DE102010047257A1 - Mobile radio-based transaction system for use in e.g. airport for transaction of money, has server provided to develop cashless money transfer by participants, where location alignment is carried out between locations of participants - Google Patents

Abstract

The system has a server for development of cashless money transfer by participants. A two-factor authentication (18) is carried out in a first plane (12) within a multi-plane security system (10). A location alignment (16) i.e. satellite or network alignment, is carried out between a location of one participant of a cellular radio system and a location of another participant within a navigation system i.e. Global navigation satellite systemin a second plane (14). A BluetoothDongle is utilized in a third plane (20) and deactivates an application in a client.

Description

State of the art

Out US 2009/0222353 A1 and GB 2 362 012 A are known payment systems, which are cashless and for the implementation of a mobile phone is used.

The above outlined solutions according to US 2009/0222353 A1 and according to GB 2 362 012 A the disadvantage resides in the fact that the transactions executed according to these systems can be subject to considerable uncertainty. This is due to the fact that the verification routines according to the solutions GB 2 362 012 A respectively. US 2009/0222353 A1 not be examined for plausibility or only in a single pass.

Disclosure of the invention

The present invention has for its object to provide a highly secure, cashless payment and transaction system for one or more users available.

According to the invention, a cashless payment system is proposed, in which instead of the previously used credit card, usually a credit card or a debit card made of plastic material, the mobile phone occurs. The payment process is now based on an authentication process using a barcode or other optical / graphical or electromagnetic such. As the NFC (Near Field Communication) method or sound-based identification signal for the mobile phone or a PDA (Personal Digital Assistant) or for another communication device. Furthermore, transactions can also be carried out between two users, reciprocal scanning of the mobile phones or PDAs or other communication devices being conceivable. The authentication or the identification via a barcode or by NFC method, or via another optical / graphic or electromagnetic or sound-based identification signal in combination with a mobile phone or a PDA can also be used for other purposes, such. B. as a customer card or to identify employees.

The transaction process proposed according to the invention begins with a barcode or other optical or graphic, electromagnetic or sound-based signal being requested by a user manually or automatically via the mobile telephone, personal digital assistant (PDA) or other communication device. In a Nichtzustandekommen a wireless network connection, such. B. within well insulated buildings, a wireless connection is established with the transaction terminal, which ensures a secure connection of the mobile phone, the PDA or other communication device with the central system server. This secure wireless connection established in the absence of a wireless network connection requests a barcode or other identification over that connection.

The bar code or other optical / graphical or electromagnetic information or identification signal (eg NFC) is generated by the central system server and sent to the requesting mobile telephone or the requesting PDA or the differently configured requesting communication device. The bar code or an alternative optical / graphic or electromagnetic signal is sent to the transaction terminal, such B. a modified card reader, as it is widely used today, scanned or read. The generated read or scanned identification is transmitted together with transaction information to the central system server. The barcode can also be displayed as a number combination on the display of the mobile phone. As a result, the use of the mobile-based transaction system is also possible if the transaction terminal has no reading unit for barcodes or this is damaged.

In a third step, this central system server, which has generated the barcode or the other identification, checks the identification, the transaction information, security criteria, such. As time and place, and possibly other restrictions, such. B. a possibly existing transaction limit, such. For example, an account limit at a bank. The central system server sends the transaction request via the radio network connection or, if it does not arrive via the protected wireless connection, via the transaction terminal to the requesting user. This confirms the transaction or rejects it. Upon confirmation, the transaction is executed and sent as executed to the transaction terminal. If rejected by the user (user), the transaction is aborted.

Alternatively, the transaction process can also be represented as follows. The bar code or the other optical / graphic or electromagnetic information or identification signal is generated directly in the mobile phone or the PDA or a differently configured communication device. The bar code or an alternative optical / graphic or electromagnetic signal is then sent to the transaction terminal, such as a bank. B. a modified Card reader, as it is widely used today, scanned or read. The generated read or scanned identification is transmitted together with transaction information to the central system server.

In a further step, this central system server, which generates the barcode in the same way as the mobile telephone, checks the identification transmitted by the transaction terminal, the transaction information, security criteria, such as eg. As time and place, and possibly other restrictions, such. B. a possibly existing transaction limit, such. For example, an account limit at a bank. The central system server returns the transaction request to the transaction terminal for confirmation. The user confirms the transaction or rejects it. For confirmation, the user z. For example, enter a PIN number at the transaction terminal. Entering a PIN number at the transaction terminal can either be done directly after scanning the bar code or only after the central system server has verified the identification, transaction information and security criteria communicated by the transaction terminal. Alternatively, the user can also enter a PIN code on the mobile phone or PDA before the barcode is generated. Upon confirmation, the transaction is executed and sent as executed to the transaction terminal. If rejected by the user (user), the transaction is aborted. This transaction process is particularly advantageous when the user resides abroad and thus incur high fees for data communication between the central system server and the mobile phone.

The above briefly sketched, essentially three-stage transaction process is underlaid with different levels of security. Thus, in a first security level, the bar code generated by the central system server or alternatively the other graphic / optical or electromagnetic signal is generated in the system server and the validity of the generated bar code or the alternative identification is limited in time. The time limit can z. B. be limited to 300 seconds. Alternatively, as described above, the generation of the barcode within the mobile phone or PDA or a differently configured communication means.

In a second security level, a location system, such. As the Global Positioning System (GPS) or other satellite-based location system, the location of the user (Users) with the place where the identification is desired, be it a cashier, be it another identification terminal, matched. In addition to the GPS is also a determination of the location of the user (user) via the wireless network in question, such. Over the network in which the mobile phone provides communication services.

If the location of the user and the location of the identification do not match, the transaction is rejected. Furthermore, a rejection of the transaction takes place when the distance between two or more identification locations is too large to be covered in a defined period of time.

Within the second level of security to complete the three-stage transaction process outlined above, the location of the user can be determined either on demand, i. H. determine arbitrarily, continuously or at well-defined time intervals, what the plausibility of a comparison of the location, d. H. the place of residence of the user with the place where the identification is to be made, in addition plausibilized and the informative value drastically increased.

Within this second security level, the satellite-based location system, such. For example, the Global Positioning System (GPS), or another satellite-based location system, can determine the location of the user. As an alternative to the satellite-based location system, the location of the user can be determined via the radio network in which the user's mobile phone or PDA is integrated via the corresponding radio network or mobile radio network. If the user is within or outside a defined geographic location, depending on the point of view, the requested transaction may be rejected. The definition is the localization of the user, who must be either inside or outside a defined geographic location to perform the plausibility check of the requested transaction.

In another, and deposited third security level, theft protection is implemented. The theft protection relates primarily to the theft of the communication device, ie in the present case to the theft of the mobile phone or the PDA (Personal Digital Assistant). In a first embodiment of an anti-theft protection to be implemented, the entry of a PIN is required upon confirmation of the transaction. Alternatively, it is possible to operate a separate unlock module, which the user always carries with him, which z. B. may be represented by a Bluetooth dongle or an RFID chip. In a further, third possible embodiment of the theft protection implemented above within security level 3, it is possible to display a photo of the user on the transaction terminal. This means that the central server sends a photograph of the user deposited there to the relevant transaction terminal carrying out the identification on site. Finally, there is a possibility for identification in that an identification is carried out on the basis of personal identification features, such. B. a scan of fingerprints or the iris of the eye is made to the corresponding transaction terminal. A comparison of the data scanned on the transaction terminal with the data stored on the central server quickly leads to a meaningful identification or non-identification.

In a further advantageous embodiment of the inventively proposed cashless payment system, the solvency can also be obtained if there is no wireless connection between the mobile phone or the PDA or another electronic communication device to a regular radio network. In this case, via a data radio connection, such. B. Bluetooth, made a connection to the POS terminal, which then a direct connection to the central server, which was not accessible via the regular radio network is made. In this case, z. B. a POS terminal as a data radio connection to the server. Alternatively, the embodiment variant described above can also be used here, in which a barcode is generated in the mobile telephone or PDA or another communication device and then scanned. In this embodiment can be completely dispensed with a direct connection between the mobile phone and server.

Following the solution proposed by the invention, transactions can also be performed between multiple users by scanning the bar code or the other graphic or visual identification feature interchangeably. All that is required is that the mobile phone or Personal Digital Assistant has a camera. In this regard, it should be noted that the security is given again by the position, since when scanning a barcode from a device A to a device B both devices must have the same position.

In a further advantageous embodiment of a settlement of transactions, with the involvement of the Internet, the central server can send a barcode or other suitable optical or electromagnetic signal to a website. The user just scans this barcode, which is displayed on the monitor of a transaction terminal, from the screen of the same. For this purpose, the user uses his mobile phone, which sends the scanned barcode to the central server. This in turn sends the payment request to the mobile phone, where it is still to be confirmed by the user before the transaction is executed.

The proposed transactions according to the invention can be carried out both in single and multi-user mode. For this purpose, a user can open a single-user account or create a multi-user account. In a multi-user account, which may be particularly interesting for companies, government agencies and families, multiple user accounts can be managed through a master account. The user can, via a correspondingly configured website on the Internet, manage the user account, be it a single-user or a multi-user account, and set geographical and temporal limits. The user can set transaction limits for locations and times that are valid for both a single-user account and a multi-user account.

The barcode or an NFC signal may e.g. B. as an image file between the parties or in the form of data that can then be converted by the client into a barcode. Security Levels 1 through 3 described above allow two-factor authentication based on the knowledge and ownership factors. With reference to a debit card, it should be noted here that the factor "knowledge" is formed by personal identification number (PIN) and the factor "possessing" by the "EC card". Only the combination of the two factors makes it possible to withdraw money from the ATM or pay at EC terminals.

In particular, in the IT sector established in recent years various two-factor authentication systems, the users z. B. secure access to corporate networks or software applications. For this purpose, a one-time password is generated, which authorizes the user in connection with the PIN. The one-time password is generated either via a handy password generator (client) or with the interposition of software. Prerequisite for the one-time password procedure is that both parties involved, d. H. Client and server, have a common, secret password. From this shared secret password now a series of one-time passwords (One Time Passwords: OTP's) generated.

Basically, these systems can differentiate between three different types:

A time control

With this type, server and client always calculate new passwords at fixed time intervals. Although the server each same calculation As the client performs, the server generally accepts and computes multiple one-time passwords within a tolerance range. This allows for the fact that the built-in token clock may not be one hundred percent synchronous. Nevertheless, each one-time password has a precisely defined time interval for its validity, generally between 1 and a maximum of 15 minutes.

B event control

In event-driven procedures, the server performs the same computation that has already occurred on the client side, as in the timed procedure, and again, the server computes and accepts multiple one-time passwords in a tolerance range, except for one-time passwords already in use. This is because the owner occasionally could not use a generated password. This procedure is much gentler for the batteries of a corresponding device (token). It is also possible to operate the process without permanent power supply by simply saving the last value used and thus already depreciated.

C request-response procedure

There are no synchronization problems in the case of the request-response procedure. In this method, the server issues a task, i. H. the request that the client needs to answer (answer). The client thus contains a value of the server as input and calculates a one-time password based thereon.

The implementation of two-factor authentication in the transaction system, keyword "knowledge" and "ownership", is as follows:
In a first variant, the application sends on the mobile phone, representing the client, in addition to the user ID and a one-time password to the server. From this, the server generates a barcode, which it sends back to the client. The barcode is then scanned at the transaction terminal and sent to the server along with the transaction data. The server then sends a payment request to the client, which is confirmed by the user by entering the PIN. To speed up the transaction, the input of the PIN can be waived up to a predetermined amount.

In a further advantageous embodiment variant, the application sends the user ID to the server on the mobile telephone which represents the client. From this, the server generates data for a barcode, which in turn is sent back to the client. The client extends this barcode data with a one-time password and generates the final barcode. This is then scanned at the transaction terminal and transmitted to the server together with the transaction data. The server compares the data of the barcode with the previously sent data and the one-time password. Thereafter, the server sends a payment request to the client, which is acknowledged by the user by entering the PIN. The PIN can be entered either at the client or at the transaction terminal. To speed up the transaction, the input of the PIN can be waived up to a predetermined amount.

In a further advantageous embodiment, the application generates on the mobile phone, which represents the client, a barcode from the personal user ID and a one-time password. As described above, the central system server calculates the same one-time password in parallel. The generated barcode is then scanned at the transaction terminal and sent to the server along with the transaction data. The server compares the one-time password contained in the barcode data with the one-time password calculated for that user. If both one-time passwords match and the checking of further security criteria (transaction limit, position determination) was positive, the server then sends a payment request either to the client or to the transaction terminal, which is confirmed by the user by entering the PIN. The PIN can be entered either at the client or at the transaction terminal. To speed up the transaction, the input of the PIN can be waived up to a predetermined amount. Alternatively, the PIN can also be entered at the beginning in the mobile phone to z. B. to start the generation of the barcode.

In addition, another security check can be installed within this level. Since the calculation of the one-time password occurs in parallel in the mobile phone as well as in the system server, this can also be used to check the identity of the server. To further implement this protection mechanism, the server sends a one-time password to the mobile during the transaction process. Since this must match the one-time password calculated by the mobile phone at this time, the mobile phone can securely verify that it is a "real" system server.

In a further, third security level in addition to the first two security levels implemented as standard outlined above, a user-related security level can be entered. For this purpose, either biometric features of the user can be adjusted, such. Finger or hand prints, iris or face, or Information from an identity document. Alternatively, here also a Bluetooth dongle can be used, which unlocks the application in the client or optionally an RFID card.

Due to the fact that in particular in buildings often limited radio connections prevail, the transaction terminal provides an alternative connection in this case. For this purpose, the client application establishes a data radio connection between the transaction terminal, such. B. Bluetooth, which maintains either a constant connection to the authorization server, such. B. over the Internet, or establishes a dial-up connection for authorization. The client application then communicates with the server via this data channel. The determination of location is in this case given by the transaction terminal, the remaining components of the security check run as described above.

In all variants of the barcode can also be displayed as a number combination on the display of the mobile phone. As a result, the use of mobile-based transaction system is possible even if z. B. the transaction terminal has no reading unit for barcodes or this is damaged.

In the present context, the application with mobile telephone and barcode is understood to mean an application with the mobile telephone and with NFC (near-field communication). The NFC process is the current method favored by credit card companies for contactless payments. Near-Fild Communication (NFC) refers to a transmission standard that is used for the contactless exchange of data over short distances. By means of NFC, the exchange of various information such. For example, you can have phone numbers, pictures, MP3 files, or digital permissions between two devices that are kept close to each other. NFC serves as an access key to content and services such as cashless payments, ticket ordering, online entertainment and access control. The necessary security functions are generally integrated in the NFC hardware.

With the NFC method, in the context of the invention, the mobile phone can be used as a payment device, in which the users of the mobile phone keep it close to a payment terminal, so that the near-field communication can take place. The payment function on a mobile phone requires integration of these into existing SIM card infrastructures. The NFC technology is based on the combination of smart card and contactless connection techniques. The NFC operates in a frequency range of 13.56 megahertz and offers a maximum data transfer rate of 424 kBit / sec. At a range of only 10 cm. This is desirable so that contact can be interpreted as consent to a transaction. NFC is through the ISO 14443, 18092, 21481 ECMA 340, 352, 356, 362 respectively. ETSI TS 102 and 190 standardized.

The communication between NFC-capable devices, ie mobile phone and payment terminal can be both active-passive, as well as active-active (peer-to-peer) in contrast to the conventional contactless technology in this frequency range, which generally runs only active-passive , The use of the NFC method thus provides a link to the RFID environment. The NFC standard is largely compatible with widely used smart card infrastructure based, for example, on ISO / IEC 14443-A respectively. ISO / IEC 14443-B , The NFC standard can be used as a replacement for barcodes, eg. As the electronic ticket purchase or as proposed by the invention, are used to process payment transactions, especially where where the necessary amounts of data can not be transmitted in a meaningful number of barcodes. at NFC standard offers As an alternative to barcodes in particular when two devices cryptographically secured, communicate with each other as is the case with payment applications in the rule.

Short description of the drawing

With reference to the drawing, the invention will be described below in more detail.

It shows:

1 the basic structure of the multilevel safety system proposed according to the invention,

2 a first embodiment of a communication between a mobile radio network, a transaction terminal and a system server,

3 a further embodiment of a communication scheme between mobile radio network, transaction terminal and system server,

4 a variant embodiment of a communication between a system server, a mobile phone and a transaction terminal, wherein the transaction terminal maintains a normal connection to the system server and a different radio link to the mobile phone and

5 the basic structure of the invention proposed Multi-level security system with three different two-factor authentication methods.

6 an embodiment variant when the mobile phone calculates the one-time password and the barcode without direct connection to the system server.

7 a variant that allows the mobile phone to verify the authenticity of the system server.

variants

The representation according to 1 can be seen schematically the structure of the multi-level security system.

In the present context, NFC, i. H. Near-field communication is synonymous and used interchangeably with the term barcode.

Within the inventive mobile radio-based transaction system for processing a cashless payment transaction, secure transactions are performed by various security mechanisms at several levels 12 . 14 . 20 guaranteed. The first level 12 and the second level 14 enable the creation of highly secure transactions with their processes. Within the first level 12 the two-factor authentication takes place 18 , Within the second level 14 a site comparison takes place 16 between the location of the user, ie the current location of a mobile phone 36 which is using a mobile network 32 communicates with the location of a transaction terminal 34 , where a current transaction is currently being processed.

Optionally, the multi-level security system includes 10 next to the first level 12 and the second level 14 another, third level 20 , While the first two levels 12 . 14 By default, security can be enhanced by the additional, user-related third level 20 be extended. For this purpose, either biometric features of the user (client) can be adjusted within the third level. The biometric features may, for. As finger or hand prints, the iris of the eye or the features of the face act. Alternatively, information from an official identity document can be stored in the third level. Alternatively, here also a Bluetooth dongle can be used, which unlocks the application in the client or an RFID card. The client checks whether a Bluetooth dongle or the RFID card in the vicinity, such. B. in the pocket or keychain, the user. Since these are short-range radio technologies, the connection will automatically abort if Bluetooth dongle or RFID are no longer near the client. If this is the case, the application is blocked and a request for a barcode is not possible.

The representations according to the 2 and 3 Embodiments of the implementation of the present invention proposed mobile radio-based transaction system can be seen.

The mobile-based transaction system includes, as shown in FIG 2 , a mobile network 32 in which the user is using the at least one mobile phone 36 is involved, a transaction terminal 34 at a gas station in a department store or at an airport, to give an example, and at least one system server 38 ,

The enumerated components are in all three figures, ie the 2 . 3 and 4 , identical.

The second level 14 of the multi-level security system 10 according to 1 to carry out site reconciliation 16 is done such that the client, ie the user of the at least one mobile phone 36 , a barcode from the at least one system server 38 requests. With this request, he sends, among other data and his current location, ie the location at which the respective user the respective at least one mobile phone 36 used right now. The determination of this location can either be from a first position data transmission 40 by the GPS system 30 is carried out, carried out or from a location of the at least one mobile phone 36 and thus its user within the mobile network 32 be won. During the expiration of the current transaction, an identification of the at least one transaction terminal is made 34 at which the current transaction is currently running, the location of the same is determined. Voices the two locations, ie the location where the user of the at least one mobile phone 36 and the location of the transaction terminal 34 where the particular transaction is currently being processed does not match, the transaction will be rejected.

Within the second level 14 of the multi-level security system 10 A comparison of the location of the implementation of the current transaction with the location of a previously performed transaction can be compared, as a second building block, with the location comparison that is taking place. Based on the assumption that the user of at least one mobile phone 36 Only with a certain speed can change its location, transactions, whose spatial distance is not plausibilisierbar with the time interval, rejected.

In addition to these system-side security precautions, the second level 14 of the multi-level security system 10 can be implemented, the user, ie the user of the at least one mobile phone 36 , make further location-dependent restrictions. These include z. Eg geographic restrictions regarding the web interface. There is the possibility that the user logs on via his website into his webaccount. There, the user can then z. For example, mark areas on a street map in which the use should be allowed or prohibited. In this approach, different expression patterns are possible, such. For example, postcodes, cities, states or other areas of use may be allowed or denied by appropriate codes.

The second level 14 of the multi-level security system 10 ongoing location comparison 16 can be carried out either continuously or at predetermined times, such. Every 10 minutes. A site comparison 16 can in the second level 14 be made even if an appropriate request to the at least one system server 38 is sent. However, because the satellite reception in terms of shielding within a building when using a positioning system 30 is often difficult and in this case only a location on the mobile network 32 , within which the at least one mobile phone 36 and inevitably the user communicates, would be possible, the continuous or at fixed times made site comparisons 16 preferable, but require a relatively high energy input.

Based on 2 and 3 becomes the two-factor authentication 18 that are within the first level 12 of the multi-level security system 10 expires, described in more detail below.

In the in 2 illustrated embodiment of the inventively proposed mobile radio-based transaction system sends the user, ie the client in the form of at least one mobile phone 36 , as part of a first connection 44 in addition to a user ID, a one-time password and the current location to the at least one system server 38 , The location can be either over the cellular network 32 or a satellite-based navigation system 30 be determined. This generates at least one system server 38 a barcode within a second connection step 46 to the user of the at least one mobile phone 36 , ie the client, is reported back. The barcode will then be within a third connection 48 to the at least one transaction terminal 34 sent or scanned by this and from there, compare position 34 , in the context of a fourth connection step 50 to the at least one system server 38 transmitted, compare position 50 in 2 , The system server 38 compares that in connection 50 transmitted barcode with that 46 transmitted barcode. If both barcodes are identical, it sends at least one system server 38 a payment request, compare fifth connection 52 to the client, ie the user of the at least one mobile phone 36 , This is done by the user, ie in the present case the client of the at least one mobile phone 36 , in the context of a sixth connection step 54 confirmed with a personal PIN. After the confirmation, a seventh connection step is performed 56 After that, the confirmation of the transaction from at least one system server 38 to the at least one transaction terminal 34 is confirmed.

In the in 3 illustrated embodiment of the present invention proposed mobile radio-based transaction system, the components 30 . 32 . 34 . 36 and 38 identical, as well as the connecting steps 44 to 56 , The differences between the in

2 illustrated embodiment variant and in 3 illustrated embodiment will be briefly described below. The client, ie the user of the at least one mobile phone 36 , sends as part of the first connection step 44 a user ID and location information to the at least one system server 38 , In the context of the second connection step 46 This generates from the data a barcode, which is returned to the user of the at least one telephone 36 in the context of the second connection step 46 is reported back. The client, ie the user of the at least one mobile phone 36 , extends this barcode data with a one-time password and generates the final barcode from the client, ie the user of the at least one mobile phone 36 , in the context of the third connection step 48 to the at least one transaction terminal 34 is transmitted. As part of the fourth connection step 50 The transaction data and the final barcode are sent to the at least one transaction terminal 34 scanned and in the context of the fourth connection step 50 to the at least one system server 38 reports back. The at least one system server 38 then compares the data of the final barcode with the previously sent data and the one-time password. After that, the at least one system server sends 38 a payment request in the context of the fifth connection step 52 to the client, ie the user of the at least one mobile phone 36 , This request is from the client, ie the user of the at least one mobile phone 36 , confirmed by entering a PIN, what at the transaction terminal 34 or on the mobile phone 36 can be done by yourself. To speed up the transaction, the PIN can not be entered as part of the confirmation up to a predetermined amount. In the context of the sixth connection step 54 the transaction is confirmed as part of the seventh connection step 56 from the at least one system server 38 directly to the at least one transaction terminal 34 where the transaction is currently in progress.

4 shows a schematic representation of a changed data flow in case of poor radio coverage.

Since there are limited radio connections, especially in buildings, this provides at least one transaction terminal 34 in this case an alternative connection ready. This is done by the client application, ie the user of the at least one mobile phone 36 , a data radio connection, ie a separate connection 60 to the transaction terminal 34 z. B. via Bluetooth ago. This transaction terminal 34 either builds a constant connection to the system server 38 by way of a normal connection 58 or implement it via internet. About the "normal" data connection 58 then communicates the user of the application, ie the client, ie the user of the at least one mobile phone 36 with which at least one system server 38 , For this, the client builds a protected connection, such. A so-called Virtual Private Network (VPN), to the system server 38 on. The location is determined in this case by the at least one transaction terminal 34 , the remaining components of the security check under the two-factor authentication 18 as in the context of the 2 and 3 already described.

5 shows the proposed invention multi-level safety system 10 and in particular three possible forms of two-factor authentication in the second level 14 , The first possibility is the timed variant ( 62 ), where clients and servers calculate new one-time passwords at defined intervals. In this case, the one-time password calculation can be implemented by software in the client application. The generated one-time password can then be used directly and does not have to be reentered by the user.

The second possibility ( 64 ) is the event-driven two-factor authentication. In this case, the client does not calculate the one-time password at defined intervals, but only when an event occurs, eg. For example, if the user requests a barcode or triggers the calculation manually. Compared to the former variant ( 62 ) is the event-driven variant ( 64 ) resource-saving.

The third variant ( 66 ) is the challenge response or challenge-response method. In doing so, the server sends a "challenge" to the client, e.g. For example, a numerical value. The client then fulfills the task, for. For example, it performs a calculation based on the server's transmitted numeric value and returns the result to the server. Since the server is doing the same computation, it knows the result and can compare it to the client's sent response.

For all three options, either the authorization takes place at this level if the one-time password (variant 62 . 64 ) or the answer (variant 66 ) is correct or the transaction is rejected.

6 shows a further embodiment, which is particularly advantageous if the mobile phone of the user z. B. has logged into a roaming network, z. B. when staying abroad. In this embodiment, the mobile phone generates 36 based on the user ID and a one-time password a barcode. In addition, as part of the multi-layer security system, further information such. B. position data 32 . 30 , with integrated into the barcode. This barcode will then be at the transaction terminal 34 scanned 68 , In addition, the user can 76 at the transaction terminal 34 enter a PIN code 70 , The transaction information is then passed through the transaction terminal 34 to the central system server 38 transmitted 72 , Based on the one-time password system, the central system server calculates 38 parallel to the client 36 the individual one-time password of this client 36 , As in the other embodiments, the central system server 38 now review the submitted transaction information and confirm or reject the transaction. The confirmation or rejection is then from the central system server 38 to the transaction terminal 34 transmitted 74 ,

7 shows the possible verification of the authenticity of the system server 38 through the mobile phone or PDA or other means of communication 36 , The system server generates this 38 a one-time password and send it either over a data connection or short message (SMS) 78 directly to the mobile phone 36 or, if there is no wireless connection, to the transaction terminal 34 , The user 76 can then do that from the server 38 sent one-time password with the one calculated by the mobile phone Compare one-time password 80 , This allows the user to authenticate the system server 38 check and prevent z. For example, scammers can sneak into the system and manipulate transactions. Will the one-time password directly from the server 38 sent to the mobile phone, the verification can be within the mobile phone 36 without further action of the user. This authenticity check is compatible with all three one-time password variants ( 62 . 64 . 66 ) possible.

LIST OF REFERENCE NUMBERS

10

Multi-level security system

12

first floor

14

second level

16

Location adjustment (satellite or network location)

18

Two-factor authentication

20

Third level

22

biometric features

30

GNSS Location System (Global Navigation Satellite System)

32

mobile network

34

transaction terminal

36

mobile phone

38

system server

40

first position data transmission

42

second position data transmission

44

first connection (Info one time password OTP, location)

46

second connection (barcode)

48

third connection (scanning barcode)

50

fourth connection (transmission of transaction data)

52

fifth connection (payment request)

54

sixth connection (confirmation with PIN)

56

seventh connection (confirmation transaction)

58

normal connection

60

separate connection

62

Timed two-factor authentication

64

event-driven two-factor authentication

66

Challenge Response Method Two-Factor Authentication

68

Scan the barcode generated in the mobile phone (with information about user ID, one-time password, location)

70

Enter PIN at the transaction terminal

72

Transmission of transaction information

74

Confirmation of the transaction

76

user

78

One-time password for authenticating the server 38

80

Comparison of the server 38 sent one-time password with the one from the mobile phone 36 calculated one-time passwords

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• US 2009/0222353 A1 [0001, 0002, 0002]
• GB 2362012 A [0001, 0002, 0002]

Cited non-patent literature

• ISO 14443, 18092, 21481 ECMA 340, 352, 356, 362 [0034]
• ETSI TS 102 and 190 [0034]
• ISO / IEC 14443-A [0035]
• ISO / IEC 14443-B [0035]
• NFC standard offers [0035]

Claims (28)

Mobile-based transaction system with at least one mobile phone ( 36 ), at least one transaction terminal ( 34 ) as well as at least one system server ( 38 ) for processing a cashless payment transaction, characterized in that within a multi-level security system ( 10 ) in a first level ( 12 ) a two-factor authentication ( 18 ) and in a second level ( 14 ) a location comparison between a location of a subscriber of a mobile network ( 32 ) and the location of the subscriber within a navigation system, in particular a global navigation satellite system (GNSS) system ( 30 ) is made. Mobile-based transaction system according to claim 1, characterized in that the two-factor authentication ( 18 ) in the first level ( 12 ) is either timed or event driven or based on the request-response method. Mobile-based transaction system according to one of the preceding claims, characterized in that in the context of a timed two-factor authentication ( 62 ) the at least one system server ( 38 ) and its client, in particular a software application on a mobile phone ( 36 ), calculate new passwords at specified time intervals. Mobile-based transaction system according to one of the preceding claims, characterized in that in the context of time-controlled two-factor authentication ( 18 ) generated one-time passwords are valid for a precisely defined time interval, in particular in a time interval between 1 minute to a maximum of 15 minutes. Mobile-based transaction system according to one of the preceding claims, characterized in that in the first level ( 12 ) an event-driven two-factor authentication ( 64 ), wherein the at least one system server ( 38 ) performs a calculation made on the client side and accepts one-time passwords within a tolerance range, except once-used passwords already used. Mobile-based transaction system according to one of the preceding claims, characterized in that in the context of an event-controlled two-factor authentication ( 64 ) a one-time password is calculated, the event both the request of a barcode and the local proximity of a client ( 36 ) to a transaction terminal ( 34 ), for which either the position of the client ( 34 ) determined via ( 40 ) and ( 42 ) with the position of the transaction terminal ( 34 ) or the transaction terminal ( 34 ) emits a continuous short distance radio signal which triggers the event. Mobile-based transaction system according to one of the preceding claims, characterized in that the two-factor authentication ( 66 ) within the first level ( 12 ) of the multi-level security system ( 10 ) is carried out as part of a "challenge-response" in which the at least one system server ( 38 ) specifies a task on the basis of which the client ( 36 ), in particular the software application of a mobile phone ( 36 ), a one-time password is calculated. Mobile-based transaction system according to one of the preceding claims, characterized in that the client, in particular a software application of a mobile phone ( 36 ), a value of the at least one system server ( 38 ) as input and calculates a one-time password based on this input. Mobile-based transaction system according to one of the preceding claims, characterized in that in the second level ( 14 ) of the multi-level security system ( 10 ) location reconciliation of the client, in particular the software application of a mobile phone ( 36 ), a barcode from the at least one system server ( 38 ), the client requests the at least one system server ( 38 ) transmits its current location. Mobile-based transaction system according to one of the preceding claims, characterized in that the current location in the context of the second-level site comparison ( 14 ) from the data of a satellite positioning system ( 30 ) or from a mobile network ( 32 ) is won. Mobile-based transaction system according to one of the preceding claims, characterized in that during a transaction the location of the transaction terminal ( 34 ) on which the current transaction is made. Mobile-based transaction system according to one of the preceding claims, characterized in that in case of non-compliance of the location of the at least one transaction terminal ( 34 ), on which the current transaction is made, with the location of the subscriber of the mobile network ( 32 ), either from an order within the mobile network ( 32 ) or by means of a satellite positioning system ( 30 ), the transaction is rejected. Mobile-based transaction system according to one of the preceding claims, characterized in that in the context of the second level ( 14 ), the location of the current transaction flow is compared with the location of a previously made transaction, and transactions that do not correlate spatially with a time interval are rejected. Mobile-based transaction system according to one of the preceding claims, characterized in that the location of the mobile telephone ( 36 ) is determined at predetermined times at regular time intervals or on request to the at least one system server ( 38 ) is transmitted. Mobile-based transaction system according to one of the preceding claims, characterized in that the user of the at least one mobile telephone ( 36 ) (Client) in addition to a user ID and a one-time password to the at least one system server ( 38 ) from which the at least one system server ( 38 ) generates a bar code which is sent to the user of the at least one mobile telephone ( 36 ) is returned. Mobile-based transaction system according to one of the preceding claims, characterized in that the generated barcode is stored at the at least one transaction terminal ( 34 ) and, together with the data of the current transaction, to the at least one system server ( 38 ) is transmitted. Mobile-based transaction system according to one of the preceding claims, characterized in that the at least one system server ( 38 ) a request to the user of the mobile phone ( 36 ), which it confirms by entering a PIN. Mobile-based transaction system according to one of the preceding claims, characterized in that in the context of processing a payment below a predetermined amount to the confirmation of the user of the at least one mobile phone ( 36 ) is omitted by entering a PIN. Mobile-based transaction system according to one of the preceding claims, characterized in that the user of the mobile telephone ( 36 ) (Client) a user ID to the at least one system server ( 38 ) from which the at least one system server ( 38 ) Generates data for a barcode that is sent to the user of the at least one mobile phone ( 36 ), where the data for generating the barcode is extended by a one-time password and this combination represents the final barcode. Mobile-based transaction system according to one of the preceding claims, characterized in that the final barcode is attached to the at least one transaction terminal ( 34 ) and together with the data of the current transaction to the at least one system server ( 38 ) is transmitted. Mobile-based transaction system according to one of the preceding claims, characterized in that the at least one system server ( 38 ) compares the data of the final barcode with the previously sent data and the one-time password and the at least one system server ( 38 ) a payment request to the user of the at least one mobile phone ( 36 ) to be confirmed by the user by entering a PIN. Mobile-based transaction system according to one of the preceding claims, characterized in that the PIN is stored either at the at least one mobile telephone ( 36 ) or at least one transaction terminal ( 34 ) is entered. Mobile-based transaction system according to one of the preceding claims, characterized in that within the second level ( 14 ) and within the first level ( 12 ) two-factor authentication ( 18 ) through a third level ( 20 ) are complemented in the biometric features, in particular finger or hand prints, the iris of the eye or the contouring of the face, or information from an official identity document. Mobile-based transaction system according to one of the preceding claims, characterized in that in the third level ( 20 ) a Bluetooth dongle is used, which unlocks the application in the client, or an RFID card is used. Mobile-based transaction system according to one of the preceding claims, characterized in that the at least one transaction terminal ( 34 ) a separate connection ( 60 ) to the at least one mobile telephone ( 36 ) of the user as part of a data radio connection, wherein the at least one transaction terminal ( 34 ) either a constant connection to at least one system server ( 38 ) maintains (Internet) or establishes a dial-up connection for authorization. Mobile-based transaction system according to one of the preceding claims, characterized in that the connection between the client ( 36 ), in particular a software application of a mobile phone ( 36 ), and the system server ( 38 ) is established over a protected connection, in particular a Virtual Private Network (VPN). Mobile-based transaction system according to one of the preceding claims, characterized in that a software application of a mobile telephone ( 36 ) calculates a one-time password and generates a barcode therefrom together with other user data, which is then displayed on a transaction terminal ( 34 ) and to the system server ( 38 ) is transmitted. Mobile-based transaction system according to one of the preceding claims, characterized in that a system server ( 38 ) a one-time password to a mobile phone ( 36 ) or a transaction terminal ( 34 ), which is simultaneously in the mobile phone ( 36 ) can be compared to the authenticity of the system server ( 38 ) to check.

Images