
WO2013009255A1 - A security device and a method for supporting validation in a validation process for an end user interacting with a web site - Google Patents


Info

Publication number: WO2013009255A1
Authority: WO, WIPO (PCT)
Prior art keywords: file, security device, signed, communication device, validation
Prior art date:
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Application number: PCT/SE2012/050815
Other languages: French (fr)
Inventor: Heide Larsson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Show & Pay AB
Original Assignee: Show & Pay AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.):
Filing date:
Publication date:
Application filed by Show & Pay AB
Priority to EP12811746.2A (EP2732415A4)
Publication of WO2013009255A1
Anticipated expiration:
Current legal status: Ceased


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3272 Short range or proximity payments by means of M-devices using an audio code
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists

Definitions

  • TITLE A security device and a method for supporting validation in a validation process for an end user interacting with a web site.
  • the present invention relates to interactions during a data session between e.g. a customer and an on-line marketplace or on-line member accounts, etc., in a computerized environment which is part of a global interconnecting network, such as the Internet, or local net such as an intranet.
  • The fact that the Internet has proved to be an efficient channel for marketing both products and services, for distributing product information, and for selecting, ordering and transferring payment for desired products and services means that there has been a radical increase in exposure to customer card fraud.
  • a customer has to fill in his/her customer card information in a specific payment form, displayed in a web page, which typically is provided by an on-line marketplace where the on-line purchase is taking place.
  • the on-line marketplace will validate the on-line purchase by sending the customer card information (i.e. customer card parameters) to the customer's bank or customer card company.
  • Information provided by the customer is thus used in the validation process.
  • the information provided normally includes parameters such as the customer's name, surname, customer card number, validation date and sometimes also the Card Validation Code (CVC) number of the issued customer card.
  • the purpose of the validation process is to validate that the customer who is making the purchase, is also the same customer who has the customer card in his/her possession and that he or she is the correct holder/owner of the customer card.
  • the filling of an on-line, web site based order form is a problem for many people.
  • An object of the present invention is to solve said problems and limitations and to provide the end user with an automatic and easy way of entering the personal data information needed in the validation process and of completing and finalizing the on-line order resulting from the data session interaction.
  • One aspect of the present invention is a security device comprising a receiver circuitry and an audio chip connected to a first interface for transferring of sound waves received from a communication device.
  • Another aspect of the present invention is a method in a security device for supporting validation/authenticating in a validation process for an end user interacting with a web site during a data session by means of a communication device.
  • Said security device being removably connectable to the communication device, and wherein the interaction during the data session is taking place via an interconnecting network.
  • Said data session results in a file to be electronically signed and verified/authenticated.
  • the method is characterized in that it comprises receiving sound waves transferring the file to be signed from the communication device via a first interface, generating a response with a signed file by means of an electronic signing process wherein personal data is added to the received file to be signed, and forwarding the response with the signed file to the communication device for further transfer of the response to a validation entity for validation.
  • One advantage of the present invention is that the invention makes it possible to integrate the external software with the communication device, e.g. computer, smart phone, mobile phone, etc., without using any complex drive routines and programs.
  • Another advantage of the present invention is that it supports validation/authentication in a validation process for an end user interacting with a web site during a data session by means of a communication device, by automatically filling in personal data in an on-line, web site based order form.
  • one advantage is that hardware required for utilizing embodiments of the invention is already present in existing web-based, or mobile phone based, ordering and payment systems.
  • the fact that this hardware is already present is convenient and enables all intermediate transaction parties, banks and electronic marketplaces with the necessary hardware to realize and quickly implement the invention.
  • Figure 1 is a schematic diagram showing a system overview of an example of different parties that may be involved in a data session
  • FIG. 2 is a block diagram illustrating an exemplary embodiment of a security device according to the present invention.
  • Figure 3 is a flowchart illustrating an exemplary embodiment of the method according to the present invention.
  • Figure 4 is a signaling scheme for a system illustrated in Fig. 1 wherein an exemplary embodiment of the present invention is applicable;
  • Figure 5 is a signaling scheme for a system and a process wherein another exemplary embodiment of the present invention is applicable.
  • Embodiments of present invention will now be described in detail below wherein the embodiments of the invention address and solve the problems related to validation of personal identification information and other information, e.g. customer card information, during a data session involving electronic transaction or interaction methods.
  • the present invention is illustrated by examples in which a transaction such as a purchase is performed, but the invention is equally applicable to interactions in which information is exchanged or amended, thus in the following the term "on-line electronic market place" is intended to also include places where interactions (such as the change of membership information or status or input or the like) take place such as on-line member accounts, fora/forums, etc, and the term “transaction” is also intended to mean interaction.
  • the present invention may be used in any data session between a customer or client and a web site wherein a validation process for authenticating information has to be involved for security reasons.
  • the term file should be interpreted in its broadest sense, e.g. a set of information and/or data.
  • a file to be signed is an incomplete set of information and/or data that has to be completed with certain required information and/or data to be a signed file. In the following, a way of electronically signing a file is provided.
  • FIG. 1 is a diagram showing a system overview wherein an example of an embodiment of the invention may be used.
  • the illustrated system comprises a transaction institute 100, e.g. a card issuer typically a bank or the like, an end-user, e.g. a customer or a client, having a communication device 110 connected via a channel of communication established by an interconnecting network 130, e.g. a wireless or fixed network, an on-line electronic marketplace 120, i.e. a web site for various products or services provided by an on-line merchant, and it may also comprise a secure server 140 belonging to, managed and handled by a second intermediate transaction party.
  • a web browser is a software application in a communication device 110, said web browser retrieving, presenting, and traversing information resources on the World Wide Web.
  • An information resource is identified by a Uniform Resource Identifier (URI) and may be a web page, image, video, or other piece of content.
  • Hyperlinks present in resources enable users easily to navigate their browsers to related resources.
  • a web browser can also be defined as an application software or program designed to enable users to access, retrieve and view documents and other resources on the Internet. Although browsers are primarily intended to access the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems.
  • the major web browsers are Internet Explorer, Firefox, Google Chrome, Safari, and Opera.
  • a web browser may be an app for a smart phone.
  • Today e-commerce is used on web pages for purchasing products or for making an important agreement or login to specific areas.
  • Several banks use external devices to generate the keys that are needed to be inserted to the web page or read from the web pages into the devices.
  • a web site 120 may be for example an on-line electronic marketplace 120 for various products or services provided by an on-line merchant.
  • in the on-line electronic marketplace 120 it is possible for a customer using a communication device 110 to choose desired services or products.
  • the customer initiates an electronic on-line order for a selected product, or service, in the on-line electronic marketplace 120.
  • by an electronic market place 120 is meant a place where various products, services or combinations thereof are displayed, or presented, and available for purchase or rent purposes; typically an electronic market place 120 may be an Internet shop, a car rental site, or a site providing a service or product and which requires a payment e.g. via customer card.
  • the customer 110 finalizes the order by filling out an on-line form, typically an order confirmation page within the domain of the on-line electronic marketplace 120.
  • the filled-in on-line form comprises personal data information comprising personal identification data enabling electronic signing and optionally other information for finalizing a service, purchase, a deal, or agreement, etc.
  • the finalization of a purchase may involve transaction information such as order value related to the order and some information about the customer card, typically this information is the customer card number, the card validity (i.e. year and month of expiration) and probably also the CVC-number (not illustrated) of the card.
  • the customer 110 will receive confirmation from the on-line electronic marketplace 120, via any previously established channel 130, that the customer 110 has accepted the order.
  • a secure server 140 may involve a processing system and different interfaces. The processing system controls the operation of the secure server 140. The processing system also processes information received via the interfaces.
  • a specific interface may allow the secure server to communicate, for example, with a server, such as the server of a bank, transaction institute and/or a server at the electronic marketplace 120. Further, the secure server may comprise an interface for communicating with another network, such as the Internet, wireless networks supporting GSM, LTE, WiMAX or any other suitable network.
  • said object is achieved by using a system of file saving/reading and sound reproducing/playing.
  • This is based on features of the present invention that make it possible to integrate the external software with the communication device, e.g. computer, smart phone, mobile phone, etc., without using any complex drive routines and programs.
  • Figure 2 is a block diagram illustrating an exemplary embodiment of a security device according to the present invention and said security device attached to a communication device.
  • the security device 200 is configured to support validation/authenticating in a validation process for a customer interacting with a web site 120 during a data session by means of a communication device 110.
  • Said security device 200 is attachable or removably connected to the communication device 110.
  • the interaction during the data session is taking place in a computerised environment which is part of an interconnecting network 130.
  • Said data session has resulted in an on-line order file to be electronically signed and verified/authenticated.
  • a typical interaction during a data session may be performed according to the following example.
  • An end user, e.g. a customer or client, is able to visit a web site on the Internet by means of a communication device 110 comprising means 205, e.g. a web browser, audio circuitry and transducers for generating and reproducing sound, e.g. a loudspeaker, and communication equipment 260 for enabling communication over the interconnecting network (130 in figure 1).
  • the end user initiates a data session with a web site, in this example an on-line market place providing items and/or services for sale.
  • the initiation starts a data communication between the customer's communication device 110 and the web site, in which data communication layout scripts are sent to the communication device as xTML code resulting in web sites that are displayed on the communication device 110.
  • the web site 120 provides the end user a certain web page, which is designed to guide the client or customer to finalize the session process, e.g. purchase of goods and/or services.
  • the web site 120 instructs the user to connect the user's personal security device to the communication device 110. If the security device is configured as a USB-stick, the USB-stick is attached to the USB-port of the communication device 110.
  • security devices may be configured to be attached to a sound jack of a mobile phone or smart phone, which communication devices typically do not have a USB port.
  • the security device is preprogrammed with personal data information and/or security information for electronically signing an order file sent from the web site to the communication device.
  • the security device 200 may trigger the communication device 110, which comprises said means 205 (e.g. a web browser, audio circuitry and transducers for generating and reproducing sound) and whose web browser shows the web page on the communication device's display, to reproduce and play some sort of sound signal, or audio signal, incorporated in a received file, e.g. an audio file or other file in a suitable format, provided by the web page.
  • the audio or sound signal comprises encrypted information, e.g. a purchase file of ordered goods or services.
  • the security device is therefore provided with a receiver circuitry 210 and an audio chip 212 to be able to receive the analogue sound and process the received analogue signals.
  • by audio chip is meant circuitry for transducing sound waves to electric signals.
  • the security device may comprise a receiver circuitry 210 comprising the audio chip 212, configured to receive and signal-process sound waves via a first interface, which is a medium, such as air, or a channel, such as an inlet or pipe for transferring sound or audio signals to the receiver circuitry.
  • the inlet or pipe may be configured to guide the sound waves through the casing of the security device.
  • Said receiver circuitry 210 may also comprise a demodulating circuitry, e.g. a filter 212, for extracting information modulated on and carried by the sound waves.
  • the receiver circuitry may be an Application Specific Integrated Circuit, ASIC, comprising the audio chip 212 and the demodulating circuitry.
  • Said sound waves are modulated with data information for transferring/carrying the information to the security device.
  • Any kind of information may be coded, modulated and carried by the sound waves, e.g. an order file received by the communication device.
  • Two modulation techniques may be used, either frequency modulation or amplitude modulation. Both are well known in the art.
  • Said receiver circuitry 210 comprises the audio chip 212, which is capable of converting sound waves into electric signals, and vice versa.
  • the receiver circuitry 210 with the audio chip 212 directly transforms the analogue sound waves into digital data.
  • Said demodulating filter 214 is configured to extract the modulated file or data information.
  • the security device comprises also a digital processor 220, such as a Central Processing Unit (CPU), microprocessor, etc.
  • the digital processor 220 is acting as a control unit of the other components and circuitries in the security device.
  • the invention may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them.
  • Apparatus of the invention may be implemented in a computer program product tangibly embodied in a machine readable storage device for execution by a programmable processor 220; and method steps of the invention may be performed by a programmable processor 220 executing a program of instructions to perform functions of the invention by operating on input data and generating output.
  • Embodiments of the invention may advantageously be implemented in one or more computer programs that are executable on a programmable system including at least one programmable processor 220 coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device.
  • Each computer program may be implemented in a high-level procedural or object-oriented programming language or in assembly or machine language if desired; and in any case, the language may be a compiled or interpreted language.
  • a processor 220 will receive instructions and data from a read-only memory and/or a random access memory.
  • Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks. Any of the foregoing may be supplemented by, or incorporated in, specially designed ASICs (Application Specific Integrated Circuits).
  • the digital processor 220 is configured to read, decode if necessary and store the received and converted/coded information preferably as a file into a first memory area 221.
  • the security device is capable of reading and storing an order file into said memory storage 221.
  • the security device may also comprise an electronic signing process block 230 configured to generate a signed order file by adding personal data to the received order file.
  • Said electronic signing process block 230 is connected to the first memory area 221, wherein the received and converted information is preferably temporarily stored.
  • the digital processor 220 is monitoring said first memory area 221, and when a file has been completely loaded and stored, the digital processor 220 transfers the stored file to the electronic signing process circuitry, which is connected to a second memory area 222 where the personal data information comprising personal identification data enabling electronic signing is stored.
  • the second memory area comprises the information to be validated and sent.
  • the second memory area 222 may also store personal data information about a customer card, typically this information is the customer card number, the card validity (i.e.
  • Any other kind of information to be added to a received file may be stored in the second memory area 222. Said information may be stored by a security device provider before the device is handed to the user. Some information may also be inserted by the device owner and user.
  • the second area may be implemented as a Read-Only Memory (ROM).
  • the stored information in the second memory area 222 is preferably stored in a structured way that enables the electronic signing process block 230 to correctly insert data information, which may be a set of different data information, from the second memory area 222 into the correct spaces, fields or areas of the file, e.g. an electronic order form.
  • when the security device has filled in, completed and signed the electronic order form, it will forward the signed order form into a third memory area 223, wherein the signed and completed order file is stored.
  • the security device 200 may also comprise a transceiver circuitry 240 configured to communicate with the communication device via a second interface 250, which may enable removable connectivity to a suitable port of the communication device.
  • the second interface 250 may be a contact that matches a corresponding contact of the communication device.
  • the communication device could be a stick with a contact that e.g. fits into the Universal Serial Bus (USB) port or a head-phone or microphone jack of a mobile phone, tablet computer, or similar portable device.
  • the transceiver circuitry 240 may be configured to insert the signed file in a message which is addressed, e.g. with an Internet Protocol (IP) address, to the validation entity, e.g. a server of the web site or a separate secure server.
  • the transceiver circuitry 240 forwards the signed order file to the communication device 110, which transfers the signed order file to a validation entity e.g. a secure server (140 in figure 1) for validation. Said transfer is performed by means of the communication equipment 260 over the interconnecting network, e.g. Internet or a wireless radio access network connected to the Internet.
  • the security device 200 may comprise an encryption block that encrypts the signed order file before loading the file into the transceiver circuitry 240.
  • the security device 200 may comprise a digital-to-analogue converter, said converter being capable of converting the digital data into an audio or sound file format.
  • the order file may be delivered in the same file format as it was received and played by the communication device 110.
  • the security device 200 is a personal entity storing data information which has to be protected. Therefore, the digital processor 220 is configured to perform an identification process when the security device is started and/or energized. The user has to identify himself or herself in the proper and correct way.
  • the security device may therefore be equipped with means like e.g. a fingerprint identifier, voice recognition functionality, e.g. by means of the audio chip, PIN code, password, etc.
  • a security device with a built-in audio chip 212 is provided; said security device is connectable to a suitable port of a computer and/or a mobile phone.
  • the security device comprises an audio chip 212, sound-chip, etc.
  • the audio chip 212 is configured to listen to sound/audio signals reproduced and generated/played by the communication device means 205 and to convert the sound signals to binary data.
  • the sound is generated from a sound/audio file, which is received by the web browser from a web site.
  • the security device is further configured to decrypt the content of the binary data and to generate a corresponding encrypted file in a memory area of the security device.
  • Said encrypted file is uploaded to the secure server (140 in figure 1) as a response to confirm the purchase, identification or login.
  • the secure server is a validation entity.
  • a solution according to one exemplified embodiment of the present invention may be a USB-stick with a built-in audio chip 212.
  • another embodiment of the invention is a device, e.g. wherein the casing is designed as a memory stick, wherein the second interface is a contact or a plug that is attachable to the audio jack, e.g. microphone jack and/or earphone or headphone contact.
  • Figure 3 is a flowchart illustrating an exemplary embodiment of the method according to the present invention.
  • the method is adapted for and performed by a security device for supporting validation/authenticating in a validation process for a customer interacting with a web site 120 during a data session by means of a communication device 110.
  • a customer or client is able to visit a web site on the Internet by means of a communication device comprising a web browser.
  • An end user, e.g. a customer or client, is watching on the communication device display a certain web page provided by the web site 120.
  • the web page is designed for guiding the client or customer to finalize the session process, e.g. purchase of goods and/or services.
  • the web site 120 will instruct the user to connect the user's personal security device to the communication device 110.
  • the user may have to connect the security device within a specified time period; otherwise the process will not be completed.
  • Said security device is removably connected to the communication device, and wherein the interaction during the data session is taking place via an interconnecting network 130.
  • Said data session results in a file to be electronically signed and verified/authenticated.
  • the security device is a USB-stick
  • the USB-stick is attached to the USB-port of the communication device 110 or a sound jack of a mobile phone.
  • the security device comprises means for supporting authentication of personal identification information about the client/customer.
  • the method comprises an electronic signing process, which will now be described. After the insertion of the security device into the communication device, the security device and the communication device start a transfer and receiving process for the file to be signed via the first interface, the file being sent in a playable sound or audio file format.
  • Step S310 Transfer and receiving process - Receiving sound waves transferring the file to be signed from the communication device via a first interface
  • the web page 205 plays by means of a sound card or sound chip in the communication device some sort of sound, or audio signal, by means of a file, e.g. an audio file or other file in a suitable format.
  • the audio file comprises the file to be signed, preferably in an encrypted format; the file to be signed may be an order file or a purchase file of ordered goods or services.
  • the security device 200 may comprise a receiver circuitry 210 configured to receive and signal-process sound waves via a first interface 212.
  • the audio chip 212 may be integrated with the receiver circuitry 210.
  • the receiver circuitry 210 directly transforms the sound waves into digital data. Sound waves are modulated with data information, preferably as a file, for transferring/carrying the information to the security device.
  • Said receiver circuitry 210 may comprise a demodulating filter 214 for extracting the modulated data information.
  • the security device may be configured to decrypt the digital data using any standard or customized decryption scheme.
  • Step 320 Electronic signing process - Generating a response comprising a signed file by means of an electronic signing process wherein personal data is added to the received file to be signed;
  • the security device In this step, the security device generates a response, e.g. a file, message or a response sound.
  • the security device comprises an electronic signing process block 230 configured to generate a response e.g. a signed order file by adding personal data to the received file to be signed.
  • Said electronic signing process block is connected to a first memory area 221, wherein the received and converted information is preferably temporarily stored.
  • the digital processor 220 is monitoring said first memory area 221, and when a file has been completely loaded and stored, the digital processor 220 transfers the file to be signed to the electronic signing process block, which is connected to a second memory area 222 where the personal data information comprising personal identification data enabling electronic signing is stored.
  • the second memory area 222 may also store information about a customer card, typically this information is the customer card number, the card validity (i.e. year and month of expiration) and probably also the CVC-number (not illustrated) of the card. Any kind of information to be added to a received file may be stored in the second memory area 222. Said information may be stored by a security device provider before the device is handed over to the user. Some information may also be inserted by the device owner and user.
  • When the security device has filled in, completed and signed the electronic order form, it forwards the signed order form into a third memory area 223, wherein the signed and completed order file is stored. Now the forwarding process is performed:
  • the security device may also comprise a transceiver circuitry 240 configured to communicate with the communication device 110 via a second interface 250, which may enable removable connectivity to a suitable port of the communication device.
  • the transceiver circuitry 240 may be configured to insert the signed file of the response file in a message which is addressed, e.g. with an Internet Protocol (IP) address, to the validation entity, e.g. a server of the web site or a separate secure server.
  • the transceiver circuitry 240 forwards the signed order file to communication equipment 260 of the communication device 110, which transfers the signed order file to a validation entity, e.g. a secure server 140 of a second intermediate transaction party, for validation by means of the same communication equipment and interfaces and in the same way as the communication device is communicating over the interconnecting network 130, e.g. wireless network, Internet, etc.
  • the security device may comprise an encryption block that encrypts the signed order file before loading the file into the transceiver circuitry.
  • the security device may comprise a digital-to-analogue converter, said converter being capable to convert the digital data into an audio or sound file format.
  • the order file may be delivered in the same file format as it was received and played by the communication device.
  • the digital processor 220 is configured by means of software and/or hardware to control the above steps and processes of the exemplified embodiment of the method according to the present invention.
  • the response file is uploaded to the secure server (140 in Fig. 1), which is able to authenticate the personal identification information in the response file.
  • the secure server is able to return the authenticated personal identification information.
  • the response file may also comprise other information, e.g. purchase order.
  • FIG. 4 illustrates a signaling scheme for a system illustrated in Fig. 1 wherein an exemplary embodiment (commercial alternative) of the present invention is applicable.
  • the system comprises a communication device 110, e.g. a Personal Computer (PC), laptop, mobile phone, smart phone, tablet computer, etc.
  • An end user e.g. a customer or client, is capable to visit a web site on the Internet by means of a communication device comprising a web browser.
  • the end user initiates a data session with a web site, in this example an on-line market place providing items and/or services for sale.
  • the initiation starts a data communication between the customer and the web site, in which data communication layout scripts are sent to the communication device as xTML code resulting in web sites that are displayed on the communication device.
  • the web site 120 provides the end user a certain web page, which is designed to guide the client or customer to finalize the session process, e.g. purchase of goods and/or services.
  • the web site 120 instructs the user to connect the user's personal security device to the communication device 110.
  • the security device is a USB-stick
  • the second interface 250 of the USB-stick is attached to the USB-port of the communication device 110.
  • the security device is a device, e.g. designed as a stick, having a plug or contact as second interface 250, said plug or contact is inserted into the sound jack of the communication device, e.g. a mobile phone, smartphone.
  • the security device is preprogrammed with personal data information for electronic signing an order file sent from the web site to the communication device.
  • When the security device is attached, it may trigger the web page to play some sort of sound, or audio signal, by means of a file, e.g. an audio file or other file in a suitable format. When the security device is attached, it may send a trigger signal. Alternatively, the customer may trigger the web page to play the sound by pressing a key of the keypad of the communication device to which the security device is attached.
  • the file comprises encrypted information, e.g. purchase file of ordered goods or services.
  • the security device is therefore provided with a receiver circuitry 210 and an audio chip 212 to be able to receive the analogue sound and process the received analogue signals.
  • the method for supporting validation/authenticating according to the present invention in a validation process involving S310: the transfer and receiving process; S320: the electronic signing process; and S330: the forwarding process; is now performed by the security device attached to the communication device.
  • the security device and its processes are adapted to generate a response file wherein the file to be signed, e.g. an order file, is completed with missing data and signed.
  • the response file is inserted in a message in an IP/TCP protocol that is addressed, given the destination IP address of a web server, either a web server at the web site or a secure server (140 in Fig. 1).
  • the receiving web server or secure server (140 in figure 1) is adapted to authenticate the personal identification information in the response file.
  • the web server or secure server is configured to use said information for returning the authenticated personal identification information.
  • the response file may also comprise other information, e.g. purchase order.
  • the web site receives the response file, which initiates the purchase process, which results in that an electronic invoice and the authenticated personal identification information is sent to a Transaction Institute, which performs a check of the received data. If the transaction is allowed, a transaction acknowledgement is sent to the client/customer (110).
  • Figure 5 is a signaling scheme for a system and process wherein another exemplary embodiment of the present invention is applicable.
  • web sites may not be an on-line market place offering items for sale.
  • Web sites may offer services such as agreements, contracts, etc, wherein the file to be signed is not an order file.
  • the system of Fig. 5 is illustrating an interaction between an end user and a web site offering an agreement to be signed, which does not involve any transaction with a bank or Transaction Institute issuing a banking card, customer card, credit card, etc. Such a system does not therefore involve a bank or other transaction institute, as illustrated in Fig. 5.
  • the only difference between the system and process in Fig. 5 and that in Fig. 4 is that in the system and process in Fig.
  • the web site receiving the authenticated response file does not initiate a purchase process, which results in that an electronic invoice and the authenticated personal identification information is sent to a Transaction Institute, which performs a check of the received data. Instead, the web site receiving the authenticated response file initiates a purchase process, which results in that the receiving web server related to the web site, which may be a secure server, is adapted to perform a test, indicated as "OK?", if the received response file comprising the signed file in the response file is acceptable. If the response file is approved, a transaction acknowledgement is sent to the client/customer.
  • a secure server 140 may involve a processing system and different interfaces. The processing system controls the operation of the secure server 140. The processing system also processes information received via the interfaces.
  • a specific interface may allow the secure server to communicate, for example, with a server, such as the server of a bank, transaction institute and/or a server at the electronic marketplace 120. Further, the secure server may comprise an interface for communicating with another network, such as the Internet, wireless networks such as GSM, LTE, WiMAX or any other suitable network.
  • embodiments of present invention are easy to implement, mainly due to the fact that no introduction of additional software packets is required. Therefore, negative customer attitudes towards solutions of the invention caused by the necessity to download and install software are avoided.
  • hardware required for utilising the invention is already present in existing web-based or mobile phone based ordering and payment systems, which enables the intermediate transaction party, the banks and the merchants with means to conveniently realize and quickly implement the invention.
  • the purpose of the present invention is not to change the present payment and transaction processes and methods.
  • the present invention is only an independent addition or supplement that can be added as an extra step to the present payment and transaction processes and methods.
  • Embodiments of the present invention may be provided by a web site, e.g. an electronic marketplace, as a safety mechanism, to be used by customers to verify their personal identification data and possession of a customer card in a purchase process within an electronic transaction method. In this way any potential perpetrator will probably fail the verification process, due to lack of knowledge about the visible aspects of the customer card in question. Thereby security is enhanced.
  • Embodiments of the present invention may also be provided by a web site, e.g. a bank or other commercial institute, as a safety mechanism, to be used by customers to verify their personal identification data during a data session wherein a customer or client is interactively linked or connected to the web site.
  • Various embodiments of the present invention also solve security issues when it comes to electronic commerce on Internet and purchases made via a mobile phone on a mobile phone network, even though not explicitly exemplified in this specification.
  • Various embodiments of the present invention also solve the issue of purchases with stolen customer card information on the Internet and purchases made via a mobile phone network.
  • the present invention is not limited to the above-described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention, which is defined by the appended claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention refers to a security device (200) comprising a receiver circuitry (210) and an audio chip (212) connected to a first interface, e.g. air interface, for transferring of sound waves. The present invention also refers to a method in such a security device for supporting validation/authenticating in a validation process for an end user interacting with a web site (120) during a data session by means of a communication device (110), said security device being removably connected to the communication device.

Description

TITLE: A security device and a method for supporting validation in a validation process for an end user interacting with a web site.
TECHNICAL FIELD
The present invention relates to interactions during a data session between e.g. a customer and an on-line marketplace or on-line member accounts, etc., in a computerized environment which is part of a global interconnecting network, such as the Internet, or local net such as an intranet.
BACKGROUND
The Internet has proved to be an efficient channel for marketing both products and services, distributing product information as well as for selecting, ordering and transferring payment for desired products and services, which means that there has been a radical increase in exposure to customer card fraud.
Even though numerous approaches and technologies have been suggested for enabling secure electronic transaction or interactions, following an on-line purchase, still no single secure electronic transaction or interaction method has completely been adopted as the overall dominating method, nor has any method been standardized worldwide. The complexity of previously suggested transaction security systems and security methods, which have made them too expensive and often too difficult to use for an ordinary user, have discouraged many merchants from using on-line security systems.
Thus, at present, in a normal on-line purchase or interaction, for example changing membership details, changing status, booking events or meetings, etc, a customer has to fill in his/her customer card information in a specific payment form, displayed in a web page, which typically is provided by an on-line marketplace where the on-line purchase is taking place. The on-line marketplace will validate the on-line purchase by sending the customer card information (i.e. customer card parameters) to the customer's bank or customer card company. Information provided by the customer is thus used in the validation process. The information provided normally includes parameters such as the customer's name, surname, customer card number, validation date and sometimes also the Card Validation Code (CVC) number of the issued customer card.
The purpose of the validation process is to validate that the customer who is making the purchase, is also the same customer who has the customer card in his/her possession and that he or she is the correct holder/owner of the customer card. However, the filling of an on-line, web site based order form is a problem for many people.
There exist devices that can be inserted into the USB port to emulate the keyboard and insert the numbers, but they still cannot read the numbers from the web page, at least not without installing software and plug-ins into the computer itself. If external software is to be installed in a computer, or a mobile phone, this might be quite troublesome to a person without knowledge about or experience of computers.
This is a huge limitation because a web browser of a computer is running in a so-called "sandbox" and cannot access other devices of the computer that the browser itself is not allowed to use. This limitation is a result of security thinking, as a web browser has to be protected against viruses, worms, Trojans, etc., and also other security aspects.
SUMMARY
An object of the present invention is to solve said problems and limitations and to provide the end user with an automatic and easy way of entering personal data information needed in the validation process and of completing and finalizing the on-line order resulting from the data session interaction.
One aspect of the present invention is a security device comprising a receiver circuitry and an audio chip connected to a first interface for transferring of sound waves received from a communication device.
Another aspect of the present invention is a method in a security device for supporting validation/authenticating in a validation process for an end user interacting with a web site during a data session by means of a communication device. Said security device is removably connectable to the communication device, and the interaction during the data session takes place via an interconnecting network. Said data session results in a file to be electronically signed and verified/authenticated. The method is characterized in that it comprises receiving sound waves transferring the file to be signed from the communication device via a first interface, generating a response with a signed file by means of an electronic signing process wherein personal data is added to the received file to be signed, and forwarding the response with the signed file to the communication device for further transfer of the response to a validation entity for validation.
A number of embodiments of said aspects of the present invention are disclosed in the following detailed description and dependent claims. One advantage of the present invention is that the invention makes it possible to integrate the external software with the communication device, e.g. computer, smart phone, mobile phone, etc., without using any complex drive routines and programs.
Another advantage of the present invention is that the invention supports validation/authenticating in a validation process for an end user interacting with a web site during a data session by means of a communication device by automatically filling in personal data in an on-line, web site based order form.
A further advantage of embodiments of the invention is the ease of implementation, i.e. no introduction of additional software packets, as used by prior art security technologies, is required.
A further advantage is that hardware required for utilizing embodiments of the invention is already present in existing web-based, or mobile phone based, ordering and payment systems. The presence of already present hardware is convenient and enables all intermediate transaction parties, banks and electronic marketplaces with the necessary hardware to realize and quickly implement the invention.
These and other aspects and advantages of embodiments of the present invention will become apparent from the following detailed description and from the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
In the following description of embodiments of the invention, reference will be made to the accompanying drawings of which:
Figure 1 is a schematic diagram showing a system overview of an example of different parties that may be involved in a data session;
Figure 2 is a block diagram illustrating an exemplary embodiment of a security device according to the present invention;
Figure 3 is a flowchart illustrating an exemplary embodiment of the method according to the present invention;
Figure 4 is a signaling scheme for a system illustrated in Fig. 1 wherein an exemplary embodiment of the present invention is applicable;
Figure 5 is a signaling scheme for a system and a process wherein another exemplary embodiment of the present invention is applicable.
DETAILED DESCRIPTION
Embodiments of present invention will now be described in detail below wherein the embodiments of the invention address and solve the problems related to validation of personal identification information and other information, e.g. customer card information, during a data session involving electronic transaction or interaction methods.
In the following the present invention is illustrated by examples in which a transaction such as a purchase is performed, but the invention is equally applicable to interactions in which information is exchanged or amended. Thus, in the following the term "on-line electronic market place" is intended to also include places where interactions (such as the change of membership information or status or input or the like) take place such as on-line member accounts, fora/forums, etc., and the term "transaction" is also intended to mean interaction. Thus, the present invention may be used in any data session between a customer or client and a web site wherein a validation process for authenticating information has to be involved for security reasons. Further, the term file should be interpreted in its broadest interpretation, e.g. a set of information and/or data. A file to be signed is an incomplete set of information and/or data that has to be completed with certain required information and/or data to be a signed file. In the following, a way of electronically signing a file is provided.
Figure 1 is a diagram showing a system overview wherein an example of an embodiment of the invention may be used. The illustrated system comprises a transaction institute 100, e.g. a card issuer typically a bank or the like, an end-user, e.g. a customer or a client, having a communication device 110 connected via a channel of communication established by an interconnecting network 130, e.g. a wireless or fixed network, an on-line electronic marketplace 120, i.e. a web site for various products or services provided by an on-line merchant, and it may also comprise a secure server 140 belonging to, managed and handled by a second intermediate transaction party.
A web browser is a software application in a communication device 110, said web browser retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI) and may be a web page, image, video, or other piece of content. Hyperlinks present in resources enable users easily to navigate their browsers to related resources. A web browser can also be defined as an application software or program designed to enable users to access, retrieve and view documents and other resources on the Internet. Although browsers are primarily intended to access the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems.
The major web browsers are Internet Explorer, Firefox, Google Chrome, Safari, and Opera. A web browser may be an app for a smart phone. Today e-commerce is used on web pages for purchasing products or for making an important agreement or login to specific areas. Several banks use external devices to generate the keys that are needed to be inserted to the web page or read from the web pages into the devices.
A web site 120 may be for example an on-line electronic marketplace 120 for various products or services provided by an on-line merchant. In the on-line electronic marketplace 120 it is possible for a customer using a communication device 110 to choose desired services or products. The customer initiates an electronic on-line order for a selected product, or service, in the on-line electronic marketplace 120. By an electronic market place 120 is meant a place where various products, services or combinations thereof are displayed, or presented, and available for purchase or rent purposes; typically an electronic market place 120 may be an Internet shop, a car rental site, or a site providing a service or product and which requires a payment e.g. via customer card. The customer 110 finalizes the order by filling out an on-line form, typically an order confirmation page within the domain of the on-line electronic marketplace 120. The filled-in on-line form comprises personal data information comprising personal identification data enabling electronic signing and optionally other information for finalizing a service, purchase, a deal, or agreement, etc. The finalization of a purchase may involve transaction information such as order value related to the order and some information about the customer card, typically this information is the customer card number, the card validity (i.e. year and month of expiration) and probably also the CVC-number (not illustrated) of the card. After the customer 110 has entered the necessary card information in the on-line form, the customer 110 will receive confirmation from the on-line electronic marketplace 120, via any previously established channel 130, that the customer 110 has accepted the order.
A secure server 140 may involve a processing system and different interfaces. The processing system controls the operation of the secure server 140. The processing system also processes information received via the interfaces. A specific interface may allow the secure server to communicate, for example, with a server, such as the server of a bank, transaction institute and/or a server at the electronic marketplace 120. Further, the secure server may comprise an interface for communicating with another network, such as the Internet, wireless networks supporting GSM, LTE, WiMAX or any other suitable network.
However, the filling of an on-line, web site based order form is a problem for many people.
Thus, said object is achieved by using a system of file saving/reading and sound reproducing/playing. This is based on features of the present invention that make it possible to integrate the external software with the communication device, e.g. computer, smart phone, mobile phone, etc., without using any complex drive routines and programs.
In the following description, it will be explained how the above described transaction will be finalized by means of a security device according to the present invention.
Figure 2 is a block diagram illustrating an exemplary embodiment of a security device according to the present invention and said security device attached to a communication device.
The security device 200 is configured to support validation/authenticating in a validation process for a customer interacting with a web site 120 during a data session by means of a communication device 110. Said security device 200 is attachable or removably connected to the communication device 110. The interaction during the data session is taking place in a computerised environment which is part of an interconnecting network 130. Said data session has resulted in an on-line order file to be electronically signed and verified/authenticated.
A typical interaction during a data session may be performed according to the following example. An end user, e.g. a customer or client, is able to visit a web site on the Internet by means of a communication device 110 comprising means 205, e.g. web browser, audio circuitry and transducers for generating and reproducing sound, e.g. a loudspeaker, and communication equipment 260 for enabling communication over the interconnecting network (130 in figure 1). The end user initiates a data session with a web site, in this example an on-line market place providing items and/or services for sale. The initiation starts a data communication between the customer's communication device 110 and the web site, in which data communication layout scripts are sent to the communication device as xTML code resulting in web sites that are displayed on the communication device 110. If the end user has decided to buy something from the web site, the web site 120 provides the end user a certain web page, which is designed to guide the client or customer to finalize the session process, e.g. purchase of goods and/or services. The web site 120 instructs the user to connect the user's personal security device to the communication device 110. If the security device is configured as a USB-stick, the USB-stick is attached to the USB-port of the communication device 110. Alternatively, security devices may be configured to be attached to a sound jack of a mobile phone or smart phone, which communication devices typically do not have a USB port. The security device is preprogrammed with personal data information and/or security information for electronically signing an order file sent from the web site to the communication device.
When the security device 200 is attached, it may trigger the communication device 110 comprising said means 205, e.g. a web browser, audio circuitry and transducers for generating and reproducing sound, wherein the web browser shows the web page on the communication device's display, to reproduce and play some sort of sound signal, or audio signal, incorporated in a received file, e.g. an audio file or other file in a suitable format, provided by the web page. The audio or sound signal comprises encrypted information, e.g. purchase file of ordered goods or services. The security device is therefore provided with a receiver circuitry 210 and an audio chip 212 to be able to receive the analogue sound and process the received analogue signals. With audio chip is meant circuitry for transducing sound waves to electric signals.
The security device may comprise a receiver circuitry 210 comprising the audio chip 212 configured to receive and process sound waves via a first interface, which is a medium, such as air, or a channel, such as an inlet or pipe for transferring sound or audio signals to the receiver circuitry. The inlet or pipe may be configured to guide the sound waves through the casing of the security device. Said receiver circuitry 210 may also comprise a demodulating circuitry, e.g. a filter 212, for extracting information modulated on and carried by the sound waves. According to one embodiment of the present invention, the receiver circuitry may be an Application Specific Integrated Circuit, ASIC, comprising the audio chip 212 and the demodulating circuitry.
Said sound waves are modulated with data information for transferring/carrying the information to the security device. Any kind of information may be coded, modulated and carried by the sound waves, e.g. an order file received by the communication device. Two modulation techniques may be used, either frequency modulation or amplitude modulation. Both are well known in the art. Said receiver circuitry 210 comprises the audio chip 212, which is capable of converting sound waves into electric signals, and vice versa. Preferably, the receiver circuitry 210 with the audio chip 212 directly transforms the analogue sound waves into digital data. Said demodulating filter 214 is configured to extract the modulated file or data information. The security device also comprises a digital processor 220, such as a Central Processing Unit (CPU), microprocessor, etc. The digital processor 220 is acting as a control unit of the other components and circuitries in the security device. The invention may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Apparatus of the invention may be implemented in a computer program product tangibly embodied in a machine readable storage device for execution by a programmable processor 220; and method steps of the invention may be performed by a programmable processor 220 executing a program of instructions to perform functions of the invention by operating on input data and generating output.
Embodiments of the invention may advantageously be implemented in one or more computer programs that are executable on a programmable system including at least one programmable processor 220 coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. Each computer program may be implemented in a high-level procedural or object-oriented programming language or in assembly or machine language if desired; and in any case, the language may be a compiled or interpreted language.
Generally, a processor 220 will receive instructions and data from a read-only memory and/or a random access memory. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks. Any of the foregoing may be supplemented by, or incorporated in, specially-designed ASICs (Application Specific Integrated Circuits).
Thus, the digital processor 220 is configured to read, decode if necessary and store the received and converted/coded information, preferably as a file, into a first memory area 221. Thus, the security device is capable of reading and storing an order file into said memory storage 221.
The security device may also comprise an electronic signing process block 230 configured to generate a signed order file by adding personal data to the received order file. Said electronic signing process block 230 is connected to the first memory area 221, wherein the received and converted information is preferably temporarily stored. The digital processor 220 monitors said first memory area 221, and when a file has been completely loaded and stored, the digital processor 220 transfers the stored file to the electronic signing process circuitry, which is connected to a second memory area 222 where the personal data information comprising personal identification data enabling electronic signing is stored. Thus, the second memory area comprises the information to be validated and sent. Further, the second memory area 222 may also store personal data information about a customer card; typically this information is the customer card number, the card validity (i.e. year and month of expiration) and probably also the CVC-number (not illustrated) of the card. Any other kind of information to be added to a received file may be stored in the second memory area 222. Said information may be stored by a security device provider before the device is handed over to the user. Some information may also be inserted by the device owner and user. The second area may be implemented as a Read-Only Memory (ROM).
The stored information in the second memory area 222 is preferably stored in a structured way that enables the electronic signing process block 230 to correctly insert data information, which may be a set of different data information, from the second memory area 222 into the correct spaces, fields or areas of the file, e.g. an electronic order form.
When the security device has filled in, completed and signed the electronic order form, it will forward the signed order form into a third memory area 223, wherein the signed and completed order file is stored.
The security device 200 may also comprise a transceiver circuitry 240 configured to communicate with the communication device via a second interface 250, which may enable removable connectivity to a suitable port of the communication device. The second interface 250 may be a contact that matches a corresponding contact of the communication device. For example, the communication device could be a stick with a contact that e.g. fits into the Universal Serial Bus (USB) port or a head-phone or microphone jack of a mobile phone, tablet computer, or similar portable device. The transceiver circuitry 240 may be configured to insert the signed file in a message which is addressed, e.g. with an Internet Protocol (IP) address, to the validation entity, e.g. a server of the web site or a separate secure server. The transceiver circuitry 240 forwards the signed order file to the communication device 110, which transfers the signed order file to a validation entity e.g. a secure server (140 in figure 1) for validation. Said transfer is performed by means of the communication equipment 260 over the interconnecting network, e.g. Internet or a wireless radio access network connected to the Internet.
Further, the security device 200 may comprise an encryption block that encrypts the signed order file before loading the file into the transceiver circuitry 240. Optionally, the security device 200 may comprise a digital-to-analogue converter, said converter being capable of converting the digital data into an audio or sound file format. Thus, the order file may be delivered in the same file format as it was received and played by the communication device 110.
The security device 200 is a personal entity storing data information which has to be protected. Therefore, the digital processor 220 is configured to perform an identification process when the security device is started and/or energized. The user has to identify himself or herself in the proper and correct way. The security device may therefore be equipped with means such as a fingerprint identifier, voice recognition functionality, e.g. by means of the audio chip, PIN code, password, etc.
Thus, a security device with a built-in audio chip 212 is provided, said security device being connectable to a suitable port of a computer and/or a mobile phone. The security device comprises an audio chip 212, sound-chip, etc. When the security device is connected to a computer or a mobile phone, the audio chip 212 is configured to listen to sound/audio signals reproduced and generated/played by the communication device means 205 and to convert the sound signals to binary data. The sound is generated from a sound/audio file, which is received by the web browser from a web site. The security device is further configured to decrypt the content of the binary data and to generate a corresponding encrypted file in a memory area of the security device. Said encrypted file is uploaded to the secure server (140 in figure 1) as a response to confirm the purchase, identification or login. The secure server is a validation entity.
A solution according to one exemplified embodiment of the present invention may be a USB-stick with a built-in audio chip 212. Alternatively, another embodiment of the invention is a device, e.g. wherein the casing is designed as a memory stick, wherein the second interface is a contact or a plug that is attachable to the audio jack, e.g. microphone jack and/or earphone or headphone contact.
Figure 3 is a flowchart illustrating an exemplary embodiment of the method according to the present invention. The method is adapted for and performed by a security device for supporting validation/authenticating in a validation process for a customer interacting with a web site 120 during a data session by means of a communication device 110.
A customer or client is capable of visiting a web site on the Internet by means of a communication device comprising a web browser. An end user, e.g. a customer or client, is watching on the communication device display a certain web page provided by the web site 120. The web page is designed for guiding the client or customer to finalize the session process, e.g. purchase of goods and/or services. The web site 120 will instruct the user to connect the user's personal security device to the communication device 110. The user may have to connect the security device within a specified time period; otherwise the process will not be completed. Said security device is removably connected to the communication device, and the interaction during the data session takes place via an interconnecting network 130. Said data session results in a file to be electronically signed and verified/authenticated. If the security device is a USB-stick, the USB-stick is attached to the USB-port of the communication device 110 or a sound jack of a mobile phone. The security device comprises means for supporting authentication of personal identification information about the client/customer. The method comprises an electronic signing process, which will now be described. After the insertion of the security device into the communication device, the security device and communication device start a transfer and receiving process of the file to be signed via the first interface, the file being sent in a playable sound or audio file format.
Step S310: Transfer and receiving process - Receiving sound waves transferring the file to be signed from the communication device via a first interface;
The web page 205 plays, by means of a sound card or sound chip in the communication device, some sort of sound, or audio signal, by means of a file, e.g. an audio file or other file in a suitable format. The audio file comprises the file to be signed, preferably in an encrypted format; the file to be signed may be an order file or a purchase file of ordered goods or services. The security device 200 may comprise a receiver circuitry 210 configured to receive and signal-process sound waves via a first interface 212. The audio chip 212 may be integrated with the receiver circuitry 210. Preferably, the receiver circuitry 210 directly transforms the sound waves into digital data. Sound waves are modulated with data information, preferably as a file, for transferring/carrying the information to the security device. Said receiver circuitry 210 may comprise a demodulating filter 214 for extracting the modulated data information.
Thus, the security device may be configured to decrypt the digital data using any standard or customized decryption scheme.
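The receive path of step S310 (a file modulated onto sound, demodulated by the device, and handed on only once it has been completely loaded), sketched as an added example that is not taken from the patent. Binary frequency-shift keying stands in for the frequency modulation the description mentions; the tone frequencies, bit rate, length-plus-CRC32 framing and the sample order file are all assumptions made for illustration.

```python
import math
import random
import struct
import zlib

# All parameters below are assumptions for illustration; the patent names none.
SAMPLE_RATE = 8000        # audio samples per second
SAMPLES_PER_BIT = 80      # 100 bit/s
FREQ_ZERO = 1000.0        # tone (Hz) that carries a 0 bit
FREQ_ONE = 2000.0         # tone (Hz) that carries a 1 bit

# Constructed sample "file to be signed"; not a format defined by the patent.
ORDER_FILE = b"order_id=1001;item=book;amount=49.90;name=;card="


def frame(payload):
    """Length prefix + payload + CRC32, so the receiver can tell when a file is complete."""
    return struct.pack(">H", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))


def modulate(data):
    """Communication-device side: turn bytes into binary-FSK audio samples."""
    samples = []
    for byte in data:
        for shift in range(7, -1, -1):          # most significant bit first
            freq = FREQ_ONE if (byte >> shift) & 1 else FREQ_ZERO
            samples.extend(math.sin(2 * math.pi * freq * n / SAMPLE_RATE)
                           for n in range(SAMPLES_PER_BIT))
    return samples


def add_noise(samples, sigma, seed=1):
    """Model the air path (first interface) with additive Gaussian noise."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def tone_power(block, freq):
    """Goertzel filter: signal power at one frequency within one bit period."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Security-device side: decide each bit by the stronger tone, then pack bytes."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_power(block, FREQ_ONE) > tone_power(block, FREQ_ZERO) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def receive_file(samples):
    """Return the payload only if a whole, intact frame arrived; otherwise None."""
    raw = demodulate(samples)
    if len(raw) < 6:
        return None                              # not even a header and checksum
    (length,) = struct.unpack(">H", raw[:2])
    if len(raw) < 2 + length + 4:
        return None                              # truncated: file not completely loaded
    payload = raw[2:2 + length]
    (crc,) = struct.unpack(">I", raw[2 + length:6 + length])
    return payload if zlib.crc32(payload) == crc else None


if __name__ == "__main__":
    audio = add_noise(modulate(frame(ORDER_FILE)), sigma=0.5)
    print(receive_file(audio))                   # intact file despite channel noise
    print(receive_file(audio[: len(audio) // 2]))  # interrupted playback is rejected
```
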
Step S320: Electronic signing process - Generating a response comprising a signed file by means of an electronic signing process wherein personal data is added to the received file to be signed;
In this step, the security device generates a response, e.g. a file, message or a response sound. The security device comprises an electronic signing process block 230 configured to generate a response, e.g. a signed order file, by adding personal data to the received file to be signed. Said electronic signing process block is connected to a first memory area 221, wherein the received and converted information is preferably temporarily stored. The digital processor 220 monitors said first memory area 221, and when a file has been completely loaded and stored, the digital processor 220 transfers the file to be signed to the electronic signing process block, which is connected to a second memory area 222 where the personal data information comprising personal identification data enabling electronic signing is stored. Further, the second memory area 222 may also store information about a customer card; typically this information is the customer card number, the card validity (i.e. year and month of expiration) and probably also the CVC-number (not illustrated) of the card. Any kind of information to be added to a received file may be stored in the second memory area 222. Said information may be stored by a security device provider before the device is handed over to the user. Some information may also be inserted by the device owner and user.
When the security device has filled in, completed and signed the electronic order form, it forwards the signed order form into a third memory area 223, wherein the signed and completed order file is stored. Now the forwarding process is performed:
Step S330: Forwarding process - Forwarding the response with the signed file to the communication device for further transfer of the signed file to a validation entity for validation.
The security device may also comprise a transceiver circuitry 240 configured to communicate with the communication device 110 via a second interface 250, which may enable removable connectivity to a suitable port of the communication device. The transceiver circuitry 240 may be configured to insert the signed file of the response file in a message which is addressed, e.g. with an Internet Protocol (IP) address, to the validation entity, e.g. a server of the web site or a separate secure server. The transceiver circuitry 240 forwards the signed order file to communication equipment 260 of the communication device 110, which transfers the signed order file to a validation entity, e.g. a secure server 140 of a second intermediate transaction party, for validation by means of the same communication equipment and interfaces and in the same way as the communication device is communicating over the interconnecting network 130, e.g. wireless network, Internet, etc.
Further, the security device may comprise an encryption block that encrypts the signed order file before loading the file into the transceiver circuitry.
Optionally, the security device may comprise a digital-to-analogue converter, said converter being capable of converting the digital data into an audio or sound file format. Thus, the order file may be delivered in the same file format as it was received and played by the communication device.
The digital processor 220 is configured by means of software and/or hardware to control the above steps and processes of the exemplified embodiment of the method according to the present invention.
The response file is uploaded to the secure server (140 in Fig. 1), which is able to authenticate the personal identification information in the response file. By means of information about the web site, e.g. the on-line electronic marketplace, the secure server is able to return the authenticated personal identification information. The response file may also comprise other information, e.g. purchase order.
Figure 4 illustrates a signaling scheme for a system illustrated in Fig. 1 wherein an exemplary embodiment (commercial alternative) of the present invention is applicable. The system comprises a communication device 110, e.g. a Personal Computer (PC), laptop, mobile phone, smart phone, tablet computer, etc. An end user, e.g. a customer or client, is capable of visiting a web site on the Internet by means of a communication device comprising a web browser. The end user initiates a data session with a web site, in this example an on-line market place providing items and/or services for sale. The initiation starts a data communication between the customer and the web site, in which data communication layout scripts are sent to the communication device as xTML code resulting in web sites that are displayed on the communication device. If the end user has decided to buy something from the web site, the web site 120 provides the end user a certain web page, which is designed to guide the client or customer to finalize the session process, e.g. purchase of goods and/or services. The web site 120 instructs the user to connect the user's personal security device to the communication device 110. If the security device is a USB-stick, the second interface 250 of the USB-stick is attached to the USB-port of the communication device 110. If the security device is a device, e.g. designed as a stick, having a plug or contact as second interface 250, said plug or contact is inserted into the sound jack of the communication device, e.g. a mobile phone or smartphone. The security device is preprogrammed with personal data information for electronically signing an order file sent from the web site to the communication device.
When the security device is attached, it may trigger the web page to play some sort of sound, or audio signal, by means of a file, e.g. an audio file or other file in a suitable format. When the security device is attached, it may send a trigger signal. Alternatively, the customer may trigger the web page to play the sound by pressing a key of the keypad of the communication device to which the communication device is attached. The file comprises encrypted information, e.g. a purchase file of ordered goods or services. The security device is therefore provided with a receiver circuitry 210 and an audio chip 212 to be able to receive the analogue sound and process the received analogue signals.
The method for supporting validation/authenticating according to the present invention in a validation process, involving S310: the transfer and receiving process; S320: the electronic signing process; and S330: the forwarding process, is now performed by the security device attached to the communication device.
The security device and its processes are adapted to generate a response file wherein the file to be signed, e.g. an order file, is completed with missing data and signed. Preferably, the response file is inserted in a message in an IP/TCP protocol that is addressed, given the destination IP address of a web server, either a web server at the web site or a secure server (140 in Fig. 1). The receiving web server or secure server (140 in figure 1) is adapted to authenticate the personal identification information in the response file. By means of information about the web site, e.g. the on-line electronic market place, the web server or secure server is configured to use said information for returning the authenticated personal identification information. The response file may also comprise other information, e.g. purchase order.
The web site receives the response file, which initiates the purchase process, which results in that an electronic invoice and the authenticated personal identification information is sent to a Transaction Institute, which performs a check of the received data. If the transaction is allowed, a transaction acknowledgement is sent to the client/customer (110).
Figure 5 is a signaling scheme for a system and process wherein another exemplary embodiment of the present invention is applicable. As already mentioned, web sites may not be an on-line market place offering items for sale. Web sites may offer services such as agreements, contracts, etc., wherein the file to be signed is not an order file. The system of Fig. 5 illustrates an interaction between an end user and a web site offering an agreement to be signed, which does not involve any transaction with a bank or Transaction Institute issuing a banking card, customer card, credit card, etc. Such a system does not therefore involve a bank or other transaction institute, as illustrated in Fig. 5. Thus, the only difference between the system and process in Fig. 5 and that in Fig. 4 is that in the system and process in Fig. 5, the web site receiving the authenticated response file does not initiate a purchase process, which results in that an electronic invoice and the authenticated personal identification information is sent to a Transaction Institute, which performs a check of the received data. Instead, the web site receiving the authenticated response file initiates a purchase process, which results in that the receiving web server related to the web site, which may be a secure server, is adapted to perform a test, indicated as "OK?", if the received response file comprising the signed file in the response file is acceptable. If the response file is approved, a transaction acknowledgement is sent to the client/customer.
A secure server 140 may involve a processing system and different interfaces. The processing system controls the operation of the secure server 140. The processing system also processes information received via the interfaces. A specific interface may allow the secure server to communicate, for example, with a server, such as the server of a bank, transaction institute and/or a server at the electronic marketplace 120. Further, the secure server may comprise an interface for communicating with another network, such as the Internet, wireless networks such as GSM, LTE, WiMAX or any other suitable network.
As mentioned above, embodiments of present invention are easy to implement, mainly due to the fact that no introduction of additional software packets is required. Therefore, negative customer attitudes towards solutions of the invention caused by the necessity to download and install software are avoided. Moreover, hardware required for utilising the invention is already present in existing web-based or mobile phone based ordering and payment systems, which enables the intermediate transaction party, the banks and the merchants with means to conveniently realize and quickly implement the invention. The purpose of the present invention is not to change the present payment and transaction processes and methods. The present invention is only an independent addition or supplement that can be added as an extra step to the present payment and transaction processes and methods.
Embodiments of the present invention may be provided by a web site, e.g. an electronic marketplace, as a safety mechanism, to be used by customers to verify their personal identification data and possession of a customer card in a purchase process within an electronic transaction method. In this way any potential perpetrator will probably fail the verification process, due to lack of knowledge about the visible aspects of the customer card in question. Thereby security is enhanced.
Embodiments of the present invention may also be provided by a web site, e.g. a bank or other commercial institute, as a safety mechanism, to be used by customers to verify their personal identification data during a data session wherein a customer or client is interactively linked or connected to the web site.
Various embodiments of the present invention also solve security issues when it comes to electronic commerce on Internet and purchases made via a mobile phone on a mobile phone network, even though not explicitly exemplified in this specification. Various embodiments of the present invention also solve the issue of purchases with stolen customer card information on the Internet and purchases made via a mobile phone network. As should be noted, the present invention is not limited to the above-described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention, which is defined by the appended claims.

Claims

1. A security device (200) comprising a receiver circuitry (210) and an audio chip (212) connected to a first interface for transferring of sound waves.
2. The security device (200) according to claim 1, said security device being configured for supporting validation/authenticating in a validation process for an end user interacting with a web site (120) during a data session by means of a communication device (110), said security device (200) being removably connectable to the communication device (110), and wherein the interaction during the data session is taking place via an interconnecting network (130), said data session resulting in a file to be electronically signed and verified/authenticated, the security device is characterised in that it may comprise a receiver circuitry (210) configured to receive and signal-process sound waves via a first interface, said sound waves transferring the file to be signed from the communication device (110); an electronic signing process block (230) configured to generate a response comprising a signed file by adding personal data to the received file to be signed; and a transceiver circuitry (240) configured to communicate with a connected communication device (110) via a second interface (250), the transceiver circuitry (240) being configured to forward the response with the signed file to the communication device for further transfer of the response with the signed file to a validation entity.
3. The security device (200) according to claim 1, wherein said security device being configured for supporting validation/authenticating in a validation process for an end user interacting with a web site (120) during a data session by means of a communication device (110), said security device (200) being removably connectable to the communication device (110), and wherein the interaction during the data session is taking place via an interconnecting network (130), said data session resulting in a file to be electronically signed and verified/authenticated, wherein the receiver circuitry (210) is configured to receive and signal-process sound waves via the first interface, said sound waves transferring the file to be signed from the communication device (110).
4. The security device (200) according to claim 3, wherein the security device comprises an electronic signing process block (230) configured to generate a response comprising a signed file by adding personal data to the received file to be signed.
5. The security device (200) according to claim 4, wherein the security device comprises a transceiver circuitry (240) being configured to forward the response with the signed file to the communication device for further transfer of the response with the signed file to a validation entity.
6. The security device (200) according to claim 1, wherein the second interface (250) of the security device is a Universal Serial Bus contact.
7. The security device (200) according to claim 1, wherein the second interface (250) of the security device is an electric plug or contact adapted for insertion into an audio jack or headphone contact.
8. The security device (200) according to claim 1, wherein the security device comprises equipment for performing an identification process for identifying the owner of the security device.
9. The security device (200) according to claim 1, wherein the file to be electronically signed and verified/authenticated is an order file.
10. A method in a security device for supporting validation/authenticating in a validation process for an end user interacting with a web site (120) during a data session by means of a communication device (110), said security device being removably connected to the communication device, and wherein the interaction during the data session is taking place via an interconnecting network (130), said data session resulting in a file to be electronically signed and verified/authenticated, the method is characterised in that it may comprise:
- Receiving sound waves transferring the file to be signed from the communication device via a first interface (S310);
- Generating a response with a signed file by means of an electronic signing process wherein personal data is added to the received file to be signed (S320);
- Forwarding the response with the signed file to the communication device for further transfer of the response to a validation entity for validation (S330).
11. The method according to claim 10, wherein the receiving step involves extracting the file which is carried by said sound waves.
12. The method according to claim 10 or 11, wherein the generating step involves acquiring the personal data from a memory storage in the security device, said personal data being pre-stored in said memory storage.
13. The method according to one of claims 10 - 12, wherein the response with the signed file is transferred to a secure server (140) for validation.
14. The method according to one of claims 10 - 14, wherein the personal data comprises information about a customer credit or debit card, such as the customer card number, the card validity and the CVC-number of the card.
PCT/SE2012/050815 2011-07-11 2012-07-09 A security device and a method for supporting validation in a validation process for an end user interacting with a web site Ceased WO2013009255A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP12811746.2A EP2732415A4 (en) 2011-07-11 2012-07-09 A security device and a method for supporting validation in a validation process for an end user interacting with a web site

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201161506232P 2011-07-11 2011-07-11
US61/506,232 2011-07-11
SE1150659-9 2011-07-11
SE1150659 2011-07-11

Publications (1)

Publication Number Publication Date
WO2013009255A1 true WO2013009255A1 (en) 2013-01-17

Family

ID=47506313

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2012/050815 Ceased WO2013009255A1 (en) 2011-07-11 2012-07-09 A security device and a method for supporting validation in a validation process for an end user interacting with a web site

Country Status (2)

Country Link
EP (1) EP2732415A4 (en)
WO (1) WO2013009255A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001071480A2 (en) * 2000-03-21 2001-09-27 Quack.Com System and method for voice access to internet-based information
WO2002005078A2 (en) * 2000-07-07 2002-01-17 Qualcomm Incorporated Method and apparatus for secure identity authentication with audible tones
JP2002041479A (en) * 2000-07-21 2002-02-08 Matsushita Electric Ind Co Ltd Information terminal system, information terminal device, information processing device, and information processing method
WO2003001336A2 (en) * 2001-06-22 2003-01-03 Worldcom, Inc. A system and method for multi-modal authentication using speaker verification
JP2009193480A (en) * 2008-02-18 2009-08-27 Hitachi High-Tech Control Systems Corp Voice management apparatus, system management method and program
US20110277023A1 (en) * 2010-05-10 2011-11-10 Intel Corporation Audible authentication for wireless network enrollment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7533735B2 (en) * 2002-02-15 2009-05-19 Qualcomm Corporation Digital authentication over acoustic channel
US7484102B2 (en) * 2004-09-07 2009-01-27 Microsoft Corporation Securing audio-based access to application data
GB2427286A (en) * 2005-06-11 2006-12-20 Harley Clark Financial transaction method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2732415A4 *

Also Published As

Publication number Publication date
EP2732415A4 (en) 2014-12-17
EP2732415A1 (en) 2014-05-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12811746

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2012811746

Country of ref document: EP