WO2018157211A1 - Securely verifying voice communication - Google Patents
Securely verifying voice communication
- Publication number
- WO2018157211A1 (PCT/AU2018/050188)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- individual
- verification code
- telephone
- entity
- software application
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/66—Substation equipment, e.g. for use by subscribers with means for preventing unauthorised or fraudulent calling
- H04M1/663—Preventing unauthorised calls to a telephone set
- H04M1/665—Preventing unauthorised calls to a telephone set by checking the validity of a code
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/42—Systems providing special services or facilities to subscribers
- H04M3/42025—Calling or Called party identification service
- H04M3/42034—Calling party identification service
- H04M3/42042—Notifying the called party of information on the calling party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6027—Fraud preventions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6045—Identity confirmation
Definitions
- the present invention relates to securely verifying telephone discussions.
- A popular media attack known as spear phishing is used to target unknown customers of entities such as major corporate organisations. While these attacks can sometimes be thwarted at the outset by two factor authentication, spear phishing attacks when successful can enable collection by criminals of key identifying information of customers which allows future attacks such as identity fraud to happen on different mediums, including telephone discussion.
- communications can impersonate corporate entities, and thereby attempt to obtain key identifying information from individuals. Particularly because of the impersonal nature of large entities, where unknown employees or representatives may call a customer, the customer finds it practically impossible to gauge the genuineness of a telephone call.
- an entity notifying an individual of an intention to conduct a telephone discussion with the individual having access to a communications device connectable to a data network and with a device software application implementing a trusted connection between an entity computer and the individual over the data network, the software application being adapted to generate or receive a verification code of the intention, the verification code being accessible or reproducible by both the entity computer and by the device software application;
- verifying the intention between the entity and the individual by either receiving a communication of the verification code from the individual and checking that the communication of the verification code matches the verification code, or by
- the step of the entity notifying the individual of the intention comprises the steps of:
- the method further comprises the step of the entity initiating a telephone call to the individual; the step of verifying the intention comprises making an utterance of the verification code to the individual in the telephone call, for the individual to check that the utterance matches the verification code.
- the method may further comprise the step of the entity computer generating the verification code and transmitting the verification code to the device software application over the trusted connection.
- the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; and
- the device software application is configured to operate the verification code generating algorithm to generate the
- the method further comprises the step of storing a record of the intention in the entity computer, and wherein :
- the step of the entity providing a notification of the intention comprises initiating a telephone call to the
- the step of verifying the intention comprises the software application, triggered by the individual in response to
- the entity computer answering the telephone call, communicating the verification code over the trusted connection to the entity computer, the verification code comprising at least a code identifying the individual, followed by the entity computer accessing the data memory to verify that the verification code corresponds to the recorded intention, the entity computer transmitting a
- the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; the method further comprising steps of:
- the step of the device software application receiving or generating the verification code comprises the software
- the step of verifying the intention comprises receiving the verification code from the individual over the return telephone call, and accessing the data memory to verify that the
- verification code corresponds to the recorded intention, and if so conducting a voice discussion with the individual over the return telephone call.
- the individual over the return telephone call may diverting the return telephone call from a telephone queue and connecting the individual with an assigned representative for the telephone discussion.
- Figure 1 is a diagram of method steps of the broad aspect of the invention, not necessarily in order;
- Figure 2 is a functional block diagram of a system implementing one embodiment of the invention;
- Figure 3 is a visual representation of a notification step according to the embodiment of Figure 2;
- Figure 4 is a functional block diagram of a system implementing another embodiment of the invention.
- Figure 5 is a functional block diagram of a system implementing still another embodiment of the invention.
- Figure 6 is a visual representation of code generation and verification steps according to the embodiment of Figure 5;
- Figure 7 is a functional block diagram of a system implementing yet another embodiment of the invention.
- the method steps of the broadest aspects of the invention are a notification step 101 of an entity notifying an individual of an intention to conduct a telephone discussion with the individual, a code generation step 102 of generating a verification code, a verification step 103 of verifying the intention between the entity and the
- the individual has access to a
- notification step 101 and code generation step 102 may be conducted in a different order or simultaneously.
- the different steps 101-104 may be performed in different manners.
- the notification step 101 can be performed in different manners.
- the notification step 101 can be performed in different
- the code generation step 102 can be performed in different embodiments by an entity computer, the device software application or both, and may be before or after the notification step 101.
- verification step 103 verifies the intended telephone call and involves access by both parties to the verification code, and comparison by at least one party of the other party's copy or version of the verification code.
- the verification step 103 can involve transmission between the software application and the entity computer, or utterance or other transmission over a telephone call.
- the discussion step 104 of conducting the telephone discussion can occur as a continuance of an already existing telephone call, or a new telephone call initiated by the individual which may be routed by a telephone answering system of entity to an assigned
- Entity 1 wishes to conduct a telephone discussion with an individual 2.
- There may be a human representative in entity 1 having the intention, or the intention may be artificially realised by an automatic system fulfilling the role of an entity capable of scheduling or conducting a telephone discussion including imparting and receiving verbal information.
- Entity 1 in the broadest aspect is any entity capable of communicating with the individual by telephone, and may be a company, business, government
- Entity 1 in most circumstances will be a
- Individual 2 is a human person who may be making or potentially making purchases or receiving services from or exchanging services with entity 1, but is not necessarily a customer.
- entity 1 a single person
- the interaction which is sought to be verified may be a private communication of non-commercial character.
- Individual 2 has access to a smart phone 3 which provides wireless mobile telephone communication with entity 1 via wireless telephone towers 4 or directly through Internet 60 via voice call applications, and which also provides the digital communications device housing the device software application 40.
- the device software application 40 and the medium over which the telephone discussion occurs can be implemented in separate devices, including fixed line telephones for the telephone discussion, and a separate communications device such as smart phone, tablet or personal computer for housing the device software application 40. Further, the
- VOIP Voice over Internet Protocol
- Software application 40 implements a trusted connection between individual 2 and entity 1 such that information
- software application 40 is a dedicated application designed and distributed by entity 1 such as, in the case of a bank, a proprietary application of the bank to enable users to access bank services such as balances, transfers and the like.
- Entity 1 has access to an entity computer 20 which may be implemented in a single standalone unit or may be distributed amongst several separated units communicating amongst themselves where necessary, as is known in the art.
- Functional elements of entity computer 10 are typically realised as software modules.
- Employee server 10 processes interaction with a plurality of employee representatives who may wish to utilise the system to contact customer individual 3.
- the employee through employee server 10 generates a notification using notification generator 21 which accesses individual data store 23 to obtain contact details such as an email address or other device identifying details to enable direction of the
- Code generator 22 generates a verification code as described below and may store the generated verification code in code store 24, or may store sufficient related information enabling reconstruction of the generated verification code so that the representative of entity 1 may access the verification code which was used.
- Code generator 22 may construct the verification code in one of many different possible methods, of which many are known in the art.
- a simple example is generation of a pseudo-random number which is generated by code generator 22 stored in code store 24 of entity computer 20.
- a 4-6 digit integer is sufficiently large to provide the required level of security such that the code is effectively unique being difficult to guess.
- lists of numbers or passwords may be generated for one-time use and stored in entity computer 20 for later use and deletion from storage, improved security can be provided by immediate random number generation to guard against data theft of unused codes.
- Notification server 25 then formats and transmits the notification and code as a push notification of text to
- Software application 40 is in a state of readiness to receive notifications from entity 1.
- Software application 40 comprises modules code
- Notification receiver 42 receives the push
- Sensory output generator 43 alerts individual 2, typically by a visual notification which may or may not be configured to appear on a lock screen state.
- the sensory output contains symbolic graphic
- FIG. 3 an example sensory output is shown on the smart phone screen showing textual 51 and graphical 52 identifying information of a notification originating from software
- the notification step 101 is provided simply by the representative initiating a telephone call, and notification server 25 and notification generator 21 in entity computer 20 are not used.
- Device software application 40 instead comprises code generator 45 and sensory output generator 43 to display or otherwise inform individual 2 of generated codes.
- Dongle apparatuses which can be attached to keyrings and display rolling codes, or by smart phone applications such as Google Authenticator. For communications which may occur
- the time parameter which coordinates updating of the code is specified according to a global standard such as universal coordinated time (UTC) rather than any local time zone.
- Uniqueness associated with individual 2 may be achieved by for example generating a secure hash using an algorithm such as SHA2, using as inputs a time parameter (such as the current UTC hour and minute), concatenated with a constant secret identifier (or periodically revised and automatically synchronised) of the individual.
- the secret identifier does not need to be known by the individual or used for any other purpose.
- Both the time parameter and the unique secret identifier are accessible by code generator 22 and 45 without access to the Internet, and therefore code generators 22 and 45 are able to both generate the same code at the same time, which renews when the time parameter changes.
- Upon receiving the telephone call, individual 2 opens device software application 40, activates code generator 45 and can see the code displayed on the screen through sensory output generator 43. Individual 2 asks the representative of entity 1 for the verification code, and the representative can access the same verification code through code generator 22 which accesses individual data 23 containing the secret identifier of the individual.
- Embodiments are envisaged which have both capabilities, whereby individual 2 can ask for the transmitted verification code received as in the first embodiment above, which may be a genuine one time random number, or if Internet connection is unavailable individual 2 can ask for the rolling time-based code which does not require Internet connection.
- This implementation of the broad aspect of the invention is a class of embodiments which use a verification signal where the verification code is sent over the Internet from the
- This can be a rolling time-based verification code as described above or in a minimal application can be a constant verification code, such as an account number of individual transmitted securely.
- implementation #1 also apply to this implementation 2 where feasible.
- Contemporaneously or prior to the call, the employee through employee server 10 operates call intention recorder 27 to record that a telephone discussion is intended.
- Call intention recorder 27 uses code generator 22 and stores a generated verification code in code store 2.
- this verification code is not necessarily secret and may simply be identifying minimum information such as the identity of individual 2 together with a time or time period at which the intention was formed or the call initiated, or alternatively together with a real-time datum indicating that a telephone call between the employee and individual 2 is in fact in progress routed through entity computer 20.
- Software application 40 is then caused to operate code generator 45 to generate a verification code.
- the purpose of this verification code is to securely identify to entity 1 that individual 2 is returning a call. Since individual 2 will already have provided security by way of fingerprint, PIN or other identification to open software application 40 or
- the generated verification code can be simply a known identifier of individual 2 such as an email address. Extra security can be provided by a more sophisticated verification code such as the rolling time-based verification code mentioned above or other one-time password, but is not necessary for acceptable security.
- Code verifier 26 then securely communicates a verification signal through Internet 62 device software application 40.
- Verification receiver 47 receives a verification signal and causes sensory output generator 43 to display (display screen 61) a
- Individual 2 then either makes a note of the verification code sent over the Internet and displayed through device software application 4, or uses code generator 45 to generate the verification code.
- Individual 2 then makes a telephone call through smart phone 3, landline or otherwise to entity 1.
- Telephone call router 26 in entity computer 20 answers the telephone call and presents an option to individual 2 or scans for an utterance or tone dialling or other transmission means over the telephone call of the verification code. If telephone call router 26 receives a valid verification code confirmed from accessing code store 24 as described above, telephone call router 26 is then able to immediately direct the telephone call to the responsible employee, speeding
- the verification process may also be used to allow individual 2 to bypass an answering queue.
- individual 2 can simply be a private person, as can entity 1, accordingly the invention extends in its broadest aspects to private communication between individuals who may fear unidentified communication, as well as from the more common application of communication from corporate entities to customers.
- telephone discussion refers to any electrical or electronic remote voice discussion received or initiated by the individual, and includes traditional telephone connections as well as voice over Internet protocol (VOIP) calls and also includes discussions between an individual and a remote artificial intelligence language understanding algorithm.
- the data network connection referred to in the claims over which the trusted connection between the entity and the individual is formed may be the Internet or any other remote data transmission network, including data network connections provided by SMS, MMS or similar.
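
The rolling time-based code that code generators 22 and 45 derive independently from a UTC time parameter and the individual's secret identifier can be sketched as follows. This is an added example, not code from the patent: it substitutes HMAC-SHA-256 keyed with the secret for the plain hash of time concatenated with the secret, and the 60-second step, 6-digit truncation, one-step skew window, sample secret and all function names are assumptions.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP_SECONDS = 60  # assumption: the code renews every UTC minute
DIGITS = 6         # the description suggests a 4-6 digit code


def time_step(now: datetime, step: int = STEP_SECONDS) -> int:
    """Convert an aware datetime to a UTC step counter.

    Working from the epoch timestamp makes the result independent of
    either party's local time zone.
    """
    if now.tzinfo is None:
        raise ValueError("naive datetime: the time zone must be explicit")
    return int(now.timestamp()) // step


def rolling_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the code for one time step.

    Substitution: HMAC-SHA-256 keyed with the secret identifier, instead
    of hashing the time parameter concatenated with the secret.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return str(value).zfill(digits)


def verify_spoken_code(secret: bytes, spoken: str, now: datetime,
                       skew_steps: int = 1) -> bool:
    """Check a code heard on the call against the locally generated one.

    Accepts the neighbouring steps so that a code read out just before the
    minute rolls over still matches; every candidate is compared in
    constant time and the loop never exits early.
    """
    candidate = "".join(ch for ch in spoken if ch.isdigit()).encode()
    current = time_step(now)
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = rolling_code(secret, current + delta).encode()
        ok |= hmac.compare_digest(candidate, expected)
    return ok


def demo() -> dict:
    secret = bytes.fromhex("8f1d" * 16)  # constructed sample secret identifier
    # Entity side (code generator 22) derives the code at 10:15:58 UTC.
    entity_time = datetime(2018, 3, 1, 10, 15, 58, tzinfo=timezone.utc)
    # Individual's app (code generator 45) checks it four seconds later,
    # in a UTC+11 time zone, after the minute has rolled over.
    app_time = datetime(2018, 3, 1, 21, 16, 2,
                        tzinfo=timezone(timedelta(hours=11)))
    uttered = rolling_code(secret, time_step(entity_time))
    spoken = f"{uttered[:3]} {uttered[3:]}"  # read out in two groups
    return {
        "uttered": uttered,
        "accepted_with_skew": verify_spoken_code(secret, spoken, app_time),
        "accepted_strict": verify_spoken_code(secret, spoken, app_time,
                                              skew_steps=0),
    }


if __name__ == "__main__":
    print(demo())
```

Widening `skew_steps` tolerates more clock drift but also lengthens the time during which an overheard code remains valid.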
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention relates to a method of conducting a verified telephone discussion, the method comprising the following steps: an entity (1) notifies an individual (2) of an intention to conduct a telephone discussion with the individual (101), the individual (1) having access to a communications device (3) provided with an Internet connection (60) and a device software application (40) implementing a trusted connection between an entity computer (20) and the individual (1), the software application (40) being adapted to generate (45) or receive (41) a verification code of the intention, the verification code being accessible or reproducible by the entity computer (20) and by the device software application (40); generating the verification code (102, 22); verifying the intention between the entity and the individual (103, 26); and conducting the telephone discussion (104).
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2019101103A AU2019101103A4 (en) | 2017-03-03 | 2019-09-24 | Securely verifying voice communication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2017900733A AU2017900733A0 (en) | 2017-03-03 | Securely verifying voice communication | |
AU2017900733 | 2017-03-03 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
AU2019101103A Division AU2019101103A4 (en) | 2017-03-03 | 2019-09-24 | Securely verifying voice communication |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018157211A1 (fr) | 2018-09-07 |
Family
ID=63369607
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/AU2018/050188 WO2018157211A1 (fr) | 2017-03-03 | 2018-03-01 | Securely verifying voice communication |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018157211A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11695779B2 (en) | 2021-01-28 | 2023-07-04 | MSP Solutions Group LLC | User management system for computing support |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2755372A1 (fr) * | 2013-01-11 | 2014-07-16 | British Telecommunications public limited company | Validating communications |
US20150063552A1 (en) * | 2011-07-24 | 2015-03-05 | Emue Holdings Pty Ltd. | Call authentification methods and systems |
US20150087265A1 (en) * | 2013-09-24 | 2015-03-26 | Telesign Corporation | Call center sms verification system and method |
-
2018
- 2018-03-01 WO PCT/AU2018/050188 patent/WO2018157211A1/fr active Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230283711A1 (en) | Authentication using dtmf tones | |
US8751801B2 (en) | System and method for authenticating users using two or more factors | |
US8467512B2 (en) | Method and system for authenticating telephone callers and avoiding unwanted calls | |
KR101268702B1 (ko) | Method for performing voicemail messaging authentication | |
US20110211682A1 (en) | Telephony fraud prevention | |
US8254542B2 (en) | Phone key authentication | |
JP4633059B2 (ja) | Method and device for authentication in a telecommunications network using a portable device | |
US9560196B2 (en) | Computer-implemented system and method for determining call connection status | |
JPH10136086A (ja) | Universal authentication device for use over telephone lines | |
US20070094497A1 (en) | Secure authentication with voiced responses from a telecommunications terminal | |
Vittori | Ultimate password: is voice the best biometric to beat hackers? | |
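KR101718368B1 (ko) | System and method for secure communication through biometric recognition | |
KR20220038704A (ko) | Techniques for call authentication | |
WO2018157211A1 (fr) | Securely verifying voice communication | |
CN108235310A (zh) | Method, server and system for identifying spoofed telephone numbers | |
AU2019101103A4 (en) | Securely verifying voice communication | |
WO2016144806A2 (fr) | Digital voice signature of transactions | |
KR102335892B1 (ko) | Method and apparatus for identifying a user using sound | |
KR20100092074A (ko) | System, method and recording medium for providing a registered caller identification tone to prevent voice phishing | |
KR101300730B1 (ko) | System and method for preventing voice phishing | |
KR20100092076A (ko) | System, method and recording medium for detecting a caller identification tone and providing caution information to prevent voice phishing | |
JP2005295309A (ja) | Portable information terminal search system, portable information terminal, and search method therefor | |
EP3340560A1 (fr) | Method and system for mobile device user validation | |
WO2012022856A1 (fr) | Method for authenticating a user of the Internet network | |
JP2002199124A (ja) | Communication system for preventing eavesdropping on customer information |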
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18761913 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 18761913 Country of ref document: EP Kind code of ref document: A1 |