1. Field of the Invention
The present invention relates to a method of secure data communication and to a system employing such a method. In particular, the present invention relates to a method of communicating data between a client terminal and a remote server which prevents effective unauthorised interception of the data being communicated and which, in the case of encrypted data, therefore presents a negligible risk of the encrypted data being decoded. The present invention is particularly well suited, but not exclusively, to financial applications such as ATMs and online banking, in which authorisation data for accessing secure financial data is transmitted by client terminals over potentially non-secure communication links to a remote server where the authorisation data is then verified.
2. Description of the Related Art
Naturally, it is important that access to secure data is only granted to authorised personnel. However, in many fields the need for security must be balanced with the need for quick and remote access to the data. For example, the ability of a hospital's accident and emergency team to access a patient's private medical records immediately can prove life-saving. Bank customers now demand quick and easy access to their funds without being obliged to visit a branch of the bank during normal working hours. To this end, secure systems have been developed which hold data on secure database servers and which permit access to the data via remote client terminals.
In such secure systems, the identity of a user is generally verified through the use of authorisation data, e.g. username, password or a personal identification number (PIN), which is sent between the client terminal and the database server. Although measures may be taken by the user of a client terminal to ensure that the authorisation data remains secret, the authorisation data may nevertheless be observed by others as it is entered by the user or it may be electronically intercepted at some point between the client terminal and the database server.
Unauthorised access to financial data, such as a person's bank details, clearly carries financial rewards, making it the target of increasing criminal activity. Currently, many credit or debit cards employ a magnetic strip or an electronic chip which carries part of the cardholder's authorisation data. The remainder of the authorisation data is known to the cardholder, for example in the form of a PIN. When the card is inserted into an automated teller machine (ATM) or credit card "PDQ" machine, the information stored on the magnetic strip or electronic chip, as well as the PIN entered by the cardholder, is passed to a remote database server, or a separate authorisation server, for verification. If the authorisation data is correct, the cardholder is granted access to his financial data.
A simple form of card fraud is to observe the cardholder entering his PIN at an ATM and then to steal the card. Alternatively, rather than stealing the card which will naturally alert the cardholder, the data stored on the card may be copied using publicly-available magnetic-card readers during financial transactions. The copied card may then be used to make purchases and cash withdrawals without drawing the attention of the cardholder or bank.
Smart cards offer significant security advantages over magnetic-strip cards in that all authorisation data, including the PIN, is stored on the card in encrypted form. This makes card copying during financial transactions practically impossible. Moreover, if a card is stolen it is extremely difficult and time-consuming for criminals to access the PIN stored on the card. Nevertheless, card fraud is still possible by observing the cardholder entering his PIN and subsequently stealing the card. This form of card fraud is particularly relevant to smart cards, for which a PIN, rather than a signature, is used for everyday electronic point-of-sale (EPOS) transactions. As a result, the chances of a cardholder's PIN being observed are increasing.
FR 2819067 describes an EPOS terminal for use with a smart card and comprises a touch-screen keypad. Each time a smart card is inserted into the EPOS terminal, a random keypad arrangement is displayed to the cardholder on the touch-screen keypad for entering his PIN. As a result, an observer is unable to determine a cardholder's PIN merely by observing the finger movement of the cardholder. Similar systems are described in U.S. Pat. No. 5,949,348 and U.S. Pat. No. 4,479,112.
As the PIN of a smart card is stored on the card itself, EPOS transactions occur without the need to send the full authorisation data to the database or authorisation server. In particular, at no time is the PIN stored on the card communicated beyond the EPOS terminal. These publications do not therefore address the problem of others intercepting authorisation data during communications between the EPOS terminal and a remote database server.
Whilst smart cards offer one secure form of authorisation, a card reader must nevertheless be provided at every client terminal in order to read the card and confirm authorisation. Accordingly, smart cards are impractical for many applications, in particular where access to secure data is intended to be granted via the internet. For applications such as online banking, authorisation data continues to be sent between the client terminal (e.g. a home computer) and the database or authorisation server for verification. Although the authorisation data is normally encrypted, e.g. using public-key encryption, there are concerns that it is only a matter of time before methods of decrypting such data are developed.