Registers – Systems controlled by data bearing records – Credit or identification card systems
Reexamination Certificate
1999-01-29
2002-07-23
Frech, Karl D. (Department: 2876)
Registers
Systems controlled by data bearing records
Credit or identification card systems
C235S375000
Reexamination Certificate
active
06422460
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a secure authorization system using an authorizing device. More particularly, the present invention relates to a software implementation which limits unauthorized use of an authorizing device, such as a smart card.
BACKGROUND
As computer technology advances, more people are using their computers for everyday tasks. Bank customers are able to check their account balances, transfer money, and pay bills using a computer. The frequency of purchasing products over the Internet is also increasing. To permit this electronic commerce, consumers are paying for the purchased items using various forms of electronic means, such as credit cards, CyberCoin®, and other electronic means. Unfortunately, as the demand for more on-line purchasing options rises so does the need to combat fraud and hence the need for security measures.
Security measures, such as external authorizing devices, i.e., palmtops or personal digital assistants (PDAs), computers, laptop computers, smart cards, etc. are becoming more popular as a means to authorize a transaction. The most popular external device is the smart card. Smart cards are similar to credit cards but include software, a processing module, and a limited amount of memory. The software controls the processing module.
The software and processing module allow a user to use a smart card to authorize a transaction. The authorization can be for approving transactions such as purchases, business expenses, paying business expenses, training, and many other business related items, however this list should not be construed as a limitation. To authorize a transaction, the transaction is submitted to a queue for authorization. The authorizing authority uses the smart card to authorize the transaction in the queue. The software and processing module on the smart card provide the authorizing signature. Authorization can take several forms, but typically the authorizing party enters a password and clicks on an icon which authorizes the transaction. The authorized transaction is then routed back to the user who submitted the transaction to the authorization queue. In some systems, a signature or an icon will indicate that the transaction has been authorized.
Although authorizing devices are an effective security measure, they are not fool proof. For example, present day smart cards are subject to authorizing unauthorized transactions, i.e., fraud. This problem occurs when a person is using a computer network and a transaction is submitted to the authorizing party's computer for the authorizing party's authorization. Unknown to the authorizing party, when the party authorizes what he or she believes is only a single transaction, that party is actually authorizing multiple transactions. As a result, the authorizing party unknowingly authorizes additional transactions which are typically not discovered until a much later date.
This problem has become so notorious, that the problem is known as the Radar O'Reilly attack. The name is based on the popular television show MASH, where the company clerk, Radar O'Reilly hands his Colonel papers to be signed and the Colonel authorizes the paperwork without looking at the paperwork.
Security for smart cards have been the subject of numerous inventions. U.S. Pat. No. 5,594,227 to Deo was granted for a “System and Method for Protecting Unauthorized Access to Data Contents.” The Doe invention recognizes the problem of protecting smart cards against unauthorized use by either human or electronic-machine intervention. This invention is concerned with deterring unauthorized access to a user's smart card by preventing someone from trying to guess the true user's password.
U.S. Pat. No. 4,650,980 to Mizutani was granted for “Individual Discrimination Cards.” The Mizutani invention memorizes the frequency of erroneously entered secret codes. Memorization is accomplished by changing the value of a bit. If the number of erroneously entered secret codes reaches a set value, the card is ejected from the machine.
U.S. Pat. No. 5,434,397 to Diehl et al. was granted for “Protection Against the Non-Authorized Inhibition of Writing in Certain Storage Areas of a Smart Card.” This invention sends data to a smart card and checks to see if the data is written to a proper location. If the data is not written to the proper location, certain functions of the card may be blocked. If the data is not written to the proper location, a bit could be changed to indicate a problem.
These inventions address unauthorized access to the smart card. They do not address preventing unknowing authorization of multiple transactions. Deo and Mizutani are concerned with preventing someone from trying to guess the password of a smart card. Diehl is concerned with blocking access to certain functions of a smart card. Therefore there is a need to prevent the unauthorized authorization of multiple transactions which are presented to a user using a smart card or an authorizing device to authorize a transaction.
SUMMARY OF THE INVENTION
It is an object of the present invention to limit the authorization of unauthorized transactions which are authorized using an authorizing device.
A further object of the present invention is to authorize only one transaction at a time when using an authorizing device to authorize transactions.
A further object of the present invention is to save information relating to the authorization of a transaction.
The present invention is an authorization system for!authorizing one transaction at a time using an authorizing device. The authorizing devices can include palmtops or personal digital assistants (PDAs), computers, laptop computers, smart cards, or similar authorizing devices having a processing module. The processing module of the authorizing device is used to provide the user of the authorizing device the ability to make decisions. The decision making ability can be used to provide an authorizing signature. However, authorizing devices are subject to attack when a program presents additional transactions to the authorizing device for an authorizing signature in a single session. The present invention is an authorization system that limits the number of transactions that can be authorized at one time. The authorizing device of the present invention is used to authorize transactions on a computer network system or over the Internet. The authorization can be for approving transactions such as purchases, business expenses, paying business expenses, training, and many other business related items, however this list should not be construed as a limitation.
To provide security against authorizing multiple transactions that are in a queue, the present invention comprises an authorizing device that only allows the authorization of only one transaction at a time. The authorization of only one transaction is accomplished by software which sets an indicator in the memory of the processing module on the authorizing device. In the preferred embodiment, the indicator referred to as the authorization bit. The setting of the indicator indicates that the authorizing device has already authorized one transaction. If the indicator is set, no other signatures can be made during that session. Therefore if an unauthorized third party attempts to authorize more than one fraudulent transaction, the fraud is limited to only that transaction and no others. In order to use the authorizing device again, the indicator needs to be reset.
In the preferred embodiment, the memory of the processing module on the authorizing device includes volatile memory with the indicator being stored in the volatile memory. When power is disconnected to the authorizing device, the indicator is reset. In order to reset the indicator in a smart card system, the power to the smart card is disconnected by removing the smart card from the smart card reader. Upon removal from the smart card reader, power to the smart card is disconnected which in turn resets the indicator.
In alternate embodiments, the indi
Frech Karl D.
Roberts Abokhair & Mardula LLC
VeriSign, Inc.
LandOfFree
Authorization system using an authorizing device does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Authorization system using an authorizing device, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Authorization system using an authorizing device will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2908253