Electronic transaction systems and methods therefor

Electrical computers and digital processing systems: support – System access control based on user identification by...

Reexamination Certificate

Details

C713S168000, C713S169000, C380S255000, C380S281000, C380S283000

active

06175922

BACKGROUND OF THE INVENTION
The present invention relates to methods and apparatus for conducting electronic transactions. More particularly, the present invention relates to portable electronic authorization devices (PEADs) which advantageously and substantially eliminate the security risks associated with prior art techniques of approving transactions between a user and an electronic transaction system.
Electronic transaction systems are known. An electronic transaction system typically permits a user to conduct designated transactions electronically, which substantially improves efficiency and convenience to the user. Examples of electronic transactions include transactions conducted via computer networks, automated teller machines (ATM's), automated point-of-sale systems, automated library systems, and the like. Transactions conducted via computer networks may encompass a wide range of transactions, including exchanging information and data via a computer network popularly known as the Internet, e.g., to make a purchase from a vendor on the network. ATM's typically permit users to conduct financial transactions (such as withdrawals, transfers, deposits, and the like) vis-à-vis a financial institution in an electronic manner. Automated point-of-sale systems may be employed by merchants to permit users to purchase products or services using the users' electronic account, and automated library systems may be employed to permit library users to check out and return library materials. Other examples of electronic transaction systems are readily available in popular literature and are not enumerated herein for brevity's sake.
To enhance security to the user's account, electronic transaction systems typically request the user to provide identification data to authenticate himself as the user authorized to approve the proposed transaction or transactions. If the user fails to provide the requested identification data, the proposed transaction or transactions are not authorized and will not be processed. The identification data may be required with each transaction. By way of example, an automated point-of-sale system may require the user to approve a purchase transaction and will accept an approval message only if it is satisfied that the person approving the transaction has furnished adequate identifying data authenticating himself as the person authorized to perform the approval. Alternatively, the identification data may be entered by the user at the start of a session to authenticate himself and enable that user to subsequently perform any number of transactions without further authentication.
In the prior art, users are typically required to manually enter the identification data into the electronic transaction system for authentication. Typically, the entry of identification data involves typing in a password on a numeric keypad or on a keyboard. The identification data is then compared with data previously stored within the electronic transaction system, and authentication is satisfied when there is a match. As mentioned previously, the transaction or transactions proposed will not be allowed to proceed if there is no match.
Although prior art electronic transaction systems provide some protection from unauthorized access and use of the user's account, there are disadvantages. To illustrate certain disadvantages associated with prior art electronic transaction systems, reference may be made to FIG. 1 herein. FIG. 1 shows an automated teller machine (ATM) 100, representing the requesting device of an electronic transaction system 102. Electronic transaction system 102 may include, for example, a central database 104 which contains previously-stored identification data and account data of user 106.
To initiate a typical transaction with ATM 100, user 106 first inserts a data card 107, such as a bank card or a credit card, into a card reader 109. Data card 107 typically includes a magnetic stripe that contains the account number and other information related to the user, which may then be read by card reader 109. The data stored in data card 107 enables electronic transaction system 102 to ascertain which account in database 104 user 106 wishes to transact business.
Via a keypad 108 on ATM 100, user 106 may then be able to enter his identification data, e.g., his personal identification number (PIN), to authenticate himself. If the entered identification data matches the identification data stored with the account in database 104 that is identified by data card 107, the user is authenticated and granted access to his account. If there is no match, authentication fails. After authentication, user 106 may be able to, for example, employ a combination of keypad 108 and a screen 110 to withdraw cash from his account, which results in cash being dispensed from ATM 100 and the balance in his account within database 104 correspondingly reduced.
Theoretically, the identification data entered into ATM 100 should be secure. In reality, there are many potential security risks to the identification data in prior art authentication techniques. Since the identification data is not encrypted before being entered into ATM 100, the non-encrypted identification data is vulnerable to unauthorized access and procurement. Encryption of the identification data is not practical in the prior art since it would have been too complicated and/or inconvenient for the user to perform encryption or memorize the encrypted identification data. Unauthorized procurement of the identification data in the prior art may occur, for example, upon entry if it is inadvertently seen by another party, e.g., by another person behind user 106, either on screen 110 or more likely at keypad 108.
Even if encryption is employed on the identification data in the prior art, e.g., prior to transmission from ATM 100 to database 104, the encryption typically occurs within ATM 100 and still requires the entry of non-encrypted identification data from user 106 and the existence of the identification data for some duration of time in ATM 100. Unauthorized access to the identification data may then occur if an unauthorized party is able to gain entry into ATM 100 and intercepts, e.g., via software or hardware implemented in ATM 100, the non-encrypted identification data therein.
Furthermore, if public key cryptography is employed within ATM 100, the storage of the user's private key within ATM 100 renders this private key vulnerable to theft, further exposing the user's account to risk. The stolen password and/or private key may then be employed to allow unauthorized persons to access the user's account to the user's detriment.
In view of the foregoing, there are desired apparatus and methods for conducting transactions with the electronic transaction system while substantially eliminating the risk of unauthorized access to the user's account and unauthorized procurement of the user identification data. Preferably, such an apparatus should be easily portable to permit the user to conveniently and comfortably perform transaction authentication anywhere.
SUMMARY OF THE INVENTION
The present invention relates, in one embodiment, to a method for completing a transaction request pertaining to an electronic transaction conducted over an electronic network having a server and a requesting device. The method includes receiving from the server at the requesting device a transaction program, which includes an executable portion. The method also includes searching, employing the executable portion, for a transaction approval device associated with the requesting terminal. If the transaction approval device is detected, the method includes employing the transaction approval device to approve the transaction request. There is further included transmitting, using the requesting device, an approved transaction request to the server to complete the electronic transaction. The approved transaction request signifies
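The following Python model is an added illustration, not code from the patent. It contrasts the prior-art flow described in the background, where the cleartext PIN resides in the requesting device, with a flow in which a separate approval device approves the request. All class and function names and sample values are hypothetical, and the HMAC-SHA256 tag with a key shared between device and server is an assumption, since this excerpt does not state how the approval device produces its approval.

```python
import hashlib
import hmac
import secrets

class ApprovalDevice:
    """Stand-in for the transaction approval device; the key never leaves it."""
    def __init__(self, key):
        self._key = key
    def approve(self, request):
        # Assumption: approval is an HMAC-SHA256 tag over the request bytes.
        return hmac.new(self._key, request, hashlib.sha256).digest()

class RequestingDevice:
    """Terminal model; `seen` records every value that passes through it."""
    def __init__(self, attached=None):
        self.attached, self.seen = attached, []
    def prior_art_submit(self, request, typed_pin):
        self.seen.append(typed_pin)          # cleartext PIN sits in the terminal
        return request, typed_pin
    def submit_with_device(self, request):
        device = self.attached               # the "search" step of the method
        if device is None:
            return None                      # nothing detected, nothing approved
        tag = device.approve(request)
        self.seen.append(tag)                # only the approval transits
        return request, tag

class Server:
    def __init__(self, pin, device_key):
        self._pin, self._key = pin, device_key
    def check_pin(self, request, pin):
        return hmac.compare_digest(pin, self._pin)
    def check_approval(self, request, tag):
        expected = hmac.new(self._key, request, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def demo():
    pin, key = b"4921", secrets.token_bytes(32)      # constructed sample values
    server = Server(pin, key)
    req, other = b"withdraw:100:acct-0001", b"withdraw:900:acct-0001"
    old = RequestingDevice()
    old.prior_art_submit(req, pin)
    new = RequestingDevice(ApprovalDevice(key))
    _, tag = new.submit_with_device(req)
    return {
        "pin_visible_in_terminal": pin in old.seen,
        "captured_pin_approves_other_request": server.check_pin(other, old.seen[0]),
        "key_visible_in_terminal": key in new.seen,
        "approval_accepted": server.check_approval(req, tag),
        "approval_reused_on_other_request": server.check_approval(other, tag),
        "no_device_result": RequestingDevice().submit_with_device(req),
    }
```

In this model a value captured inside the terminal in the prior-art flow authorizes any request, while the captured approval is valid only for the request it was computed over.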
