WO2006036363A2 - Highly secure and low-cost dialogic enciphered dynamic pin system for credit card and login - Google Patents


Info

Publication number
WO2006036363A2
Authority
WO
WIPO (PCT)
Prior art keywords
card
pin number
account
transaction
addend
Prior art date
Application number
PCT/US2005/029425
Other languages
French (fr)
Other versions
WO2006036363A3 (en)
Inventor
Peng Qin
Original Assignee
Peng Qin
Application filed by Peng Qin
Publication of WO2006036363A2
Publication of WO2006036363A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Computer Security & Cryptography (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A highly secure Dialogic Enciphered Dynamic PIN System is used to prevent fraud of credit card, debit card and any account access on-line and POS transactions effectively with low-cost and convenience. Each cardholder or account owner has a small special passcode protected calculator to store the operation addend and long secure formula for each account. Card issuer sends back an inquiry PIN number after receiving a request of transaction, the cardholder or account owner selects the card or account from the calculator, enters the transaction amount, inquiry PIN number, and secure PIN number as memorized, then the calculator does special calculation to the transaction amount or base by the sequence of secret formula + inquiry PIN number + secure PIN number, and generates an answer PIN number which is sent back to card issuer. The same calculation is done in the card issuer side to authenticate the user and authorize the transaction at the same time with high security.

Description

INVENTION TITLE
Highly Secure and Low-Cost Dialogic Enciphered Dynamic PIN System for Credit Card and Login
I (Peng Qin at 9 Alpine Court, Hillsborough, NJ 08844, U.S.A., Tel: 908-874-8682) hereby claim the benefit of the priority of the early filed Provisional Patent, with Application Number: "60/522,354", Filing Date: "09/20/2004", and Title: "Highly Secure and Low-Cost Dialogic Enciphered Dynamic PIN System for Credit Card and Login".
DESCRIPTION
FIELD OF THE INVENTION
[Para 1] The present invention relates to credit card, debit card and account access user authentication and transaction authorization in various forms of usage through Internet, telephone or terminal, to achieve high security and prevent fraudulent use of the cards or accounts by unauthorized users to the maximum extent, with automated, low-cost and convenient systems.
BACKGROUND OF THE INVENTION
[Para 2] Credit card and debit card fraud has become the most serious issue since online transactions came into wide use a decade ago; these frauds cause huge loss and cost of billions of dollars to the cardholders, merchants and card issuers every year, and have a tremendous impact on the online retail business, whose great potential for growth is blocked to a significant extent. Fraud not only happens in online transactions, but also in other remote and traditional Point Of Sale transactions. With the increase in the generation and administration of various online accounts, online identification and account access fraud is becoming a more common and serious problem.
[Para 3] The battle against fraud has been going on for decades, hardly
loss and cost of fraud grows to billions of US dollars annually, and there is no trend towards a decrease or stop. With the amount of online transactions growing at a rate of 25% or more annually, and the ratio of online to total transactions increasing from about 4% in the current market, the total damage of fraud is still going up.
[Para 4] The credit card systems were initially designed for POS sales where cardholders are physically present, allowing the merchant to check personal identity in various but fairly effective ways; the biggest flaw is the merchant's laziness in checking identity for all sales. But when credit cards and debit cards started to be used remotely over telephone or Internet, security issues became much more complicated, since merchants are not able to check the users' identity face to face even if they want to do so. With various ways to get other people's personal and card information, especially the increased vulnerability of computer network systems and the skills of the hackers, unauthorized users are getting more advantages and benefits from committing fraud remotely, and fighting against these frauds is getting more difficult and costly. The credit card systems are facing a critical crisis and need effective means to prevent fraud effectively and efficiently.
[Para 5] The current means used to prevent fraud all have deficiencies which result in security holes or over-rejection. Card Verification Number fails when the card is stolen or this number is exposed or intercepted; Address Verification Services becomes void when the cardholder's address is filched and no physical products need to be shipped; Manual Review involves tremendous efforts and resources of the staff, which significantly increases the cost for both the merchant and card issuer, and there are many cases in which direct contact with the cardholder fails or is delayed. Password Protection, as in Verified by Visa and MasterCard SecureCode, also fails when skillful hackers sneak some insidious virus into the user's computer to monitor and filter the keystrokes and the information browsed or entered; various such detrimental viruses have existed for years and are still evolving to become better hidden within the processes or threads of other legitimate applications; the encryption of transmitted data provides no protection since the information is intercepted before being encrypted; the trend of this omnipotent hacker method will become stronger and stronger while other means become more difficult, and the threat of this method is not only to credit cards but also to all online accounts requesting a login name and password for access; further, when the virus is able to scan all local files, the whole computer is compromised. Dynamic Account Number, as in the American Express Private Payment system, is also defeated easily with the login name and password filched by the virus, and unauthorized users can log in and get new dynamic card numbers anytime. Smart Card technology has its limitation in the locations of usage and compatibility issues between different card issuers; bearing the extra cost of millions of card readers can be a big burden to each card issuer, and cardholders are less willing to spend dozens of dollars for each of the cards; there will also be a cost of billions of US dollars to replace all the plastic cards with Smart Cards having a chip embedded and data filled, in addition to the expenses of developing the various software and upgrading systems for each card issuer; the method is costly yet still very vulnerable, since the card reader software can also be hacked to reveal the data in the card and thus the account is purloined; though Smart Card technology does improve the security of the cards, it is still far from effectively conquering the problem of fraud. Offline Smart Card Reader is a good step toward the solution, but it results in a higher cost of the portable readers compared to the regular readers connected to the computer, since all the operations are performed in the card reader instead of the computer; the burden of such high cost has been the main obstacle to the popularity of Smart Cards in certain major markets like the United States; also, the size of the portable card reader can hardly be reduced to a level at which these readers can be easily carried in the wallet, since the parts for holding and reading the card take space; and the card is still vulnerable when it falls into the hands of skillful hackers capable of hacking the card via simulated readers.
[Para 6] None of the above means come close enough to the ultimate solution of the fraud problem because the philosophy was not met. The philosophy is that anything that exists in the computer is not guaranteed to be secure, yet some information has to exist on the computer and be transferred through the network; anything that repeats or has a pattern is traceable; high cost is always a big obstacle; convenience and ease of usage are the keys to the market; a single generic solution for all cards is important; operability in all locations is essential; and durable effectiveness is the winning point; yet nothing is absolute, and the best scheme is the combination of the achievement of the above within reality. Here comes my invention of the Dialogic Enciphered Dynamic PIN System.
OBJECTS OF THE INVENTION
[Para 7] The primary object of the present invention is to prevent credit card and debit card fraud with a generic, highly secure and low-cost scheme.
[Para 8] Another object of the present invention is to prevent identity fraud of online account administration and usage.
[Para 9] An optional object of the present invention is to enhance the security of any system which uses static login name, password or PIN number to grant authentication and authorization to the users.
SUMMARY OF THE INVENTION
[Para 10] This invention is a highly secure Dialogic Enciphered Dynamic PIN System which is used to prevent fraud in credit card, debit card and any account access online and POS transactions effectively, with low cost and convenience. The card or account issuer randomly assigns an operation addend, a short secure PIN number and a long secret formula for each account, securely stores them with encryption in the backend database, and sends the three numbers to the cardholder or account owner via separate mails. The cardholder or account owner can use a touch-tone phone to call the card or account issuer's automated telephone account administration system to update the operation addend and secure PIN number or get a new secret formula, based on sufficient authentication, anytime. Each cardholder or account owner has a small special passcode-protected calculator to encipher dynamic answer PIN numbers for all transactions of the cards and accounts. The cardholder or account owner enters the card or account type, the last four digits of the card number or the account login name, plus the operation addend and secret formula of each card or account into the calculator once at the beginning, but only memorizes the real secure PIN number without writing it down or storing it anywhere.
[Para 11] For credit and debit card transactions, a request for authentication of the cardholder and authorization of the transaction is sent to the card issuer with the transaction amount and other details by the merchant, based on the card number provided by the cardholder; the card issuer assigns a random inquiry PIN number to the transaction and sends it back to the cardholder via the merchant; the cardholder selects the card from the list in the calculator, enters the transaction amount as the base, then types in the inquiry PIN number and the secure PIN number separately, and the calculator does the special calculation on the transaction amount by the sequence of secret formula + inquiry PIN number + secure PIN number. The cardholder takes the first 4 or more digits of the result as the dynamic answer PIN number and sends it back to the card issuer; the card issuer system retrieves the inquiry PIN number cached in the database plus the decrypted operation addend, secret formula and secure PIN number of this account stored in the backend database, does the same calculation and compares the first 4 or more digits of the result with the dynamic answer PIN number from the cardholder; if the two numbers match, the cardholder is authenticated and the transaction is authorized, otherwise both the cardholder and the transaction are rejected.
[Para 12] For account access, no merchant is involved; the account owner sends the login name and password to the account issuer as usual, and if this step succeeds the account issuer sends a random 4 digit base number and an inquiry PIN number to the account owner; the account owner selects the account in the calculator, inputs the base number, inquiry PIN number and secure PIN number, and the calculator does the special calculation on the base; the account owner sends the first 4 or more digits as the dynamic answer PIN number back to the account issuer; the account issuer does the same calculation and compares the two results; the account owner is authenticated and access is granted if the results match, otherwise access is denied. The card or account is automatically suspended after a certain number of failed tries. This low-cost offline Dialogic Enciphered Dynamic PIN System ensures extremely high security of the online transactions against even the most skillful hackers who can completely monitor all the activities, including keystrokes and browsed information, on the client's computer while the computer is online or offline, and are capable of decrypting all the encrypted information transmitted through the network.
DETAILED DESCRIPTION OF THE INVENTION
[Para 13] Terms used in This Description:
(1) Card Issuer: a financial institute like a bank which issues credit cards or debit cards to cardholders.
(2) Account Issuer: a corporation or institute which generates and holds on-line accounts for the account owners.
(3) Card Service Center: a corporation which maintains and updates the card issuer directory and other software and information for clients to access and download.
(4) Merchant: a retailer which sells products or services to the customers and charges their credit cards or debit cards to get the payment.
(5) Card Processor: a service company which acts as a gateway between the merchant and card issuers, forwarding the requests to the appropriate card issuers based on the card number, and the feedback back to the merchant.
(6) Cardholder: the legitimate owner and holder of the card.
(7) Account owner: the legitimate owner of the account.
(8) User: a person who claims to be the cardholder or account owner and requests authentication and authorization for the transaction or access.
The Preparation of the System
[Para 14] The card or account issuer system has a software component using some algorithm to generate pseudo-random numbers, or hardware using electronic noise to generate real random numbers, for the 4 or more digit secure PIN numbers, fractional operation addends and 30 or more digit secret formulas for the accounts, as well as the 4 or more digit inquiry PIN numbers for the transactions. The card or account issuer system has a backend database which stores the secure PIN number, operation addend and secret formula in encrypted format for the accounts, as well as caching the transaction information and inquiry PIN number for the transactions. The card or account issuer system has another software component which does the special calculation on the transaction amount or base by the sequence of secret formula + inquiry PIN number + secure PIN number, and compares the results with the dynamic answer PIN numbers from the users. The card or account issuer system also has an automated telephone account administration system which allows the cardholder or account owner to call to update the secure PIN number, operation addend and secret formula based on sufficient authentication.
[Para 15] The card service center maintains and updates the card issuer directory containing the name, number, status of enrollment in the dynamic PIN program and network address of each card issuer, and presents this directory online for merchants to download. The card service center also presents the information related to the Dialogic Enciphered Dynamic PIN System, as well as the card processor and merchant side software components.
[Para 16] The card processor and merchant download the software components from the card service center and install them into their websites or terminals, to provide the means for passing additional data between card issuers and users.
[Para 17] The cardholder and account owner get a generic small special passcode-protected calculator which stores the card or account type, partial card number or account login name, operation addend, secret formula and secure PIN number for each card or account, does the special calculations based on the transaction amount or base by the sequence of secret formula + inquiry PIN number + secure PIN number, displays the card or account type, partial card number or account login name, inquiry PIN number and dynamic answer PIN number, and also performs the functions of a regular calculator and phone address notebook.
How the System and Method Work in Typical Scenarios
[Para 18] The Credit Card or Debit Card Transaction Over the Internet or Telephone:
[Para 19] Remote user authentication and transaction authorization over the Internet or telephone are the primary usage of this Dialogic Enciphered Dynamic PIN System. The user does remote shopping on the Internet or via other means and proceeds to check out with the total charge amount; the user provides the credit or debit card number, owner name, expiration date and other information as requested to the merchant through the website or telephone; the merchant system connects to the card processor, which identifies the card issuer and connects to it; the request of transaction with the transaction amount and card information is forwarded from the user to the merchant to the card processor to the card issuer; the card issuer system generates a 4 or more digit random inquiry PIN number and sends it back to the user via the card processor and merchant, and at the same time caches the request of transaction with the associated inquiry PIN number in the database; the user takes out his small special calculator, types in the passcode to activate it, selects the card from the list, enters the transaction amount, inquiry PIN number and real secure PIN number respectively, then presses the calculation button; the calculator takes the transaction amount as the base and applies the special operations to the base in the order of secret formula + inquiry PIN number + secure PIN number, and the first 4 or more digits of the result are displayed as the dynamic answer PIN number, which is sent back to the card issuer with the other transaction data and the inquiry PIN number via the merchant and card processor; the card issuer system retrieves the encrypted operation addend, secret formula and secure PIN number from the database based on the card number and decrypts them, takes the transaction amount as the base and applies the special operations to the base in the order of secret formula + inquiry PIN number + secure PIN number, takes the first 4 or more digits of the result and compares it to the dynamic answer PIN number from the user; if the two numbers match the user is authenticated and the transaction is authorized, otherwise both are rejected; an acknowledgement is sent to the merchant and user via the card processor, and the transaction is processed or rejected accordingly. The user does not really need to understand what happens in the calculator or on the card issuer side; all he/she needs to do is provide the regular card info, type the transaction amount, inquiry PIN number and secure PIN number into the calculator, send the result back to the merchant and get approved. Since the small passcode-protected calculator is carried in the wallet, the user does not need to depend on any other software or hardware to do the calculation.
[Para 20] The Account Access Over the Internet:
[Para 21] The user connects to the website and loads the login page, provides the account number, login name and password as usual, and the website responds with a 4 or more digit random base number and an inquiry PIN number; the user takes out the special calculator, activates it with the right passcode, selects the account from the list, enters the base number, inquiry PIN number and secure PIN number, and the calculator does the special operations on the base in the order of secret formula + inquiry PIN number + secure PIN number; the user sends the first 4 or more digits of the result as the dynamic answer PIN number to the website; the website retrieves the encrypted operation addend, secret formula and secure PIN number from the database and decrypts them, applies the special operations to the base in the order of secret formula + inquiry PIN number + secure PIN number, and compares the result with the dynamic answer PIN number from the user; if the two numbers match the user is authenticated and access is granted, otherwise both are denied.
[Para 22] The Credit Card or Debit Card POS Transaction in the Retail Store or Gas Station:
[Para 23] The user does shopping and proceeds to check out; the merchant sums up the amount; the user slides the card on the terminal to provide the regular card information; the card info and the transaction amount are sent to the card issuer via the card processor; the card issuer system caches the transaction request, generates a 4 or more digit inquiry PIN number and sends it to the terminal via the card processor; the user takes out the special calculator, selects the card from the list, inputs the transaction amount, inquiry PIN number and secure PIN number, and the calculator does the special operations on the base transaction amount in the order of secret formula + inquiry PIN number + secure PIN number; the first 4 or more digits of the result are sent back to the card issuer as the dynamic answer PIN number; the card issuer retrieves the encrypted operation addend, secret formula and secure PIN number and decrypts them, applies the special operations to the transaction amount in the order of secret formula + inquiry PIN number + secure PIN number, and finally compares the result with the dynamic answer PIN number from the user; it authenticates the user and authorizes the transaction if the two numbers match, rejects both if they do not match, and sends an acknowledgement to the user via the card processor and merchant.
[Para 24] The Secure Access to Specific Area, Region or System:
[Para 25] When a secure card is needed to gain access to a specific region or system, an additional layer of security is applied with the inquiry and answering dialog process. The security system generates a 4 or more digit base number and an inquiry PIN number; the user selects the security account from the list in the special calculator, enters the base number, inquiry PIN number and secure PIN number, and the calculator does the special operations on the base number in the order of secret formula + inquiry PIN number + secure PIN number; the first 4 or more digits of the result are entered back into the security system via the keypad; the security system does the same calculation and compares the result with the dynamic answer PIN number provided by the user; the user is authenticated and access is granted if the two numbers match, otherwise both are rejected.
What is the Enciphering Scheme and How it Works
[Para 26] The special calculator in the user side and the main computer in the card issuer side must always be able to do calculations based on the same transaction amount, operation addend, secret formula, inquiry PIN number and secure PIN number. And it must be extremely difficult and practically impossible for anyone to break the operation addend, secret formula and secure PIN number by intercepting even a great number of inquiry PIN and answer PIN numbers for the same account.
[Para 27] Ten specific operations are defined for the digits 0-9. A special function AbsShiftTrimPlus ensures that the output of each operation is bigger than 0 and independent of the precision of the different systems used; since the output of the previous operation is the input of the next operation in the chain, this AbsShiftTrimPlus function also ensures that the input of each operation is bigger than 0. Please note that the computer takes input in radians and the calculator takes input in degrees for trigonometric functions such as sin(x), cos(x) and tan(x), so conversion of the input is needed in order to have the output on both systems match. The function and operations are defined as below:
[Para 28] Function:
(1) addend is a fractional number with 3 significant digits after decimal point, bigger than 0.100, and smaller than 0.999
(2) AbsShiftTrimPlus(x) = trim(shift(abs(x)))+addend > 1
(3) abs(x) means the absolute value of x, so abs(x) >= 0
(4) shift(x) means shift xxxx.xxx to x.xxxxxx
(5) trim(x) means trim x.xxxxxx to x.xxx
[Para 29] Operations:
(1) 1(x) = trim(shift(abs(x^2)))+addend = AbsShiftTrimPlus(x^2) > addend & <= 9.999+addend
(2) 2(x) = trim(shift(abs(sqrt(x))))+addend = AbsShiftTrimPlus(sqrt(x)) > addend & <= 9.999+addend
(3) computer: sin(x) input - radian
3(x) = trim(shift(abs(sin(x))))+addend = AbsShiftTrimPlus(sin(x)) > addend & < 1+addend
(4) calculator: sin(x) input - degree
3(x) = trim(shift(abs(sin(180*x/3.141592654))))+addend = AbsShiftTrimPlus(sin(180*x/3.141592654)) > addend & < 1+addend
(5) computer: cos(x) input - radian
4(x) = trim(shift(abs(cos(x))))+addend = AbsShiftTrimPlus(cos(x)) > addend & < 1+addend
(6) calculator: cos(x) input - degree
4(x) = trim(shift(abs(cos(180*x/3.141592654))))+addend = AbsShiftTrimPlus(cos(180*x/3.141592654)) > addend & < 1+addend
(7) computer: tan(x) input - radian, can not be (n+0.5)*pi, and it will not be.
5(x) = trim(shift(abs(tan(x))))+addend = AbsShiftTrimPlus(tan(x)) > addend & <= 9.999+addend
(8) calculator: tan(x) input - degree, can not be (n+0.5)*180, and it will not be.
5(x) = trim(shift(abs(tan(180*x/3.141592654))))+addend = AbsShiftTrimPlus(tan(180*x/3.141592654)) > addend & <= 9.999+addend
(9) 6(x) = trim(shift(abs(10^x)))+addend = AbsShiftTrimPlus(10^x) > addend & <= 9.999+addend
(10) 7(x) = trim(shift(abs(log(x))))+addend = AbsShiftTrimPlus(log(x)) > addend & <= 9.999+addend
(11) 8(x) = trim(shift(abs(e^x)))+addend = AbsShiftTrimPlus(e^x) > addend & <= 9.999+addend
(12) 9(x) = trim(shift(abs(ln(x))))+addend = AbsShiftTrimPlus(ln(x)) > addend & <= 9.999+addend
(13) 0(x) = trim(shift(abs(1/x)))+addend = AbsShiftTrimPlus(1/x) > addend & <= 9.999+addend
(14) so we always have output: f(x)>0, thus input x>0
[Para 30] Now let's take an example case: one user has an operation addend of 0.123, a secret formula of 57931 50793 13486 18034 73604 91372 581, and a secure PIN number of 7163; all three numbers are confidential. This user makes a purchase of $123.45 at a merchant's site; the merchant system sends the transaction amount $123.45 to the card issuer; the card issuer assigns a random inquiry PIN number of 5942 and this number is forwarded to the user. Now the user takes out the special calculator and does the following calculation:
[Para 31] First the transaction amount will be used as the base, and the input of the first operation will be AbsShiftTrimPlus(x). This gives the merchant a chance to shift the transaction amount to a higher value such as $12345.00 to cheat the card issuer, since AbsShiftTrimPlus(123.45) = AbsShiftTrimPlus(12345.00) = 1.234.
[Para 32] In order to lock the transaction amount, we add one digit to the left of the transaction amount; this digit represents the number of digits of the transaction amount starting from the penny, so the base in this case becomes 5123.45. The merchant can not simply shift the base to 512345.00 or even 712345.00, since 512345.00 violates the rule, and AbsShiftTrimPlus(5123.45) = 5.123 does not equal AbsShiftTrimPlus(712345.00) = 7.123; thus the transaction amount is locked.
[Para 33] So the calculations in the user side calculator will be:
(1) Operation addend = 0.123
(2) Transaction Amount = 123.45
(3) Base = 5123.45
(4) 1st Input = AbsShiftTrimPlus(5123.45) = 5.246
(5) Operations by secret formula:
(6) 5(5.246) = AbsShiftTrimPlus(tan(180*5.246/3.141592654)) = 1.692+0.123 = 1.815
(7) 7(1.815) = AbsShiftTrimPlus(log(1.815)) = 2.588+0.123 = 2.711
(8) 9(2.711) = AbsShiftTrimPlus(ln(2.711)) = 9.973+0.123 = 10.096
(9) 3(10.096) = AbsShiftTrimPlus(sin(180*10.096/3.141592654)) = 6.219+0.123 = 6.342
(10) 1(6.342) = AbsShiftTrimPlus(6.342^2) = 4.022+0.123 = 4.145
(11) 5(4.145) = AbsShiftTrimPlus(tan(180*4.145/3.141592654)) = 1.569+0.123 = 1.692
(12) 0(1.692) = AbsShiftTrimPlus(1/1.692) = 5.910+0.123 = 6.033
(13) 7(6.033) = AbsShiftTrimPlus(log(6.033)) = 7.805+0.123 = 7.928
(14) 9(7.928) = AbsShiftTrimPlus(ln(7.928)) = 2.070+0.123 = 2.193
(15) 3(2.193) = AbsShiftTrimPlus(sin(180*2.193/3.141592654)) = 8.125+0.123 = 8.248
(16) 1(8.248) = AbsShiftTrimPlus(8.248^2) = 6.802+0.123 = 6.925
(17) 3(6.925) = AbsShiftTrimPlus(sin(180*6.925/3.141592654)) = 5.986+0.123 = 6.109
(18) 4(6.109) = AbsShiftTrimPlus(cos(180*6.109/3.141592654)) = 9.848+0.123 = 9.971
(19) 8(9.971) = AbsShiftTrimPlus(e^9.971) = 2.139+0.123 = 2.262
(20) 6(2.262) = AbsShiftTrimPlus(10^2.262) = 1.828+0.123 = 1.951
(21) 1(1.951) = AbsShiftTrimPlus(1.951^2) = 3.806+0.123 = 3.929
(22) 8(3.929) = AbsShiftTrimPlus(e^3.929) = 5.085+0.123 = 5.208
(23) 0(5.208) = AbsShiftTrimPlus(1/5.208) = 1.920+0.123 = 2.043
(24) 3(2.043) = AbsShiftTrimPlus(sin(180*2.043/3.141592654)) = 8.905+0.123 = 9.028
(25) 4(9.028) = AbsShiftTrimPlus(cos(180*9.028/3.141592654)) = 9.223+0.123 = 9.346
(26) 7(9.346) = AbsShiftTrimPlus(log(9.346)) = 9.706+0.123 = 9.829
(27) 3(9.829) = AbsShiftTrimPlus(sin(180*9.829/3.141592654)) = 3.933+0.123 = 4.056
(28) 6(4.056) = AbsShiftTrimPlus(10^4.056) = 1.137+0.123 = 1.260
(29) 0(1.260) = AbsShiftTrimPlus(1/1.260) = 7.936+0.123 = 8.059
(30) 4(8.059) = AbsShiftTrimPlus(cos(180*8.059/3.141592654)) = 2.035+0.123 = 2.158
(31) 9(2.158) = AbsShiftTrimPlus(ln(2.158)) = 7.691+0.123 = 7.814
(32) 1(7.814) = AbsShiftTrimPlus(7.814^2) = 6.105+0.123 = 6.228
(33) 3(6.228) = AbsShiftTrimPlus(sin(180*6.228/3.141592654)) = 5.515+0.123 = 5.638
(34) 7(5.638) = AbsShiftTrimPlus(log(5.638)) = 7.511+0.123 = 7.634
(35) 2(7.634) = AbsShiftTrimPlus(sqrt(7.634)) = 2.762+0.123 = 2.885
(36) 5(2.885) = AbsShiftTrimPlus(tan(180*2.885/3.141592654)) = 2.623+0.123 = 2.746
(37) 8(2.746) = AbsShiftTrimPlus(e^2.746) = 1.558+0.123 = 1.681
(38) 1(1.681) = AbsShiftTrimPlus(1.681^2) = 2.825+0.123 = 2.948
(39) Operations by inquiry PIN number:
(40) 5(2.948) = AbsShiftTrimPlus(tan(180*2.948/3.141592654)) = 1.960+0.123 = 2.083
(41) 9(2.083) = AbsShiftTrimPlus(ln(2.083)) = 7.338+0.123 = 7.461
(42) 4(7.461) = AbsShiftTrimPlus(cos(180*7.461/3.141592654)) = 3.829+0.123 = 3.952
(43) 2(3.952) = AbsShiftTrimPlus(sqrt(3.952)) = 1.987+0.123 = 2.110
(44) Operations by secure PIN number:
(45) 7(2.110) = AbsShiftTrimPlus(log(2.110)) = 3.242+0.123 = 3.365
(46) 1(3.365) = AbsShiftTrimPlus(3.365^2) = 1.132+0.123 = 1.255
(47) 6(1.255) = AbsShiftTrimPlus(10^1.255) = 1.798+0.123 = 1.921
(48) 3(1.921) = AbsShiftTrimPlus(sin(180*1.921/3.141592654)) = 9.393+0.123 = 9.516
(49) So the Answer PIN Number is: 9516
[Para 34] The user sends this answer PIN number to the card issuer, card issuer computer system does the same calculations and gets the result, if the two numbers match the card issuer authorizes the transaction, otherwise rejects the transaction.
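The following Python is an added example, not code from the patent or its inventor. It implements the AbsShiftTrimPlus function and the digit operation table of Para 27-29, the amount-locking base of Para 32, and the full chain of Para 33-34 on both the calculator and the card issuer side, reproducing the answer PIN 9516 from the figures above. It assumes the computer (radian) form of the trigonometric operations, and that trim truncates rather than rounds, which is what the worked figures show (log(1.815) = 0.25887... becomes 2.588); the helper names, the `EPS` guard against binary floating-point noise, and the three-digit padding of amounts under one dollar are this example's own choices.

```python
import hmac
import math

# Added example for this page (not code from the patent or its inventor): the
# AbsShiftTrimPlus function, the ten digit operations and the secret formula +
# inquiry PIN + secure PIN chain of Para 27-34.  Operation numbering follows the
# patent's table; the figures below (addend 0.123, secret formula, inquiry PIN
# 5942, secure PIN 7163, amount $123.45) are the ones given in Para 30.
# Function and variable names are this example's own.

EPS = 1e-9  # absorbs binary floating-point noise before truncating


def shift(v: float) -> float:
    """shift(x): move the decimal point so the first significant digit sits in
    the ones place (xxxx.xxx -> x.xxxxxx, 0.0xx -> x.x).  Needs v > 0."""
    if v <= 0.0:
        raise ValueError("shift needs a positive input; the chain must never reach 0")
    shifted = v / 10.0 ** math.floor(math.log10(v))
    if shifted >= 10.0:      # guard against log10 rounding at exact powers of ten
        shifted /= 10.0
    elif shifted < 1.0:
        shifted *= 10.0
    return shifted


def trim(v: float) -> float:
    """trim(x): truncate (not round) to three decimals, x.xxxxxx -> x.xxx.
    Truncation is what the worked figures show: log(1.815) = 0.25887 -> 2.588."""
    return math.floor(v * 1000.0 + EPS) / 1000.0


def abs_shift_trim_plus(v: float, addend: float) -> float:
    """AbsShiftTrimPlus(x) = trim(shift(abs(x))) + addend, always > addend > 0."""
    return trim(shift(abs(v))) + addend


# Digit -> raw operation, computer (radian) mode.  The calculator's degree-mode
# sin(180*x/3.141592654) is the same value as math.sin(x) in radians.
OPERATIONS = {
    "1": lambda x: x * x,
    "2": math.sqrt,
    "3": math.sin,
    "4": math.cos,
    "5": math.tan,
    "6": lambda x: 10.0 ** x,
    "7": math.log10,
    "8": math.exp,
    "9": math.log,
    "0": lambda x: 1.0 / x,
}


def apply_digit(digit: str, x: float, addend: float) -> float:
    """One chain step: the operation named by `digit`, then AbsShiftTrimPlus."""
    return abs_shift_trim_plus(OPERATIONS[digit](x), addend)


def locked_base(amount_cents: int) -> float:
    """Para 32: prefix the amount with its digit count, counted from the penny,
    so $123.45 -> 5123.45 while a rescaled $12345.00 -> 712345.00.  Padding
    amounts under one dollar to three digits is this example's assumption."""
    digits = f"{amount_cents:03d}"
    return float(f"{len(digits)}{digits[:-2]}.{digits[-2:]}")


def dynamic_pin(base, addend, secret_formula, inquiry_pin, secure_pin, pin_digits=4):
    """Run the chain in the order secret formula + inquiry PIN + secure PIN.
    Returns (answer PIN, intermediate values starting with the first input)."""
    x = abs_shift_trim_plus(base, addend)   # first input; 5.246 in the patent's example
    trace = [x]
    for digit in secret_formula + inquiry_pin + secure_pin:
        x = apply_digit(digit, x, addend)
        trace.append(x)
    answer = f"{x:.3f}".replace(".", "")[:pin_digits]   # first digits of the result
    return answer, trace


def issuer_verify(answer_pin, amount_cents, account, inquiry_pin):
    """Card issuer side (Para 34): recompute from the stored secrets and compare."""
    expected, _ = dynamic_pin(locked_base(amount_cents), account["addend"],
                              account["secret_formula"], inquiry_pin, account["secure_pin"])
    return hmac.compare_digest(expected, answer_pin)


# Values from Para 30 of the patent.
EXAMPLE_ACCOUNT = {
    "addend": 0.123,
    "secret_formula": "579315079313486180347360491372581",
    "secure_pin": "7163",
}

if __name__ == "__main__":
    amount_cents, inquiry = 12345, "5942"
    pin, trace = dynamic_pin(locked_base(amount_cents), EXAMPLE_ACCOUNT["addend"],
                             EXAMPLE_ACCOUNT["secret_formula"], inquiry,
                             EXAMPLE_ACCOUNT["secure_pin"])
    for step, value in enumerate(trace):
        print(f"step {step:2d}: {value:.3f}")
    print("answer PIN:", pin, "verified:",
          issuer_verify(pin, amount_cents, EXAMPLE_ACCOUNT, inquiry))
```

Run as a script it prints the 42 intermediate values (5.246, 1.815, 2.711, ... , 9.516) and `answer PIN: 9516 verified: True`. The issuer-side function deliberately recomputes the whole chain from the decrypted secrets rather than trusting anything sent by the merchant, which is the check Para 34 describes, and `locked_base` makes the rescaled amount of Para 31 produce a different first input.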
How Secure this Method is
[Para 35] Since the user authentication and transaction authorization are based on the inquiry PIN number and answer PIN number transmitted over the network in addition to the regular card or account information and transaction data, and the inquiry PIN number and answer PIN number are different every time, the security of this Dialogic Enciphered Dynamic PIN System is ensured by the extreme difficulty or impossibility of breaking the operation addend, secret formula and secure PIN number with intercepted sets of transaction amount, inquiry PIN number and answer PIN number.
[Para 36] Since each operation can not be reversed, there is no way to solve the puzzle by just solving the equation, so the only way is to build a matrix of, or go through, all the possibilities. The operations to the base are in the sequence of 30 to 40 digit secret formula + 4 or more digit inquiry PIN number + 4 or more digit secure PIN number, so the total operations are 30+n+4+4; with the consideration of the operation addend, the total number of possible operation sets is about 10^(4+38+11) = 10^53.
[Para 37] If the hacker has a super computer which is capable of doing 1 trillion operations per second, which is 10^12, it will take him 10^33 years to finish all the possibilities, and he also needs at least 10^53 bytes of space to store the matrix, which is beyond the capacity of any existing computer.
[Para 38] So we are assured that breaking the Dialogic Enciphered Dynamic PIN System is a mission impossible, thus the security of this system is ensured.

Claims

Highly Secure and Low-Cost Dialogic Enciphered Dynamic PIN System for Credit Card and Login
What is claimed is:
[Claim 1] A system for authenticating the user and authorizing the transaction of credit card, debit card and account access, comprising: a card or account issuer system generating and storing random number operation addend, short secure PIN number and long secret formula for each account, generating random number inquiry PIN number upon request of transaction, comparing the dynamic answer PIN number with the result calculated based on data stored in server side to authorize the transaction, in addition to the regular function of authorizing regular plastic cards transactions as widely used in the current market; a card or account issuer automated telephone account administration system performing realtime secure PIN number and secret formula update based on sufficient authentication; a small special passcode protected calculator storing card or account information, operation addend and secret formula, performing special calculation with transaction amount, inquiry PIN number and secure PIN number; a card processor and merchant system connecting to the card issuer, sending transaction request to the card issuer, forwarding inquiry PIN number to the user, and the dynamic answer PIN number back to the card issuer.
[Claim 2] A method for authenticating the user and authorizing the transaction, comprising the steps of: card or account issuer system generating real random numbers for operation addend, short secure PIN number and long secret formula for each account, storing them in the database in encrypted format; user activating the special calculator by passcode, storing the card or account information, operation addend and the secret formula for each card or account, memorizing the secure PIN number; card processor and merchant downloading and installing the software components, downloading and updating card issuer directory from card service center; merchant and card processor system forwarding transaction request to the card issuer; card issuer system generating random inquiry PIN number and sending it to the user via card processor and merchant, also caching the transaction data and inquiry PIN number in the database; account issuer system generating random inquiry PIN number and sending it to the user directly, also caching the transaction data and inquiry PIN number in the database; user's special calculator calculating dynamic answer PIN number based on stored operation addend and secret formula, also entered transaction amount or base, inquiry PIN number and secure PIN number; merchant and card processor system forwarding dynamic answer PIN number back to the card issuer; card or account issuer system calculating comparative dynamic PIN number based on the returned transaction amount or base, decrypted stored operation addend, secret formula, inquiry PIN number and secure PIN number, authorizing the transaction for matching results and rejecting transaction for non-matching results.
[Claim 3] The system for authorizing card transaction or account access to claim 1, wherein said card or account issuer system uses random number generator to generate fractional operation addend, 4 or more digit secure PIN number and 30 or more digit secret formula for each account, and stores these numbers in encrypted format in the database. The lengths of the secret formula for different cards or accounts are different to increase the security of the cards.
[Claim 4] The system for generating random numbers to claim 3, wherein said random number generator can be a software using some algorithm to generate pseudo random number as commonly used, or a hardware connected to the computer using electronic noise to generate real random numbers.
[Claim 5] The system for authorizing card transaction or account access to claim 1, wherein said card or account issuer system generates random number fractional operation addend, 4 or more digit inquiry PIN number upon request of authentication or transaction, caches the transaction data including the transaction amount and merchant information, as well as inquiry PIN number in the database with association to the account specified by the card or account number in the request, and sends the inquiry PIN number to the user via card processor and merchant or directly.
[Claim 6] The system for authorizing card transaction or account access to claim 1, wherein said card or account issuer system receives a dynamic answer PIN number from the user, calculates server side comparative dynamic PIN number based on the transaction amount or base, decrypted operation addend, secret formula, inquiry PIN number and secure PIN number, by the same function and algorithm as in the user's special calculator, compares the two dynamic PIN numbers to authorize transaction for matching numbers or reject transaction for non-matching numbers, and sends the acknowledgement back to the merchant and user via card processor or directly.
[Claim 7] The system for authorizing card transaction to claim 1, wherein said regular card issuer system authorizes regular plastic cards transactions by comparing the cardholder name, card number and expiration date provided by the user and stored in the database, authorizes transaction for matching card information and rejects transaction for non-matching card information.
[Claim 8] The system for authorizing card transaction or account access to claim 1, wherein said card or account issuer automated telephone account administration system updates secure PIN number, and assigns new operation addend and secret formula based on sufficient authentication such as the matching secure PIN number and some of social security number, telephone number, cardholder's birth date, mother's maiden name, mother's birth date, etc. If the user can not provide the old secure PIN number, a new secure PIN number will only be mailed to the cardholder's address; the cardholder can call back with the new secure PIN number to update the secure PIN number, operation addend and the secret formula. When the secret formula has been used for certain times, for better ensured security, the user will be reminded to update the secret formula and operation addend via telephone, and the new formula and addend are entered into the special calculator for next usage. Telephone system prevents hackers from stealing information from computer or network via virus or other means.
[Claim 9] The system for authorizing card transaction or account access to claim 1, wherein said small special calculator has the size of credit card and can be carried in a wallet, is protected by user assigned passcode and will erase the stored data upon certain number of failed tries. The calculator has a small keypad for user to enter and update the card or account type, last 4 or more digits of the card number or account login name, the operation addend and the secret formula, as well as the inquiry PIN number and secure PIN number. The calculator also has a LCD to display the card type and last digits of card number, as well as the inquiry PIN number and dynamic answer PIN number, but not the operation addend, secret formula and secure PIN number. The calculator has a built in function table for each digit of 0 - 9, each digit is associated with some special operation to the base number, the operations in the sequence of secret formula + inquiry PIN number + secure PIN number are performed against the transaction amount or base entered, and the first 4 or more digits of the result are displayed as the dynamic answer PIN number for the user to send back to the card or account issuer. The calculator also has the functions of a regular calculator in unprotected mode, and phone and address book in protected mode.
[Claim 10] The system for authorizing card transaction to claim 1, wherein said card processor and merchant system is some software components in the merchant website or terminal and the card processor system. The component in card processor system connects to the card service center to download and update the card issuer directory which has the card issuers' name, number, status of enrollment of dynamic PIN program and network address. The card processor component forwards transaction requests to the card issuers, inquiry PIN numbers to the users via merchants, and dynamic answer PIN numbers back to card issuers. The component in merchant website or terminal forwards communication between the user and card processor.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US52235404P 2004-09-20 2004-09-20
US60/522,354 2004-09-20
US17874805A 2005-07-12 2005-07-12
US11/178,748 2005-07-12

Publications (2)

Publication Number Publication Date
WO2006036363A2 true WO2006036363A2 (en) 2006-04-06
WO2006036363A3 WO2006036363A3 (en) 2009-04-16

Family

ID=36119340

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2005/029425 WO2006036363A2 (en) 2004-09-20 2005-08-18 Highly secure and low-cost dialogic enciphered dynamic pin system for credit card and login

Country Status (1)

Country Link
WO (1) WO2006036363A2 (en)


Also Published As

Publication number Publication date
WO2006036363A3 (en) 2009-04-16


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05785187

Country of ref document: EP

Kind code of ref document: A2