WO2008096191A1 - Method and device for using a telephone as a means of authorizing a transaction - Google Patents

Method and device for using a telephone as a means of authorizing a transaction

Info

Publication number
WO2008096191A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
telephone
authorizing
application
instruction
Prior art date
Application number
PCT/IB2007/000308
Other languages
French (fr)
Inventor
Davide Enderlin
Original Assignee
Phonegroup Sa
Priority date
Filing date
Publication date
Application filed by Phonegroup Sa
Priority to PCT/IB2007/000308
Publication of WO2008096191A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/18 Payment architectures involving self-service terminals [SST], vending machines, kiosks or multimedia terminals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Payment protocols; Details thereof using an alias or single-use codes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425 Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F19/00 Complete banking systems; Coded card-freed arrangements adapted for dispensing or receiving monies or the like and posting such transactions to existing accounts, e.g. automatic teller machines
    • G07F19/20 Automatic teller machines [ATMs]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

What is described is an authorization device for transactions and a method for the use of the said device, comprising the use of a telephone network for the exchange of data to determine whether the party requesting the transaction is authorized to execute it.

Description

Method and device for using a telephone as a means of authorizing a transaction
The present invention relates to a method and device for using a telephone as a means of authorizing a transaction as mentioned in the preamble of Claim 1 in relation to the device and Claim 4 in relation to the use of the said device.
At the present time, information and communication technology makes it possible to use or collect financial means, particularly cash, for transactions from any geographical area of the world by means of the Internet or inter-bank networks. The advantages which this confers, such as the high degree of flexibility in the use of personal financial resources, have been accompanied by increasingly sophisticated levels of fraud. The cost of this high-technology crime often has to be met by unwary users of services such as automatic teller machines and credit cards. Phenomena such as phishing and skimmers have become a very serious problem for these users and for credit institutions. To clarify the problems relating to these criminal activities, we must now give a general outline of their nature.
Phishing is a fraud which uses a social engineering technique, and is used to obtain access to confidential personal information for the purpose of identity theft, by using electronic communications, especially fraudulent electronic mail messages, but also telephone calls. These messages entice the user to disclose personal data such as his current account number, credit card number, identification codes, and the like. By stealing these personal data, the criminal can, for example, obtain free access via automatic teller machines or electronic banking to the victim's resources. A skimmer is a tool used to commit a criminal offence against users of automatic teller machines by duplicating the credit cards inserted into the machines. An electronic memory card, particularly of the type known as EPROM, stores the card data which are usually contained in a magnetic strip on one side of the card, while a small concealed video camera records the secret code entered by the customer to authorize the transaction. When the card number and secret code have been acquired, the skimmer is connected to a PC and the illegally obtained data are transcribed to plastic cards which are similar to the original cards and which operate perfectly.
The object of the present invention is to overcome the aforesaid disadvantages, the said object being achieved by the characteristics specified in Claim 1, in relation to the device, and in Claim 4, in relation to the method used by the authorization device; in particular, the system proposed by the invention is intended to enhance security and thus provide increased protection by means of a device different from the use of secret codes or scratch lists; this is achieved by means of a telephone network, which, as explained below, makes it possible to identify the user authorized for the transaction.
In the following description, a preferred embodiment and two supplementary embodiments are outlined in order to clarify the inventive concept by means of practical applications; the said embodiments are not to be considered limiting and are provided solely for explanatory purposes.
In the preferred embodiment, the branch of the institution or bank sends details of the ten-digit code generated by the system and the instructions for associating a telephone with this code to its customers 10 who have requested the activation of the authorization method according to the invention. The user 10 calls, from the telephone 5 which he intends to activate, the number dedicated to the activation of the identification of the calling telephone number 5, and, following the voice instructions, dials the code received from the bank and the telephone number from which he is calling, which provides a further level of security to prevent errors. The system then carries out three checks, to ensure, firstly, that the user is not calling from a concealed or private telephone number; secondly, that the code entered is valid and free; and thirdly, that the telephone number entered is indeed that number from which the call is made. If the outcome of the three checks is positive, an application will associate the calling telephone number with the ten-digit code. These numbers will form the keys to establish the connection to the banking institution which is necessary in order to carry out the transaction desired by the customer, such as the withdrawal of cash from an automatic teller machine. It will also be possible to reset a code by means of a bank call, to enable the user to change the telephone number associated with his code.
In a second embodiment, the user 10 wishing to carry out a transaction by Internet banking, or to use a credit card or automatic teller machine, calls the telephone number dedicated to the service from the telephone which he has associated with his code by the operations described in the preceding paragraph. The device for authorizing the transaction determines whether the calling telephone number is one of those associated with the codes, and if this is the case, it informs the institution that the "gate" associated with the code is open; the gate is simply the information and communication technology channel associated with the exchange of data between the user and the application. At the bank's discretion, it is also possible to implement a further security level by requiring the customer to enter the code even if he is calling from an authorized telephone number. As soon as the opening of a gate is notified to the bank systems, the credit cards, automatic teller machines and/or Internet banking systems associated with this gate will be active for a single transaction and for a time to be agreed, for example 5 minutes.
In a third embodiment, the authorization device determines that the calling number is not one of those associated with the codes, and requests that either the authorized number or the corresponding code be entered via the keypad. Only if the two entered numbers are actually associated with each other does the system inform the institution that the gate associated with the code is open.
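The three embodiments above can be modelled as one small state machine; the sketch below is an added example, not code from the patent or its applicant. The class and method names, the one-code-per-number assumption, and the reading of the third embodiment as requiring both the authorized number and its code to be keyed in are assumptions made for illustration.

```python
import secrets

GATE_TTL_SECONDS = 5 * 60  # "a time to be agreed, for example 5 minutes"


class PhoneGateAuthorizer:
    """Hypothetical model of the authorization application in the description."""

    def __init__(self, require_code_on_call=False):
        self.require_code_on_call = require_code_on_call  # bank's optional extra level
        self.codes = {}  # ten-digit code -> associated phone number (None = free)
        self.gates = {}  # ten-digit code -> expiry time of the open gate

    def issue_code(self):
        """Bank side: generate an unused ten-digit code for a customer."""
        while True:
            code = f"{secrets.randbelow(10**10):010d}"
            if code not in self.codes:
                self.codes[code] = None
                return code

    def enroll(self, caller_id, entered_code, entered_number):
        """Activation call: run the three checks, then associate number and code.

        caller_id is the number presented by the telephone network (None when
        withheld); the scheme relies on that value to identify the phone.
        """
        if not caller_id:
            return False, "caller number concealed or private"
        if entered_code not in self.codes or self.codes[entered_code] is not None:
            return False, "code not valid or not free"
        if entered_number != caller_id:
            return False, "entered number differs from calling number"
        self.codes[entered_code] = caller_id
        return True, "associated"

    def reset_code(self, code):
        """Bank call: free the code so another number can be associated with it."""
        if code in self.codes:
            self.codes[code] = None
            self.gates.pop(code, None)

    def _code_for(self, number):
        if not number:  # a withheld number must never match a free code
            return None
        return next((c for c, n in self.codes.items() if n == number), None)

    def authorize_call(self, caller_id, now, entered_code=None, entered_number=None):
        """Service call: open the gate and return its code, or return None."""
        code = self._code_for(caller_id)
        if code is not None:  # second embodiment: call from the associated phone
            if self.require_code_on_call and entered_code != code:
                return None
        else:  # third embodiment: keyed-in number and code must belong together
            if not entered_number or self.codes.get(entered_code) != entered_number:
                return None
            code = entered_code
        self.gates[code] = now + GATE_TTL_SECONDS
        return code

    def consume_gate(self, code, now):
        """Bank side: permit exactly one transaction while the gate is open."""
        expiry = self.gates.pop(code, None)
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    auth = PhoneGateAuthorizer()
    code = auth.issue_code()
    phone = "+10000000001"  # constructed sample number
    print(auth.enroll(phone, code, phone))
    print(auth.authorize_call(phone, now=0.0) == code)
    print(auth.consume_gate(code, now=60.0), auth.consume_gate(code, now=61.0))
```

Time is passed in as `now` (seconds) so that the single-use and expiry behaviour of the gate can be checked without waiting.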
Figure 1 shows schematically the configuration of the components of the system proposed by the invention.

Claims

1. Device for authorizing a transaction, comprising a first network interface 2, for executing a transaction requested by a participant, the said interface 2 being connected to a computer network 3 configured to receive a transaction instruction, a second network interface 4 connected to a telephone network 1 and configured to receive a telephone call from a telephone 5, the said network interface also being connected to the said computer network 3 in which is implemented an application for generating an instruction for authorizing the said transaction, characterized in that the said application can generate the said instruction for the said transaction on the basis of an identification code of the user and an identification of the telephone number of the telephone 5 supplied to the application via the telephone network 2.
2. Device for authorizing a transaction according to Claim 1, characterized in that the application is implemented in a server.
3. Device for authorizing a transaction according to any one of the preceding claims, characterized in that the information and communication technology connections to be made are of the protected type.
4. Method for using the device according to Claim 1, comprising the receiving of the participant's request for authorization by means of a telephone call made by a telephone 5 to the second interface 4, containing an identification code, and the telephone number of the said telephone, the examination by the application of the correctness of the said identification code and of the said telephone number, and, if the outcome of the said examination is positive, the generation by the application of the instruction for authorization of the execution of the said transaction.
5. Method according to Claim 4, characterized in that the transaction is a credit card operation.
6. Method according to Claim 4, characterized in that the transaction is an automatic teller machine operation.
7. Method according to Claim 4, characterized in that the transaction is an electronic banking operation.
PCT/IB2007/000308 2007-02-09 2007-02-09 Method and device for using a telephone as a means of authorizing a transaction WO2008096191A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2007/000308 WO2008096191A1 (en) 2007-02-09 2007-02-09 Method and device for using a telephone as a means of authorizing a transaction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2007/000308 WO2008096191A1 (en) 2007-02-09 2007-02-09 Method and device for using a telephone as a means of authorizing a transaction

Publications (1)

Publication Number Publication Date
WO2008096191A1 (en) 2008-08-14

Family

ID=38657174

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/000308 WO2008096191A1 (en) 2007-02-09 2007-02-09 Method and device for using a telephone as a means of authorizing a transaction

Country Status (1)

Country Link
WO (1) WO2008096191A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0926611A2 (en) * 1997-12-23 1999-06-30 AT&T Corp. Method for validation of electronic transactions
WO1999057663A1 (en) * 1998-04-22 1999-11-11 Echarge Corporation Method and apparatus for ordering goods, services and content over an internetwork
WO2002037240A2 (en) * 2000-11-01 2002-05-10 British Telecommunications Public Limited Company Computer system
GB2371665A (en) * 2001-01-25 2002-07-31 Lets Guard It Europ Ab Call-back function provides a user with an authorisation code for accessing a service
EP1646019A1 (en) * 2004-10-05 2006-04-12 Deutsche Telekom AG Method and communication system for conducting a payment transaction

Similar Documents

Publication Publication Date Title
US10083285B2 (en) Direct authentication system and method via trusted authenticators
CA2664680C (en) A system and method for verifying a user's identity in electronic transactions
US7983979B2 (en) Method and system for managing account information
US8788389B1 (en) Methods and systems for providing a customer controlled account lock feature
EP1708473A1 (en) A-computer accounting system with a lock using in a bank and the corresponding method used for secure payment by phone
US20130024377A1 (en) Methods And Systems For Securing Transactions And Authenticating The Granting Of Permission To Perform Various Functions Over A Network
CN1996839A (en) A low-cost and easy-to-distribute identity verification method and device
Sankhwar et al. A safeguard against ATM fraud
US8172137B1 (en) Authentication with no physical identification document
WO2008052592A1 (en) High security use of bank cards and system therefore
JP2008287687A (en) Identification system using cellular phone
KR20060109562A (en) Method for approving a settlement of a financetransaction depend on an outsider
JP6511409B2 (en) Transaction locking system and transaction locking method in financial institution
WO2008096191A1 (en) Method and device for using a telephone as a means of authorizing a transaction
KR20000037178A (en) Phonenumber Proof Type Tele-banking Service System
WO2009108066A1 (en) Method and arrangement for secure transactions
Onwudebelu et al. Real Time SMS-Based hashing scheme for securing financial transactions on ATM systems
JP2007025907A (en) Authentication system and authentication method
EP3971851A1 (en) An electronic device, method and computer program product for instructing performance of a transaction which has been requested at an automated teller machine
Sharma et al. Secure branchless banking
JP6689917B2 (en) Personal authentication method at financial institutions
JP2006243978A (en) Server and program
RU2256216C2 (en) System for paying for services in telecommunication network
JP2002269619A (en) Automatic teller machine, informing system using it and informing method thereof
Feinberg Best Practices for Protecting Corporate Electronic Banking Customers

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07713027

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07713027

Country of ref document: EP

Kind code of ref document: A1