WO2012041781A1 - Fraud prevention system and method using unstructured supplementary service data (ussd) - Google Patents

Fraud prevention system and method using unstructured supplementary service data (ussd) Download PDF

Info

Publication number
WO2012041781A1
WO2012041781A1 PCT/EP2011/066598 EP2011066598W WO2012041781A1 WO 2012041781 A1 WO2012041781 A1 WO 2012041781A1 EP 2011066598 W EP2011066598 W EP 2011066598W WO 2012041781 A1 WO2012041781 A1 WO 2012041781A1
Authority
WO
WIPO (PCT)
Prior art keywords
ussd
code
access
authentication
network
Prior art date
Application number
PCT/EP2011/066598
Other languages
French (fr)
Inventor
Colin Larkin
Original Assignee
Moqom Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Moqom Limited filed Critical Moqom Limited
Publication of WO2012041781A1 publication Critical patent/WO2012041781A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/325Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
    • G06Q20/3255Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks using mobile network messaging services for payment, e.g. SMS
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12Messaging; Mailboxes; Announcements
    • H04W4/14Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • the invention relates generally to the prevention of electronic credit/debit card fraud and identity theft.
  • the invention is aimed at providing a system and method for minimizing the potential for phishing.
  • the invention also relates to added security for credit card and debit card transactions processed across networks, and for the authentication of access to systems, buildings and the like.
  • Phishing refers to the fraudulent process of attempting to acquire sensitive information such as user names, passwords, financial and credit card details and the like, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website, the look and feel of which is almost identical to the legitimate one. Even when using server authentication, it may require skills well beyond those of the average user, to detect that the website is fake. 'Phishers' are those undertaking the above fraudulent activities and, typically, send electronic communications asking the recipients to "confirm their password", to "verify their account” and/or to "confirm their identity”.
  • 3-D Secure has introduced an additional authentication step for online payments and transactions, in an attempt to overcome the problem of phishing and online fraud.
  • Transactions using 3-D Secure typically guide the electronic transaction process to the website of the card issuing bank for authorising the transaction.
  • the basic concept of the 3-D Secure protocol is to tie the financial authorization process with an online authentication.
  • the authentication method is password-based, to ensure that the authorisation for any online credit card and debit card transaction is subject to a secret password tied to the card, thus limiting the chance of fraud.
  • a number of similar solutions based on token-based code generators, similar to the solutions provided by companies like RACOM, VASCO, etc. have been developed. These token-based solutions are expensive for the financial institutions to roll out and difficult to implement, and require different token generators for each financial institution.
  • a method of generating and communicating an Authentication Code comprising the steps of sending an access request from a user terminal to a first remote system, wherein the access request includes at least a network address of the user terminal, generating an USSD Access Code using at least the network address in response to receiving the access request at a second remote system, and sending the USSD Access Code to an USSD - enabled user terminal, sending an USSD Service Request including the generated USSD Access Code with the USSD - enabled user terminal, authenticating the USSD Access Code in the USSD Service Request at the second remote system, generating and sending an Authentication Code to the USSD - enabled terminal at the second remote system in reply to a positive authentication, and sending the Authentication Code to the first remote system with the USSD - enabled terminal.
  • the step of generating an USSD Access Code preferably uses the network address and data uniquely identifying the first remote system.
  • the step of sending the USSD Access Code to the USSD - enabled terminal preferably comprises the further step of adding a Service Code to the generated USSD Access Code.
  • the step of sending the USSD Access Code to the USSD - enabled terminal may also comprise the further step of encoding at least the USSD Access Code in an information string.
  • the step of sending the USSD Service Request preferably further comprises inputting the information string at the USSD - enabled terminal.
  • the step of sending the USSD Service Request preferably further comprises routing the USSD Service Request via an USSD Gateway, which analyzes the Service Code in the Request to identify the destination for the Service Request.
  • the step of authenticating the USSD Access Code in the USSD Service Request preferably further comprises applying a routing algorithm to the USSD Access Code received in the USSD Service Request to identify the first remote system.
  • the step of authenticating the USSD Access Code in the USSD Service Request preferably further comprises the steps of extracting and authenticating the network address of the USSD - enabled user terminal.
  • the step of generating the Authentication Code preferably further comprises configuring a validity period for the USSD Authentication Code, in order to further improve the security of the method, advantageously with a simple variable.
  • the step of sending the Authentication Code preferably further comprises communicating the Authentication Code as an USSD Service Request Response.
  • the method preferably comprises the further step of authenticating the Authentication Code at the second remote system.
  • the method preferably comprises the further step o granting the user terminal access to data stored at the first remote system over the network in reply to a positive authentication.
  • the method may comprise the further step of processing an electronic transaction at the first remote system in reply to a positive authentication.
  • the method may comprise the further step of granting the user of user terminal access to a location having entry securing means controlled by the first remote system in reply to a positive authentication.
  • the steps of sending the USSD Access Code, the USSD Service Request and the Authentication Code are preferably performed across a signalling channel network.
  • the signalling channel network is preferably encrypted.
  • the signalling channel network may for instance be selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and Public Switched Telephone Network (PSTN) standards.
  • GSM Global System for Mobile communications
  • TDMA Time Division Multiple Access
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • PSTN Public Switched Telephone Network
  • the user terminal may advantageously be a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
  • the first remote system is preferably hosted at a first server and the second remote system is hosted at a second server.
  • the first remote system is still hosted at the first server, but the second remote system may be hosted at the first server.
  • a data processing system for generating and communicating an Authentication Code in a network to which at least a user terminal is connected, the data processing system comprising means for sending an access request from the user terminal (101A, 101B) to a first remote server, wherein the access request includes at least a network address of the user terminal, means for generating an USSD Access Code using at least the network address in response to receiving the access request, means for sending the generated USSD Access Code to an USSD - enabled user terminal, means for sending an USSD Service Request including the generated USSD Access Code to a second remote server with the USSD - enabled user terminal, means for authenticating the USSD Access Code in the USSD Service Request, means for generating and sending an Authentication Code to the USSD - enabled terminal in reply to a positive authentication, and means for sending the Authentication Code to the first remote system with the USSD - enabled terminal.
  • the means for generating an USSD Access Code, the means for authenticating the USSD Access Code and the means for generating and sending an Authentication Code are preferably embodied in an Access Code Handler module processed by the first or second server.
  • the Access Code Handler module may advantageously be adapted to add a Service Code to the generated USSD Access Code.
  • the means for sending the generated USSD Access Code to an USSD - enabled user terminal is preferably embodied at the first remote server and is preferably further adapted to encode at least the USSD Access Code in an information string.
  • the syntax of the information string may advantageously be an USSD Service Request.
  • the network preferably further comprises an USSD Gateway adapted to analyze the Service Code in the USSD Service Request for identifying the Request destination and routing the Request thereto.
  • the means for authenticating the USSD Access Code in the USSD Service Request preferably further comprises a routing algorithm, which is adapted to identify the first remote system from the USSD Access Code.
  • the means for authenticating the USSD Access Code in the USSD Service Request may further comprise means for extracting and authenticating the network address of the USSD - enabled user terminal.
  • the Authentication Code is preferably configured with a validity period.
  • the means for sending the Authentication Code are preferably further adapted to communicate the Authentication Code as an USSD Service Request Response.
  • the system further comprises means to authenticate the Authentication Code.
  • the first remote system is preferably adapted to grant the user terminal network access to data stored therein, in reply to a positive authentication or adapted to deny the user terminal network access to data stored therein, in reply to a negative authentication.
  • the first remote system may be adapted to process an electronic transaction, in reply to a positive authentication.
  • the first remote system may be adapted to grant the user of user terminal access to a location having entry securing means controlled by the first remote system, in reply to a positive authentication.
  • the network includes a signalling channel network.
  • the signalling channel network is preferably encrypted.
  • the signalling channel network may advantageously be selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE) and Public Switched Telephone Network (PSTN) standards.
  • GSM Global System for Mobile communications
  • TDMA Time Division Multiple Access
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • LTE Long Term Evolution
  • PSTN Public Switched Telephone Network
  • the user terminal is a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
  • Figure 1 shows a networked environment in which embodiments of the invention may be implemented, including a plurality of terminals.
  • Figure 2 shows a typical hardware structure of a cardholder mobile terminal shown in Figure 1.
  • FIG 3 shows a typical hardware structure of the server terminals shown in Figure 1.
  • Figure 4 details the steps of a method of generating, communicating and using USSD codes according to the invention, apt to be implemented in a networked environment.
  • Figure 5 illustrates a first embodiment of the method of Figure 4 in the networked environment of Figure 1, wherein an account holder accesses an online banking service and gains access to the service by using an USSD Proxy System implemented in a networked terminal.
  • Figure 6 illustrates a second embodiment of the method of Figure 4 invention in the networked environment of Figure 1, wherein an account holder accesses an online banking service and gains access to the service by using an USSD Proxy System integrated with a Financial Institution system.
  • the PIN Code is generated either by the USSD Proxy System or by a Financial Institution's system, depending on the embodiment, and is provided to the account holder in advance.
  • the PIN Code is used to authenticate account holders against their phone number.
  • the purpose of the PIN Code is to prevent anyone from stealing an account holder's mobile telephone handset and use it to generate USSD access codes for gaining access to the account holder's account.
  • USSD Access Code The USSD Access Code is generated by the USSD Proxy System and is linked to the Phone Number of the account holder (e.g. MSISDN). The USSD Access Code is provided to the account holder, through the system which the account holder is accessing. The USSD Access Code is a one - off access code and is only valid for a configurable, limited time.
  • the Authentication Code is a one - off access code that is generated either by the USSD Proxy System or by a Financial Institution's system, depending on the embodiment, and is provided to the account holder to allow the account holder to login into a secure service, to authorise an online purchase or to authorise a credit card transaction.
  • the Authentication Code is only valid for a configurable, limited time.
  • the Authentication Code is communicated to the account holder in response to the account holder inputting an USSD string in an USSD - enabled data processing device.
  • USSD String The USSD string that should be input on the account holder's USSD - enabled data processing device for obtaining and Authentication Code is communicated in clear to the account holder, and takes one of the following two forms: ⁇ '* ⁇ Service Code>* ⁇ USSD Access CodexPIN Code>#'
  • the Phone Number can be any phone number assigned on an USSD -enabled network. In most cases, this is the network number of a mobile telephone handset (or of the Subscriber Identification Module thereof) and is the MSISDN, but other networks are not to be excluded, so as long as such other networks are USSD - enabled.
  • Account Number This is the account holder's Account Number within a Financial Institution's system.
  • the Account Number may also be an assigned Account Number within the USSD Proxy System.
  • FIG. 1 shows a networked environment including a plurality of terminals, in which embodiments of the invention may be implemented.
  • An electronic transaction processing system comprises at least one cardholder terminal 101, at least one Financial Institution system 102 and at least one USSD Proxy System server 103.
  • the at least one Financial Institution system 102 comprises a web server 102A operably connected to a financial server 102B.
  • Each terminal 101, 102A, 102B and 103 is connected to a communication network 104.
  • the cardholder terminal 101 is a mobile telephone handset 101 A having wireless telecommunication emitting and receiving functionality over a cellular telephone network configured according to the Global System for Mobile Communication ('GSM'), General Packet Radio Service ('GPRS'), International Mobile Telecommunications-2000 (IMT— 2000, 'W- CDMA' or '3G') network industry standards, and wherein telecommunication is performed as voice, alphanumeric or audio-video data using the Short Message Service ('SMS') protocol, the Wireless Application protocol ('WAP') the Hypertext Transfer Protocol ('HTTP') or the Secure Hypertext Transfer Protocol ('HTTPS').
  • the cardholder terminal 101 may be a personal computer 101B of the portable or desktop variety.
  • a cardholder mobile telephone handset 101 A receives or emits voice, text, audio and/or image data encoded as a digital signal over a wireless data transmission 105, wherein the signal is relayed respectively to or from the handset by the geographically-closest communication link relay 106 of a plurality thereof.
  • the plurality of communication link relays 106 allows digital signals to be routed between the handset 101 A and their destination by means of a remote gateway 107 via a MSC/HLR 108.
  • Gateway 107 is for instance a communication network switch, which couples digital signal traffic between wireless telecommunication networks, such as the network within which wireless data transmissions 105 take place, and the communication network 104, which is a Wide Area Network ('WAN') 104, an example of which being the Internet.
  • 'WAN' Wide Area Network
  • the gateway 107 further provides protocol conversion if required, for instance whether the handset 101A uses the WAP or HTTPS protocol to communicate data.
  • the gateway 107 is further configured as an USSD Gateway, the specific functionality of which in the system and method of the invention will be described hereafter.
  • a cardholder mobile terminal 101 A may for instance be an iPhoneTM handset manufactured by the Apple Corporation or a Nexus OneTM handset manufactured for Google, Inc. by the HTC Corporation.
  • the cardholder mobile terminal 101A may be any portable data processing device having at least wireless communication means and USSD functionality.
  • a cardholder personal computer terminal 10 IB may have wired and/or wireless telecommunication emitting and receiving functionality over, respectively, a wired Local Area Network ('LAN') and/or a wireless local area network ('WLAN') conforming to the 802.11 standard ('Wi-Fi').
  • 'LAN' wired Local Area Network
  • 'WLAN' wireless local area network
  • 802.11 standard 'Wi-Fi'
  • telecommunication is likewise performed as voice, alphanumeric and/or audio-video data using the Internet Protocol (IP), Voice data over IP ('VoIP') protocol, Hypertext Transfer Protocol ('HTTP') or Secure Hypertext Transfer Protocol ('HTTPS'), the signal being relayed respectively to or from the cardholder terminal 101B by a wired (LAN) or wireless (WLAN) router interfacing the cardholder terminal 10 IB to the WAN communication network 104.
  • IP Internet Protocol
  • VoIP Voice data over IP
  • HTTP'HTTP' Hypertext Transfer Protocol
  • 'HTTPS' Secure Hypertext Transfer Protocol
  • a mobile telephone handset 101A may have wireless telecommunication emitting and receiving functionality over the WLAN in addition to GSM, GPRS, W-CDMA and/or 3G.
  • each of the Financial Institution web servers 102A and the at least one USSD Proxy System server 103 is a data processing device which emits and receives data encoded as a digital signal over a wired data transmission conforming to the IEEE 802.3 ('Gigabit Ethernet') standard, wherein the signal is relayed respectively to or from the computing device by a wired router interfacing the computing device to the WAN communication network 104.
  • each of the at least one Financial Institution System servers 102A, 102B and the at least one USSD Proxy server terminal 103 may be any portable or desktop data processing device computing having at least networking means apt to establish a bilateral data communication with the cardholder terminal 101 A, 101B and each other.
  • the handset 101A firstly includes a data processing unit 201, for instance a general-purpose microprocessor ('CPU'), acting as the main controller of the handset 101 A and which is coupled with memory means 202, comprising non-volatile random-access memory ('NVRAM').
  • a data processing unit 201 for instance a general-purpose microprocessor ('CPU'), acting as the main controller of the handset 101 A and which is coupled with memory means 202, comprising non-volatile random-access memory ('NVRAM').
  • 'NVRAM' non-volatile random-access memory
  • the cardholder mobile terminal 101A further includes a modem 203 to implement the wireless communication functionality, as the modem provides the hardware interface to external communication systems, such as the GSM or GPRS cellular telephone network 106, 107, 108 shown in Figure 1.
  • An aerial 204 coupled with the modem 203 facilitates the reception of wireless signals from nearby communication link relays 106.
  • the modem 203 includes an analogue-to-digital converter 205 ('ADC') for demodulating wavelength wireless signals received via the antenna 204 into digital data, and reciprocally for outgoing data.
  • 'ADC' analogue-to-digital converter
  • the handset 101A further includes self-locating means in the form of a GPS receiver 206, wherein the ADC 205 receives analogue positional and time data from orbiting satellites 110, which the data processing unit 201 or a dedicated data processing unit processes into digital positional and time data.
  • self-locating means in the form of a GPS receiver 206, wherein the ADC 205 receives analogue positional and time data from orbiting satellites 110, which the data processing unit 201 or a dedicated data processing unit processes into digital positional and time data.
  • the handset 101 A may optionally further include imaging means 207 in the form of an electronic image sensor, for capturing image data which the data processing unit 201 or a dedicated data processing unit processes into digital image data.
  • imaging means 207 in the form of an electronic image sensor, for capturing image data which the data processing unit 201 or a dedicated data processing unit processes into digital image data.
  • the CPU 201, NVRAM 202, modem 203, GPS receiver 206 and optional digital camera 207 are connected by a data input/output bus 208, over which they communicate and to which further components of the handset 101A are similarly connected, in order to provide wireless communication functionality and receive user interrupts, inputs and configuration data.
  • Alphanumerical and/or image data processed by CPU 201 is output to a video display unit 209 ('VDU'), from which user interrupts may also be received if it is a touch screen display. Further user interrupts may also be received from a keypad 210 of the handset, or from an external human interface device ('HiD') connected to the handset via a Universal Serial Bus ('USB') interface 211.
  • the USB interface advantageously also allows the CPU 201 to read data from and/or write data to an external or removable storage device.
  • Power is provided to the handset 101 A by an internal module battery 212, which an electrical converter 213 charges from a mains power supply as and when required.
  • the data processing device 101B, 102A, 103 is a computer configured with a data processing unit 301, data outputting means such as video display unit (VDU) 302, data inputting means such as HiD devices, commonly a keyboard 303 and a pointing device (mouse) 304, as well as the VDU 202 itself if it is a touch screen display, and data inputting/outputting means such as the wired network connection to the communication network 104, a magnetic data-carrying medium reader/writer 306 and an optical data-carrying medium reader/writer 307.
  • VDU video display unit
  • HiD devices commonly a keyboard 303 and a pointing device (mouse) 304
  • a central processing unit (CPU) 308 provides task co-ordination and data processing functionality. Instructions and data for the CPU 308 are stored in memory means 309 and a hard disk storage unit 310 facilitates non-volatile storage of the instructions and the data.
  • a wireless network interface card (NIC) 311 provides the interface to the network connection 108.
  • a universal serial bus (USB) input/output interface 312 facilitates connection to the keyboard and pointing devices 303, 304.
  • All of the above devices are connected to a data input/output bus 313, to which the magnetic data-carrying medium reader/writer 306 and optical data-carrying medium reader/writer 307 are also connected.
  • a video adapter 314 receives CPU instructions over the bus 313 for outputting processed data to VDU 302. All the components of data processing unit 301 are powered by a power supply unit 315, which receives electrical power from a local mains power source and transforms same according to component ratings and requirements.
  • a core aspect of the invention is the use of Unstructured Supplementary Service Data (USSD) for generating and communicating codes to support authentication of electronic transactions.
  • USB Unstructured Supplementary Service Data
  • Unstructured Supplementary Service Data is a standard developed for transmitting information over Global System for Mobile communications (GSM) signalling channels, but has since been implemented in many networks 106, 107, 108 such as Time division multiple access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and Public Switched Telephone Network (PSTN) or other networks.
  • GSM Global System for Mobile communications
  • TDMA Time division multiple access
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • PSTN Public Switched Telephone Network
  • USSD interfaces with the Mobile Switching Centre (MSC) over SS7 and uses Mobile Application Part (MAP) to receive and send USSD data from the Home Location Register (HLR).
  • MSC Mobile Switching Centre
  • MAP Mobile Application Part
  • USSD functionality can be implemented in two modes: Pull Mode, for processing handle Mobile Initiated USSD Requests, wherein the USSD service is triggered by the user entering a set of USSD strings; and Push Mode, for processing network - initiated USSD Requests, wherein the USSD service is triggered by the network which pushes information to the user's handset.
  • USSD messages are simple to create and easy to send. A user can enter an USSD string directly in a mobile handset and press a 'call' button to send the message.
  • AN USSD message can be up to 182 alphanumeric characters in length.
  • the format of an USSD message is defined by the following sequence of functions, having the following respective syntaxes:
  • the Supplementary Information is a variable length code.
  • USSD for querying the available balance and other similar information in prepaid mobile phone services.
  • the function that is triggered when sending an USSD string is both network-dependent and operator-dependent, in that it depends on the specific services which the mobile telephony operator makes available.
  • USSD is a capability of most mobile phones. It is generally associated with real-time or instant messaging-type phone services. USSD is session - oriented, unlike SMS which is a store-and-forward, transaction-oriented technology. Turnaround response times for interactive applications are shorter for USSD than SMS because of the session-based characteristic of USSD, and because it is not a store-and-forward service. Users do not need to access any particular phone menu to access services with USSD, as USSD commands are entered directly from the initial user interface of the mobile phone.
  • USSD is normally used as a 'trigger' to invoke independent calling services that do not require the overhead and additional usage costs of an SMSC, such as a call-back service (e.g. cheaper phone charges while roaming), or interactive data service (e.g. stock quotes, sports results).
  • a call-back service e.g. cheaper phone charges while roaming
  • interactive data service e.g. stock quotes, sports results.
  • USSD is used to send text between the user and an application. USSD should be thought of as a trigger, rather than an application itself. In operation, it is not possible to bill for USSD directly, but instead bill for the application associated with the use of USSD such as circuit switch data, SMS, or pre-paid.
  • USSD messages from handsets are always routed to the home network. This means that if the user is roaming in another network, dialling an USSD string on the phone will always route to the application on the user's home network. If a particular USSD service needs to be accessed in the user's home network, then the user will also be able to access it from another country. Conversely, roaming subscribers from other networks cannot access USSD services on a host network, so this also increases the security.
  • USSD uses the signalling network and not the radio network, so USSD will also work well in areas with low or inexistent radio coverage (low signalling strength), unlike SMS and MMS services.
  • the authentication codes are transferred securely over an encrypted signalling network and the chance of compromising information is low.
  • the Authentication Code is requested by and supplied to a cardholder terminal mobile handset 101A using Unstructured Supplementary Service Data (USSD), or to any other USSD - enabled terminal 101.
  • USSD is supported by most mobile handsets and uses the existing mobile telephony signalling network infrastructure 106, 107, 108, which is encrypted, to deliver the Authentication Codes.
  • HLR Home Location Register
  • VLR Visit Location Register
  • a problem with SMS messaging is that the message may be ghosted or fraudulently manipulated, in a way which USSD cannot.
  • the invention provides an USSD Proxy System, and a method in a data processing network, such as shown in Figures 1 to 3, for issuing cardholders with an Authentication Code to authorize a specific electronic transaction.
  • the Authentication Code generated and provided by the system of the invention may be used to gain access to a physical system, to a physical and access - controlled location, to a distributed service such as an electronic transaction or information processing system and may also, or alternatively, be used to confirm a condition associated with the above electronic authentication - dependent services.
  • the USSD Proxy System of the invention can be implemented as a service hosted at the distinct server 103, which can be used respective several web servers 102A of several, unrelated Financial Institution Systems 102.
  • This embodiment usefully removes the additional data processing overhead at each Financial Institution web server 102A, which a Financial Institution - specific implementation would require.
  • it also provides cardholders of several Financial Institutions with a common user interface.
  • Generating the Authentication Code requires the generating of an USSD Access Code using a specific algorithm, which processes a key (org_keyl) that is unique to each Financial Institution System 102.
  • the generated USSD Access Code is then unique to each combination of Financial Institution System 102 and cardholder terminal 101.
  • a routing algorithm is applied to the USSD Access Code, which outputs the same unique key (org_keyl) originally used to generate the USSD Access Code in the first place.
  • the unique key output by the routing algorithm is then used to identify the correct Financial Institution System 102 and the request for an Authentication Code will be routed to the web server 102A of the identified Financial Institution System 102.
  • a user communicates an access request from their terminal 101 to a remote organisation system 102, wherein the access request includes at least a terminal network address, for instance a phone number or MSISDN of a mobile telephone handset 101.
  • the access request is forwarded by the organisation system 102 to an Access Code Handler for generating and obtaining an USSD Access Code linked to the organisation system 102 and the user terminal 101.
  • the Access Code Handler processes an USSD Access Code Algorithm for generating the USSD Access Code, which is unique to the terminal network address and the organisation, based on both a secure key linked to both the organisation, for instance an organization ID, and the registered network address of the user terminal 101.
  • the Access Code Handler adds a Service Code to the generated USSD Access Code and communicates both to the organisation system 102.
  • the organisation system 102 outputs an information string containing the USSD Access Code and the Service Code received from the Access Code Handler and forwards it to the user terminal 101.
  • the user inputs the information string received from the organisation system 102 as an USSD Service Request on the registered terminal 101, and sends it over the network to which the terminal 101 is connected, i.e. a mobile telephony network.
  • the mobile telephony network routes the USSD Service Request to an USSD Gateway, which analyzes the Service Code in the Request to identify the Access Code Handler to which to route the Service Request.
  • the Access Code Handler applies a routing algorithm to the USSD Access Code received in the Service Request to identify the correct organisation system 102.
  • the secure key originally used to generate the USSD Access Code identifies the correct organisation system 102.
  • the Access Code Handler processes the USSD Access Code to extract the terminal network address, which it authenticates.
  • a question is subsequently asked at step 409, as to the output of the authentication. If the authentication fails, the Access Code Handler generates an error message and communicates it to the user at step 410. If the authentication is valid, then at step 411 the Access Code Handler generates a one-off Authentication Code for the user, which it communicates as an USSD Service Request Response to the USSD Gateway in the mobile telephony network.
  • the USSD Gateway routes the USSD Service Request Response back to the correct user terminal 101 and the user inputs the Authentication Code at the terminal 101 and communicates it to the remote organisation system 102 at step 413.
  • the remote organisation system 102 queries the Access Code Handler for verifying the validity of the received Authentication Code. If the authentication fails, the Access Code Handler generates an error message and communicates it to the remote organisation system 102 at step 415. If the authentication is valid, then at step 416 the Access Code Handler confirms the validity of the Authentication Code to the organisation system 102 and the user gains access, via the terminal 101, to the resources of the remote organisation system 102.
  • FIG. 5 describes a description of a first embodiment of the USSD Proxy System according to the invention in the network of Figure 1 and the data processing devices described in relation to Figures 2 and 3.
  • the embodiment is described in relation to the method of processing, communicating and using an USSD Access Code and an Authentication Code according to the invention within the system, of Figure 4.
  • the operation of the first embodiment is described in sequential steps that are numbered alike in the following description and in Figure 5, and shown in Figure 5 with respective arrows representing data flow across the system.
  • Figure 5 describes an account holder in a financial institution accessing an online banking service 102.
  • the USSD Proxy System 103 is used to gain access to the banking service 102.
  • the account holder preferably has the use of a personal computer 101B and an USSD - enabled mobile terminal 101A, and is provided with a PIN code by the USSD Proxy System 103.
  • the account holder accesses the website of the Financial Institution using normal access credentials.
  • the Financial Institution web server 102A in turn requests the USSD Proxy System 103 to generate a one - off USSD Access Code that is linked to the financial institution and the account holder mobile terminal 101.
  • the USSD Access Code is valid for a configurable amount time.
  • AN USSD String is generated and sent back to the account holder via the Financial Institution web server 102A.
  • the account holder is asked to send an USSD Service Request from the mobile terminal 101A registered in the USSD Proxy System 103 to request an Authentication Code.
  • the Authentication Code is used to gain access or authorising the required activity.
  • the USSD Gateway 107 in the mobile phone network of the mobile telephony service operator receives the USSD Service Request and forwards the request to the USSD Proxy System.
  • the USSD Proxy System identifies the correct Financial Institution in a Routing Server based on the USSD Access Code received in the USSD Request and applying a unique algorithm to identify the correct Financial Institution.
  • the USSD Service Request is then forwarded to the correct Financial Institution System 102.
  • the USSD Proxy System generates an Authentication Code and communicated it to the account holder.
  • the account holder can then use the Authentication Code received on the mobile terminal 101A over USSD to authorise the required service.
  • an account holder or cardholder conventionally accesses a Financial Institution system 102 with a personal computer 101B, and requests to log in using credentials that are outside the scope of the present system.
  • the login request is routed to the Financial Institution web server 102A, and contains the account holder account number within the Financial Institution financial server 102B.
  • the Financial Institution web server 102A forwards the access request to an Access Code Handler module 501 processed by the USSD Proxy System server 103, for obtaining an USSD Access Code that is linked to both the Financial Institution system 102 and the account holder mobile terminal 101 A.
  • the Access Code Handler 501 requests an USSD Access Code Algorithm module 502 processed by the USSD Proxy System server 103 to generate an USSD Access Code, based on a secure key linked to the Financial Institution (representative of an organisation ID) and the registered phone number of the account holder mobile terminal 101A.
  • the USSD Access Code Algorithm module 502 requests the registered phone number of the account holder mobile terminal 101 A and the secure key from a database or data storage 503, optionally also querying the Financial Institution web server 102A for the organisation ID.
  • the USSD Access Code Algorithm module 502 retrieves the registered phone number of the account holder mobile terminal 101A, for instance the MSISDN, and the secure key based on the organisation ID identified in the database or sent in from the Financial Institution web server 102A.
  • the USSD Access Code Algorithm module 502 generates the USSD Access Code, which is unique to the account holder phone number and the Financial Institution system 102, and forwards it to the Access Code Handler 501.
  • the Access Code Handler 501 processes the USSD Access Code to add a Service Code therein, then forwards it to the Financial Institution web server 102A for communication to the account holder personal computer 10 IB.
  • the Financial Institution web server 102A creates an information string containing the USSD Access Code and the Service Code, then communicates the information string to the account holder personal computer 10 IB.
  • the information string is output to the VDU 302 of the account holder personal computer 10 IB, as the following example instructions:
  • the Service Code is a value, for instance "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service and is linked to the USSD Proxy System);
  • the PIN Code is a code provisioned in the USSD Proxy System and is linked to the phone number of the account holder mobile terminal 101A, for instance "5555".
  • the account holder inputs the USSD Service Request received at step 10 ( '*123*776688*5555#') in the standard user interface of the mobile terminal 101A and presses a send command or button.
  • the USSD Service Request is routed over the network 106, 107, 108 of the operator for the mobile terminal 101A network, particularly over the MSC/HLR 108 which, at step 13, routes the USSD Service Request to the USSD Gateway 107.
  • the USSD Gateway 107 processes the Service Code received in the USSD Service Request for identifying the correct application to which the Service Request should be routed to.
  • the Service Request is eventually routed to the USSD Proxy System 103, more specifically to a Routing Server module 504 thereof.
  • the Routing Server module 504 applies a Routing Algorithm to the USSD Access Code received in the Service Request, for identifying the correct Financial Institution System 102.
  • the secure key used to generate the USSD Access Code in step 7 identifies the correct Financial Institution.
  • the Routing Server module 504 eventually routes the Service Request to the Access Code Handler 501.
  • the Access Code Handler module 501 parses and strips the PIN Code and the USSD Access Code from the Service Request, then queries the database or data storage 503 for the PIN Code and Phone Number issued to the account holder. At step 17, the Access Code Handler module 501 retrieves the PIN Code and Phone Number issued to the account holder from the database or data storage 503.
  • the Access Code Handler module 501 authenticates the PIN Code and Phone Number issued to the account holder, as well as the USSD Access Code generated in step 7.
  • the Access Code Handler module 501 has access to all generated USSD Access Codes and their validity period. If the authentication is valid and the credentials match, the Access Code Handler module 501 generates a one - off Authentication Code for the account holder, for instance "987654". If the credentials do not match, an error message is generated and communicated to the account holder. For the purposes of not obscuring the present description unnecessarily, it assumed that the credentials match and an Authentication Code is generated.
  • the Routing Server module 504 routes the USSD Service Request Response, thus the Authentication Code back to the USSD Gateway 107 in the network 106, 107, 108.
  • the USSD Gateway 107 routes the USSD Service Request Response, thus the Authentication Code back to the correct MSC/HLR 108.
  • the MSC/HLR 108 identifies the account holder mobile terminal 101A and sends the USSD Service Request Response, thus the Authentication Code to the account holder mobile terminal 101 A.
  • the Authentication Code is output to the display 209 of the account holder USSD - enabled handset 101A.
  • the account holder inputs the Authentication Code in a relevant interface of the Financial Institution web page on the personal computer 10 IB.
  • the input Authentication Code is forwarded to the Financial Institution web server 102.
  • the Financial Institution web server 102A queries the Access Code Handler module 501 to verify the validity of the Authentication Code for the account holder.
  • the Access Code Handler module 501 replies to the Financial Institution web server 102A with either an 'Authentication Code OK' message or an 'Authentication Code Not OK' message. If the validity period of the Authentication Code has expired, the Access Code Handler module 501 still replies with an 'Authentication Code Not OK' message.
  • the account holder gains access to the required system, in the example the banking data and interface. Access is denied, however, if the Authentication Code is not valid.
  • the Financial Institution web server 102A communicates a reply about the access request to the account holder computer terminal 101B and, at step 29, the account holder is informed about the Authentication.
  • the USSD Proxy System 103 allows a Financial Institution System 102 to trigger USSD Services based on the USSD Service Code (SC), and each Financial Institution and account holder using the service is accordingly provisioned in the USSD Proxy System 102: each account holder is provided with a Phone Number, USSD Access Code (of variable and configurable length) and an Organisation ID (used to identifying the financial institution) in the USSD Proxy System.
  • SC USSD Service Code
  • each account holder is provided with a Phone Number, USSD Access Code (of variable and configurable length) and an Organisation ID (used to identifying the financial institution) in the USSD Proxy System.
  • This solution however requires that the USSD Service Code is provisioned on all mobile telephone network operators' USSD Gateways 104, in order to recognize the Service Code and route the USSD Service Request to the correct Financial Institution System 102 and data processing service thereof.
  • the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify both the correct Financial Institution and the correct USSD Service;
  • the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder.
  • the same USSD Access Code may also be assigned to another account holder, since the combination of the USSD Access Code and mobile handset phone number is unique.
  • the respective USSD Gateways 107 of the phone operators route the USSD Request to the correct Financial Institution System 102.
  • the Access Code Handler module 601 in the Financial Institution System 102 checks the USSD Access Code and phone number and matches the values received in the USSD Service Request to the values stored for the account holder. This check can be done by additional software delivered as part of the integration to the financial institution, or it can be done by the financial institution's own software.
  • the Access Code Handler module 601 in the Financial Institution System 102 generates a one- off Authentication Code and returns it to the account holder over the USSD Proxy System and the mobile telephony network of the phone operator. To increase security, the generated Authentication Code is only valid for a configurable, limited time.
  • the account holder enters the received Authentication Code in the mobile handset interface as previously described, and the Access Code Handler module 501 at the Financial Institution System 102 eventually verifies the validity of the Authentication Code by matching it to the Authentication Code that was generated and sent to the account holder via the USSD Proxy System.
  • the Financial Institution is identified by both the account holder phone number and the USSD Access Code.
  • USSD Access Codes are generated for each account holder by the Financial Institution System 102 and are mapped to the phone number of the account holder mobile handset 101A.
  • the Financial Institution provides the account holder with the USSD Access code.
  • the information string output to the VDU 302 of the account holder personal computer 101B is as the following example:
  • the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service;
  • the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder.
  • the same USSD Access Code may also be assigned to another account holder, since the combination of the USSD Access Code and mobile handset phone number is unique.
  • the USSD Access Code and phone number identify the correct Financial Institution System 102 based on the Organization ID provisioned in the USSD Proxy System.
  • the USSD Proxy System forwards the phone number and USSD Access Code to the Financial Institution System 102.
  • the Financial Institution System 102 checks if the USSD Access Code and phone number received in the USSD Service Request matches the values stored for the account holder. This check can be done by additional software delivered as part of the integration to the Financial Institution, or it can be done by the Financial Institution's own software.
  • a positive check prompts the Financial Institution System 102 to generate a one-off Authentication Code, which is communicated to the USSD Proxy System together with the phone number and USSD Access Code. To increase security, the generated Authentication Code is only valid for a configurable, limited time.
  • the USSD Proxy System forwards the one-off Authentication Code over the network of the mobile telephony operator to the account holder mobile handset 101A, at which it is displayed.
  • the account holder inputs the received Authentication Code and the Financial Institution System 102 eventually checks and verifies that this Authentication Code matches the authentication code that was generated and sent to the account holder via the USSD Proxy System.
  • the Financial Institution is identified by its Organisation ID.
  • no account holder provisioning is required in the USSD Proxy System.
  • the only additional data is provisioned in the USSD Proxy System is an additional Organization ID, used to identify the correct Financial Institution from incoming USSD Service Requests.
  • USSD Access Codes are generated for each account holder by the Financial Institution System 102 and are mapped to the phone number of the account holder mobile handset 101A.
  • the Financial Institution provides the account holder with the USSD Access code and, in this embodiment, a Financial Institution - specific Organisation ID to be used by the account holder when entering the USSD String on an USSD enabled handset 101A.
  • the information string output to the VDU 302 of the account holder personal computer 101B is as the following example:
  • the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service;
  • the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder;
  • the Organisation ID is a value, for instance "5566", which uniquely identifies the Financial Institution to which to forward the request.
  • the USSD Proxy System forwards the Phone Number and USSD Access Code to the Financial Institution System, at which they are checked against the values stored for the account holder.
  • a positive check again prompts the Financial Institution System 102 to generate a one-off Authentication Code, however it is communicated to the USSD Proxy System together with the phone number only.
  • the account holder inputs the received Authentication Code as before, and the Financial Institution checks and verifies that this Authentication Code matches the Authentication Code that was recently generated and sent to the account holder via the USSD Proxy Solution.
  • This embodiment advantageously removes the need to provision the USSD Proxy System with an Organisation ID, and allows an account holder to use the service for several Financial Institutions using the same phone number.
  • the Financial Institution is identified by a unique PIN generation algorithm.
  • the principle of this embodiment is to use an algorithm for generating USSD Access Codes, which are apt to identify the organisation for which it has been generated.
  • the unique PIN generation algorithm generates USSD Access Codes of configurable lengths, which are specific to a Financial Institution.
  • the USSD Access Codes are generated using a key that is unique to the Financial Organisation, in such a way that the output can be reverse - processed by applying the algorithm again for extracting the key and thus identify the correct Financial Institution.
  • the algorithm uses the key that is unique to the particular Financial Institution for input, the USSD Access Code generated is unique to that particular organisation.
  • the PIN Code application may be implemented as either a standalone application that can be processed by the Financial Institution servers 102A, 102B, or as a web interface hosted at a remote server, for example the USS Proxy Solution server 103, which the Financial Institution System 102 can access when generating USSD Access Codes for the USSD users.
  • the Financial Institution issues the generated USSD Access Codes, of a length which is both configurable and algorithm - dependent, to an account holder as before.
  • the information string output to the VDU 302 of the account holder personal computer 101B is as the following example:
  • the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service;
  • the USSD Access Code is a value, for instance "776688" and is specific to the account holder.
  • the USSD Service Request is forwarded to the USSD Proxy System by the mobile telephony network based on the Service Code.
  • the USSD Proxy System applies a reverse algorithm to the received USSD Access Code.
  • the output identifies the Financial Institution, based on the extracted key which was used to generate the USSD Access Code in the first place.
  • the USSD Proxy System then forwards the USSD Access Code and the phone number to the correct Financial Institution, as before.
  • the purpose of the unique PIN generation algorithm is to simplify the user experience for the account holder.
  • the unique PIN generation algorithm eliminates the requirement to allocate specific Service Codes for each Financial Institution System 102 and prevents the inputting of fraudulent or incorrect Organisation ID data in the USSD Service Request by the mobile handset user.
  • this embodiment also removes the requirement to provision for the account holder in the USSD Proxy System and a same Service Code, with the PIC algorithm, can be used for multiple Financial Institution Systems 102.
  • an account holder accesses the Financial Institution's website server 102A by inputting conventional credentials.
  • the Financial Institution website server 102A queries the Access Code Handler 501, 601 to obtain an USSD Access Code that is linked to the phone number of the account holder mobile handset 101.
  • AN USSD Access Code is generated using a specific algorithm, which processes a key that is unique to each Financial Institution, thus which can be used to generate USSD Access Codes for multiple Financial Institutions according to their respective keys.
  • the generated USSD Access Codes are therefore unique to each particular organisation, and their length is again configurable and depends on both the algorithm and the input variables used.
  • the Financial Institution website server 102A communicates the following USSD string to the account holder computer terminal 10 IB, which that the account holder must input in an USSD enabled handset 101A registered to the account holder, for gaining access to the secure website:
  • the USSD Access Code When received in the USSD Service Request, the USSD Access Code is used to determine which Financial Institution the Service Request should be routed to.
  • the account holder inputs the USSD string into the USSD enabled handset 101A, which the phone network routes as an USSD Service Request to the Routing Server module 504 of the USSD Proxy System 103.
  • the Routing Server module 504 applies the routing algorithm to the USSD Access Code received in the USSD Service Request for identifying the Financial Institution for which the USSD Access Code was generated, wherein the Financial Institution is identified based on the routing Algorithm's resulting key.
  • the Routing Server module 504 then forwards the USSD Service Request to the Access Code Handler 501, 601, which accepts the Request and strips away the PIN Code and USSD Access Code.
  • the Access Code Handler 501, 601 then authenticates the PIN Code against the phone number provisioned and authenticates the USSD Access Code against the USSD Access Code recently generated for the phone number.
  • the Access Code Handler 501, 601 then generates an Authentication Code that subsequently communicated returned to the account holder over USSD as a response to the original USSD Service Request, as before.
  • the above embodiments may be used to provide cardholders with transaction - respective authentication codes, for instance to authorise an online purchase or any other electronic transaction that requires additional authentication or authorisation from the cardholder.
  • the above embodiments may be used to provide customers and/or account holders of a Financial Institution with system - respective authentication codes for logging into secure online Internet sites and pages.
  • the above embodiments may be used to provide employees, users and the like with system and/or location - specific authentication codes, used for logging into computer systems, for accessing secure facilities and for any other similar password or code - dependent security check.
  • the embodiments in the invention described with reference to the drawings comprise a computer apparatus and/or processes performed in a computer apparatus.
  • the invention also extends to computer programs, particularly computer programs stored on or in a carrier adapted to bring the invention into practice.
  • the program may be in the form of source code, object code, or a code intermediate source and object code, such as in partially compiled form or in any other form suitable for use in the implementation of the method according to the invention.
  • the carrier may comprise a storage medium such as ROM, e.g. CD ROM, or magnetic recording medium, e.g. a floppy disk or hard disk.
  • the carrier may be an electrical or optical signal which may be transmitted via an electrical or an optical cable or by radio or other means.

Abstract

A system and method are disclosed for generating and communicating an Authentication Code in a network. An access request is sent from a user terminal (101A, 101B) to a first remote system (102), wherein the access request includes at least a network address of the user terminal (101B). The access request is received at a second remote system (103) and an USSD Access Code is generated using at least the network address, and sent to an USSD enabled user terminal (101B). The USSD enabled user terminal (101B) sends an USSD Service Request including the generated USSD Access. The USSD Access Code in the USSD Service Request is authenticated at the second remote system (103) and, in reply to a positive authentication, an Authentication Code is generated at, and sent to the USSD enabled terminal (101B) by, the second remote system (103). The USSD enabled terminal (101B) sends the USSD Authentication Code to the first remote system (102) and gains access thereto.

Description

Title
Fraud Prevention System and Method using Unstructured Supplementary Service Data (USSD). Field of the Invention
The invention relates generally to the prevention of electronic credit/debit card fraud and identity theft. In particular the invention is aimed at providing a system and method for minimizing the potential for phishing.
The invention also relates to added security for credit card and debit card transactions processed across networks, and for the authentication of access to systems, buildings and the like.
Background to the Invention
In recent years, financial institutions have introduced additional security for online credit card and debit card transactions. A known example the 3-D Secure Protocol developed by the VISA Corporation, which was introduced to users as the "Verified by VISA" and "MasterCard Secure code by MasterCard" electronic payment features.
Phishing refers to the fraudulent process of attempting to acquire sensitive information such as user names, passwords, financial and credit card details and the like, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website, the look and feel of which is almost identical to the legitimate one. Even when using server authentication, it may require skills well beyond those of the average user, to detect that the website is fake. 'Phishers' are those undertaking the above fraudulent activities and, typically, send electronic communications asking the recipients to "confirm their password", to "verify their account" and/or to "confirm their identity". While early examples of such communications were sent indiscriminately, in the expectation that some would be received by customers of a given bank or service and replied to, recent research has shown that phishers may be able to determine which banks potential victims use and, accordingly, they are increasingly targeting customers of specific banks and online payment services. The latest trend for phishers is to target social networking websites, since personal details in such sites can be used for purposes of identity theft. Experiments have shows a success rate of over 70% for phishing attacks on social networks. In the above context, 3-D Secure has introduced an additional authentication step for online payments and transactions, in an attempt to overcome the problem of phishing and online fraud. Transactions using 3-D Secure typically guide the electronic transaction process to the website of the card issuing bank for authorising the transaction. The basic concept of the 3-D Secure protocol is to tie the financial authorization process with an online authentication.
The authentication method is password-based, to ensure that the authorisation for any online credit card and debit card transaction is subject to a secret password tied to the card, thus limiting the chance of fraud. A number of similar solutions based on token-based code generators, similar to the solutions provided by companies like RACOM, VASCO, etc. have been developed. These token-based solutions are expensive for the financial institutions to roll out and difficult to implement, and require different token generators for each financial institution.
There is therefore a need to provide a system and method to overcome the problems of online fraud and phishing.
Summary of the Invention
According to a first aspect of the present invention, a method of generating and communicating an Authentication Code is provided in a network, the method comprising the steps of sending an access request from a user terminal to a first remote system, wherein the access request includes at least a network address of the user terminal, generating an USSD Access Code using at least the network address in response to receiving the access request at a second remote system, and sending the USSD Access Code to an USSD - enabled user terminal, sending an USSD Service Request including the generated USSD Access Code with the USSD - enabled user terminal, authenticating the USSD Access Code in the USSD Service Request at the second remote system, generating and sending an Authentication Code to the USSD - enabled terminal at the second remote system in reply to a positive authentication, and sending the Authentication Code to the first remote system with the USSD - enabled terminal.
The step of generating an USSD Access Code preferably uses the network address and data uniquely identifying the first remote system.
The step of sending the USSD Access Code to the USSD - enabled terminal preferably comprises the further step of adding a Service Code to the generated USSD Access Code. The step of sending the USSD Access Code to the USSD - enabled terminal may also comprise the further step of encoding at least the USSD Access Code in an information string. In this embodiment, the step of sending the USSD Service Request preferably further comprises inputting the information string at the USSD - enabled terminal. When a Service Code is added to the generated USSD Access Code, the step of sending the USSD Service Request preferably further comprises routing the USSD Service Request via an USSD Gateway, which analyzes the Service Code in the Request to identify the destination for the Service Request. The step of authenticating the USSD Access Code in the USSD Service Request preferably further comprises applying a routing algorithm to the USSD Access Code received in the USSD Service Request to identify the first remote system.
The step of authenticating the USSD Access Code in the USSD Service Request preferably further comprises the steps of extracting and authenticating the network address of the USSD - enabled user terminal.
The step of generating the Authentication Code preferably further comprises configuring a validity period for the USSD Authentication Code, in order to further improve the security of the method, advantageously with a simple variable. The step of sending the Authentication Code preferably further comprises communicating the Authentication Code as an USSD Service Request Response.
The method preferably comprises the further step of authenticating the Authentication Code at the second remote system. In this embodiment, the method preferably comprises the further step o granting the user terminal access to data stored at the first remote system over the network in reply to a positive authentication. In an alternative embodiment, the method may comprise the further step of processing an electronic transaction at the first remote system in reply to a positive authentication. In yet another alternative embodiment, the method may comprise the further step of granting the user of user terminal access to a location having entry securing means controlled by the first remote system in reply to a positive authentication.
The steps of sending the USSD Access Code, the USSD Service Request and the Authentication Code are preferably performed across a signalling channel network. The signalling channel network is preferably encrypted. The signalling channel network may for instance be selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and Public Switched Telephone Network (PSTN) standards. The user terminal may advantageously be a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
The first remote system is preferably hosted at a first server and the second remote system is hosted at a second server. Alternatively, the first remote system is still hosted at the first server, but the second remote system may be hosted at the first server.
According to a second aspect of the present invention, a data processing system is provided for generating and communicating an Authentication Code in a network to which at least a user terminal is connected, the data processing system comprising means for sending an access request from the user terminal (101A, 101B) to a first remote server, wherein the access request includes at least a network address of the user terminal, means for generating an USSD Access Code using at least the network address in response to receiving the access request, means for sending the generated USSD Access Code to an USSD - enabled user terminal, means for sending an USSD Service Request including the generated USSD Access Code to a second remote server with the USSD - enabled user terminal, means for authenticating the USSD Access Code in the USSD Service Request, means for generating and sending an Authentication Code to the USSD - enabled terminal in reply to a positive authentication, and means for sending the Authentication Code to the first remote system with the USSD - enabled terminal.
The means for generating an USSD Access Code, the means for authenticating the USSD Access Code and the means for generating and sending an Authentication Code are preferably embodied in an Access Code Handler module processed by the first or second server. The Access Code Handler module may advantageously be adapted to add a Service Code to the generated USSD Access Code.
The means for sending the generated USSD Access Code to an USSD - enabled user terminal is preferably embodied at the first remote server and is preferably further adapted to encode at least the USSD Access Code in an information string. The syntax of the information string may advantageously be an USSD Service Request.
When a Service Code is added to the generated USSD Access Code, the network preferably further comprises an USSD Gateway adapted to analyze the Service Code in the USSD Service Request for identifying the Request destination and routing the Request thereto.
The means for authenticating the USSD Access Code in the USSD Service Request preferably further comprises a routing algorithm, which is adapted to identify the first remote system from the USSD Access Code. The means for authenticating the USSD Access Code in the USSD Service Request may further comprise means for extracting and authenticating the network address of the USSD - enabled user terminal.
The Authentication Code is preferably configured with a validity period. The means for sending the Authentication Code are preferably further adapted to communicate the Authentication Code as an USSD Service Request Response.
Preferably, the system further comprises means to authenticate the Authentication Code. In this embodiment, the first remote system is preferably adapted to grant the user terminal network access to data stored therein, in reply to a positive authentication or adapted to deny the user terminal network access to data stored therein, in reply to a negative authentication. In an alternative embodiment, the first remote system may be adapted to process an electronic transaction, in reply to a positive authentication. In yet another alternative embodiment, the first remote system may be adapted to grant the user of user terminal access to a location having entry securing means controlled by the first remote system, in reply to a positive authentication.
Preferably, at least a portion of the network includes a signalling channel network. The signalling channel network is preferably encrypted. The signalling channel network may advantageously be selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE) and Public Switched Telephone Network (PSTN) standards. Preferably, the user terminal is a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
There is also provided a computer program comprising program instructions for causing a computer program to carry out the above method which may be embodied on a record medium, carrier signal or read-only memory. Brief Description of the Drawings
The present invention will be more clearly understood from the following description of an embodiment thereof, given by way of example only, with reference to the accompanying drawings, in which:
Figure 1 shows a networked environment in which embodiments of the invention may be implemented, including a plurality of terminals. Figure 2 shows a typical hardware structure of a cardholder mobile terminal shown in Figure 1.
Figure 3 shows a typical hardware structure of the server terminals shown in Figure 1.
Figure 4 details the steps of a method of generating, communicating and using USSD codes according to the invention, apt to be implemented in a networked environment.
Figure 5 illustrates a first embodiment of the method of Figure 4 in the networked environment of Figure 1, wherein an account holder accesses an online banking service and gains access to the service by using an USSD Proxy System implemented in a networked terminal.
Figure 6 illustrates a second embodiment of the method of Figure 4 invention in the networked environment of Figure 1, wherein an account holder accesses an online banking service and gains access to the service by using an USSD Proxy System integrated with a Financial Institution system.
Detailed Description of the Drawings
The words "comprises/comprising" and the words "having/including" when used herein with reference to the present invention are used to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof. Definitions
The following definitions are used to clarify the terms and acronyms, including access codes, which are referred to in the present disclosure.
Acronyms:
• HLR - Home Location Register
• MSC - Mobile Switching Centre
• PIN - Personal Identification Number
• USSD - Unstructured Supplementary Services Data
PIN Code: The PIN Code is generated either by the USSD Proxy System or by a Financial Institution's system, depending on the embodiment, and is provided to the account holder in advance. The PIN Code is used to authenticate account holders against their phone number. The purpose of the PIN Code is to prevent anyone from stealing an account holder's mobile telephone handset and use it to generate USSD access codes for gaining access to the account holder's account.
USSD Access Code: The USSD Access Code is generated by the USSD Proxy System and is linked to the Phone Number of the account holder (e.g. MSISDN). The USSD Access Code is provided to the account holder, through the system which the account holder is accessing. The USSD Access Code is a one - off access code and is only valid for a configurable, limited time.
Authentication Code: The Authentication Code is a one - off access code that is generated either by the USSD Proxy System or by a Financial Institution's system, depending on the embodiment, and is provided to the account holder to allow the account holder to login into a secure service, to authorise an online purchase or to authorise a credit card transaction. The Authentication Code is only valid for a configurable, limited time. The Authentication Code is communicated to the account holder in response to the account holder inputting an USSD string in an USSD - enabled data processing device. USSD String: The USSD string that should be input on the account holder's USSD - enabled data processing device for obtaining and Authentication Code is communicated in clear to the account holder, and takes one of the following two forms: · '*<Service Code>*<USSD Access CodexPIN Code>#'
• '*<Service Code>*<USSD Access Code>*<PIN Code>#'
Phone Number: The Phone Number can be any phone number assigned on an USSD -enabled network. In most cases, this is the network number of a mobile telephone handset (or of the Subscriber Identification Module thereof) and is the MSISDN, but other networks are not to be excluded, so as long as such other networks are USSD - enabled.
Account Number: This is the account holder's Account Number within a Financial Institution's system. The Account Number may also be an assigned Account Number within the USSD Proxy System.
Figure 1 shows a networked environment including a plurality of terminals, in which embodiments of the invention may be implemented. An electronic transaction processing system comprises at least one cardholder terminal 101, at least one Financial Institution system 102 and at least one USSD Proxy System server 103. The at least one Financial Institution system 102 comprises a web server 102A operably connected to a financial server 102B. Each terminal 101, 102A, 102B and 103 is connected to a communication network 104.
In the example, the cardholder terminal 101 is a mobile telephone handset 101 A having wireless telecommunication emitting and receiving functionality over a cellular telephone network configured according to the Global System for Mobile Communication ('GSM'), General Packet Radio Service ('GPRS'), International Mobile Telecommunications-2000 (IMT— 2000, 'W- CDMA' or '3G') network industry standards, and wherein telecommunication is performed as voice, alphanumeric or audio-video data using the Short Message Service ('SMS') protocol, the Wireless Application protocol ('WAP') the Hypertext Transfer Protocol ('HTTP') or the Secure Hypertext Transfer Protocol ('HTTPS'). Alternatively, the cardholder terminal 101 may be a personal computer 101B of the portable or desktop variety.
A cardholder mobile telephone handset 101 A receives or emits voice, text, audio and/or image data encoded as a digital signal over a wireless data transmission 105, wherein the signal is relayed respectively to or from the handset by the geographically-closest communication link relay 106 of a plurality thereof. The plurality of communication link relays 106 allows digital signals to be routed between the handset 101 A and their destination by means of a remote gateway 107 via a MSC/HLR 108. Gateway 107 is for instance a communication network switch, which couples digital signal traffic between wireless telecommunication networks, such as the network within which wireless data transmissions 105 take place, and the communication network 104, which is a Wide Area Network ('WAN') 104, an example of which being the Internet. The gateway 107 further provides protocol conversion if required, for instance whether the handset 101A uses the WAP or HTTPS protocol to communicate data. According to the invention, the gateway 107 is further configured as an USSD Gateway, the specific functionality of which in the system and method of the invention will be described hereafter.
A cardholder mobile terminal 101 A may for instance be an iPhone™ handset manufactured by the Apple Corporation or a Nexus One™ handset manufactured for Google, Inc. by the HTC Corporation. Generally, the cardholder mobile terminal 101A may be any portable data processing device having at least wireless communication means and USSD functionality.
Alternatively, a cardholder personal computer terminal 10 IB may have wired and/or wireless telecommunication emitting and receiving functionality over, respectively, a wired Local Area Network ('LAN') and/or a wireless local area network ('WLAN') conforming to the 802.11 standard ('Wi-Fi'). In the LAN or WLAN, telecommunication is likewise performed as voice, alphanumeric and/or audio-video data using the Internet Protocol (IP), Voice data over IP ('VoIP') protocol, Hypertext Transfer Protocol ('HTTP') or Secure Hypertext Transfer Protocol ('HTTPS'), the signal being relayed respectively to or from the cardholder terminal 101B by a wired (LAN) or wireless (WLAN) router interfacing the cardholder terminal 10 IB to the WAN communication network 104. A mobile telephone handset 101A may have wireless telecommunication emitting and receiving functionality over the WLAN in addition to GSM, GPRS, W-CDMA and/or 3G.
In the example, each of the Financial Institution web servers 102A and the at least one USSD Proxy System server 103 is a data processing device which emits and receives data encoded as a digital signal over a wired data transmission conforming to the IEEE 802.3 ('Gigabit Ethernet') standard, wherein the signal is relayed respectively to or from the computing device by a wired router interfacing the computing device to the WAN communication network 104. Generally, each of the at least one Financial Institution System servers 102A, 102B and the at least one USSD Proxy server terminal 103 may be any portable or desktop data processing device computing having at least networking means apt to establish a bilateral data communication with the cardholder terminal 101 A, 101B and each other. A typical hardware architecture of a cardholder mobile telephone handset 101 A is shown in Figure 2 in further detail, by way of non-limitative example. The handset 101A firstly includes a data processing unit 201, for instance a general-purpose microprocessor ('CPU'), acting as the main controller of the handset 101 A and which is coupled with memory means 202, comprising non-volatile random-access memory ('NVRAM').
The cardholder mobile terminal 101A further includes a modem 203 to implement the wireless communication functionality, as the modem provides the hardware interface to external communication systems, such as the GSM or GPRS cellular telephone network 106, 107, 108 shown in Figure 1. An aerial 204 coupled with the modem 203 facilitates the reception of wireless signals from nearby communication link relays 106. The modem 203 includes an analogue-to-digital converter 205 ('ADC') for demodulating wavelength wireless signals received via the antenna 204 into digital data, and reciprocally for outgoing data.
The handset 101A further includes self-locating means in the form of a GPS receiver 206, wherein the ADC 205 receives analogue positional and time data from orbiting satellites 110, which the data processing unit 201 or a dedicated data processing unit processes into digital positional and time data.
The handset 101 A may optionally further include imaging means 207 in the form of an electronic image sensor, for capturing image data which the data processing unit 201 or a dedicated data processing unit processes into digital image data.
The CPU 201, NVRAM 202, modem 203, GPS receiver 206 and optional digital camera 207 are connected by a data input/output bus 208, over which they communicate and to which further components of the handset 101A are similarly connected, in order to provide wireless communication functionality and receive user interrupts, inputs and configuration data. Alphanumerical and/or image data processed by CPU 201 is output to a video display unit 209 ('VDU'), from which user interrupts may also be received if it is a touch screen display. Further user interrupts may also be received from a keypad 210 of the handset, or from an external human interface device ('HiD') connected to the handset via a Universal Serial Bus ('USB') interface 211. The USB interface advantageously also allows the CPU 201 to read data from and/or write data to an external or removable storage device. Power is provided to the handset 101 A by an internal module battery 212, which an electrical converter 213 charges from a mains power supply as and when required.
A typical hardware architecture of each of the cardholder personal computer 101B, the at least one Financial Institution web server 102A and the at least one USSD Proxy server terminal 103 is shown in Figure 3 in further detail, by way of non-limitative example. The data processing device 101B, 102A, 103 is a computer configured with a data processing unit 301, data outputting means such as video display unit (VDU) 302, data inputting means such as HiD devices, commonly a keyboard 303 and a pointing device (mouse) 304, as well as the VDU 202 itself if it is a touch screen display, and data inputting/outputting means such as the wired network connection to the communication network 104, a magnetic data-carrying medium reader/writer 306 and an optical data-carrying medium reader/writer 307. Within data processing unit 301, a central processing unit (CPU) 308 provides task co-ordination and data processing functionality. Instructions and data for the CPU 308 are stored in memory means 309 and a hard disk storage unit 310 facilitates non-volatile storage of the instructions and the data. A wireless network interface card (NIC) 311 provides the interface to the network connection 108. A universal serial bus (USB) input/output interface 312 facilitates connection to the keyboard and pointing devices 303, 304.
All of the above devices are connected to a data input/output bus 313, to which the magnetic data-carrying medium reader/writer 306 and optical data-carrying medium reader/writer 307 are also connected. A video adapter 314 receives CPU instructions over the bus 313 for outputting processed data to VDU 302. All the components of data processing unit 301 are powered by a power supply unit 315, which receives electrical power from a local mains power source and transforms same according to component ratings and requirements. A core aspect of the invention is the use of Unstructured Supplementary Service Data (USSD) for generating and communicating codes to support authentication of electronic transactions. Unstructured Supplementary Service Data (USSD) is a standard developed for transmitting information over Global System for Mobile communications (GSM) signalling channels, but has since been implemented in many networks 106, 107, 108 such as Time division multiple access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and Public Switched Telephone Network (PSTN) or other networks.
In GSM networks, USSD interfaces with the Mobile Switching Centre (MSC) over SS7 and uses Mobile Application Part (MAP) to receive and send USSD data from the Home Location Register (HLR).
USSD functionality can be implemented in two modes: Pull Mode, for processing handle Mobile Initiated USSD Requests, wherein the USSD service is triggered by the user entering a set of USSD strings; and Push Mode, for processing network - initiated USSD Requests, wherein the USSD service is triggered by the network which pushes information to the user's handset. USSD messages are simple to create and easy to send. A user can enter an USSD string directly in a mobile handset and press a 'call' button to send the message. AN USSD message can be up to 182 alphanumeric characters in length. The format of an USSD message is defined by the following sequence of functions, having the following respective syntaxes:
• Activation *SC*SI#
• Deactivation #SC*SI#
• Interrogation *#SC*SI#
• Registration *SC*SI# and **SC*SI#
• Erasure ##SC*SI#
The codification in the above syntaxes is as follows:
• SC The Service Code is a 2 or 3 digits code, which uniquely specifies
the Supplementary Service.
• SI The Supplementary Information is a variable length code.
• Pagination AN USSD string always starts with *, #, **, ## or *#, each part
within an USSD string is separated by *, and the USSD string is finished by #.
It is known to use USSD for querying the available balance and other similar information in prepaid mobile phone services. The function that is triggered when sending an USSD string is both network-dependent and operator-dependent, in that it depends on the specific services which the mobile telephony operator makes available. USSD is a capability of most mobile phones. It is generally associated with real-time or instant messaging-type phone services. USSD is session - oriented, unlike SMS which is a store-and-forward, transaction-oriented technology. Turnaround response times for interactive applications are shorter for USSD than SMS because of the session-based characteristic of USSD, and because it is not a store-and-forward service. Users do not need to access any particular phone menu to access services with USSD, as USSD commands are entered directly from the initial user interface of the mobile phone.
USSD is normally used as a 'trigger' to invoke independent calling services that do not require the overhead and additional usage costs of an SMSC, such as a call-back service (e.g. cheaper phone charges while roaming), or interactive data service (e.g. stock quotes, sports results). In operation, USSD is used to send text between the user and an application. USSD should be thought of as a trigger, rather than an application itself. In operation, it is not possible to bill for USSD directly, but instead bill for the application associated with the use of USSD such as circuit switch data, SMS, or pre-paid.
USSD messages from handsets are always routed to the home network. This means that if the user is roaming in another network, dialling an USSD string on the phone will always route to the application on the user's home network. If a particular USSD service needs to be accessed in the user's home network, then the user will also be able to access it from another country. Conversely, roaming subscribers from other networks cannot access USSD services on a host network, so this also increases the security.
USSD works on all existing GSM mobile phones. Both SIM Application Toolkit and the Wireless Application Protocol support USSD.
Some of the main advantages of USSD are:
• USSD uses the signalling network and not the radio network, so USSD will also work well in areas with low or inexistent radio coverage (low signalling strength), unlike SMS and MMS services.
• There are no issues with roaming, as USSD signals will always be routed to the home network.
• The authentication codes are transferred securely over an encrypted signalling network and the chance of compromising information is low.
· There is no latency in the USSD request and response, unlike SMS and MMS. • Users do not need to access any particular phone menu to access services with USSD. The USSD command can be entered directly in the initial mobile phone user interface.
The Authentication Code is requested by and supplied to a cardholder terminal mobile handset 101A using Unstructured Supplementary Service Data (USSD), or to any other USSD - enabled terminal 101. USSD is supported by most mobile handsets and uses the existing mobile telephony signalling network infrastructure 106, 107, 108, which is encrypted, to deliver the Authentication Codes. It will be appreciated that USSD is more secure than SMS, because the originator identifying data in USSD is obtained from the Home Location Register (HLR)/Visiting Location Register (VLR) rather than from the device. A problem with SMS messaging is that the message may be ghosted or fraudulently manipulated, in a way which USSD cannot.
The invention provides an USSD Proxy System, and a method in a data processing network, such as shown in Figures 1 to 3, for issuing cardholders with an Authentication Code to authorize a specific electronic transaction. The Authentication Code generated and provided by the system of the invention may be used to gain access to a physical system, to a physical and access - controlled location, to a distributed service such as an electronic transaction or information processing system and may also, or alternatively, be used to confirm a condition associated with the above electronic authentication - dependent services.
The USSD Proxy System of the invention can be implemented as a service hosted at the distinct server 103, which can be used respective several web servers 102A of several, unrelated Financial Institution Systems 102. This embodiment usefully removes the additional data processing overhead at each Financial Institution web server 102A, which a Financial Institution - specific implementation would require. Advantageously, it also provides cardholders of several Financial Institutions with a common user interface.
Generating the Authentication Code requires the generating of an USSD Access Code using a specific algorithm, which processes a key (org_keyl) that is unique to each Financial Institution System 102. The generated USSD Access Code is then unique to each combination of Financial Institution System 102 and cardholder terminal 101. A routing algorithm is applied to the USSD Access Code, which outputs the same unique key (org_keyl) originally used to generate the USSD Access Code in the first place. The unique key output by the routing algorithm is then used to identify the correct Financial Institution System 102 and the request for an Authentication Code will be routed to the web server 102A of the identified Financial Institution System 102.
With reference to Figure 4 now, there follows a description of a method according to the invention and implemented in the distributed data processing system of Figure 1 for processing, communicating and authenticating access and authentication codes.
At step 401, a user communicates an access request from their terminal 101 to a remote organisation system 102, wherein the access request includes at least a terminal network address, for instance a phone number or MSISDN of a mobile telephone handset 101.
At step 402, the access request is forwarded by the organisation system 102 to an Access Code Handler for generating and obtaining an USSD Access Code linked to the organisation system 102 and the user terminal 101. At step 403, the Access Code Handler processes an USSD Access Code Algorithm for generating the USSD Access Code, which is unique to the terminal network address and the organisation, based on both a secure key linked to both the organisation, for instance an organization ID, and the registered network address of the user terminal 101. The Access Code Handler adds a Service Code to the generated USSD Access Code and communicates both to the organisation system 102.
At step 404, the organisation system 102 outputs an information string containing the USSD Access Code and the Service Code received from the Access Code Handler and forwards it to the user terminal 101. At step 405, the user inputs the information string received from the organisation system 102 as an USSD Service Request on the registered terminal 101, and sends it over the network to which the terminal 101 is connected, i.e. a mobile telephony network. At step 406, the mobile telephony network routes the USSD Service Request to an USSD Gateway, which analyzes the Service Code in the Request to identify the Access Code Handler to which to route the Service Request.
At step 407, The Access Code Handler applies a routing algorithm to the USSD Access Code received in the Service Request to identify the correct organisation system 102. The secure key originally used to generate the USSD Access Code identifies the correct organisation system 102. At step 408, the Access Code Handler processes the USSD Access Code to extract the terminal network address, which it authenticates. A question is subsequently asked at step 409, as to the output of the authentication. If the authentication fails, the Access Code Handler generates an error message and communicates it to the user at step 410. If the authentication is valid, then at step 411 the Access Code Handler generates a one-off Authentication Code for the user, which it communicates as an USSD Service Request Response to the USSD Gateway in the mobile telephony network.
At step 412, the USSD Gateway routes the USSD Service Request Response back to the correct user terminal 101 and the user inputs the Authentication Code at the terminal 101 and communicates it to the remote organisation system 102 at step 413. At step 414, the remote organisation system 102 queries the Access Code Handler for verifying the validity of the received Authentication Code. If the authentication fails, the Access Code Handler generates an error message and communicates it to the remote organisation system 102 at step 415. If the authentication is valid, then at step 416 the Access Code Handler confirms the validity of the Authentication Code to the organisation system 102 and the user gains access, via the terminal 101, to the resources of the remote organisation system 102. With reference to Figure 5 now, there follows a description of a first embodiment of the USSD Proxy System according to the invention in the network of Figure 1 and the data processing devices described in relation to Figures 2 and 3. The embodiment is described in relation to the method of processing, communicating and using an USSD Access Code and an Authentication Code according to the invention within the system, of Figure 4. For ease of comprehension, the operation of the first embodiment is described in sequential steps that are numbered alike in the following description and in Figure 5, and shown in Figure 5 with respective arrows representing data flow across the system. Figure 5 describes an account holder in a financial institution accessing an online banking service 102. The USSD Proxy System 103 is used to gain access to the banking service 102. The account holder preferably has the use of a personal computer 101B and an USSD - enabled mobile terminal 101A, and is provided with a PIN code by the USSD Proxy System 103. The account holder accesses the website of the Financial Institution using normal access credentials. The Financial Institution web server 102A in turn requests the USSD Proxy System 103 to generate a one - off USSD Access Code that is linked to the financial institution and the account holder mobile terminal 101. The USSD Access Code is valid for a configurable amount time. AN USSD String is generated and sent back to the account holder via the Financial Institution web server 102A.
The account holder is asked to send an USSD Service Request from the mobile terminal 101A registered in the USSD Proxy System 103 to request an Authentication Code. The Authentication Code is used to gain access or authorising the required activity. The USSD Gateway 107 in the mobile phone network of the mobile telephony service operator receives the USSD Service Request and forwards the request to the USSD Proxy System. The USSD Proxy System identifies the correct Financial Institution in a Routing Server based on the USSD Access Code received in the USSD Request and applying a unique algorithm to identify the correct Financial Institution. The USSD Service Request is then forwarded to the correct Financial Institution System 102. The USSD Proxy System generates an Authentication Code and communicated it to the account holder. The account holder can then use the Authentication Code received on the mobile terminal 101A over USSD to authorise the required service.
At step 1, an account holder or cardholder conventionally accesses a Financial Institution system 102 with a personal computer 101B, and requests to log in using credentials that are outside the scope of the present system. At the next step 2, the login request is routed to the Financial Institution web server 102A, and contains the account holder account number within the Financial Institution financial server 102B. At step 3, the Financial Institution web server 102A forwards the access request to an Access Code Handler module 501 processed by the USSD Proxy System server 103, for obtaining an USSD Access Code that is linked to both the Financial Institution system 102 and the account holder mobile terminal 101 A. At step 4, the Access Code Handler 501 requests an USSD Access Code Algorithm module 502 processed by the USSD Proxy System server 103 to generate an USSD Access Code, based on a secure key linked to the Financial Institution (representative of an organisation ID) and the registered phone number of the account holder mobile terminal 101A. At step 5, the USSD Access Code Algorithm module 502 requests the registered phone number of the account holder mobile terminal 101 A and the secure key from a database or data storage 503, optionally also querying the Financial Institution web server 102A for the organisation ID.
At step 6, the USSD Access Code Algorithm module 502 retrieves the registered phone number of the account holder mobile terminal 101A, for instance the MSISDN, and the secure key based on the organisation ID identified in the database or sent in from the Financial Institution web server 102A.
At step 7, the USSD Access Code Algorithm module 502 generates the USSD Access Code, which is unique to the account holder phone number and the Financial Institution system 102, and forwards it to the Access Code Handler 501. At step 8, the Access Code Handler 501 processes the USSD Access Code to add a Service Code therein, then forwards it to the Financial Institution web server 102A for communication to the account holder personal computer 10 IB.
At step 9, the Financial Institution web server 102A creates an information string containing the USSD Access Code and the Service Code, then communicates the information string to the account holder personal computer 10 IB. At step 10, the information string is output to the VDU 302 of the account holder personal computer 10 IB, as the following example instructions:
"To receive the Authentication Code, please enter:
'*<Service Code> *<USSD Access Code> *<PIN Code>#'
on your phone and press send".
In the above string,
• the Service Code is a value, for instance "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service and is linked to the USSD Proxy System);
• the USSD Access Code is the actual value, for instance "776688", generated at step 7; and
• the PIN Code is a code provisioned in the USSD Proxy System and is linked to the phone number of the account holder mobile terminal 101A, for instance "5555".
At step 11, the account holder inputs the USSD Service Request received at step 10 ( '*123*776688*5555#') in the standard user interface of the mobile terminal 101A and presses a send command or button. At step 12, the USSD Service Request is routed over the network 106, 107, 108 of the operator for the mobile terminal 101A network, particularly over the MSC/HLR 108 which, at step 13, routes the USSD Service Request to the USSD Gateway 107. At step 14, the USSD Gateway 107 processes the Service Code received in the USSD Service Request for identifying the correct application to which the Service Request should be routed to. The Service Request is eventually routed to the USSD Proxy System 103, more specifically to a Routing Server module 504 thereof. At step 15, the Routing Server module 504 applies a Routing Algorithm to the USSD Access Code received in the Service Request, for identifying the correct Financial Institution System 102. The secure key used to generate the USSD Access Code in step 7 identifies the correct Financial Institution. The Routing Server module 504 eventually routes the Service Request to the Access Code Handler 501.
At step 16, the Access Code Handler module 501 parses and strips the PIN Code and the USSD Access Code from the Service Request, then queries the database or data storage 503 for the PIN Code and Phone Number issued to the account holder. At step 17, the Access Code Handler module 501 retrieves the PIN Code and Phone Number issued to the account holder from the database or data storage 503.
At step 18, the Access Code Handler module 501 authenticates the PIN Code and Phone Number issued to the account holder, as well as the USSD Access Code generated in step 7. The Access Code Handler module 501 has access to all generated USSD Access Codes and their validity period. If the authentication is valid and the credentials match, the Access Code Handler module 501 generates a one - off Authentication Code for the account holder, for instance "987654". If the credentials do not match, an error message is generated and communicated to the account holder. For the purposes of not obscuring the present description unnecessarily, it assumed that the credentials match and an Authentication Code is generated. At step 19, the Routing Server module 504 routes the USSD Service Request Response, thus the Authentication Code back to the USSD Gateway 107 in the network 106, 107, 108.
At step 20, the USSD Gateway 107 routes the USSD Service Request Response, thus the Authentication Code back to the correct MSC/HLR 108.
At step 21, the MSC/HLR 108 identifies the account holder mobile terminal 101A and sends the USSD Service Request Response, thus the Authentication Code to the account holder mobile terminal 101 A.
At step 22, the Authentication Code is output to the display 209 of the account holder USSD - enabled handset 101A.
At step 23, within the validity period of the Authentication Code, the account holder inputs the Authentication Code in a relevant interface of the Financial Institution web page on the personal computer 10 IB.
At step 24, the input Authentication Code is forwarded to the Financial Institution web server 102.
At step 25, the Financial Institution web server 102A queries the Access Code Handler module 501 to verify the validity of the Authentication Code for the account holder.
At step 26, the Access Code Handler module 501 replies to the Financial Institution web server 102A with either an 'Authentication Code OK' message or an 'Authentication Code Not OK' message. If the validity period of the Authentication Code has expired, the Access Code Handler module 501 still replies with an 'Authentication Code Not OK' message.
At step 27, if the Authentication Code is valid, the account holder gains access to the required system, in the example the banking data and interface. Access is denied, however, if the Authentication Code is not valid. When access is gained then, at step 28, the Financial Institution web server 102A communicates a reply about the access request to the account holder computer terminal 101B and, at step 29, the account holder is informed about the Authentication.
With reference to Figure 6 now, there follows a description of the USSD Proxy System according to the invention in the network of Figure 1 and the data processing devices described in relation to Figures 2 and 3, pursuant to the method of Figure 4 and how it can be implemented in a number of different ways. The embodiments is described in relation to both the method of processing, communicating and using an USSD Access Code and an Authentication Code according to the invention within the system of Figure 4, and the first embodiment shown in and described in relation to Figure 5 since the data processing sequence and data flow of the second embodiment is substantially similar to that of the first embodiment. This embodiment differs from the first embodiment above, in that the Access Code Handler module 501 of the invention is hosted by, i.e. processed at, the Financial Institution System 102, shown as 601 in Figure 6. This configuration permits identification of the Financial Institution by its respective Service Code and, advantageously, removes the need for the Financial Institution to integrate its system 102 with the respective system of each mobile telephone network operator for providing the USSD functionality of the invention.
In this embodiment, the USSD Proxy System 103 allows a Financial Institution System 102 to trigger USSD Services based on the USSD Service Code (SC), and each Financial Institution and account holder using the service is accordingly provisioned in the USSD Proxy System 102: each account holder is provided with a Phone Number, USSD Access Code (of variable and configurable length) and an Organisation ID (used to identifying the financial institution) in the USSD Proxy System. This solution however requires that the USSD Service Code is provisioned on all mobile telephone network operators' USSD Gateways 104, in order to recognize the Service Code and route the USSD Service Request to the correct Financial Institution System 102 and data processing service thereof. Thus, in the embodiment of Figure 6, USSD Access Codes are generated for each account holder and are mapped to the phone number of the account holder mobile handset 101 A by the Financial Institution System 102 at step 8, rather than by the USSD Proxy System server 103. Accordingly, when an account holder is making an online purchase or logging in to a secure service or webpage offered by the Financial Institution System 102, the information string output to the VDU 302 of the account holder personal computer 101B, is as the following example:
"To receive the Authentication Code, please enter:
'*<Service Code> *< USSD Access Code>#'
on your phone and press send".
In the above string,
• the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify both the correct Financial Institution and the correct USSD Service; and
• the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder. In a minor variant of this embodiment, the same USSD Access Code may also be assigned to another account holder, since the combination of the USSD Access Code and mobile handset phone number is unique.
The respective USSD Gateways 107 of the phone operators route the USSD Request to the correct Financial Institution System 102. The Access Code Handler module 601 in the Financial Institution System 102 checks the USSD Access Code and phone number and matches the values received in the USSD Service Request to the values stored for the account holder. This check can be done by additional software delivered as part of the integration to the financial institution, or it can be done by the financial institution's own software. The Access Code Handler module 601 in the Financial Institution System 102 generates a one- off Authentication Code and returns it to the account holder over the USSD Proxy System and the mobile telephony network of the phone operator. To increase security, the generated Authentication Code is only valid for a configurable, limited time. The account holder enters the received Authentication Code in the mobile handset interface as previously described, and the Access Code Handler module 501 at the Financial Institution System 102 eventually verifies the validity of the Authentication Code by matching it to the Authentication Code that was generated and sent to the account holder via the USSD Proxy System. Several further embodiment of the USSD Proxy System according to the invention are described hereafter in the network of Figure 1 and the data processing devices described in relation to Figures 2 and 3, pursuant to the method of Figure 4.
In an alternative embodiment of the system shown in Figure 6, wherein the Access Code Handler module 601 is hosted by the Financial Institution System 102, the Financial Institution is identified by both the account holder phone number and the USSD Access Code.
USSD Access Codes are generated for each account holder by the Financial Institution System 102 and are mapped to the phone number of the account holder mobile handset 101A. The Financial Institution provides the account holder with the USSD Access code. As before, when an account holder is making an online purchase or logging in to a secure service or webpage offered by the Financial Institution System 102, the information string output to the VDU 302 of the account holder personal computer 101B, is as the following example:
"Please enter:
'*<Service Code> *< USSD Access Code>#'
on your phone and press send".
In the above string, • the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service; and
• the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder.
In a minor variant of this embodiment, the same USSD Access Code may also be assigned to another account holder, since the combination of the USSD Access Code and mobile handset phone number is unique.
The USSD Access Code and phone number (e.g. MSISDN) identify the correct Financial Institution System 102 based on the Organization ID provisioned in the USSD Proxy System. The USSD Proxy System forwards the phone number and USSD Access Code to the Financial Institution System 102. The Financial Institution System 102 checks if the USSD Access Code and phone number received in the USSD Service Request matches the values stored for the account holder. This check can be done by additional software delivered as part of the integration to the Financial Institution, or it can be done by the Financial Institution's own software.
A positive check prompts the Financial Institution System 102 to generate a one-off Authentication Code, which is communicated to the USSD Proxy System together with the phone number and USSD Access Code. To increase security, the generated Authentication Code is only valid for a configurable, limited time. The USSD Proxy System forwards the one-off Authentication Code over the network of the mobile telephony operator to the account holder mobile handset 101A, at which it is displayed.
The account holder inputs the received Authentication Code and the Financial Institution System 102 eventually checks and verifies that this Authentication Code matches the authentication code that was generated and sent to the account holder via the USSD Proxy System. In a second alternative embodiment of the system shown in Figure 6, wherein the Access Code Handler module 601 is hosted by the Financial Institution System 102, the Financial Institution is identified by its Organisation ID. In this embodiment, no account holder provisioning is required in the USSD Proxy System. The only additional data is provisioned in the USSD Proxy System is an additional Organization ID, used to identify the correct Financial Institution from incoming USSD Service Requests.
USSD Access Codes are generated for each account holder by the Financial Institution System 102 and are mapped to the phone number of the account holder mobile handset 101A. The Financial Institution provides the account holder with the USSD Access code and, in this embodiment, a Financial Institution - specific Organisation ID to be used by the account holder when entering the USSD String on an USSD enabled handset 101A. When an account holder is making an online purchase or logging in to a secure service or webpage offered by the Financial Institution System 102, the information string output to the VDU 302 of the account holder personal computer 101B, is as the following example:
"Please enter:
'*<Service Code> *<USSD Access Code> *<Organisation ID>#'
on your phone and press send".
In the above string,
• the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service;
• the USSD Access Code is a value, for instance "776688", generated at step 7, and is specific to the account holder; and
• the Organisation ID is a value, for instance "5566", which uniquely identifies the Financial Institution to which to forward the request.
The USSD Proxy System forwards the Phone Number and USSD Access Code to the Financial Institution System, at which they are checked against the values stored for the account holder. In this embodiment, a positive check again prompts the Financial Institution System 102 to generate a one-off Authentication Code, however it is communicated to the USSD Proxy System together with the phone number only. The account holder inputs the received Authentication Code as before, and the Financial Institution checks and verifies that this Authentication Code matches the Authentication Code that was recently generated and sent to the account holder via the USSD Proxy Solution.
This embodiment advantageously removes the need to provision the USSD Proxy System with an Organisation ID, and allows an account holder to use the service for several Financial Institutions using the same phone number.
In a third alternative embodiment of the system shown in Figure 6, wherein the Access Code Handler module 601 is hosted by the Financial Institution System 102, the Financial Institution is identified by a unique PIN generation algorithm.
The principle of this embodiment is to use an algorithm for generating USSD Access Codes, which are apt to identify the organisation for which it has been generated.
The unique PIN generation algorithm generates USSD Access Codes of configurable lengths, which are specific to a Financial Institution. The USSD Access Codes are generated using a key that is unique to the Financial Organisation, in such a way that the output can be reverse - processed by applying the algorithm again for extracting the key and thus identify the correct Financial Institution. As the algorithm uses the key that is unique to the particular Financial Institution for input, the USSD Access Code generated is unique to that particular organisation.
The PIN Code application may be implemented as either a standalone application that can be processed by the Financial Institution servers 102A, 102B, or as a web interface hosted at a remote server, for example the USS Proxy Solution server 103, which the Financial Institution System 102 can access when generating USSD Access Codes for the USSD users. In this embodiment, the Financial Institution issues the generated USSD Access Codes, of a length which is both configurable and algorithm - dependent, to an account holder as before. When the account holder is making an online purchase or logging in to a secure service or webpage offered by the Financial Institution System 102, the information string output to the VDU 302 of the account holder personal computer 101B, is as the following example:
"Please enter:
'*<Service Code> *< USSD Access Code>#'
on your phone and press send".
In the above string,
• the Service Code is a value, for instance again "123", representing the Service Code used in the phone network 106, 107, 108 to identify the correct USSD Service;
• the USSD Access Code is a value, for instance "776688" and is specific to the account holder.
The USSD Service Request is forwarded to the USSD Proxy System by the mobile telephony network based on the Service Code. The USSD Proxy System applies a reverse algorithm to the received USSD Access Code. The output identifies the Financial Institution, based on the extracted key which was used to generate the USSD Access Code in the first place. The USSD Proxy System then forwards the USSD Access Code and the phone number to the correct Financial Institution, as before.
The purpose of the unique PIN generation algorithm is to simplify the user experience for the account holder. The unique PIN generation algorithm eliminates the requirement to allocate specific Service Codes for each Financial Institution System 102 and prevents the inputting of fraudulent or incorrect Organisation ID data in the USSD Service Request by the mobile handset user. Advantageously, this embodiment also removes the requirement to provision for the account holder in the USSD Proxy System and a same Service Code, with the PIC algorithm, can be used for multiple Financial Institution Systems 102. In a first alternative embodiment of the system shown in Figure 5, wherein the Access Code Handler module 501 is hosted by the USSD Proxy System server 103 or, alternatively, in a fourth alternative embodiment of the system shown in Figure 6, wherein the Access Code Handler module 601 is hosted by the Financial Institution System 102, the Financial Institution is identified by the USSD Proxy Access Code Handler 501, 601.
In this embodiment, an account holder accesses the Financial Institution's website server 102A by inputting conventional credentials. The Financial Institution website server 102A queries the Access Code Handler 501, 601 to obtain an USSD Access Code that is linked to the phone number of the account holder mobile handset 101. AN USSD Access Code is generated using a specific algorithm, which processes a key that is unique to each Financial Institution, thus which can be used to generate USSD Access Codes for multiple Financial Institutions according to their respective keys. The generated USSD Access Codes are therefore unique to each particular organisation, and their length is again configurable and depends on both the algorithm and the input variables used. The Financial Institution website server 102Acommunicates the following USSD string to the account holder computer terminal 10 IB, which that the account holder must input in an USSD enabled handset 101A registered to the account holder, for gaining access to the secure website:
"Please enter:
'*<Service Code> *< USSD Access CodexPIN Code>#'
on your phone and press send"
Alternatively, the following USSD string is sent:
"Please enter:
'*<Service Code> *< USSD Access Code> *<PIN Code>#'
on your phone and press send".
When received in the USSD Service Request, the USSD Access Code is used to determine which Financial Institution the Service Request should be routed to. The account holder inputs the USSD string into the USSD enabled handset 101A, which the phone network routes as an USSD Service Request to the Routing Server module 504 of the USSD Proxy System 103. The Routing Server module 504 applies the routing algorithm to the USSD Access Code received in the USSD Service Request for identifying the Financial Institution for which the USSD Access Code was generated, wherein the Financial Institution is identified based on the routing Algorithm's resulting key.
The Routing Server module 504 then forwards the USSD Service Request to the Access Code Handler 501, 601, which accepts the Request and strips away the PIN Code and USSD Access Code. The Access Code Handler 501, 601 then authenticates the PIN Code against the phone number provisioned and authenticates the USSD Access Code against the USSD Access Code recently generated for the phone number. Subject to the authentication output, the Access Code Handler 501, 601 then generates an Authentication Code that subsequently communicated returned to the account holder over USSD as a response to the original USSD Service Request, as before. The above embodiments may be used to provide cardholders with transaction - respective authentication codes, for instance to authorise an online purchase or any other electronic transaction that requires additional authentication or authorisation from the cardholder.
Alternatively, or additionally, the above embodiments may be used to provide customers and/or account holders of a Financial Institution with system - respective authentication codes for logging into secure online Internet sites and pages.
Alternatively, or additionally, the above embodiments may be used to provide employees, users and the like with system and/or location - specific authentication codes, used for logging into computer systems, for accessing secure facilities and for any other similar password or code - dependent security check.
The embodiments in the invention described with reference to the drawings comprise a computer apparatus and/or processes performed in a computer apparatus. However, the invention also extends to computer programs, particularly computer programs stored on or in a carrier adapted to bring the invention into practice. The program may be in the form of source code, object code, or a code intermediate source and object code, such as in partially compiled form or in any other form suitable for use in the implementation of the method according to the invention. The carrier may comprise a storage medium such as ROM, e.g. CD ROM, or magnetic recording medium, e.g. a floppy disk or hard disk. The carrier may be an electrical or optical signal which may be transmitted via an electrical or an optical cable or by radio or other means.
The invention is not limited to the embodiments hereinbefore described but may be varied in both construction and detail.

Claims

Claims
1. A method of generating and communicating an Authentication Code in a network, comprising the steps of
sending an access request from a user terminal (101A, 101B) to a first remote system
(102), wherein the access request includes at least a network address of the user terminal (101B), generating an USSD Access Code using at least the network address in response to receiving the access request at a second remote system (103), and sending the USSD Access Code to an USSD - enabled user terminal (10 IB),
sending an USSD Service Request including the generated USSD Access Code with the
USSD - enabled user terminal (101B),
authenticating the USSD Access Code in the USSD Service Request at the second remote system (103),
generating and sending an Authentication Code to the USSD - enabled terminal (101B) at the second remote system (103) in reply to a positive authentication, and
sending the Authentication Code to the first remote system (102) with the USSD - enabled terminal (10 IB).
2. The method of claim 1, wherein the step of generating an USSD Access Code uses the network address and data uniquely identifying the first remote system (102).
3. The method according to claim 1 or 2, wherein the step of sending the USSD Access Code to the USSD - enabled terminal (101B) comprises the further step of adding a Service Code to the generated USSD Access Code.
4. The method according to any of claims 1 to 3, wherein the step of sending the USSD Access Code to the USSD - enabled terminal (101B) comprises the further step of encoding at least the USSD Access Code in an information string.
5. The method according to claim 4, wherein the step of sending the USSD Service Request further comprises inputting the information string at the USSD - enabled terminal (101B).
6. The method according to claim 3, or any of claims 4 and 5 when depending on claim 3, wherein the step of sending the USSD Service Request further comprises routing the USSD Service Request via an USSD Gateway, which analyzes the Service Code in the Request to identify the destination for the Service Request.
7. The method according to any of claims 1 to 6, wherein the step of authenticating the USSD Access Code in the USSD Service Request further comprises applying a routing algorithm to the USSD Access Code received in the USSD Service Request to identify the first remote system.
8. The method according to any of claims 1 to 7, wherein the step of authenticating the USSD Access Code in the USSD Service Request further comprises the steps of extracting and authenticating the network address of the USSD - enabled user terminal.
9. The method according to any of claims 1 to 8, wherein the step of generating the Authentication Code further comprises configuring a validity period for the USSD Authentication Code.
10. The method according to any of claims 1 to 9, wherein the step of sending the Authentication Code further comprises communicating the Authentication Code as an USSD Service Request Response.
11. The method according to according to any of claims 1 to 10, comprising the further step of authenticating the Authentication Code at the second remote system (103).
12. The method according to claim 11, comprising the further step of granting the user terminal (101A, 101B) access to data stored at the first remote system (102) over the network in reply to a positive authentication or adapted to deny the user terminal (101A, 101B) network access to data stored therein, in reply to a negative authentication.
13. The method according to claim 11, comprising the further step of processing an electronic transaction at the first remote system (102) in reply to a positive or negative authentication.
14. The method according to claim 11, comprising the further step of granting the user of user terminal (101A, 101B) access to a location having entry securing means controlled by the first remote system (102) in reply to a positive authentication.
15. The method according to any of claims 1 to 14, wherein the steps of sending the USSD Access Code, the USSD Service Request and the Authentication Code are performed across a signalling channel network.
16. The method according to claim 15, wherein the signalling channel network is encrypted.
17. The method according to claim 15 or 16, wherein the signalling channel network is selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA) and Public Switched Telephone Network (PSTN) standards.
18. The method according to any of claims 15 to 17, wherein the user terminal (101B) is a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
19. The method according to any of claims 1 to 18, wherein the first remote system is hosted at a first server (102) and the second remote system (501) is hosted at a second server (103).
20. The method according to any of claims 1 to 18, wherein the first remote system is hosted at a first server and the second remote system is hosted at the first server.
21. A data processing system for generating and communicating an Authentication Code in a network to which at least a user terminal (101A, 101B) is connected, the data processing system comprising
means for sending an access request from the user terminal (101A, 101B) to a first remote server (102), wherein the access request includes at least a network address of the user terminal (101B),
means for generating an USSD Access Code using at least the network address in response to receiving the access request,
means for sending the generated USSD Access Code to an USSD - enabled user terminal (101B),
means for sending an USSD Service Request including the generated USSD Access Code to a second remote server (103) with the USSD - enabled user terminal (101B),
means for authenticating the USSD Access Code in the USSD Service Request, means for generating and sending an Authentication Code to the USSD - enabled terminal (101B) in reply to a positive authentication, and
means for sending the Authentication Code to the first remote system (102) with the USSD - enabled terminal (101B).
22. The system of claim 21, wherein the means for generating an USSD Access Code, the means for authenticating the USSD Access Code and the means for generating and sending an
Authentication Code is an Access Code Handler module processed by the first or second server (102, 103).
23. The system according to claim 22, wherein the Access Code Handler module is adapted to add a Service Code to the generated USSD Access Code.
24. The system according to any of claims 21 to 23, wherein the means for sending the generated USSD Access Code to an USSD - enabled user terminal (101B) is embodied at the first remote server (102) and is further adapted to encode at least the USSD Access Code in an information string.
25. The system according to claim 24, wherein the syntax of the information string is an USSD Service Request.
26. The system according to claim 23, or any of claims 24 and 25 when depending on claim 23, wherein the network further comprises an USSD Gateway adapted to analyze the Service
Code in the USSD Service Request for identifying the Request destination and routing the Request thereto.
27. The system according to any of claims 21 to 26, wherein the means for authenticating the USSD Access Code in the USSD Service Request further comprises a routing algorithm, which is adapted to identify the first remote system (102) from the USSD Access Code.
28. The system according to any of claims 21 to 27, wherein the means for authenticating the USSD Access Code in the USSD Service Request further comprises means for extracting and authenticating the network address of the USSD - enabled user terminal (101B).
29. The system according to any of claims 21 to 28, wherein the Authentication Code is configured with a validity period.
30. The system according to any of claims 21 to 29, wherein the means for sending the Authentication Code are further adapted to communicate the Authentication Code as an USSD Service Request Response.
31. The system according to according to any of claims 21 to 30, further comprising means to authenticate the Authentication Code.
32. The system according to claim 31, wherein the first remote system (102) is adapted to grant the user terminal (101A, 101B) network access to data stored therein, in reply to a positive authentication or adapted to deny the user terminal (101A, 101B) network access to data stored therein, in reply to a negative authentication.
33. The system according to claim 31, wherein the first remote system (102) is adapted to process an electronic transaction, in reply to a positive or negative authentication.
34. The system according to claim 31, wherein the first remote system (102) is adapted to grant the user of user terminal (101A, 101B) access to a location having entry securing means controlled by the first remote system (102), in reply to a positive authentication.
35. The system according to any of claims 21 to 34, wherein at least a portion of the network includes a signalling channel network.
36. The system according to claim 35, wherein the signalling channel network is encrypted.
37. The system according to claim 35 or 36, wherein the signalling channel network is selected from the group comprising Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), Orthogonal Frequency Division Multiple Access (OFDMA) and Public Switched Telephone Network (PSTN) standards.
38. The system according to any of claims 35 to 37, wherein the user terminal (101B) is a mobile telephone handset and the terminal network address is a phone number or MSISDN thereof.
39. A distributed data processing system substantially as described herein, in association with and as shown in the accompanying drawings.
40. A method of generating and communicating an Authentication Code in a network, substantially as described herein, in association with and as shown in the accompanying drawings.
PCT/EP2011/066598 2010-09-30 2011-09-23 Fraud prevention system and method using unstructured supplementary service data (ussd) WO2012041781A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IES2010/0631 2010-09-30
IE20100631 2010-09-30

Publications (1)

Publication Number Publication Date
WO2012041781A1 true WO2012041781A1 (en) 2012-04-05

Family

ID=44862946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/066598 WO2012041781A1 (en) 2010-09-30 2011-09-23 Fraud prevention system and method using unstructured supplementary service data (ussd)

Country Status (1)

Country Link
WO (1) WO2012041781A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103906019A (en) * 2012-12-26 2014-07-02 中兴通讯股份有限公司 Historical menu function realization method based on USSD and server
FR3007921A1 (en) * 2013-06-28 2015-01-02 France Telecom METHOD FOR VALIDATING A TRANSACTION
CN110166957A (en) * 2019-04-15 2019-08-23 中国平安人寿保险股份有限公司 Data deposit card method, apparatus, computer equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1065634A1 (en) * 1999-07-02 2001-01-03 Mic Systems System and method for performing secure electronic transactions over an open communication network
US6259909B1 (en) * 1997-05-28 2001-07-10 Telefonaktiebolaget Lm Ericsson (Publ) Method for securing access to a remote system
US20030050898A1 (en) * 2000-08-18 2003-03-13 Joerg Oppat Method and arrangement for the transmission of an electronic sum of money from a credit reserve
WO2006106405A1 (en) * 2005-04-05 2006-10-12 The Standard Bank Of South Africa Limited A method of authenticating a user of a network terminal device and a system therefor
WO2007026212A1 (en) * 2005-08-29 2007-03-08 Firstrand Bank Limited Off-line vending system
US20070130085A1 (en) * 2005-12-07 2007-06-07 Xi Zhu Method and apparatus of secure authentication and electronic payment through mobile communication tool
WO2008007162A1 (en) * 2006-07-11 2008-01-17 Ultra Proizvodnja Elektronskih Naprav D.O.O Customer identification and authentication procedure for online internet payments using mobile phones
WO2008047330A2 (en) * 2006-10-19 2008-04-24 Firstrand Bank Limited Financial transaction system and method
EP1919156A1 (en) * 2006-11-06 2008-05-07 Axalto SA Optimized EAP-SIM authentication
US20090106138A1 (en) * 2007-10-22 2009-04-23 Smith Steven E Transaction authentication over independent network
WO2010001423A1 (en) * 2008-07-04 2010-01-07 Ooros S.R.L. Method and system for managing financial transactions

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6259909B1 (en) * 1997-05-28 2001-07-10 Telefonaktiebolaget Lm Ericsson (Publ) Method for securing access to a remote system
EP1065634A1 (en) * 1999-07-02 2001-01-03 Mic Systems System and method for performing secure electronic transactions over an open communication network
US20030050898A1 (en) * 2000-08-18 2003-03-13 Joerg Oppat Method and arrangement for the transmission of an electronic sum of money from a credit reserve
WO2006106405A1 (en) * 2005-04-05 2006-10-12 The Standard Bank Of South Africa Limited A method of authenticating a user of a network terminal device and a system therefor
WO2007026212A1 (en) * 2005-08-29 2007-03-08 Firstrand Bank Limited Off-line vending system
US20070130085A1 (en) * 2005-12-07 2007-06-07 Xi Zhu Method and apparatus of secure authentication and electronic payment through mobile communication tool
WO2008007162A1 (en) * 2006-07-11 2008-01-17 Ultra Proizvodnja Elektronskih Naprav D.O.O Customer identification and authentication procedure for online internet payments using mobile phones
WO2008047330A2 (en) * 2006-10-19 2008-04-24 Firstrand Bank Limited Financial transaction system and method
EP1919156A1 (en) * 2006-11-06 2008-05-07 Axalto SA Optimized EAP-SIM authentication
US20090106138A1 (en) * 2007-10-22 2009-04-23 Smith Steven E Transaction authentication over independent network
WO2010001423A1 (en) * 2008-07-04 2010-01-07 Ooros S.R.L. Method and system for managing financial transactions

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "USSD Services for Interactive Mobile Users - Building User-Friendly Mobile Telephony Applications Using Dialogic TM Distributed Signaling Interface Components", INTERNET CITATION, 31 August 2008 (2008-08-31), pages 1 - 17, XP002528245, Retrieved from the Internet <URL:http://www.dialogic.com/products/docs/appnotes/11038_USSD_an.pdf> [retrieved on 20080511] *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103906019A (en) * 2012-12-26 2014-07-02 中兴通讯股份有限公司 Historical menu function realization method based on USSD and server
FR3007921A1 (en) * 2013-06-28 2015-01-02 France Telecom METHOD FOR VALIDATING A TRANSACTION
CN110166957A (en) * 2019-04-15 2019-08-23 中国平安人寿保险股份有限公司 Data deposit card method, apparatus, computer equipment and storage medium
CN110166957B (en) * 2019-04-15 2022-04-05 中国平安人寿保险股份有限公司 Data storage method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
EP2082558B1 (en) System and method for authenticating remote server access
KR102646565B1 (en) Processing electronic tokens
EP2826004B1 (en) Mobile phone takeover protection system and method
CN108476223B (en) Method and apparatus for SIM-based authentication of non-SIM devices
US9088565B2 (en) Use of a public key key pair in the terminal for authentication and authorization of the telecommunication user with the network operator and business partners
RU2411670C2 (en) Method to create and verify authenticity of electronic signature
WO2016050990A1 (en) Identity and/or risk management system and method
US7865719B2 (en) Method for establishing the authenticity of the identity of a service user and device for carrying out the method
US11165768B2 (en) Technique for connecting to a service
EP1680940B1 (en) Method of user authentication
US20050086535A1 (en) Method for authenticating a user for the purposes of establishing a connection from a mobile terminal to a WLAN network
WO2012041781A1 (en) Fraud prevention system and method using unstructured supplementary service data (ussd)
KR20130075752A (en) Method for near field transaction by using providing dynamic created code
EP3220335A1 (en) Method, first, second server and system for accessing a service
EP4109945A1 (en) Token, particularly otp, based authentication system and method
KR101072930B1 (en) Method for approving the telephone number change request
EP2958043A1 (en) Method for the recognition of user profiles
KR20200003767A (en) System for Processing a Payment
EP3024194A1 (en) Method for accessing a service and corresponding server, device and system
KR20120005996A (en) Device for processing a payment
KR20100023467A (en) Method for providing user authentication using mobile terminal and system thereof
KR20070077481A (en) Process server for relaying user authentication
KR20060112167A (en) System and method for relaying user authentication, server and recording medium
KR20100103441A (en) Payment device
KR20120029454A (en) Method mapping payment means

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11773213

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11773213

Country of ref document: EP

Kind code of ref document: A1