The increasing use of transaction verification throughout the world is exhibited in the credit card, bank card and other card payment systems being used commonly in grocery stores, banks, universities and on Internet websites. A prevalent problem with remote payment card systems has been remote transaction verification. A primary system of transaction verification security involves a user's signature, which for example may be signed onto a sales receipt. However, apart from the obvious problem of easily forged signatures, such a signature system is not readily adaptable to modern remote electronic transactions, such as transactions over the Internet.
An early remote electronic verification method involved a basic Luhn algorithm to generate unique card numbers in a non-sequential manner, which numbers were then verified by testing them against the algorithm. The method was not intended to be cryptographically secure, as it protected only against accidental error and not malicious attacks. This basic method of verification became increasingly invalid with the advent of the Internet, as fraud increased and details of the algorithm became widespread.
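The following added example (not part of the original text) makes the limits of the Luhn check concrete: it catches every single-digit typing error, misses one adjacent transposition, and uses no secret at all. The sample number and all function names are constructed for illustration.

```python
SAMPLE = "1234567809123452"  # constructed 16-digit string, not a real card number


def luhn_checksum_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def check_digit(payload: str) -> str:
    """Final digit for a payload: a public function, no key or secret involved."""
    for d in "0123456789":
        if luhn_checksum_ok(payload + d):
            return d


def single_digit_errors_missed(number: str) -> int:
    """Count single-digit substitutions that still pass the check."""
    missed = 0
    for pos, original in enumerate(number):
        for repl in "0123456789":
            if repl != original:
                missed += luhn_checksum_ok(number[:pos] + repl + number[pos + 1:])
    return missed


def adjacent_swaps_missed(number: str) -> list:
    """List (position, pair) for adjacent transpositions that still pass."""
    missed = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        swapped = number[:pos] + b + a + number[pos + 2:]
        if a != b and luhn_checksum_ok(swapped):
            missed.append((pos, a + b))
    return missed


if __name__ == "__main__":
    print("valid:", luhn_checksum_ok(SAMPLE))
    print("single-digit errors missed:", single_digit_errors_missed(SAMPLE))
    print("adjacent swaps missed:", adjacent_swaps_missed(SAMPLE))
    print("check digit recomputed:", check_digit(SAMPLE[:-1]))
```

Because the final digit is fully determined by the other digits, a passing Luhn check shows only that a number was typed consistently, not that it was issued or that the cardholder is present.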
Today, half of all credit card fraud is conducted online. In response to this widespread fraud, credit card companies have implemented a static CVV (Card Verification Value) printed on the back or front of cards at the time of issue. The CVV, usually a three- or four-digit number, is required to be entered at the time of transaction, particularly with online payment. A disadvantage of the CVV number system is that many modern credit card fraud systems use card details, including a static CVV number, gained from hacking online shopping payment databases, phishing techniques or screen and keylogging programs installed on a victim's computer system. Obviously, a major drawback to the CVV number system is the static nature of the printed numbers, which means that once card details including a CVV are compromised, a victim can easily be defrauded repeatedly. Furthermore, the simple static nature of the CVV number system offers little proof that a remote user actually has the physical card in their possession, as this simple three- or four-digit number can easily be shared along with other card details.
In response to the security weaknesses of CVV number systems, some banks have begun issuing members with a one-time, password-generating electronic device known as a hardware token. These devices have a small screen and a button which, when pressed, generates a one-time, dynamically changing password using encrypted secret key programming. A password code is generally changed every minute or so. Disadvantages of this system include the enormous expense of buying and issuing these electronic devices that must be secured from the factory of manufacture, battery maintenance, electronic fragility, inability to carry inside conventional wallets, separation from corresponding identification cards, and internal clock synchronization that is necessary with a remote server.
Smart Card technology has also been proposed for use in secure verification methods. Such technology has not become widely used, however, due to issues of remote infrastructure cost and availability, electronic cloning, cost of cards with integrated circuits, and the fragility of the card circuits under conditions of day-to-day use.
Proximity cards used as a payment system in some transportation services have also been proposed. Apart from suffering from the same problems as smart card systems, proximity cards also have the added security issue of a potential unauthorized third party cloning or charging the card at a distance.
There is therefore a need for an improved, secure, dynamically manipulable password transaction verification system. International patent application no. PCT/AU2006/002013, titled “Method and Device for Visual Code Transaction Verification”, described such a system for the first time. The international patent application was filed 31 Dec. 2006 and published as WO 2008/028215. The system avoids the associated remote infrastructure costs and electronic security vulnerabilities of the prior art.