Customer authentication using Personal TAN (transaction number) generator in payment scenarios (online and point-of-sale) and bank transactions (ATMs, counter transactions, online transactions)
Original Publication Date: 2002-Jun-01
Included in the Prior Art Database: 2003-Jul-23
When consumers make (cashless) payments using electronic means (e.g. credit card, paying for products or services on the Internet) they need to be authenticated. That also applies to bank transactions (e.g. withdrawing money from a cash machine, online banking) where the customer is not recognised personally.
Idea: Andrew Turk, Berlin
Information / Communication
So far customers have been authenticated by their hand-written signature or by entry of a secret personal identification number (PIN). In online banking scenarios (in some countries) customers are additionally identified by entry of a transaction number (TAN), taken from a TAN list supplied in advance by the bank. To increase the level of security the banking industry has recently introduced a system known as SET (secure electronic transaction), in which a digital certificate is stored on the customer's PC. The most modern authentication systems use an authentication loop via a mobile telephone:
• After declaring his intention to pay, the customer receives a TAN by SMS, which is entered into the POS (point-of-sale) system or website to confirm the payment.
• After declaring his intention to pay, the customer receives a TAN via the Internet or through the POS system, which is entered into the mobile phone to confirm the payment.
To avoid authentication by PIN or signature, personal TAN generators (PTG) can be used. Each PTG generates random numbers. The PTG encodes the random numbers using a personal encryption key, which makes the TAN generator personal. The TAN server knows how the TAN was generated and has access to the decoding key for each PTG. A TAN, once used, is voided. The PTG, which can be kept as a key-fob, can be used for bank transactions, credit card payments, online banking and Internet transactions. There are three methods to create TANs using the PTG:
Synchronisation: The PTG generates one TAN every minute according to a secret number generation programme. It is synchronised with a TAN server which runs the same secret number generation programme. Currently this method is only used in the field of network security (authentication of users on a LAN, WAN, extranet and intranet).
Serial TAN generation (pre-defined method): A series of TANs (e.g. 10000) is generated on manufacture of the PTG and stored on the PTG and on the TAN server. Only TANs activated on the server can be validated. Validating a TAN voids it (and, if necessary, all unvoided TANs higher in the server list) and activates the next one. In case the user accidentally uses a TAN without validating it (and therefore without activating the next one on the server), a series of TANs (e.g. 10) can be activated in advance. A number of TANs is activated, equal to the number voided....
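Server-side model of the serial (pre-defined) method described above, added here as an illustration and not code from the publication. The HMAC-SHA256 derivation of the pre-generated list, the window of 10 activated TANs, the names `pregenerate_tans` and `SerialTanServer`, and the reading of "TANs higher in the server list" as the entries the user skipped are all assumptions; the voiding and re-activation rules follow the text, including the case where the user consumed TANs on the PTG without sending them.

```python
# Added illustration of the server side of the "serial TAN generation
# (pre-defined method)"; not code from the publication. Assumptions: the
# pre-generated list is derived with HMAC-SHA256 from a per-device secret
# (the text only says it is created at manufacture), the advance-activation
# window is 10, and "TANs higher in the server list" means the entries the
# user skipped before the one presented.
import hashlib
import hmac


def pregenerate_tans(device_secret: bytes, count: int, digits: int = 6):
    """Constructed stand-in for the TAN series stored on PTG and server."""
    tans = []
    for index in range(count):
        mac = hmac.new(device_secret, index.to_bytes(4, "big"), hashlib.sha256).digest()
        tans.append(str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits))
    return tans


class SerialTanServer:
    """Holds one PTG's TAN list plus the sliding window of activated entries."""

    def __init__(self, tans, window: int = 10):
        self.tans = tans
        # Entries in [active_from, active_upto) are activated; everything
        # below active_from is voided, everything at or above active_upto
        # is not yet activated and therefore cannot validate.
        self.active_from = 0
        self.active_upto = min(window, len(tans))

    def validate(self, tan: str) -> bool:
        """Accept a TAN only if it is activated; void it and any skipped
        predecessors, then activate as many new entries as were voided."""
        if not isinstance(tan, str) or not tan.isdigit():
            return False  # malformed input never matches a stored TAN
        for index in range(self.active_from, self.active_upto):
            if hmac.compare_digest(self.tans[index], tan):
                skipped = index - self.active_from  # used on the PTG, never sent
                voided = skipped + 1                # skipped ones plus this TAN
                self.active_from = index + 1
                self.active_upto = min(self.active_upto + voided, len(self.tans))
                return True
        return False  # unknown, replayed, voided or not-yet-activated TAN

    def activated(self):
        """TANs the server would currently accept (for inspection only)."""
        return self.tans[self.active_from:self.active_upto]
```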