As the variety of methods and devices for engaging in electronic transactions and authorizations increases, problems such as fraud and counterfeiting also increase. One way to reduce such problems is to authenticate the identification devices, or other portable consumer devices, used to initiate electronic transactions or authorizations.
Some contemporary authentication systems, such as anti-fraud and anti-counterfeiting systems, authenticate a portable consumer device using various difficult-to-reproduce authentication features (e.g. holograms or micro printing). Other systems use various forms of risk analysis, while others rely on information, sometimes included on the portable consumer device itself, to provide or generate protected identifiers or passwords. Such systems often include use of encrypted or dynamic information, such as conventional dynamic card verification values (dCVVs) in credit card systems.
In one exemplary system, at the front-end of the transaction (e.g. where a merchant and a consumer reside), a credit card provides information associated with the portable consumer device or the consumer. The information in such systems includes various styles and techniques for producing encrypted information or authentication features. Regardless of the type of encryption or authentication feature used, such anti-fraud or anti-counterfeiting systems have various financial and computational resource costs associated with production and utilization. Various embodiments of the present invention are directed toward reducing such costs while also increasing the reliability and security of encryption- and authentication-feature-based transactions and authentications.
An example of a conventional credit card that can include various encrypted information or authentication features is depicted in FIGS. 1A, 1B and 1C. As shown in FIG. 1A, a conventional credit card 100 typically displays information such as account number 110, account holder's name 130 and some type of anti-counterfeiting measure 120. Most current credit and debit cards are made up of at least two layers. FIG. 1B shows a cross-section of typical credit card stock comprising a substrate layer 150 and a top layer 140.
Substrate layer 150 is usually a semi-rigid plastic that can be stamped or embossed. Top layer 140 is usually a print or decal identifying the issuer of the credit card and possibly other information. In most conventional credit cards, important information such as account number 110 and account holder name 130 is embossed by an embosser 160 and then painted at the apex of the embossed regions 170 to increase legibility as shown in FIG. 1C. Embossing such information serves multiple purposes: 1) embossed information is more durable than simple printing, 2) embossing provided a means for quickly copying such information by taking an imprint of the card and 3) embossed information is more difficult to reproduce or alter and, as such, was one of the first attempts to curb counterfeiting. In addition, credit card 100 may also have a card verification value (CVV) printed on the back of the card that is not included in any computer readable media that might be included on the card. However, improvements to existing anti-counterfeiting technologies are still desirable.
For example, authentication feature or anti-counterfeiting measure 120 can be a sophisticated holographic image, a watermark, micro printed designs or text, or fluorescent details that show up under ultraviolet light. The main idea in conventional physical anti-counterfeiting technology is to include a physical characteristic on the card that is too difficult or costly for counterfeiters to reproduce. However, counterfeiters gradually catch up to each technology in time. When the counterfeiters catch up to a particular anti-counterfeiting measure, that measure becomes obsolete. Because conventional anti-counterfeiting technologies are ultimately rendered obsolete, their continued inclusion in portable consumer devices is usually based on their use as an additional anti-counterfeiting deterrent. To increase overall security, physical security measures are often used in conjunction with various front-end and back-end encryption and computer security techniques.
Using various algorithms and encryption keys, the information provided to an authentication system is protected in an encrypted form as it is transmitted from the front-end of the transaction to a back-end system. The information sent can only be unencrypted by the back-end system when the proper encryption key is used. Due to the critical role the encryption key plays, maintaining the secrecy of the encryption keys is of utmost importance in such systems and often requires sophisticated mathematical schemes to produce unique encryption keys or seed values. Using such schemes to produce large numbers of secure and unique encryption keys can often be costly and difficult to scale.
In addition, some conventional authentication systems require a user to enter a PIN presumably known only to the user to authenticate the user or the portable consumer device. This provides a level of security that helps ensure that the user presenting the portable consumer device is an authorized user of that particular device. The assumption here is that the PIN will only be known by an authorized user and will not be revealed to or discovered by someone wishing to commit fraud. In some such systems, the PIN can be included in or used to complete the encryption key or seed value to further increase the security of the particular encryption scheme used.
Despite the best efforts of users and issuers of portable consumer devices, account numbers, personal identifiers, PINs and encryption keys can be stolen or discovered and then used by unauthorized parties to replicate portable consumer devices so as to defraud authentication systems. Since data can be hacked and stolen and the sophistication of unauthorized users and counterfeiters continues to increase, it is currently possible to make fraudulent cards that can be used for transactions once key information is known. The fraudulent portable consumer device will appear to be an authentic device since it will have all the correct information and characteristics. An unauthorized user may have even discovered the PIN or other access code to provide when presenting the device for authentication.
It is clear that what is needed is a system, method, and device to prevent unauthorized users from creating and using fraudulent versions of portable consumer devices while also decreasing the cost of production and use. Embodiments of the disclosed invention address these and other problems, individually and collectively.