WO2018157211A1 - Vérification sécurisée d'une communication vocale - Google Patents

Vérification sécurisée d'une communication vocale Download PDF

Info

Publication number
WO2018157211A1
WO2018157211A1 PCT/AU2018/050188 AU2018050188W WO2018157211A1 WO 2018157211 A1 WO2018157211 A1 WO 2018157211A1 AU 2018050188 W AU2018050188 W AU 2018050188W WO 2018157211 A1 WO2018157211 A1 WO 2018157211A1
Authority
WO
WIPO (PCT)
Prior art keywords
individual
verification code
telephone
entity
software application
Prior art date
Application number
PCT/AU2018/050188
Other languages
English (en)
Inventor
Jeremy Machet
Original Assignee
Jeremy Machet
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2017900733A external-priority patent/AU2017900733A0/en
Application filed by Jeremy Machet filed Critical Jeremy Machet
Publication of WO2018157211A1 publication Critical patent/WO2018157211A1/fr
Priority to AU2019101103A priority Critical patent/AU2019101103A4/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M1/00Substation equipment, e.g. for use by subscribers
    • H04M1/66Substation equipment, e.g. for use by subscribers with means for preventing unauthorised or fraudulent calling
    • H04M1/663Preventing unauthorised calls to a telephone set
    • H04M1/665Preventing unauthorised calls to a telephone set by checking the validity of a code
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/42Systems providing special services or facilities to subscribers
    • H04M3/42025Calling or Called party identification service
    • H04M3/42034Calling party identification service
    • H04M3/42042Notifying the called party of information on the calling party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2203/00Aspects of automatic or semi-automatic exchanges
    • H04M2203/60Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
    • H04M2203/6027Fraud preventions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2203/00Aspects of automatic or semi-automatic exchanges
    • H04M2203/60Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
    • H04M2203/6045Identity confirmation

Definitions

  • the present invention relates to securely verifying telephone discussions.
  • spear phishing A popular media attack known as a spear phishing is used to target unknown customers of entities such as major corporate organisations. While these attacks can sometimes be thwarted at the outset by two factor authentication, spear phishing attacks when successful can enable collection by criminals of key identifying information of customers which allows future tax such as identity fraud to happen on different mediums, including telephone discussion.
  • communications can impersonate corporate entities, and thereby attempt to obtain key identifying information from individuals. Particularly because of the impersonal nature of large entities, where unknown employees or representatives may call a customer, the customer finds it practically impossible to gauge the genuineness of a telephone call .
  • an entity notifying an individual of an intention to conduct a telephone discussion with the individual having access to a communications device connectable to a data network and with a device software application implementing a trusted connection between an entity computer and the individual over the data network, the software application being adapted to generate or receive a verification code of the intention, the verification code being accessible or reproducible by both the entity computer and by the device software application;
  • verifying the intention between the entity and the individual by either receiving a communication of the verification code from the individual and checking that the communication of the verification code matches the verification code, or by
  • the step of the entity notifying the individual of the intention comprises the steps of :
  • the method further comprises the step of the entity initiating a telephone call to the individual; the step of verifying the intention comprises making an utterance of the verification code to the individual in the telephone call, for the individual to check that the utterance matches the verification code.
  • the method may further comprise the step of the entity computer generating the verification code and transmitting the verification code to the device software application over the trusted connection.
  • the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; and
  • the device software application is configured to operate the verification code generating algorithm to generate the
  • the method further comprises the step of storing a record of the intention in the entity computer, and wherein :
  • the step of the entity providing a notification of the intention comprises initiating a telephone call to the
  • the step of verifying the intention comprises the software application, triggered by the individual in response to
  • the entity computer answering the telephone call, communicating the verification code over the trusted connection to the entity computer, the verification code comprising at least a code identifying the individual, followed by the entity computer accessing the data memory to verify that the verification code corresponds to the recorded intention, the entity computer transmitting a
  • the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; the method further comprising steps of:
  • the step of the device software application receiving or generating the verification code comprises the software
  • the step of verifying the intention comprises receiving the verification code from the individual over the return telephone call, and accessing the data memory to verify that the
  • verification code corresponds to the recorded intention, and if so conducting a voice discussion with the individual over the return telephone call .
  • the individual over the return telephone call may diverting the return telephone call from a telephone queue and connecting the individual with an assigned representative for the telephone discussion.
  • Figure 1 is a diagram of method steps of the broad aspect of the invention, not necessarily in order;
  • Figure 2 is a functional block diagram of a system implementing one embodiment of the invention
  • Figure 3 is a visual representation of a notification step according to the embodiment of Figure 2 ;
  • Figure 4 is a functional block diagram of a system implementing another embodiment of the invention.
  • Figure 5 is a functional block diagram of a system implementing still another embodiment of the invention.
  • Figure 6 is a visual representation of code generation and verification steps according to the embodiment of Figure 5;
  • Figure 7 is a functional block diagram of a system implementing yet another embodiment of the invention.
  • the method steps of the broadest aspects of the invention are a notification step 101 of a entity notifying an individual of an intention to conduct a telephone discussion with the individual, a code generation step 102 of generating a verification code, a verification step 103 of verifying the intention between the entity and the
  • the individual has access to a
  • notification step 101 and code generation step 102 may be conducted in a different order or simultaneously.
  • the different steps 101-104 may be performed in different manners.
  • the notification step 101 can be performed in different manners.
  • the notification step 101 can be performed in different
  • the code generation step 102 can be performed in different embodiments by a entity computer, the device software application or both, and may be before or after the notification step 101.
  • verification step 103 verifies the intended telephone call and involves access by both parties to the verification code, and comparison by at least one party of the other party' s copy or version of the verification code.
  • the verification step 103 can involve transmission between the software application and the entity computer, or utterance or other transmission over a telephone call.
  • the discussion step 104 of conducting the telephone discussion can occur as a continuance of an already existing telephone call, or a new telephone call initiated by the individual which may be routed by a telephone answering system of entity to an assigned
  • Entity 1 wishes to conduct a telephone discussion with an individual 2.
  • entity 1 There may be a human representative in entity 1 having the intention, or the intention may be artificially realised by an automatic system fulfilling the role of an entity capable of scheduling or conducting a telephone discussion including imparting and receiving verbal information.
  • Entity 1 in the broadest aspect is any entity capable of communicating with the individual by telephone, and may be a company, business, government
  • Entity 1 in most circumstances will be a
  • Individual 2 is a human person who may be making or potentially making purchases or receiving services from or exchanging services with entity 1, but is not necessarily a customer.
  • entity 1 a single person
  • the interaction which is sought to be verified may be a private communication of non-commercial character .
  • Individual 2 has access to a smart phone 3 which provides wireless mobile telephone communication with entity 1 via wireless telephone towers 4 or directly through Internet 60 via voice call applications, and which also provides the digital communications device housing the device software application 40.
  • the device software application 40 and the medium over which the telephone discussion occurs can be implemented in separate devices, including fixed line telephones for the telephone discussion, and a separate communications device such as smart phone, tablet or personal computer for housing the device software application 40. Further, the
  • VOIP Voice over Internet Protocol
  • Software application 40 implements a trusted connection between individual 2 and entity 1 such that information
  • software application 40 is a dedicated application designed and distributed by entity 1 such as, in the case of a bank, a proprietary application of the bank to enable users to access bank services such as balances, transfers and the like.
  • Entity 1 has access to an entity computer 20 which may be implemented in a single standalone unit or may be distributed amongst several separated units communicating amongst themselves where necessary, as is known in the art.
  • Functional elements of entity computer 10 are typically realised as software modules.
  • Employee server 10 processes interaction with a plurality of employee representatives who may wish to utilise the system to contact customer individual 3.
  • the employee through employee server 10 generates a notification using notification generator 21 which accesses individual data store 23 to obtain contact details such as an email address or other device identifying details to enable direction of the
  • Code generator 22 generates a verification code as described below and may store the generated verification code in code store 24, or may store sufficient related information enabling reconstruction of the generated verification code so that the representative of entity 1 may access the verification code which was used.
  • Code generator 22 may construct the verification code in one of many different possible methods, of which many are known in the art.
  • a simple example is generation of a pseudo-random number which is generated by code generator 22 stored in code store 24 of entity computer 20.
  • a 4-6 digit integer is sufficiently large to provide the required level of security such that the code is effectively unique being difficult to guess.
  • lists of numbers or passwords may be generated for one-time use and stored in entity computer 20 for later use and deletion from storage, improved security can be provided by immediate random number generation to guard against data theft of unused codes .
  • Notification server 25 then formats and transmits the notification and code as a push notification of text to
  • Software application 40 is in a state of readiness to receive notifications from entity 1.
  • Software application 40 comprises modules code
  • Notification receiver 42 receives the push
  • Sensory output generator 43 alerts individual 2, typically by a visual notification which may or may not be configured to appear on a lock screen state.
  • the sensory output contains symbolic graphic
  • FIG. 3 an example sensory output is shown on the smart phone screen showing textual 51 and graphical 52 identifying information of a notification originating from software
  • the notification step 101 is provided simply by the representative initiating a telephone call, and notification server 25 and notification generator 21 in entity computer 20 are not used.
  • Device software application 40 instead comprises code generator 45 and sensory output generator 43 to display or otherwise inform individual 2 of generated codes.
  • Dongle apparatuses which can be attached to keyrings and display rolling codes, or by smart phone applications such as Google Authenticator . For communications which may occur
  • the time parameter which coordinates updating of the code is specified according to a global standard such as universal coordinated time (UCT) rather than any local time zone.
  • Uniqueness associated with individual 2 may be achieved by for example generating a secure hash using an algorithm such as SHA2 , using as inputs a time parameter (such as the current UTC hour and minute) , concatenated with a constant secret identifier (or periodically revised and automatically synchronised) of the individual.
  • the secret identifier does not need to be known by the individual or used for any other purpose.
  • Both the time parameter and the unique secret identifier are accessible by code generator 22 and 45 without access to the Internet, and therefore code generators 22 and 45 are able to both generate the same code at the same time, which renews when the time parameter changes .
  • individual 2 Upon receiving the telephone call, individual 2 opens device software application 40, activates code generator 45 and can see the code displayed on the screen through sensory output generator 43. Individual 2 asks the representative of entity 1 for the verification code, and the representative can access the same verification code through code generator 22 which accesses individual data 23 containing the secret identifier of the individual .
  • Embodiments are envisaged which have both capabilities, whereby individual 2 can ask for the transmitted verification code received as in the first embodiment above, which may be a genuine one time random number, or if Internet connection is unavailable individual 2 can ask for the rolling time-based code which does not require Internet connection.
  • This implementation of the broad aspect of the invention is a class of embodiments which use a verification signal where the verification code is sent over the Internet from the
  • This can be a rolling time-based verification code as described above or in a minimal application can be a constant verification code, such as an account number of individual transmitted securely.
  • implementation #1 also apply to this implementation 2 where feasible .
  • call intention recorder 27 Contemporaneously or prior to the call, the employee through employee server 10 operates call intention recorder 27 to record that a telephone discussion is intended.
  • Call intention recorder 27 uses code generator 22 and stores a generated verification code in code store 2 .
  • this verification code is not necessarily secret and may simply be identifying minimum information such as the identity of individual 2 together with a time or time period at which the intention was formed or the call initiated, or alternatively together with a real-time datum indicating that a telephone call between the employee and individual 2 is in fact in progress routed through entity computer 20.
  • Software application 40 is then caused to operate code generator 45 to generate a verification code.
  • the purpose of this verification code is to securely identify to entity 1 that individual 2 is returning a call. Since individual 2 will already have provided security by way of fingerprint, PIN or other identification to open software application 40 or
  • the generated verification code can be simply a known identifier of individual 2 such as an email address. Extra security can be provided by a more sophisticated verification code such as the rolling time-based verification code mentioned above or other one-time password, but is not necessary for acceptable security.
  • Code verifier 26 then securely communicates a verification signal through Internet 62 device software application 40.
  • Verification receiver 47 receives a verification signal and causes sensory output generator 43 to display (display screen 61) a
  • Individual 2 then either makes a note of the verification code sent over the Internet and displayed through device software application 4, or uses code generator 45 to generate the verification code.
  • Individual 2 then makes a telephone call through smart phone 3, landline or otherwise to entity 1.
  • Telephone call router 26 in entity computer 20 answers the telephone call and presents an option to individual 2 or scans for an utterance or tone dialling or other transmission means over the telephone call of the verification code. If telephone call router 26 receives a valid verification code confirmed from accessing code store 24 as described above, telephone call router 26 is then able to immediately direct the telephone call to the responsible employee, speeding
  • the verification process may also be used to allow individual 2 to bypass an answering queue.
  • individual 2 can simply be a private person, as can entity 1, accordingly the invention extends in its broadest aspects to private communication between individuals who may fear unidentified communication, as well as from the more common application of communication from corporate entities to customers.
  • telephone discussion refers to any electrical or electronic remote voice discussion received or initiated by the individual, and includes traditional telephone connections as well as voice over Internet protocol (VOIP) calls and also includes discussions between an individual and a remote artificial intelligence language understanding algorithm.
  • VOIP voice over Internet protocol
  • the data network connection referred to in the claims over which the trusted connection between the entity and the individual is formed may be the Internet or any other remote data transmission network, including data network connections provided by SMS, MMS or similar.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

L'invention concerne un procédé de conduite d'une discussion téléphonique vérifiée, le procédé comprenant les étapes suivantes : une entité (1) notifie à un individu (2) une intention de conduire une discussion téléphonique avec l'individu (101), l'individu (1) ayant accès à un dispositif de communication (3) doté d'une connexion Internet (60) et d'une application logicielle de dispositif (40) implémentant une connexion de confiance entre un ordinateur d'entité (20) et l'individu (1), l'application logicielle (40) étant adaptée pour générer (45) ou recevoir (41) un code de vérification de l'intention, le code de vérification étant accessible ou reproductible par l'ordinateur d'entité (20) et par l'application logicielle de dispositif (40) ; générer le code de vérification (102, 22) ; vérifier l'intention entre l'entité et l'individu (103, 26) ; et conduire la discussion téléphonique (104).
PCT/AU2018/050188 2017-03-03 2018-03-01 Vérification sécurisée d'une communication vocale WO2018157211A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2019101103A AU2019101103A4 (en) 2017-03-03 2019-09-24 Securely verifying voice communication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2017900733A AU2017900733A0 (en) 2017-03-03 Securely verifying voice communication
AU2017900733 2017-03-03

Related Child Applications (1)

Application Number Title Priority Date Filing Date
AU2019101103A Division AU2019101103A4 (en) 2017-03-03 2019-09-24 Securely verifying voice communication

Publications (1)

Publication Number Publication Date
WO2018157211A1 true WO2018157211A1 (fr) 2018-09-07

Family

ID=63369607

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2018/050188 WO2018157211A1 (fr) 2017-03-03 2018-03-01 Vérification sécurisée d'une communication vocale

Country Status (1)

Country Link
WO (1) WO2018157211A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11695779B2 (en) 2021-01-28 2023-07-04 MSP Solutions Group LLC User management system for computing support

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2755372A1 (fr) * 2013-01-11 2014-07-16 British Telecommunications public limited company Validation des communications
US20150063552A1 (en) * 2011-07-24 2015-03-05 Emue Holdings Pty Ltd. Call authentification methods and systems
US20150087265A1 (en) * 2013-09-24 2015-03-26 Telesign Corporation Call center sms verification system and method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150063552A1 (en) * 2011-07-24 2015-03-05 Emue Holdings Pty Ltd. Call authentification methods and systems
EP2755372A1 (fr) * 2013-01-11 2014-07-16 British Telecommunications public limited company Validation des communications
US20150087265A1 (en) * 2013-09-24 2015-03-26 Telesign Corporation Call center sms verification system and method

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11695779B2 (en) 2021-01-28 2023-07-04 MSP Solutions Group LLC User management system for computing support

Similar Documents

Publication Publication Date Title
US20230283711A1 (en) Authentication using dtmf tones
US8751801B2 (en) System and method for authenticating users using two or more factors
US8467512B2 (en) Method and system for authenticating telephone callers and avoiding unwanted calls
KR101268702B1 (ko) 음성메일 메시징 인증 수행방법
US20110211682A1 (en) Telephony fraud prevention
US8254542B2 (en) Phone key authentication
JP4633059B2 (ja) 携帯機器を用いた電気通信網における認証の方法及びデバイス
US9560196B2 (en) Computer-implemented system and method for determining call connection status
JPH10136086A (ja) 電話回線上で使用するための汎用認証装置
US20070094497A1 (en) Secure authentication with voiced responses from a telecommunications terminal
Vittori Ultimate password: is voice the best biometric to beat hackers?
KR101718368B1 (ko) 생체 인식을 통한 보안 통신 시스템 및 방법
KR20220038704A (ko) 통화 인증을 위한 기술
WO2018157211A1 (fr) Vérification sécurisée d'une communication vocale
CN108235310A (zh) 识别伪装电话号码的方法、服务器以及系统
AU2019101103A4 (en) Securely verifying voice communication
WO2016144806A2 (fr) Signature vocale numérique de transactions
KR102335892B1 (ko) 사운드를 이용한 사용자 식별 방법 및 그 장치
KR20100092074A (ko) 보이스 피싱 예방을 위한 등록 발신자 식별음 제공 시스템,방법 및 기록매체
KR101300730B1 (ko) 보이스 피싱 방지 시스템 및 방법
KR20100092076A (ko) 보이스 피싱 예방을 위한 발신자 식별음 검출 및 주의정보 제공 시스템, 방법 및 기록매체
JP2005295309A (ja) 携帯情報端末捜索システム、携帯情報端末及びその捜索方法
EP3340560A1 (fr) Procédé et système de validation d'utilisateur de dispositif mobile
WO2012022856A1 (fr) Procédé d'authentification d' un utilisateur du réseau internet
JP2002199124A (ja) 顧客情報盗聴防止通信システム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18761913

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18761913

Country of ref document: EP

Kind code of ref document: A1