1. Field of Invention
This invention authenticates a transaction request in order to permit progress of a transaction based on a match between an authentication code generated by the requestor of the transaction and an authentication code generated by an authentication agency.
2. Brief Description of the Prior Art
Central authentication of remote transactions is an important mode of business conduct. Remote access to electronic funds transfer networks must be authenticated to prevent theft of funds. Access to communications systems, such as cellular mobile radio systems, must be authenticated to prevent theft of communication services. Authentication is also important in governing electronic access to computer networks and interactive television and physical access to secured locations. Operators of these kinds of systems have developed a number of different techniques for reducing the susceptibility of their systems to various forms of fraud. However, almost all of these techniques can be circumvented by sophisticated misusers with enough computer resources at their disposal or by dishonest employees who can access the systems at various exposed points to steal access code information.
Many of the authentication techniques use combinations of passwords and personal identification numbers (PINs) to attempt to verify that the user attempting to access a network or service is authorized for access. Unauthorized access using improperly obtained PINs and passwords can be somewhat reduced by requiring users to change these codes periodically. A personal identification system disclosed in U.S. Pat. No. 4,376,279 uses a PIN secretly selected by the user, a code number secretly selected by officers of the authenticating agency, and an irreversible transform secretly selected by the manufacturer of the system to produce a code number that is magnetically encoded onto a user card, such as a credit card or banking access card. Since only the user knows the selected PIN, the user's entry of that PIN after inserting the card into the system presumably establishes the authority of that user to access the system. However, even though the system is partitioned to protect different portions of the access code information, changing access codes is cumbersome, so the same information is used over and over again. An eavesdropper or other person who can obtain access to the transaction data and who has enough computer power may, over time, accumulate enough information to learn the access code and gain unauthorized entry.
Theft of telecommunication services through eavesdropping on cellular mobile radio calls has become a major problem. The eavesdropper captures or derives the caller's access code, builds it into his radio unit, and makes subsequent unauthorized calls billed to the original caller. A long period of time could go by before this misuse is discovered and the access code changed. Hackers seeking access to telecommunication and computer networks program their computers to try thousands of access codes in an attempt to find one that works. Once a successful code is found, the hacker can gain network access. Similar problems will exist for emerging interactive television services, such as entertainment and home shopping. Authentication techniques that use repeatedly transmitted access codes are susceptible to various sophisticated attacks. Some technique is needed to keep the attackers off balance.