Remote banking operations, product purchasing transactions and other electronic authentication procedures performed through the telephone network, Internet data network, or other communication media require a high level of security that is not fully achieved with existing equipment and techniques.
Credit card purchasing in point-of-sale systems is not completely safe and the system is exposed to computer hackers and other fraudulent activities. Credit card identification fraud is very common and very costly. Credit card companies report spending hundreds of millions of dollars every year because of this problem.
In existing credit card security systems, heavy reliance is placed on the possession of the card itself and identification numbers that the user must protect and remember. These identification techniques lead to problems if the card is stolen and the identification number is copied or forgotten. Those numbers are sent through the communication media with limited security or certainty that the purchase is being made by the right person, who legally possesses the card and is authorized to use it.
Furthermore, at regular point-of-sale locations in stores where credit cards are routinely used for purchasing transactions, the authentication techniques are very limited and there are many instances of card forgery costing credit card companies millions of dollars. Typically in these systems, the credit card is read at the point-of-sale and the purchase information is communicated by a modem using a standard V.32 protocol over the telephone lines to a Credit Card Center, which has a database. The database analyzes the transaction and sends a reply which allows for the transaction to be completed by acknowledging the credit card and authorizing the transaction.
As mentioned above, the telephone line authorization procedure may be interfered with, and this would leave the point-of-sale vulnerable to fraudulent activities.
In U.S. Pat. No. 5,513,272 to Bogosian, there is disclosed a system for verifying the authorized user of a credit card having a fingerprint of the card owner stored on the information strip of the card. The card user provides his fingerprint via a scanning device, and the information is compared with the owner's stored fingerprint on the card and with a database-stored owner fingerprint, by communications employing an encryption technique between the fingerprint scanner and the database. In addition and prior to this, as part of a required procedure, the card's information strip is read, and the card itself is scanned to obtain a digital numeric sequence representing the surface of the card, and this is also compared with a database-stored card image surface. An additional comparison is made of a photograph of the card owner and a database-stored photograph. Voice recognition and retinal scanning may also be used to increase the level of verification.
The system described in the Bogosian patent is overly complicated, time consuming and costly, requiring several layers of verification for cross-checking beginning with reading the card, scanning of the card image and the fingerprint, with optional voice recognition, retinal scanning and photographic scanning. The encryption techniques are described at the level used for automatic bank teller machines, which are simplified protocols not involving the use of token keys. The patent does not describe the use of existing communications for credit card authorization via a modem.
In addition, use of the card information strip for storage of the card owner's fingerprint data presents the risk of a breach in security, if the card is lost or stolen, since the fingerprint data is available right on the card. The fingerprint scanning technology available when the Bogosian patent was filed in 1994 used an optical reader with complex optics, which is not very accurate and requires a very long time to process fingerprint data.
The current practice used for purchases over the Internet is also subject to fraudulent activities, since it depends on a similar approach to that of the point-of-sale purchase, beginning with the user PC sending credit card information to the website offering the sale. The information is then sent to the credit card company database for authorization, and the reply allows completion of the transaction by acknowledging the credit card and authorizing the transaction, or refusing authorization.
The entire purchase transaction can be encrypted or not according to the country or company, using a private or public encryption key. The user may also provide a password or user ID, but if the key or password is discovered by another, it can be used for non-legitimate purchases, and fraudulent activities.
Therefore, it would be desirable to provide a method of enhancing the security of credit card transactions conducted via point-of-sale or Internet purchase authorization systems, to eliminate the potential for fraudulent activities by verifying the identity of the user of the card, and to avoid use of stolen credit cards by others.
It would also be desirable to protect the communications between the point-of-sale system and the credit card database, or between the user and the credit card database in the case of Internet purchases, so that no interference is possible.