A SYSTEM AND METHOD FOR AUTHENTICATING USERS IN A PAYMENT SYSTEM
Field of the invention
The present invention relates to the use of RFID tags in payment systems.
Technical background
Radio frequency identification or RFID technologies use radio waves to automatically identify individual items. The most common applications are tracking goods in a supply chain, tracking assets, tracking packages at a distribution centre, security (including controlling access to buildings and networks) and payment systems that let customers pay for items without using cash.
The system consists of a tag or transponder, which is made up of a microchip with an antenna attached to it, and an interrogator or reader. The reader sends out a radio signal that "couple" with the antenna on the RFID tag. The chip modulates the received signal, which is subsequently sent back to the reader. A serial number is stored on the chip that identifies a product, and perhaps also includes other information
RFID systems are advantageous over other identification systems in that they do not require line of sight. RFID tags can be read as long as they are within range of a reader, irrespective of spatial arrangement.
RFID tags may be used when buying bus or cinema tickets, tickets for football games, etc. By implementing RFID based access control in cinemas or football stadiums, users will get seamless access to the events in question without interaction with guard staff, ticket inspectors or gatekeepers. However, the use of RFID products in payment
systems is challenging, in particular in respect to security issues. A payment RFID tag will be connected to the user's bank account, and if it is lost, a third party may buy a car using the rightful owner's money.
In order to provide a satisfactory level of security, the RFID system must include some sort of user authentication. As far as we know, no solution for direct authentication of users exists today. Currently users are authenticated by entering personal identification number (PIN) codes at external terminals, or by sending short message system
(SMS) based receipts from mobile phones. These solutions are demanding with respect to user interaction, and prevent the technology from gaining ground as a means for identification and authentication.
Brief summary of the invention
It is an object of the present invention to provide a system and method for authentication of users that is satisfactory from a security viewpoint, and which requires very little user interaction.
It is another object to provide a system that is common (standard) for many different services. Such a solution could lead to the further dissemination of RFID systems.
These objects are achieved in a system and method as described in the appended patent claims.
Detailed description of the invention
The inventive solution will now be described in detail with reference to the appended drawing, which shows a system for the authentication of a user, according to the present invention.
The core of the invention is to introduce some sort of 2 step authentication - in which the user must accept the transaction with his/her mobile phone. This will greatly reduce the possibility of misuse. This solution is 5 different from common SMS commerce in that the transaction is initiated automatically and only requires a small degree of user interaction.
The system is illustrated in the appended figure. The user possesses a mobile terminal 1 and an RFID tag. When o entering a shop, bus, cinema or other payment site, the presence of the RFID tag is detected by an RFID reader 2. The identification of the tag is sent to an authentication centre 3. The authentication centre is arranged to send an inquiry to the user' s mobile phone asking him/her to accept s the transaction. If the user accepts the transaction, by pressing an appropriate key, the transaction information is sent from the authentication centre to a transaction system 4. The arrows indicate the communication between the individual units involved in the transaction.
0 In order to avoid the system being triggered each time a person enters a shop, the RFID tag should be of a short- range type, e.g. with an activation range of only some few centimetres. A customer can then bring the goods he wants to purchase to the till (cash register) . The cashier will s enter the cash value of the goods, whereupon the transaction is initiated by holding the RFID tag near to a RFID reader.
The authentication centre 3 can be realized as a server running an authentication application. In addition, a 0 corresponding application can be installed at the mobile terminal. This is an application listening for arriving requests for acceptance of a transaction, and presents this to the user as a YES/NO option (dedicating YES and NO to specific keys on the keyboard, or to specific fields on a 5 touch sensitive screen) . Alternatively, the application on
the mobile terminal may request the user to enter a 3 or 4 number code.
The system could be realized using IP-communication (i.e GPRS) between the server and the client software on the mobile terminal.
The inventive solution could also be realized as a SMS service. When the transaction is initialized, the authentication centre sends a SMS message to the client' s mobile terminal. The client can respond to the message by returning a message containing a Y, and thereby accept the transaction. This will require the client to touch 3 or 4 keys, at the most. Optionally, the authentication centre can require the client to return a short number code. This could be a fixed number (PIN-code) or a number that is increased by 1 for each transaction, e.g. 10 for the first transaction, 11 for the next, etc. These measures will increase the security of the system.
In summary, the system includes a mobile terminal 1, and an RFID tag at the customer side. The RFID tag should of course not be attached to the phone, in case the later is lost or stolen. An RFID reader 2 is communicating with the RFID tag over a wireless link 10. The RFID reader 2 is also in communication with an authentication centre 3 over a communication link 20. The authentication centre 3 communicates with the mobile terminal 1 over the public mobile telephone network 30, and is connected to a transaction system 4 via communication link 50.