Trusted remote attestation agent (TRAA)
First Claim
1. A system for use with a service provider, the system comprising:
- a consumer electronic device, having a hardware secure element;
an agent module stored in the hardware secure element and having access to an identity, stored in the hardware secure element, of a provisioning subscriber identity module (SIM) for a financial instrument on the consumer electronic device; and
a processor of the consumer electronic device configured to execute the agent module to cause the system to perform operations comprising;
performing an integrity verification of the agent module;
determining a presence on the consumer electronic device of a SIM that matches the identity of the provisioning SIM;
determining a connectivity of the consumer electronic device to the service provider;
determining a connectivity of the consumer electronic device to a home mobile network;
locking the financial instrument based on one or more of;
a failure of the integrity verification, an absence on the consumer electronic device of the SIM that matches the identity of the provisioning SIM, an unavailability of the connectivity to the service provider, and an unavailability of the connectivity to the home mobile network; and
re-enabling the locked financial instrument based on i)a confirmation from the service provider that indicates a successful integrity verification, ii) a determination that the SIM matching the identity of the provisioning SIM is present on the consumer electronic device, iii) a determination that the connectivity to the service provider has become available, and iv) a determination that the connectivity to the home mobile network has become available.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for use with a service provider and a consumer electronic device include a trusted remote attestation agent (TRAA) configured to perform a set of checking procedures or mechanisms to determine the security status of a consumer electronic device (e.g., mobile terminal or phone) holding financial instruments. Checking procedures may include: self-verifying integrity by the TRAA; checking for presence of a provisioning SIM card (one present when financial instruments were enabled on the device); checking that communication connectivity between the device and service provider is available and active; and that communication connectivity to a home mobile network is available and active. Frequency of the checking mechanisms may be adjusted according to a risk-profile of a user associated with the device or the GPS location of the device. The checks may be used to temporarily disable or limit the use of the financial instruments from the device.
-
Citations
20 Claims
-
1. A system for use with a service provider, the system comprising:
-
a consumer electronic device, having a hardware secure element; an agent module stored in the hardware secure element and having access to an identity, stored in the hardware secure element, of a provisioning subscriber identity module (SIM) for a financial instrument on the consumer electronic device; and a processor of the consumer electronic device configured to execute the agent module to cause the system to perform operations comprising; performing an integrity verification of the agent module; determining a presence on the consumer electronic device of a SIM that matches the identity of the provisioning SIM; determining a connectivity of the consumer electronic device to the service provider; determining a connectivity of the consumer electronic device to a home mobile network; locking the financial instrument based on one or more of;
a failure of the integrity verification, an absence on the consumer electronic device of the SIM that matches the identity of the provisioning SIM, an unavailability of the connectivity to the service provider, and an unavailability of the connectivity to the home mobile network; andre-enabling the locked financial instrument based on i)a confirmation from the service provider that indicates a successful integrity verification, ii) a determination that the SIM matching the identity of the provisioning SIM is present on the consumer electronic device, iii) a determination that the connectivity to the service provider has become available, and iv) a determination that the connectivity to the home mobile network has become available. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A method for use with a consumer electronic device and a service provider, the method comprising:
-
performing, by a processor of the consumer electronic device executing an agent module stored in a hardware secure element of the consumer electronic device, a self-verification of integrity of the agent module; determining, by the agent module executing on the processor of the consumer electronic device, whether a subscriber identity module (SIM) card that matches an identity of a provisioning SIM is present on the consumer electronic device; responsive to determining that the SIM card that matches the identity of the provisioning SIM is present on the consumer electronic device, determining, by the agent module executing on the processor of the consumer electronic device, whether a network connection to a server processor of the service provider is available, and determining, by the agent module executing on the processor of the consumer electronic device, whether a network connection to a home mobile network is available; locking a financial instrument on the consumer electronic device based on one or more of;
a failure of the integrity verification of the agent module, an absence on the consumer electronic device of the SIM card that matches the identity of the provisioning SIM, an unavailability of the network connection to the server processor of the service provider, and an unavailability of the network connection to the home mobile network; andre-enabling the locked financial instrument based on i) a confirmation from the service provider that indicates a successful integrity verification, ii) a determination that the SIM card matching the identity of the provisioning SIM is present on the consumer electronic device, iii) a determination that the network connection to the server processor of the service provider has become available, and iv) a determination that the network connection to the home mobile network has become available. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A tangible, non-transitory computer-readable medium or media storing machine-readable instructions executable to cause a consumer electronic device to perform operations comprising:
-
storing an agent module in a hardware secure element of the consumer electronic device; performing, by the agent module, a self-verification of integrity of the agent module; determining, by the agent module, whether a subscriber identity module (SIM) card that matches an identity of a provisioning SIM is present on the consumer electronic device; determining, by the agent module, whether a network connection to a server processor of a service provider is available; determining, by the agent module, whether a network connection to a home mobile network is available; locking a financial instrument on the consumer electronic device based on one or more of;
a failure of the integrity verification of the agent module, an absence on the consumer electronic device of the SIM that matches the identity of the provisioning SIM, an unavailability of the network connection to the server processor of the service provider, and an unavailability of the network connection to the home mobile network; andre-enabling the locked financial instrument based on i) a confirmation from the service provider that indicates a successful integrity verification, ii) a determination that the SIM card matching the identity of the provisioning SIM is present on the consumer electronic device, iii) a determination that the network connection to the server processor of the service provider has become available, and iv) a determination that the network connection to the home mobile network has become available. - View Dependent Claims (17, 18, 19)
-
-
20. A non-transitory, machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
-
installing an agent module to a hardware secure element of the machine; performing, by the agent module, a self-verification of integrity of the agent module; determining, by the agent module, whether a provisioning uniquely identifiable network communication element that was present when the machine was provisioned with a financial instrument is present on the machine; determining, by the agent module, whether a network connection to a server processor of a service provider is available; determining, by the agent module, whether a network connection to a home mobile network is available; locking the financial instrument based on one or more of;
a failure of the integrity verification, an unavailability of the provisioning uniquely identifiable network communication element that was present when the machine was provisioned with a financial instrument, an unavailability of the network connection to the server processor of the service provider, and an unavailability of the network connection to the home mobile network; andre-enabling the locked financial instrument based on i) a confirmation from the service provider that indicates a successful integrity verification, ii) the presence on the machine of the uniquely identifiable network communication element that was present when the machine was provisioned with a financial instrument, iii) a determination that the network connection to the server processor of the service provider has become available, and iv) a determination that the network connection to the home mobile network has become available.
-
Specification