WO2002061640A1 - Safe identification system in banking, financial and electronic information systems - Google Patents

Safe identification system in banking, financial and electronic information systems Download PDF

Info

Publication number
WO2002061640A1
WO2002061640A1 PCT/BR2002/000002 BR0200002W WO02061640A1 WO 2002061640 A1 WO2002061640 A1 WO 2002061640A1 BR 0200002 W BR0200002 W BR 0200002W WO 02061640 A1 WO02061640 A1 WO 02061640A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
password
client
card
security
Prior art date
Application number
PCT/BR2002/000002
Other languages
French (fr)
Inventor
Clovis Golfetto
Original Assignee
Clovis Golfetto
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Clovis Golfetto filed Critical Clovis Golfetto
Publication of WO2002061640A1 publication Critical patent/WO2002061640A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions

Definitions

  • the present patent refers to an utility model which allows the increase of security in electronic systems of authorization and blocking of access, through the correct identification of the user through a number and password and/or a sequence of answers such as magnetic cards, credit cards, debt cards, financial and commercial transactions and service rendering done in electronic environment, data processing, data teleprocessing or telecommunications that involve financial values or information exchange.
  • the present security systems to identify a client are based on access names/numbers and on passwords and/or answers to pre programmed questions, given by the system or chosen by the user .
  • the user wishes to access the system, there is a verification of the user ' s identification through the comparison between the data in their records and the ones supplied by the user o avoid that a client ' s password becomes known by others, several methods of concealment and camouflage are used by system managers in order to guarantee the safe guard of the information.
  • the client has the obligation to memorize and keep an absolute secret of his password. Besides, many people have difficulty in memorizing their passwords, which prevents the creation of very long names or passwords.
  • the base of the new system consists of replacing the access names/ numbers and respective password of the present systems, which are recorded in the database by systems that create, through programmable algorithms, new names/numbers of access. They cease to exist as soon as a transaction or access is concluded .Besides, it shares with the client the storage of all the necessary data to access the transactions, that is, the system does not have all the client ' s data( name/number and password) stored its database.
  • the user can, at any time, change his access name/number and password so that he is able, at any moment ,to check and block transactions as well as modify his secret data to access the system, which are recorded in the bank, credit card managers or in the system that manages his checking account or information.
  • the security utility model hereby proposed is based on the guarantee that only the true users have access to the system.
  • the access name/number cannot be fixed, that is, part of the characters that compose an access name/number will be periodically replaced, preferably at each transaction.
  • the password shall not be permanent and can be changed by the user at any moment, according to his need. This way, the user must memorize only part of his access name/number , being his password, and part of his access J
  • the access name/number calculated or created at the moment the user accesses the system. After accessing the system, that access name/number is no longer valid. So , even if someone finds out the name/number of the client and the password used there will be no access to the client's transaction, thus avoiding frauds and theft.
  • One of the possibilities of creating the access name/number and passwords is from mathematic operations For example, the number in the user ' s credit card printed in the card today is 01234567 8901 2345. His new number can be formed this way: the first 12 numbers are the ones printed in the card and the last four would be variable numbers, calculated at the time the client is carrying out the transaction.
  • the user gets connected to his card manager or bank and tells them the basic data.
  • the manager then, generates an aleatory sequence of numbers. Based on these numbers, the user can calculate which the final numbers of his card will be and which the password for that card is.
  • the client can also define how much he wants to buy with that card and what the limit for each purchase will be. The calculation form was previously established, so the system will only store the code corresponding to the formula the client will use. Having the numbers generated by the system, the client obtains the last four numbers in the card and the valid password for that number. Having done that, the client informs his data and this card number to the store where he is buying. When the store checks the data with the card manager, it will be blocking the access to that number, which will no longer exist.
  • This method can also be used in sales by telephone and in the credit 9 ⁇ H HeHt car machines.
  • the sequence of numbers can be obtained by joining the time and the day, or be generated in an aleatory way, as soon as the card is passed through the magnetic band.
  • the client knowing these data, can calculate the four last digits in the card and inform the attendant. In this case, the four last digits in the card will be changed and there is no need of a password because the transaction is made in the local. So, if the card is stolen or cloned, there will not be any possibility of a transaction. Even if the attendant is the defrauder, he will not be able to succeed.
  • each bank can establish different ways for the client to choose the most suitable, besides enabling him to change these formulas whenever he likes.
  • the card will be used to do shopping. Since there in no verification whether the card owner is the person actually buying, there is a risk of different kinds of fraud. - The card owner could buy something, give a false address for the delivery and then deny to pay for it. In this case, either the store or the card manager will have a loss.
  • the proposed solution to shop through the internet is to use a card system with only one card number and expiration date, which are generated via internet and calculated in real time, either in a regular way or through a specific program supplied by the bank/card manager.
  • the client surfs through the shop site, chooses the products, finalizes the purchase and before typing his credit card number, he interrupts the procedure, opens another window to an adequate program for this purpose, that is, to generate a number, and gets connected to the card manager where he is registered. With the amount he has to pay in hand ,he asks the manager to send a number and a password for that purchase.
  • the manager after making sure it is the client, through the security system, generates the card number and the password. Then, the client types the numbers in the shop site and the operation is finalized. In case there is an attempt to get hold of the number or if the client tries to use it again, or even if a crook makes any attempt, the manager will reject the operation.
  • the shopping site records the card data and the IP number of the alleged client who tried to make the operation .
  • the Manager registers the data of the shopping site that reported the situation and contacts the client about the attempt to use his card via e- mail. This procedure significantly increases the security for all the parties involved;.
  • the client asks the manager to generate a credit card number and a password for posterior use, through the internet or telephone, specifying the a limit for the purchases and how many operations can be made with that card, or still, the time and date, initial and final, of that card expiration date.
  • the basic number of the card can be used (the first twelve numbers), changing the last four numbers (this procedure could even be used in the present card machines ), and the password could follow different criteria.
  • the client can do his shopping, always entering the number and the password.
  • the sequential number of the operation can be added, since in the present system there are three extra numbers recorded in the card after the sixteen that compose the card number.
  • an emergency password can be created. If there is a kidnapping/mugging, the client would use an emergency password instead of the correct one or the calculated one when he is at the ATM , as proposed in this utility model. So, the system can recognize a situation and adopt defensive measures for the client without arousing the thieves ' suspicion, like, for example, present little balance in the account, conceal financial operations, restrict the amount withdrawn. Besides, the system can also set off emergency procedures in the bank, such as trying to track and photograph the robbers using the cameras in the ATM terminal and get in touch with the police and relatives. The password could still indicate the seriousness of the situation.
  • the password has six numbers
  • the first five would be the alarm password and the last, from zero to nine, the degree of risk concerning the situation. If it is zero, it is because he was robbed and forced to reveal the password, but since he is not in danger, the system should retain the card in the machine and set off the alarm at once or call local security. If it is 5, for example, the bank should approve the transaction because the client ' s life is at risk. If the last number of the password is 9, the situation is extremely serious, and so on.
  • This system can also be used with credit or debt cards as well as with any system that checks the identity through name/number and password.
  • This system can also solve the problem of memorizing the card number and password, since they would not be fixed, but calculated through a formula of the client ' s knowledge. Then it is perfectly possible to generate an aleatory number so that the client can calculate the new number any time, since the system and the client know the method chosen to assemble the card and password numbers
  • the dynamic position password allows the increase of security in electronic systems of authorization and blocking of access, through the user ' s correct identification of the Dynamic Position Password.
  • the Model of the Dynamic Position Password hereby proposed can be used in banking, financial and electronic commerce systems that require the validation of the user's positive identification through an electronic signature or password, such as magnetic cards, credit and debt cards, financial and commercial transactions, rendering of services done in electronic environment, data processing, internet or telecommunications, that involve financial values or information exchange.
  • the present security systems to identify a client are based on access names/numbers and on passwords and/or answers to pre programmed questions, given by the system or chosen by the user .
  • the user wishes to access the system, there is a verification of the user's identification through the comparison between the data in their records and the ones supplied by the user o avoid that a client ' s password becomes known by others, several methods of concealment and camouflage are used by system managers in order to guarantee the safe guard of the information.
  • the client has the obligation to memorize and keep an absolute secret of his password. Besides, many people have difficulty in memorizing their passwords, which prevents the creation of very long names or passwords.
  • the base of the new system consists of replacing the password, (the client access number - CAN - may also be changed, which can be used instead of the credit card number or the agency and account number, and can include all the client's operations), which is fixed today, by a dynamic password that varies at each access, being determined by the hereby proposed Model of Dynamic Position Password.
  • the password is not fixed, but dynamic, and its value is obtained by the content in certain positions of an aleatory matrix, whose positions have been previously realized by the client.
  • Their position and order, chosen by the client are the information to be kept by the identification system that allows either the blocking or the access to data and transactions.
  • SUPPLIER the entity that withholds and supplies the data and transaction system to which the client wants to have access to( for instance: banks, internet providers, credit and debt cards managers, stores or private nets of electronic information).
  • MATRIX - any individual who wants to have access to data and transactions of others or those not authorized , either through false identification or other means not permitted by the security manager; .
  • MATRIX - consists of a matrix whose size is determined by the need of security and facility of access;
  • NORMAL ACCESS SEQUENCE - consists of a matrix position sequence to allow the normal access to the system, called normal password formation method;
  • EMERGENCY ACCESS SEQUENCE - consists of a matrix position sequence to access the system in emergency situations, called emergency password
  • SECURITY MANAGER - module of the access control system that allows to draw up a cadastre and the alteration of the normal access sequence and of the emergency- access sequence; y
  • SECURITY AGENT individual or module that is responsible for drawing up the cadastre, erasing it and the client's data alteration. It is an agent authorized by the supplier and certified by the security manager.
  • the Client or user should compose, with the Security Agent, the Normal Access Sequence and the Emergency Access Sequence that will be stored by the Security Agent. We call this sequence the creation of the dynamic position passwords ( normal and emergency ). Once the normal and emergency access sequence are established, the client or user will be capable of accessing the data or transaction system given by the supplier, by means of positive identification through the normal or emergency access password .
  • the client To access the system in normal conditions, the client should identify himsejf passing the magnetic card or entering his data, for example, agency and checking account)The system then generates an aleatory matrix, that is, a group of numbers taken at random and disposed in lines and columns, so that the .client, using the numbers of the positions in the matrix in the same sequence previously established .compose his normal password valid only for that access.
  • an aleatory matrix that is, a group of numbers taken at random and disposed in lines and columns, so that the .client, using the numbers of the positions in the matrix in the same sequence previously established .compose his normal password valid only for that access.
  • the security manager who compares the password sent by the client to the one he formed himself, from the same matrix and rule, kept in his records. If the password given by the client is identical to the one formed by the system, the user will have access to the data and transaction in the system. If not, the system will block access to the system because the identification was considered invalid. If the client makes a mistake,
  • the client or user can make his transactions with confidence and total tranquility, because even if the enemy seizes his password, no transaction will be made, since this password will not be valid in the following moment the access is made.
  • AVAILABILITY - consists of assuring access to the client whenever he wishes to make any transaction or access the data or transaction system;
  • POSITIVE IDENTIFICATION - consists of validating the client's identity in an unmistakable way whenever he wishes to access the data or transaction system;
  • ENEMY BLOCKING - consists of blocking any attempt to access the data or transaction system by any enemy, that is, any individual other than the client;
  • FACILITY OF IDENTIFICATION TO ACCESS - consists of making the client's positive identification the simplest and quickest as possible; . CANNOT BE RETRACTED - the system shall not enable the retraction or denial of the operation or transaction made by the client
  • the difficulty of the present systems is related to the antagonism caused by the challenges imposed to the access control system.
  • the ideal situation would be not to have any obstacle to access the system, so that he would not be obliged to memorize passwords. However, it would make the system unsafe, allowing anyone to obtain access to data and transactions.
  • the necessary security is the one that allows the client to feel safe, is simple, fast and as easy as possible, requiring from the client, less effort to memorize.
  • the access control system is improved as not to block access to the client indefinitely, when there is a mistake in the password composition, since the proposed system is mathematically and logically more superior in terms of security.

Abstract

The present model of utility increases security and confidence for the user's identification in data processing, banking, financial and electronic commerce systems, internet, sales through telephone, credit and debt cards, magnetic cards through the utilization of an access name/number and variable password, with a single validity and which are defined based on rules pre established by the client. The access name/numbers and password are not stored in a database, but calculated by the client, at the moment its use is deemed necessary. Therefore, if such data are discovered by others. With the user's safe identification, special use passwords can be created, for example, in a situation of holdups or 'flash kidnappings'.

Description

SAFE IDENTIFICATION SYSTEM IN BANKING, FINANCIAL AND ELECTRONIC INFORMATION SYSTEMS
The present patent refers to an utility model which allows the increase of security in electronic systems of authorization and blocking of access, through the correct identification of the user through a number and password and/or a sequence of answers such as magnetic cards, credit cards, debt cards, financial and commercial transactions and service rendering done in electronic environment, data processing, data teleprocessing or telecommunications that involve financial values or information exchange. The present security systems to identify a client, are based on access names/numbers and on passwords and/or answers to pre programmed questions, given by the system or chosen by the user .Whenever the user wishes to access the system, there is a verification of the user's identification through the comparison between the data in their records and the ones supplied by the user o avoid that a client's password becomes known by others, several methods of concealment and camouflage are used by system managers in order to guarantee the safe guard of the information. Likewise, the client has the obligation to memorize and keep an absolute secret of his password. Besides, many people have difficulty in memorizing their passwords, which prevents the creation of very long names or passwords. Many systems and devices were invented in order to prevent likely defrauders from finding out clients' information. However, whenever there is a breakthrough in this area, an efficient method of breaking security also follows, thus allowing the access of information to non authorized persons, causing serious damage and frauds. A common example of frauds is in the segment of credit cards, bank magnetic cards and commerce by internet. Internet represents a great step of mankind concerning the availability of information and new ways of commerce. But the security in these systems is very poor, since any security method is based on name/number of access and password, even if cryptographed or camouflaged and once discovered, jeopardize security and give total freedom to access data and transactions. So, to increase security, it is necessary to create something new that prevents the fraudulent use of these systems and information. To solve the security problem, a new model was created, that changes the way of managing the system security, decreasing its vulnerability and increasing the safety and mostly, the confidence of clients(users) and service suppliers(banks, stores and credit cards and debt cards managers and others). The base of the new system consists of replacing the access names/ numbers and respective password of the present systems, which are recorded in the database by systems that create, through programmable algorithms, new names/numbers of access. They cease to exist as soon as a transaction or access is concluded .Besides, it shares with the client the storage of all the necessary data to access the transactions, that is, the system does not have all the client's data( name/number and password) stored its database. Through the conjugation of some methods presented here and others to be created, it is possible to assert with certainty if the person trying to make the transaction is the true client. Therefore, there is no point in stealing this information, since it is no longer valid for another access to the system .Even if the user's name/number and password are discovered, it is not possible to access the system neither to carry out any transaction. This is essential in any commerce system through the internet, since with only the credit card number it is possible to purchase anything, without knowing the card password. This way, one uses the concept of shared security, with variable access number/name and password ; the user must know part of the access key and the password.
Furthermore, the user can, at any time, change his access name/number and password so that he is able, at any moment ,to check and block transactions as well as modify his secret data to access the system, which are recorded in the bank, credit card managers or in the system that manages his checking account or information. The security utility model hereby proposed is based on the guarantee that only the true users have access to the system. For this purpose, the access name/number cannot be fixed, that is, part of the characters that compose an access name/number will be periodically replaced, preferably at each transaction. Likewise, the password shall not be permanent and can be changed by the user at any moment, according to his need. This way, the user must memorize only part of his access name/number , being his password, and part of his access J
name/number calculated or created at the moment the user accesses the system. After accessing the system, that access name/number is no longer valid. So , even if someone finds out the name/number of the client and the password used there will be no access to the client's transaction, thus avoiding frauds and theft. One of the possibilities of creating the access name/number and passwords is from mathematic operations For example, the number in the user's credit card printed in the card today is 01234567 8901 2345. His new number can be formed this way: the first 12 numbers are the ones printed in the card and the last four would be variable numbers, calculated at the time the client is carrying out the transaction. For example ,in a purchase through the internet , the user gets connected to his card manager or bank and tells them the basic data. The manager, then, generates an aleatory sequence of numbers. Based on these numbers, the user can calculate which the final numbers of his card will be and which the password for that card is. The client can also define how much he wants to buy with that card and what the limit for each purchase will be. The calculation form was previously established, so the system will only store the code corresponding to the formula the client will use. Having the numbers generated by the system, the client obtains the last four numbers in the card and the valid password for that number. Having done that, the client informs his data and this card number to the store where he is buying. When the store checks the data with the card manager, it will be blocking the access to that number, which will no longer exist. This method can also be used in sales by telephone and in the credit H HeHt car machines.
In a credit card machine, the ones we see today, the sequence of numbers can be obtained by joining the time and the day, or be generated in an aleatory way, as soon as the card is passed through the magnetic band. The client, knowing these data, can calculate the four last digits in the card and inform the attendant. In this case, the four last digits in the card will be changed and there is no need of a password because the transaction is made in the local. So, if the card is stolen or cloned, there will not be any possibility of a transaction. Even if the attendant is the defrauder, he will not be able to succeed. In order to increase security even more, each bank can establish different ways for the client to choose the most suitable, besides enabling him to change these formulas whenever he likes.
Since this system allows a safe identification of the user, passwords can be created for special occasions such as "flash kidnappings" , always showing a withdrawal limit and a balance inferior to the true ones. Therefore, it is possible to trigger a safety procedure that will depend on where the machine is installed.
A practical example: credit card transactions through the internet. Nowadays the user chooses a site, does his shopping and in the end, types the credit card number and the expiration date. The store system checks the expiration date and confirms the sale. What are the risks to the user through this procedure?
- If someone finds out his data (card number and expiration date), the card will be used to do shopping. Since there in no verification whether the card owner is the person actually buying, there is a risk of different kinds of fraud. - The card owner could buy something, give a false address for the delivery and then deny to pay for it. In this case, either the store or the card manager will have a loss.
- Consequently, there is no trust between the parties, since both are at risk of having to pay for the loss. The proposed solution to shop through the internet is to use a card system with only one card number and expiration date, which are generated via internet and calculated in real time, either in a regular way or through a specific program supplied by the bank/card manager. For this purpose, we present the following alternatives: a) the client surfs through the shop site, chooses the products, finalizes the purchase and before typing his credit card number, he interrupts the procedure, opens another window to an adequate program for this purpose, that is, to generate a number, and gets connected to the card manager where he is registered. With the amount he has to pay in hand ,he asks the manager to send a number and a password for that purchase. The manager, after making sure it is the client, through the security system, generates the card number and the password. Then, the client types the numbers in the shop site and the operation is finalized.. In case there is an attempt to get hold of the number or if the client tries to use it again, or even if a crook makes any attempt, the manager will reject the operation. To track the source of the possible fraud, the shopping site records the card data and the IP number of the alleged client who tried to make the operation .Besides, the Manager registers the data of the shopping site that reported the situation and contacts the client about the attempt to use his card via e- mail. This procedure significantly increases the security for all the parties involved;. b) The client asks the manager to generate a credit card number and a password for posterior use, through the internet or telephone, specifying the a limit for the purchases and how many operations can be made with that card, or still, the time and date, initial and final, of that card expiration date. In this case, the basic number of the card can be used (the first twelve numbers), changing the last four numbers (this procedure could even be used in the present card machines ), and the password could follow different criteria. With this credit card number, the client can do his shopping, always entering the number and the password. To increase security, the sequential number of the operation can be added, since in the present system there are three extra numbers recorded in the card after the sixteen that compose the card number.
In bank magnetic cards, besides the procedures above, which can be used with debt and bank cards an emergency password can be created. If there is a kidnapping/mugging, the client would use an emergency password instead of the correct one or the calculated one when he is at the ATM , as proposed in this utility model. So, the system can recognize a situation and adopt defensive measures for the client without arousing the thieves' suspicion, like, for example, present little balance in the account, conceal financial operations, restrict the amount withdrawn. Besides, the system can also set off emergency procedures in the bank, such as trying to track and photograph the robbers using the cameras in the ATM terminal and get in touch with the police and relatives. The password could still indicate the seriousness of the situation. For example, if the password has six numbers, the first five would be the alarm password and the last, from zero to nine, the degree of risk concerning the situation. If it is zero, it is because he was robbed and forced to reveal the password, but since he is not in danger, the system should retain the card in the machine and set off the alarm at once or call local security. If it is 5, for example, the bank should approve the transaction because the client's life is at risk. If the last number of the password is 9, the situation is extremely serious, and so on. This system can also be used with credit or debt cards as well as with any system that checks the identity through name/number and password.
This system can also solve the problem of memorizing the card number and password, since they would not be fixed, but calculated through a formula of the client's knowledge. Then it is perfectly possible to generate an aleatory number so that the client can calculate the new number any time, since the system and the client know the method chosen to assemble the card and password numbers
One can also create a credit card number with a zero limit only to make sure about the user's identity.
Another very efficient utilization is the dynamic position password identification system, in which all the passwords are variable (change at each access), besides being quick, simple and safe.
The dynamic position password allows the increase of security in electronic systems of authorization and blocking of access, through the user's correct identification of the Dynamic Position Password.
The Model of the Dynamic Position Password hereby proposed can be used in banking, financial and electronic commerce systems that require the validation of the user's positive identification through an electronic signature or password, such as magnetic cards, credit and debt cards, financial and commercial transactions, rendering of services done in electronic environment, data processing, internet or telecommunications, that involve financial values or information exchange. The present security systems to identify a client are based on access names/numbers and on passwords and/or answers to pre programmed questions, given by the system or chosen by the user .Whenever the user wishes to access the system, there is a verification of the user's identification through the comparison between the data in their records and the ones supplied by the user o avoid that a client's password becomes known by others, several methods of concealment and camouflage are used by system managers in order to guarantee the safe guard of the information. Likewise, the client has the obligation to memorize and keep an absolute secret of his password. Besides, many people have difficulty in memorizing their passwords, which prevents the creation of very long names or passwords. Many systems and devices were invented in order to prevent likely defrauders from finding out clients' information. However, whenever there is a breakthrough in this area, an efficient method of breaking security also follows, thus allowing the access of information to non authorized persons, causing serious damage and frauds. A common example of frauds is in the segment of credit cards, bank magnetic cards and commerce by internet. Internet represents a great step of mankind concerning the availability of information and new ways of commerce. But the security in these systems is very poor, since any security method is based on name/number of access and password, even if cryptographed or camouflaged and once discovered, jeopardize security and give total freedom to access data and transactions. So, to increase security, it is necessary to create something new that prevents the fraudulent use of these systems and information.
To solve the security problem, a new model was created, that changes the wa of managing the system security, decreasing Us vulnerability and increasing the safety and mostly, the confidence of clients(users) and service suppliers(banks, stores and credit cards and debt cards managers and others).
The base of the new system consists of replacing the password, ( the client access number - CAN - may also be changed, which can be used instead of the credit card number or the agency and account number, and can include all the client's operations), which is fixed today, by a dynamic password that varies at each access, being determined by the hereby proposed Model of Dynamic Position Password. In this new model, the password is not fixed, but dynamic, and its value is obtained by the content in certain positions of an aleatory matrix, whose positions have been previously realized by the client. Their position and order, chosen by the client, are the information to be kept by the identification system that allows either the blocking or the access to data and transactions.
The system is consisted basically of the following elements: . SUPPLIER - the entity that withholds and supplies the data and transaction system to which the client wants to have access to( for instance: banks, internet providers, credit and debt cards managers, stores or private nets of electronic information).
. CLIENT OR USER - the supplier's client or user who needs to be positively identified in order to access the data and transactions available after his entry in the data or transaction system;
. ENEMY - any individual who wants to have access to data and transactions of others or those not authorized , either through false identification or other means not permitted by the security manager; . MATRIX - consists of a matrix whose size is determined by the need of security and facility of access;
. NORMAL ACCESS SEQUENCE - consists of a matrix position sequence to allow the normal access to the system, called normal password formation method;
. EMERGENCY ACCESS SEQUENCE - consists of a matrix position sequence to access the system in emergency situations, called emergency password
. TRANSACTION OR DATA SYSTEM - system belonging to the supplier, which contains data and/or transactions that will be accessed by the clients after a positive identification and that should be protected from the enemy. . ACCESS CONTROL SYSTEM - system that keeps the client's cadastral information, the normal access sequence and the emergency access system described above, with absolute security and secrecy;
. SECURITY MANAGER - module of the access control system that allows to draw up a cadastre and the alteration of the normal access sequence and of the emergency- access sequence; y
. SECURITY AGENT - individual or module that is responsible for drawing up the cadastre, erasing it and the client's data alteration. It is an agent authorized by the supplier and certified by the security manager.
HOW THE MODEL OF DYNAMIC POSITION PASSWORD WORKS Once the new Access Control System is established by the Supplier, based on this model, the Client or user should compose, with the Security Agent, the Normal Access Sequence and the Emergency Access Sequence that will be stored by the Security Agent. We call this sequence the creation of the dynamic position passwords ( normal and emergency ). Once the normal and emergency access sequence are established, the client or user will be capable of accessing the data or transaction system given by the supplier, by means of positive identification through the normal or emergency access password .
To access the system in normal conditions, the client should identify himsejf passing the magnetic card or entering his data, for example, agency and checking account)The system then generates an aleatory matrix, that is, a group of numbers taken at random and disposed in lines and columns, so that the .client, using the numbers of the positions in the matrix in the same sequence previously established .compose his normal password valid only for that access. When the client identifies the numbers that compose his password, he types and submits them to checking by the security manager, who compares the password sent by the client to the one he formed himself, from the same matrix and rule, kept in his records. If the password given by the client is identical to the one formed by the system, the user will have access to the data and transaction in the system. If not, the system will block access to the system because the identification was considered invalid. If the client makes a mistake, a new matrix will be generated and thus, a new password should be used.
To each attempt of initial access to the system, successful or not, a new aleatory matrix will be generated, so that the passwords will never be repeated, before an amount of time determined by the security manager. In case it occurs
(password repetition ), a new matrix is generated before being presented to the client or user This way, the non occurrence of repeated passwords is guaranteed.
Since there are no repeated passwords, that is, they change at each access, the client or user can make his transactions with confidence and total tranquility, because even if the enemy seizes his password, no transaction will be made, since this password will not be valid in the following moment the access is made.
CHALLENGES TO THE SECURITY SYSTEMS
The main challenges to the access control systems can be summarized as follows:
. AVAILABILITY - consists of assuring access to the client whenever he wishes to make any transaction or access the data or transaction system;
. POSITIVE IDENTIFICATION - consists of validating the client's identity in an unmistakable way whenever he wishes to access the data or transaction system;
. ENEMY BLOCKING - consists of blocking any attempt to access the data or transaction system by any enemy, that is, any individual other than the client;
. FACILITY OF IDENTIFICATION TO ACCESS - consists of making the client's positive identification the simplest and quickest as possible; . CANNOT BE RETRACTED - the system shall not enable the retraction or denial of the operation or transaction made by the client
The difficulty of the present systems is related to the antagonism caused by the challenges imposed to the access control system.
On the client's part, the ideal situation would be not to have any obstacle to access the system, so that he would not be obliged to memorize passwords. However, it would make the system unsafe, allowing anyone to obtain access to data and transactions.
On the manager's part, the safer the system ,the better Therefore, the existence of passwords and other mechanisms that increase security are justified. The longer and harder the password, the greater the security and, it is desirable that it still takes longer to identify the client and and requires more attention from him.
From the supplier's point of view, the necessary security is the one that allows the client to feel safe, is simple, fast and as easy as possible, requiring from the client, less effort to memorize.
The model of the Dynamic Position Password hereby proposed improves the present systems in the following aspects:
. from the client's point of vie : - facilitates password memorization;
- offers a safe and reliable system, by providing the enemy blocking in a very precise and efficient manner;
- universality - allows the same access sequence to be used in several systems it has access to, even if they work with different kinds of characters and even symbols;
- allows a great availability - even if some enemy tries to access the system, it is possible to allow the positive identification of the true user any time, permitting his access. The access control system is improved as not to block access to the client indefinitely, when there is a mistake in the password composition, since the proposed system is mathematically and logically more superior in terms of security.
. from the supplier's point of view:
- it is a safe system and easy to access;
- offers high availability, avoiding loss of accesses or transactions and guarantees that the operation cannot be retracted;
- fast, simple and little dependent of computer resources;
- it is precise and reliable in the positive identification of the client; 1Z
It is possible to create variations on the performance of this system, such as associate letters to numbers ( in an aleatory way) or to special keys or positions on the screen, to avoid the capture of the information typed by the client.

Claims

REVINDICATIONS A safe identification system in banking , financial and electronic information systems, characterized by the use of changing passwords or variables, through the use of name/number of variable access and by the sharing of the necessary data to calculate the name/number of access and passwords.
2. Utilization method of changing or variable passwords.
3. Method of use of name/number of variable access.
4. Calculation method of access name/number and passwords.
5. A security system in purchases with credit card via internet, using variable card number and password.
6. A security system for credit and debt cards in sale terminals, outlets and stores using the last four numbers in the card as security variables.
7. A system of personal protection through a special password for magnetic card users, which allows withdrawals in ATMs.
PCT/BR2002/000002 2001-01-29 2002-01-09 Safe identification system in banking, financial and electronic information systems WO2002061640A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
BR8100120U BR8100120U (en) 2001-01-29 2001-01-29 Secure identification system in banking, financial and electronic information systems
BRMU8100120-7 2001-01-29

Publications (1)

Publication Number Publication Date
WO2002061640A1 true WO2002061640A1 (en) 2002-08-08

Family

ID=4024826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/BR2002/000002 WO2002061640A1 (en) 2001-01-29 2002-01-09 Safe identification system in banking, financial and electronic information systems

Country Status (2)

Country Link
BR (1) BR8100120U (en)
WO (1) WO2002061640A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1528708A1 (en) 2003-10-31 2005-05-04 Samsung Electronics Co., Ltd. User authentication system and method for controlling same
EP2239679A1 (en) 2009-04-08 2010-10-13 David Vázquez del Mercado Habif A method and a system for controlling the use of an electronic device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5988497A (en) * 1996-05-30 1999-11-23 Mci Communications Corporation Method for authenticating credit transactions to prevent fraudulent charges
US6163771A (en) * 1997-08-28 2000-12-19 Walker Digital, Llc Method and device for generating a single-use financial account number
US20010034717A1 (en) * 2000-02-15 2001-10-25 Whitworth Brian L. Fraud resistant credit card using encryption, encrypted cards on computing devices

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5988497A (en) * 1996-05-30 1999-11-23 Mci Communications Corporation Method for authenticating credit transactions to prevent fraudulent charges
US6163771A (en) * 1997-08-28 2000-12-19 Walker Digital, Llc Method and device for generating a single-use financial account number
US20010034717A1 (en) * 2000-02-15 2001-10-25 Whitworth Brian L. Fraud resistant credit card using encryption, encrypted cards on computing devices

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1528708A1 (en) 2003-10-31 2005-05-04 Samsung Electronics Co., Ltd. User authentication system and method for controlling same
EP2239679A1 (en) 2009-04-08 2010-10-13 David Vázquez del Mercado Habif A method and a system for controlling the use of an electronic device

Also Published As

Publication number Publication date
BR8100120U (en) 2002-10-15

Similar Documents

Publication Publication Date Title
US10083285B2 (en) Direct authentication system and method via trusted authenticators
US11895225B2 (en) Systems and methods for trustworthy electronic authentication using a computing device
WO2019147373A1 (en) Secure access to physical and digital assets using authentication key
US7983979B2 (en) Method and system for managing account information
US7248719B2 (en) Tokenless electronic transaction system
US6594376B2 (en) Tokenless electronic transaction system
US6422460B1 (en) Authorization system using an authorizing device
US20110142234A1 (en) Multi-Factor Authentication Using a Mobile Phone
US20090144162A1 (en) Transaction Security Method and Apparatus
US20100306105A1 (en) Method and device for generating a single-use financial account number
JP2009048627A (en) Method and apparatus for performing delegated transaction
US20130024377A1 (en) Methods And Systems For Securing Transactions And Authenticating The Granting Of Permission To Perform Various Functions Over A Network
JP2008537210A (en) Secured data communication method
US7069584B1 (en) Process and apparatus for improving the security of authentication procedures using a new “Super PIN”
Reno Multifactor authentication: Its time has come
JP6511409B2 (en) Transaction locking system and transaction locking method in financial institution
WO2002061640A1 (en) Safe identification system in banking, financial and electronic information systems
Mohanty et al. Nfc featured triple tier atm protection
KR100657577B1 (en) System and method for authorization using client information assembly
Muslimin et al. Islamic Law Perspective on Cybercrime in The Financial Services Industry
JP2007072766A (en) Personal authentication system and method
JP2001243391A (en) Credit card settlement system
JP2005182129A (en) Individual authentication method for automatic transaction apparatus, and automatic transaction apparatus
Bunage et al. Online Credit Card Fraud Prevention
Auerbach From zero trust to total trust in financial services

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69 EPC (EPO FORM 1205A DATED 02.12.2003)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP