The invention provides a method of electronic value payment that uses a “block” value tagging means that can be used for the detection of fraud in electronic value payment systems. Additionally, the invention applies tag flow control mechanisms to facilitate value auditing across complex operational hierarchies. The invention is practical to implement, flexible enough for use in numerous operational scenarios and independent of actual electronic value representation and encryption mechanisms that may be applied. The size of “blocks” of tagged value in the invention is arbitrary and different levels of granularity can be used.
Any system that uses electronic representation of some associated value may be termed an electronic value system. Such systems circumvent the exchange of actual value in favour of the ease of storage and exchange of an electronic representation of that value. The plethora of current electronic value exchange systems can be characterized in two ways, those that are audited, and give rise to the issue of invoices authorising and recording payments, and those that are unaudited, in that they comprise immediate exchange of tokens which have some attributed value. This invention provides a means to detect fraud in electronic value exchange systems. It has primary application in unaudited systems but may also be used as an additional security means for systems that are audited.
Value reconciliation in an audited electronic value exchange system assumes issue of an explicit instruction, or invoice, that authorises value reimbursement between the centrally held accounts of the parties involved in the payment. This gives rise to a record of payment that builds an audit trail that can be traced in order to detect fraudulent value exchanges. Security is high but there is no anonymity and the auditing adds an additional cost to each transaction.
Electronic value payment methods that comprise the exchange of tokens, vouchers, or equivalent electronic money representations do not require an audit of each transaction. The transaction, or value exchange, process is essentially anonymous and no record is necessarily made of the identity of the payment parties, although receipts giving these details may be issued. The value exchange, from payer to payee, is made on the basis of mutual consent and no independent reference is made to either party in the transaction. The payment proceeds only on the basis that the payer has sufficient funds in terms of the number or value of tokens, and that the payee is willing to accept them. Implicit in this process, and that of other similar transaction methods, is trust. To participate in a transaction there must be a strong belief that the tokens exchanged are guaranteed by some third party, have some associated value and that every effort has been made to prevent counterfeiting and fraud.
It is known that there are fixed costs associated with the processes of auditing and value reconciliation. The auditing cost may represent only a small percentage of large value transactions but can make small value transactions uneconomic. The cost imbalances associated with low value transactions make auditing comparatively expensive and inappropriate. Electronic value transaction systems that do not audit each transaction can therefore make considerable cost and efficiency savings and are therefore desirable. However, the lack of direct transaction auditing means that these systems must make additional safeguards to prevent the introduction of counterfeit value. Counterfeit prevention mechanisms must be practical, cost effective, add little or no overhead to the transaction process, be hidden from the user, allow detection of fraud at the earliest opportunity and ideally give some indication of the level of fraudulent value present in a system should a breach of security occur. Additionally, counterfeit prevention and fraud detection systems should maintain user anonymity.
Consider, for example, the use of telephone payment cards. These cards perform the fundamental task of value storage. They are purchased from a vendor and have a value associated with them that corresponds with the number of tokens that they contain. In use, at appropriately equipped telephone points, value is debited, or tokens are removed, from cards in exchange for telephone services. The telephone system operator has no means with which to identify the card user, other than through assumptions or inductive reasoning, and payments for services are therefore received anonymously. In order to reconcile card sales against phone usage, aggregate statistics of value debited from cards are accounted for by the telephone operators. However, a full system account is not usually possible since much value will always remain on cards in circulation that cannot be readily audited. Sizeable levels of fraudulent value may therefore remain hidden from scheme operators.
An area of growth for electronic value payment is that of “means of exchange” payment devices. Electronic payment schemes of this type aim to encompass the fundamental properties of traditional cash and will perhaps in future become a replacement for it. Technologies applied in this area allow secure electronic value storage, portability and person to person payment mechanisms. If electronic value systems of this type succeed in their goal of cash replacement then full transaction auditing not only becomes problematic, in terms of storage and cost of processing, but also undesirable if payment anonymity is to be maintained.
Checking mechanisms are applied in such schemes to verify the authenticity of cards and are applied to guarantee the integrity of value transfers to prevent fraud and the potential manufacture of value. Wired logic authentication and encryption response mechanisms are designed to limit the scope of fraud and identify valid cards from those that may have been tampered with or those that may be counterfeit. Public key encryption techniques are also used to verify the authenticity of both parties in a transaction, encrypt messages passed between them, and to prevent message snooping. Encryption schemes used in such exchanges rely on unique card identity mechanisms, transaction numbering or random number generation techniques to create unique encryption sequences that cannot simply be recorded and replayed in order to transfer falsified value between parties.
The growth of telecommunications and the internet offers huge potential for electronic value exchange systems. It is no longer necessary for the payer and the payee in a transaction to be physically located in the same place. Electronic transactions can be made across networks, between an individual and a remotely located point-of-sale device, or between two individuals in different locations. There is no longer the need for physical movement of value with its inherent costs and security risks. However, the flexibility of these new electronic payment forms introduces new security risks for scheme operators. Transglobal electronic value usage increases the problems associated with system monitoring and provides great potential for rapid distribution, or laundering, of fraudulent value should its manufacture prove possible.
Throughout these types of systems there is a need for fraud detection mechanisms. The present invention provides the means for electronic value exchange system operators to detect fraud, provides means to assess the levels of fraudulent exposure that have occurred and allows additional information that may have relevance to security and scheme operation to be exchanged.
Stored electronic value systems use number or token representations to describe value. Typically a value representation will consist of a string of binary bits but may also consist of a set of uniquely stored tokens. Electronic payment devices (EPDs) that are capable of storing and exchanging electronic value can take a variety of forms. Actual value storage on an EPD is system or scheme dependent and may be implemented with methods that range from the simple to the highly complex. An EPD may store value using simple memory devices, flash memories, electronically erasable programmable read only memories (EEPROMS) or other technologies capable of retaining information for long periods. EPDs may also use more complex microprocessor and microcontroller technologies.
Electronic payment, or value exchange, between two EPDs requires the payer device to be debited by the payment value amount and then the payee device to be credited with that value. Where electronic value is stored in numerical form, debiting, or removal, of value is achieved by subtracting the payment amount from the electronic stored value representation. Crediting, or addition, of value is achieved by adding the payment value to the electronic stored value representation. In each case, security or operational safeguards are applied which place boundaries on the value of payments. Any EPD will have a finite storage capacity defining not only the upper limit of value that can be stored but also the minimum value that may be represented. EPDs may, for instance, use fractional representations of real value for use in micro-payment systems. In most cases the minimum amount of value on an EPD should never be allowed to go below zero and therefore the value of payment debited from a device should never exceed the amount of value stored on it. Similarly, the amount of value credited to an EPD should never cause it to exceed maximum numerical representation, or storage capacity, limits.
If electronic value is stored in the form of discrete tokens then payment consists of a transfer of the appropriate number of these tokens from payer to payee. The payer device removes the appropriate number of tokens from its store and transfers them to the payee device for storage.
As well as differentiating payment and storage methods, EPDs can be further characterized by their scope of operation. Broadly speaking, any EPD that has the ability to store and exchange electronic value can be considered to be one of two types: it is either a “store of value” or a “means of exchange” device.
“Store of value” EPDs are limited in that they may only make payments to specific point-of-sale devices. Many EPDs of this type are non-rechargeable and therefore disposable once all the value has been paid from them. Others may be re-credited, or recharged, with value but this may only be performed at specific, well controlled, outlets such as bank automated teller machines (ATMs). Electronic person-to-person payments with this type of EPD are not possible.
The scope of operation of “means of exchange” EPDs is wider. They are designed to offer greater flexibility and aim to operate in an equivalent role to traditional cash based exchange systems. This type of EPD may be both debited and credited with electronic value. Such devices offer the facilities associated with “store of value” devices and additionally allow person-to-person electronic value exchanges to be made, although specialised interface equipment may be required to allow this operation to be performed.
Common to most electronic value exchange schemes are the processes of value creation, value distribution, value collection and value auditing. The process of value creation is usually limited to a small number of electronic value originators. Value creation may occur during the manufacture of an EPD, at the point where a software payment application is added to an EPD or through transfer of value from some specialised source. Security safeguards are used to prevent value creation by some non-authorised source and to limit the potential for fraudulent value generation. Once created, electronic value is issued to scheme participants, who buy quantities of value using traditional payment methods. The specific amount of value issued will be dependent on the liabilities of the electronic value issuer and the requirements of the electronic payment system. Value creation is usually performed by a bank, national body, similar large organization or the operator of specific point-of-sale devices. In future value creation may increasingly be performed by large retail outlets, such as supermarkets, operating “loyalty card” or equivalent systems.
Once the steps associated with the creation of electronic value have been completed the value is distributed to scheme participants. In the case of non-rechargeable EPDs, such as telephone card systems, distribution is performed through traditional retail channels. Electronic value systems of this type are limited in that value distribution is linked to the distribution of EPDs and there are no means by which distribution of each can be performed separately.
In schemes where EPDs can be both debited and re-credited, electronic value distribution is not tied to the distribution of the actual EPDs. Once there is an operating EPD population, these may be re-credited at bank ATMs, or similar outlets, or, in the case of “means of exchange” EPD systems, then additionally through person-to-person transactions. Mechanisms must exist for electronic value to traverse operational hierarchies and, for example, for the value to move from a small number of scheme operators who originate the value to banking, or other similar outlets, through to retailers and consumers. It is possible for a small number of scheme originators to source value to large numbers of electronic value users across modern telecommunication networks. The demands made by larger electronic value schemes are likely to require more complex operational hierarchies of inter-connected EPDs.
The present invention has application in systems where, in the course of normal operation, there are value flows that finally lead to value return to the scheme operators. Once any value has been returned it can be audited. In some schemes, such as telephone card systems, this may simply mean the return of aggregated electronic payment figures from point-of-sale devices.
More complex electronic value schemes, such as those using “means of exchange” EPDs, lead to systems and hierarchies that more readily model those of existing banking structures which operate cash based systems. Electronic value may be withdrawn by a user and passed onto retailers or other scheme users in exchange for goods or services. In turn the value may then be passed to other scheme users or returned back to banks and then to the scheme operators.
Electronic value returned to scheme operators can be fully audited. To detect fraud, scheme operators will balance electronic value issue with that of return and apply measures, such as random population sampling or value velocity flows, to estimate the amount of electronic value in circulation. However, accurate estimates of this kind are known to be problematic. At any point scheme operators will see only a fraction of the electronic value issued. Fraudulent value can easily remain hidden and is often extremely difficult to detect. This is especially true where the system is experiencing growth and where fraudulent value is injected into a system over extended periods. Early detection of fraud is of primary importance so that steps can be taken to find its source and to limit its expansion.
In the light of the foregoing, a system according to the present invention involves applying tagging to discrete blocks of value. This value can travel through the electronic value exchange system and on return to the scheme operator, who has a record of the tag information and associated value, may be explicitly audited. Once a specific tagged value block has been accounted for, additional instances of value with the same tag indicate the immediate presence of fraud. The additional amount of value, above that which has been issued with a given tag, also gives some indication of the level of fraud in the system.
More specifically, the present invention provides a system for monitoring the flow of value through a population of users to detect fraud, comprising blocks of electronic value released from a source into the population of users, the blocks each having a predetermined identity tag and being divisible during use to sub-blocks with the same identity tag, such that eventual return of the electronic value to the source can be monitored by means of the identity tags and associated value to detect fraud in the system.
By using the tagging in this way, simplified value auditing of discrete amounts of electronic value can occur and detection of fraudulent value, should the value audited exceed that issued, will arise. Further, the tags can co-exist with the electronic value storage mechanisms of a given scheme, since they may be stored in a separate tag map.
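The return-side audit described above can be sketched as follows. This is an added example, not part of the patent text: the `IssuerLedger` class, the status names and the sample tags and values are constructed for illustration, and it assumes each identity tag is issued once with a single block value. It also flags tags the operator never issued, a case the specification mentions among the benefits of the invention.

```python
from collections import Counter


class IssuerLedger:
    """Scheme operator's record of issued tags (hypothetical helper)."""

    def __init__(self):
        self.issued = {}           # identity tag -> value released under it
        self.returned = Counter()  # identity tag -> value seen on return

    def issue(self, tag, value):
        if tag in self.issued:
            raise ValueError(f"tag {tag!r} already issued")
        self.issued[tag] = value

    def accept_return(self, tag, value):
        # Sub-blocks come back in arbitrary pieces; accumulate per tag.
        if value <= 0:
            raise ValueError("returned sub-block must carry positive value")
        self.returned[tag] += value

    def audit(self):
        """Classify every tag seen so far as (status, amount)."""
        findings = {}
        for tag in sorted(set(self.issued) | set(self.returned)):
            back = self.returned[tag]
            if tag not in self.issued:
                findings[tag] = ("UNKNOWN_TAG", back)    # never issued: fraud
            elif back > self.issued[tag]:
                findings[tag] = ("EXCESS", back - self.issued[tag])  # fraud
            elif back == self.issued[tag]:
                findings[tag] = ("ACCOUNTED", 0)         # block fully returned
            else:
                findings[tag] = ("OUTSTANDING", self.issued[tag] - back)
        return findings

    def fraud_floor(self):
        """Lower bound on counterfeit value: excess plus unknown-tag value."""
        return sum(amount for status, amount in self.audit().values()
                   if status in ("EXCESS", "UNKNOWN_TAG"))


if __name__ == "__main__":
    # Constructed sample data: three issued blocks, five returned sub-blocks.
    ledger = IssuerLedger()
    for tag, value in [("1998-03-A", 1000), ("1998-03-B", 500),
                       ("1998-04-A", 800)]:
        ledger.issue(tag, value)
    for tag, value in [("1998-03-A", 400), ("1998-03-A", 600),
                       ("1998-03-A", 250), ("1998-03-B", 200),
                       ("1999-01-Z", 75)]:
        ledger.accept_return(tag, value)
    for tag, finding in ledger.audit().items():
        print(tag, *finding)
    print("minimum fraudulent value:", ledger.fraud_floor())
```

A tag that reaches `ACCOUNTED` is closed: any further return under it moves it to `EXCESS`, which is the immediate fraud signal the text describes.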
The tag identities may include or be comprised of date and time information to allow systems to relate them easily to period of manufacture and release.
The tag map may comprise any number of tag registers consisting of an identity tag and value count.
The process of electronic value exchange is accompanied by tag information exchange, with the tag information exchanged providing a tag unit breakdown of the electronic value transacted. Tag information for an exchange is removed from the tag map of a payer device and added to the tag map of a payee device in a controlled way. Tag maps involved in an exchange may then be sorted to remove empty register spaces and to facilitate prioritised identity tag ordering. The flow of value in a system is therefore accompanied by a flow of tag information. The system is therefore robust in that it can operate in a multitude of scenarios.
In a particular embodiment each user has a plurality of registers for storing identity tags and associated value counts and a separate value register which stores the total value associated with the user. A separate value register is, however, not essential because the tag registers include the value counts which, when summed, give the total value associated with a user.
The blocks of electronic value are released in an order predetermined by a scheme operator, which order may be systematic or random. The registers of each user may be controlled to sort the resulting sub-blocks by reference to the identity tags. In a particular embodiment, the sub-blocks are sorted into their order of release. As a result there will be rapid movement through a population of users of the value associated with the tag information that has remained longest in the system.
A sort specifier, which causes the registers to be arranged by identity tag in a chosen order, may be passed between users during use of the system. Thus, if payments are always made from the register at the top of the stack of registers, preferential movement of the value associated with a particular identity tag can occur, thereby facilitating the removal of old tag value from the system, for example. Further, if the users exist in a hierarchy, the sort specifier may be passed from a user higher in the hierarchy to a user lower in the hierarchy before a transaction involving the electronic value occurs between the two users.
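A sketch of the tag map exchange and sort specifier described in the preceding paragraphs, added here as an illustration and not taken from the patent. The `TagMap` class, the `transfer` function and the sample tags are hypothetical; it assumes tags are date strings so that sorting them lexically gives order of release, and that the same specifier is applied to both devices.

```python
class TagMap:
    """Tag map of one EPD: ordered registers of [identity_tag, value_count]."""

    def __init__(self, registers=()):
        self.registers = [[tag, count] for tag, count in registers]

    def total(self):
        # No separate value register: the counts sum to the stored value.
        return sum(count for _, count in self.registers)

    def sort(self, specifier):
        """Drop empty registers, then order the rest by the sort specifier."""
        live = (reg for reg in self.registers if reg[1] > 0)
        self.registers = sorted(live, key=lambda reg: specifier(reg[0]))

    def debit(self, amount):
        """Pay from the top of the stack; return the tag unit breakdown."""
        if amount <= 0 or amount > self.total():
            raise ValueError("payment outside stored value")
        breakdown = []
        for reg in self.registers:
            if amount == 0:
                break
            take = min(reg[1], amount)
            if take:
                reg[1] -= take
                amount -= take
                breakdown.append((reg[0], take))
        return breakdown

    def credit(self, breakdown):
        """Merge received tag units into matching or new registers."""
        index = {reg[0]: reg for reg in self.registers}
        for tag, units in breakdown:
            if tag in index:
                index[tag][1] += units
            else:
                index[tag] = [tag, units]
                self.registers.append(index[tag])


def transfer(payer, payee, amount, specifier):
    """Move value and its tag breakdown from payer to payee."""
    before = payer.total() + payee.total()
    payer.sort(specifier)            # specifier applied before the payment
    breakdown = payer.debit(amount)
    payee.credit(breakdown)
    payer.sort(specifier)            # remove emptied registers, reorder
    payee.sort(specifier)
    assert payer.total() + payee.total() == before  # no value created
    return breakdown


def oldest_first(tag):
    # Sort specifier (assumed): date-style tags sort into order of release.
    return tag


if __name__ == "__main__":
    # Constructed sample devices.
    consumer = TagMap([("1998-03", 40), ("1998-01", 25), ("1998-02", 10)])
    retailer = TagMap([("1998-02", 5)])
    print(transfer(consumer, retailer, 30, oldest_first))
    print(consumer.registers, retailer.registers)
```

Because payment always drains the top register first, the oldest tag leaves the consumer's device entirely in this exchange, which is the preferential movement of old tag value that the sort specifier is meant to produce.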
Preferably electronic value returned to the source can be reissued with a different identity tag.
Further, blocks of electronic value having different identity tags may originate from different sources. Thus, the system allows for a number of different suppliers of value to use the system.
Preferably, means are provided for monitoring the value associated with identity tags at chosen sites within the population of users. As a result, fraudulent value passing through the population of users can be more easily monitored. Also, value flow analysis can be more readily undertaken.
According to another aspect of the present invention there is provided a method of monitoring the flow of value through a population of users to detect fraud, comprising the steps of:
releasing blocks of electronic value from a source into a population of users, the blocks each being provided with a predetermined identity tag and being divisible during use into sub-blocks with the same identity tag, and
monitoring the flow of the electronic value by reference to the identity tags and associated value such that fraud can be detected.
As will be appreciated, the invention has two combinations of use. Firstly it can be applied as an enhancement to other electronic value exchange systems to improve existing security. In this case, the tagging mechanism is used alongside the original electronic value representation and becomes part of the value exchange protocol, but does not represent the actual value exchanged. In this way the original, separate, representation of actual electronic value is exchanged and stored and may be referenced to further enhance security. The second application is for the block value tagging method to replace the electronic storage and value exchange processes of an electronic value exchange system. In this case the block value tagging is an actual representation of electronic value and it segments the electronic value stored.
A number of benefits arise from the invention's auditing capabilities; firstly it provides a secure means for detecting counterfeit electronic value; secondly the method of tagging provides a partition of value into blocks and therefore reduces the risk of attack associated with a larger single block of value; thirdly the tagging and value streams are handled separately making it possible to change operationally the tag associated with a block of value. This introduces a dynamic level of security in which tags can only be the target of counterfeit attack within a short time window. A further consequence of this is that transaction value flows and value flow patterns can be monitored. This in turn can enhance value measurement security systems and can provide the means for detecting audit trails and payment chains. Additionally, the detection of any tag identities not previously issued by scheme operators will immediately indicate the presence of fraud.