
Customer authentication using Personal TAN (transaction number) generator in payment scenarios (online and point-of-sale) and bank transactions (ATMs, counter transactions, online transactions)

IP.com Disclosure Number: IPCOM000018435D
Original Publication Date: 2002-Jun-01
Included in the Prior Art Database: 2003-Jul-23
Document File: 2 page(s) / 421K

Publishing Venue

Siemens

Related People

Andrew Turk: AUTHOR

Abstract

When consumers make (cashless) payments using electronic means (e.g. credit card, paying for products or services on the Internet) they need to be authenticated. That applies to bank transactions (e.g. withdrawing money from a cash machine, online banking) where the customer is not recognised personally, too.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 48% of the total text.

Customer authentication using Personal TAN (transaction number) generator in payment scenarios (online and point-of-sale) and bank transactions (ATMs, counter transactions, online transactions)

Idea: Andrew Turk, Berlin

Information / Communication

When consumers make (cashless) payments using electronic means (e.g. credit card, paying for products or services on the Internet) they need to be authenticated. That applies to bank transactions (e.g. withdrawing money from a cash machine, online banking) where the customer is not recognised personally, too.

So far customers have been authenticated by their hand-written signature or by entry of a secret personal identification number (PIN). In online banking scenarios (in some countries) customers are additionally identified by entry of a transaction number (TAN), taken from a TAN list supplied in advance by the bank. To increase the level of security the banking industry has recently introduced a system known as SET (secure electronic transaction), in which a digital certificate is stored on the customer's PC. The most modern authentication systems use an authentication loop via a mobile telephone:

•   After declaring his intention to pay, the customer receives a TAN by SMS, which is entered into the POS (point-of-sale) system or website to confirm the payment.

•   After declaring his intention to pay, the customer receives a TAN via the Internet or through the POS system, which is entered into the mobile phone to confirm the payment.

In order to avoid authentication by a PIN or signature, personal TAN generators (PTG) can be used. Each PTG generates random numbers. The PTG encodes the random numbers using a personal encryption key to make the TAN generator personal. The TAN server knows how the TAN was generated and has access to the decoding encryption key for each PTG. A TAN that has been used once is voided. The PTG, which can be kept as a key-fob, can be used for bank transactions, credit card payments, online banking and Internet transactions. There are three methods to create TANs using the PTG:

Synchronisation: The PTG generates one TAN every minute according to a secret number generation programme. It is synchronised with a TAN server which runs the same secret number generation programme. Currently this method is only used in the field of network security (authentication of users on a LAN, WAN, Extranet and Intranet).

Serial TAN generation (pre-defined method): A series of TANs (e.g. 10000) is generated on manufacture of the PTG and stored on the PTG and on the TAN server. Only TANs activated on the server can be validated. Validating a TAN voids it (and if necessary all unvoided TANs higher in the server list) and activates the next one. In case the user accidentally uses a TAN without validating it (and therefore without activating the next one on the server), a series of TANs (e.g. 10) can be activated in advance. A number of TANs is activated, equal to the number voided....
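The server-side rules of the serial (pre-defined) method above, as an added example that is not part of the disclosure: a shared TAN series, a window of activated TANs, voiding of the used TAN together with the skipped ones before it, and the window sliding forward by the number voided. The series length, window size, 6-digit TANs and the `TanServer` class are constructed assumptions.

```python
"""Server-side model of 'serial TAN generation (pre-defined method)': a fixed TAN
series is created once and held by both the PTG and the TAN server; only the
next `window` unvoided TANs are activated; a valid TAN voids itself and every
earlier unused TAN, and as many new TANs are activated as were voided.
Constructed example, not the disclosure's own implementation."""
import secrets
from typing import List


def manufacture_series(length: int, digits: int = 6) -> List[str]:
    """Random TAN series shared by token and server (constructed at 'manufacture')."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(length)]


class TanServer:
    def __init__(self, series: List[str], window: int = 10) -> None:
        if not 1 <= window <= len(series):
            raise ValueError("window must be between 1 and len(series)")
        self.series = series
        self.window = window
        self.cursor = 0        # index of the first not-yet-voided TAN

    def activated(self) -> List[str]:
        """TANs the server currently accepts: the next `window` unvoided ones."""
        return self.series[self.cursor:self.cursor + self.window]

    def validate(self, tan: str) -> bool:
        """Accept only a TAN inside the activated window.  On success, void it and
        all earlier unused TANs (the user skipped them) and slide the window so
        the number of newly activated TANs equals the number voided."""
        for i, candidate in enumerate(self.activated(), start=self.cursor):
            if secrets.compare_digest(candidate, tan):
                self.cursor = i + 1
                return True
        return False    # never issued, already voided, or beyond the window


def demo() -> dict:
    """Walk through the scenarios in the text and report what the server did."""
    series = manufacture_series(10000)
    server = TanServer(series, window=10)
    first_use = server.validate(series[0])          # normal use: TAN 0 voided
    replay = server.validate(series[0])             # second use of a voided TAN
    skipped = server.validate(series[4])            # user burned TANs 1-3 offline
    too_far = server.validate(series[5 + 10])       # outside the 10-TAN window
    return {"first_use": first_use, "replay": replay, "skipped": skipped,
            "too_far": too_far, "activated": server.activated() == series[5:15]}
```

Because the window is bounded, a skipped TAN costs the user nothing while a stolen TAN far ahead in the series remains unusable until the window reaches it.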