WO2017033118A1 - Method and system for enhancing security of contactless card - Google Patents


Info

Publication number
WO2017033118A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile device
proximity
contactless
status information
contactless card
Prior art date
Application number
PCT/IB2016/055000
Other languages
French (fr)
Inventor
Manish Kumar Jain
Gaurav Goyal
Original Assignee
Comviva Technologies Limited
Priority date
Filing date
Publication date
Application filed by Comviva Technologies Limited
Publication of WO2017033118A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q20/00 Payment architectures, schemes or protocols
            • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
              • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
                • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
                  • G06Q20/3224 Transactions dependent on location of M-devices
                • G06Q20/327 Short range or proximity payments by means of M-devices
                  • G06Q20/3278 RFID or NFC payments by means of M-devices
              • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
                • G06Q20/352 Contactless payments by cards
                • G06Q20/354 Card activation or deactivation
            • G06Q20/38 Payment protocols; Details thereof
              • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
                • G06Q20/425 Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation

Definitions

  • the invention generally relates to financial transaction authentication. More particularly, the invention relates to enhancing security of contactless card.
  • NFC near field communication
  • an NFC enabled reader device reads information from an NFC enabled card or contactless card to authenticate the contactless card and to enable payment using the contactless card when the contactless card is in near proximity with the NFC enabled device.
  • the contactless cards can be read without a physical contact between the NFC enabled reader device and the contactless card, so sharing of confidential authentication information such as PIN and CVV number is not required during a transaction.
  • the NFC enabled reader device is authenticated prior to reading information from the contactless card.
  • the present invention as embodied and broadly described herein, provides for enhancing security of contactless card.
  • a user creates an account with a server and associates one or more contactless cards issued to the user by one or more issuers.
  • an operable state for each of the one or more contactless cards is set.
  • the operable state can be either locked state or unlocked state. In a locked state, transactions using the contactless card are prevented. In an unlocked state, transactions using the contactless card are allowed.
  • the user sends a request to the server for enabling the one or more associated contactless cards.
  • the server determines an operable state of the contactless card.
  • the server activates a proximity mode of a mobile device associated with the contactless cards when the operable state is determined as locked state. Accordingly, the server switches the operable state to unlocked state and then activates the proximity mode of the mobile device.
  • the mobile device detects proximity with the contactless cards and shares proximity status information periodically with the server.
  • the server obtains proximity status information indicative of proximity of the contactless card with the mobile device. Thereafter, the server authenticates the contactless card when proximity status information indicates the mobile device and contactless card are within a predefined range. On the contrary, the server prevents any transaction using the contactless card when proximity status information indicates the mobile device and contactless card are out of the predefined range. Furthermore, the server blocks the contactless card from subsequent use if the proximity status information indicates the mobile device and contactless card are out of the predefined range for a consecutive number of occurrences.
  • the advantages of the invention include, but are not limited to, enhanced security of the associated contactless cards by detecting proximity of the contactless cards with the mobile device associated with the contactless cards.
  • the user can activate or deactivate detection of the proximity of the contactless cards with associated mobile devices as and when required.
  • lost or stolen contactless card gets automatically blocked from further use when the contactless card is out of the predefined range from the associated mobile device.
  • an easy solution is provided to the user as opposed to blocking or hot-listing the contactless card and destroying the contactless card.
  • an easy solution is provided for safeguarding the contactless cards while travelling and in various other scenarios where proximity status information is not available from the mobile device since the contactless cards are automatically blocked from further use when the contactless card is out of the predefined range from the associated mobile device.
  • Examples of such scenarios include, but are not limited to, (1) when both the mobile device and the contactless card are stolen and the stolen mobile device is switched off subsequently; (2) when the mobile device is not reachable; (3) when the mobile device is unable to share the proximity status information periodically with the server; and (4) when the user leaves the contactless card at home or any other location intentionally or unintentionally.
  • two-step security verification is provided during a transaction. Accordingly, in the first step verification, a current operable state of the contactless card is determined and the transaction is prevented if the current operable state is determined as locked state. However, if the current operable state is determined as unlocked state, second step verification is performed. In second step verification, proximity of the contactless card with the mobile device is detected and the transaction is prevented if the mobile device and contactless card are out of the predefined range. Thus, the transaction is allowed only if the contactless card is in unlocked state and is within the predefined range of proximity with the mobile device. As such, the security of the contactless card is greatly enhanced.
  • Figure 2 illustrates an exemplary server for enhancing security of a contactless card, in accordance with an embodiment of present invention.
  • FIGS. 3a & 3b illustrate exemplary network environment that implements the server to enhance security of a contactless card, in accordance with an embodiment of present invention.
  • FIGS 4, 5a-5c, and 6 schematically illustrate various operations of the server to enhance security of a contactless card, in accordance with an embodiment of present invention. It may be noted that to the extent possible, like reference numerals have been used to represent like elements in the drawings. Further, those of ordinary skill in the art will appreciate that elements in the drawings are illustrated for simplicity and may not have been necessarily drawn to scale. For example, the dimensions of some of the elements in the drawings may be exaggerated relative to other elements to help to improve understanding of aspects of the invention.
  • any terms used herein such as but not limited to “includes,” “comprises,” “has,” “consists,” and grammatical variants thereof do NOT specify an exact limitation or restriction and certainly do NOT exclude the possible addition of one or more features or elements, unless otherwise stated, and furthermore must NOT be taken to exclude the possible removal of one or more of the listed features and elements, unless otherwise stated with the limiting language “MUST comprise” or “NEEDS TO include.”
  • Figures 1a, 1b, and 1c illustrate an exemplary method (100) for enhancing security of contactless cards, in accordance with an embodiment of present invention.
  • the method (100) comprises steps of: receiving (101), in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers; determining (102) an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state; and activating (103) a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects a proximity with the one or more contactless cards during the activated proximity mode.
  • the method (100) further comprises switching (104) the operable state from the locked state to unlocked state.
  • the step of activating (103) the proximity mode comprises transmitting (105) a trigger to a contactless module of the mobile device, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
  • the contactless card is one of a credit card, a debit card, an automated teller machine (ATM) card, a fleet card, stored-value card, prepaid card, and a gift card.
  • ATM automated teller machine
  • the request in the step (101) is received via one of: a web based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
  • SMS short message service
  • USSD Unstructured Supplementary Service Data
  • IVR interactive voice response
  • the mobile device detects the proximity with the one or more contactless cards periodically during the activated proximity mode.
  • the method (100) further comprises a step of switching (108) the operable state of the one or more contactless cards to locked state in absence of receiving proximity status information from the mobile device for a consecutive number of occurrences.
  • the method (100) further comprises steps of: receiving (106) proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards; and storing (107) the proximity status information in a database.
  • the proximity status information in step (106) is received from a data transmission module of the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device.
  • the method (100) further comprises a step of switching (108) the operable state of the one or more contactless cards to locked state when the received proximity status information indicates the mobile device and the contactless card are out of a predefined range for a consecutive number of occurrences.
  • the method (100) further comprises steps of: receiving (109) a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards; obtaining (110) a proximity status information indicative of a proximity of the contactless card and a mobile device associated with the card; and transmitting (111) an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range.
  • the method (100) further comprises the step of determining (112) an operable state of the contactless card such that the proximity status information is obtained when the operable state is determined as an unlocked state. Further, in one embodiment, the proximity status information in step (110) is obtained from a database, the database being adapted to store the proximity status information received periodically from the mobile device.
  • the proximity status information in step (110) is obtained from the mobile device via a data communication mode of the mobile device. Further, in one embodiment, the proximity status information in step (110) is obtained from the mobile device via a non-data communication mode of the mobile device. In an example, the proximity status information is obtained from the mobile device via one of a short message service (SMS) message and Unstructured Supplementary Service Data (USSD) message.
  • SMS short message service
  • USSD Unstructured Supplementary Service Data
  • Figure 2 illustrates an exemplary server 200 for enhancing security of a contactless card, in accordance with an embodiment of present invention. As would be understood, the server 200 is capable of implementing the methods as described with reference to preceding Figures 1a, 1b, and 1c.
  • the server 200 comprises a request receiving unit 201 to receive, in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers.
  • the receiving unit 201 is adapted to receive the request via one of: a web based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
  • SMS short message service
  • USSD Unstructured Supplementary Service Data
  • IVR interactive voice response
  • the request receiving unit 201 is adapted to receive one or more further inputs from the user.
  • the server 200 comprises a processor 202 and an analysis unit 203.
  • the processor 202 is adapted to determine an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state.
  • the analysis unit 203 is adapted to activate a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects proximity with the one or more contactless cards during the activated proximity mode.
  • the analysis unit 203 is further adapted to transmit a trigger to a contactless module of the mobile device, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
  • when the operable state is determined as locked state, the analysis unit 203 is adapted to switch the operable state from the locked state to unlocked state. Further, during a locked state of a contactless card, the analysis unit 203 is adapted to prevent a use of the contactless card and deactivate a proximity mode of the contactless card. Furthermore, during an unlocked state of a contactless card, the analysis unit 203 is adapted to allow a use of the contactless card and activate a proximity mode of the contactless card.
  • the server 200 further comprises an information receiving unit 204.
  • the information receiving unit 204 is adapted to receive a proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards.
  • the information receiving unit 204 receives the proximity status information from a data transmission module of the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device.
  • the information receiving unit 204 is further adapted to store the proximity status information in a database 205 coupled to the server.
  • the database 205 is external to the server 200, as shown in the figure. In another example, the database 205 is integrated within the server 200.
  • the analysis unit 203 is further adapted to determine if the received proximity status information is indicative of the mobile device and the contactless card being out of a predefined range for a consecutive number of occurrences. Thereupon, the analysis unit 203 is adapted to switch the operable state of the one or more contactless cards to locked state in accordance with the determination.
  • the analysis unit 203 is further adapted to determine non-receipt of proximity status information from the mobile device for a consecutive number of occurrences. Thereupon, the analysis unit 203 is adapted to switch the operable state of the one or more contactless cards to locked state in accordance with the determination.
  • the server 200 further comprises an authorizing unit 206.
  • the authorizing unit 206 is adapted to receive a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards.
  • the authorizing unit 206 is further adapted to obtain proximity status information indicative of proximity of the contactless card and a mobile device associated with the card; and to transmit an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range.
  • the authorizing unit 206 is adapted to determine the operable state of the contactless card, such that proximity status information is obtained when the operable state is determined as an unlocked state.
  • the authorizing unit 206 is adapted to obtain the proximity status information from the database 205 that is adapted to store the proximity status information received periodically from the mobile device.
  • the authorizing unit 206 is adapted to obtain the proximity status information from the mobile device via a data communication mode of the mobile device.
  • the authorizing unit 206 is adapted to obtain the proximity status information from the mobile device via a non-data communication mode of the mobile device.
  • the proximity status information is obtained from the mobile device via one of a short message service (SMS) message and Unstructured Supplementary Service Data (USSD) message.
  • SMS short message service
  • USSD Unstructured Supplementary Service Data
  • the processor 202 may include software components to perform the necessary functions.
  • the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may be implemented using hardware components or software components or combination of both.
  • the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may form a single unit/module.
  • the processor 202, the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may form a single unit/module.
  • the server 200 may further include a message generating unit 207 adapted to generate the message and a message transmitting unit 208 adapted to transmit the generated message. Additionally, the server 200 may include a memory 209 adapted to store the outputs of each of the previously mentioned units. In addition, the server 200 may include a bus system (not shown in the figure) for enabling communication between the various units, communication interface (not shown in the figure), and network interface unit (not shown in the figure). Further, it would be understood that in one embodiment the above-mentioned functions of various units can be performed by a single unit.
  • Although specific hardware components have been depicted in reference to the server 200, it is to be understood that the server 200 and the various components therein may include other hardware components and/or software components as known in the art for performing necessary functions.
  • FIGs 3a & 3b illustrate exemplary network environment that implements the server 200 to enhance security of a contactless card and Figures 4-6 schematically illustrate various operations of the server 200 thereof, in accordance with an embodiment of present invention.
  • the network environment 300 includes one or more computing devices 301-1, 301-2, ... 301-N, (hereinafter referred to as computing device 301 indicating one computing device and computing devices 301 indicating a plurality of computing devices).
  • Examples of computing device 301 include the desktop, notebook, tablet, smart phone, and laptop.
  • the server 200 is coupled to the computing devices 301 over a network 302.
  • Examples of the network 302 include wireless network, wired network, and cloud based network.
  • the network environment 300 includes a plurality of issuer systems 303-1, 303-2, ... 303-N, (hereinafter referred to as issuer system 303 indicating one issuer system and issuer systems 303 indicating a plurality of issuer systems) corresponding to plurality of issuers such as banks and merchants.
  • the issuers among various other services, issue one or more contactless cards to a user for conducting financial transactions such as purchase transactions and banking transactions.
  • Examples of the issuer systems 303 include systems employed by banks and merchants.
  • the issuer systems 303 are coupled with the server 200 over the network 302. In an example, the issuer systems 303 are registered with the server 200.
  • the network environment 300 includes a plurality of point of transaction (POT) systems 304-1, 304-2, ... 304-N, (hereinafter referred to as POT system
  • the POT system 304 enables the user to perform financial transactions using the one or more contactless cards issued to the user by the issuers.
  • Examples of the POT system 304 include point of sale (POS) systems, automated teller machines (ATMs), and web-based applications and mobile-based applications, such as banking applications and shopping applications, where the user engages in a financial transaction.
  • the POT systems 304 are coupled with issuer systems 303 over the network 302. Further, the POT systems 304 may be coupled with other systems (not shown in the figure) such as inventory systems, catalogue systems, customer relationship management (CRM) system, and bill processing systems, as well as third party systems over the network 302.
  • CRM customer relationship management
  • the server 200 provides various services to users for managing their financial equipment such as contactless cards.
  • the contactless cards include a credit card, a debit card, an automated teller machine (ATM) card, a fleet card, stored-value card, prepaid card, and a gift card.
  • ATM automated teller machine
  • One such service includes enhancing security of the contactless cards.
  • a user accesses the server 200 through the computing device 301 over the network 302 and creates an account 305 with the server 200.
  • the creation of such account 305 is similar to methods known in the art.
  • the user accesses a web-based application or a mobile-based application hosted by the server 200 on the computing device 301 and creates the account 305.
  • the account 305 includes details of the user such as name and address.
  • the server 200 stores the details of the account
  • the user associates one or more contactless cards 306-1, 306-2 ... 306-N (hereinafter referred to as contactless card 306 indicating one contactless card and contactless cards 306 indicating a plurality of contactless cards) with the account 305 through the computing device 301.
  • the associated contactless cards 306 might be issued to the user by one issuer or by multiple issuers.
  • the user accesses the account 305 using web-based application or mobile-based application provided by the issuer.
  • the user accesses the account 305 using web-based application or mobile-based application provided by the server 200.
  • the association of the one or more contactless cards 306 may include providing details of the associated contactless card 306 and the corresponding issuer issuing the associated contactless card 306. Thereafter the association is performed as known in the art.
  • the association includes mapping the details of the associated contactless card 306 with the corresponding issuer and storing the mapped data in the database 205.
  • the contactless card 306 includes a secure element 307 embedded within the contactless card 306.
  • the secure element 307 is adapted to use short-range wireless communication for secure data communication. Examples of the short-range wireless communication include, but are not limited to, Wireless Fidelity (Wi-Fi), Near Field Communication (NFC), Bluetooth, Bluetooth Low Energy (BLE), Zigbee, Wi-Fi Direct (WFD), and Ultra Wideband (UWB).
  • the secure element 307 includes various components (not shown in the figure) such as a power supply module, short-range wireless communication module, memory module, a processing unit, and a communication bus system.
  • the memory module stores details of the contactless card 306 such as account number, user identification details, user verification number, account balance information, and transaction record information.
  • the short-range wireless communication module is a NFC sensor, which may further include a transceiver module and an antenna module.
  • the short-range wireless communication sensor enables communication of such data when the contactless card 306 is in proximity with short-range wireless communication enabled devices.
  • each of the contactless cards 306 is associated with a mobile device 308-1, 308-2 ... 308-N (hereinafter referred to as mobile device 308 indicating one mobile device and mobile devices 308 indicating a plurality of mobile devices).
  • the mobile device 308 is associated with the contactless card 306 through a mobile subscriber identification number (MSIDN) of the mobile device 308.
  • MSIDN mobile subscriber identification number
  • each of the contactless cards 306 is associated with a single mobile device 308. In another example, each of the contactless cards 306 is associated with different mobile devices 308.
  • the mobile device 308 is a short-range wireless communication enabled mobile device.
  • the short-range wireless communication includes, but is not limited to, Wireless Fidelity (Wi-Fi), Near Field Communication (NFC), Bluetooth, Bluetooth Low Energy (BLE), Zigbee, Wi-Fi Direct (WFD), and Ultra Wideband (UWB).
  • the mobile device 308 includes a contactless module 309, which is adapted to use short-range wireless communication protocols for secure data communication.
  • the contactless module 309 is pre-installed in the mobile device 308 by a manufacturer of the mobile device 308 or a network service provider.
  • the contactless module 309 is downloaded onto the mobile device 308 from the server 200.
  • the contactless module 309 is integrated with a mobile-based application provided by the server 200.
  • the contactless module 309 is separate from the mobile-based application provided by the server 200.
  • the contactless module 309 is adapted to communicate with the secure element 307 of the contactless card 306 over short-range radio waves 310 and to detect proximity with the contactless card 306.
  • the communication with the secure element 307 is enabled when the contactless card 306 and the mobile device 308 are within a predefined range.
  • the contactless module 309 is adapted to communicate with the server 200 via communication mode 311. Examples of the communication mode 311 include data communication mode and non-data communication mode.
  • the contactless module 309 communicates proximity status information to the server 200 when the server 200 activates a proximity mode of the mobile device 308.
  • the proximity mode of the mobile device 308 is activated by sending a trigger to the contactless module 309.
  • the contactless module 309 detects proximity of the contactless card 306 with the mobile device 308. More specifically, the contactless module 309 detects proximity of the secure element 307 of the contactless card 306 with the contactless module 309. Thus, the proximity status information is indicative of the detected proximity of the contactless card 306 with the mobile device 308.
  • the server 200 stores the details of the associated contactless cards 306 along with mobile device 308 in the database 205 such that the account 305 is mapped with each of the contactless cards 306 and the mobile device 308.
  • a flag is set to indicate the association of the contactless card 306 with the account 305.
  • the server 200 shares association details with the issuer systems 303 of the corresponding issuers. The association details are indicative that the server 200 will perform authentication of the associated contactless cards 306.
  • the server 200 shares information regarding the setting of the flag for each of the associated contactless cards 306 with the issuer systems 303 of the corresponding issuer of the associated contactless card 306.
  • the issuer systems 303 save the association details in a database (not shown in the figure).
  • the issuer system 303 saves a list of associated contactless cards 306 along with the flag details in the database.
  • the issuer system 303 sends a validation request to the server 200 based on the association details, as will be described in subsequent Figures and paragraphs.
  • the user may specify cash limit value/credit limit value for one or more of the associated contactless cards 306.
  • the user may also specify cash limit value/credit limit value for the one or more of the associated contactless cards 306 at the corresponding issuer system 303.
  • the server 200 sets an operable state for each of the associated contactless cards 306 and saves the operable state in the database 205.
  • the operable state can be either an unlocked state or a locked state.
  • when the operable state of the contactless card 306 is a locked state, the server 200 prevents a transaction using the contactless card 306 and deactivates a proximity mode of the mobile device associated with the contactless card 306.
  • when the operable state of the contactless card 306 is an unlocked state, the server 200 allows a transaction using the contactless card 306 and activates a proximity mode of the mobile device associated with the contactless card 306.
  • the server 200 sets the operable state as locked state by default for each of the associated contactless cards 306. In another embodiment, the server 200 sets the operable state as unlocked state by default for each of the associated contactless cards 306. In yet another embodiment, the server 200 sets the operable state either as locked state or unlocked state upon receiving a request from the user for the one or more associated contactless cards 306. In such embodiment, the user selects an option pertaining to the setting of locked state or unlocked state. In one example, the user selects the option through the web-based application or the mobile-based application on the computing device 301.
  • Figure 4 illustrates the operations performed by the server 200 to enhance a security of the associated contactless cards 306, in accordance with an embodiment of present invention.
  • the user sends a request to the server 200.
  • the request pertains to enabling the one or more associated contactless cards 306.
  • the enabling request is indicative of activating the proximity mode of the mobile device 308 associated with the contactless card 306.
  • the mobile device 308 detects proximity with the contactless card 306.
  • the user sends the request through one of the following methods: a web-based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
  • the user sends the request from the computing device 301.
  • the user sends the request from the mobile device 308 associated with the contactless card 306.
  • the request includes an identifier indicative of the activation of the proximity mode.
  • the request further includes details of the account 305 and/or details of the associated contactless card 306.
  • the request pertains to one associated contactless card 306.
  • the user sends separate requests for each of the associated contactless cards 306 as required.
  • Each such request includes details of the account 305 and details of the associated contactless card 306.
  • the request pertains to all of the associated contactless cards 306.
  • the user sends one such request.
  • such request includes only the details of the account 305.
  • the receiving unit 201 of the server 200 receives the request from the computing device 301 or the mobile device 308.
  • the processor 202 determines an operable state of the contactless card 306 mentioned in the request from the database 205. If the operable state is determined as locked state, the analysis unit 203 switches the operable state to unlocked state.
  • upon switching of the operable state, the message generating unit 207 generates a challenge message for the user, as known in the art. Examples of the challenge message include a one-time password (OTP) and a captcha message.
  • the message generating unit 207 may generate a response message and store it in the memory 209. In an example, the response message is the same as the challenge message.
  • the analysis unit 203 saves the switched operable state as a current operable state for the contactless card 306 in the database 205. On the contrary, if the operable state is determined as unlocked state, the message generating unit 207 generates a message indicative of the activated proximity mode and the unlocked state of the contactless card 306.
  • the message transmitting unit 208 of the server 200 transmits the challenge message to the user.
  • the message transmitting unit 208 transmits the challenge message to the computing device 301.
  • the message transmitting unit 208 transmits the challenge message to the mobile device 308 associated with the contactless card 306.
  • the message transmitting unit 208 transmits the challenge message to the same device sending the request.
  • the message transmitting unit 208 transmits the challenge message to a device different from the device sending the request.
  • the request receiving unit 201 receives a response message from the user in response to the challenge message.
  • the processor 202 validates the received response message by matching the received response message with the stored response message.
  • the analysis unit 203 activates the proximity mode of the mobile device 308.
  • the mobile device 308 detects proximity with the contactless card 306. Accordingly, the analysis unit 203 sends a trigger to the contactless module 309 of the mobile device 308 to activate the proximity mode of the mobile device 308.
  • the contactless module 309 pings the secure element 307 of the contactless card 306 periodically and determines proximity with the secure element 307 of the contactless card 306.
  • the contactless module 309 then transmits the proximity status information to the server 200 periodically.
  • the contactless module 309 may transmit the proximity status information via data communication mode or non-data communication mode.
  • the contactless module 309 sends proximity status information in the form of messages such as short message service (SMS) messages and unstructured supplementary service data (USSD) messages via the non-data communication mode.
  • the information receiving unit 204 of the server 200 receives the proximity status information sent periodically by the mobile device 308 and stores the proximity status information in the database 205. Further, the analysis unit 203 determines if the received proximity status information is indicative of the mobile device 308 and the contactless card 306 being out of a predefined range for a consecutive number of occurrences. In an example, the predefined range is a few meters. In an example, the consecutive number of occurrences is predefined as three. Upon such determination, the analysis unit 203 switches the operable state of the contactless card 306 to locked state and transmits an alert message to the mobile device 308. In an example, the alert message prompts the user to resend the request to enable the contactless card 306.
  • the analysis unit 203 deactivates the proximity mode of the mobile device 308. Furthermore, the authorizing unit 206 prevents a transaction using the contactless card 306 from completion at an instance when the received proximity status information indicates the mobile device 308 and the contactless card 306 are out of a predefined range. The same shall be explained in detail with reference to further figures.
  • the below table illustrates the proximity status information received periodically from the mobile device 308.
  • the analysis unit 203 will not switch the operable state to locked state at time instances T2 and T4. However, the analysis unit 203 will switch the operable state to locked state at time instance T8, since the proximity status information indicates far proximity, i.e. the mobile device 308 and the contactless card 306 being out of a predefined range, for 3 consecutive occurrences. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state.
  • the authorizing unit 206 prevents a transaction using the contactless card 306 at time instances T2, T4, T6, T7 and T8.
  • the authorizing unit 206 prevents a transaction at any instance when the contactless card 306 is in far proximity with the mobile device 308.
  • the analysis unit 203 switches the operable state of the contactless card 306 to locked state.
  • the predefined range is a few meters.
  • the consecutive number of occurrences is predefined as three.
  • the analysis unit 203 transmits an alert message to the mobile device 308.
  • the alert message prompts the user to resend the request to enable the contactless card 306.
  • the analysis unit 203 deactivates the proximity mode of the mobile device 308.
  • the authorizing unit 206 prevents a transaction using the contactless card 306 from completion at an instance when the proximity status information is not received. The same shall be explained in detail with reference to further figures.
  • the below table illustrates the proximity status information received periodically from the mobile device 308.
  • the analysis unit 203 will not switch the operable state to locked state at time instances T2 and T4. However, the analysis unit 203 will switch the operable state to locked state at time instance T8, since the proximity status information is not received from the mobile device 308 for 3 consecutive occurrences. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state.
  • the authorizing unit 206 prevents a transaction using the contactless card 306 at time instances T2, T4, T6, T7 and T8.
  • the authorizing unit 206 prevents a transaction at any instance when the proximity status information is not received.
  • the analysis unit 203 monitors the non-receipt of the proximity status information and far proximity at each time instance. Accordingly, if the proximity status information is not received, or if the received proximity status information is indicative of far proximity, for a consecutive number of occurrences, then the analysis unit 203 switches the operable state of the contactless card 306 to locked state. In an example, the consecutive number of occurrences is predefined as three. Additionally, the analysis unit 203 transmits an alert message to the mobile device 308. In an example, the alert message prompts the user to resend the request to enable the contactless card 306. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308.
  • the below table illustrates the proximity status information received periodically from the mobile device 308.
  • the analysis unit 203 will not switch the operable state to locked state at time instance T3. However, the analysis unit 203 will switch the operable state to locked state at time instance T4, since the proximity status information is not received from the mobile device 308 at time instances T2 and T4 and the received proximity status information indicates far proximity at time instance T3. Thus, the analysis unit 203 monitored the proximity status information and the non-receipt of the proximity status information for 3 consecutive occurrences and switched the operable state to locked state. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state. Thus, the switching of the operable state to locked state in the various scenarios explained above provides enhanced security for the contactless card 306.
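The three locking scenarios described above (far proximity, non-receipt, and a mix of the two, each for three consecutive time instances) as an added worked example. This is illustrative code written for this page, not code from the patent or its applicant. The `CardState` record, the function names and the three report tables are constructed from the description; the tables reproduce the time instances the text names (far or not received at T2, T4, T6, T7 and T8; not received at T2 and T4 with far proximity at T3), since the referenced tables themselves are not reproduced on the page.

```python
"""Server-side proximity monitoring for an associated contactless card.

Constructed model (not the patent's code) of the analysis unit's rule: each
periodic report from the mobile device is "near" (within the predefined range),
"far", or missing (no report received). Three consecutive far-or-missing
instances switch the card's operable state to locked, generate an alert and
deactivate the mobile device's proximity mode; a near report resets the run.
The authorizing unit prevents a transaction at any far-or-missing instance.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CONSECUTIVE_LIMIT = 3        # "predefined as three" in the description
NEAR, FAR = "near", "far"    # proximity status values; None = report not received


@dataclass
class CardState:
    """Per-card state the server keeps in its database (constructed model)."""
    operable_state: str = "unlocked"
    proximity_mode_active: bool = True
    consecutive_bad: int = 0                  # current far-or-missing run length
    blocked_instances: List[int] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    locked_at: Optional[int] = None


def process_report(state: CardState, t: int, status: Optional[str]) -> CardState:
    """Handle the proximity status information for time instance t.

    status is NEAR, FAR or None (report not received). Mutates and returns state.
    """
    if not state.proximity_mode_active:
        return state                          # nothing is monitored once deactivated
    if status == NEAR:
        state.consecutive_bad = 0
        return state
    # Far proximity or non-receipt: a transaction at this instance is prevented
    # regardless of how long the run is.
    state.blocked_instances.append(t)
    state.consecutive_bad += 1
    if state.consecutive_bad >= CONSECUTIVE_LIMIT:
        state.operable_state = "locked"
        state.locked_at = t
        state.alerts.append(f"T{t}: card locked, resend the enable request")
        state.proximity_mode_active = False   # server deactivates the proximity mode
    return state


def run_sequence(reports: List[Optional[str]]) -> CardState:
    """Feed a whole table of reports (index 0 is T1) through the monitor."""
    state = CardState()
    for t, status in enumerate(reports, start=1):
        process_report(state, t, status)
    return state


# Constructed tables matching the time instances named in the description.
FAR_TABLE = [NEAR, FAR, NEAR, FAR, NEAR, FAR, FAR, FAR]            # far at T2, T4, T6, T7, T8
MISSING_TABLE = [NEAR, None, NEAR, None, NEAR, None, None, None]   # not received at the same instances
MIXED_TABLE = [NEAR, None, FAR, None]                              # missing T2, far T3, missing T4

if __name__ == "__main__":
    for name, table in (("far", FAR_TABLE), ("missing", MISSING_TABLE), ("mixed", MIXED_TABLE)):
        s = run_sequence(table)
        print(f"{name}: state={s.operable_state} locked_at={s.locked_at} "
              f"transactions prevented at instances {s.blocked_instances}")
```

The counter resets on every near report, which is why isolated far or missing instances at T2 and T4 only prevent the transaction at that instance and do not lock the card; only an unbroken run of three does. Treating non-receipt the same as far proximity matters operationally: a device that is switched off or out of coverage otherwise provides no signal at all while the card may be anywhere.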
  • the message generating unit 207 generates a success message indicative of the positive match at step 405.
  • the success message indicates successful activation of the proximity mode of the mobile device 308 or enabling of the contactless card 306.
  • the message transmitting unit 208 then transmits the success message to the user.
  • the message transmitting unit 208 transmits the success message to the computing device 301.
  • the message transmitting unit 208 transmits the success message to the mobile device 308.
  • the message generating unit 207 generates a failure message.
  • the failure message indicates unsuccessful activation of the proximity mode or enabling of the contactless card 306.
  • the failure message further prompts the user to resend the request for enabling.
  • the analysis unit 203 switches the operable state from unlocked state to locked state. Additionally, the analysis unit 203 saves the switched operable state as the current operable state for the contactless card 306 in the database 205.
  • FIGS. 5a to 5c illustrate the operations performed by the server 200 during a transaction initiated by the associated contactless card 306, in accordance with an embodiment of present invention.
  • the POT system 304 transmits a validation request to the issuer system 303 when a financial transaction is initiated using a contactless card by the user.
  • examples of the transaction include a banking transaction at an ATM, a purchase transaction at a POS system, an e-commerce purchase on a web-based application or mobile-based application, and a banking transaction on a web-based application or mobile-based application.
  • the validation request includes authentication credentials of the POT system 304, transaction information, and card identifier data indicating details about the contactless card, and location information in respect of the transaction.
  • the location information is a geographic location of the POS system or ATM.
  • the location information is a geographic location of the computing device 301 which accesses the web-based applications or mobile-based applications.
  • the POT system 304 may also transmit authentication credentials such as PIN and Password associated with the contactless card and known only to the user.
  • the issuer system 303 determines if the contactless card is one of the associated contactless cards 306. In an example, the issuer system 303 retrieves the list of associated contactless cards 306 along with flag details from a database and determines if the contactless card is one of the associated contactless cards 306 based on the flag details. If the flag is set, the contactless card is determined as the associated contactless card 306 for which the server 200 performs the authentication. Thereafter, the issuer system 303 forwards the validation request to the server 200. On the contrary, if the flag is not set, the contactless card is determined as not being one of the associated contactless cards 306. Consequently, the issuer system 303 will not send the validation request to the server 200. Thereafter, the issuer system 303 performs validation of the contactless card in a manner as known in the art. In an example, the issuer system 303 validates the authentication credentials received along with the validation request.
  • the authorizing unit 206, upon receiving the validation request, obtains a current operable state of the contactless card from the database 205 corresponding to a time of the transaction.
  • the authorizing unit 206 determines if the current operable state is "locked state". If the current operable state is determined as "locked state", the authorizing unit 206 prevents the transaction. Accordingly, the message generating unit 207 generates a failure message indicative of the "locked state" of the contactless card. In addition to the failure message, the message generating unit 207 generates an alert message for the user. The alert message indicates details about the transaction and the "locked state" of the contactless card in respect of the transaction.
  • the authorizing unit 206 blocks further transactions using the contactless card. Accordingly, the message generating unit 207 generates a blocked message.
  • the message transmitting unit 208 of the server 200 transmits the failure message to the issuer system 303.
  • the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the message transmitting unit 208 transmits the blocked message to the user after the predetermined number of unsuccessful transactions. In an example, the message transmitting unit 208 transmits the alert message to the mobile device 308.
  • the issuer system 303 upon receiving the failure message, prevents the processing of the transaction.
  • the banking transaction at ATM, purchase transaction at POS system, e-commerce purchase on web-based application or mobile-based application, and banking transaction on web-based application or mobile-based application are prevented from completion.
  • the issuer system 303 transmits a transaction unsuccessful message to the POT system 304.
  • the POT system 304 may display an appropriate message on a display unit (not shown in the figure) of the POT system 304.
  • the issuer system 303 upon receiving the failure message for a predetermined number of successive transactions initiated by using the contactless card, blocks further transactions using the contactless card in a manner as known in the art. Accordingly, the issuer system 303 transmits a blocked message to the user as known in the art. In an example, the issuer system 303 transmits the blocked message to the mobile device 308. In another example, the issuer system 303 transmits the blocked message to the computing device 301.
  • the issuer system 303 transmits a transaction unsuccessful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction unsuccessful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction unsuccessful message to the computing device 301. However, if at step 504, the current operable state of the contactless card is determined as "unlocked state", then the process flows to step 509 in Figure 5b.
  • the authorizing unit 206 obtains current proximity status information of the contactless card corresponding to the time of the transaction. Accordingly, in one embodiment, the authorizing unit 206 may obtain the current proximity status information from the mobile device 308 associated with the contactless card at the time of transaction. Thus, at step 509-1, the authorizing unit 206 may obtain the current proximity status information from the mobile device 308 associated with the contactless card. As such, the authorizing unit 206 may transmit a request to the contactless module 309 for current proximity status information. The authorizing unit 206 may send the request over a data communication mode when the data communication mode of the mobile device 308 is enabled. The authorizing unit 206 may send the request over a non-data communication mode when the data communication mode of the mobile device 308 is disabled.
  • upon receiving the request for current proximity status information from the server 200, the contactless module 309 in the mobile device 308 detects current proximity with the contactless card and transmits the current proximity status information to the server 200. The contactless module 309 may transmit the current proximity status information over the data communication mode when the data communication mode of the mobile device 308 is enabled. The contactless module 309 may transmit the current proximity status information over the non-data communication mode when the data communication mode of the mobile device 308 is disabled.
  • the authorizing unit 206 may obtain the current proximity status information from the database 205. As such, the authorizing unit 206 obtains the latest proximity status information received from the mobile device 308 prior to the transaction or at the time of transaction and stored in the database 205. In another embodiment, the authorizing unit 206 may obtain the current proximity status information corresponding to the time of transaction simultaneously from the database 205 and the mobile device 308.
  • the authorizing unit 206 may dynamically select a source of obtaining the current proximity status information based on predefined rules.
  • the source can be the mobile device 308, the database 205, or both, as described above.
  • the authorizing unit 206 of the server 200 determines if the contactless card and the mobile device 308 are within the predefined range based on the current proximity status information.
  • upon determining that the contactless card and the mobile device 308 are within the predefined range, at step 511, the server 200 transmits a success message to the issuer system 303. Accordingly, the message generating unit 207 generates a success message indicative of near proximity with the mobile device 308 and the message transmitting unit 208 transmits the success message to the issuer system 303.
  • the authorizing unit 206 also compares a value of the transaction with the cash limit value/credit limit value specified by the user in the account 305. Based on the comparison, the message generating unit 207 generates a transaction value message.
  • the transaction value message indicates that the value of the transaction is above the specified cash limit value/credit limit value.
  • the transaction value message indicates the value of the transaction is below the specified cash limit value/credit limit value.
  • the transaction value message is included in the success message. In another example, the transaction value message is separate from the success message.
  • the issuer system 303 upon receiving the success message, successfully processes and completes the transaction.
  • the banking transaction at ATM, purchase transaction at POS system, e-commerce purchase on web-based application or mobile-based application, and banking transaction on web-based application or mobile-based application are successfully completed.
  • the issuer system 303 completes the transaction based on the transaction value message received from the server 200. In an example, if the transaction value message indicates that the value of the transaction is below the specified cash limit value/credit limit value, the transaction is completed. In an example, if the transaction value message indicates that the value of the transaction is above the specified cash limit value/credit limit value, the transaction is not completed. In another embodiment, the issuer system 303 completes the transaction based on the cash limit value/credit limit value specified by the user. Upon completing the transaction, the issuer system 303 transmits a transaction successful message to the POT system 304. Upon receiving the transaction successful message, the POT system 304 may generate a paper bill having transaction information and payment information.
  • the issuer system 303 transmits a transaction successful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction successful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction successful message to the computing device 301.
  • if, at step 510, the authorizing unit 206 determines that the contactless card and the mobile device 308 are out of the predefined range based on the current proximity status information, then the process flows to step 514 in Figure 5c.
  • in one embodiment, when the authorizing unit 206 determines that the contactless card and the mobile device 308 are out of the predefined range and the process flows to step 514 in Figure 5c, the authorizing unit 206 additionally switches the current operable state of the contactless card 306 to 'locked state'.
  • the server 200 transmits a failure message to the issuer system 303.
  • the message generating unit 207 generates a failure message indicative of far proximity with the mobile device 308 and the message transmitting unit 208 transmits the failure message to the issuer system 303.
  • in addition to the failure message, the message generating unit 207 generates an alert message for the user.
  • the alert message indicates details about the transaction and details about far proximity of the contactless card with the mobile device 308 in respect of the transaction. Further, in one embodiment, the alert message indicates details about switching of the current operable state of the contactless card 306 to 'locked state' when the authorizing unit 206 does not receive the current proximity status information from the mobile device 308 at step 509-1.
  • the authorizing unit 206 blocks further transactions using the contactless card. Accordingly, the message generating unit 207 generates a blocked message.
  • the message transmitting unit 208 transmits the alert message to the user. In an example, the message transmitting unit 208 transmits the alert message to the mobile device 308. In another example, the message transmitting unit 208 transmits the alert message to the computing device 301. Further, the message transmitting unit 208 transmits the blocked message to the user after the predetermined number of unsuccessful transactions.
  • the issuer system 303 prevents the processing of the transaction.
  • the banking transaction at ATM, purchase transaction at POS system, e-commerce purchase on web-based application or mobile-based application, and banking transaction on web-based application or mobile-based application are prevented from completion.
  • the issuer system 303 transmits a transaction unsuccessful message to the POT system 304.
  • the POT system 304 may display an appropriate message on a display unit (not shown in the figure) of the POT system 304.
  • upon receiving the failure message for a predetermined number of successive transactions initiated by using the card, the issuer system 303 blocks further transactions using the card in a manner as known in the art. Accordingly, the issuer system 303 transmits a blocked message to the user as known in the art. In an example, the issuer system 303 transmits the blocked message to the mobile device 308. In such example, the mobile device 308 is associated with the card. In another example, the issuer system 303 transmits the blocked message to the computing device 301. In yet another example, the issuer system 303 transmits the blocked message to a mobile device 308.
  • the issuer system 303 transmits a transaction unsuccessful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction unsuccessful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction unsuccessful message to the computing device 301.
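The transaction-time flow of Figures 5a to 5c as an added worked example: the issuer forwards a flagged card's validation request to the server, the server checks the stored operable state, then the current proximity status, then the user's cash/credit limit, and repeated failures block the card. This is illustrative code written for this page, not the patent's or the applicant's implementation. `CardRecord`, `Decision`, the function names and the sample inputs are constructed; the text gives no value for the "predetermined number" of successive unsuccessful transactions, so the example assumes three and marks that as an assumption.

```python
"""Transaction-time validation of an associated contactless card (Figures 5a-5c).

Constructed model (not the patent's code): the issuer forwards the validation
request to the server only when the card's association flag is set; the server's
authorizing unit then checks the stored operable state, the current proximity
status obtained for the time of the transaction, and the user's cash/credit limit.
"""
from dataclasses import dataclass, field
from typing import List, Optional

NEAR, FAR = "near", "far"     # proximity status values; None = status not received
SUCCESSIVE_FAILURE_LIMIT = 3  # assumed: the text says only "a predetermined number"


@dataclass
class CardRecord:
    """Server-side record for one associated card (constructed model)."""
    operable_state: str = "unlocked"      # "locked" or "unlocked"
    flag_set: bool = True                 # association flag shared with the issuer
    limit_value: Optional[float] = None   # cash limit value / credit limit value, if set
    failures: int = 0                     # successive unsuccessful transactions
    blocked: bool = False                 # further transactions blocked
    alerts: List[str] = field(default_factory=list)


@dataclass
class Decision:
    outcome: str                          # "success", "failure" or "blocked"
    reason: str
    value_message: Optional[str] = None   # "above limit", "below limit" or None


def _fail(card: CardRecord, reason: str) -> Decision:
    """Failure path: alert the user and block the card after repeated failures."""
    card.failures += 1
    card.alerts.append(f"transaction prevented: {reason}")
    if card.failures >= SUCCESSIVE_FAILURE_LIMIT:
        card.blocked = True
        card.alerts.append("further transactions blocked")
        return Decision("blocked", reason)
    return Decision("failure", reason)


def server_validate(card: CardRecord, txn_value: float, current_status: Optional[str]) -> Decision:
    """Authorizing unit: current_status is the proximity status obtained for the
    time of the transaction (from the device, the database, or both)."""
    if card.blocked:
        return Decision("blocked", "card already blocked")
    if card.operable_state == "locked":
        return _fail(card, "locked state")
    if current_status != NEAR:
        # Far proximity, or no status at all: fail the transaction and lock the card.
        card.operable_state = "locked"
        reason = "far proximity" if current_status == FAR else "proximity status not received"
        return _fail(card, reason)
    card.failures = 0
    value_message = None
    if card.limit_value is not None:
        value_message = "above limit" if txn_value > card.limit_value else "below limit"
    return Decision("success", "near proximity", value_message)


def issuer_validate(card: CardRecord, txn_value: float, current_status: Optional[str]) -> Decision:
    """Issuer system: only flagged (associated) cards are validated by the server;
    other cards follow the issuer's own validation, modelled here as a pass-through."""
    if not card.flag_set:
        return Decision("success", "issuer validation, card not associated")
    return server_validate(card, txn_value, current_status)


def issuer_completes(decision: Decision) -> bool:
    """Issuer completes only on success and, when a value message is present,
    only when the transaction value is below the user's limit."""
    return decision.outcome == "success" and decision.value_message != "above limit"


if __name__ == "__main__":
    card = CardRecord(limit_value=100.0)
    for value, status in ((50.0, NEAR), (150.0, NEAR), (20.0, FAR), (20.0, NEAR)):
        d = issuer_validate(card, value, status)
        print(f"value={value} status={status}: {d.outcome} ({d.reason}), "
              f"completed={issuer_completes(d)}")
```

Note the ordering of checks: a card already in locked state fails before any proximity is consulted, so a near report at transaction time cannot re-open a card the monitoring loop has locked; only the user's explicit enable request (Figure 4) does that. A missing status at transaction time is treated like far proximity, matching the alert described at step 509-1.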
  • Figure 6 illustrates the operations performed by the server 200 to disable the contactless card 306 and deactivate the proximity mode of the mobile device 308, in accordance with an embodiment of present invention.
  • the user sends a request to the server 200 as described in step 401 earlier.
  • the request pertains to disabling the one or more associated contactless cards 306.
  • the disabling request is indicative of deactivating the proximity mode of the mobile device 308 associated with the contactless card 306.
  • the contactless module 309 in the mobile device 308 discontinues detecting proximity of the mobile device 308 with the contactless card 306.
  • the receiving unit 201 receives the request from the computing device 301 or the mobile device 308. As described in reference to step 402, upon receiving the request, the processor 202 determines a current operable state of the contactless card 306 mentioned in the request from the database 205.
  • the analysis unit 203 transmits a challenge message to the mobile device 308 as described in reference to step 402 if the operable state is determined as "unlocked state". On the contrary, if the operable state is determined as "locked state", the analysis unit 203 transmits a message indicative of "locked state" to the mobile device 308. In addition, the message indicates that the proximity mode of the mobile device 308 is currently deactivated.
  • the request receiving unit 201 receives a response message from the user in response to the challenge message.
  • the processor 202 validates the received response message by matching the received response message with the stored response message.
  • the analysis unit 203 deactivates the proximity mode of the mobile device 308, if a positive match is obtained at step 605.
  • when the proximity mode of the mobile device 308 is deactivated, the mobile device 308 does not detect proximity with the contactless card 306. Accordingly, the analysis unit 203 sends a trigger to the contactless module 309 of the mobile device 308 to deactivate the proximity mode of the mobile device 308. Further, the analysis unit 203 switches the operable state to locked state and saves the switched operable state as a current operable state for the contactless card 306 in the database 205.
  • the message generating unit 207 generates a success message indicative of the positive match.
  • the success message indicates successful deactivation of the proximity mode of the mobile device 308 or disabling of the contactless card 306.
  • the message transmitting unit 208 then transmits the success message to the user.
  • the message transmitting unit 208 transmits the success message to the computing device 301.
  • the message transmitting unit 208 transmits the success message to the mobile device 308.
  • the message generating unit 207 generates a failure message.
  • the failure message indicates unsuccessful deactivation of the proximity mode or disabling of the contactless card 306.
  • the failure message further indicates the user to resend the request.

Abstract

The invention relates to a method and system for enhancing the security of contactless cards. In accordance with one embodiment, a method (100) comprises: receiving (101), in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers; determining (102) an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state; and activating (103) a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects a proximity with the one or more contactless cards during the activated proximity mode.

Description

METHOD AND SYSTEM FOR ENHANCING SECURITY OF CONTACTLESS CARD
TECHNICAL FIELD
The invention generally relates to financial transaction authentication. More particularly, the invention relates to enhancing security of contactless card.
BACKGROUND
With the advent of technology, proximity-based payment or contactless payment has gained wide popularity. An example of such contactless payment is near field communication (NFC) based payment. In such NFC based payment, an NFC enabled reader device reads information from an NFC enabled card or contactless card to authenticate the contactless card and to enable payment using the contactless card when the contactless card is in near proximity with the NFC enabled device. As the contactless cards can be read without a physical contact between the NFC enabled reader device and the contactless card, sharing of confidential authentication information such as the PIN and CVV number is not required during a transaction.
However, since the information from the contactless card is read over short-range wireless communication, the information can be stolen using a malicious hardware/software component in the NFC enabled reader device. To overcome such a security risk, in one technique, the NFC enabled reader device is authenticated prior to reading information from the contactless card.
However, such authentication fails to prevent unauthorized transactions if the contactless card is stolen or lost. Generally, such unauthorized transactions are identified only after they have been processed completely and successfully. Consequently, a user of the contactless card is left with very few options, such as hot-listing the contactless card or destroying the card. However, both options permanently block the contactless card from usage and require the user to opt for a new contactless card, which is a time-consuming and lengthy process.
Thus, there exists a need to provide a better technique for preventing such unauthorized transactions using the contactless cards.
SUMMARY OF THE INVENTION
In accordance with the purposes of the invention, the present invention as embodied and broadly described herein, provides for enhancing security of contactless card.
Accordingly, in one embodiment, a user creates an account with a server and associates one or more contactless cards issued to the user by one or more issuers. Upon association, an operable state for each of the one or more contactless cards is set. The operable state can be either a locked state or an unlocked state. In the locked state, transactions using the contactless card are prevented. In the unlocked state, transactions using the contactless card are allowed. To enhance the security of the contactless card, the user sends a request to the server for enabling the one or more associated contactless cards. Upon receiving the request, the server determines an operable state of the contactless card. Thereafter, the server activates a proximity mode of a mobile device associated with the contactless cards when the operable state is determined as locked state. Accordingly, the server switches the operable state to unlocked state and then activates the proximity mode of the mobile device. Upon activating the proximity mode, the mobile device detects proximity with the contactless cards and shares proximity status information periodically with the server.
Further, during a transaction using the contactless card, the server obtains proximity status information indicative of proximity of the contactless card with the mobile device. Thereafter, the server authenticates the contactless card when proximity status information indicates the mobile device and contactless card are within a predefined range. On the contrary, the server prevents any transaction using the contactless card when proximity status information indicates the mobile device and contactless card are out of the predefined range. Furthermore, the server blocks the contactless card from subsequent use if the proximity status information indicates the mobile device and contactless card are out of the predefined range for a consecutive number of occurrences.
The advantages of the invention include, but are not limited to, enhanced security of the associated contactless cards by detecting proximity of the contactless cards with the mobile device associated with the contactless cards. This ensures that only authorized transactions using the associated contactless cards are processed, namely when the contactless card is in near proximity with the associated mobile device, thereby eliminating chances of unauthorized transactions using a stolen contactless card. In addition, the user can activate or deactivate detection of the proximity of the contactless cards with associated mobile devices as and when required. Moreover, a lost or stolen contactless card gets automatically blocked from further use when the contactless card is out of the predefined range from the associated mobile device. Thus, an easy solution is provided to the user as opposed to blocking or hot-listing the contactless card and destroying the contactless card.
Additionally, an easy solution is provided for safeguarding the contactless cards while travelling and in various other scenarios where proximity status information is not available from the mobile device, since the contactless cards are automatically blocked from further use when the contactless card is out of the predefined range from the associated mobile device. Examples of such scenarios include, but are not limited to: (1) when both the mobile device and the contactless card are stolen and the stolen mobile device is switched off subsequently; (2) when the mobile device is not reachable; (3) when the mobile device is unable to share the proximity status information periodically with the server; and (4) when the user leaves the contactless card at home or any other location intentionally or unintentionally.
Further, two-step security verification is provided during a transaction. Accordingly, in the first step of verification, a current operable state of the contactless card is determined and the transaction is prevented if the current operable state is determined as locked state. However, if the current operable state is determined as unlocked state, the second step of verification is performed. In the second step of verification, proximity of the contactless card with the mobile device is detected and the transaction is prevented if the mobile device and contactless card are out of the predefined range. Thus, the transaction is allowed only if the contactless card is in unlocked state and is within the predefined range of proximity with the mobile device. As such, the security of the contactless card is greatly enhanced.
These and other aspects as well as advantages will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS:
To further clarify advantages and aspects of the invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings, which are listed below for quick reference.
Figures 1a-1c illustrate an exemplary method for enhancing security of a contactless card, in accordance with an embodiment of present invention.
Figure 2 illustrates an exemplary server for enhancing security of a contactless card, in accordance with an embodiment of present invention.
Figures 3a & 3b illustrate an exemplary network environment that implements the server to enhance security of a contactless card, in accordance with an embodiment of present invention.
Figures 4, 5a-5c, and 6 schematically illustrate various operations of the server to enhance security of a contactless card, in accordance with an embodiment of present invention. It may be noted that to the extent possible, like reference numerals have been used to represent like elements in the drawings. Further, those of ordinary skill in the art will appreciate that elements in the drawings are illustrated for simplicity and may not necessarily have been drawn to scale. For example, the dimensions of some of the elements in the drawings may be exaggerated relative to other elements to help improve understanding of aspects of the invention. Furthermore, the one or more elements may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the invention so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.
DETAILED DESCRIPTION
It should be understood at the outset that although illustrative implementations of the embodiments of the present disclosure are illustrated below, the present invention may be implemented using any number of techniques, whether currently known or in existence. The present disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, including the exemplary design and implementation illustrated and described herein, but may be modified within the scope of the appended claims along with their full scope of equivalents.
The term "some" as used herein is defined as "none, or one, or more than one, or all." Accordingly, the terms "none," "one," "more than one," "more than one, but not all" or "all" would all fall under the definition of "some." The term "some embodiments" may refer to no embodiments or to one embodiment or to several embodiments or to all embodiments. Accordingly, the term "some embodiments" is defined as meaning "no embodiment, or one embodiment, or more than one embodiment, or all embodiments."
The terminology and structure employed herein is for describing, teaching and illuminating some embodiments and their specific features and elements and does not limit, restrict or reduce the spirit and scope of the claims or their equivalents.
More specifically, any terms used herein such as but not limited to "includes," "comprises," "has," "consists," and grammatical variants thereof do NOT specify an exact limitation or restriction and certainly do NOT exclude the possible addition of one or more features or elements, unless otherwise stated, and furthermore must NOT be taken to exclude the possible removal of one or more of the listed features and elements, unless otherwise stated with the limiting language "MUST comprise" or "NEEDS TO include."
Whether or not a certain feature or element was limited to being used only once, either way it may still be referred to as "one or more features" or "one or more elements" or "at least one feature" or "at least one element." Furthermore, the use of the terms "one or more" or "at least one" feature or element do NOT preclude there being none of that feature or element, unless otherwise specified by limiting language such as "there NEEDS to be one or more . . . " or "one or more element is REQUIRED."
Unless otherwise defined, all terms, and especially any technical and/or scientific terms, used herein may be taken to have the same meaning as commonly understood by one having an ordinary skill in the art.
Reference is made herein to some "embodiments." It should be understood that an embodiment is an example of a possible implementation of any features and/or elements presented in the attached claims. Some embodiments have been described for the purpose of illuminating one or more of the potential ways in which the specific features and/or elements of the attached claims fulfil the requirements of uniqueness, utility and non-obviousness.
Use of the phrases and/or terms such as but not limited to "a first embodiment," "a further embodiment," "an alternate embodiment," "one embodiment," "an embodiment," "multiple embodiments," "some embodiments," "other embodiments," "further embodiment", "furthermore embodiment", "additional embodiment" or variants thereof do NOT necessarily refer to the same embodiments. Unless otherwise specified, one or more particular features and/or elements described in connection with one or more embodiments may be found in one embodiment, or may be found in more than one embodiment, or may be found in all embodiments, or may be found in no embodiments. Although one or more features and/or elements may be described herein in the context of only a single embodiment, or alternatively in the context of more than one embodiment, or further alternatively in the context of all embodiments, the features and/or elements may instead be provided separately or in any appropriate combination or not at all. Conversely, any features and/or elements described in the context of separate embodiments may alternatively be realized as existing together in the context of a single embodiment.
Any particular and all details set forth herein are used in the context of some embodiments and therefore should NOT be necessarily taken as limiting factors to the attached claims. The attached claims and their legal equivalents can be realized in the context of embodiments other than the ones used as illustrative examples in the description below.
Figures 1a, 1b, and 1c illustrate an exemplary method (100) for enhancing security of contactless cards, in accordance with an embodiment of present invention. In said embodiment, referring to Figure 1a, the method (100) comprises steps of: receiving (101), in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers; determining (102) an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state; and activating (103) a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects a proximity with the one or more contactless cards during the activated proximity mode. Further, when the operable state is determined as locked state, the method (100) further comprises switching (104) the operable state from the locked state to unlocked state.
Further, the step of activating (103) the proximity mode comprises transmitting (105) a trigger to a contactless module of the mobile device, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
Further, the contactless card is one of a credit card, a debit card, an automated teller machine (ATM) card, a fleet card, a stored-value card, a prepaid card, and a gift card.
Further, the request in the step (101) is received via one of: a web based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
Further, in the locked state of a contactless card, use of the contactless card is prevented and a proximity mode of a mobile device associated with the contactless card is deactivated. Further, in the unlocked state of a contactless card, use of the contactless card is allowed and a proximity mode of a mobile device associated with the contactless card is activated.
Further, the mobile device detects the proximity with the one or more contactless cards periodically during the activated proximity mode. In addition, the method (100) further comprises a step of switching (108) the operable state of the one or more contactless cards to locked state in absence of receiving proximity status information from the mobile device for a consecutive number of occurrences. Referring to Figure 1b, the method (100) further comprises steps of: receiving (106) proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards; and storing (107) the proximity status information in a database.
Further, the proximity status information in step (106) is received from a data transmission module of the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device. In addition, the method (100) further comprises a step of switching (108) the operable state of the one or more contactless cards to locked state when the received proximity status information indicates the mobile device and the contactless card are out of a predefined range for a consecutive number of occurrences. Referring to Figure 1c, the method (100) further comprises steps of: receiving (109) a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards; obtaining (110) proximity status information indicative of a proximity of the contactless card and a mobile device associated with the card; and transmitting (111) an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range.
The method (100) further comprises the step of determining (112) an operable state of the contactless card such that the proximity status information is obtained when the operable state is determined as an unlocked state. Further, in one embodiment, the proximity status information in step (110) is obtained from a database, the database being adapted to store the proximity status information received periodically from the mobile device.
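The enable, periodic-report, automatic-lock and two-step authorization logic of method (100), together with the challenge-response deactivation flow described for Figure 6, modelled as one added example. This is illustrative code written for this page, not the patent's or Comviva's implementation; the card identifiers, MSISDN values, the stored challenge response, the threshold of three consecutive out-of-range or missing reports, and the boolean in-range flag (standing in for the "predefined range" evaluated by the mobile device) are all constructed assumptions.

```python
"""Added example (not the patent's own code): in-memory model of the server-side
state machine in Figures 1a-1c and the Figure 6 deactivation flow.
All identifiers, secrets and the threshold below are constructed assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCKED = "locked"
UNLOCKED = "unlocked"


@dataclass
class CardRecord:
    """One row of the database 205: a contactless card associated with an account."""
    mobile_msisdn: str                    # identifies the associated mobile device
    stored_response: str                  # expected answer to the challenge (Figure 6)
    operable_state: str = LOCKED          # cards start locked until the user enables them
    proximity_mode_active: bool = False
    last_in_range: Optional[bool] = None  # last periodic report; None = nothing received
    consecutive_failures: int = 0         # out-of-range or missing reports in a row


class ProximityServer:
    def __init__(self, max_consecutive: int = 3) -> None:
        self.max_consecutive = max_consecutive    # assumed threshold, not from the patent
        self.cards: Dict[str, CardRecord] = {}
        # Stand-ins for triggers sent to the contactless module and alerts to the user.
        self.triggers: List[Tuple[str, str]] = []
        self.alerts: List[Tuple[str, str]] = []

    def associate(self, card_id: str, msisdn: str, stored_response: str) -> None:
        self.cards[card_id] = CardRecord(msisdn, stored_response)

    def enable_card(self, card_id: str) -> str:
        """Steps 101-105: on an enable request, a locked card is unlocked and the
        mobile device is triggered to activate its proximity mode."""
        rec = self.cards[card_id]
        if rec.operable_state == UNLOCKED:
            return "already_unlocked"
        rec.operable_state = UNLOCKED
        rec.proximity_mode_active = True
        rec.consecutive_failures = 0
        rec.last_in_range = None
        self.triggers.append((rec.mobile_msisdn, "activate_proximity_mode"))
        return "activated"

    def receive_status(self, card_id: str, in_range: Optional[bool]) -> str:
        """Steps 106-108: store a periodic report (None models a missed report) and
        lock the card after max_consecutive out-of-range or missing reports."""
        rec = self.cards[card_id]
        if rec.operable_state == LOCKED:
            return LOCKED
        rec.last_in_range = in_range
        if in_range is True:
            rec.consecutive_failures = 0
        else:
            rec.consecutive_failures += 1
            if rec.consecutive_failures >= self.max_consecutive:
                self._lock(rec)
        return rec.operable_state

    def authorize(self, card_id: str) -> str:
        """Steps 109-112, two-step check: a locked card is denied outright; an
        unlocked card is denied (with an alert) unless the last report was in range."""
        rec = self.cards[card_id]
        if rec.operable_state == LOCKED:
            return "denied:locked"
        if rec.last_in_range is not True:
            self.alerts.append((rec.mobile_msisdn, f"transaction attempted while {card_id} out of range"))
            return "denied:out_of_range"
        return "allowed"

    def disable_card(self, card_id: str, response: str) -> str:
        """Figure 6 flow: validate the challenge response, then deactivate proximity
        mode and switch the card to locked state."""
        rec = self.cards[card_id]
        if rec.operable_state == LOCKED:
            return "already_locked"
        # Constant-time comparison so the match does not leak timing information.
        if not hmac.compare_digest(response.encode(), rec.stored_response.encode()):
            return "failure:resend_request"
        self._lock(rec)
        return "success"

    def _lock(self, rec: CardRecord) -> None:
        rec.operable_state = LOCKED
        rec.proximity_mode_active = False
        self.triggers.append((rec.mobile_msisdn, "deactivate_proximity_mode"))


def run_scenario() -> List[str]:
    """Walk one constructed card through enable, reports, authorization and auto-lock."""
    srv = ProximityServer(max_consecutive=3)
    srv.associate("card-1", "+00-000-0000", "constructed-secret")
    out = [srv.authorize("card-1")]                  # first-step check fails: locked
    out.append(srv.enable_card("card-1"))            # unlocked, proximity mode triggered
    srv.receive_status("card-1", True)
    out.append(srv.authorize("card-1"))              # both steps pass
    srv.receive_status("card-1", False)              # failure 1
    out.append(srv.authorize("card-1"))              # second-step check fails, alert sent
    srv.receive_status("card-1", None)               # failure 2 (missed report)
    out.append(srv.receive_status("card-1", False))  # failure 3: card auto-locked
    out.append(srv.authorize("card-1"))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

A missed report and an out-of-range report are counted the same way, which is what lets the server lock a card whose paired phone has been switched off, as in the travel scenarios listed in the summary.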
Further, in one embodiment, the proximity status information in step (110) is obtained from the mobile device via a data communication mode of the mobile device. Further, in one embodiment, the proximity status information in step (110) is obtained from the mobile device via a non-data communication mode of the mobile device. In an example, the proximity status information is obtained from the mobile device via one of a short message service (SMS) message and an Unstructured Supplementary Service Data (USSD) message.
Figure 2 illustrates an exemplary server 200 for enhancing security of a contactless card, in accordance with an embodiment of present invention. As would be understood, the server 200 is capable of implementing the methods as described with reference to preceding Figures 1a, 1b, and 1c.
In said embodiment, the server 200 comprises a request receiving unit 201 to receive, in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers. The receiving unit 201 is adapted to receive the request via one of: a web-based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR). In addition, the request receiving unit 201 is adapted to receive one or more further inputs from the user.
Further, the server 200 comprises a processor 202 and an analysis unit 203. The processor 202 is adapted to determine an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state. Further, the analysis unit 203 is adapted to activate a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects proximity with the one or more contactless cards during the activated proximity mode. To activate the proximity mode, the analysis unit 203 is further adapted to transmit a trigger to a contactless module of the mobile device, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
Furthermore, when the operable state is determined as locked state, the analysis unit 203 is adapted to switch the operable state from the locked state to unlocked state. Further, during a locked state of a contactless card, the analysis unit 203 is adapted to prevent a use of the contactless card and deactivate a proximity mode of the contactless card. Furthermore, during an unlocked state of a contactless card, the analysis unit 203 is adapted to allow a use of the contactless card and activate a proximity mode of the contactless card.
In said embodiment, the server 200 further comprises an information receiving unit 204. The information receiving unit 204 is adapted to receive proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards. As such, the information receiving unit 204 receives the proximity status information from a data transmission module of the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device. The information receiving unit 204 is further adapted to store the proximity status information in a database 205 coupled to the server. In an example, the database 205 is external to the server 200, as shown in the figure. In another example, the database 205 is integrated within the server 200. In said embodiment, the analysis unit 203 is further adapted to determine if the received proximity status information is indicative of the mobile device and the contactless card being out of a predefined range for a consecutive number of occurrences. Thereupon, the analysis unit 203 is adapted to switch the operable state of the one or more contactless cards to locked state in accordance with the determination.
In said embodiment, the analysis unit 203 is further adapted to determine non-receipt of proximity status information from the mobile device for a consecutive number of occurrences. Thereupon, the analysis unit 203 is adapted to switch the operable state of the one or more contactless cards to locked state in accordance with the determination.
In said embodiment, the server 200 further comprises an authorizing unit 206. The authorizing unit 206 is adapted to receive a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards. The authorizing unit 206 is further adapted to obtain proximity status information indicative of proximity of the contactless card and a mobile device associated with the card; and to transmit an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range. Further, the authorizing unit 206 is adapted to determine the operable state of the contactless card, such that proximity status information is obtained when the operable state is determined as an unlocked state.
Further, in one embodiment, the authorizing unit 206 is adapted to obtain the proximity status information from the database 205 that is adapted to store the proximity status information received periodically from the mobile device.
Further, in one embodiment, the authorizing unit 206 is adapted to obtain the proximity status information from the mobile device via a data communication mode of the mobile device.
Further, in one embodiment, the authorizing unit 206 is adapted to obtain the proximity status information from the mobile device via a non-data communication mode of the mobile device. In an example, the proximity status information is obtained from the mobile device via one of a short message service (SMS) message and an Unstructured Supplementary Service Data (USSD) message. It would be understood that the processor 202 may include software components to perform the necessary functions. Further, the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may be implemented using hardware components or software components or a combination of both. In one embodiment, the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may form a single unit/module. In another embodiment, the processor 202, the analysis unit 203, the information receiving unit 204, and the authorizing unit 206 may form a single unit/module.
In said embodiment, the server 200 may further include a message generating unit 207 adapted to generate the message and a message transmitting unit 208 adapted to transmit the generated message. Additionally, the server 200 may include a memory 209 adapted to store the outputs of each of the previously mentioned units. In addition, the server 200 may include a bus system (not shown in the figure) for enabling communication between the various units, communication interface (not shown in the figure), and network interface unit (not shown in the figure). Further, it would be understood that in one embodiment the above-mentioned functions of various units can be performed by a single unit.
Although specific hardware components have been depicted in reference to the server 200, it is to be understood that the server 200 and the various components therein may include other hardware components and/or software components as known in the art for performing necessary functions.
Figures 3a & 3b illustrate an exemplary network environment that implements the server 200 to enhance security of a contactless card and Figures 4-6 schematically illustrate various operations of the server 200 thereof, in accordance with an embodiment of present invention. Referring to Figure 3a, the network environment 300 includes one or more computing devices 301-1, 301-2, ... 301-N (hereinafter referred to as computing device 301 indicating one computing device and computing devices 301 indicating a plurality of computing devices). Examples of the computing device 301 include the desktop, notebook, tablet, smart phone, and laptop. The server 200 is coupled to the computing devices 301 over a network 302. Examples of the network 302 include a wireless network, a wired network, and a cloud based network. Although only one server 200 is shown in the figure, it is to be understood that multiple servers 200 can be coupled with multiple computing devices 301. Further, the network environment 300 includes a plurality of issuer systems 303-1, 303-2, ... 303-N (hereinafter referred to as issuer system 303 indicating one issuer system and issuer systems 303 indicating a plurality of issuer systems) corresponding to a plurality of issuers such as banks and merchants. The issuers, among various other services, issue one or more contactless cards to a user for conducting financial transactions such as purchase transactions and banking transactions. Examples of the issuer systems 303 include systems employed by banks and merchants. The issuer systems 303 are coupled with the server 200 over the network 302. In an example, the issuer systems 303 are registered with the server 200. Furthermore, the network environment 300 includes a plurality of point of transaction (POT) systems 304-1, 304-2, ... 304-N (hereinafter referred to as POT system 304 indicating one POT system and POT systems 304 indicating a plurality of POT systems). The POT system 304 enables the user to perform financial transactions using the one or more contactless cards issued to the user by the issuers. Examples of the POT system 304 include point of sale (POS) systems, automated teller machines (ATMs), and web-based applications and mobile-based applications, such as banking applications and shopping applications, where the user engages in a financial transaction. The POT systems 304 are coupled with the issuer systems 303 over the network 302. Further, the POT systems 304 may be coupled with other systems (not shown in the figure) such as inventory systems, catalogue systems, customer relationship management (CRM) systems, and bill processing systems, as well as third party systems over the network 302.
Referring to Figure 3b, the server 200 provides various services to users for managing their financial instruments such as contactless cards. Examples of the contactless cards include a credit card, a debit card, an automated teller machine (ATM) card, a fleet card, a stored-value card, a prepaid card, and a gift card. One such service includes enhancing security of the contactless cards. Accordingly, a user accesses the server 200 through the computing device 301 over the network 302 and creates an account 305 with the server 200. The creation of such an account 305 is similar to methods known in the art. In an example, the user accesses a web-based application or a mobile-based application hosted by the server 200 on the computing device 301 and creates the account 305. The account 305 includes details of the user such as name and address. The server 200 stores the details of the account 305 and the associated details of the user in the database 205. Further, the user associates one or more contactless cards 306-1, 306-2 ... 306-N (hereinafter referred to as contactless card 306 indicating one contactless card and contactless cards 306 indicating a plurality of contactless cards) with the account 305 through the computing device 301. It would be understood that the associated contactless cards 306 might be issued to the user by one issuer or by multiple issuers. In one example, the user accesses the account 305 using a web-based application or mobile-based application provided by the issuer. In another example, the user accesses the account 305 using a web-based application or mobile-based application provided by the server 200. The association of the one or more contactless cards 306 may include providing details of the associated contactless card 306 and the corresponding issuer issuing the associated contactless card 306. Thereafter the association is performed as known in the art. In an example, the association includes mapping the details of the associated contactless card 306 with the corresponding issuer and storing the mapped data in the database 205.
Furthermore, the contactless card 306 includes a secure element 307 embedded within the contactless card 306. The secure element 307 is adapted to use short-range wireless communication for secure data communication. Examples of the short-range wireless communication include, but are not limited to, Wireless Fidelity (Wi-Fi), Near Field Communication (NFC), Bluetooth, Bluetooth Low Energy (BLE), Zigbee, Wi-Fi Direct (WFD), and Ultra Wideband (UWB). The secure element 307 includes various components (not shown in the figure) such as a power supply module, a short-range wireless communication module, a memory module, a processing unit, and a communication bus system. The memory module stores details of the contactless card 306 such as account number, user identification details, user verification number, account balance information, and transaction record information. In an example, the short-range wireless communication module is an NFC sensor, which may further include a transceiver module and an antenna module. The short-range wireless communication sensor enables communication of such data when the contactless card 306 is in proximity with short-range wireless communication enabled devices.
Further, each of the contactless cards 306 is associated with a mobile device 308-1, 308-2 ... 308-N (hereinafter referred to as mobile device 308 indicating one mobile device and mobile devices 308 indicating a plurality of mobile devices). As would be understood, the mobile device 308 is associated with the contactless card 306 through a mobile subscriber identification number (MSIDN) of the mobile device 308. In one example, each of the contactless cards 306 is associated with a single mobile device 308. In another example, each of the contactless cards 306 is associated with different mobile devices 308.
In said embodiment, the mobile device 308 is a short-range wireless communication enabled mobile device. Examples of the short-range wireless communication include, but are not limited to, Wireless Fidelity (Wi-Fi), Near Field Communication (NFC), Bluetooth, Bluetooth Low Energy (BLE), Zigbee, Wi-Fi Direct (WFD), and Ultra Wideband (UWB). Accordingly, the mobile device 308 includes a contactless module 309, which is adapted to use short-range wireless communication protocols for secure data communication. In one example, the contactless module 309 is pre-installed in the mobile device 308 by a manufacturer of the mobile device 308 or a network service provider. In another example, the contactless module 309 is downloaded onto the mobile device 308 from the server 200. In a further example, the contactless module 309 is integrated with a mobile-based application provided by the server 200. In yet another example, the contactless module 309 is separate from the mobile-based application provided by the server 200.
Further, in said embodiment, the contactless module 309 is adapted to communicate with the secure element 307 of the contactless card 306 over short-range radio waves 310 and to detect proximity with the contactless card 306. The communication with the secure element 307 is enabled when the contactless card 306 and the mobile device 308 are within a predefined range. Furthermore, the contactless module 309 is adapted to communicate with the server 200 via a communication mode 311. Examples of the communication mode 311 include a data communication mode and a non-data communication mode. In said embodiment, the contactless module 309 communicates proximity status information to the server 200 when the server 200 activates a proximity mode of the mobile device 308. The proximity mode of the mobile device 308 is activated by sending a trigger to the contactless module 309. When the proximity mode is activated, the contactless module 309 detects proximity of the contactless card 306 with the mobile device 308. More specifically, the contactless module 309 detects proximity of the secure element 307 of the contactless card 306 with the contactless module 309. Thus, the proximity status information is indicative of the detected proximity of the contactless card 306 with the mobile device 308.
Further, in said embodiment, the server 200 stores the details of the associated contactless cards 306 along with the mobile device 308 in the database 205 such that the account 305 is mapped with each of the contactless cards 306 and the mobile device 308. In an example, a flag is set to indicate the association of the contactless card 306 with the account 305. In addition, the server 200 shares association details with the issuer systems 303 of the corresponding issuers. The association details indicate that the server 200 will perform authentication of the associated contactless cards 306. In the example above, the server 200 shares information regarding the setting of the flag for each of the associated contactless cards 306 with the issuer systems 303 of the corresponding issuer of the associated contactless card 306. The issuer systems 303 save the association details in a database (not shown in the figure). In an example, the issuer system 303 saves a list of associated contactless cards 306 along with the flag details in the database. Thus, upon receiving information of a transaction using the associated contactless card 306, the issuer system 303 sends a validation request to the server 200 based on the association details, as will be described in subsequent Figures and paragraphs.
In addition, in one embodiment, the user may specify cash limit value/credit limit value for one or more of the associated contactless cards 306. As would be understood, the user may also specify cash limit value/credit limit value for the one or more of the associated contactless cards 306 at the corresponding issuer system 303.
Furthermore, the server 200 sets an operable state for each of the associated contactless cards 306 and saves the operable state in the database 205. The operable state can be either an unlocked state or a locked state. In accordance with the present embodiment, when the operable state of the contactless card 306 is a locked state, the server 200 prevents a transaction using the contactless card 306 and deactivates a proximity mode of the mobile device associated with the contactless card 306. Conversely, when the operable state of the contactless card 306 is an unlocked state, the server 200 allows a transaction using the contactless card 306 and activates a proximity mode of the mobile device associated with the contactless card 306.
In one embodiment, the server 200 sets the operable state as locked state by default for each of the associated contactless cards 306. In another embodiment, the server 200 sets the operable state as unlocked state by default for each of the associated contactless cards 306. In yet another embodiment, the server 200 sets the operable state either as locked state or unlocked state upon receiving a request from the user for the one or more associated contactless cards 306. In such an embodiment, the user selects an option pertaining to the setting of locked state or unlocked state. In one example, the user selects the option through the web-based application or the mobile-based application on the computing device 301.
Figure 4 illustrates the operations performed by the server 200 to enhance the security of the associated contactless cards 306, in accordance with an embodiment of the present invention.
Referring to Figures 2 and 3 along with Figure 4, at step 401 the user sends a request to the server 200. The request pertains to enabling the one or more associated contactless cards 306. In said embodiment, the enabling request is indicative of activating the proximity mode of the mobile device 308 associated with the contactless card 306. As described earlier, when the proximity mode of the mobile device 308 is activated, the mobile device 308 detects proximity with the contactless card 306. The user sends the request through one of the following methods: a web-based application, a mobile-based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR). In one example, the user sends the request from the computing device 301. In another example, the user sends the request from the mobile device 308 associated with the contactless card 306.
As such, the request includes an identifier indicative of the activation of the proximity mode. The request further includes details of the account 305 and/or details of the associated contactless card 306. In one embodiment, the request pertains to one associated contactless card 306. In such an embodiment, the user sends separate requests for each of the associated contactless cards 306 as required. Each such request includes details of the account 305 and details of the associated contactless card 306. In another embodiment, the request pertains to all of the associated contactless cards 306. In such an embodiment, the user sends one such request. In an example, such a request includes only the details of the account 305.
At step 402, the receiving unit 201 of the server 200 receives the request from the computing device 301 or the mobile device 308. Upon receiving the request, the processor 202 determines an operable state of the contactless card 306 mentioned in the request from the database 205. If the operable state is determined as locked state, the analysis unit 203 switches the operable state to unlocked state. Upon switching of the operable state, the message generating unit 207 generates a challenge message for the user, as known in the art. Examples of the challenge message include a one-time password (OTP) and a captcha message. In addition, the message generating unit 207 may generate a response message and store it in the memory 209. In an example, the response message is the same as the challenge message. Additionally, the analysis unit 203 saves the switched operable state as the current operable state for the contactless card 306 in the database 205. On the contrary, if the operable state is determined as unlocked state, the message generating unit 207 generates a message indicative of the activated proximity mode and the unlocked state of the contactless card 306.
At step 403, the message transmitting unit 208 of the server 200 transmits the challenge message to the user. In one example, the message transmitting unit 208 transmits the challenge message to the computing device 301. In another example, the message transmitting unit 208 transmits the challenge message to the mobile device 308 associated with the contactless card 306. In a further example, the message transmitting unit 208 transmits the challenge message to the same device that sent the request. In yet another example, the message transmitting unit 208 transmits the challenge message to a device different from the device that sent the request.
At step 404, the request receiving unit 201 receives a response message from the user in response to the challenge message.
At step 405, the processor 202 validates the received response message by matching the received response message with the stored response message. At step 406, the analysis unit 203 activates the proximity mode of the mobile device 308, if a positive match is obtained at step 405. As described earlier, when the proximity mode of the mobile device 308 is activated, the mobile device 308 detects proximity with the contactless card 306. Accordingly, the analysis unit 203 sends a trigger to the contactless module 309 of the mobile device 308 to activate the proximity mode of the mobile device 308.
At step 407, upon receiving the trigger, the contactless module 309 pings the secure element 307 of the contactless card 306 periodically and determines proximity with the secure element 307 of the contactless card 306. The contactless module 309 then transmits the proximity status information to the server 200 periodically. The contactless module 309 may transmit the proximity status information via the data communication mode or the non-data communication mode. In an example, the contactless module 309 sends the proximity status information in the form of messages such as short message service (SMS) messages and unstructured supplementary service data (USSD) messages via the non-data communication mode.
Consequently, the information receiving unit 204 of the server 200 receives the proximity status information sent periodically by the mobile device 308 and stores the proximity status information in the database 205. Further, the analysis unit 203 determines if the received proximity status information is indicative of the mobile device 308 and the contactless card 306 being out of a predefined range for a consecutive number of occurrences. In an example, the predefined range is a few meters. In an example, the consecutive number of occurrences is predefined as three. Upon such determination, the analysis unit 203 switches the operable state of the contactless card 306 to locked state and transmits an alert message to the mobile device 308. In an example, the alert message instructs the user to resend the request to enable the contactless card 306. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308. Furthermore, the authorizing unit 206 prevents a transaction using the contactless card 306 from completion at an instance when the received proximity status information indicates the mobile device 308 and the contactless card 306 are out of the predefined range. The same shall be explained in detail with reference to further figures.
For example, the below table illustrates the proximity status information received periodically from the mobile device 308.
(Table: proximity status information received periodically from the mobile device 308 at time instances T1 to T8; the table image imgf000020_0001 is not reproduced in this text.)
From the above table and in accordance with an embodiment, the analysis unit 203 will not switch the operable state to locked state at time instances T2 and T4. However, the analysis unit 203 will switch the operable state to locked state at time instance T8, since the proximity status information indicates far proximity, i.e. the mobile device 308 and the contactless card 306 being out of the predefined range, for 3 consecutive occurrences. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state. Further, in accordance with the above table, the authorizing unit 206 prevents a transaction using the contactless card 306 at time instances T2, T4, T6, T7 and T8. Thus, the authorizing unit 206 prevents a transaction at any instance when the contactless card 306 is in far proximity with the mobile device 308.
Furthermore, when the information receiving unit 204 of the server 200 does not receive the periodic proximity status information from the mobile device 308 for a consecutive number of occurrences, the analysis unit 203 switches the operable state of the contactless card 306 to locked state. In an example, the predefined range is a few meters. In an example, the consecutive number of occurrences is predefined as three. Additionally, the analysis unit 203 transmits an alert message to the mobile device 308. In an example, the alert message instructs the user to resend the request to enable the contactless card 306. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308. Furthermore, the authorizing unit 206 prevents a transaction using the contactless card 306 from completion at an instance when the proximity status information is not received. The same shall be explained in detail with reference to further figures.
For example, the below table illustrates the proximity status information received periodically from the mobile device 308.
(Table: proximity status information received periodically from the mobile device 308 at time instances T1 to T8, with some instances not received; the table image imgf000021_0001 is not reproduced in this text.)
From the above table and in accordance with an embodiment, the analysis unit 203 will not switch the operable state to locked state at time instances T2 and T4. However, the analysis unit 203 will switch the operable state to locked state at time instance T8, since the proximity status information is not received from the mobile device 308 for 3 consecutive occurrences. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state.
Further, in accordance with the above table, the authorizing unit 206 prevents a transaction using the contactless card 306 at time instances T2, T4, T6, T7 and T8. Thus, the authorizing unit 206 prevents a transaction at any instance when the proximity status information is not received.
Further, in one embodiment of the invention, the analysis unit 203 monitors the non-receipt of the proximity status information and far proximity at each time instance. Accordingly, if the proximity status information is not received or if the received proximity status information is indicative of far proximity, for a consecutive number of occurrences, then the analysis unit 203 switches the operable state of the contactless card 306 to locked state. In an example, the consecutive number of occurrences is predefined as three. Additionally, the analysis unit 203 transmits an alert message to the mobile device 308. In an example, the alert message instructs the user to resend the request to enable the contactless card 306. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308.
For example, the below table illustrates the proximity status information received periodically from the mobile device 308.
(Table: proximity status information received periodically from the mobile device 308 at time instances T1 to T4, mixing far proximity and instances not received; the table image imgf000022_0001 is not reproduced in this text.)
From the above table and in accordance with an embodiment, the analysis unit 203 will not switch the operable state to locked state at time instance T3. However, the analysis unit 203 will switch the operable state to locked state at time instance T4, since the proximity status information is not received from the mobile device 308 at time instances T2 and T4 and the received proximity status information indicates far proximity at time instance T3. Thus, the analysis unit 203 monitored the proximity status information and the non-receipt of the proximity status information for 3 consecutive occurrences and switched the operable state to locked state. Accordingly, the message generating unit 207 generates the alert message and the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the analysis unit 203 deactivates the proximity mode of the mobile device 308 upon switching the operable state to locked state. Thus, the switching of the operable state to locked state in the various scenarios explained above provides enhanced security for the contactless card 306.
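The lock decision of the analysis unit 203 for the three embodiments above, written out as an added Python illustration (this is not code from the application). Each periodic report is "near", "far" or None (no proximity status information received in that period); the three policies count only far reports, only missing reports, or either; the threshold of three consecutive occurrences is the page's example. The sample sequences are constructed to match the text's description of the three tables and are not the tables themselves; the function and policy names are assumptions.

```python
"""Lock decision of the analysis unit 203 over periodic proximity reports.

Added illustration, not the applicant's code. Names, the report encoding
and the sample sequences are assumptions made for this example.
"""
from typing import List, Optional

NEAR, FAR = "near", "far"                       # None = status not received
COUNT_FAR, COUNT_MISSING, COUNT_EITHER = "far", "missing", "either"
THRESHOLD = 3                                   # the page's example value

# Constructed sequences matching the text's description of the three tables
FAR_TABLE = [NEAR, FAR, NEAR, FAR, NEAR, FAR, FAR, FAR]            # first table
MISSING_TABLE = [NEAR, None, NEAR, None, NEAR, None, None, None]   # second table
MIXED_TABLE = [NEAR, None, FAR, None]                              # third table


def counts_toward_lock(report: Optional[str], policy: str) -> bool:
    """Does this period's report extend the consecutive-occurrence streak?"""
    if policy == COUNT_FAR:
        return report == FAR
    if policy == COUNT_MISSING:
        return report is None
    if policy == COUNT_EITHER:
        return report is None or report == FAR
    raise ValueError("unknown policy: " + policy)


def monitor(reports: List[Optional[str]], policy: str,
            threshold: int = THRESHOLD) -> dict:
    """Replay reports T1, T2, ... and return the instance at which the card is
    switched to locked state (None if never) and the instances at which the
    authorizing unit 206 would prevent a transaction."""
    streak = 0
    prevented = []
    locked_at = None
    alert = None
    for n, report in enumerate(reports, start=1):
        instance = "T%d" % n
        # Authorizing unit 206: a transaction is prevented at any instance whose
        # latest report is not "near" (far proximity, or nothing received)
        if report != NEAR:
            prevented.append(instance)
        streak = streak + 1 if counts_toward_lock(report, policy) else 0
        if streak >= threshold:
            locked_at = instance            # operable state switched to locked
            alert = "card locked; resend the request to enable it"
            break                           # proximity mode deactivated: no more reports
    return {"locked_at": locked_at, "prevented": prevented, "alert": alert}


if __name__ == "__main__":
    for name, seq, policy in (("far-only", FAR_TABLE, COUNT_FAR),
                              ("missing-only", MISSING_TABLE, COUNT_MISSING),
                              ("mixed", MIXED_TABLE, COUNT_EITHER)):
        print(name, monitor(seq, policy))
```

Note that a streak is reset by every "near" report, so alternating far/near reports (T2, T4, T6 in the first table) never lock the card even though each far instance on its own already prevents a transaction; the lock is a separate, slower decision from the per-instance authorization.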
At step 408, the message generating unit 207 generates a success message indicative of the positive match at step 405. In an example, the success message indicates successful activation of the proximity mode of the mobile device 308 or enabling of the contactless card 306. The message transmitting unit 208 then transmits the success message to the user. In an example, the message transmitting unit 208 transmits the success message to the computing device 301. In another example, the message transmitting unit 208 transmits the success message to the mobile device 308.
On the contrary, if a match is not obtained at step 405, the message generating unit 207 generates a failure message. In an example, the failure message indicates unsuccessful activation of the proximity mode or enabling of the contactless card 306. The failure message further instructs the user to resend the request for enabling. Further, the analysis unit 203 switches the operable state from unlocked state to locked state. Additionally, the analysis unit 203 saves the switched operable state as the current operable state for the contactless card 306 in the database 205.
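The enable procedure of steps 401 to 408 above (state switched to unlocked, challenge issued, response matched, proximity mode activated, or state reverted to locked on a mismatch), as an added Python illustration that is not code from the application. Database 205 is a dict, the challenge is the page's OTP example with the response equal to the challenge, and the class names, the six-digit length, the validity window and the single-use handling are assumptions.

```python
"""Enable request with challenge/response, steps 401 to 408.

Added illustration, not the applicant's code: an in-memory stand-in for
server 200. Names, the OTP length and the validity window are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

LOCKED, UNLOCKED = "locked", "unlocked"
OTP_DIGITS = 6            # assumed challenge length
OTP_TTL_SECONDS = 120     # assumed validity window for a challenge


@dataclass
class CardRecord:
    account_id: str
    msisdn: str                            # mobile device 308 associated with the card
    operable_state: str = LOCKED           # locked by default (first embodiment)
    proximity_mode: bool = False           # True once the trigger is sent to module 309
    pending_challenge: Optional[str] = None
    challenge_issued_at: float = 0.0


class EnableServer:
    """Steps 402 to 408: switch state, challenge the user, activate proximity mode."""

    def __init__(self, clock=time.monotonic):
        self.db = {}                  # database 205: card id -> CardRecord
        self.clock = clock            # injectable so expiry can be exercised offline
        self.outbox = []              # (destination MSISDN, text) sent by unit 208

    def register_card(self, card_id, account_id, msisdn):
        self.db[card_id] = CardRecord(account_id, msisdn)

    def handle_enable_request(self, card_id, account_id):
        """Steps 402 and 403: unlock the card and send a challenge; returns the OTP."""
        card = self.db[card_id]
        if card.account_id != account_id:
            raise PermissionError("card is not associated with this account")
        if card.operable_state == UNLOCKED and card.proximity_mode:
            # Already enabled: report that instead of issuing a new challenge
            self.outbox.append((card.msisdn, "proximity mode already active"))
            return None
        card.operable_state = UNLOCKED
        # The stored response equals the challenge (the page's example); the
        # digits come from a CSPRNG, never from the random module
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        card.pending_challenge = otp
        card.challenge_issued_at = self.clock()
        self.outbox.append((card.msisdn, "OTP " + otp))
        return otp

    def handle_challenge_response(self, card_id, response):
        """Steps 404 to 408: validate the response; on mismatch revert to locked."""
        card = self.db[card_id]
        expected = card.pending_challenge
        card.pending_challenge = None                  # a challenge is single use
        fresh = (expected is not None
                 and self.clock() - card.challenge_issued_at <= OTP_TTL_SECONDS)
        # Constant-time comparison so timing does not leak which digits matched
        ok = fresh and hmac.compare_digest(expected.encode(), str(response).encode())
        if ok:
            card.proximity_mode = True                 # trigger to contactless module 309
            self.outbox.append((card.msisdn, "proximity mode activated; card enabled"))
        else:
            card.operable_state = LOCKED               # failure path of step 408
            card.proximity_mode = False
            self.outbox.append((card.msisdn, "enable failed; resend the request"))
        return ok
```

Because step 402 unlocks the card before the challenge is answered, the window between steps 403 and 405 is one in which the card is unlocked but the proximity mode is not yet active; keeping that window short (the validity window above) and reverting to locked on any failed or expired response, as step 408 describes, is what bounds it.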
Figures 5a to 5c illustrate the operations performed by the server 200 during a transaction initiated by the associated contactless card 306, in accordance with an embodiment of the present invention.
Referring to Figures 2 and 3, along with Figure 5a, at step 501, the POT system 304 transmits a validation request to the issuer system 303 when a financial transaction is initiated using a contactless card by the user. Examples of the transaction include a banking transaction at an ATM, a purchase transaction at a POS system, an e-commerce purchase on a web-based application or mobile-based application, and a banking transaction on a web-based application or mobile-based application. The validation request includes authentication credentials of the POT system 304, transaction information, card identifier data indicating details about the contactless card, and location information in respect of the transaction. In an example, in the case of a POS system and an ATM, the location information is the geographic location of the POS system and the ATM. In another example, in the case of the web-based application or mobile-based application, the location information is the geographic location of the computing device 301 which accesses the web-based application or mobile-based application. In addition to the validation request, the POT system 304 may also transmit authentication credentials such as a PIN and password associated with the contactless card and known only to the user.
At step 502, upon receiving the validation request, the issuer system 303 determines if the contactless card is one of the associated contactless cards 306. In an example, the issuer system 303 retrieves the list of associated contactless cards 306 along with flag details from a database and determines if the contactless card is one of the associated contactless cards 306 based on the flag details. If the flag is set, the contactless card is determined as the associated contactless card 306 for which the server 200 performs the authentication. Thereafter, the issuer system 303 forwards the validation request to the server 200. On the contrary, if the flag is not set, the contactless card is determined as not being one of the associated contactless cards 306. Consequently, the issuer system 303 will not send the validation request to the server 200. Thereafter, the issuer system 303 performs validation of the contactless card in a manner as known in the art. In an example, the issuer system 303 validates the authentication credentials received along with the validation request.
At step 503, upon receiving the validation request, the authorizing unit 206 obtains a current operable state of the contactless card from the database 205 corresponding to the time of the transaction.
At step 504, the authorizing unit 206 determines if the current operable state is "locked state". If the current operable state is determined as "locked state", the authorizing unit 206 prevents the transaction. Accordingly, the message generating unit 207 generates a failure message indicative of the "locked state" of the contactless card. In addition to the failure message, the message generating unit 207 generates an alert message for the user. The alert message indicates details about the transaction and "locked state" of the contactless card in respect of the transaction.
Further, in one embodiment, upon determining "locked state" of the contactless card for a predetermined number of successive transactions, the authorizing unit 206 blocks further transactions using the contactless card. Accordingly, the message generating unit 207 generates a blocked message. At step 505, the message transmitting unit 208 of the server 200 transmits the failure message to the issuer system 303. At step 506, the message transmitting unit 208 transmits the alert message to the mobile device 308. Further, the message transmitting unit 208 transmits the blocked message to the user after the predetermined number of unsuccessful transactions. In an example, the message transmitting unit 208 transmits the alert message to the mobile device 308.
At step 507, upon receiving the failure message, the issuer system 303 prevents the processing of the transaction. In examples, the banking transaction at an ATM, the purchase transaction at a POS system, the e-commerce purchase on a web-based application or mobile-based application, and the banking transaction on a web-based application or mobile-based application are prevented from completion. Upon preventing the transaction, the issuer system 303 transmits a transaction unsuccessful message to the POT system 304. Upon receiving the transaction unsuccessful message, the POT system 304 may display an appropriate message on a display unit (not shown in the figure) of the POT system 304.
Further, in one embodiment, upon receiving the failure message for a predetermined number of successive transactions initiated by using the contactless card, the issuer system 303 blocks further transactions using the contactless card in a manner as known in the art. Accordingly, the issuer system 303 transmits a blocked message to the user as known in the art. In an example, the issuer system 303 transmits the blocked message to the mobile device 308. In another example, the issuer system 303 transmits the blocked message to the computing device 301.
At step 508, the issuer system 303 transmits a transaction unsuccessful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction unsuccessful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction unsuccessful message to the computing device 301. However, if at step 504, the current operable state of the contactless card is determined as "unlocked state", then the process flows to step 509 in Figure 5b.
Referring to Figures 2 and 3, along with Figure 5b, at step 509, the authorizing unit 206 obtains current proximity status information of the contactless card corresponding to the time of the transaction. Accordingly, in one embodiment, the authorizing unit 206 may obtain the current proximity status information from the mobile device 308 associated with the contactless card at the time of transaction. Thus, at step 509-1, the authorizing unit 206 may obtain the current proximity status information from the mobile device 308 associated with the contactless card. As such, the authorizing unit 206 may transmit a request to the contactless module 309 for current proximity status information. The authorizing unit 206 may send the request over a data communication mode when the data communication mode of the mobile device 308 is enabled. The authorizing unit 206 may send the request over a non-data communication mode when the data communication mode of the mobile device 308 is disabled.
Upon receiving the request for current proximity status information from the server 200, the contactless module 309 in the mobile device 308 detects current proximity with the contactless card and transmits the current proximity status information to the server 200. The contactless module 309 may transmit the current proximity status information over the data communication mode when the data communication mode of the mobile device 308 is enabled. The contactless module 309 may transmit the current proximity status information over the non-data communication mode when the data communication mode of the mobile device 308 is disabled.
In another embodiment, at step 509-2, the authorizing unit 206 may obtain the current proximity status information from the database 205. As such, the authorizing unit 206 obtains the latest proximity status information received from the mobile device 308 prior to the transaction or at the time of transaction and stored in the database 205. In one another embodiment, the authorizing unit 206 may obtain the current proximity status information corresponding to the time of transaction simultaneously from the database 205 and the mobile device 308.
Accordingly, the authorizing unit 206 may dynamically select a source of obtaining the current proximity status information based on predefined rules. The source can be the mobile device 308, the database 205, or both, as described above.
At step 510, the authorizing unit 206 of the server 200 determines if the contactless card and the mobile device 308 are within the predefined range based on the current proximity status information.
Upon determining the contactless card and the mobile device 308 are within the predefined range, at step 511, the server 200 transmits a success message to the issuer system 303. Accordingly, the message generating unit 207 generates a success message indicative of near proximity with the mobile device 308 and the message transmitting unit 208 transmits the success message to the issuer system 303.
In addition, in one embodiment, the authorizing unit 206 also compares the value of the transaction with the cash limit value/credit limit value specified by the user in the account 305. Based on the comparison, the message generating unit 207 generates a transaction value message. In an example, the transaction value message indicates that the value of the transaction is above the specified cash limit value/credit limit value. In another example, the transaction value message indicates that the value of the transaction is below the specified cash limit value/credit limit value. In a further example, the transaction value message is included in the success message. In yet another example, the transaction value message is separate from the success message.
At step 512, upon receiving the success message, the issuer system 303 successfully processes and completes the transaction. In examples, the banking transaction at an ATM, the purchase transaction at a POS system, the e-commerce purchase on a web-based application or mobile-based application, and the banking transaction on a web-based application or mobile-based application are successfully completed.
However, the completion of the transaction is further based on the transaction value. In one embodiment, the issuer system 303 completes the transaction based on the transaction value message received from the server 200. In an example, if the transaction value message indicates that the value of the transaction is below the specified cash limit value/credit limit value, the transaction is completed. In another example, if the transaction value message indicates that the value of the transaction is above the specified cash limit value/credit limit value, the transaction is not completed. In another embodiment, the issuer system 303 completes the transaction based on the cash limit value/credit limit value specified by the user. Upon completing the transaction, the issuer system 303 transmits a transaction successful message to the POT system 304. Upon receiving the transaction successful message, the POT system 304 may generate a paper bill having transaction information and payment information.
At step 513, the issuer system 303 transmits a transaction successful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction successful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction successful message to the computing device 301.
However, if at step 510, the authorizing unit 206 determines the contactless card and the mobile device 308 are out of the predefined range based on the current proximity status information, then the process flows to step 514 in Figure 5c.
Further, in one embodiment, if at step 509-1 the authorizing unit 206 does not receive the current proximity status information from the mobile device 308, the authorizing unit 206 determines that the contactless card and the mobile device 308 are out of the predefined range, and the process flows to step 514 in Figure 5c. Additionally, the authorizing unit 206 switches the current operable state of the contactless card 306 to 'locked state'.
Referring to Figures 2 and 3, along with Figure 5c, at step 514, the server 200 transmits a failure message to the issuer system 303. Accordingly, the message generating unit 207 generates a failure message indicative of far proximity with the mobile device 308 and the message transmitting unit 208 transmits the failure message to the issuer system 303.
In addition to the failure message, the message generating unit 207 generates an alert message for the user. The alert message indicates details about the transaction and details about far proximity of the contactless card with the mobile device 308 in respect of the transaction. Further, in one embodiment, the alert message indicates details about switching of the current operable state of the contactless card 306 to 'locked state' when the authorizing unit 206 does not receive the current proximity status information from the mobile device 308 at step 509-1.
Furthermore, in one embodiment, upon determining far proximity with the mobile device 308 for a predetermined number of successive transactions, the authorizing unit 206 blocks further transactions using the contactless card. Accordingly, the message generating unit 207 generates a blocked message. At step 515, the message transmitting unit 208 transmits the alert message to the user. In an example, the message transmitting unit 208 transmits the alert message to the mobile device 308. In another example, the transmitting unit 204 transmits the alert message to the computing device 301. Further, the message transmitting unit 208 transmits the blocked message to the user after the predetermined number of unsuccessful transactions. At step 516, upon receiving the failure message, the issuer system 303 prevents the processing of the transaction. In examples, the banking transaction at an ATM, purchase transaction at a POS system, e-commerce purchase on a web-based application or mobile-based application, and banking transaction on a web-based application or mobile-based application are prevented from completion. Upon preventing the transaction, the issuer system 303 transmits a transaction unsuccessful message to the POT system 304. Upon receiving the transaction unsuccessful message, the POT system 304 may display an appropriate message on a display unit (not shown in the figure) of the POT system 304.
Further, in one embodiment, upon receiving the failure message for a predetermined number of successive transactions initiated by using the card, the issuer system 303 blocks further transactions using the card in a manner as known in the art. Accordingly, the issuer system 303 transmits a blocked message to the user as known in the art. In an example, the issuer system 303 transmits the blocked message to the mobile device 308 associated with the card. In another example, the issuer system 303 transmits the blocked message to the computing device 301.
At step 517, the issuer system 303 transmits a transaction unsuccessful message to the user as known in the art. In an example, the issuer system 303 transmits the transaction unsuccessful message to the mobile device 308. In another example, the issuer system 303 transmits the transaction unsuccessful message to the computing device 301.
Thus, the transaction is allowed only if the contactless card is in the unlocked state and is within the predefined range of proximity with the mobile device 308. As such, the security of the contactless card is greatly enhanced as a two-step security verification is provided.
Figure 6 illustrates the operations performed by the server 200 to disable the contactless card 306 and deactivate the proximity mode of the mobile device 308, in accordance with an embodiment of the present invention.
Referring to Figures 2, 3, 4, and 6, at step 601, the user sends a request to the server 200 as described in step 401 earlier. The request pertains to disabling the one or more associated contactless cards 306. In said embodiment, the disabling request is indicative of deactivating the proximity mode of the mobile device 308 associated with the contactless card 306. Thus, the contactless module 309 in the mobile device 308 discontinues detecting proximity of the mobile device 308 with the contactless card 306.
At step 602, the receiving unit 201 receives the request from the computing device 301 or the mobile device 308. As described in reference to step 402, upon receiving the request, the processor 202 determines a current operable state of the contactless card 306 mentioned in the request from the database 205.
At step 603, the analysis unit 203 transmits a challenge message to the mobile device 308 as described in reference to step 402 if the operable state is determined as "unlocked state". On the contrary, if the operable state is determined as "locked state", the analysis unit 203 transmits a message indicative of "locked state" to the mobile device 308. In addition, the message indicates that the proximity mode of the mobile device 308 is currently deactivated.
At step 604, the request receiving unit 201 receives a response message from the user in response to the challenge message.
At step 605, the processor 202 validates the received response message by matching the received response message with the stored response message.
At step 606, the analysis unit 203 deactivates the proximity mode of the mobile device 308, if a positive match is obtained at step 605. When the proximity mode of the mobile device 308 is deactivated, the mobile device 308 does not detect proximity with the contactless card 306. Accordingly, the analysis unit 203 sends a trigger to the contactless module 309 of the mobile device 308 to deactivate the proximity mode of the mobile device 308. Further, the analysis unit 203 switches the operable state to locked state and saves the switched operable state as a current operable state for the contactless card 306 in the database 205.
At step 607, the message generating unit 207 generates a success message indicative of the positive match. In an example, the success message indicates successful deactivation of the proximity mode of the mobile device 308 or disabling of the contactless card 306. The message transmitting unit 208 then transmits the success message to the user. In an example, the message transmitting unit 208 transmits the success message to the computing device 301. In another example, the message transmitting unit 208 transmits the success message to the mobile device 308. On the contrary, if a match is not obtained at step 605, the message generating unit 207 generates a failure message. In an example, the failure message indicates unsuccessful deactivation of the proximity mode or disabling of the contactless card 306. The failure message further prompts the user to resend the request.
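The authorization flow of Figures 5b and 5c (steps 508 to 517, together with the auto-lock rule of claims 11 and 12) and the disable flow of Figure 6 (steps 601 to 607) can be modelled as one small server-side state machine. The following is an added example, not the applicant's code: class and method names are assumptions, and the two thresholds (three consecutive misses, three far-proximity transactions) are constructed sample values rather than figures from the patent.

```python
# Added example, not the applicant's code: a toy model of the server logic above.
# Names are assumptions; the two thresholds are constructed, not patent figures.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"


@dataclass
class CardRecord:
    state: State = State.LOCKED           # cards start in locked state
    proximity_mode: bool = False          # is the paired mobile device reporting?
    last_report: Optional[bool] = None    # True=in range, False=far, None=no status
    consecutive_misses: int = 0           # far/absent reports in a row (claims 11, 12)
    failed_txns: int = 0                  # successive far-proximity authorizations
    blocked: bool = False
    alerts: List[str] = field(default_factory=list)


class CardServer:
    MISS_LIMIT = 3   # constructed: consecutive misses before the card is locked
    FAIL_LIMIT = 3   # constructed: far-proximity transactions before blocking

    def __init__(self, stored_response: str):
        self.cards: Dict[str, CardRecord] = {}
        self._stored_response = stored_response  # expected reply to the challenge

    def enable(self, card_id: str, response: str) -> bool:
        """Enable flow: on a positive match, unlock and activate proximity mode."""
        rec = self.cards.setdefault(card_id, CardRecord())
        if response != self._stored_response:
            return False
        rec.state, rec.proximity_mode = State.UNLOCKED, True
        rec.consecutive_misses = 0
        return True

    def disable(self, card_id: str, response: str) -> bool:
        """Steps 601-607: on a positive match, deactivate proximity mode and lock."""
        rec = self.cards.setdefault(card_id, CardRecord())
        if response != self._stored_response:
            return False
        rec.state, rec.proximity_mode = State.LOCKED, False
        rec.last_report = None
        return True

    def report_proximity(self, card_id: str, in_range: Optional[bool]) -> State:
        """Periodic status from the mobile device; None models a missing report.
        MISS_LIMIT far/absent reports in a row switch the card to locked state."""
        rec = self.cards[card_id]
        rec.last_report = in_range
        if in_range:
            rec.consecutive_misses = 0
        else:
            rec.consecutive_misses += 1
            if rec.consecutive_misses >= self.MISS_LIMIT:
                rec.state = State.LOCKED
                rec.alerts.append(f"{card_id}: locked after {rec.consecutive_misses} misses")
        return rec.state

    def authorize(self, card_id: str, amount: int, limit: int) -> str:
        """Steps 508-517: operable state, then proximity, then the cash/credit limit."""
        rec = self.cards.setdefault(card_id, CardRecord())
        if rec.blocked:
            return "blocked"
        if rec.state is State.LOCKED:
            return "failure:locked"
        if rec.last_report is not True:       # far, or no current status (step 509-1)
            rec.failed_txns += 1
            rec.alerts.append(f"{card_id}: attempt of {amount} while card far from device")
            if rec.last_report is None:       # no status received -> lock the card
                rec.state = State.LOCKED
            if rec.failed_txns >= self.FAIL_LIMIT:
                rec.blocked = True
                rec.alerts.append(f"{card_id}: blocked after {rec.failed_txns} failures")
            return "failure:far"
        rec.failed_txns = 0                   # a near-proximity success resets the run
        return "success" if amount <= limit else "failure:limit"
```

The alerts list stands in for the alert and blocked messages of step 515; a real deployment would deliver them over the channels the description names rather than keep them in memory.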
Although the above steps have been written from the perspective of a single user, it would be understood that multiple users can follow the same steps for enhancing the security of card-based financial transactions.
While certain present preferred embodiments of the invention have been illustrated and described herein, it is to be understood that the invention is not limited thereto. Clearly, the invention may be otherwise variously embodied, and practiced within the scope of the following claims.

Claims

WE CLAIM:
1. A method comprising:
receiving, in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers;
determining an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state; and
activating a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects a proximity with the one or more contactless cards during the activated proximity mode.
2. The method as claimed in claim 1, when the operable state is determined as locked state, the method further comprises:
switching the operable state from the locked state to unlocked state.
3. The method as claimed in claim 1, wherein the contactless card is one of: a credit card, a debit card, an automated teller machine (ATM) card, a fleet card, a stored-value card, a prepaid card, and a gift card.
4. The method as claimed in claim 1, wherein the request is received via one of: a web based application, a mobile based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
5. The method as claimed in claim 1, wherein in the locked state of a contactless card, use of the contactless card is prevented and a proximity mode of a mobile device associated with the contactless card is deactivated.
6. The method as claimed in claim 1, wherein in the unlocked state of a contactless card, use of the contactless card is allowed and a proximity mode of a mobile device associated with the contactless card is activated.
7. The method as claimed in claim 1, wherein the mobile device detects the proximity with the one or more contactless cards periodically during the activated proximity mode.
8. The method as claimed in claim 1, wherein activating the proximity mode further comprises:
transmitting a trigger to a contactless module of the mobile device, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
9. The method as claimed in claim 1 further comprises:
receiving proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards; and
storing the proximity status information in a database.
10. The method as claimed in claim 9, wherein the proximity status information is received from the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device.
11. The method as claimed in claim 9 further comprises:
switching the operable state of the one or more contactless cards to locked state when the received proximity status information indicates the mobile device and the contactless card are out of a predefined range for a consecutive number of occurrences.
12. The method as claimed in claim 1 further comprises:
switching the operable state of the one or more contactless cards to locked state in absence of receiving proximity status information from the mobile device for a consecutive number of occurrences.
13. The method as claimed in claim 1 further comprises:
receiving a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards;
obtaining a proximity status information indicative of a proximity of the contactless card and a mobile device associated with the card; and
transmitting an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range.
14. The method as claimed in claim 13, wherein the proximity status information is obtained from a database, the database being adapted to store the proximity status information received periodically from the mobile device.
15. The method as claimed in claim 13, wherein the proximity status information is obtained from the mobile device via a data communication mode of the mobile device.
16. The method as claimed in claim 13, wherein the proximity status information is obtained from the mobile device via a non-data communication mode of the mobile device.
17. The method as claimed in claim 13 further comprises:
determining an operable state of the contactless card such that the proximity status information is obtained when the operable state is determined as an unlocked state.
18. A server comprising:
a request receiving unit to receive, in respect of an account, a request to enable one or more contactless cards, the account being associated with the one or more contactless cards issued to a user of the account by one or more issuers;
a processor to determine an operable state of the one or more contactless cards, the operable state being one of a locked state and an unlocked state; and
an analysis unit to activate a proximity mode of a mobile device associated with the one or more contactless cards when the operable state is determined as locked state, wherein the mobile device detects a proximity with the one or more contactless cards during the activated proximity mode.
19. The server as claimed in claim 18, wherein the analysis unit further:
when the operable state is determined as locked state, switches the operable state from the locked state to unlocked state; and
activates the proximity mode of the mobile device.
20. The server as claimed in claim 18, wherein the receiving unit receives the request via one of: a web based application, a mobile based application, a short message service (SMS) message, an Unstructured Supplementary Service Data (USSD) message, and interactive voice response (IVR).
21. The server as claimed in claim 18, wherein during a locked state of a contactless card, the analysis unit prevents a use of the contactless card and deactivates a proximity mode of the contactless card.
22. The server as claimed in claim 18, wherein during an unlocked state of a contactless card, the analysis unit allows a use of the contactless card and activates a proximity mode of the contactless card.
23. The server as claimed in claim 18, the analysis unit further:
transmits a trigger to a contactless module of the mobile device to activate the proximity mode, the contactless module being adapted to communicate with the one or more contactless cards and to detect the proximity.
24. The server as claimed in claim 18 further comprises:
an information receiving unit to:
receive a proximity status information from the mobile device periodically, the proximity status information being indicative of the detected proximity with the one or more contactless cards; and
store the proximity status information in a database coupled with the server.
25. The server as claimed in claim 24, wherein the information receiving unit receives the proximity status information from the mobile device via one of: a data communication mode of the mobile device and a non-data communication mode of the mobile device.
26. The server as claimed in claim 24, wherein the analysis unit further:
determines the received proximity status information is indicative of the mobile device and the contactless card being out of a predefined range for a consecutive number of occurrences; and
switches the operable state of the one or more contactless cards to locked state in accordance to the determination.
27. The server as claimed in claim 18 further comprises:
an authorizing unit to:
receive a request to authorize a contactless card in respect of a transaction initiated using the contactless card, the contactless card being one of said one or more cards;
obtain a proximity status information indicative of a proximity of the contactless card and a mobile device associated with the card; and
transmit an alert message to the mobile device in case the proximity status information indicates the mobile device and the contactless card are out of a predefined range.
28. The server as claimed in claim 27, wherein the authorizing unit obtains the proximity status information from a database coupled to the server, the database being adapted to store the proximity status information received periodically from the mobile device.
29. The server as claimed in claim 27, wherein the authorizing unit obtains the proximity status information from the mobile device via a data communication mode of the mobile device.
30. The server as claimed in claim 27, wherein the authorizing unit obtains the proximity status information from the mobile device via a non-data communication mode of the mobile device.
31. The server as claimed in claim 27, wherein the authorizing unit further:
determines the operable state of the contactless card, such that proximity status information is obtained when the operable state is determined as an unlocked state.
32. The server as claimed in claim 24, the analysis unit further:
determines non-receipt of proximity status information from the mobile device for a consecutive number of occurrences; and
switches the operable state of the one or more contactless cards to locked state in accordance to the determination.
PCT/IB2016/055000 2015-08-25 2016-08-22 Method and system for enhancing security of contactless card WO2017033118A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN2631/DEL/2015 2015-08-25
IN2631DE2015 IN2015DE02631A (en) 2015-08-25 2016-08-22

Publications (1)

Publication Number Publication Date
WO2017033118A1 true WO2017033118A1 (en) 2017-03-02

Family

ID=54395941

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2016/055000 WO2017033118A1 (en) 2015-08-25 2016-08-22 Method and system for enhancing security of contactless card

Country Status (3)

Country Link
IN (1) IN2015DE02631A (en)
WO (1) WO2017033118A1 (en)
ZA (1) ZA201605692B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080319889A1 (en) * 2007-06-25 2008-12-25 Ayman Hammad Restricting access to compromised account information
US20110264543A1 (en) * 2010-04-26 2011-10-27 Ebay Inc. Reverse payment flow
US20140282877A1 (en) * 2013-03-13 2014-09-18 Lookout, Inc. System and method for changing security behavior of a device based on proximity to another device
US20150227903A1 (en) * 2014-02-07 2015-08-13 Bank Of America Corporation Remote revocation of application access based on lost or misappropriated card

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3531358A1 (en) * 2018-02-27 2019-08-28 Mastercard International Incorporated Reducing fraudulent data transfers
WO2019202374A1 (en) * 2018-04-18 2019-10-24 Adari Swarna Kumari Contactless transaction system and method thereof using contactless transaction card
JP7548993B2 (en) 2019-07-18 2024-09-10 キャピタル・ワン・サービシーズ・リミテッド・ライアビリティ・カンパニー Continuous Authentication for Digital Services Based on Contactless Card Positioning
US11416844B1 (en) * 2019-08-28 2022-08-16 United Services Automobile Association (Usaa) RFID-enabled payment authentication
US11748740B1 (en) 2019-08-28 2023-09-05 United Services Automobile Association (Usaa) RFID-enabled payment authentication
US11954669B1 (en) 2019-08-28 2024-04-09 United Services Automobile Association (Usaa) RFID-enabled payment authentication
US12026694B1 (en) 2019-08-28 2024-07-02 United Services Automobile Association (Usaa) RFID-enabled payment authentication
EP4336432A1 (en) * 2022-09-12 2024-03-13 Thales Dis France Sas Method for providing a user with control over a payment card
WO2024056376A1 (en) * 2022-09-12 2024-03-21 Thales Dis France Sas Method for providing a user with control over a payment card

Also Published As

Publication number Publication date
ZA201605692B (en) 2017-08-30
IN2015DE02631A (en) 2015-09-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16770551

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16770551

Country of ref document: EP

Kind code of ref document: A1