Electrical computers and digital processing systems: support – System access control based on user identification by...
Reexamination Certificate
1998-12-29
2003-07-15
Barron, Gilberto (Department: 2132)
C713S150000, C713S161000, C713S172000, C380S277000
active
06594759
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates to methods and apparatus for conducting electronic transactions. More particularly, the present invention relates to portable electronic authorization devices (PEADs) which advantageously and substantially eliminate the security risks associated with prior art techniques of approving transactions between a user and an electronic transaction system.
Electronic transaction systems are known. An electronic transaction system typically permits a user to conduct designated transactions electronically, which substantially improves efficiency and convenience to the user. Examples of electronic transactions include transactions conducted via computer networks, automated teller machines (ATM's), automated point-of-sale systems, automated library systems, and the like. Transactions conducted via computer networks may encompass a wide range of transactions, including exchanging information and data via a computer network popularly known as the Internet, e.g., to make a purchase from a vendor on the network. ATM's typically permit users to conduct financial transactions (such as withdrawals, transfers, deposits, and the like) vis-à-vis a financial institution in an electronic manner. Automated point-of-sale systems may be employed by merchants to permit users to purchase products or services using the users' electronic account, and automated library systems may be employed to permit library users to check out and return library materials. Other examples of electronic transaction systems are readily available in popular literature and are not enumerated herein for brevity's sake.
To enhance security to the user's account, electronic transaction systems typically request the user to provide identification data to authenticate himself as the user authorized to approve the proposed transaction or transactions. If the user fails to provide the requested identification data, the proposed transaction or transactions are not authorized and will not be processed. The identification data may be required with each transaction. By way of example, an automated point-of-sale system may require the user to approve a purchase transaction and will accept an approval message only if it is satisfied that the person approving the transaction has furnished adequate identifying data authenticating himself as the person authorized to perform the approval. Alternatively, the identification data may be entered by the user at the start of a session to authenticate himself and enable that user to subsequently perform any number of transactions without further authentication.
In the prior art, users are typically required to manually enter the identification data into the electronic transaction system for authentication. Typically, the entry of identification data involves typing in a password on a numeric keypad or on a keyboard. The identification data is then compared with data previously stored within the electronic transaction system, and authentication is satisfied when there is a match. As mentioned previously, the transaction or transactions proposed will not be allowed to proceed if there is no match.
Although prior art electronic transaction systems provide some protection from unauthorized access and use of the user's account, there are disadvantages. To illustrate certain disadvantages associated with prior art electronic transaction systems, reference may be made to FIG. 1 herein. FIG. 1 shows an automated teller machine (ATM) 100, representing the requesting device of an electronic transaction system 102. Electronic transaction system 102 may include, for example, a central database 104 which contains previously-stored identification data and account data of user 106.
To initiate a typical transaction with ATM 100, user 106 first inserts a data card 107, such as a bank card or a credit card, into a card reader 109. Data card 107 typically includes a magnetic stripe that contains the account number and other information related to the user, which may then be read by card reader 109. The data stored in data card 107 enables electronic transaction system 102 to ascertain which account in database 104 user 106 wishes to transact business.
Via a keypad 108 on ATM 100, user 106 may then be able to enter his identification data, e.g., his personal identification number (PIN), to authenticate himself. If the entered identification data matches the identification data stored with the account in database 104 that is identified by data card 107, the user is authenticated and granted access to his account. If there is no match, authentication fails. After authentication, user 106 may be able to, for example, employ a combination of keypad 108 and a screen 110 to withdraw cash from his account, which results in cash being dispensed from ATM 100 and the balance in his account within database 104 correspondingly reduced.
Theoretically, the identification data entered into ATM 100 should be secure. In reality, there are many potential security risks to the identification data in prior art authentication techniques. Since the identification data is not encrypted before being entered into ATM 100, the non-encrypted identification data is vulnerable to unauthorized access and procurement. Encryption of the identification data is not practical in the prior art since it would have been too complicated and/or inconvenient for the user to perform encryption or memorize the encrypted identification data. Unauthorized procurement of the identification data in the prior art may occur, for example, upon entry if it is inadvertently seen by another party, e.g., by another person behind user 106, either on screen 110 or more likely at keypad 108.
Even if encryption is employed on the identification data in the prior art, e.g., prior to transmission from ATM 100 to database 104, the encryption typically occurs within ATM 100 and still requires the entry of non-encrypted identification data from user 106 and the existence of the identification data for some duration of time in ATM 100. Unauthorized access to the identification data may then occur if an unauthorized party is able to gain entry into ATM 100 and intercepts, e.g., via software or hardware implemented in ATM 100, the non-encrypted identification data therein.
Furthermore, if public key cryptography is employed within ATM 100, the storage of the user's private key within ATM 100 renders this private key vulnerable to theft, further exposing the user's account to risk. The stolen password and/or private key may then be employed to allow unauthorized persons to access the user's account to the user's detriment.
In view of the foregoing, there are desired apparatus and methods for conducting transactions with the electronic transaction system while substantially eliminating the risk of unauthorized access to the user's account and unauthorized procurement of the user identification data. Preferably, such an apparatus should be easily portable to permit the user to conveniently and comfortably perform transaction authentication anywhere.
SUMMARY OF THE INVENTION
The invention relates, in one embodiment, to a computer configured to authenticate a user to an electronic transaction system. The computer includes a central processing unit and electronic authorization firmware disposed within the computer and in electronic communication with the central processing unit. The electronic authorization firmware includes a non-volatile memory circuit configured to store at least one of a user private key and user identification data and a firmware identification data. The electronic authorization firmware further includes decryption logic circuitry disposed between the non-volatile memory circuit and the electronic transaction system. The decryption logic circuitry is configured to prevent unauthorized access to at least one of the user private key and the user identification data in the non-volatile me
Barron Gilberto
Esignx Corporation
Moser Patterson & Sheridan LLP
Zand Kambiz