
Customer authentication using Personal TAN (transaction number) generator in payment scenarios (online and point-of-sale) and bank transactions (ATMs, counter transactions, online transactions)

IP.com Disclosure Number: IPCOM000018435D
Original Publication Date: 2002-Jun-01
Included in the Prior Art Database: 2003-Jul-23
Document File: 2 page(s) / 421K

Publishing Venue

Siemens

Related People

Andrew Turk: AUTHOR

Abstract

When consumers make (cashless) payments using electronic means (e.g. credit card, paying for products or services on the Internet) they need to be authenticated. That applies, too, to bank transactions (e.g. withdrawing money from a cash machine, online banking) where the customer is not recognised personally. So far customers have been authenticated by their hand-written signature or by entry of a secret personal identification number (PIN). In online banking scenarios (in some countries) customers are additionally identified by entry of a transaction number (TAN), taken from a TAN list supplied in advance by the bank. To increase the level of security the banking industry has recently introduced a system known as SET (secure electronic transaction), in which a digital certificate is stored on the customer's PC. The most modern authentication systems use an authentication loop using a mobile telephone:

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 48% of the total text.

Customer authentication using Personal TAN (transaction number) generator in payment scenarios (online and point-of-sale) and bank transactions (ATMs, counter transactions, online transactions)

Idea: Andrew Turk, Berlin

Information / Communication

When consumers make (cashless) payments using electronic means (e.g. credit card, paying for products or services on the Internet) they need to be authenticated. That applies, too, to bank transactions (e.g. withdrawing money from a cash machine, online banking) where the customer is not recognised personally.

So far customers have been authenticated by their hand-written signature or by entry of a secret personal identification number (PIN). In online banking scenarios (in some countries) customers are additionally identified by entry of a transaction number (TAN), taken from a TAN list supplied in advance by the bank. To increase the level of security the banking industry has recently introduced a system known as SET (secure electronic transaction), in which a digital certificate is stored on the customer's PC. The most modern authentication systems use an authentication loop using a mobile telephone:

• After declaring his intention to pay, the customer receives a TAN by SMS, which is entered into the POS (point-of-sale) system or website to confirm the payment.

• After declaring his intention to pay, the customer receives a TAN via the Internet or through the POS system, which is entered into the mobile phone to confirm the payment.

In order to avoid authentication by a PIN or signature, personal TAN generators (PTG) can be used. Each PTG generates random numbers. The PTG encodes the random numbers using a personal encryption key to make the TAN generator personal. The TAN server knows how the TAN was generated and has access to the decoding encryption key for each PTG. A TAN that has been used once is voided. The PTG, which can be kept as a key-fob, can be used for bank transactions, credit card payments, online banking and Internet transactions. There are three methods to create TANs using the PTG:

Synchronisation: The PTG generates one TAN every minute according to a secret number generation programme. It is synchronised with a TAN server which runs the same secret number generation programme. Currently this method is only used in the field of network security (authentication of users on a LAN, WAN, extranet and intranet).
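The following Python model of the synchronisation method is an added example and not part of the disclosure. The disclosure does not say what the "secret number generation programme" is; here it is assumed to be an HMAC-SHA256 over the minute counter under a per-device key (the PTG's personal key, which the TAN server also holds). The names `TimeSyncPTG`, `TimeSyncTanServer`, the 6-digit TAN length and the one-slot clock-drift tolerance are assumptions of this example. The server records each redeemed (device, minute) pair so that a TAN, once used, is voided, as the text requires.

```python
import hashlib
import hmac
import time

TAN_DIGITS = 6
SLOT_SECONDS = 60  # one TAN per minute, as in the text


def tan_for_slot(device_key: bytes, slot: int, digits: int = TAN_DIGITS) -> str:
    """The "secret number generation programme", modelled as HMAC-SHA256 over the
    minute counter. This is an assumption of the example, not the disclosure's design."""
    digest = hmac.new(device_key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation, RFC 4226 style
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TimeSyncPTG:
    """Key-fob side: holds the personal key and shows the TAN for the current minute."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key

    def current_tan(self, now=None) -> str:
        now = time.time() if now is None else now
        return tan_for_slot(self._key, int(now // SLOT_SECONDS))


class TimeSyncTanServer:
    """Server side: runs the same programme and remembers which TANs were already redeemed."""

    def __init__(self, drift_slots: int = 1):
        self._keys = {}            # device_id -> personal key (the "decoding key for each PTG")
        self._used = set()         # (device_id, slot) pairs already redeemed: a used TAN is voided
        self._drift = drift_slots  # tolerated clock skew between fob and server (assumption)

    def register(self, device_id: str, device_key: bytes) -> None:
        self._keys[device_id] = device_key

    def validate(self, device_id: str, tan: str, now=None) -> bool:
        key = self._keys.get(device_id)
        if key is None:
            return False                                          # unknown PTG
        now = time.time() if now is None else now
        slot = int(now // SLOT_SECONDS)
        for candidate in range(slot - self._drift, slot + self._drift + 1):
            if hmac.compare_digest(tan_for_slot(key, candidate), tan):
                if (device_id, candidate) in self._used:
                    return False                                  # replay of a voided TAN
                self._used.add((device_id, candidate))
                return True
        return False


if __name__ == "__main__":
    # Constructed demo key; a real PTG would carry a key written at manufacture.
    key = b"constructed-demo-key-not-a-real-secret"
    fob = TimeSyncPTG("ptg-0001", key)
    server = TimeSyncTanServer()
    server.register("ptg-0001", key)
    tan = fob.current_tan()
    print("TAN", tan, "accepted:", server.validate("ptg-0001", tan))
    print("same TAN again:", server.validate("ptg-0001", tan))
```

The constant-time comparison and the per-slot "used" set are the two checks a server for this method needs beyond the shared programme: the first avoids leaking the correct digits through timing, the second is what turns a one-minute TAN into a one-use TAN.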

Serial TAN generation (pre-defined method): A series of TANs (e.g. 10000) is generated on manufacture of the PTG and stored on the PTG and on the TAN server. Only TANs activated on the server can be validated. Validating a TAN voids it (and if necessary all unvoided TANs higher in the server list) and activates the next one. In case the user accidentally uses a TAN without validating it (and therefore without activating the next one on the server), a series of TANs (e.g. 10) can be activated in advance. A number of TANs is activated, equal to the number voided....
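The following Python model of the serial (pre-defined) method is an added example and not part of the disclosure. It reads "all unvoided TANs higher in the server list" as the entries the fob skipped between the last validated TAN and the one now presented, and implements the look-ahead of e.g. 10 as a sliding window of active list positions, so that validating a TAN voids it together with the skipped ones and activates exactly as many new TANs as were voided. The names `manufacture_tan_list`, `SerialPTG` and `SerialTanServer`, the 6-digit TANs and the `seed` parameter (present only so the demo is reproducible) are assumptions of this example.

```python
import random

TAN_DIGITS = 6
LOOKAHEAD = 10  # TANs activated in advance, the "e.g. 10" of the text


def manufacture_tan_list(count: int, digits: int = TAN_DIGITS, seed=None) -> list:
    """Generate the series of random TANs stored on both the PTG and the TAN server.

    TANs are made unique so each one maps to exactly one list position. The seed
    exists only for a reproducible demo; a real device would draw from a hardware
    or cryptographic generator (this whole function is a constructed model)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    tans, seen = [], set()
    while len(tans) < count:
        tan = f"{rng.randrange(10 ** digits):0{digits}d}"
        if tan not in seen:
            seen.add(tan)
            tans.append(tan)
    return tans


class SerialPTG:
    """Key-fob side: hands out stored TANs in list order, whether or not each one gets validated."""

    def __init__(self, tans):
        self._tans = list(tans)
        self._pos = 0

    def next_tan(self) -> str:
        tan = self._tans[self._pos]
        self._pos += 1
        return tan


class SerialTanServer:
    """Server side: the same list, plus a window of activated positions."""

    def __init__(self, tans, lookahead: int = LOOKAHEAD):
        self._index_of = {tan: i for i, tan in enumerate(tans)}
        self._size = len(tans)
        self._lookahead = lookahead
        self._next = 0  # lowest list position that is still unvoided

    def active_positions(self) -> range:
        """Positions currently activated: the next unvoided one plus the look-ahead."""
        return range(self._next, min(self._next + self._lookahead, self._size))

    def validate(self, tan: str) -> bool:
        pos = self._index_of.get(tan)
        if pos is None or pos not in self.active_positions():
            return False  # unknown, already voided, or not yet activated
        # Void this TAN and every skipped TAN before it. Moving _next forward by
        # the same count activates an equal number of new TANs at the window's end.
        self._next = pos + 1
        return True


if __name__ == "__main__":
    tans = manufacture_tan_list(30, seed=1234)  # constructed list, 30 instead of 10000
    fob, server = SerialPTG(tans), SerialTanServer(tans)
    first = fob.next_tan()
    print("first TAN accepted:", server.validate(first), "replay:", server.validate(first))
    skipped = [fob.next_tan() for _ in range(3)]  # used without validating
    fifth = fob.next_tan()
    print("fifth TAN accepted:", server.validate(fifth))
    print("skipped TANs now void:", [server.validate(s) for s in skipped])
```

The `_index_of` dictionary is what makes voiding cheap: nothing is marked per entry, every position below `_next` is void by definition, and a presented TAN is accepted only if its position falls inside the current window.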