1
POSTAL COUNTER POSTAGE EVIDENCING
SYSTEM WITH CLOSED LOOP
VERIFICATION
5
FIELD OF THE INVENTION
The instant invention relates to a method and apparatus for securely producing evidence of postage dispensed. More particularly, the instant invention is directed to a closed loop verification system of audit and control which enables the 10 detection of fraud at postal facility counters and the collection of evidence to support a charge of such fraud against particular individual(s).
BACKGROUND OF THE INVENTION 15
In many countries there are post offices, under the physical control of a postal authority, where letters and packages can be mailed. An individual can walk into the post office and present their mailpiece to a postal clerk at the postal 2Q counter. The clerk will weigh the mailpiece to determine the appropriate postage required, collect the value from the individual (i.e. cash, credit card, etc.) to pay for the required postage, and print out and attach to the mailpiece evidence of postage paid. 25
FIG. 1 shows a traditional postal counter audit system 1 that is used to implement the procedure described above. The postal counter audit system 1 includes a personal computer (PC) 3, a scale 5, and a label printer 7 (which collectively form a postal counter system 8). The postal 30 counter system 8 prints evidence of postage dispensed at the direction of the postal clerks. Each postal counter system 8 maintains a logfile in the PC 3 of all postage that it dispenses. The logfile data should match the value collected by the postal clerks for the postage dispensed. 35
As further shown in FIG. 1, several postal counter systems 8 are commonly networked together along with an administrative computer 9 at a postal facility 10. The administrative computer 9 is controlled by a postal administrator responsible for the proper operation of the postal facility 10, 40 e.g., a local postmaster. The postal administrator collects the logfile from each postal counter system 8 (electronically via the administrative computer 9). These logfiles are compared with the cash receipts (cash, credit card transactions, etc.) collected at each postal counter system 8. Any discrepancies 45 between the cash receipts and the logfiles are an indicator of potential fraud by a postal clerk. Additionally, all logfiles, or at least a summary of logfile data from the postal facility 10, and a summary of cash receipt data are transmitted (over existing communication networks 12) to a postal funds 50 management computer 11. The postal funds management computer 11 also compares the received logfile data with the cash receipt data to determine if any discrepancies exist which would be evidence of potential fraud.
Unfortunately, existing postal counter audit systems 1 are 55 subject to several types of fraud which may go undetected. Since the PC 3 includes a processor which is not a secure device, the logfiles stored in PC 3 may be easily tampered with by postal clerks that have access to PC 3 and some basic computer knowledge. As a result, a clerk could simply 60 modify the logfiles (perhaps by deleting entries) and pocket the funds from the cash drawer associated with the modified records. Since the tampered logfiles would match the cash receipts, it would be difficult for a postal administrator to determine that a clerk was stealing postal funds. Moreover, 65 an administrator (working on his own or in conjunction with a clerk) could also falsify records (logfile summaries and
2
cash receipts) prior to transmission to the postal funds management computer 11 and such fraudulent activity might go undetected.
The above potential fraudulent activities are largely attributable to the fact that there is no prepayment of postage at a postal counter system 8 as there is with a conventional prepayment postage meter. That is, in a postage meter since the value contained therein has already been paid for, the problems associated with a cash basis transaction for postage does not exist. Accordingly, the instant invention is directed toward the detection of fraud in a "pay for postage as you dispense" counter operation and the collection of collaborating evidence in support of such fraud detection.
Additionally, the postal counter audit system 1 does not have a source of data, separate from the data transmitted from the administrative computer 9 (or the postal counter system 8) to the funds management computer 11, that can be used to independently verify the data transmitted from the administrative computer 9. For example, if the logfiles are altered as discussed above, there is no data feedback based on the processing of the actual mailpieces passing through the mailstream that is used to detect such fraud.
Yet another problem occurs when several people operate a single postal counter system 8. In this situation, even if fraud is detected, it may be difficult to identify only those individuals committing the fraud.
Finally, another potential problem may exist if a postal clerk delays the reporting of logfiles. That is, if a postal clerk lags behind in sending out up to date logfiles, some of the cash received could be pocketed. In this situation the cash sent to the administrator would still match the transmitted logfiles which lag behind.
SUMMARY OF THE INVENTION
A method for auditing postage dispensing transactions at a postal facility includes the steps of: receiving in a secure processor based device a request to dispense an amount of postage; updating, in response to the request, accounting data within the secure processor based device to account for the amount of postage; cryptographically securing the updated accounting data in the secure processor based device; dispensing the amount of postage by generating and applying the cryptographically, secured, updated accounting data to a mailpiece. The method further includes receiving cash value for the amount of postage dispensed; sending from the secure processor based device to an administrative computer a cryptographically secure message including the updated accounting data; obtaining and comparing, at the administrative computer, the updated accounting data from the secure message with the cash value received and previous updated accounting data received from a previous secure message from the secure processor based device, and determining if any inconsistencies exist based on the comparing; and obtaining and analyzing, at a funds management computer, the updated accounting data from the mailpiece and the updated accounting data from the secure message and determining if any inconsistencies exist based on the analyzing. An apparatus incorporates the method.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate a presently preferred embodiment of the invention, and together with the general description given above and the detailed description of the preferred embodiment given below, serve to explain the principles of the invention.
3
FIG. 1 shows a prior art postal counter audit system;
FIG. 2 shows the inventive postal counter audit and control system;
FIG. 3 shows a representative example of a digital postage mark; 5
FIG. 4 describes the cryptographic elements used in the inventive a system of FIG. 2;
FIG. 5 shows a verification procedure; and
FIG. 6 shows an audit procedure implemented in the 10 invention of FIG. 2.
DETAILED DESCRIPTION OF THE
PREFERRED EMBODIMENT
The inventive postal counter audit and control system 15 (PCACS) 13, as shown in FIG. 2, employs a combination of smart card technology, public key cryptography, administrative audit and control, and physical security to manage the security of postage value dispensed by postal clerks at a postal counter. The PCACS 13 includes individual postage 20 dispensing counters 15, an administrative computer 17, a funds management computer 19, a postal verification system (s) 21 and a certificate authority (CA) computer 23.
The postage dispensing counters 15 each include a PC ^ 15a, a smart card reader 15fc, a smart card 15c, a scale 15d and a label/mailpiece printer 15e. The purpose of the postage dispensing counters 15 are to provide a postal clerk the ability to create digital postage marks (DPM's 31) as evidence of postage dispensed by the postage dispensing 3Q counter 15. That is, unlike existing postal counter systems 1 (FIG. 1) that only print non-cryptographically secure evidence of postage dispensed, the postage dispensing counters 15 print cryptographically secure and verifiable DPMs 31.
Referring to FIG. 3, a representative DPM 31 is shown on 35 a sealed mailpiece or sealed package 33 containing thereon a recipient address field 35. The DPM 31 contains a dollar amount 37, a date 39 that the evidence of postage was affixed to the mailpiece 33, a location 41 that the mailpiece 33 was mailed from, a meter serial number 43, the class of mail 45, 40 a FIM code 47 and a 2D bar code 49. Bar code 49 includes cryptographically secured information that is derived from address field 35 and other information (such as the date 39, serial number 43, value of postage dispensed 37, piece count, descending and ascending register values) generated 45 or contained in the meter that affixed DPM 31 to the mailpiece 33.
The cryptographically secured information contained in the bar code 49 may include all or only some of the data elements discussed above. However, whichever data is 50 included it is digitally signed with the private key of the meter. Upon receipt of the mailpiece 33, the cognizant postal authority can obtain the public key that corresponds to the meter private key in order to verify the authenticity of the cryptographically secured information and the DPM 31. 55
Returning to FIG. 2, the PC 15a provides both the postal clerk interface and the communication interface between the smart cards 15c and the administrative computer 17. The smart cards 15c provide a secure, cost-effective mechanism to distribute the ability to create DPMs 31 to postage 60 dispensing counters 15 and to individual postal clerks. That is, each postal clerk can be assigned a specific (uniquely identifiable such as through a unique serial no.) smart card 15c that provides the postal clerk with the ability to access the postal dispensing counters 15 via the card reader 15fc and 65 the PC 15a to create a DPM 31. The smart card 15c maintains a log of the postage dispensed from that smart
4
card 15c which log should be consistent with the cash received at the postage dispensing counters 15. The DPM 31 is formatted for printing by the PC 15a and printed on a mailpiece or label by the printer 15d (preferably in machinereadable format such as the 2D barcode 49). As previously mentioned, each DPM 31 contains a digitally signed record (secret or public key infrastructures can be used) that indicates the smart card 15c that produced the DPM 31 and the postage amount dispensed. In a preferred embodiment, the DPM 31 also contains the date and an indication of register values of the smart card 15c.
The use of a smart card or a similar portable processing device in conjunction with a PC to create a verifiable DPM 31 as evidence of postage dispensed and to securely account for postage in the smart card is well known in the art as reflected in U.S. Pat. No. 5,781,438 which is hereby incorporated by reference. Accordingly, while a detailed description of such devices is not considered necessary for an understanding of the instant invention, a brief overview is considered helpful.
The smart card 15c accounts for all of the evidence of postage value dispensed from it in an ascending register. Additionally, the amount of evidence of postage value at any given time that is permitted to be dispensed is reflected in the descending register. The sum of the ascending and descending registers is known as the control sum and will always reflect the total of authorized postage value that has been made available to the meter over its lifetime. Moreover, these registers together with the smart card's 15c dedicated processor are all protected from a security attack by both physical and logical measures. Accordingly, the ability of an attacker to alter the accounting registers within the smart card 15c is significantly reduced as compared to modifying the logfiles of the prior art postal counter systems 8 (FIG. 1).
Referring to FIGS. 2-6, the operation of the PCACS 13 will now be described. When the smart card 15c is in the reader 15fc and a postal clerk requests postage to be dispensed via the PC 15a, the smart card 15c accounts for the postage to be dispensed by adjusting the ascending and descending registers. Then, the smart card 15c signs the ascending and descending register data together with the smart card 15c serial number utilizing a private key Vsc stored therein. The signed data is transmitted to the PC 15a which forms the final DPM 31 image that includes the signed data. The PC 15a then drives the printer 15e to print the DPM 31 on a label or the mailpiece. Once the mailpiece is placed into the mailstream, the DPM 31 can be scanned and read at the verification system 21 for verification (in a known manner) and subsequent use in detecting fraudulent activity as discussed in more detail below.
In addition to the above, the PC 15a may also store transaction logfiles which account for every postage dispensing transaction that takes place. Since the data in the logfiles consists of data signed by the smart card 15c, any modification of logfiles data can be detected. These logfiles therefore can be used as yet another source of data by the administrative computer 17 and/or the funds management computer 19 to help detect fraudulent activity.
The administrative computer 17 provides a central point of local audit and control over the postage dispensing counters 15 at each postal facility 18. In addition, the administrative computer 17 provides a communication interface between postage dispensing counters 15 and the certificate authority computer 23, the postal verification computer 21 and the funds management computer 19. Each administrative computer 17 is capable of auditing the func
|
