, i.e. not usable, a procedure well known in the art. In another exemplary embodiment, the entire functionality of the mobile payment device will be halted. For example, if the mobile payment device is cellular phone, then it will not be able to make outgoing calls.
  • In another exemplary embodiment, it is possible to take immediate action for disabling the mobile payment device, without waiting for the token to expire. For example, if a transaction has exceeded the allowed limit, the mobile payment device can be instructed, by a remote command, to ‘lock’ the payment software. Another option is to initiate the ‘locking’ of the payment software by the customer and/or service representative, for example, in the case that the mobile payment device was stolen.
  • Behavioral pattern 33 is for example, an encrypted file or files or any other collection of data, received from the server 20. The file (or files) describes the behavior profile of the customer and similar customers. In an exemplary embodiment, the file can also describe the behavior profile of fraudulent persons or specific customer encrypted rules. This file does not necessarily need to reside in a secure area as opposed to the model 34, because it is relatively large when compared to the model, and because it is encrypted. It can reside, for example, in the memory of the mobile payment device. The behavioral pattern is unique for every customer. In an exemplary embodiment however, one mobile payment device can support two or more files representing different behavioral patterns of different users or customers. In another exemplary embodiment, one mobile payment device can support two or more files representing different behavioral patterns of different cards from different issuers related to the same customer.
  • Model 34 is a software element implementing one or more algorithms.
  • In an exemplary embodiment, the algorithm can be the logistic model. As known to those skilled in the art, this model is basing its predictions by the deviation from the regular behavior of the customer.
  • In another exemplary embodiment, the algorithm can be the known in the art rule based engine related to the specific customer encrypted rules that were sent to element 33 form the server 20.
  • In yet another exemplary embodiment, the algorithm can be a data mining function implemented in the form of a decision tree or neural network engine as is known in the art.
  • The model resides inside a protected area, which is secure and not accessible for users after the initial installation. In an exemplary embodiment, the protected area can be located in a secure area inside the SIM card of the mobile device, as implemented for example by Google's Android operating system. In another exemplary embodiment, the protected area can be located in the memory of the device as implemented for example by Apple's iOS operating system.
  • The model 34 uses the data or rules that were stored with element 33 for rejecting or approving the transaction. This is done by decrypting the encrypted behavioral pattern file or data or rules, and, when a transaction takes place, calculating the probability for fraud based on the behavioral pattern or data or rules and the transaction details. In another exemplary embodiment, the outcome of the calculation by the model can be a request for higher level of security, implemented for example by requesting the customer to enter one or more codes, in different lengths, as defined by the requested security level. The application 35 also resides in the protected area. As will be readily understood by those skilled in the art, the application communicates with the other elements of the mobile payment device and executes the different algorithms which are part of the various methods of the current invention.
  • Referring now to FIG. 6, an exemplary verification process ( steps 140 and 150 in FIG. 2) in accordance with the present invention will be described.
  • In step 405 the mobile payment device and the POS initiate communication. The communication is short ranged in order to achieve security and avoid ears dropping. Examples of short range communication include, among others, NFC and Bluetooth, as is well known for those skilled in the art. The mobile payment device identifies itself to the OOS either by key exchange or by a standard protocol as defined in the NPC specifications.
  • In step 410 the POS 40 validates the validity token 32. This step is optional, since as described hereinabove, the functionality of the mobile payment device will halt in the case that a valid token does not exist.
  • In step 420 the transaction details are transferred to the mobile payment device 30 from the POS. In an exemplary embodiment the transaction details comprise merchant ID, time of the transaction and the sum amount of the transaction.
  • In step 430 the model 34, based on the behavioral pattern 33 approves or denies the transaction.
  • If the model in step 430 denied the transaction, then the customer will be asked in step 440 to enter identification means. The identification means can be, and not limited to, password, biometric characteristic of the customer, or a combination thereof. The mobile payment device 30 then verifies the identification means. If the verification fails, then the customer will not be able to perform the transaction. An update on the failure is sent to server 20 and from the server to the issuer 10. The issuer can consider blocking (i.e. lock) the customer from further use of the payment software as was previously described.
  • If, however, the customer was successful in the verification of step 440, the server 20 will be updated with the transaction details and also with location data, so the server can update the profile of the customer.
  • In an exemplary embodiment, the system can be used to track merchant fraud in addition to customer fraud that was described hereinabove. If, for example, there is suspicion that a certain transaction was not carried out by the customer, the mobile payment device could be interrogated for approving or denying that this transaction ever took place. It is to be understood by those skilled in the art that this embodiment requires the mobile payment device to keep track of the customer's transactions, as can be seen in element 36 of the mobile payment device 30 in FIG. 5.
  • FIG. 7 describes in more detail an exemplary method for merchant verification.
  • In step 610 the issuer 10 receives transaction data from the merchant. In order to verify that the transaction indeed took place, in step 620 the issuer 10 sends to the server 20 a request for transaction validation. In step 630 the server 20 sends a request to the mobile payment device 30 for the transaction details. The mobile payment device, in turn, sends the requested transaction details or a response that the details are not available, to the server 20. The server 20 validates the transaction and the merchant in step 650 if the transaction details are available and then sends the results of validation to the issuer 10.
  • While the foregoing written description of the invention enables one of ordinary skill to make and use what is considered presently to be the best mode thereof, those of ordinary skill will understand and appreciate the existence of variations, combinations, and equivalents of the specific embodiment, method, and examples herein. The invention should therefore not be limited by the above described embodiment, method, and examples, but by all embodiments and methods within the scope and spirit of the invention.

Claims (21)

1-28. (canceled)
29. A non-transitory computer readable medium storing instructions that, when executed by at least one processor, cause the at least one processor to perform operations comprising:
maintaining a plurality of behavioral profiles, the plurality of behavioral profiles being associated with a plurality of mobile payment device users, wherein each of the mobile payment device users has an associated mobile payment device;
transmitting to each of the mobile payment devices one of the plurality of behavioral profiles for storage on the mobile payment devices;
acquiring from the mobile payment devices new activity information;
after the transmitting, updating the plurality of behavioral profiles based on the acquired new activity information; and
sending to each of the mobile payment devices one of the plurality of updated behavioral profiles for use in offline fraud detection in financial transactions.
30. The non-transitory computer readable medium of claim 29, wherein the plurality of behavioral profiles are configured for use in offline fraud detection in financial transactions.
31. The non-transitory computer readable medium of claim 29, wherein the transmitting, acquiring, and updating, for each of the plurality of mobile payment devices, occur at differing times.
32. The non-transitory computer readable medium of claim 29, wherein timings of transmitting and acquiring, for each of the plurality of mobile payment devices, occur according to a common set of rules.
33. The non-transitory computer readable medium of claim 29, wherein the new activity information includes identification of a merchant that a mobile payment device user patronized.
34. The non-transitory computer readable medium of claim 29, wherein the new activity information includes a new geographic location associated with a mobile payment device user.
35. The non-transitory computer readable medium of claim 29, wherein the operations further comprise, based on acquiring new activity information associated with a first mobile payment device user, updating a behavioral profile of a second mobile payment device user.
36. The non-transitory computer readable medium of claim 35, wherein the new activity information from the first mobile payment device user is determined to be associated with fraudulent activity.
37. The non-transitory computer readable medium of claim 35, wherein the first mobile payment device user is determined to have behavioral similarities with the second mobile payment device user.
38. The non-transitory computer readable medium of claim 29, wherein transmitting to each of the mobile payment devices one of the plurality of behavioral profiles comprises sending a first validity token, and sending to each of the mobile payment devices one of the plurality of updated behavioral profiles comprises sending a second validity token, wherein the first validity token and the second validity token enable a mobile payment device to perform offline fraud detection processing.
39. A computer-implemented method for refreshing a behavioral profile stored on a mobile payment device comprising:
maintaining a plurality of behavioral profiles, the plurality of behavioral profiles being associated with a plurality of mobile payment device users, wherein each of the mobile payment device users has an associated mobile payment device;
transmitting to each of the mobile payment devices one of the plurality of behavioral profiles for storage on the mobile payment devices;
acquiring from the mobile payment devices new activity information;
after the transmitting, updating the plurality of behavioral profiles based on the acquired new activity information; and
sending to each of the mobile payment devices one of the plurality of updated behavioral profiles for use in offline fraud detection in financial transactions.
40. The computer-implemented method of claim 39, wherein the plurality of behavioral profiles are configured for use in offline fraud detection in financial transactions.
41. The computer-implemented method of claim 39, wherein the transmitting, acquiring, and updating, for each of the plurality of mobile payment devices, occur at differing times.
42. The computer-implemented method of claim 39, wherein timings of transmitting and acquiring, for each of the plurality of mobile payment devices, occur according to a common set of rules.
43. The computer-implemented method of claim 39, wherein the new activity information includes identification of a merchant that a mobile payment device user patronized.
44. The computer-implemented method of claim 39, wherein the new activity information includes a new geographic location associated with a mobile payment device user.
45. The computer-implemented method of claim 39, further comprising, based on acquiring new activity information associated with a first mobile payment device user, updating a behavioral profile of a second mobile payment device user.
46. The computer-implemented method of claim 45, wherein the new activity information from the first mobile payment device user is determined to be associated with fraudulent activity.
47. The computer-implemented method of claim 45, wherein the first mobile payment device user is determined to have behavioral similarities with the second mobile payment device user.
48. The computer-implemented method of claim 39, wherein transmitting to each of the mobile payment devices one of the plurality of behavioral profiles comprises sending a first validity token, and sending to each of the mobile payment devices one of the plurality of updated behavioral profiles comprises sending a second validity token, wherein the first validity token and the second validity token enable a mobile payment device to perform offline fraud detection processing.
US15/003,505 2013-04-25 2016-01-21 Refreshing a behavioral profile stored on a mobile device Abandoned US20160140565A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/003,505 US20160140565A1 (en) 2013-04-25 2016-01-21 Refreshing a behavioral profile stored on a mobile device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201361815798P 2013-04-25 2013-04-25
PCT/IL2014/000022 WO2014174506A1 (en) 2013-04-25 2014-04-24 Self authentication
US201514786633A 2015-10-23 2015-10-23
US15/003,505 US20160140565A1 (en) 2013-04-25 2016-01-21 Refreshing a behavioral profile stored on a mobile device

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
US14/786,633 Continuation US20160078445A1 (en) 2013-04-25 2014-04-24 Self authentication
PCT/IL2014/000022 Continuation WO2014174506A1 (en) 2013-04-25 2014-04-24 Self authentication

Publications (1)

Publication Number Publication Date
US20160140565A1 true US20160140565A1 (en) 2016-05-19

Family

ID=51791145

Family Applications (8)

Application Number Title Priority Date Filing Date
US14/786,633 Abandoned US20160078445A1 (en) 2013-04-25 2014-04-24 Self authentication
US15/003,505 Abandoned US20160140565A1 (en) 2013-04-25 2016-01-21 Refreshing a behavioral profile stored on a mobile device
US15/003,517 Abandoned US20160140551A1 (en) 2013-04-25 2016-01-21 Mobile device incremental behavioral profile updates
US15/003,594 Abandoned US20160196559A1 (en) 2013-04-25 2016-01-21 Mobile device detection of merchant fraud
US15/003,567 Abandoned US20160140538A1 (en) 2013-04-25 2016-01-21 Mobile device local interruption of transactions
US15/003,581 Abandoned US20160140560A1 (en) 2013-04-25 2016-01-21 Autonomous fraud interrogation by mobile device
US15/003,490 Active - Reinstated 2035-06-05 US10395251B2 (en) 2013-04-25 2016-01-21 Remotely generated behavioral profile for storage and use on mobile device
US15/003,448 Abandoned US20160140564A1 (en) 2013-04-25 2016-01-21 Mobile device fraud detection using locally stored behavioral information of others

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/786,633 Abandoned US20160078445A1 (en) 2013-04-25 2014-04-24 Self authentication

Family Applications After (6)

Application Number Title Priority Date Filing Date
US15/003,517 Abandoned US20160140551A1 (en) 2013-04-25 2016-01-21 Mobile device incremental behavioral profile updates
US15/003,594 Abandoned US20160196559A1 (en) 2013-04-25 2016-01-21 Mobile device detection of merchant fraud
US15/003,567 Abandoned US20160140538A1 (en) 2013-04-25 2016-01-21 Mobile device local interruption of transactions
US15/003,581 Abandoned US20160140560A1 (en) 2013-04-25 2016-01-21 Autonomous fraud interrogation by mobile device
US15/003,490 Active - Reinstated 2035-06-05 US10395251B2 (en) 2013-04-25 2016-01-21 Remotely generated behavioral profile for storage and use on mobile device
US15/003,448 Abandoned US20160140564A1 (en) 2013-04-25 2016-01-21 Mobile device fraud detection using locally stored behavioral information of others

Country Status (11)

Country Link
US (8) US20160078445A1 (en)
EP (1) EP2989603A4 (en)
JP (1) JP2016522925A (en)
CN (1) CN105339965A (en)
AU (1) AU2014258992A1 (en)
BR (1) BR112015026800A2 (en)
HK (1) HK1224407A1 (en)
MX (1) MX2015014917A (en)
RU (1) RU2016104534A (en)
SG (2) SG11201508369TA (en)
WO (1) WO2014174506A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11538063B2 (en) 2018-09-12 2022-12-27 Samsung Electronics Co., Ltd. Online fraud prevention and detection based on distributed system

Families Citing this family (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10395223B2 (en) 2012-03-07 2019-08-27 Early Warning Services, Llc System and method for transferring funds
US11593800B2 (en) 2012-03-07 2023-02-28 Early Warning Services, Llc System and method for transferring funds
WO2015084797A1 (en) * 2013-12-02 2015-06-11 Mastercard International Incorporated Method and system for secure tranmission of remote notification service messages to mobile devices without secure elements
US8990121B1 (en) 2014-05-08 2015-03-24 Square, Inc. Establishment of a secure session between a card reader and a mobile device
US20200137050A1 (en) * 2014-06-27 2020-04-30 Jpmorgan Chase Bank, N.A. Method and system for applying negative credentials
KR101952429B1 (en) * 2014-12-05 2019-02-26 장길훈 An electronic commerce service method using information from multiple buyers' service uses
US11068895B2 (en) * 2015-02-17 2021-07-20 Visa International Service Association Token and cryptogram using transaction specific information
US11049090B2 (en) * 2015-03-11 2021-06-29 Paypal, Inc. NFC application registry for enhanced mobile transactions and payments
US11423404B2 (en) 2015-05-13 2022-08-23 Mastercard International Incorporated System and methods for enhanced approval of a payment transaction
US11386410B2 (en) 2015-07-21 2022-07-12 Early Warning Services, Llc Secure transactions with offline device
US11593780B1 (en) 2015-12-10 2023-02-28 Block, Inc. Creation and validation of a secure list of security certificates
CN106940767A (en) * 2016-01-05 2017-07-11 阿里巴巴集团控股有限公司 A kind of application of IC cards safe verification method and device
CN105760767B (en) * 2016-03-04 2018-12-04 东信和平科技股份有限公司 A kind of method and system of file tracking and safety management
US10861019B2 (en) * 2016-03-18 2020-12-08 Visa International Service Association Location verification during dynamic data transactions
US10607224B2 (en) 2016-04-04 2020-03-31 Mastercard International Incorporated Systems and methods for secure authentication of transactions initiated at a client device
US10091007B2 (en) 2016-04-04 2018-10-02 Mastercard International Incorporated Systems and methods for device to device authentication
CN106875175B (en) * 2016-06-28 2020-07-24 阿里巴巴集团控股有限公司 Method and device convenient for payment subject expansion
US11144928B2 (en) * 2016-09-19 2021-10-12 Early Warning Services, Llc Authentication and fraud prevention in provisioning a mobile wallet
US9940612B1 (en) * 2016-09-30 2018-04-10 Square, Inc. Fraud detection in portable payment readers
US10803461B2 (en) 2016-09-30 2020-10-13 Square, Inc. Fraud detection in portable payment readers
CN108269084A (en) * 2017-01-03 2018-07-10 阿里巴巴集团控股有限公司 A kind of method and device for progress barcode scanning payment on the mobile apparatus
US10163084B2 (en) 2017-02-13 2018-12-25 Bank Of America Corporation Banking systems controlled by data bearing records
US11687929B2 (en) * 2018-03-23 2023-06-27 American Express Travel Related Services Co., Inc. Authenticated secure online and offline transactions
CN109102301A (en) * 2018-08-20 2018-12-28 阿里巴巴集团控股有限公司 A kind of payment air control method and system
US10528858B1 (en) * 2018-11-06 2020-01-07 Capital One Services, Llc Methods and arrangements to detect a payment instrument malfunction
US11935059B2 (en) * 2019-05-31 2024-03-19 Visa International Service Association System to reduce false declines using supplemental devices
US11151575B2 (en) * 2019-07-09 2021-10-19 Bank Of America Corporation Trusted pair authentication with edge-computing devices
US20210081949A1 (en) * 2019-09-12 2021-03-18 Mastercard Technologies Canada ULC Fraud detection based on known user identification
US11410194B1 (en) * 2019-10-18 2022-08-09 Wells Fargo Bank, N.A. Systems and methods for linking ATM to retailer transaction to preserve anonymity
US20210142328A1 (en) * 2019-11-13 2021-05-13 Early Warning Services, Llc System and method for preventing fraud in real-time payment transactions
US11317282B2 (en) 2019-12-19 2022-04-26 Bank Of America Corporation Intelligent method for sim-swap fraud detection and prevention
JP6955287B2 (en) * 2020-02-01 2021-10-27 Assest株式会社 Fraudulent Stock Trading Detection Program
KR102368422B1 (en) * 2020-06-17 2022-02-28 한국철도공사 System and method for preventing illegal ride by using big data
TWI743938B (en) * 2020-08-12 2021-10-21 一卡通票證股份有限公司 Offline verification method of transportation vehicle boarding voucher
US20230306496A1 (en) * 2022-03-24 2023-09-28 Bank Of America Corporation Multi-Computer System for Optimized Queue Management Based on Facial Recognition
WO2024076754A1 (en) * 2022-10-07 2024-04-11 Mastercard International Incorporated Artificial intelligence-based fraud and risk management methods and systems for acquirers

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002170063A (en) * 2000-12-01 2002-06-14 Ntt Communications Kk Electronic value transaction system, method, terminal device, and center device
KR100420600B1 (en) * 2001-11-02 2004-03-02 에스케이 텔레콤주식회사 METHOD FOR PROCESSING EMV PAYMENT BY USING IrFM
JP2006313440A (en) * 2005-05-09 2006-11-16 Ufj Nicos Co Ltd Terminal equipment for settlement of credit card, settlement system and settlement method
US20080223918A1 (en) * 2007-03-15 2008-09-18 Microsoft Corporation Payment tokens
JP2009069202A (en) * 2007-09-10 2009-04-02 Teac Corp Speech processor
US8104678B2 (en) * 2007-11-28 2012-01-31 Intelligent Wave, Inc. Payment approval system and method for approving payment for credit card
MX2011003043A (en) * 2008-09-22 2011-05-25 Visa Int Service Ass Over the air management of payment application installed in mobile device.
US8666893B1 (en) * 2009-01-05 2014-03-04 Bank Of America Corporation Electronic funds transfer authentication system
US9471920B2 (en) * 2009-05-15 2016-10-18 Idm Global, Inc. Transaction assessment and/or authentication
US8706556B2 (en) * 2009-11-06 2014-04-22 Mastercard International Incorporated Methods for risk management in payment-enabled mobile device
US20110202453A1 (en) * 2010-02-15 2011-08-18 Oto Technologies, Llc System and method for mobile secure transaction confidence score
US20110231305A1 (en) * 2010-03-19 2011-09-22 Visa U.S.A. Inc. Systems and Methods to Identify Spending Patterns
CN102096872B (en) * 2011-02-12 2015-07-29 中国工商银行股份有限公司 A kind of Web bank's payment information safety detection method and device
US10580049B2 (en) * 2011-04-05 2020-03-03 Ingenico, Inc. System and method for incorporating one-time tokens, coupons, and reward systems into merchant point of sale checkout systems
US9710821B2 (en) * 2011-09-15 2017-07-18 Stephan HEATH Systems and methods for mobile and online payment systems for purchases related to mobile and online promotions or offers provided using impressions tracking and analysis, location information, 2D and 3D mapping, mobile mapping, social media, and user behavior and
CN103049851A (en) * 2012-12-27 2013-04-17 中国建设银行股份有限公司 Transaction data-based anti-fraud monitoring method and device

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11538063B2 (en) 2018-09-12 2022-12-27 Samsung Electronics Co., Ltd. Online fraud prevention and detection based on distributed system

Also Published As

Publication number Publication date
WO2014174506A1 (en) 2014-10-30
US20160140560A1 (en) 2016-05-19
MX2015014917A (en) 2016-06-02
US10395251B2 (en) 2019-08-27
US20160078445A1 (en) 2016-03-17
US20160140564A1 (en) 2016-05-19
US20160140551A1 (en) 2016-05-19
US20160162901A1 (en) 2016-06-09
US20160140538A1 (en) 2016-05-19
CN105339965A (en) 2016-02-17
AU2014258992A1 (en) 2015-11-26
AU2014258992A2 (en) 2016-04-21
SG10201704592XA (en) 2017-07-28
BR112015026800A2 (en) 2017-07-25
SG11201508369TA (en) 2015-11-27
EP2989603A1 (en) 2016-03-02
RU2016104534A (en) 2018-11-22
EP2989603A4 (en) 2017-02-01
JP2016522925A (en) 2016-08-04
HK1224407A1 (en) 2017-08-18
US20160196559A1 (en) 2016-07-07

Similar Documents

Publication Publication Date Title
US10395251B2 (en) Remotely generated behavioral profile for storage and use on mobile device
US20240013171A1 (en) Mobile telephone transfer of funds
CN103765861B (en) The payment of mobile device selects and authorizes
US11625708B2 (en) System and method for customer initiated payment transaction using customer's mobile device and card
US10055740B2 (en) Payment selection and authorization
US9947010B2 (en) Methods and systems for payments assurance
US20180053189A1 (en) Systems and methods for enhanced authorization response
US20150199679A1 (en) Multiple token provisioning
US20150120472A1 (en) Digital wallet system and method
US20120330788A1 (en) Payment selection and authorization by a mobile device
US12003959B2 (en) System and method for correlating diverse location data for data security
WO2015107442A1 (en) Systems and methods for issuing mobile payment cards via a mobile communication network and internet-connected devices
WO2001055984A1 (en) Flexible electronic system for conducting commercial transactions
US20210004806A1 (en) Transaction Device Management
US20180316687A1 (en) System and method for generating access credentials
US11438766B2 (en) Terminal type identification in interaction processing
US20180165679A1 (en) Method and system for transaction authentication
US20230342776A1 (en) Combined token and value assessment processing
Almuairfi et al. Anonymous proximity mobile payment (APMP)
EP4020360A1 (en) Secure contactless credential exchange
KR101692234B1 (en) Ict

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION