WO2000062262A1 - Method and device for securing the use of cards comprising means of identification and/or authentication - Google Patents
Method and device for securing the use of cards comprising means of identification and/or authentication Download PDFInfo
- Publication number
- WO2000062262A1 WO2000062262A1 PCT/FR2000/000945 FR0000945W WO0062262A1 WO 2000062262 A1 WO2000062262 A1 WO 2000062262A1 FR 0000945 W FR0000945 W FR 0000945W WO 0062262 A1 WO0062262 A1 WO 0062262A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- identifier
- terminal
- radiotelephone
- support
- authorization
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/42—Confirmation, e.g. check or permission by the legal debtor of payment
- G06Q20/425—Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/22—Payment schemes or models
- G06Q20/229—Hierarchy of users of accounts
- G06Q20/2295—Parent-child type, e.g. where parent has control on child rights
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3224—Transactions dependent on location of M-devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
- G06Q20/40145—Biometric identity checks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/405—Establishing or using transaction specific rules
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
Definitions
- the invention relates to a method and a system for securing the use of cards and other media comprising means of identification and / or authentication, in particular bank payment cards.
- Payment cards with magnetic stripe or integrated circuit are currently supplied by banks or similar establishments to their customers, possibly with confidential codes which must be entered on the computer terminals with which these cards are used, to make payments. , withdraw bank notes, etc.
- a lost or stolen card is used by a third party, without the card holder being informed of this use and without being able to oppose it (on the Internet for example). It can also happen that the holder of a payment card lends it to another person by communicating the confidential code to them so that they can use it on a computer terminal. The card holder is only informed later of payments made with his card, upon receipt of a bank account statement or after questioning of the bank which supplied him with the payment card.
- Such cards can also be used, but without identification or authentication security, to make remote payments, in particular on the Internet or by telephone. This can cause problems due to the advent of software for generating credit card identification numbers.
- a support is not necessarily a material element provided with an identification number: it can indeed simply be an identification number.
- the invention aims to provide a simple and effective solution to this problem.
- It relates to a method and a system for securing the use of media, such as the aforementioned cards, enabling their holders to be informed of their use by third parties and possibly to oppose this use. It also relates to a method and a system of the aforementioned type, which implement pre-existing means and communication networks and which do not require too expensive an investment.
- a method of securing the use of supports provided with at least one identifier consisting of: * associating each support with a radiotelephone having an identifier, then recording in a first database, for each association of support and radiotelephone, a pair of data representative of the identifier of the support and of the identifier of the radiotelephone, and * each time the identifier of a support is used from a computer terminal:
- the invention takes advantage of the characteristics of radiotelephony networks of the GSM or other type, which consist in permanently (or almost) knowing the location of a mobile telephone in relation to a cellular network of base stations with which the mobile telephones communicate by radio link.
- This location of a mobile phone is relatively precise, at least in urban areas, and the invention is based on the fact that a match between the location of a mobile phone and the location of a computer terminal on which a payment card (or support) associated with this mobile phone is used, makes it possible to assume, at least to some extent, that the payment card is used by the holder of the mobile phone.
- the invention provides for calling the mobile telephone to ask its bearer to accept or refuse the use his card on the aforementioned computer terminal.
- the invention preferably provides for assigning to this terminal a location identical to that of the localized radiotelephone, then recording in the second base a pair of data representative of the identifier of this terminal and its location. This allows you to build the second database as you go.
- the holder of the mobile phone will validate the use if he himself has used the medium and may either accept the use or refuse it if he has not used the card himself, it can be entrusted to a third party, or lost or stolen.
- the method consists in determining the location of the terminal by locating the mobile telephone associated with this other medium. , to check the agreement between this location and the one previously saved in the database and, in the event of a discrepancy between these locations, call the mobile phone for acceptance or refusal of the use of the other medium on this terminal.
- the method can consist in registering in a subscriber identification module of the mobile telephone, for example in integrated circuits, a software module comprising means for authenticating the medium associated with this. mobile phone.
- a software module comprising means for authenticating the medium associated with this. mobile phone.
- the invention also provides for the possibility of storing in the subscriber identification module a software module ensuring functions of prior authorization of at least one intended use of the associated medium, of activation and deactivation of this medium, and acceptance and refusal of use of the medium. The execution of these functions can be controlled simply and quickly by the carrier of the mobile telephone, using the function keys on the keyboard of his telephone.
- the identification module is not necessarily housed in each mobile phone, for example in a SIM card. It could, for example, be housed in a server.
- this method consists in associating at least two supports of the aforementioned type with a mobile phone, one of these supports being usable by the carrier of the mobile phone and the other by another person, and subject each use of the identifier of this other medium to prior authorization by the user of the radiotelephone with a view to obtaining authorization or refusal of use.
- This allows in particular a person to keep his own support and to permanently control the use of another support that he has entrusted to a third party.
- the information associated with the aforementioned cards and concerning their nature, their state of activation or deactivation, the limiting conditions of their use and the prior authorizations of use are advantageously recorded in a third database to be able to be used at any appropriate time. .
- each time an identifier is used on the Internet for a transaction between a requesting computer terminal and a mail-order computer site, fields are extracted from the frame which comprises the identifier information relating to the location of the requesting terminal, and, depending on the result of the location comparison, an authorization to use the identifier of the medium is transmitted to the terminal, or else a radiotelephone is sent a message intended to obtain from its user an authorization or a refusal to use the identifier of the medium from the terminal.
- each time an identifier is used for a bank transaction and when certain selected conditions are met the same transaction authorization number is sent jointly to the mobile phone associated with the identifier and the computer terminal having transmitted the identifier, then we wait for the user of the mobile telephone to return the authorization number, via his mobile telephone, to transmit it to the terminal carrying out the transaction.
- the final authorization of the transaction then preferably results from a comparison between the two authorization numbers, either by the user of the terminal, or directly by said terminal (authorization given in the event of identity of the numbers).
- the invention also provides a system for securing the use of supports provided with at least one identifier. This system includes:
- a first database in which pairs of data are stored comprising data representative of a radiotelephone identifier and data representative of a support identifier belonging to a user of the radiotelephone,
- a second database could be provided for storing pairs of data comprising a data representative of an identifier of a computer terminal, from which a support identifier can be transmitted, and a data representative of the location of this terminal.
- the information processing means are capable of interrogating the second database to determine the location of a terminal having transmitted a support identifier
- each mobile phone can distinguish a medium associated with a mobile telephone from a medium which is not associated with a mobile telephone by detection of its identifier
- each radiotelephone associated with a medium may include a subscriber identification module comprising a memory in which is stored a software module comprising means for authenticating the associated medium, this subscriber identification module possibly comprising means for prior authorization of at least one use of the associated medium, means of activating and deactivating this medium, and means of authorizing and refusing to use the identifier of this medium from a terminal computer science.
- the identification module could be housed in another part of the system, such as for example in the information processing means,
- a third database may be provided to store information relating to each associated medium and representative of its nature, its state of activation or deactivation, limit conditions of use and prior authorizations for use,
- the information processing means may be arranged so as to allow the constitution, updating and management of the first database and / or the second database (28) and / or the third database of data,
- the radiotelephones already associated with a first support held by their user, may be associated with at least one second support provided with an identifier and held by another person.
- the information processing means are arranged, each time the identifier of a second medium is used, to check whether prior authorization for the use of this second medium has been given by the user of the associated radiotelephone. , and, in the absence of this authorization, to send to the radiotelephone, via the second server, a message intended to obtain from its user an authorization or a refusal to use the identifier of the second medium from the terminal.
- the mobile telephone which is associated with a second support whose identifier is in use, is arranged to emit a visual or audible alarm for authorization request.
- the information processing means could be arranged so as to subject each use of the identifier of a second medium to a prior verification of at least one condition stored in a memory, and preferably chosen from a value cumulative purchase limit on the two supports and a purchase limit value on the second support,
- the information processing means may be arranged so as to discriminate transactions carried out on the Internet, between a requesting computer terminal and a mail-order computer site, transactions carried out on a computer terminal not using the network Internet, discrimination being effected by an analysis of the fields contained in the frames.
- the information processing means are arranged to extract from these analyzed fields information relating to the location of the requesting terminal on the Internet, and to transmit to the first server an authorization to use the identifier of the medium on the terminal or to send to the radiotelephone, via the second server, a message intended to obtain from its user an authorization or a refusal to use the identifier of the medium from the terminal, depending on the result of the location comparison ,
- the first server can be connected to a multiplicity of bank servers capable, in the event of receipt of a transaction request by a computer terminal, to address jointly to the first server and to the computer terminal, when certain conditions are met, the same authorization number.
- the information processing means are arranged to transmit the authorization number to the mobile telephone associated with the terminal carrying out the transaction, once the connection has been established with this telephone, then, in the event of reissue of the authorization number by the mobile telephone (on the order of its owner-user), to communicate this authorization number at the computer terminal, via the first server.
- the computer terminals are arranged to make a comparison between the two authorization numbers received and to authorize the transaction when these numbers coincide.
- the method and the system according to the invention make it possible to secure the transactions carried out by means of payment cards (supports) on computer terminals of any type (electronic payment terminals, automatic teller machines, payments made on the Internet). or by phone, etc.).
- This method and this system also generally make it possible to secure the use of information carriers of any type, provided with means of identification and / or authentication, by informing their holders of any fraudulent or not in accordance with predetermined conditions and allowing them to oppose this use.
- FIG. 1 schematically shows the security system according to the invention
- bank payment cards 10 of a conventional type (such as blue cards, visa, eurocard, etc.) comprising example a magnetic strip and / or integrated circuits forming support for identification and authentication information of a card and / or its holder.
- the cards 10 can be used, in particular, on computer terminals (called TPEs) such as those referenced 12 in FIG. 1, which are currently found in most stores, points of sale, etc. and which are connected to a banking computer network 14 via the public switched telephone network.
- TPEs computer terminals
- ATMs automatic teller machines
- They can also be used for transactions carried out by telephone or on the Internet from a computer terminal 18 of the PC type: in in this case, the buyer communicates the identification number of his payment card to the seller, who then issues a payment order by debit from the buyer's bank account, which is sent to the banking network 12 by the seller with the number d identification of the buyer's payment card.
- the invention proposes to ensure the security of the use of these cards (or more generally supports) when using their identifier on a computer network, by virtue of an association with a radiotelephony network, for example of the GSM type. , GSM-WAP or other.
- the invention provides for associating each payment card 10 with a radiotelephone or mobile telephone 20 by recording in a first database 22 a pair of information comprising an identifier of the payment card 10 and an identifier of the telephone.
- the identifier of the card 10 can include its number 26, as it appears on the card, with additional information indicating that the card belongs to the system according to the invention.
- the identifier of radiotelephone 20, or of the corresponding subscriber can be either the telephone number of radiotelephone 20, either subscriber identification information such as IMSI (International Mobile Subscriber Identity) which allows the radiotelephone network 24 to identify a subscriber in a unique manner, this information not being known to the subscriber to whom it is only provides the telephone number of his radiotelephone 20.
- IMSI International Mobile Subscriber Identity
- a database in the radiotelephone network 24 makes it possible to correspond between the telephone number of radiotelephone 20 and the subscriber identification information, used in the network 24 for the location of this subscriber.
- the invention also provides for recording, in a database 28, information relating to the terminals on which the cards 10 can be used, this information comprising an identifier of the terminal and its geographic location.
- the terminal identifier is automatically supplied to the banking network 14 each time a card identifier 10 is used on this terminal. Its location can possibly be known when it is a fixed terminal such as an automatic cash dispenser 16, but it is more generally determined when it is first used from the location of the radiotelephone 20 of the person using his card 10 on this terminal, as will be described in more detail below.
- the invention also provides a third database 30 in which information relating to the cards 10 associated with radiotelephones 20 is recorded, such as for example the nature of this card, its activation or deactivation state, boundary conditions d 'use (such as a ceiling value and / or a cumulative value since a chosen date) and prior authorizations for use.
- the system according to the invention comprises a computer server 32, making it possible to update and use the information contained in the databases 22, 28 and 30, means of connection 34 to a server 36 of the banking network 14 and means of connection 38 to a server 40 of the radiotelephony network 24.
- the invention also provides for using the electronic card or subscription card which is fitted to certain radiotelephones 20 (the SIM or Subscriber card Identity Module) and which allows the subscriber to have access to the services of the radio telephone network 24 and which contains all the data concerning the subscriber and in particular authentication means and information relating to the subscription, this module comprising integrated circuits comprising a microprocessor and memories of the ROM, EPROM and RAM type.
- these means are programmed on the one hand, to authenticate the card 10 associated with the radiotelephone 20 and, on the other hand, to offer the subscriber a certain number of additional functions, such as in particular prior authorizations to use of card 10, activation and deactivation functions of this card, and functions for accepting and refusing use of card 10.
- the invention also provides for associating two cards 10 or more cards to the same radiotelephone 20, one of these cards being held by the carrier of the radiotelephone, the other or the other cards each being given to a different person.
- the means (module) of subscriber identification of the radiotelephone comprises functions allowing the bearer of the radiotelephone to authorize prior uses of said other card or of said other cards, with fixing of limit conditions of use (in particular transaction limits (personal or cumulative) or priority of use), activation and deactivation functions of this other card or these other cards, and functions of acceptance and refusal of the uses of this other card or these other cards.
- a certain amount of information such as the card identifier, the terminal identifier and the amount of the transaction are processed by the server. 36 of the banking network 14.
- the identifier of the card 10 reveals that it belongs to the system according to the invention, the identifiers of the terminal used and of the card 10 as well as the amount of the transaction are transmitted by the server 36 to the server 32 of the system according to the invention (step 44) which, firstly, will check the activation or deactivation state of the card 10 (step 46), this information being in its database 30.
- the server 32 also has access, in its database 22, to the identifier of the radiotelephone 20 or subscriber which is associated with the identifier of the card 10.
- the server 32 sends, in step 48, a request for the location of the radio telephone 20 to the server 40 of the radio telephone network 24. If the radio telephone 20 cannot be located as indicated at 50 (for example when it is switched off), the server 32 of the system according to the invention sends to the server 36 of the banking network 14 a refusal 52 of the transaction carried out by the card 10 on the terminal 12, 16 or 18.
- the radiotelephone 20 When the radiotelephone 20 is locatable, its approximate location is transmitted by the server 40 of the radiotelephony network 24 to the server 32 of the system according to the invention which, during this time, has sought in its database 28 the location of the terminal used, this location information being accessible from the terminal identifier transmitted by the server 36.
- the server 32 then performs, as indicated in 54, a comparison of the location of the terminal 12 or 16 and of the localized location of the radiotelephone 20 and optionally compares the amount of the transaction made with the card 10 to a ceiling prerecorded in its database 30.
- the server 32 sends to the server 36 of the banking network an information of acceptance of the transaction effect via the card 10 on terminal 12 or 16.
- the server 32 calls the radiotelephone 20, via the server 40 and the radiotelephone network 24, to ask the carrier of the radiotelephone to validate the transaction, as indicated in 60 (in data or voice mode, for example following the risk). If the radiotelephone bearer 20 validates the transaction as indicated in 62, the server 32 of the system according to the invention sends to the server 36 of the banking network 14 a transaction acceptance, as indicated in 58.
- the server 32 of the system according to the invention sends a refusal to the server 36 of the banking network 14, as indicated in 66.
- the server 32 identifies the location of the terminal to that of the localized mobile telephone and then saves it in the database 28. It then proceeds to the aforementioned step 60 of calling the radiotelephone 20, to request validation or refusal of the transaction by the carrier of the radiotelephone. This makes it possible to gradually build the database 28, and therefore to complete and update it.
- step 46 When the server 32 of the system according to the invention finds, at the end of step 46, that the card 10 is deactivated, as indicated at 70, it proceeds to step 60 of calling the radiotelephone 20 to request a validation or refusal of transaction.
- These operations of validation or rejection of a transaction by the radiotelephone bearer are carried out using the radiotelephone function keys, selected from a menu stored, preferably, in the memories of the means (module) d subscriber identification.
- the information pre-recorded in this module makes it possible to authenticate the transactions carried out with a card 10.
- the information contained in the subscriber identification module of the radiotelephone 20 allows the server 32 to authenticate the transaction carried out with the card 10.
- the requests validation provided in step 60 may include typing, on the keys of the radiotelephone 20, the confidential code associated with the card 10, or the code (PIN or SIM) associated with the mobile telephone.
- the verification of the code entered on the radiotelephone 20 and of the confidential code of the card (or of the mobile) is carried out by the subscriber identification module of the radiotelephone and conditions the sending by the server 32 of a acceptance or rejection of the transaction.
- the card held by the holder of the radiotelephone 20 is considered to be a "master” card while the other payment card or cards are considered to be “slave” cards.
- the master card can be used normally by its holder, as already described with reference to FIG. 2: the server 32 after having checked that the card is activated and that it is a master card as indicated in 72, passes in step 48 of requesting the location of the radiotelephone.
- the server 32 When the server 32, after having checked that the card used is indeed activated, notes that it is a slave card as indicated in 74 (this information is found in its database 30) and then compares the amount of the transaction made with this card to a prerecorded ceiling in its database 30, as indicated in 76. If the amount is greater than the ceiling recorded, the server 32 calls the mobile telephone 20 to request validation of the transaction (this is step 60 in FIG. 2). This can result in the display of an alarm message on the phone screen or in the issuance of an audible alarm through its loudspeaker. If the amount of the transaction is less than the ceiling recorded, the server 32 accepts the transaction and sends corresponding information to the server 36 of the banking network 14 (step 58 of FIG. 2).
- the carrier of the radiotelephone 20 makes purchases with his payment card 10 in a shopping center. He then leaves the shopping center. Later, his radiotelephone rings and he reads on the display screen the following message: "1500 francs at store XY2 - do you want to validate?". He checks in his card holder, his payment card 10 is not there. He answers "NO”. He then presses the "MENU” key on his radiotelephone then selects "PAYMENT CARD” and the "DEACTIVATION” function. The server 32 of the system according to the invention then refuses any transaction carried out by means of the card.
- radiotelephone 20 lends his payment card to his daughter who wishes to make a purchase of around 800 francs. A little later, his radiotelephone rings and he reads on the display screen: "900 francs at XYZ, do you want to validate?". He presses the "VALIDATION” button, thinking that his daughter has slightly exceeded the amount provided.
- the carrier of the radiotelephone 20 wishes to make some purchases on the Internet using his payment card. He presses the "MENU” key on his radiotelephone, then selects "PAYMENT CARD”, chooses the "PRE-AUTHORIZATION” function and then strikes an amount of 1200 francs. He then buys a few items on the Internet for 340 francs, by typing the number of his payment card on the keyboard of his microcomputer connected to the Internet. He is not called on his radiotelephone for a validation request. A little later, he again uses his payment card to buy items on another website. The transaction amount is approximately
- radiotelephone 20 Upon arriving at his office, the carrier of radiotelephone 20 realizes that he does not have his card holder. He presses the "MENU” key on his radiotelephone then selects "PAYMENT CARD” and chooses the "DEACTIVATION” function. Returning to his home, he finds his card holder. With his radiotelephone, he reactivates his payment card.
- radiotelephone 20 entrusted an employee with a "slave" payment card to enable him to pay his travel and subsistence expenses in the provinces for a few days.
- he registers in the database 30 of the system according to the invention an authorization of 1,500 francs valid for three days on the payment card entrusted to the employee.
- the wearer of radiotelephone 20 made purchases some time ago from a merchant, using his payment card 10. In the meantime, the merchant has changed his address and is now in another district of the city. .
- the server 32 of the system according to the invention finds that the location located of the radiotelephone does not correspond with the location of the terminal 12 recorded in its database 28. It calls the radiotelephone 20 to request validation of the transaction and saves the localized location of the radiotelephone as the new location of the terminal 12 in its database 28.
- the server 32 of the system according to the invention can check, without calling the radiotelephone 20, the consistency between the number of the cardholder's payment card and the identifiers recorded in the subscriber identification module equipping the radiotelephone .
- the server 32 calls the radiotelephone 20 and requests by message on the display screen a validation of the transaction in progress.
- the server 32 calls the radiotelephone 20 and requests on the display screen the entry, by means of the radiotelephone keys, of the confidential code associated with the payment card or of the identification code of the telephone. mobile.
- the server 32 calls the radiotelephone 20 and asks to speak to the bearer to inform him about the risk of the transaction while asking him to enter the confidential code of his payment card or the code of mobile phone identification.
- the server 32 sends the server 36 of the banking network a transaction refusal.
- the invention applies not only to the example which has been described and shown, but also to the securing of any use of cards or information carriers provided with means of identification and / or authentication, such as example that health cards, access cards to protected areas, electronic wallets, etc. and securing access and connection ("logging") to computer networks (for example of the intranet type) or to private data files, etc.
- the identifier of a medium associated with a radiotelephone identifier makes it possible (for the information processing means) to distinguish this medium from other media which are not associated with radiotelephones.
- the frames that circulate on the Internet include a field comprising information representative of the location (or address) of the “requesting” computer terminal which has just sent them.
- subscriber identification means were installed in the mobile telephone, for example in the form of a SIM card.
- these means could be stored in the form of a support authentication software module in another location of the system according to the invention, for example in a server, or more generally in a memory or an electronic card accessible by means classical computing.
- the bank servers systematically received the card identifier during each transaction, and that they issued an authorization number which was sent to the requesting terminal when certain chosen conditions were met. It is therefore possible to jointly transmit the transaction authorization number to the mobile telephone associated with the identifier and to the computer terminal which transmitted this identifier, then wait for the user of the mobile telephone to return, via said mobile telephone, the number authorization in order to transmit it to the terminal carrying out the transaction.
- the user intended to further strengthen the security of the transactions, either the user performs the comparison between the two authorization numbers and decides himself to accept the transaction, or the comparison is carried out by the terminal (preferably) , and the authorization is decided by this terminal when the numbers match.
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP00922691A EP1171851A1 (en) | 1999-04-12 | 2000-04-12 | Method and device for securing the use of cards comprising means of identification and/or authentication |
AU43005/00A AU4300500A (en) | 1999-04-12 | 2000-04-12 | Method and device for securing the use of cards comprising means of identification and/or authentication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR99/04537 | 1999-04-12 | ||
FR9904537A FR2792143B1 (en) | 1999-04-12 | 1999-04-12 | METHOD AND SYSTEM FOR SECURING THE USE OF CARDS COMPRISING MEANS OF IDENTIFICATION AND / OR AUTHENTICATION |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000062262A1 true WO2000062262A1 (en) | 2000-10-19 |
Family
ID=9544283
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2000/000945 WO2000062262A1 (en) | 1999-04-12 | 2000-04-12 | Method and device for securing the use of cards comprising means of identification and/or authentication |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1171851A1 (en) |
AU (1) | AU4300500A (en) |
FR (1) | FR2792143B1 (en) |
WO (1) | WO2000062262A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001065432A2 (en) * | 2000-03-03 | 2001-09-07 | Massimiliano Rijllo | Process and system for purchasing goods and services through a distributed data network |
EP1207505A1 (en) * | 2000-11-15 | 2002-05-22 | TELEFONAKTIEBOLAGET LM ERICSSON (publ) | Method for payment, user equipment, server, payment system and computer programme product |
GB2402792A (en) * | 2003-06-11 | 2004-12-15 | Sanjay Hora | Verifying identity and authorising transactions |
CN100463467C (en) * | 2004-12-01 | 2009-02-18 | 中兴通讯股份有限公司 | Mobile phone capable of paying riding fee and its paying method |
WO2012134330A1 (en) | 2011-03-25 | 2012-10-04 | Общество С Ограниченной Ответственностью "Аилайн Кэмьюникейшнс Снг" | Method for presenting information when conducting distributed transactions and structure for implementing same |
US20150149222A1 (en) * | 2001-08-21 | 2015-05-28 | Bookit Oy Ajanvarauspalvelu | Booking method and system |
US11222339B2 (en) * | 2019-12-17 | 2022-01-11 | Capital One Services, Llc | Computer-based systems and methods configured for one or more technological applications for authorizing a credit card for use by a user |
US11669827B1 (en) * | 2006-10-31 | 2023-06-06 | United Services Automobile Association (Usaa) | GPS validation for transactions |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002055960A (en) * | 2000-08-10 | 2002-02-20 | Nec Corp | System and method for card authentication |
GB0122249D0 (en) * | 2000-11-01 | 2001-11-07 | British Telecomm | Transaction authentication |
FR2816736B1 (en) | 2000-11-10 | 2003-10-24 | Smart Design | METHOD AND INSTALLATION FOR SECURING THE USE OF MEDIA ASSOCIATED WITH IDENTIFIERS AND ELECTRONIC DEVICES |
FR2819127A1 (en) | 2001-01-02 | 2002-07-05 | Smart Design | Securing of commercial transactions in shops, etc. where a purchaser uses a credit or banker's card by use of a customer's mobile phone to provide transaction confirmation and thus reduce fraud |
FR2834163B1 (en) * | 2001-12-20 | 2004-11-19 | Cegetel Groupe | METHOD FOR CONTROLLING ACCESS TO CONTENT AND SYSTEM FOR CONTROLLING ACCESS TO CONTENT |
US7748617B2 (en) | 2004-04-12 | 2010-07-06 | Gray R O'neal | Electronic identification system |
US7275685B2 (en) | 2004-04-12 | 2007-10-02 | Rearden Capital Corporation | Method for electronic payment |
US7337956B2 (en) | 2004-04-12 | 2008-03-04 | Rearden Capital Corporation | System and method for facilitating the purchase of goods and services |
DE102006037167A1 (en) * | 2006-08-09 | 2008-02-14 | Deutsche Telekom Ag | Method and system for carrying out a payment transaction with a means of payment |
DE102009060946A1 (en) * | 2009-12-23 | 2011-06-30 | Doering, Wolfram, 13469 | Method for electronic communication of banking orders and communication system for carrying out the method |
LU92006B1 (en) * | 2012-05-24 | 2013-11-25 | Alexandre Coste | Method of notification, identification, and authentication to an automated data processing system by geolocation of the applicant |
US20150120453A1 (en) * | 2013-10-25 | 2015-04-30 | Palo Alto Research Center Incorporated | Real-time local offer targeting and delivery system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5615110A (en) * | 1994-05-19 | 1997-03-25 | Wong; Kam-Fu | Security system for non-cash transactions |
WO1998006214A1 (en) * | 1996-08-08 | 1998-02-12 | Raymond Anthony Joao | Financial transaction, authorization, notification and security apparatus |
WO1998034203A1 (en) * | 1997-01-30 | 1998-08-06 | Qualcomm Incorporated | Method and apparatus for performing financial transactions using a mobile communication unit |
WO1998047116A1 (en) * | 1997-04-15 | 1998-10-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Tele/datacommunications payment method and apparatus |
WO1999014711A2 (en) * | 1997-09-17 | 1999-03-25 | Andrasev Akos | Method for checking rightful use of a debit card or similar means giving right of disposing of a bank account |
-
1999
- 1999-04-12 FR FR9904537A patent/FR2792143B1/en not_active Expired - Fee Related
-
2000
- 2000-04-12 EP EP00922691A patent/EP1171851A1/en not_active Withdrawn
- 2000-04-12 AU AU43005/00A patent/AU4300500A/en not_active Abandoned
- 2000-04-12 WO PCT/FR2000/000945 patent/WO2000062262A1/en not_active Application Discontinuation
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5615110A (en) * | 1994-05-19 | 1997-03-25 | Wong; Kam-Fu | Security system for non-cash transactions |
WO1998006214A1 (en) * | 1996-08-08 | 1998-02-12 | Raymond Anthony Joao | Financial transaction, authorization, notification and security apparatus |
WO1998034203A1 (en) * | 1997-01-30 | 1998-08-06 | Qualcomm Incorporated | Method and apparatus for performing financial transactions using a mobile communication unit |
WO1998047116A1 (en) * | 1997-04-15 | 1998-10-22 | Telefonaktiebolaget Lm Ericsson (Publ) | Tele/datacommunications payment method and apparatus |
WO1999014711A2 (en) * | 1997-09-17 | 1999-03-25 | Andrasev Akos | Method for checking rightful use of a debit card or similar means giving right of disposing of a bank account |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001065432A3 (en) * | 2000-03-03 | 2002-09-06 | Massimiliano Rijllo | Process and system for purchasing goods and services through a distributed data network |
WO2001065432A2 (en) * | 2000-03-03 | 2001-09-07 | Massimiliano Rijllo | Process and system for purchasing goods and services through a distributed data network |
EP1207505A1 (en) * | 2000-11-15 | 2002-05-22 | TELEFONAKTIEBOLAGET LM ERICSSON (publ) | Method for payment, user equipment, server, payment system and computer programme product |
WO2002041266A2 (en) * | 2000-11-15 | 2002-05-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Method for payment, user equipment, server, payment system and computer programme product |
WO2002041266A3 (en) * | 2000-11-15 | 2002-08-15 | Ericsson Telefon Ab L M | Method for payment, user equipment, server, payment system and computer programme product |
US20150149222A1 (en) * | 2001-08-21 | 2015-05-28 | Bookit Oy Ajanvarauspalvelu | Booking method and system |
GB2402792A (en) * | 2003-06-11 | 2004-12-15 | Sanjay Hora | Verifying identity and authorising transactions |
CN100463467C (en) * | 2004-12-01 | 2009-02-18 | 中兴通讯股份有限公司 | Mobile phone capable of paying riding fee and its paying method |
US11669827B1 (en) * | 2006-10-31 | 2023-06-06 | United Services Automobile Association (Usaa) | GPS validation for transactions |
WO2012134330A1 (en) | 2011-03-25 | 2012-10-04 | Общество С Ограниченной Ответственностью "Аилайн Кэмьюникейшнс Снг" | Method for presenting information when conducting distributed transactions and structure for implementing same |
US9226154B2 (en) | 2011-03-25 | 2015-12-29 | Eyeline Communications Cis, Llc. | Method for presenting information when conducting distributed transactions and structure for implementing same |
US11222339B2 (en) * | 2019-12-17 | 2022-01-11 | Capital One Services, Llc | Computer-based systems and methods configured for one or more technological applications for authorizing a credit card for use by a user |
US20220122086A1 (en) * | 2019-12-17 | 2022-04-21 | Capital One Services, Llc | Computer-based systems and methods configured for one or more technological applications for authorizing a credit card for use by a user |
US11720897B2 (en) * | 2019-12-17 | 2023-08-08 | Capital One Services, Llc | Computer-based systems and methods configured for one or more technological applications for authorizing a credit card for use by a user |
Also Published As
Publication number | Publication date |
---|---|
EP1171851A1 (en) | 2002-01-16 |
AU4300500A (en) | 2000-11-14 |
FR2792143B1 (en) | 2004-04-02 |
FR2792143A1 (en) | 2000-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2000062262A1 (en) | Method and device for securing the use of cards comprising means of identification and/or authentication | |
EP1254437B1 (en) | Service activation by virtual prepaid card | |
EP1899950B1 (en) | Method for securing a transaction with a payment card and activation server for implementating the method | |
US6597770B2 (en) | Method and system for authorization of account-based transactions | |
US20020152177A1 (en) | Method and arrangement for electronically transferring an amount of money from a credit account memory | |
JP2005004764A (en) | Method of payment from account by customer having mobile user terminal, and customer authentication network | |
EP2537286A1 (en) | Method for biometric authentication, authentication system and corresponding program | |
EP2369780B1 (en) | Method and system for validating a transaction, and corresponding transactional terminal and programme | |
EP1668938B1 (en) | Method for matching a mobile telephone with a personal card | |
CA2398317A1 (en) | System and method for making secure data transmissions | |
FR2908211A1 (en) | METHOD AND SYSTEM FOR REMOVING MONEY USING A MOBILE TELEPHONE | |
EP1415283B1 (en) | Method and system for formal guarantee of a payment, using a portable telephone | |
EP1323140B1 (en) | Method for providing identification data of a banking card to a user | |
WO2002039392A2 (en) | Method and installation for making secure the use of media associated with identifiers and with electronic devices | |
FR2829647A1 (en) | Authentication of a transaction relating to acquisition and payment for goods and services, whereby authentication makes use of both Internet and mobile phone technology for transmission and validation of codes and passwords | |
FR2914763A1 (en) | DYNAMIC CRYPTOGRAM | |
FR2905021A1 (en) | METHOD AND SYSTEM OF PAYMENT USING A MOBILE TELEPHONE | |
EP1301910B1 (en) | Method for making secure a transaction via a telecommunication network, and system therefor | |
FR2812424A1 (en) | Method for secure transaction of goods and services over a mobile telephone using a cellular network, uses network operator as trusted third party, and separate paths to client and vendor to authenticate each | |
WO2003007251A1 (en) | Payment guarantee method for electronic commerce, particularly by mobile telephone, and the system for implementing same | |
FR2775548A1 (en) | Goods/services rechargable telephone payment system | |
WO2002046984A1 (en) | Method for secure transaction between a buyer and a seller | |
EP1172775A1 (en) | Method for protecting an access to a secured domain | |
FR2802685A1 (en) | Method and software for comparing a PIN number for a service card fitted with a variable display, a new value based on a random number is generated each time the card is used, this new value serves for the next card user | |
EP1649430A2 (en) | Method for operating private payment means and device for operating private payment means and uses thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2000922691 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2000922691 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
NENP | Non-entry into the national phase |
Ref country code: JP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2000922691 Country of ref document: EP |