A constantly recurring problem in purchases for which credit cards or bankcards are used is to establish the identity of the card user. Usually, each card has a specific code, for instance a four-digit number code, which in some stores may be entered into a terminal in conjunction with the purchase. However, this is not a particularly attractive solution for an individual possessing a dozen cards, each having its own specific code. Restaurants, for example, often employ the method of requesting the customer to sign a slip in confirmation of the transaction, and the signature serves as a post-check, should any doubt arise about the payment. This means that only long after the event will the cardholder notice if an unauthorized individual has utilized his card without his knowledge. It might even happen that the personnel of the restaurant fraudulently charge the card with several transactions during the period when they alone have access to the card. It is often sufficient that a dishonest person gets hold of the number of the card to enable him to use the card on a later occasion.
According to prior-art technology intended for situations wherein a customer has recurrent contacts with e.g. a bank, the customer is equipped with a list of codes hidden by a rub-off film. The bank has access to the same list, which may be stored e.g. in the bank computer system. Each time the customer requests a transaction, for instance by telephone, he exposes one of the code numbers by rubbing off the film and then discloses the exposed number to the bank. The number is compared against the list in the bank, and a match ensures that the customer is the person he claims to be, or at least is in possession of the rub-off list in question.
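The rub-off list scheme described above, as an added example that is not part of the patent text: a server-side verifier that accepts each code on the list exactly once, so a code overheard during one telephone call cannot be replayed in a later one. The code values, the `CodeList` class and the `demo` function are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample: the bank's copy of one customer's rub-off code list.
# Real lists would be generated randomly per customer; these values are made up.
SAMPLE_LIST = ["48213", "90527", "11478", "66302"]


@dataclass
class CodeList:
    """Server-side record of a customer's rub-off list: each code is usable once."""
    codes: list[str]
    used: set[int] = field(default_factory=set)

    def verify(self, presented: str) -> bool:
        """Accept `presented` only if it matches a code that has not been used yet.

        The comparison is constant-time and the matched code is marked as used,
        so an overheard code cannot be replayed. Note the limit the text points
        out: anyone holding a copy of the whole list still passes this check.
        """
        for idx, code in enumerate(self.codes):
            # compare_digest avoids leaking how much of the code matched via timing
            if idx not in self.used and hmac.compare_digest(code, presented):
                self.used.add(idx)
                return True
        return False

    def remaining(self) -> int:
        """Number of codes the customer can still present."""
        return len(self.codes) - len(self.used)


def demo() -> list[bool]:
    """Customer exposes codes over several calls; a third party replays one."""
    bank_copy = CodeList(list(SAMPLE_LIST))
    return [
        bank_copy.verify("48213"),  # first rub-off, disclosed to the bank: accepted
        bank_copy.verify("48213"),  # the same code replayed later: rejected
        bank_copy.verify("00000"),  # a guess not on the list: rejected
        bank_copy.verify("11478"),  # another unused code from the list: accepted
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```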
According to prior-art systems devised to provide secure transactions for instance on the Internet, the user must have access to a small electronic device at the time of the transaction. Codes are exchanged between the computer and the electronic device in order to ensure that the user actually has access to the electronic device. This technology is employed above all in conjunction with banking services on the Internet when a customer uses the service comparatively often.
The solution involving the individual-related electronic device does, however, produce two problems:
In the first place, it is possible for a skilful expert to copy the electronics, for example the ROM memory, of an electronic device to which he has access albeit briefly. The electronic device may then be returned to the owner who suspects no mischief. From then on, there is no possibility for the computer system to ascertain whether a request is made by the owner or the dishonest person.
In the second place, an electronic device is specific to each service provider, which means that a user of several services must carry with him several electronic devices. Consequently, there is a risk that he has forgotten the electronic device that is required for the occasion. In addition, it reduces the user's chances to keep an eye on all electronic devices, and a dishonest person can easily use a stolen device or copy a “borrowed” device before the user has had time to miss it.
When credit cards are used for payment over the Internet, generally only the number of the credit card serves as the authenticity check. It is possible to encrypt the credit card number, but if the encrypting code is cracked, a dishonest person could use the card comparatively freely until the time when the user receives a bill, usually at the end of a month. Electronic devices of the kind described above could of course be used to increase security, but the problems related to copying of the electronics of the device and the need for several devices do, of course, remain.
Some providers of services offer systems on the Internet, according to which a person must first register as a customer and only then is he allowed to make purchases using his credit card. Like the system involving the electronic devices, these systems suffer from the disadvantage that they are specific to each service provider, making the user's life very complicated as he has to have contact with several service providers.
Other common services for which authentication of a user's authorization is needed are logging in to computer systems and admittance into security-classified premises. These systems are based almost exclusively on the presentation of a user ID in conjunction with a code or a password, which in some systems is changed according to predetermined routines, or on security pass cards and an associated code. Generally speaking, the fact is that in our society a multitude of codes exists which it is difficult for the individual to remember. He might therefore be tempted to write down the codes somewhere, which reduces security.
The combination of disclosure of a code and an electronic device, which has to be physically available, improves security but at the cost of requiring several devices. Consequently, this technology hardly presents a universal solution to the problems outlined above.
There is therefore a need for a uniform system that might be used with several types of service requests and that allows the authenticity of the customer or user to be verified in a simple manner.
Definitions
In the following description, a number of expressions will occur, which are defined as follows.
By the expression “commission” is to be understood generally a service that a person wishes to be rendered by a provider. For example, a commission could be a financial transaction delivered by a bank or similar establishment, but a commission could equally well be a request for admission into a building or for log-in into a computer system. To order such a commission is referred to as a “service request”.
By the expression “service provider” is to be understood both the company carrying out the commission (such as a bank, a credit card company or a security company) and the equipment used to implement the commission (such as a door lock, an automatic teller machine or a computer system in log-in situations).
The “customer” is the individual requesting the commission from the service provider, and in the following description, the customer and the service provider are also users of the method and the system in accordance with the invention.
By the expression “database” is to be understood the data-storage memory unit as well as the software processing volumes of data and executing operations for instance for the purpose of comparing volumes of data.
By “mobile telephone” is to be understood herein a portable telephone, such as a cellular telephone (e.g. GSM) or the like. The expression naturally includes any portable telephones that may be developed in the future.