Secure Payments with Untrusted Devices

US 20140006190A1
Filed: 06/28/2012
Published: 01/02/2014
Est. Priority Date: 06/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user and a trusted transaction in a payment terminal, comprising the steps of:

using a payment token at the payment terminal to initialize the trusted transaction, a corresponding payment request being placed and communicated to a financial entity;

issuing a verification data by the financial entity to a mobile device;

recovering the verification data from the mobile device;

communicating a response to the financial entity according to the verification data, such that the financial entity authenticates the user and the trusted transaction according to the response; and

wherein both the mobile device and the payment token are controlled by the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the present invention relate to a point-of-sale (POS) system, and more particularly, to systems, devices and methods of making secure payments using a mobile device in addition to a POS terminal that may be an insecure payment device exposed to various tamper attempts under certain circumstances. The mobile device is involved in a trusted transaction between a central financial entity, e.g., a bank, and the payment terminal, such that the insecure payment terminal may be further authenticated based on rolling codes, two-way or three-way authentication, or an off-line mode enabled by incorporation of the mobile device. Although either of the mobile device and the payment terminal provides limited security, a POS system incorporating both of them demonstrates an enhanced level of security.

69 Citations

View as Search Results

30 Claims

1. A method of authenticating a user and a trusted transaction in a payment terminal, comprising the steps of:
- using a payment token at the payment terminal to initialize the trusted transaction, a corresponding payment request being placed and communicated to a financial entity;
  
  issuing a verification data by the financial entity to a mobile device;
  
  recovering the verification data from the mobile device;
  
  communicating a response to the financial entity according to the verification data, such that the financial entity authenticates the user and the trusted transaction according to the response; and
  
  wherein both the mobile device and the payment token are controlled by the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the verification data is a transaction code generated by the financial entity for the trusted transaction, and the transaction code changes with the trusted transaction.
  - 3. The method according to claim 2, wherein the verification data is recovered from the mobile device, and inputted to the payment terminal as the response communicated to the financial entity.
  - 4. The method according to claim 2, wherein the verification data replaces a personal identification number (PIN) conventionally inputted to the payment terminal for authentication.
  - 5. The method according to claim 2, wherein the verification data is applied in addition to a PIN conventionally inputted to the payment terminal for authentication.
  - 6. The method according to claim 1, wherein the verification data is a security question generated by the financial entity, and the user inputs an answer to the security question on the mobile device as the response communicated to the financial entity.
  - 7. The method according to claim 1, wherein the verification data is a confirmation notice generated by the financial entity, and the user inputs a confirmation reply on the mobile device as the response communicated to the financial entity.
  - 8. The method according to claim 1, wherein a matching data that is identical or matches with the verification data is also communicated to the payment terminal, and both the verification data and the matching data assume a form selected from a group consisting of picture, word and musical clip, such that the user compares the verification data to the matching data, inputs the response on the mobile device and authenticates the user and the trusted transaction, the response indicating whether the matching data is consistent with the verification data as intended.
  - 9. The method according to claim 1, wherein the payment token is selected from a group consisting of a debit card, a credit card and a prepaid cash card.
  - 10. The method according to claim 1, wherein the verification data is recovered from a source selected from a group consisting of an email and an instant message.
  - 11. The method according to claim 1, wherein the mobile device is used to read smart tags affixed to goods and shelves in a store, and check out the goods placed in a shopping cart.

12. A method of three-way authentication of a user and a trusted transaction in a payment terminal, comprising the steps of:
- coupling every two of a mobile device, a financial entity and the payment terminal via a respective communication link;
  
  exchanging a personalities between the mobile device and the payment terminal to unlock further functionality;
  
  using a payment token at the payment terminal to initialize the trusted transaction, a corresponding payment request being placed and communicated to the financial entity;
  
  communicating with the mobile device by the financial entity for confirmation;
  
  inputting a verification data at the payment terminal, such that the financial entity authenticates the user and the trusted transaction according to the verification data; and
  
  wherein both the mobile device and the payment token are controlled by the user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method according to claim 12, wherein a mobile-to-payment communication link is established between the payment terminal and the mobile device, and implemented as a link selected from a group consisting of a short-range radio link, an optical link and an infrared link.
  - 14. The method according to claim 13, wherein the mobile-to-payment communication link is implemented based on one technology selected from near-field communication (NFC), Wi-Fi network and Bluetooth network.
  - 15. The method according to claim 12, wherein the personalities include a digital certificate.
  - 16. The method according to claim 12, wherein the personalities are matched with a preapproved list, and further functionality is unlocked according to a matching result.
  - 17. The method according to claim 12, wherein further functionality is unlocked to allow payment by both the mobile device and the payment terminal.
  - 18. The method according to claim 12, wherein the payment token is selected from a group consisting of a debit card, a credit card and a prepaid cash card.
  - 19. The method according to claim 12, wherein the mobile device is used to read smart tags affixed to goods and shelves in a store, and check out the goods placed in a shopping cart.

20. A method of authenticating a user and a trusted transaction in a payment terminal at an offline mode, comprising the steps of:
- coupling a mobile device and the payment terminal via a communication link;
  
  exchanging personalities between the mobile device and the payment terminal to unlock further functionality;
  
  using a payment token at the payment terminal to initialize the trusted transaction, a corresponding payment request being placed and communicated to the mobile device;
  
  prompting the user to approve the payment request; and
  
  wherein both the mobile device and the payment token are and controlled by the user.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 21. The method according to claim 20, wherein a mobile-to-payment communication link is established between the payment terminal and the mobile device, and implemented as a link selected from a group consisting of a short-range radio link, an optical link and an infrared link.
  - 22. The method according to claim 21, wherein the mobile-to-payment communication link is implemented based on one technology selected from near-field communication (NFC), Wi-Fi network and Bluetooth network.
  - 23. The method according to claim 20, wherein the personalities include a digital certificate.
  - 24. The method according to claim 20, wherein the personalities are matched with a preapproved list, and further functionality is locked according to a matching result.
  - 25. The method according to claim 20, wherein further functionality is unlocked to allow payment by both the mobile device and the payment terminal.
  - 26. The method according to claim 20, wherein the payment token is selected from a group consisting of a debit card, a credit card and a prepaid cash card.
  - 27. The method according to claim 20, wherein the mobile device is used to read smart tags affixed to goods and shelves in a store, and check out the goods placed in a shopping cart.
  - 28. The method according to claim 20, wherein the offline mode is enabled in small transactions involving a limited amount of money.
  - 29. The method according to claim 20, wherein the step of prompting the user to approve the payment request further comprises the sub-steps of:
    - sending a verification identifier by the payment terminal, the type of the communication link allowing the verification identifier to be sent as a signal selected from a group consisting of a radio beacon and a light beacon;
      
      receiving the verification identifier according to the type of the communication link by the mobile device; and
      
      authenticating the user and the trusted transaction according to the verification identifier in the mobile device.
  - 30. The method according to claim 20, wherein the step of prompting the user to approve the payment request further comprises the sub-steps of:
    - waving a visible tag in front of a device selected from the mobile device and the payment terminal; and
      
      extracting information for authentication and/or cryptography from the visible tag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Maxim Integrated Products, Inc. (Analog Devices, Inc.)
Original Assignee
Maxim Integrated Products, Inc. (Analog Devices, Inc.)
Inventors
Ma, Edward Tangkwai, Muchsel, Robert Michael, Loomis, Donald Wood III

Granted Patent

US 9,858,560 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/18
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/40   Authorisation, e.g. identif...

Secure Payments with Untrusted Devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Payments with Untrusted Devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links