Registers – Systems controlled by data bearing records – Credit or identification card systems
Patent
1996-12-09
1999-03-02
Gross, Anita Pellman
235379, 235382, 902 8, 902 25, G06F 1760, G06K 560, G07F 708, B65H 100
active
058774823
DESCRIPTION:
BRIEF SUMMARY
The present invention relates to the security, reliability and practicability of electronic transactions involving the use of magnetic strip cards and Personal Identification Numbers.
BACKGROUND OF THE INVENTION
There are over one billion magnetic strip cards which are used as the basis of debit and credit financial transactions. These cards are being increasingly used in association with Personal Identification Numbers (PINs). Typically these PINs are encrypted in Electronic Funds Transfer (EFT) terminals using symmetric algorithms such as that specified in the Data Encryption Standard (DES). While much effort has gone into formulating security measures within these terminals, experience has shown that the greatest security risk is associated with the computers which control the operation of these terminals. A fundamental property of algorithms such as the DES is that it is impossible to prove that a copy of the encryption key, which has been used to encrypt the PIN and is under the control of the computer systems operator, has not been obtained by some third party. Thus, with current practice, the magnetic strip image and the PIN can be recovered from the terminal transmission, and the attacker is in a position to derive benefit from the card holder's account until the funds are exhausted or a fraud is detected. Further frauds can be committed because these systems are forced to allow manual entry of card numbers as a result of the poor quality and reliability of magnetic strip encoding.
A further limitation of magnetic strip technology is the amount of information which can be encoded on the card particularly given the limitations imposed by the International Standards Organisation (ISO).
Yet another limitation of current practice is that PINs cannot be safely stored in computer systems, since the means to decrypt them into clear text is also usually present. This leads to a situation where all PIN-driven transactions must be transmitted to a computer system which has the means of verifying the PIN validity in real time. Such computers must of necessity contain the means of producing apparently valid PINs. In a large-scale international scheme, deployment of such facilities in many countries is dangerous in that it may expose large banks to attack as a result of compromised facilities in foreign countries, or cause problems for their card holders as a result of unreliable communications links.
The problem of card authentication is also serious in that data encoded on a magnetic strip card can be readily generated from data transmitted to the computer system. Thus the card issuer has no proof that the transaction was originated on the basis of the physical card, since it could have been generated from the data contained in a previous transaction.
SUMMARY OF THE INVENTION
According to a first aspect, the present invention provides a method of encoding a magnetic strip card to enable validation of the card by an issuing organisation during an electronic transaction, the method comprising the steps issue, which is not readily derived from any other data recorded on the card, prior to issuing the card to a client,
According to a second aspect, the present invention consists in a method of encoding a magnetic strip card to enable validation of the card by an issuing organisation during an electronic transaction, the method comprising the steps of issue, which is independent of any data visibly recorded on the card, card, prior to issuing the card and PIN to a client,
According to a third aspect, the present invention provides a method of validation of a magnetic strip card during an electronic transaction wherein data stored on the magnetic strip card is read by a transaction terminal following which the terminal transmits a transaction message including card details and transaction details to an issuing organisation which issued the card, either directly or via intermediate processors, where a card key forming part of the stored data read from the card was recorded in a secure database at the time of card issue, the
REFERENCES:
patent: 3956615 (1976-05-01), Anderson et al.
patent: 4025760 (1977-05-01), Trenkamp
patent: 4186871 (1980-02-01), Anderson et al.
patent: 4612532 (1986-09-01), Bacon et al.
patent: 4628195 (1986-12-01), Baus
patent: 4965568 (1990-10-01), Atalla et al.
patent: 5130519 (1992-07-01), Bush et al.
patent: 5227613 (1993-07-01), Takagi et al.
patent: 5295188 (1994-03-01), Wilson et al.
patent: 5365589 (1994-11-01), Gutowitz
patent: 5371797 (1994-12-01), Bocinsky
patent: 5623547 (1997-04-01), Jones et al.
patent: 5623557 (1997-04-01), Shimoyoshi et al.
patent: 5650604 (1997-07-01), Marcous et al.
Cyr Daniel St.
Gross Anita Pellman
Security system for EFT using magnetic strip cards does not yet have a rating. At this time, there are no reviews or comments for this patent.