An accepted authentication procedure for credit and debit card transactions involves the use of a PIN—a personal identification code, usually consisting of a four digit number, such as 7356—that is known, or supposed to be known, only to the card holder. Not even the issuing bank or card company knows the user's PIN.
A payment card PIN is held on the card as an element of data in a magnetic strip or an embedded microchip. At a payment terminal connected in a communications network, the terminal reads the PIN from the magnetic strip or microchip and requests the user to enter the PIN on a keypad. If they match, the transaction is authenticated. In this instance, there is no transmission of the PIN over the network. The module simply confirms that the payment is authorised.
Instead of a PIN, which is essentially known as a four digit number, a Passcode can be used, which may be alphanumeric and comprise more than four characters.
However, in many other transactions between a user and a service module, which do not use a dedicated payment terminal with a facility for checking an entered PIN or Passcode, the PIN or Passcode would need to be stored on the service module, and checked there in order to authenticate the transaction.
The PIN or Passcode is vulnerable, however, to discovery when transmitted over a publicly accessible network. Knowledge of the PIN or Passcode could enable unauthorised access to the holder's accounts and other restricted access information. It has been proposed to improve security by more complex procedures.
A common approach is to require a two-part identity check, one part being specific to the instrument used to transmit the information to the service module, the other part being specific to the user. If the instrument is a mobile phone, a combination of phone ID and user ID is required. The phone will have a unique ID, being, of course, the telephone number as it appears on the subscriber identity module (SIM) card. The industry mandates that there is only ever one SIM card with any particular number.
However, transmitting this information over a network is open to the risk of eavesdropping. It does not matter that the SIM card ID is unique—it is only required to record and re-use the data stream to access the service module.
Simply encrypting the information is no help. It would, in any event, be the encoded information that is intercepted. It is not necessary to de-encrypt it, just use it in the encrypted format, to gain access.
Resort is had, therefore, to a one-time password (OTP). Interception is now pointless, as the same data stream will not work a second time.
Examples of OTP systems are found in WO2010/101476, WO0131840, and numerous other patent publications.
However, OTP systems require software on the user module to generate them, and corresponding software on the service module to verify them, and, in order to provide acceptable levels of security, the software and its usage are sometimes made deliberately complex, in some instances requiring time-limited passwords and random number generators, or costly ancillary equipment.
The present invention provides simpler approaches to the problem of secure ID authentication.