MoneyPINs

Single Card - Multi Account

Authentication and Authorization

US Patent 6954740 and Others Pending

Introduction

With millions falling victim to high-tech theft, consumers and enterprises need all the protection possible with minimal inconvenience to both.  Because many consumer services are now moving online and going mainstream, attempts to defraud and steal services are becoming more common.  Any significant accumulation of events that contributes to an overall reduction of consumer trust will prevent users from migrating from offline processes.  In some cases, such occurrences may also drive current users back to offline processes, which are perceived as more secure.  In general, online consumer processes provide enterprises with a more economical method of accessing and delivering services to their consumers.  Losing the ability to migrate consumers online reduces the economic benefits for an enterprise trying to reduce costs.  For enterprises, the inherent lack of trust could result in a lack of revenue, as potential customers are not likely to move online to take advantage of the service.  These considerations need to be part of any business that needs authentication and fraud elimination in its services.   Furthermore, with many financial organizations offering online banking services and credit cards, retail outlets offering membership cards, and employers requiring access cards, an average person can accumulate an abundance of cards.  When this person loses his purse, he loses all his privacy along with all the accessibility given by these cards.

MoneyPINs provides authentication and authorization to applications such as check systems, credit cards, loan approvals, retail cards, security cards and electronic wallets.  In addition, it can provide authenticated access to sensitive legal or medical documents and to HR or financial information.  This capability can easily be integrated into existing legacy or web-based applications.  In fact, as enterprises are employing the efficiencies of the Internet for e-business with suppliers and customers, MoneyPINs authentication is the logical next step for increased security.  Additionally, MoneyPINs can completely change the market for banking, stock trading, online gaming, membership cards, and security cards with the first easy-to-use SINGLE CARD authentication and authorization system, using conventional bank/credit/debit/membership accounts, and can affordably reduce the billions of dollars Internet businesses lose annually to fraud.  MoneyPINs instills trust in Internet and electronic transactions.

Summary of Vulnerabilities - Online and Offline Transactions

1. Checking-account theft is the fastest-growing financial fraud affecting consumers and is now second only to credit card theft.  Banks don’t use the same kind of fraud detection software on checking accounts that they use on credit card transactions to spot suspicious purchases.  In practice, they cannot use the same schemes as credit card fraud detection software, mainly because authorization is not verified at the time the checks are presented.

2. Flaws in Internet Explorer and Microsoft software.  Thieves have exploited security flaws in Internet Explorer and the Microsoft software that runs big Internet servers.

3. Hackers (including insiders) breaking into the Web servers of large trusted companies and stealing personal and financial data.

4. “Phishing” and pharming.  Phishing is the behavioral trick of leading consumers to a Web site that resembles one they normally use, in attempts designed specifically to steal bank information.  The trend neatly follows a sharp rise in so-called phishing e-mails, which attempt to steal consumers' user names and passwords by imitating e-mail from legitimate financial institutions.  Pharming is a machine-level redirection of a browser to a hacker’s Web site.  In both cases, when consumers enter their information, even after using strong second-factor authentication, criminals collect the data, which can then be used to access consumers’ online accounts.

5. Trojan horse programs, keyloggers, and man-in-the-middle attacks.  Trojan horse programs and keyloggers steal passwords and account information.  Such secret malicious programs, which experts say are more widespread than many realize, could be the cause of up to half of all account takeovers.  Man-in-the-middle attacks occur with network sniffers, which sniff communication packets, and also occur in the form of keyboard logging, when a rogue piece of code captures a password the consumer has entered into his or her computer.   As public terminals become increasingly prevalent, a rogue piece of code that can sniff consumers’ usernames, passwords, and other information is increasingly likely to be present.

6. Unauthorized demand drafts.  Demand drafts were designed to accommodate legitimate telemarketers who receive authorization from consumers to take money out of their checking accounts.  But the potential for abuse is high.  Not only do they not require a signature, but they also require no action by the checking account holder.

7. Forged digital proof of payment.  Congress passed the legislation authorizing the change last year. The Check Clearing for the 21st Century Act cleared the way for the simplified process by allowing digital images of checks to be deemed legal representation of payment — so-called substitute checks can now be presented to companies as proof of payment.   There are many ways to forge digital images and make them look like the original checks.  Just viewing several counterfeit notes can easily convince many laymen of the power of digital imaging.

8. Forged/stolen credit cards.  There is a time gap before notification when a credit card is stolen or misused, which enables thieves to use the card to its limit.

9. Forged checks and payments.  There are many ways for thieves to access your checking account: for example, forging your checks, counterfeiting checks, using a wire draft to withdraw money from your account, or producing unauthorized payments.

10. Unauthorized debit transactions.  Debit cards were designed to accommodate legitimate consumers who wish to pay directly using money out of their checking accounts.  However, the potential for abuse is high.


MoneyPINs Solution

Shareable Centralized Stores of One-Time Process Passwords/PINS (MoneyPINs OTP) Accessed with Strong Authentication

A One-Time Password/PIN is used only once per process, transaction, or login attempt.  The dynamic nature of the One-Time Password/PIN limits the vulnerability to a single instance, which nonetheless may present a vulnerability window.   However, the risk associated with this vulnerability window can be minimized using options built into the MoneyPINs system.  OTP sharing is a concept where OTPs are maintained by one centralized enterprise and can later be used at other enterprises in a trusted fashion.  OTP sharing can help address the major obstacles to deploying authentication to large consumer segments by allowing consumers to use OTPs generated by the same centralized enterprise at multiple locations and web sites, and by allowing consumers to view which OTPs have already been used and for what purpose.  The key concept in the sharing model is a centralized OTP service infrastructure responsible for the storage and provisioning of stores of OTPs and for the validation of the multi-factor authentication associated with the store (pool) of OTPs.   In this model strong authentication is only required at the CAE, which is the centralized level.  Only the CAE needs to (optionally) deploy second-factor strong authentication to member users accessing the CAE.  An enterprise using MoneyPINs CAE services does not necessarily need to employ a strong authentication infrastructure with its customers, because the CAE enterprise will.   The concept of requiring a physical device that generates a single-use dynamic password at the consumer’s level is not used in this model.  However, the centralized level may use a similar concept to generate stores of OTPs.  Most consumers are familiar with the concept of logging in with a username and password.  Typically, a consumer will log in to the CAE centralized service, managed by the first authentication factor, usually a username and password on their own (over an SSL connection).

To accommodate stronger authentication, one or more of the following suggested authentication methods could be used (second and third factors):

• Digital certificate stored on a key

• OTP on a hardware token

• Smart card

• IP or machine ID of a registered computer

• Cell phone or wireless PDA

• Biometrics device

After authentication, consumers can access their OTP store and either generate more OTPs or delete old stores of OTPs.  The consumer could also elect to use master keys/passwords that are designated as a master authorization to generate run-time OTPs.  OTP stores can be shared between accounts or delegated to specific accounts as designated by the user.

MoneyPINs Account Cards

The cards used by MoneyPINs are a combination of both magnetic stripe/bar code and proximity cards, providing a seamless technology bridge with one common output. Enhanced application cards include MIFARE-compliant cards. MIFARE cards come equipped with a wealth of features, including securely separated files for complex MoneyPINs applications, mutual authentication and data encryption.

Centralized OTPs Authentication Enterprise (MoneyPINs CAE)

This model implies that each enterprise acting as a Centralized Authentication will need to deploy an authentication scheme, which will authenticate member consumers and other enterprises requesting authentication of OTPs. 


The figure above shows an example of consumer interaction with the CAE.  The consumer has requested to initiate a session with the CAE.  To authenticate himself to the CAE, he will enter his username, his associated password, and other requested information.  The CAE will validate the username and password against the CAE membership store, retrieve the second-factor authentication method and then verify the second-factor authentication data (token, biometrics, IP address, certificate, smart card, etc.).  Upon successful authentication the consumer can view his CAE accounts and their respective OTP stores.  He can also generate more OTPs or cancel OTP stores.  The consumer could also elect to use master keys/passwords that are designated as a master authorization needed to generate run-time OTPs.  The consumer, with the cooperation of the CAE (e.g. the financial enterprise) whose accounts he is using, can also configure his CAE profile to enable tiered authentication (e.g. a smart card interface or a biometrics device interface based on transaction amount levels).   After initiating a session with the CAE and generating OTP stores, the consumer can choose one of the following OTP delivery methods:

1. Print or e-mail lists of OTPs to be used for the next batch of transactions.

2. Print lists of OTPs to scratch pads or scratch paper.

3. Download, with optional encryption, the formula or the selected OTPs to a smart card or to a magnetic card writer.

4. Download, to an originating PC, OTP stores, public keys, and optional formulas required for generating OTPs.  For example, this process can be initiated when check printing is needed.

5. Interface with a check clearing system, credit card system or other systems.


The figure above shows an example of a transaction authentication session.  The consumer performs a transaction and submits to a merchant a CAE account number (or his CAE card), an account selection designator plus an OTP, and optional additional details.  The OTP submitted could be a master password used to generate run-time OTPs.  The transaction can include a check, credit card, money transfer, electronic check, debit, bank transfer, etc.  Transactions can also include non-financial transactions such as login requests, software registration verification and electronic authorizations. The transaction verification process is as follows:

  • The requesting authentication entity (the transaction originator, including a bank, merchant or card company) sends the transaction details (including a CAE account number and an OTP) to the CAE server.  An optional account selection designator is also sent, which can be used to select the actual account used for the transaction (e.g. Visa 1, MC 2…).
  • The CAE server authenticates the details and issues an authorization number which applies only to that specific transaction and the specific selected account.
  • The authorization is sent to the transaction originator for approval via the Internet or other electronic means.
  • The merchant processes the transaction in the normal way.
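As an added example (not MoneyPINs' own code), a minimal in-memory model of the four-step verification above: the originator forwards the CAE account number, the account selection designator and the OTP; the CAE consumes the OTP from that account's store, keeps the mirrored real account number to itself, and returns an authorization bound to that one transaction. Account numbers, designators, the OTP pool and the merchant names are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class CaeAccount:
    """One member's CAE account: mirrored real accounts plus an OTP store."""
    # Real (mirrored) accounts keyed by the account selection designator
    # the consumer hands over with the OTP, e.g. "Visa 1" or "MC 2".
    mirrored: dict
    # Store (pool) of unused OTPs, kept hashed so the store itself does
    # not yield usable OTPs if an insider reads it.
    otp_hashes: set
    # Hashes of OTPs already consumed, so a replay can be told apart
    # from an OTP that was never issued.
    used: set = field(default_factory=set)


def _digest(otp: str) -> str:
    return hashlib.sha256(otp.strip().encode()).hexdigest()


class CaeServer:
    """Validates transactions for the requesting entity (bank, merchant or
    card company) and hands out per-transaction authorization numbers."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.authorizations: dict = {}

    def enroll(self, cae_number: str, mirrored: dict, otps: list) -> None:
        """Register a member with mirrored accounts and an initial OTP store."""
        self.accounts[cae_number] = CaeAccount(
            mirrored=dict(mirrored), otp_hashes={_digest(o) for o in otps})

    def authorize(self, cae_number: str, designator: str, otp: str,
                  amount: str, originator: str) -> dict:
        """Steps 1-2: check account, designator and OTP, consume the OTP,
        and issue an authorization that applies to this transaction only."""
        acct = self.accounts.get(cae_number)
        if acct is None:
            return {"ok": False, "reason": "unknown CAE account"}
        real_account = acct.mirrored.get(designator)
        if real_account is None:
            return {"ok": False, "reason": "unknown account designator"}
        h = _digest(otp)
        if h in acct.used:
            # Same OTP presented twice: a copied slip or a sniffed session.
            return {"ok": False, "reason": "OTP already used (replay)"}
        if h not in acct.otp_hashes:
            return {"ok": False, "reason": "OTP not in store"}
        acct.otp_hashes.remove(h)
        acct.used.add(h)
        auth_no = secrets.token_hex(8)
        # The real account number stays inside the CAE record; only the
        # authorization number goes back to the originator.
        self.authorizations[auth_no] = {
            "cae_number": cae_number, "designator": designator,
            "real_account": real_account, "amount": amount,
            "originator": originator,
        }
        return {"ok": True, "authorization": auth_no}

    def settle(self, auth_no: str, amount: str, originator: str) -> bool:
        """Steps 3-4: the originator presents the authorization; it is good
        only for the amount and originator it was issued to."""
        rec = self.authorizations.get(auth_no)
        return (rec is not None and rec["amount"] == amount
                and rec["originator"] == originator)


def demo() -> dict:
    """Walk the flow with constructed values and return each outcome."""
    cae = CaeServer()
    cae.enroll("CAE-1001",
               {"Visa 1": "4111-REAL-0001", "MC 2": "5500-REAL-0002"},
               ["48213907", "77120456"])
    first = cae.authorize("CAE-1001", "Visa 1", "48213907", "25.00", "merchant-A")
    replay = cae.authorize("CAE-1001", "Visa 1", "48213907", "25.00", "merchant-B")
    bad_designator = cae.authorize("CAE-1001", "Amex 3", "77120456", "9.99", "merchant-A")
    settled = cae.settle(first["authorization"], "25.00", "merchant-A")
    tampered = cae.settle(first["authorization"], "250.00", "merchant-A")
    return {"first": first, "replay": replay, "bad_designator": bad_designator,
            "settled": settled, "tampered": tampered}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```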

Analysis:

Because the CAE shares only the CAE account and an OTP, and not the real account or the consumer’s identity information, the MoneyPINs system entails a relatively simple liability model focused more on the customer’s use of the OTP for authentication and authorization.  In this MoneyPINs model, each transaction-originating enterprise needs only to establish a business and operational relationship with the CAE, meaning that it is simpler to implement.  The CAE can specify the framework and rules for authentication and communication.  This model enables rapid creation of strong-authentication communities and can help the deployment of strong consumer authentication.


MoneyPINs OTPs Delivery Methods to Consumers

OTP delivery from the CAE to the consumer could use one or more of the following methods:

• A set (store) of encrypted OTPs could be downloaded periodically and stored on the local PC.  The downloaded OTPs are decrypted one at a time for incremental usage.  Multiple encryption and hashing methods can be associated with the downloaded OTP file (see the MoneyPINs.com demo site).

• OTPs can be visually obtained from MoneyPINs by logging into the server using a master password (see the MoneyPINs.com demo site).

• OTPs can be e-mailed or mailed to consumers without computers.

• OTPs can be printed on scratch pads or scratch paper.

• OTPs can be transmitted from MoneyPINs to any wireless device (pager, cell phone, PDA, or wireless laptop).

• OTPs can be written to a smart card, PDA, smart cell phone, or magnetic card (MoneyPINs Shareable OTPs Wallet Model).

MoneyPINs Shareable OTP WALLET Future Model

This OTP Wallet leverages next-generation mobile devices such as Java cell phones, smart cards, and personal digital assistants (PDAs).  In this model, the mobile device becomes an "OTP wallet” that can contain multiple OTPs and optional credentials.  The party acting as the centralized authentication enterprise (CAE) initially authenticates the member user.  Upon successful authentication, the CAE can assert the user’s identity and then send “OTP Wallet” data for storage on the mobile device.  The primary advantage of this model is that the technology needed to enable it is relatively easy and well understood, and the hardware devices are already available in the market.  However, unlike the other models discussed, the mobile device can optionally store the consumer’s credentials, which can be shared with other enterprises.  This results in complex liability and trust models that need to be negotiated between the participants.

Consumer Authorization using MoneyPINs Consumer-Generated OTPs

Strong authentication at the centralized level and lax verification at the consumer’s transaction level is one of the core principles of MoneyPINs.  Shared OTPs that are selected and generated by the consumers are another core concept: OTPs are issued to the consumers by one centralized enterprise and can later be used at other enterprises in a trusted fashion.  The consumer-generated store of OTPs could be used as keys for non-repudiated transactions and for authorization and authentication.   Some consumers may initially shy away from this technology.  However, when authentication and fraud elimination are the end result, consumers can understand the need for such technology.

MoneyPINs Applications and Implementations

MoneyPINs is a patented solution that prevents fraud by empowering merchants and financial institutions to automatically perform real-time authentication of the consumer’s true identity and authorization.

MoneyPINs incorporates all the concepts and models discussed above:

1. Shareable Centralized Stores of One-Time Passwords/PINs/Keys (OTP)

2. One card for all accounts

3. Centralized Authentication of OTPs

4. Consumer Authorization using Shareable Consumer-Generated OTPs

5. Alternate OTP Delivery Methods to Consumers

6. OTP Wallet

MoneyPINs can also be considered a secure e-commerce method performed without revealing the financial or personal information of the consumer.  No one can use your bank or credit card account without your authorization.  You can pay anywhere just by giving a CAE account and a MoneyPINs OTP.  You can sign your checks with a non-repudiated key that reflects the values on your check (nobody can forge, copy or use your checks).   You can authorize and pay for a transaction using your credit card just by giving a MoneyPINs number that only you can give and generate.  Imagine paying using a smart card that gives timed OTPs, which are as good as a bank note.  When using MoneyPINs, your financial data is safe.  Merchants just get your MoneyPINs account number and an OTP.  When authorizing credit card transactions the vendor uses your MoneyPINs account (CAE account), while the authorization is submitted to the issuing bank with your actual credit card number stored in your CAE account profile.  Alternatively, vendors could receive your address information only when you authorize them to do so using an authorizing token.

MoneyPINs Applications:

  • Checks, debit and credit card authorizations
  • Controlled protected Internet payments
  • Money transfer
  • Online payments
  • Online gaming
  • Retail membership cards
  • Security Cards
  • Electronic checks
  • Anonymous payments
  • e-Cash  and electronic wallet
  • Financial transactions
  • Software authentication
  • Document authentication
  • Application logins
  • Electronic gift certificates
  • Internet auctions
  • One-time key systems


Implementations

Credit Cards Transactions

An account holder commonly orders an item and provides the merchant with a credit card or a CAE account number, the amount to authorize, and an OTP.  The methods for posting the OTP are listed here:

• OTPs can be attached to the credit card slip by sticking on a preprinted label

• OTPs can be handwritten on the credit slip

• OTPs can be written using a mobile electronic device (e.g. smart card, PDA)

• OTPs can be transmitted from the CAE using a pager or any other wireless device

The merchant can use the information to verify the consumer’s authenticity and to verify that the account holder can in fact use the credit card to execute the particular transaction.  If an unauthorized person obtains the credit card number, this person cannot use the credit card number to place unauthorized transaction requests without obtaining the OTPs available only to the account holder.  If a CAE account is used, the real account information is not revealed, and the real account is selected by the CAE based on the PIN input.

Credit Card or Bank Checks Transactions using Mirrored Conventional Accounts

An account holder provides a merchant or a financial organization with a CAE account number, the amount to authorize and an OTP. The CAE account number has its mirrored real account number (CC or bank account) and real account information is not revealed to the public.

  • The bank or the merchant sends the transaction details to the CAE (or directly to the card company or bank).
  • The CAE authenticates the details and issues an authorization which applies only to that specific transaction.
  • The authorization is sent to the bank or the card company for approval via the Internet or other electronic means, using the real account number.
  • After the issuing bank processes the approval request, the CAE returns the authorization to the merchant or to the other financial organization.

Then the merchant and the financial organization process the transaction in the normal way. Any further transactions (ACH, check delivery, etc) can be performed later at settlement time.

Bank Check Transactions Using Computing Hardware (Hard Copy/Wireless)
A customer commonly uses check-writing software to print several checks at a time.  The checks contain an OTP for each check.  The OTPs are generated by the check-writing software, which uses the same algorithm and a public key specific to what the customer selected in his CAE account. The algorithm can include the content of the AMOUNT, DATE and PAY TO THE ORDER OF fields.  The generated OTP can be printed in the PC field or the Check Number field on the MICR line.  The bank, in order to verify the check, can use the account number, the OTP and other optional personal data.  In addition, the AMOUNT, DATE and PAY TO THE ORDER OF fields, which were used to generate the OTP, are verified.  If an unauthorized person obtains your checkbook, the unauthorized person cannot use the checks without obtaining the OTPs. Written signatures are not commonly used to verify checks except for over-the-counter check presentations.  The OTP can be used, in effect, as a signature on the check and as a verifier of the check’s content.  The authentication of the financial document is achieved by using the secret OTP/key available only to the signer of the financial document and the CAE.

This method is one of several modes of operation that can be used with bank checks and the CAE.  The OTPs can be stored in the CAE for each check, or, more effectively, an OTP, in this case a public key, can be used to generate a batch or batches of checks.
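As an added example (not MoneyPINs' own code or its patented algorithm), the derivation and bank-side verification of a content-bound check OTP as the two paragraphs above describe: the OTP is computed from the AMOUNT, DATE and PAY TO THE ORDER OF fields plus the check number, and the bank recomputes it from the presented check and refuses a check number it has already paid. The page speaks of a formula and a "public key" selected in the CAE account; this example models that key as a symmetric HMAC secret shared by the check-writing software and the verifier, and the 8-digit truncation, account numbers and check data are constructed assumptions.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Field separator that the normalised fields are checked not to contain,
# so "12.00" + "0Bob" and "120.00" + "Bob" cannot produce the same input.
_SEP = "\x1f"


def canonical_amount(amount: str) -> str:
    """Normalise the AMOUNT field so '1,250' and '$1250.00' derive the same OTP."""
    try:
        value = Decimal(amount.replace(",", "").replace("$", "").strip())
    except InvalidOperation:
        raise ValueError(f"bad amount: {amount!r}") from None
    return f"{value.quantize(Decimal('0.01'))}"


def check_otp(key: bytes, amount: str, date: str, payee: str, check_no: str) -> str:
    """Derive the per-check OTP from the check's content (assumed HMAC-SHA256).

    The result is truncated to 8 digits so it fits the Check Number field
    on the MICR line, which is where the text prints it.
    """
    fields = [canonical_amount(amount), date.strip(),
              " ".join(payee.upper().split()), check_no.strip()]
    if any(_SEP in f for f in fields):
        raise ValueError("separator character inside a check field")
    message = _SEP.join(fields).encode("utf-8")
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankVerifier:
    """Bank side: recompute the OTP from the fields actually on the presented
    check and honour each check number at most once."""

    def __init__(self, account_keys: dict) -> None:
        self.account_keys = account_keys   # account number -> per-account key
        self.paid: set = set()             # (account, check_no) already honoured

    def verify(self, account: str, check_no: str, amount: str, date: str,
               payee: str, presented_otp: str) -> str:
        key = self.account_keys.get(account)
        if key is None:
            return "unknown account"
        if (account, check_no) in self.paid:
            return "duplicate presentment"
        try:
            expected = check_otp(key, amount, date, payee, check_no)
        except ValueError:
            return "malformed fields"
        # Constant-time comparison; an altered amount or payee changes the OTP.
        if not hmac.compare_digest(expected, presented_otp.strip()):
            return "otp mismatch"
        self.paid.add((account, check_no))
        return "paid"


def demo() -> dict:
    """Print two checks, then present them to the bank in several ways."""
    key = b"constructed-per-account-key-0001"   # would come from the CAE account profile
    bank = BankVerifier({"ACCT-5550": key})
    otp_1042 = check_otp(key, "1,250.00", "2005-03-14", "Acme Supplies", "1042")
    otp_1043 = check_otp(key, "80.00", "2005-03-15", "Jane Doe", "1043")
    return {
        # Teller keys the amount without the comma: still the same OTP.
        "genuine": bank.verify("ACCT-5550", "1042", "1250", "2005-03-14", "ACME  Supplies", otp_1042),
        # The same check presented a second time is refused.
        "duplicate": bank.verify("ACCT-5550", "1042", "1250.00", "2005-03-14", "Acme Supplies", otp_1042),
        # Amount raised on check 1043: the printed OTP no longer matches.
        "raised_amount": bank.verify("ACCT-5550", "1043", "800.00", "2005-03-15", "Jane Doe", otp_1043),
        # Payee altered on check 1043: also rejected, and 1043 stays unpaid.
        "altered_payee": bank.verify("ACCT-5550", "1043", "80.00", "2005-03-15", "J. Doe", otp_1043),
        "untouched": bank.verify("ACCT-5550", "1043", "80.00", "2005-03-15", "Jane Doe", otp_1043),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```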


Checks with NO Computing Hardware (Written Hard Copy)

An account holder commonly writes several checks and provides different merchants or banks with an OTP for each check.  Several methods can be used to post the OTP:

• OTPs can be attached to the check by sticking on a preprinted label

• OTPs can be handwritten on the check

• OTPs can be provided from a mobile electronic device (e.g. smart card, PDA)

• OTPs can be transmitted from the CAE using a pager or any other wireless device

This method is one of several modes of operation used with bank checks and the CAE.  In this specific method, an OTP needs to be stored in the CAE for each check, or a private key for a group of checks.

Retail Membership Cards

The CAE card contains a bar code or a magnetic stripe readable at the retail outlets. The bar code and the magnetic stripe contain the CAE account number.  When a retailer issues a card, he uses the CAE account and submits to the CAE the retail account used.  The retailer can use the CAE account number or its own account number.  When the retailer scans the CAE card he can either use the CAE account directly or in combination with a conversion table.  OTPs are mostly not needed, except when the card is used for financial transactions or to gain entry.

Electronic Check Payments

Consumers can pay for products or services with an electronic check by selecting a corresponding CAE account.  The consumer can give the merchant his CAE account number and an OTP.  Either the consumer or the merchant can initiate the transaction.  The CAE transmits the required data to a secure transaction server for posting.  At settlement time, the CAE system initiates a debit to the consumer's checking account via the Automated Clearing House (ACH) and then transfers collected funds to the merchant's account.  The CAE system notifies merchants of failed debit attempts, including “Not Sufficient Funds” returns.

Electronic E-Mail Payments

The CAE can use e-mail to inform the receiver that a payment has been made.  It uses the consumer’s account for the money. It can use either one of the following methods for settling the payments:

  • Charging the consumer's credit card for any transactions (payments).
  • Debiting a checking account for any payments.

The Consumer sends a check to create a positive balance in his account at the CAE and any authorized payments will be deducted from his account. The merchant can receive the payment from the CAE by a check, or direct deposit into his checking account.

Electronic Check Payments Using Positive Balance Account

Money is kept in a CAE account.  It can use either one of the following methods for settling the payments:

1. Charging the consumer's credit card to maintain the required balance.

2. Debiting a checking account for the required balance.

3. The consumer sends a check to create a positive balance in his account, and any authorized payments will be deducted from this account.

After a member consumer approves a transaction, by giving a merchant a CAE account and an OTP, the merchant is paid by the CAE.  The merchant can receive the payment from the CAE by a check, or a direct deposit into his checking account.

Electronic Money (Wallet)

The magnetic card contains a 'purse' in which OTPs are held electronically.  The card also contains security parameters that protect transactions between the merchant and the CAE.   The consumer's money is deposited in his CAE account using any conventional deposit method.  The merchant inserts the wallet card and the consumer gives him an OTP.   The CAE server will authorize the transaction if a balance exists, and update the consumer’s balance.  The CAE then delivers the cash to the merchant.  The merchant can receive the payment from the CAE by check, or by direct deposit into his checking account.

Electronic Gift Cards

The magnetic card contains a gift amount, which corresponds to the amount in the consumer’s CAE account.  When a merchant issues a gift card, a new CAE account is created using the card account number, the amount, security parameters and several OTPs.  The card contains security parameters that protect transactions between the merchant and the CAE.  The consumer's gift money can be kept with the CAE or it can be kept with the merchant.  When a consumer makes a purchase, the merchant inserts the card and the consumer gives him an OTP.  The CAE will authorize the transaction if a balance exists, and update the consumer’s balance.  The consumer can view his balance and transactions on the CAE using a master password issued at the time he gets his card.

Software Authentication

Software companies can secure their software distribution and the installation licenses using a CAE account.  Each license will have its corresponding OTP record.  MoneyPINs SDK can be used to interface with the CAE and verify licenses using Internet connections.

Document Authentication

Legal and other enterprises can secure and authenticate their distributed documents using a CAE account.  Each enterprise can have a CAE account and a set of OTPs.  The MoneyPINs SDK can be used to interface with the CAE and authenticate documents over Internet connections.  In addition to the above method, the CAE can hold a private key (OTP private key) used in combination with a public key to create a document hash.

Message Validation

Enterprises can authenticate distributed messages using MoneyPINs.  Each message can have its associated OTP.  The MoneyPINs SDK can be used to interface with the CAE and authenticate messages over Internet connections.  In addition, the CAE can hold a private key (OTP private key) used in combination with a public key to create a message hash.


Conclusion

Strong authentication is an important component for addressing threats such as phishing, account hijacking, and the associated identity theft and fraud.  Though strong authentication by itself may not completely solve the problem, it should be considered one of the foundations for a comprehensive solution around consumer-identity protection.  Phishing is the greatest threat to this system. However, phishing can be controlled, and its associated risks are smaller than in other implementations. MoneyPINs is a major solution that can be used to help address authentication for consumer applications as well as for enterprise users.  MoneyPINs is also a solution that can provide authorization for financial transactions in addition to authentication.  As discussed, several implementation models could exist for using MoneyPINs.  Each implementation model is uniquely qualified for its applicability to specific use cases, ranging from financial transactions to more complex authentication and authorization solutions.  The advantage of MoneyPINs is that the models discussed could help reduce the cost and complexity of deploying strong authentication while reducing fraud and abuse.  Only the CAE needs to (optionally) deploy second-factor strong authentication to member users accessing the CAE (added value for strong authentication).  An enterprise using MoneyPINs services does not necessarily need to employ a strong authentication infrastructure for its customers, because the CAE enterprise will.  The advantage for consumers is that they can use their single CAE account/card and store of authenticated OTPs to access various accounts, applications and systems, which can have lower levels of authentication strength and infrastructure.

Definitions

1. Authentication — the process of electronically establishing an acceptable level of confidence in an identity of a claimant

2. Consumer — A person presenting a credential purporting to be a particular identity who uses an OTP to perform and authorize a transaction

3. Credential — Digital documents used in authentication that binds an identity or identification attribute to an OTP and CAE account

4. Identity — a unique identifier of a person that includes a legal name and a minimum set of attributes needed to make the identity unique

5. One Time Password/PIN (OTP) — a string of alphanumeric characters that uniquely identifies a transaction, a document, or an entity in combination with an account number. The OTP includes a secret key, password, PIN, or private/public key set.  The OTP is used in combination with a set of MoneyPINs CAE actions, including financial transactions.  An OTP in MoneyPINs does not necessarily mean it is used only once.

6. Enterprise — any financial or commercial organization

7. CAE — Central Authentication Enterprise or interchangeably MoneyPINs CAE