WO2005109360A1 - Secure pin entry using personal computer - Google Patents

Secure pin entry using personal computer

Info

Publication number: WO2005109360A1
Authority: WO
Grant status: Application
Prior art keywords: pin, user, transaction, secure, computer
Application number: PCT/IB2004/050628
Other languages: French (fr)
Inventors: Hani Girgis, Nader Iskander
Original Assignee: Hani Girgis, Nader Iskander
Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING; COUNTING > G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR > G06Q20/00 Payment architectures, schemes or protocols
        • G06Q20/08 Payment architectures > G06Q20/12 Payment architectures specially adapted for electronic shopping systems
        • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices > G06Q20/34 using cards, e.g. integrated circuit [IC] cards or magnetic cards > G06Q20/346 Cards serving only as information carrier of service
    • G PHYSICS > G07 CHECKING-DEVICES > G07F COIN-FREED OR LIKE APPARATUS > G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus > G07F7/08 by coded identity card or credit card or other personal identification means > G07F7/10 together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
        • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
        • G07F7/1016 Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
        • G07F7/1025 Identification of user by a PIN code
    • G PHYSICS > G06 COMPUTING; CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/2105 Dual mode as a secondary aspect
        • G06F2221/2113 Multi-level security, e.g. mandatory access control

Abstract

It is a process that allows a user to make secure PIN-based transactions using his personal computer. The steps are:

a) Preparing transaction data,
b) Storing it in non-volatile memory,
c) Restarting or hibernating the computer,
d) Booting into a secure, un-networked environment from a bootable media or device; this bootable media or device must be sufficiently difficult to counterfeit, sufficiently difficult to tamper with the data stored in it, and optionally difficult to copy,
e) Securely launching the secure PIN entry software,
f) Loading transaction data from the non-volatile memory,
g) Presenting the transaction data to the user and optionally allowing the user to modify and/or complete it,
h) Secure PIN entry resulting in an encrypted PIN block and/or enabling the use and/or the generation of the appropriate keys for creating message authentication code(s) and/or cryptogram(s) and/or digital signature(s) according to the transaction security standards; the user can also enter a password to enable secure access to password-encrypted secret keys, private keys and confidential data; the user can also enter secure information to update his records in the server-side system, like a user-choosable CVV2/CVC2 or a new 3D Secure password,
i) Storing the secured transaction request in non-volatile memory,
j) Restarting the computer back to normal operation,
k) Loading the secured transaction request from non-volatile memory,
l) Sending the transaction for authorization,
m) Receiving the response,
n) Presenting the response to the user and optionally storing it.

The process radically protects the user from any malicious software that might affect the security of PIN entry; it dramatically reduces the user's responsibilities to physical security considerations only, like those in ATM transactions. The user should use a personal computer that he knows does not contain malicious hardware; this could easily be his own notebook or PC at home. He should still quickly check that there is no external hardware key logger attached to the computer. The process enables non-repudiation in e-commerce transactions. The process is also an ideal solution for securing the use of smartcards on personal computers. The ability for the user to specify the CVV2/CVC2 that will be used in the next Internet e-commerce transaction is invaluable because it allows for extremely secure e-commerce without requiring any change in the merchant system, acquirer bank system and the card transactions network, like VISA and MasterCard. In the case where the personal computer by default boots into a system that fulfills the security requirements mentioned, like an MIDP 2.0 Java mobile phone for example, then the personal computer, which is the mobile phone, is already secure, hence a stripped-down version of the process is the only thing needed. A Java mobile phone is secure because it either allows the application to run in the sandbox model or the application must be digitally signed to execute with the requested privileges; this prevents any malicious software from having the privilege to make any critical action.

Description

SECURE PIN ENTRY USING PERSONAL COMPUTER

Technical Field

[1] PIN-based transactions, where the Personal Identification Number, the PIN, is used to authenticate the user. ATM transactions are an example of PIN-based transactions.

[2] PIN Entry Device, PED, is a device used to secure the entry and processing of the user's PIN. It needs to have a keypad, a display, storage and processing capabilities. The keypad-like device found beside merchant POS machines, used by the cardholder to enter his PIN, is an example of a PED.

[3] Transaction terminal, the system used to initiate the transaction. It should have a PED if PIN-based transactions are to be supported on this transaction terminal.

[4] Personal Computer security, spying software, Trojan horses and viruses.

[5] E-commerce, where purchases are made electronically over the Internet.

[6] Using smartcards in making secure transactions.

[7] Card Payments, where a payment card is used to make financial transactions.

[8] Digital Signature, generating and verifying digital signatures on transactions.

Background Art

[9] PIN-based transactions enjoy very high security due to the very well established technical standards that support them. The market also responded by implementing the standards and making available Hardware Security Modules, HSMs, for physically securing the server-side part of PIN-based transactions, and PIN Entry Devices, PEDs, for securing the client-side part. In the most critical environments, like banks and governments, only certified HSMs and PEDs are used. One result of this well-established field is the possibility of assuming non-repudiation and putting the liability for the PIN on the user. This is because the whole system for PIN-based transactions is based on well-established standards of well-proven security that need not be verified every time there is a dispute; the only thing needed is to verify that the standards are being followed in the system. The PIN entered in PIN-based transactions is either a PIN to be verified against an offset on the server side, or a PIN that unlocks access to a smartcard, which would create a cryptogram or a digital signature for the transaction.

[10] The PIN Entry Device, PED, is a secure device that captures and processes the PIN. It should have a display to present transaction details on its screen in order to allow the user to review what he is about to authorize by entering his PIN. After the PIN is entered, the PED immediately processes it, either by encrypting it to form an Encrypted PIN Block, or by using it to enable access to a smartcard that would create a transaction cryptogram or a digital signature for the transaction. A transaction cryptogram is a sort of digital signature, but based on symmetric keys and utilizing the Derived Unique Keys (DUK) method for key agreement; it is used mainly in the EMV standard to authorize the transaction. The PIN Entry Device is also able to create and verify Message Authentication Codes, MACs. The details of these operations are well defined by national and international standardization bodies like ANSI and ISO. The national and international institutions that rely on PIN-based transactions further enforce the standards by publishing their own detailed specifications and minimum requirements for the security of PIN Entry Devices, like the VISA PED Security Requirements.

[11] A transaction terminal is a device or system that initiates a transaction. It must include or interact with a PED if it is to support PIN-based transactions. It provides the interface to the acquirer's host. The clearest example is the POS terminal with an external PIN pad; in this case the PIN pad is the secure PED. The ATM machine is also a transaction terminal, but it has the PED integrated in the transaction terminal itself, because there is no separate screen for the PED of the ATM machine. The whole ATM machine is considered as both a transaction terminal and a PED.

[12] Security from malicious software, like Trojan horses, software key loggers and viruses, has been provided either by software or by avoiding the PC altogether and using an external device for entering the highly critical information, like the PIN.

1. A software solution is never guaranteed to be perfect; there is always a possibility that malicious software would tamper with the protecting software itself, and another possibility is that a new type of malicious software would arise that the current protecting software would not be able to detect or prevent, at least for a period of time until an update is made available. It is unfair to put the responsibility for the software security of the PC on the user.

2. The hardware solution could be very secure, but what prohibits it from spreading to most PC users is its high cost. A good example of a hardware solution is the smartcard reader with a PIN pad integrated in the smartcard reader itself; the PIN is never sent to the host computer, it is sent directly to the smartcard. This integrated PIN pad adds very high value to security, because without it, i.e. using a normal smartcard reader that does not have an integrated PIN pad, malicious software can capture the PIN from the keyboard of the PC and, every time it detects that the smartcard is inserted, use it to make fraudulent transactions, as many times as it wishes; but when the smartcard reader has an integrated PIN pad, this can never happen. A different attack however can still happen even if the smartcard reader has a PIN pad: the malicious software can always tamper with the data coming out of the PC to the smartcard reader in order to be signed. This would make the actual data sent to the smartcard reader to be signed different from what the user saw on the PC screen and wanted to sign. The hardware solution to this attack was to integrate a small screen on the smartcard reader in addition to the PIN pad. The smartcard reader would display what is actually going to be signed. Of course this makes the smartcard reader even more expensive; but without this secure screen on the smartcard reader, the malicious software can make a fraudulent transaction each time the user tries to make a transaction.

[13] E-commerce transactions using credit cards were initially treated in the same way as Mail Order / Telephone Order, MO/TO, transactions, where the card holder writes or tells his card number in clear to the merchant. Four security problems arose here, one after the other:

1. The Internet is a public network and people other than the card holder and the merchant can capture the packets passing between them, get the credit card number and use it fraudulently. The best solution that solved this network sniffing problem was SSL, which is now integrated in most web browsers.

2. The second problem is that the credit card number and the expiration date are not really confidential. Any physical merchant gets the credit card number and its expiration date from the receipt and, if he is malicious, he could use them to make fraudulent Internet transactions. This happens even with card holders who never use the Internet at all. The best solution was to incorporate the so-called CVV2 or CVC2 or the like, which is a three- or four-digit number on the back of credit cards, to be entered in Internet transactions or MO/TO transactions where the card is not present. To further enhance it, the Address Verification System was added, where the card holder must enter his billing address to be verified by the bank in order to make sure that the legitimate card holder is the one who is actually making the transaction.

3. The third problem was the Internet merchant himself being fraudulent and storing a copy of all the card holder's confidential data, including the CVV2 and billing address, in order to make fraudulent transactions. The most famous solution that solved this problem was 3D Secure, Verified by Visa, which is basically a variant of the well-known SET protocol. It requires that the issuer bank, the bank of the cardholder, gets involved in the transaction to authenticate the user. The two most common methods for authenticating the user are the user name and password method and the smartcard and PIN method. Of course the smartcard readers mostly used do not integrate a PIN pad or an LCD screen, in order to lower the cost. So the password or the smartcard PIN is entered on the keyboard of the PC.

4. The fourth problem, which is actually the most dangerous of them all because it is not solved yet and the liability is on the user, is the malicious and spying software that is able to read every key stroke typed on the keyboard, see everything displayed on the screen and even take full control over the victim's personal computer. This is not a rare problem; most personal computers today are infected with Trojan horses and spying software. Unfortunately, except for this invention, this problem had no low-cost solution. The secure solutions are very expensive, like the use of a smartcard with a reader that has an integrated PIN pad and an integrated LCD screen.

Disclosure of Invention

Technical Problem

[14] There is a desperate need for a low-cost, customer-owned, secure PIN entry device that allows secure transaction terminals to be built around it to provide non-repudiation while relying on well-established security standards, like the ANSI and ISO PIN security standards.

[15] The personal computer is made of hardware, kernel, operating system, services and applications; it is practically unfair to hold the user liable or even responsible for the security of all these layers, especially because malicious software can in many cases be undetectable, or at least difficult to detect for some period of time until it is discovered and a detection and/or removal tool becomes available. Also, statistics revealed that most PCs today are infected with Trojan horses and/or spy software.

[16] Malicious hardware, like hardware key loggers, can be attached to personal computers.

Technical Solution

[17] A process that allows the personal computer of a user to be used as a secure PIN entry device. Steps are:

[18] Preparing transaction data. As with a normal transaction terminal, like a POS terminal, the terminal prepares the transaction data, like the amount, the card number and the currency, before interacting with the PED. The same applies here. The scope of the invention is the secure PIN entry and its interface with the transaction terminal. The transaction terminal itself is outside the scope of the invention, but it could be a simple Windows application or a web-based application.

[19] Storing the transaction data in a non-volatile memory. This is the suggested interface between the transaction terminal and the secure PIN entry using personal computer. The non-volatile memory could be, for example, the hard disk of the computer, a USB token, or any memory that is persistent between system restarts.

[20] Restarting, or hibernating and starting, or shutting down and restarting the computer. This ensures that any malicious software is no longer in control. Restarting the computer is usually very characteristic and very easily distinguishable by the normal user; it is too difficult for malicious software to imitate the behavior of restarting the computer while still being in control of the computer. The user might need to adjust the boot sequence of his personal computer. This adjustment, if ever needed, is not a very advanced task and would only be done once, just to configure the computer to seek booting from the bootable media or device mentioned in the next step before attempting to boot normally from the hard disk, for example. Fortunately, most computers are already configured to seek booting from CD/DVD and USB devices before normally booting from the hard disk, hence need no adjustment.

[21] Booting from a bootable media or device; this bootable media or device must be sufficiently difficult to counterfeit, sufficiently difficult to tamper with the data stored in it, and optionally difficult to copy. The reason why it is necessary for this bootable media or device to be difficult to counterfeit is to help the user distinguish between the original and any fake bootable media or device that would steal his PIN. The bootable media or device would be mailed to the user. This bootable media or device should also be sufficiently difficult to tamper with the data on it, in order to prevent malicious software from being injected into it. Two examples here:

1. Bootable media: A CD-ROM, a DVD-ROM or a closed CD-R is by default immune to any tampering with the data on it. To make it anti-counterfeit, special artwork, holograms, marks, even shaping of the CD itself can be applied to the physical disc to make it difficult to imitate.

2. Bootable device: personal computers today allow booting from USB devices. People today are able to boot from USB drives and USB sticks, but there is no technical problem at all in booting from a USB smartcard reader, for example. This may sound very strange, but most, if not all, USB smartcard readers today have firmware which can very easily be enlarged in size to even a few megabytes; this is more than sufficient to boot into the secure environment described in the next step, with a very nice GUI. The firmware of most USB smartcard readers, especially the EMV-certified ones, is sufficiently difficult to tamper with; even firmware upgrades are done securely using cryptographic methods, like digital signatures. Smartcard readers, especially the EMV-certified ones, are sufficiently difficult to counterfeit; they even carry certification logos and holograms.

[22] The booted environment should be minimalist, preferably with no networking capabilities, in order to dramatically reduce the effort needed to verify its security. It should load only the PED software along with any helper programs or trusted software. Software is assumed to be trusted if it is loaded from the bootable media or device mentioned in the above step, or digitally signed using a valid digital signature made by a trusted application provider. Another way to load trusted software from an untrusted source is to have its checksum stored on a trusted media or device, but this method does not allow newer versions to be loaded without modifying the trusted media or device that contains the checksum. Another requirement on the booted environment is its ability to boot from a read-only source, like a CD, because most boot media or devices that satisfy the requirements in the previous step are not writable, at least during normal operation. There are many ways to allow booting from a read-only media; here are two examples:

1. Writing it from scratch: this would allow far more optimization of the size and would take into consideration that the source media or device from which it is booting is not writable.

2. Adapting an already available OS: normal operating systems usually require booting from a writable media. One way to solve this problem is the RAM disk technique, in which the boot program initially reserves part of the personal computer's RAM and uses it as a disk emulation, which is of course writable.

[23] Loading transaction data from the non-volatile memory. This is where the secure PIN entry system gets the request from the transaction terminal.

[24] Presenting the transaction data to the user and optionally allowing the user to modify and/or complete it. If the transaction data was digitally signed by its creator, then it should be verified and the user should be notified of the validity of the digital signature. This secure booted environment prevents malicious software from deceiving the user by telling him that the signature on the transaction data is valid while it is not, or the inverse.
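How the secure environment decides what it may load ([22]) and what it tells the user about the signature on the transaction data ([24]), as an added Go example; this is not the patent's own code. The patent names three trust sources (on the boot media, signed by a trusted application provider, checksum stored on trusted media) but no algorithm; this example assumes Ed25519 signatures and SHA-256 checksums, and the Policy, Program, TrustSource and Verdict names are its own. All keys and program bytes are constructed for the demonstration. The "rogue" helper that differs by one byte shows why a checksum pin matches only the exact bytes and why, as [22] notes, a newer version needs the trusted media updated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TrustSource records why the secure environment accepted a program ([22]).
type TrustSource int

const (
	Untrusted      TrustSource = iota
	FromBootMedia              // shipped on the read-only bootable media itself
	ProviderSigned             // valid signature from a trusted application provider
	ChecksumPinned             // its checksum is stored on the trusted media
)

func (s TrustSource) String() string {
	return [...]string{"untrusted", "from boot media", "provider-signed", "checksum-pinned"}[s]
}

// Policy is what the bootable media carries to make the decision (assumed layout).
type Policy struct {
	ProviderKeys []ed25519.PublicKey
	PinnedSHA256 map[string]bool // hex digests of approved helper programs
}

// Program is a candidate executable, where it came from, and an optional signature.
type Program struct {
	Name        string
	Body        []byte
	OnBootMedia bool
	Signature   []byte // provider signature over Body, if any
}

// Classify applies the three rules of [22] in order. A checksum pin matches
// only the exact bytes, so a new version needs a new pin on the media.
func (p Policy) Classify(prog Program) TrustSource {
	if prog.OnBootMedia {
		return FromBootMedia
	}
	for _, key := range p.ProviderKeys {
		if len(key) == ed25519.PublicKeySize && len(prog.Signature) == ed25519.SignatureSize &&
			ed25519.Verify(key, prog.Body, prog.Signature) {
			return ProviderSigned
		}
	}
	sum := sha256.Sum256(prog.Body)
	if p.PinnedSHA256[hex.EncodeToString(sum[:])] {
		return ChecksumPinned
	}
	return Untrusted
}

// Verdict is the line the PED shows the user about the transaction data ([24]).
type Verdict string

const (
	TxUnsigned Verdict = "transaction data is not signed; review it carefully before entering the PIN"
	TxValid    Verdict = "signature valid: the data is exactly what the terminal wrote"
	TxInvalid  Verdict = "SIGNATURE INVALID: the transaction data was altered; do not enter the PIN"
)

// CheckTransactionData verifies the terminal's signature over the data read
// from non-volatile memory and returns what to display to the user.
func CheckTransactionData(terminalKey ed25519.PublicKey, data, sig []byte) Verdict {
	switch {
	case len(sig) == 0:
		return TxUnsigned
	case len(terminalKey) == ed25519.PublicKeySize && len(sig) == ed25519.SignatureSize &&
		ed25519.Verify(terminalKey, data, sig):
		return TxValid
	default:
		return TxInvalid
	}
}

func main() {
	providerPub, providerPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed provider key
	terminalPub, terminalPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed terminal key
	helper := []byte("helper program bytes v1")
	sum := sha256.Sum256(helper)
	policy := Policy{
		ProviderKeys: []ed25519.PublicKey{providerPub},
		PinnedSHA256: map[string]bool{hex.EncodeToString(sum[:]): true},
	}
	viewer := []byte("viewer program bytes v2")
	for _, prog := range []Program{
		{Name: "ped", Body: []byte("ped software"), OnBootMedia: true},
		{Name: "viewer", Body: viewer, Signature: ed25519.Sign(providerPriv, viewer)},
		{Name: "helper", Body: helper},
		{Name: "rogue", Body: append(append([]byte{}, helper...), ' ')},
	} {
		fmt.Printf("%-7s -> %s\n", prog.Name, policy.Classify(prog))
	}
	tx := []byte("amount=100.00;currency=USD") // constructed transaction data
	sig := ed25519.Sign(terminalPriv, tx)
	fmt.Println(CheckTransactionData(terminalPub, tx, sig))
	fmt.Println(CheckTransactionData(terminalPub, []byte("amount=999.00;currency=USD"), sig))
}
```

Classify is deliberately ordered from the strongest evidence to the weakest, and CheckTransactionData distinguishes "unsigned" from "invalid" so the PED never displays a missing signature as a valid one, which is exactly the deception [24] says the secure environment must prevent.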

[25] If the user agrees to the information that was presented to him, he would enter his PIN. The PIN would either be used to create an encrypted PIN block or enable the use of a smartcard to create a transaction cryptogram or a digital signature. Password-encrypted private or secret keys can be used as a low-cost alternative to smartcards for creating digital signatures. Other confidential data, like for example the ATM card track 2 data, which is the data on the magnetic stripe of a debit or credit card, can also be password protected using password-based encryption. This way, anyone who could maliciously copy information from the user's computer, or even from the bootable media or device, cannot get the confidential information stored on it. Another level of securing very confidential data like the ATM card track 2 data is to have it stored encrypted under the public key of the server. This way, no one can use the information on the personal computer to attempt an attack on another channel, like real ATM machines for example, simply because he does not have the ATM card information in clear.

[26] Storing the secured transaction request in non-volatile memory. This is where the secure PIN entry system brings its reply to the transaction terminal. It is worth noting that this need not be the same non-volatile memory used above for obtaining the transaction data.

[27] Restarting the computer back to normal operation. Either the bootable media or device should have been ejected, or the boot loader on the bootable media or device is able to detect that there is no currently pending transaction and so resumes normal operation, or the boot loader on the bootable media or device allows the user to choose manually whether he wants to boot into the secure environment or into normal operation.

[28] Loading the secured transaction request from the latter non-volatile memory. This step is done by the transaction terminal system, which is outside the scope of the invention.

[29] The transaction terminal would normally: 1. Send the transaction for authorization, 2. Receive the response, 3. Present the response to the user and optionally store it.

[30] Precautions for protecting your PIN when using Secure PIN Entry using Personal Computer are to a great extent similar to the precautions for protecting your PIN on an ATM or a POS. 1. You should hide the hand that enters the PIN, so that no one can see your PIN while you type it; this also protects your PIN from being stolen using a remote camera. 2. You should check that there is no hardware key logger connected through the keyboard cable. 3. You should be able to trust that the personal computer does not contain malicious hardware or firmware for capturing the clear-text PIN. This can be an easy prerequisite given that you are using your own notebook or PC at home. You should never, for example, use a computer in an Internet cafe to make PIN-based transactions.

[31] As the process allows for secure PIN entry, it also allows for entering additional critical pieces of information, like a user-choosable one-time password or secret number, to be encrypted and sent to the server in order to be used some time later on another, less secure channel like the Internet, WAP, telephone or IVR. The user can for example enter a user-choosable CVV2 or CVC2 or 3D Secure password that he will use in the next transaction that he will make on the Internet. The user may also specify some constraints on the next transaction that will happen using the specified CVV2/CVC2, like the maximum amount of the transaction and/or the time within which the transaction should be made.
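The issuer-side half of the user-chosen CVV2 described here (the patent later notes that only the issuer bank system needs adapting for it), as an added Go example that is not part of the patent. It assumes the chosen value has already reached the issuer through the secure session and the HSM, so it arrives in clear here; it keeps the printed CVV2 only as the fallback for a card with no rule set, treats the chosen value as single-use, and enforces the two constraints the paragraph names, a maximum amount and a time window. The NextUseRule and CardRecord names, the minor-unit amounts and the sample values are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// NextUseRule is what the issuer stores after the secure session: the CVV2
// the cardholder chose for his next Internet transaction and the limits he
// attached to it ([31]). Names are this example's own.
type NextUseRule struct {
	CVV2      string    // chosen value, entered in the secure environment
	MaxAmount int64     // in minor units (cents); 0 means no amount limit
	NotAfter  time.Time // zero value means no time limit
	Used      bool      // single use: consumed by the first matching transaction
}

// CardRecord is the issuer's per-card state. With no rule set, the printed
// CVV2 is checked as today; once a rule exists, only the chosen value works.
type CardRecord struct {
	PrintedCVV2 string
	Next        *NextUseRule
}

type Decision string

const (
	Approved        Decision = "approved"
	DeclinedCVV     Decision = "declined: CVV2 does not match"
	DeclinedAmount  Decision = "declined: amount above the cardholder's limit"
	DeclinedExpired Decision = "declined: the chosen CVV2 has expired"
	DeclinedUsed    Decision = "declined: the chosen CVV2 was already used"
)

func cvvEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// SetNextUse records the value the cardholder chose; validFor == 0 and
// maxAmount == 0 mean no time limit and no amount limit respectively.
func (c *CardRecord) SetNextUse(cvv2 string, maxAmount int64, validFor time.Duration, now time.Time) error {
	if len(cvv2) < 3 || len(cvv2) > 4 || strings.Trim(cvv2, "0123456789") != "" {
		return errors.New("CVV2 must be 3 or 4 digits")
	}
	rule := &NextUseRule{CVV2: cvv2, MaxAmount: maxAmount}
	if validFor > 0 {
		rule.NotAfter = now.Add(validFor)
	}
	c.Next = rule
	return nil
}

// Authorize is the issuer check for a card-not-present transaction arriving
// over the less secure channel with the CVV2 the merchant collected.
func (c *CardRecord) Authorize(cvv2 string, amount int64, now time.Time) Decision {
	r := c.Next
	if r == nil {
		if cvvEqual(cvv2, c.PrintedCVV2) {
			return Approved
		}
		return DeclinedCVV
	}
	switch {
	case r.Used:
		return DeclinedUsed
	case !r.NotAfter.IsZero() && now.After(r.NotAfter):
		return DeclinedExpired
	case !cvvEqual(cvv2, r.CVV2):
		return DeclinedCVV
	case r.MaxAmount > 0 && amount > r.MaxAmount:
		return DeclinedAmount
	}
	r.Used = true // a copy of this value captured on the Internet is now worthless
	return Approved
}

func main() {
	now := time.Date(2005, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	card := &CardRecord{PrintedCVV2: "123"}             // constructed card
	_ = card.SetNextUse("482", 5000, time.Hour, now)    // chosen in the secure session: at most 50.00, within one hour
	fmt.Println(card.Authorize("123", 1000, now))       // printed value no longer accepted
	fmt.Println(card.Authorize("482", 6000, now))       // over the limit the cardholder set
	fmt.Println(card.Authorize("482", 1000, now))       // approved, rule consumed
	fmt.Println(card.Authorize("482", 1000, now))       // replay of a captured value
}
```

A declined attempt does not consume the rule, so a cardholder who mistypes the amount can retry, while an approved one does, which is what makes the captured value useless on the less secure channel afterwards.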

[32] A mobile phone that supports Java, as most modern mobile phones today do, is a sort of personal computer that always boots into a secure environment from its firmware by default. Hence it does not need the parts of the process that involve restarting and booting into a secure environment; all that is needed is to launch the secure PIN entry application. The PIN entry application can execute directly and securely on the mobile phone. Of course the physical phone must be trusted by the user; the mobile phone owned by the user himself could satisfy this requirement very easily, because the user knows that his own phone was never physically accessible to anyone who has the technical expertise and malicious motivation in addition to the ability to pay the cost of obtaining and inserting malicious hardware or firmware in his mobile phone. The PIN entry application that will run on the mobile phone can also interact with the SIM in the mobile, which is basically a smartcard; this allows for the second use of the secure PIN entry, which is to enable access to a component in the smartcard that would create a transaction cryptogram or a digital signature for the transaction.

Advantageous Effects

[33] The process can be used to protect the PIN entry of any PIN that needs to be secured, not just the ATM PIN, but using the same security standards that were originally made to secure the ATM PIN.

[34] The process radically protects the user from any malicious software that might affect the security of PIN entry; it dramatically reduces the user responsibilities to physical security considerations only, like those in ATM transactions.

[35] If the transaction data was digitally signed by some source, the digital signatures on the transaction data will be verified securely in this secure environment, because there is no malicious software that can report falsely about the validity of the digital signature.

[36] Allowing the user to choose the CVV2 or CVC2 or 3D Secure password to be used in the next transaction to be done on a less secure channel has a huge benefit, because it allows for extremely secure e-commerce without requiring any change in the traditional merchant system, acquirer bank system and the card transactions network; the only system that will need a little adaptation is the issuer bank system, in order to allow the CVV2 or CVC2 or 3D Secure password to be user-choosable and changeable, even for every transaction. An example of the traditional merchant system is a payment web page with SSL that allows the user to enter his credit card number, expiration date and CVV2 or CVC2 and sends this information to the acquirer bank, which is usually the bank of the merchant. Neither the merchant system nor the acquirer bank needs to change anything. Not even the card transactions network, like MasterCard and VISA, will need to modify anything. The same can be done for the 3D Secure password: the process allows the 3D Secure password to be different, user-choosable, for every transaction, because before every transaction the user would follow the said process and enter the 3D Secure password in the secure state, away from any malicious software. After that he will use it in the next transaction to be done on unsecure channels like the Internet, where malicious software can capture it, or on IVR, where it could also be captured, or on any less secure channel, but it will be of no use to the attacker any more.

Description of Drawings

[37] The drawing in sheet 1 shows the security dependency in the case when the PIN is encrypted by the PIN entry system itself, as described by the first Best Mode.

Best Mode

[38] The transaction terminal application puts the transaction data in a file on the hard disk.

[39] The user inserts the secure PIN entry CD in his computer's CD drive.

[40] The CD is a business-card-shaped CD-R with a hologram sticker on it. The CD-R is closed, i.e. no other sessions can be added to the CD-R in order to change the data on it.

[41] The user hibernates the computer

[42] The user starts the computer

[43] The computer boots from the CD

[44] The secure PIN entry application reads the transaction data from the hard disk

[45] The secure PIN entry application displays the transaction data to the user

[46] The user agrees on the transaction and enters his PIN

[47] The secure PIN entry application generates a random DES or 3DES key, the PIN Key, and uses it to encrypt the PIN

[48] The secure PIN entry application generates another DES or 3DES key, the Auth Key, and uses it to generate a Message Authentication Code, MAC, on the transaction. The encrypted PIN is not part of the data on which the MAC is calculated.

[49] The secure PIN entry application encrypts the Auth Key under the PIN Key

[50] The secure PIN entry application encrypts the PIN Key under the public key of the HSM used on the server side. The public key is stored on the CD-R itself.

[51] The user may also enter, once or twice, the CVV2 to be used in the next Internet transaction. The secure PIN entry application would also encrypt this user-choosable CVV2.

[52] The secure PIN entry application forms its reply, which is the transaction data, the MAC and the encrypted PIN

[53] The secure PIN entry application stores the reply in a file on the computer's hard disk

[54] The user ejects the CD and restarts the computer

[55] The computer returns back from hibernation

[56] The transaction terminal application can now load the reply file from the hard disk. This reply file is almost the transaction request which the transaction terminal needs to send to the acquirer to be authorized.

[57] If there was a user-choosable encrypted CVV2, the server side would use it to update the cards database in order to secure the next e-commerce transactions coming from less secure channels like the Internet.

[58] The user may also specify some constraints on the next transaction that will happen using the specified CVV2/CVC2 or 3D Secure password, like the maximum amount of the transaction and/or the time within which the transaction should be made.

Best Mode

[59] The personal computer has a bootable smartcard reader, as described in the description above

[60] The transaction terminal, which is outside of the scope of the invention, forms the transaction data and puts it in a file on the smartcard which is inserted in the smartcard reader

[61] The user hibernates the computer

[62] The user starts the computer

[63] The computer boots from the smartcard reader; the boot loader checks the smartcard and finds that there is pending transaction data, so it launches the secure PIN entry application

[64] The secure PIN entry application displays the transaction data to the user

[65] The user agrees on the transaction and enters his PIN

[66] The PIN is sent to the smartcard as a verify PIN command

[67] The transaction data is sent to the smartcard with a command to create an Authorization Request Cryptogram, ARQC

[68] The secure PIN entry application forms its reply, which is the transaction data and the ARQC

[69] The secure PIN entry application stores the reply in a file on the smartcard

[70] The user restarts the computer

[71] The boot loader on the smartcard reader will sense that there is no new application data, so it skips its booting and the computer boots normally

[72] The computer returns back from hibernation

[73] The transaction terminal application can now load the reply file from the smartcard. This reply file is almost the transaction request which the transaction terminal needs to send to the acquirer to be authorized.

Industrial Applicability

[74] Physical bootable media or devices can be manufactured and loaded with software that allows the user to apply the process in the transactions he makes.

[75] This process can secure the entry of the PIN of an ATM transaction made from the user's own computer. This allows the user to access and make transactions from his debit and credit account while he is at home using his personal computer or mobile phone. The issuer bank of the cardholder will see the transaction exactly as if it came from a real ATM, because the process not only secures the PIN entry but also allows transactions to be made in the same way specified in the ISO 8583 standard for card-originated transactions. So the issuer bank will require no change in its system to allow its customers to use this type of transaction. All the changes could be handled by the driving system, which is usually owned by the acquirer bank, which is the first to receive the transaction from the transaction terminal, in our case the personal computer.

[76] It can be used to allow secure PIN entry when using a smartcard to sign a contract or transaction.
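The cryptographic steps [47] to [52] of the first Best Mode, together with the server-side unwrapping and MAC check described in [56] and in claims [21] to [23], as an added example that is not the patent's own code. It assumes the Python `cryptography` package, an ISO 9564 format 0 PIN block, a 3DES CBC-MAC (ISO 9797-1 padding method 2) and RSA-OAEP for wrapping the PIN Key under the HSM public key; the HSM key pair, the PAN and the transaction data are constructed placeholders, since the text fixes none of these formats.

```python
import hmac
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # TripleDES moved to the "decrepit" namespace in cryptography >= 43
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older cryptography releases
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

BLOCK = 8  # DES block size in bytes
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def tdes_ecb(key: bytes, data: bytes, encrypt: bool = True) -> bytes:
    """Raw 3DES-ECB over whole blocks; used only for 8-byte PIN blocks and 24-byte keys."""
    cipher = Cipher(TripleDES(key), modes.ECB())
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(data) + ctx.finalize()


def iso9797_mac(key: bytes, data: bytes) -> bytes:
    """3DES CBC-MAC with a zero IV and ISO 9797-1 padding method 2; the last block is the MAC."""
    padded = data + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    enc = Cipher(TripleDES(key), modes.CBC(bytes(BLOCK))).encryptor()
    return (enc.update(padded) + enc.finalize())[-BLOCK:]


def pin_block_iso0(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: PIN field XOR 12 PAN digits (check digit excluded)."""
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(p ^ a for p, a in zip(pin_field, pan_field))


def pin_from_block(block: bytes, pan: str) -> str:
    """Inverse of pin_block_iso0, run on the server after decryption."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    clear = bytes(b ^ a for b, a in zip(block, pan_field)).hex().upper()
    return clear[2:2 + int(clear[1], 16)]


def form_reply(txn: bytes, pin: str, pan: str, hsm_public) -> dict:
    """Steps [47]-[52], as run inside the booted secure environment."""
    pin_key = os.urandom(24)                             # [47] random 3DES PIN Key
    auth_key = os.urandom(24)                            # [48] random 3DES Auth Key
    enc_pin = tdes_ecb(pin_key, pin_block_iso0(pin, pan))
    mac = iso9797_mac(auth_key, txn)                     # [48] MAC over txn only, never over enc_pin
    enc_auth_key = tdes_ecb(pin_key, auth_key)           # [49] Auth Key under PIN Key
    wrapped_pin_key = hsm_public.encrypt(pin_key, OAEP)  # [50] PIN Key under HSM public key
    return {"txn": txn, "mac": mac, "enc_pin": enc_pin,
            "enc_auth_key": enc_auth_key, "wrapped_pin_key": wrapped_pin_key}


def server_verify(reply: dict, pan: str, hsm_private):
    """Server side: unwrap the keys with the HSM private key, check the MAC, recover the PIN."""
    pin_key = hsm_private.decrypt(reply["wrapped_pin_key"], OAEP)
    auth_key = tdes_ecb(pin_key, reply["enc_auth_key"], encrypt=False)
    mac_ok = hmac.compare_digest(iso9797_mac(auth_key, reply["txn"]), reply["mac"])
    pin = pin_from_block(tdes_ecb(pin_key, reply["enc_pin"], encrypt=False), pan)
    return mac_ok, pin


def demo() -> tuple:
    """Constructed end-to-end run; returns (mac_ok, pin_matches, tampered_txn_accepted)."""
    hsm_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pan = "4000001234567899"                                  # constructed test PAN
    txn = b"AMT=000000012500;CUR=840;PAN=" + pan.encode()     # constructed transaction data
    reply = form_reply(txn, "1234", pan, hsm_private.public_key())
    mac_ok, pin = server_verify(reply, pan, hsm_private)
    tampered = dict(reply, txn=txn.replace(b"012500", b"912500"))  # amount altered after signing
    tampered_ok, _ = server_verify(tampered, pan, hsm_private)
    return mac_ok, pin == "1234", tampered_ok
```

The tampered run shows why [48] matters: the MAC is keyed by an Auth Key that only the HSM can recover, so transaction data modified on the way to the acquirer fails verification even though the encrypted PIN itself is untouched.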

Claims

[1] A personal computer physically trusted by the user who wants to enter his PIN to authorize a transaction.

[2] The said PIN is either a PIN to be encrypted or a PIN to be verified by a smartcard to enable operations on it.

[3] The user prepares the transaction using a transaction terminal system or software that is outside the scope of the invention.

[4] The said transaction terminal would store the transaction data in a non-volatile memory

[5] The user would restart, or hibernate and start, or shut down and start the said personal computer

[6] The computer would boot from a bootable media or device that is sufficiently difficult to counterfeit and sufficiently difficult to tamper with the data stored in it

[7] The said bootable media or device launches the secure PIN entry application
[8] The said secure PIN entry application reads the transaction data from the said non-volatile memory

[9] The said secure PIN entry application displays the said transaction data to the said user

[10] The said user verifies the said displayed transaction data and decides whether to enter his PIN or not

[11] If the said user decides not to enter his PIN, he can just cancel the transaction and restart the computer back to normal operation, and the process stops here
[12] Else, the said user would enter his PIN
[13] Depending on whether a smartcard is to be used or not, the said PIN entry application would process the PIN either by encrypting the PIN and optionally generating a MAC or by sending the PIN to a smartcard to enable the operation that authorizes the transaction on it, which is either an EMV cryptogram or a digital signature or an encrypted PIN and optionally a MAC
[14] The said PIN entry application would form the reply and store it in a non-volatile memory possibly different from the one said above in the transaction data
[15] The said user may also enter a password to enable secure access to password encrypted secret keys, private keys and confidential data. This step can be done before or after the said PIN entry step.
[16] The said user may also enter secure information that updates his records in the server-side system, like a user-choosable CVV2/CVC2 or a new 3D Secure password.

[17] The said PIN entry application would also encrypt the said other secrets
[18] The said user restarts the computer
[19] The said computer boots normally or resumes from said hibernation
[20] The said transaction terminal loads the reply from the later said non-volatile memory and resumes the transaction, which is outside the scope of the process.

[21] The server side of the system would receive the said transaction terminal request, including the said encrypted PIN or the said cryptogram or the said digital signature, depending on whether the said PIN was encrypted or was used to create a cryptogram or a digital signature. The said request also optionally includes the said MAC

[22] The said server side also receives the said encrypted other secrets and decrypts them

[23] The said server side processes the request as a normal PIN-based transaction, relying on the wholesale PIN security standards

[24] If the said user entered the said other secret, the said server side would decrypt it and update the system with the new secret

[25] The transaction processing is done using the well-established and well-known transaction processing processes for PIN-based transactions, which is outside the scope of the invention
PCT/IB2004/050628 2004-05-10 2004-05-10 Secure pin entry using personal computer WO2005109360A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2004/050628 WO2005109360A1 (en) 2004-05-10 2004-05-10 Secure pin entry using personal computer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
PCT/IB2004/050628 WO2005109360A1 (en) 2004-05-10 2004-05-10 Secure pin entry using personal computer
PCT/GB2005/001770 WO2006120365A1 (en) 2004-05-10 2005-05-10 Secure transactions using a personal computer

Publications (1)

Publication Number Publication Date
WO2005109360A1 true true WO2005109360A1 (en) 2005-11-17

Family

ID=34957780

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/IB2004/050628 WO2005109360A1 (en) 2004-05-10 2004-05-10 Secure pin entry using personal computer
PCT/GB2005/001770 WO2006120365A1 (en) 2004-05-10 2005-05-10 Secure transactions using a personal computer

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/GB2005/001770 WO2006120365A1 (en) 2004-05-10 2005-05-10 Secure transactions using a personal computer

Country Status (1)

Country Link
WO (2) WO2005109360A1 (en)

Also Published As

Publication number Publication date Type
WO2006120365A1 (en) 2006-11-16 application

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct app. not ent. europ. phase