Securing Credit/Debit Card transactions using 2 factor authentication tokens
Publication Date: 2014-Mar-21
The IP.com Prior Art Database
Disclosed are a system and method to utilize the one-time password concept to increase the security of credit and debit card transactions through both physical points of sale and e-commerce websites. The system enables authentication of each transaction associated with a given card using information that changes and is not part of the standard magnetic stripe data, which is susceptible to theft.
Data theft occurs when attackers obtain the magnetic stripe data (i.e. the information required to perform transactions) from credit/debit cards used at physical retail locations. The theft of this data enables the attackers to use the stolen information to create fraudulent transactions and physical cards.
Existing solutions such as Personal Identification Number (PIN) codes for debit cards are insufficient because the PIN is a fixed value and is captured by the card reader at the time of the transactions, which enables the attacker to obtain the PIN. Other solutions such as one-time card numbers are cumbersome to use in a retail purchasing setting, and do not provide a physical card to be swiped at the point of sale (POS) terminal. Online transactions can be protected with solutions that direct an online shopper to a verification page to enter a password/passphrase (a fixed value that does not change).
The novel contribution is a system and method to improve the security of credit and debit card transactions. The system and method utilize the one-time password (OTP) concept to extend the use of "tokens" commonly used in online two-factor authentication methodologies. The system enables authentication of each transaction associated with a given card using information that changes and is not part of the standard magnetic stripe data. This effectively renders the credit card number useless to an attacker who obtains the card number via fraudulent means.
The system generates OTPs based on the time of day and serial number of the token device (held by the user). The OTP from a token is a six-digit numeric value, which is not stored on the credit card. The OTP can be verified in real time or out of band. The system obtains the OTP from the token device and then uses it to authenticate the transaction. The OTP is only valid for one transaction; even if an attacker obtains the OTP from the point of sale device, it cannot be used again to perform a transaction. This system can be used for both physical POS terminals, as well as online transactions.
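The issuer-side check described above, sketched as an added example that is not part of the disclosure: a time-based six-digit OTP is verified against the tokens registered to a card, and a spent time step is refused so that an OTP captured at the terminal cannot authorize a second transaction. The disclosure does not name an algorithm, so this assumes an RFC 6238-style HMAC-SHA1 construction with a per-token secret looked up by serial number; `Issuer`, `register`, `authorize`, the 30-second step and the drift window are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per OTP window (assumed; the page gives no interval)
DIGITS = 6  # the page specifies a six-digit numeric OTP


def otp_at(secret: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation over a time-step counter (RFC 6238 style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Issuer:
    """Hypothetical card-provider side: token registrations plus replay state."""

    def __init__(self):
        self.tokens = {}     # card number -> {token serial: per-token secret}
        self.last_used = {}  # token serial -> highest time step already accepted

    def register(self, card: str, serial: str, secret: bytes) -> None:
        self.tokens.setdefault(card, {})[serial] = secret

    def authorize(self, card: str, otp: str, now: float, drift: int = 1) -> bool:
        step = int(now) // STEP
        for serial, secret in self.tokens.get(card, {}).items():
            for counter in range(max(0, step - drift), step + drift + 1):
                if counter <= self.last_used.get(serial, -1):
                    continue  # step already spent: a captured OTP cannot be replayed
                if hmac.compare_digest(otp_at(secret, counter), otp):
                    self.last_used[serial] = counter
                    return True
        return False


def demo() -> list:
    """Constructed sample: test card number, made-up serial and secret."""
    issuer, now = Issuer(), 1395360000  # constructed timestamp
    issuer.register("4111111111111111", "TKN-0001", b"constructed-demo-secret")
    code = otp_at(b"constructed-demo-secret", now // STEP)  # what the token displays
    first = issuer.authorize("4111111111111111", code, now)   # genuine purchase
    replay = issuer.authorize("4111111111111111", code, now)  # skimmed OTP reused
    return [first, replay]


if __name__ == "__main__":
    print(demo())
```

Tracking the highest accepted step per token also limits the holder to one transaction per time step, a trade-off of this particular construction.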
A credit/debit card provider provides a mechanism to allow an individual to register one or more tokens with a credit card. The association of the token serial number to the credit card is maintained by the...