Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
2000-05-01
2004-07-06
Darrow, Justin T. (Department: 2132)
C713S185000, C705S055000, C705S065000
active
06760841
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates generally to improvements to transaction processing. More particularly, the invention relates to techniques for authentication and protection of transaction information in transactions conducted over insecure communication channels.
BACKGROUND OF THE INVENTION
The use of electronic devices and communication in financial transactions has grown phenomenally in recent years. Electronic devices and communications are commonly used to authorize transactions, and are also used more and more in electronic commerce, especially commerce conducted over the Internet. Electronic transaction authorization typically involves the submission by a merchant of information taken from an identifying token presented by the customer, such as the customer's credit or debit card. The merchant submits the customer's credit or debit card information to a bank computer, and the bank computer debits the customer's account and authorizes the transaction. Internet commerce transactions typically involve the use of a credit or debit card, with a customer linking to a merchant web site and entering credit card information or debit card information on a form provided by the web site for transmission to a merchant server. The merchant server submits the received credit card information to a bank or other credit card processing agency server in the same way as is done for a conventional credit card transaction.
In the present state of the art, the conduct of financial transactions is fraught with risks for both the merchant and the customer. This is true both in a conventional transaction where a customer submits a credit or debit card to the merchant and even more in the case of electronic commerce conducted over the Internet. For the merchant, there is little or no assurance that a credit or debit card used in a transaction is not stolen or being used in an unauthorized way. In a conventional transaction where the customer physically submits the card to the merchant, a risk exists for the merchant that the card is stolen or counterfeit, and for the customer there is a risk that the customer's card information will be stolen by the merchant, intercepted from the merchant's reader, or intercepted in transit from the merchant's reader to a bank computer. In an Internet transaction, the merchant has little or no assurance that the person conducting the transaction is in possession of the credit card whose information is being submitted. The customer in an Internet transaction cannot be certain that the merchant web site is a legitimate web site, rather than a false front used to collect credit card information. Even if the web site is a legitimate web site, the customer has no assurance that the web site has not been surreptitiously reprogrammed by outsiders so as to redirect traffic to another location in order to collect credit card data submitted to the web site. If the intended web site has received the data, the customer has no assurance that attackers will not obtain personal information such as credit card information which is stored in the web site's servers.
Public key cryptography is commonly used to protect sensitive information during Internet transactions. A merchant server sends a public key to a customer's browser. The browser then uses the public key to encrypt the customer's data and sends the data in encrypted format to the merchant server. The merchant server then uses its private key to decrypt the data for use.
Public key cryptography protects data in transit, but is less effective as a protection against sending data to undesired destinations. A web site using public key cryptography typically presents a digital certificate to a customer's browser, but only the most experienced computer users know how to verify a certificate's digital signature. Moreover, if a web site is set up for the purpose of obtaining credit card information, the web site may well have a genuine certificate and be able to present the certificate during the transaction. Furthermore, the use of public key cryptography offers no assurance to a merchant that credit card information being submitted comes from a credit card held by the submitter, rather than from a copied card or from credit card information collected or intercepted by the submitter.
It may be possible for a user to be provided with a device to read credit card information. However, prior art credit card readers are not adapted to establish that a card is authentic and not a copy. Moreover, if a credit card or debit card reader is placed in the physical possession of a user, the user is free to attack the reader at leisure so that it will operate in unauthorized ways. For example, a user may reconfigure a reader to report reading of a credit card and output purported credit card information, even when no credit card has been submitted to the reader at all. Furthermore, conventional card readers do not provide assurance that a card is genuine and not a counterfeit.
Moreover, credit card readers of the prior art output credit card information in plaintext and do not provide security for the user's credit card information. Even if the information is encrypted in transit, the merchant will receive the information in plaintext at the end of the transmission. A typical card reader thus provides no security for the user against an unscrupulous merchant or against an attack on a merchant's file of card data.
Similar problems exist with merchant processing terminals used at retail locations. Merchant card readers are susceptible to being attacked to allow theft of card information. Moreover, merchant card readers of the prior art are not equipped to identify a credit card as a counterfeit.
There exists, therefore, a need in the art for a system which will provide reliable authentication of a financial document such as a credit or debit card, and which will protect the privacy of the user's data.
SUMMARY OF THE INVENTION
A system according to the present invention reliably authenticates the existence and presentation of a genuine financial document such as a credit or debit card and allows the card information to be submitted securely to an issuing authority such as a bank for transaction approval. The card information is not presented directly to a merchant. Instead, an encrypted information block containing encrypted card information is provided to the merchant. The card information is not seen or known by the merchant, nor is the card information available while being transmitted. The information block is transmitted to a computer controlled by an authority which issued the card, and which has the necessary keys to decrypt the information block and retrieve and authenticate the card information. Once the card is authenticated, the merchant receives a transaction authorization, but has no opportunity to see or compromise the card information.
One aspect of the present invention is a system for reliably authenticating the presentation of a genuine financial document such as a credit or debit card and for securely transmitting the financial information contained on the card together with financial transaction details in order to verify a transaction. A customer initiates a financial transaction, for example by beginning an ordering process for ordering a book over the Internet. The merchant server presents a transaction form to the customer. The transaction form may suitably contain a product number, price and description, with space for the customer to enter information such as shipping information. The transaction form may provide an instruction for the customer to insert a token into an authentication device attached to the customer's computer. The token may be a financial identification card such as a credit card or debit card, or may alternatively be an identification card issued by an individual bank.
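The flow summarized in the two paragraphs above, as an added example that is not part of the patent text: the authentication device seals card data and transaction details into a block the merchant can only relay, and the issuer decrypts and checks it. The keys shared by device and issuer, all function names, the sample values, the replay check, and the HMAC-SHA256 keystream with encrypt-then-MAC (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, json, os

# Constructed sample values (test card number, made-up order).
CARD = {"pan": "4111111111111111", "exp": "12/30"}
TXN = {"merchant": "books-example", "item": "B-1001", "amount": "24.95"}

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_block(enc_key, mac_key, card, txn):
    """Authentication device: encrypt card data together with the transaction details."""
    nonce = os.urandom(16)
    plain = json.dumps({"card": card, "txn": txn}, sort_keys=True).encode()
    ct = _xor(plain, _keystream(enc_key, nonce, len(plain)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def merchant_forward(block, txn):
    """Merchant: holds no keys, relays the opaque block with its own view of the order."""
    return {"block": block, "claimed_txn": txn}

class Issuer:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seen = enc_key, mac_key, set()

    def authorize(self, msg):
        block = msg["block"]
        if len(block) < 48:  # 16-byte nonce + 32-byte tag at minimum
            return "reject: malformed"
        nonce, ct, tag = block[:16], block[16:-32], block[-32:]
        expect = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return "reject: tampered"
        if nonce in self.seen:  # the same block presented twice
            return "reject: replay"
        self.seen.add(nonce)
        data = json.loads(_xor(ct, _keystream(self.enc_key, nonce, len(ct))))
        if data["txn"] != msg["claimed_txn"]:  # merchant altered the order details
            return "reject: transaction mismatch"
        return "approve"
```

Because the transaction details sit inside the authenticated block, the issuer can refuse an order whose amount or merchant differs from what the device sealed.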
The authentication device reads the card information and authenticates the card. The authentication device also stores
Darrow Justin T.
Priest & Goldstein PLLC
XTec Incorporated