This invention relates to a method and a device for generating a single-use, transaction-specific financial account number, thereby providing a high level of security for financial transactions, particularly credit card transactions.
There are over 500 million general purpose, retail, oil and other credit card accounts in the United States (hereafter called “cards”). Worldwide the figure is almost 1 billion such cards. Typically, each authorized user of an account is issued a credit card: a physical plastic object with an embossed account number and cardholder name appearing on its face. Anti-counterfeiting indicia, such as holograms, photographs or signatures, may also appear on the card to discourage wrongful usage.
Since the credit card number is unchanging, there is a risk of fraudulent use by anyone who steals the number. The key element of defense against a fraudulent user impersonating the authentic cardholder is signature verification. A signature area appears on the back of most cards, and when a person receives a new credit card, he is instructed to sign his name on the back of the card. A merchant who accepts the card will then be able to compare the signature specimen that appears on the back of the card to the signature on the sales draft signed by the consumer at the time of purchase. In some cases, the merchant may also ask for photo ID before accepting the card or as a method of checking that the signatures are for the person whose name appears on the face of the card.
In addition to examining the signature on the card, most merchants who accept credit cards use a small device known as an authorization terminal. The authorization terminal is capable of reading information disposed on a magnetic stripe located on the back of the credit card. In some cases, this stripe also contains other difficult-to-counterfeit information. To process a credit card purchase, the merchant passes the card through the magnetic stripe reader of the terminal and enters the amount of the purchase. The information is then sent by the device over a phone or wireless connection to a central database for account number verification and purchase authorization. A card that has been reported lost or stolen is declined. If magnetic stripes on credit cards become damaged and unreadable, the authorization terminal permits manual entry of the credit card number as it appears embossed on the face of the card.
With the dramatic growth of direct marketing, an increasing share of all card purchases are being made without the physical presentation of the card to the selling merchant. Instead, the consumer simply relays the card number to the merchant, and the merchant enters the card number into a computer terminal which is also designed to handle the order processing function. As electronic commerce grows over the next decade, the percentage of such remote, non-face-to-face purchases can be expected to grow. This poses an increasingly acute problem for the entire credit card system, since credit card numbers are highly insecure.
To protect against thieves fraudulently creating credit card numbers and then using them for remote purchasing, a check-digit algorithm is typically employed for credit card account numbers which makes it comparatively difficult (approximately 1 chance in 500,000) to pick a random 16-digit number that is also a valid credit card account number. In addition, since not every valid credit card account number is currently in use, simply making up a valid number is, in itself, not enough to get an authorization code from the central authorizing network. In addition to passing the check-digit test, a bank must have issued that number to an active customer.
To further help combat mail-order based credit card fraud, both Visa and MasterCard have deployed databases that allow a merchant to verify that a given credit card account number is connected to a specific billing address. Visa calls this service the Address Verification Service. The theory behind the service is that a thief (for example, a dishonest restaurant waiter) might be able to use a credit card receipt slip to steal an active account number, but if he tries to use that number for a mail order purchase he would not know the correct address associated with that number. Even if a thief were to obtain the cardholder's address, this service can allow a merchant to compare the shipping address of the catalog order to the current billing address for that account number and thus possibly identify any suspicious activity.
Currently, credit cards also incorporate an expiration date after which they are no longer valid. These dates are typically one to two years after the card is issued. The reason for an expiration date is to reduce the issuing bank's risk of cards being presented after an account is closed. Since the expiration date is an absolute indication of whether or not to accept a card, an old card that is lost or misplaced eventually expires with minimal risk that it will be found and used improperly.
In addition, credit card information and transaction information may be encrypted using well known encryption schemes like RSA's public key cryptography. For example, SET is a joint Visa/MasterCard standard for encrypting credit card numbers transmitted over the Internet.
In spite of these safeguards, credit card security is vulnerable to a number of attacks by unscrupulous persons. Some examples of these attacks are as follows:
a) Theft of cards: Any conventional credit card which is stolen can be misused, either at a merchant's establishment by forging the signature on the card onto a sales slip, or by ordering merchandise or services remotely.
b) “Sniffing:” Credit card transaction information being transmitted over public networks can possibly be intercepted and captured or “sniffed.” The sniffed information can then be used to create counterfeit cards and/or order goods and services. For example, if a hacker were to break the SET encryption scheme, the hacker could sniff out credit card numbers and misuse them. Re-submission of the sniffed encrypted credit card numbers to the same merchant is known as “replay.”
A large-scale attack on credit-card number security would threaten the entire credit card system. For example, if someone were to steal 1 million active credit card account numbers, and were also able to steal the billing addresses to which those cards were issued, the entire credit card system would be threatened. At the very least, mail order sales might have to be suspended until new safeguards were put in place. At worst, a flood of counterfeit cards, with correct account numbers and valid names embossed on their faces, could be created.
With the advent of almost instantaneous worldwide money transfers, a band of organized thieves could clear hundreds of millions or even billions of dollars of charges through the authorization system and then wire that money to a safe haven before cardholders suspected that their cards had been charged an unauthorized amount. If the theft also involved data revealing each account's unused available credit line, such criminal activity might be even harder to detect before it was too late to rescind the wire transfers of stolen money.
Cards which store information, as opposed to merely having embossed numbers, are known in the art. Such “smart cards” are becoming increasingly common. These cards contain a small microprocessor capable of storing data in a secure fashion and of performing computer operations on such data. Smart cards may have built-in small numeric display screens. In particular, smart cards used for distribution of cryptographic keys, display keys on their display screens.
Smart cards are used to authenticate card users and to authenticate the card/user combination to a third party. These cards are also used for controlling access to computer systems and databases and entry into secure areas. Northern Telecom offers a credit card sized smart card called Entrust which contains a microchip that stores encoded, private keys.
Hardware tokens such as Security Dynamics' SecurID card use a “time synchronous methodology” to produce passwords every 30 seconds.
Wire transfer calculator-style devices are also known in the art. Such devices are the size of a credit card and contain a tamper-resistant “secure perimeter” within which is disposed a clock and a cryptoprocessor. These devices also have a small LCD alpha-numeric display screen and a numeric keypad for data entry.
A number of security devices and methods involving credit cards have been disclosed. For example, U.S. Pat. No. 5,311,594, “Fraud Protection For Card Transactions,” describes a challenge-response method for fraud protection wherein credit card holders are authenticated based on their responses to randomly asked questions like their mother's phone number, their graduation year, birth date, etc. The responses are checked against prestored information in a database.
U.S. Pat. No. 5,457,747, “Anti-Fraud Verification System Using a Data Card,” describes a biometric system for deterring credit card fraud. Credit cards have two magnetic stripes, one that has been permanently encoded with the card holder's biometric information and one that an ATM can write onto. To use the card, the card holder supplies the same biometric information at a verification terminal. The terminal checks the biometric information supplied by the card holder against that recorded on the magnetic stripe. If the biometrics match, the terminal will write a transaction authorization onto the magnetic stripe.
U.S. Pat. No. 5,485,519, “Enhanced Security For a Secure Token Code,” describes a method for enhancing security for a private key stored in a smart card. A user input PIN is combined algorithmically with a code resident in the smart card to produce the private key. The private key is not stored in the smart card except for short intervals when the card is actually being used by an authorized user who has input his PIN.