A wide variety of systems are available for conducting electronic transactions in a more or less secure manner over a telecommunications link or the like.
One example is electronic payment by credit or debit card, for example. Commercial practices, for example, are swiftly undergoing a change towards completely electronic purchases and payment transactions. By using various payment terminals and debit or credit cards, payment transactions can be performed without handling hard cash at all.
When a user wishes to make a purchase in, for example, a retail store the card is swiped through a card reader, and information relating to the identity of the card, the identity of the retail store and the value of the goods or services being purchased is transmitted to a remote back-end computer network operated by the card issuer (such as a commercial bank or other financial institution). For further identification and security purposes, the card user may be issued with a personal identification number (PIN) and be required to enter his or her PIN into the card reader. The remote card processing system checks, for example, that the user's card account contains sufficient funds or credit to cover the proposed transaction, checks that the user's card account is currently operational and then, after enforcing all the proper verifications, issues a confirmation signal back to the card reader to indicate that the transaction may be authorized.
By providing an extra identification check by way of the PIN, this system helps to prevent fraud, but it is still not completely secure because the PIN may be intercepted together with card identification data when being transmitted between the reader and the remote server. If the thief is also able to obtain card identification details, for example from a discarded till receipt or through conspiracy with the store employee, it is a relatively simple matter to produce a fake card including all the appropriate identification information for later fraudulent use.
In another example, with the emergence and adoption of the Internet and related technologies, businesses are moving toward electronic integration of supply and financial chains.
To improve the confidentiality of communications and commerce over networks, public key infrastructure (PKI) encryption systems have been developed. Using PKI encryption, digital messages are encrypted and decrypted using ciphers or keys. PKI systems attempt to provide a high level of security because messages can be decoded only by persons having the recipient's private key. However, it is well known in the industry that a weakness of PKI technology is its susceptibility to the man-in-the-middle (MITM) attack.
A MITM attack is one in which a fraudster is able to read, insert and modify at will, messages between two parties without either party knowing that the communications path between them has been compromised. In order to implement the attack the attacker, which will typically comprise a software process rather than a person as such, must be able to observe and intercept messages going between the two ‘victims’.
In order to avoid opportunities for interception, masquerading, MITM attacks, and other forms of electronic fraud, the industry had perceived a need for enhanced authentication of the identity of a person initiating an electronic transaction. In the prior art, a large number of attempts have been made to increase system security this way. The following is a list of prior art disclosures, by way of example, targeting this approach.
U.S. Pat. No. 5,754,657 describes a process by which a message source is authenticated by its location using GPS and appends a portion of that raw signal to the data.
U.S. Pat. No. 5,757,916 discloses a technique by which raw satellite signals from a source computer are transmitted to a remote server that requires authentication. A second source computer is employed that also sends its raw GPS signals to the server.
U.S. Pat. No. 7,043,635 discloses a coded identification system comprising an electronic computer and a specific communications device to generate a volatile identification code by applying a mask code to a pseudo-random string.
U.S. Pat. No. 7,231,044 discloses a digital authentication method using the delay between two timing signals emitted by the remote source of the transaction.
U.S. Pat. No. 7,933,413 describes a system with a channel variation component to facilitate a cryptographic key exchange between peer-to-peer devices in a secure way.
U.S. Pat. No. 8,055,587 discloses a method for constructing a secure transaction that requires a value of an originating Internet Protocol (IP) address be encrypted and combined with an account password accompanying authentication at a secure transaction web site.
In order to achieve its full potential, c-commerce must overcome numerous security and related issues, including concerns relating to hacker attacks, merchant impersonation, fraud, and transaction repudiation.