Payments by credit or debit cards represent a large portion of consumer spending. Historically, credit or debit cards were encoded with a magnetic stripe, which allows a transaction responsive to a transaction device arranged to read information encoded on the magnetic stripe, in a secured manner. The device reading the magnetic stripe is typically in communication with the credit card issuer via a transaction network, the credit card issuer ultimately approving the transaction. Credit or debit cards are unfortunately susceptible to theft which may be unrealized by the user for a significant period of time.
Advances in technology have led to the development of contactless smart cards, such as those defined under ISO/IEC 7210 and ISO/IEC 14443, also known as Near Field Communication (NFC). Similar technology is available meeting other standards or protocols generally under the term radio frequency identification (RFID), with the range of RFID typically restricted to be of the same order as that of NFC. The term contactless element (CE) as used throughout this document refers to any short range communication device operating under any of NFC, RFID or other short range communication standard with range on the same order as that of NFC, and typically require that the CE be juxtaposed with a reader. The use of optically readable codes are specifically included herein with the definition of a CE. Such CE smart cards may be used for transactions, however since they may be read by any reader within about 4 cm, they do not provide for increased security. As such, CE smart cards are typically only used for low value transactions, wherein a small value is pre-loaded on the CE smart card, and the small value is depreciated with each transaction until a limit is reached.
Mobile devices (MDs) are increasingly being used for financial transactions due to their ubiquity, available screen and input devices. An MD as used herein includes any electronic MD used for personal functionalities such as multimedia playing, data communication over a network or voice communication. One embodiment of an MD is a mobile station, also known as a mobile communication device, mobile phone, mobile telephone, hand phone, wireless phone, cell phone, cellular phone, cellular telephone, mobile handset or cell telephone.
With the development of IEEE 802.11, and the broad establishment of the resultant wireless networks, various MDs have been developed which communicate over available wireless networks in addition to cellular telephone capabilities. Furthermore, various MDs have been developed with the ability to access the Internet both over a wireless network and/or over a cellular network.
The ubiquitous MD, having an associated means for user identification and charging expenses, presents an opportunity to utilize the MD as an electronic wallet. There are several known methods for providing a service or a product, and in particular, payment for products or services other than phone usage or airtime, by using a mobile station.
CEs in cooperation with an MD have been developed into two main groups, devices which are connected to a controller of the MD, such as to the MD's CPU, and can communicate therewith, and devices which are not connected to the MD's CPU. In the case of CEs connected to the MD's CPU one can find various devices, such as NFC devices on SIM cards, also known as “SIM Contactless Element” (SCE), external cards such as SD cards with NFC devices, SIM add-on Contactless Elements (SCCE), and NFC devices found within the MD's hardware. The above group of devices denoted herein as “embedded CE” (ECE) devices can be used in the same manner as CE devices which are not connected to the MD's CPU for applications where the CE reader communicates with the CE device directly and the communication doesn't rely on any action of the MD's CPU. It is to be noted that in the event that the CE comprises an optically readable code displayed on a display of the MD, the MD is inherently an ECE device.
The group of CEs which are not connected to an MD CPU may include NFC or RFID tags, stickers, key fobs, optically readable codes which may be affixed to the MD, and other form factors. Such a CE, when secured in relation to the MD may thus be utilized to provide an identification number read by a reader within proximity of the CE.
As transaction systems have become more sophisticated and in more widespread use, the incidence of fraudulent transactions have also increased. In particular, both “phishing” and “man in the middle” attacks have been shown to defeat many CE based security systems. In a phishing attack, a user is sent a message indicating that connection to a specific uniform resource locator (URL) is required, however the URL, while appearing to be a legitimate URL, is actually that of a fraudulent server. The user may not recognize, or notice, the slight change in URL, whose actual address refers to a fraudulent server. In such a manner personal information and passwords may be obtained from an unsuspecting user.
Man in the middle attacks are particularly useful against ECE devices, wherein the CE may be read by a fraudulent reader, and relayed to a remote purchasing location without the user being aware.
Recently CE enabled posters have become common, with the poster having embedded CE devices therein. A user with an ECE juxtaposes the CE with an embedded CE, which acts to generate a pointer on the MD to a target URL, perhaps offering a discount. Unfortunately, a legitimate embedded CE may be covered by a fraudulent embedded CE, or may be covered by a blocking material with an adjacent fraudulent CE attached, causing the MD to generate a pointer to a fraudulent URL.
What is needed, and is not provided by the prior art, is a method of increased security without requiring significant effort on the part of the user, and preferably appropriate for use with any MD, without requiring specific features, applications, or devices. Such a method is preferably equally appropriate for use with a computer or other device connecting to a transaction server over a network, such as the Internet.