Tokenless identification system for authorization of electronic transactions and electronic transmissions5613012
Abstract
A tokenless identification system and method for authorization of transactions and transmissions. The tokenless system and method are principally based on a correlative comparison of a unique biometrics sample, such as a finger print or voice recording, gathered directly from the person of an unknown user, with an authenticated biometrics sample of the same type obtained and stored previously. It can be networked to act as a full or partial intermediary between other independent computer systems, or may be the sole computer systems carrying out all necessary executions. It further contemplates the use of a private code that is returned to the user after the identification has been complete, authenticating and indicating to the user that the computer system was accessed. The identification system and method of additionally include emergency notification to permit an authorized user to alert authorities an access attempt is coerced.
Claims
I claim:
1. A voluntary tokenless identification computer system for determining an individual's identity from an examination of at least one biometric sample and a personal identification code gathered during a bid step, and comparison with previously recorded biometric sample and personal identification code gathered during a registration step, wherein the system is authenticated to the individual, said system comprising:
a. at least one computer;
b. first gathering and display means for voluntary input of at least one biometric sample, personal identification code, and a private code from an individual during the registration step, wherein the private code is not used for gaining access to the system;
c. second gathering and display means for voluntary input of at least one biometric sample and personal identification code, from an individual during a bid step;
d. first interconnecting means for interconnecting said first and second gathering and display means to said computer for transmitting the gathered biometric sample, personal identification code, or private code from said first and second gathering means to said computer;
e. means for comparison of biometric sample and personal identification code gathered during the bid step with the biometric samples and personal identification codes gathered during the registration step, for producing an evaluation;
f. execution means within said computer for storage of data and processing and execution of commands for producing a determination;
g. means for output of said evaluation, determination, or private code from said computer; and
h. system authentication means wherein the private code gathered during the registration step, is displayed to the authorized user of the system during the output step to authenticate that the computer system was accessed.
2. The apparatus of claim 1 wherein the computer comprises means for detecting and preventing electronic intrusion of the computer system.
3. The apparatus of claim 1 wherein the computer is placed remote from the first and second gathering and display means.
4. The apparatus of claim 1, the first and second gathering and display means further comprising:
a. at least one biometric input means for gathering biometric samples further comprising a hardware and software component;
b. at least one terminal means that is functionally partially or fully integrated with the biometric input means for input of and appending additional data;
c. at least one data entry means for input of a personal identification code wherein the data entry means is integrated either with the biometric input means or the terminal means; and
d. second interconnecting means for interconnecting said biometric input means, data entry means and said terminal.
5. The apparatus of claim 4 wherein said terminal further comprises at least one display means for display of data.
6. The apparatus of claim 4 wherein the biometric input means has a hardware identification code previously registered with the computer, which makes the biometric input means uniquely identifiable to the computer.
7. The apparatus of claim 4 wherein the hardware component further comprises:
a. at least one computing module for data processing;
b. erasable and non-erasable memory modules for storage of data and software;
c. biometric scanner device for input of biometrics data;
d. data entry means for entering data;
e. digital communication port; and
f. means for prevention of electronic eavesdropping.
8. The apparatus of claim 7 wherein when there are more than one computing modules, the computing modules are connected in a manner to prevent monitoring of communications between said computing modules.
9. The apparatus of claim 4 wherein the hardware component further comprises display means for display of data.
10. The apparatus of claim 4 wherein the hardware component further comprises RF shielding.
11. The apparatus of claim 4 wherein the hardware component further comprises a wireless communications means.
12. The apparatus of claim 4 wherein the biometric input means is secured from physical tampering.
13. The apparatus of claim 4 further comprising means for detection of physical penetration of the biometric input means.
14. The apparatus of claim 7 further comprising means for electronic self destruction whereby software and data stored within the erasable memory modules are erased.
15. The apparatus of claim 7 further comprising means for physical self destruction whereby the computing modules and the erasable and non erasable memory modules are destroyed.
16. The apparatus of claim 4 wherein the hardware component further comprises means for reading magnetic strip cards.
17. The apparatus of claim 4 wherein the hardware component further comprises means for reading a smart card.
18. The apparatus of claim 4 wherein the software component resides in a computing module and further comprises;
a. electronically erasable memory module wherein at least one command interface module, a first set of software and associated data specifically configured for the intended use of the biometric input device and data are stored; and
b. non-erasable memory module wherein a second set of software and associated data are stored.
19. The apparatus of claim 4 said software component further comprising means for encryption of data from plaintext to ciphertext.
20. The apparatus of claim 4 said software component further comprising means to detect alteration of data further comprising;
a. a secret key; and
b. an irreversible one way transformation of the data that cannot be reproduced without the secret key.
21. The device of claim 4 wherein the first set of software and associated data further comprise:
a. biometric encoding algorithm; and
b. encryption code.
22. The device of claim 4 wherein the second set of software and associated data further comprise:
a. an operating system; and
b. a device driver.
23. The apparatus of claim 4 wherein said terminal is any electronic device and which issues commands to and receives results from the biometric input means.
24. The apparatus of claim 4 wherein said terminal is selected from the group of facsimile machines, telephones, television remote control, personal computers, credit/debit card processors, cash registers, automated teller machines, wireless personal computers.
25. The apparatus of claim 4 wherein said second interconnecting means is means for wireless communications.
26. The apparatus of claim 1 wherein said first interconnecting means is selected from the group X.25, ATM network, Telephone network, Internet network, cable television network, cellular telephone network.
27. The apparatus of claim 1 wherein the comparison means further comprises means for encryption and decryption of data.
28. The apparatus of claim 1 wherein comparison means further comprises means for identifying the biometric input device.
29. The apparatus of claim 1 wherein the computer system further comprises:
a. at least one independent computer network system; and
b. third interconnecting means for interconnecting said computer system with said at least one independent computer network system.
30. The apparatus of claim 29 wherein the third interconnecting means comprises an X.25 network.
31. The apparatus of claim 1 wherein the execution means comprises at least one database for storage and retrieval of data.
32. The apparatus of claim 31 wherein the data base further comprises an individual biometric data base.
33. The apparatus of claim 31 wherein the data base further comprises a prior fraud check data base.
34. The apparatus of claim 31 wherein the data base further comprises an electronic document data base.
35. The apparatus of claim 31 wherein the data base further comprises an electronic signature data base.
36. The apparatus of claim 1 wherein said output means is selected from the group of an X.25 network, ATM network, Telephone network, Internet network, cable television network.
37. The apparatus of claim 1 wherein said private code is generated by the computer.
38. A method for voluntary and tokenless identification of individuals using a computer system, wherein the computer system is authenticated to the individual, said method comprising the steps of:
a. registration step, wherein at least one biometric sample is gathered, and a personal identification code and private code are selected and stored, wherein the private code is not used for gaining access to the computer system;
b. a bid step wherein at least one biometric sample and personal identification code for an individual is gathered;
c. a comparison step wherein the biometric sample and personal identification code gathered during the bid step is compared with biometric samples and personal identification codes gathered and stored during the registration step, for producing either a successful or failed identification result;
d. an execution step wherein a command is processed and executed to produce a determination;
e. an output seep wherein said identification result or determination is externalized and displayed; and
f. a presentation step wherein on successful identification of the individual, the private code is presented to the individual being identified, for authenticating the system to the individual.
39. The method of claim 38 wherein both the registration and bid steps further comprise a biometric sample check step wherein the quality of the biometric sample is verified.
40. The method of claim 38 wherein the registration step further comprises a personal identification code and biometric sample duplication check step wherein the biometrics and personal identification code gathered during the registration step is checked against all previously registered biometrics currently associated with the identical personal identification code.
41. The method of claim 38 wherein the registration step further comprises an ancillary data input step wherein ancillary data is collected.
42. The method of claim 41 wherein the ancillary data further comprises name and address of the individual.
43. The method of claim 41 wherein the ancillary data further comprises a title of an individual.
44. The method of claim 43 wherein the ancillary data input step further comprises a title index assignment step wherein each title of the individual is assigned a code.
45. The method of claim 41 wherein the ancillary data further comprises a financial asset account number.
46. The method of claim 45 wherein the ancillary data input step further comprises an account index assignment step wherein each financial asset account number is assigned an index code.
47. The method of claim 38 wherein the registration step further comprises a prior fraud check step wherein the biometric sample gathered during registration is compared to a subset of previously registered biometric samples.
48. The method of claim 38 wherein the registration step further comprises an emergency mechanism setup step.
49. The method of claim 48 further comprising an emergency account index assignment step wherein an account index is labeled as an emergency account where in the event the account is accessed appropriate authorities are notified of the emergency.
50. The method of claim 49 further comprising a false screen display setup step wherein there is assignment of false screen data.
51. The method of claim 49 wherein access to various financial asset accounts is limited.
52. The method of claim 38 wherein the registration step further comprises a modification step wherein any previously entered ancillary data can be modified or deleted.
53. The method of claim 38 wherein both the registration and bid steps further comprise a data sealing step to provide the ability to detect alteration of the data further comprising:
a. a secret key; and
b. an irreversible one way transformation of the data that cannot be reproduced without the secret key.
54. The method of claim 38, wherein the registration and bid steps further comprise an encryption step to convert the data from plaintext to ciphertext.
55. The method of claim 38 wherein the bid or registration steps further comprise a transmission step wherein the data is transmitted.
56. The method of claim 38 wherein the bid or registration steps is further provided with a unique transmission code having a unique hardware identification code and incrementing sequence number which increases by one for each transmission.
57. The method of claim 38 wherein the registration step further comprises choosing a language for communication in a set language step.
58. The method of claim 38 wherein the bid step further comprises choosing a title in a set title number step.
59. The method of claim 38 wherein the bid step further comprises choosing an account number in a set account number step.
60. The method of claim 38 wherein the bid step further comprises validating an amount in a validate amount step.
61. The method of claim 38 wherein the bid step further comprises entering an amount in an enter amount step.
62. The method of claim 38 wherein the bid step further comprises validating a document in a validate document step.
63. The method of claim 38 wherein the bid step further comprises appending ancillary data in an assign register step.
64. The method of claim 63 the ancillary data further comprising a counter party identification code.
65. The method of claim 38 wherein the bid or registration step further comprise aborting or cancelling said registration or bid step in a reset step.
66. The method of claim 38 wherein the bid step further comprises transmission of data in a transmission step.
67. The method of claim 38 wherein the bid step further comprises choosing a language for communication in a set language step.
68. The method of claim 38 wherein the comparison step further comprises use of the unique transmission codes to detect repeat transmissions.
69. The method of claim 38 wherein the comparison step further comprises a counter party identification step using the counter party identification and unique transmission codes.
70. The method of claim 38 wherein the comparison step comprises matching the individual's personal identification code and biometric gathered during the bid step, with the personal identification code and biometric gathered during the registration step for positive identification of the individual.
71. The method of claim 70 wherein if there is no match of the personal identification code and biometric gathered during the registration step and the personal identification code and biometric gathered during the bid step, there is no recognition of the individual.
72. The method of claim 38 wherein the execution step further comprises a debit/credit transaction step.
73. The method of claim 72 wherein the debit/credit transaction step further comprises an address collection step.
74. The method of claim 38 wherein the execution step further comprises an archiving step and a tracking code assignment step, where a tracking code is assigned to the data, for archival of data.
75. The method of claim 74 wherein the data is sent through a message digest encoding algorithm step to produce an electronically signatured document.
76. The method of claim 74 wherein the execution step further comprises the retrieval of archived data using said tracking code.
77. The method of claim 38 wherein the execution step further comprises a modification step wherein title index codes, account numbers and account index codes are added, deleted or modified.
78. The method of claim 77 wherein the execution step further comprises an account number retrieval step where the account index code is used to retrieve an account number.
79. The method of claim 38 wherein the execution step further comprises an emergency activation step.
80. The method of claim 79 wherein the emergency activation step further comprises recognition of the emergency code and identifying the entire transaction as an emergency and notification of authorities.
81. The method of claim 79 wherein the execution step further comprises a false display step wherein previously designated, false accounts or false limitations on accounts are accessible.
82. The method of claim 38 wherein the output step further comprises an identification result notification step.
83. The method of claim 38 wherein the output step further comprises a determination notification step.
84. The method of claim 38 wherein the output step further comprises an emergency code step wherein authorities are notified.
85. The method of claim 38 wherein the output step further comprises display of false screens.
86. The method of claim 38 wherein the presentation step further comprises encryption, externalization, and decryption of the private code.
87. A method for rapid search of previously stored biometric samples from individuals using at least two biometric baskets, each biometric basket being capable of containing any number of algorithmically distinct biometric samples, each biometric basket containing less than the total number of samples registered with the system, and each biometric basket being identified by a unique biometric basket code, the method comprising:
a. a storage step further comprising:
i. gathering a biometric sample from an individual;
ii. selection of a biometric basket code;
iii. locating the biometric basket identified by the biometric basket code;
iv. comparison of the biometric sample gathered from said individual, with any previously stored biometric samples in the biometric basket, to make sure that the biometric sample gathered from the individual is algorithmically distinct from all biometric samples currently stored in said biometric basket; whereupon if the biometric sample is not distinct from previously stored biometric samples, a different biometric basket is selected and comparison is attempted again until an acceptable biometric basket is selected; and
v. storage of the entered biometric sample gathered from said individual in the acceptable biometric baskets; and
b. a bid step further comprising:
i. entering a biometric basket code by a candidate individual;
ii. entering a biometric sample by said candidate individual; and
c. a comparison step further comprising:
i. locating the biometric basket that is identified by the biometric basket code entered by said candidate individual; and
ii. comparison of the entered biometric sample from said candidate individual with all of the biometric samples stored in said located biometric basket for producing either a successful or failed identification result.
88. A voluntary tokenless identification computer system for determining an individual's identity from an examination of at least one biometric sample and a biometric basket code gathered during a bid step, and comparison with previously recorded biometric samples gathered during a registration step, said system comprising:
a. at least one computer;
b. first gathering and display means for voluntary input of at least one biometric sample and selection of a biometric basket code for an individual during the registration step;
c. storage and retrieval means comprising at least two biometric baskets wherein less than all of the registered biometrics are stored in each biometric basket;
d. second gathering and display means for voluntary input of at least one biometric sample and biometric basket code from an individual during a bid step;
e. first interconnecting means for interconnecting said first and second gathering and display means to said computer for transmitting the gathered biometric sample and biometric basket code from said first and second gathering means to said computer;
f. means for comparison of the biometric sample gathered during the bid step with the biometric samples in the biometric basket identified by the biometric basket code gathered during the bid step, for producing an evaluation;
g. execution means within said computer for storage of data and processing and execution of commands for producing a determination; and
h. means for output of said evaluation or determination from said computer.
89. The apparatus of claim 88 wherein the computer comprises means for detecting and preventing electronic intrusion of the computer system, and is placed remote from the gathering and display means.
90. The apparatus of claim 88, the first and second gathering and display means further comprising:
a. at least one biometric input means for gathering biometric samples further comprising a hardware and software component;
b. at least one terminal means that is functionally partially or fully integrated with the biometric input means for input of and appending additional data;
c. at least one data entry means for input of a personal identification code wherein the data entry means is integrated either with the biometric input means or the terminal means; and
d. second interconnecting means for interconnecting said biometric input means, data entry means and said terminal.
91. The apparatus of claim 90 wherein said terminal further comprises at least one display means for display of data.
92. The apparatus of claim 90 wherein the biometric input means has a hardware identification code previously registered with the computer, which makes the biometric input means uniquely identifiable to the computer.
93. The apparatus of claim 90 wherein the hardware component further comprises;
a. at least one computing module for data processing;
b. erasable and non-erasable memory modules for storage of data and software;
c. biometric scanner device for input of biometrics data;
d. data entry means for entering data;
e. digital communication port; and
f. means for prevention of electronic eavesdropping.
94. The apparatus of claim 93 wherein when there are more than one computing modules, the computing modules are connected in a manner to prevent monitoring of communications between said computing modules.
95. The apparatus of claim 90 wherein the hardware component further comprises display means for display of data.
96. The apparatus of claim 90 wherein the hardware component further comprises RF shielding.
97. The apparatus of claim 90 wherein the hardware component further comprises a wireless communication means.
98. The apparatus of claim 90 wherein the biometric input means is secured from physical tampering.
99. The apparatus of claim 90 further comprising means for detection of physical penetration of the biometric input means.
100. The apparatus of claim 93 further comprising means for electronic self destruction whereby software and data stored within the erasable memory modules are erased.
101. The apparatus of claim 93 further comprising means for physical self destruction whereby the computing modules and the erasable and non erasable memory modules are destroyed.
102. The apparatus of claim 90 wherein the hardware component further comprises means for reading magnetic strip cards.
103. The apparatus of claim 90 wherein the hardware component further comprises means for reading a smart card.
104. The apparatus of claim 90 wherein the software component resides in a computing module and further comprises:
a. electronically erasable memory module wherein at least one command interface module, a first set of software and associated data specifically configured for the intended use of the biometric input device and data are stored; and
b. non-erasable memory module wherein a second set of software and associated data are stored.
105. The apparatus of claim 90 said software component further comprising means for encryption of data from plaintext to ciphertext.
106. The apparatus of claim 90 said software component further comprising means to detect alteration of data further comprising;
a. a secret key; and
b. an irreversible one way transformation of the data that cannot be reproduced without the secret key.
107. The apparatus of claim 90 wherein the first set of software and associated data further comprise:
a. a biometric encoding algorithm; and
b. an encryption code.
108. The apparatus of claim 90 wherein the second set of software and associated data further comprise:
a. an operating system; and
b. a device driver.
109. The apparatus of claim 90 wherein said terminal is any electronic device and which issues commands to and receives results from the biometric input means.
110. The apparatus of claim 90 wherein said terminal is selected from the group of facsimile machines, telephones, television remote control, personal computers, credit/debit card processors, cash registers, automated teller machines, wireless personal computers.
111. The apparatus of claim 90 wherein said interconnecting means is means for wireless communications.
112. The apparatus of claim 88 wherein said first interconnecting means is selected from the group X.25, ATM network, telephone network, Internet network, cable television network, cellular telephone network.
113. The apparatus of claim 88 wherein the comparison means further comprises means for encryption and decryption of data.
114. The apparatus of claim 88 wherein the comparison means further comprises means for identifying the biometric input device.
115. The apparatus of claim 88 wherein the computer system further comprises:
a. at least one counter party computer system; and
b. third interconnecting means for interconnecting said computer system with said at least one counter party computer system.
116. The apparatus of claim 115 wherein the third interconnecting means is selected from the group X.25, ATM network, telephone network, Internet network, cable television network.
117. The apparatus of claim 88 wherein the execution means comprises at least one database for storage and retrieval of data.
118. The apparatus of claim 117 wherein the database further comprises an individual biometric database.
119. The apparatus of claim 117 wherein the database further comprises a prior fraud check database.
120. The apparatus of claim 117 wherein the database further comprises an electronic document database.
121. The apparatus of claim 117 wherein the database further comprises an electronic signature database.
122. The apparatus of claim 88 wherein said output means is selected from the group of X.25, ATM network, telephone network, Internet network, cable television network.
123. A method for voluntary and tokenless identification of individuals using a computer system, said method comprising the steps of:
a. a registration step wherein;
i. at least one registration biometric sample for an individual is gathered;
ii. a biometric basket code is selected that identifies a biometric basket, wherein there are at least two biometric baskets in the computer system and each basket contains less than the total number of biometric samples registered with the computer system;
iii. the computer system attempts to store the registration biometric sample in the biometric basket, producing a storage result; whereupon for a failed storage result, a different biometric basket is selected and storage is attempted again until a successful storage result is obtained;
b. a bid step wherein at least one bid biometric sample and a biometric basket code for an individual is gathered, wherein the biometric basket code identifies the biometric basket to be searched, wherein portable memory devices such as magnetic stripe cards or smart cards are not used;
c. a comparison step wherein the bid biometric sample is compared to each stored biometric within the biometric basket to be searched, for producing either a successful or failed identification result;
d. an execution step wherein a command is processed and executed to produce a determination; and
e. output step wherein said identification result or determination is externalized and displayed.
124. The method of claim 123 wherein both the registration and bid steps further comprise a biometric sample check step wherein the quality of the biometric sample is verified.
125. The method of claim 123 wherein the registration step further comprises a personal identification code and biometric sample duplication check step wherein the biometrics and personal identification code gathered during the registration step is checked against all previously registered biometrics currently associated with the identical personal identification code.
126. The method of claim 123 wherein the registration step further comprises an ancillary data input step wherein ancillary data is collected.
127. The method of claim 126 wherein the ancillary data further comprises names and address of the individual.
128. The method of claim 126 wherein the ancillary data further comprises a title of an individual.
129. The method of claim 128 wherein the ancillary data input step further comprises a title index assignment step, wherein each title of the individual is assigned a code.
130. The method of claim 129 wherein the ancillary data further comprises a financial asset account number.
131. The method of claim 130 wherein the ancillary data input step further comprises an account index assignment step wherein each financial asset account number is assigned an index code.
132. The method of claim 123 wherein the registration step further comprises a prior fraud check step wherein the biometric sample gathered during registration is compared to a subset of previously registered biometric samples.
133. The method of claim 123 wherein the registration step further comprises an emergency mechanism setup step.
134. The method of claim 133 further comprising an emergency account index assignment step wherein an account index is labeled as an emergency account where in the event the account is accessed appropriate authorities are notified of the emergency.
135. The method of claim 134 further comprising a false screen display setup step wherein there is assignment of false screen data.
136. The method of claim 134 wherein access to various financial asset accounts is limited.
137. The method of claim 123 wherein the registration step further comprises a modification step wherein any previously entered ancillary data can be modified or deleted.
138. The method of claim 123 wherein both the registration and bid steps further comprise a data sealing step to provide the ability to detect alteration of the data further comprising:
a. a secret key; and
b. an irreversible one way transformation of the data that cannot be reproduced without the secret key.
139. The method of claim 123 wherein the registration and bid steps further comprise an encryption step to convert the data from plaintext to ciphertext.
140. The method of claim 123 wherein the bid or registration steps further comprise a transmission step wherein the data is transmitted.
141. The method of claim 123 wherein the bid or registration steps are further provided with a unique transmission code having a unique hardware identification code and incrementing sequence number which increases by one for each transmission.
142. The method of claim 123 wherein the registration step further comprises choosing a language for communication in a set language step.
143. The method of claim 123 wherein the bid step further comprises choosing a title in a set title number step.
144. The method of claim 123 wherein the bid step further comprises choosing an account number in a set account number step.
145. The method of claim 123 wherein the bid step further comprises validating an amount in a validate amount step.
146. The method of claim 123 wherein the bid step further comprises entering an amount in an enter amount step.
147. The method of claim 123 wherein the bid step further comprises validating a document in a validate document step.
148. The method of claim 123 wherein the bid step further comprises appending ancillary data in an assign register step.
149. The method of claim 148 the ancillary data further comprising a counter party identification code.
150. The method of claim 123 wherein the bid or registration step further comprise aborting or cancelling said bid or reqistration step in a reset step.
151. The method of claim 123 wherein the bid step further comprises transmission of data in a transmission step.
152. The method of claim 123 wherein the bid step further comprises choosing a language for communication in a set language step.
153. The method of claim 123 wherein the comparison step further comprises use of the unique transmission codes to detect repeat transmissions.
154. The method of claim 123 wherein the comparison step further comprises a counter party identification step using the counter party identification and unique transmission codes.
155. The method of claim 123 wherein the comparison step comprises matching the individual's personal identification code and biometric gathered during the bid step, with the personal identification code and biometric gathered during the registration step, for positive identification of the individual.
156. The method of claim 155 wherein if there is no match of the personal identification code and biometrics gathered during the registration step and the personal identification code and biometrics gathered during the bid step, there is no recognition of the individual.
157. The method of claim 123 wherein the execution step further comprises a debit/credit transaction step.
158. The method of claim 157 wherein the debit/credit transaction step further comprises an address collection step.
159. The method of claim 123 wherein the execution step further comprises an archiving step and a tracking code assignment step, where a tracking code is assigned to the data, for archival of data.
160. The method of claim 159 wherein the data is sent through a message digest encoding algorithm step to produce an electronically signatured document.
161. The method of claim 159 wherein the execution step further comprises the retrieval of archived data using said tracking code.
162. The method of claim 123 wherein the execution step further comprises a modification step wherein title index codes, account numbers and account index codes are added, deleted or modified.
163. The method of claim 162 wherein the execution step further comprises an account number retrieval step where the account index code is used to retrieve an account number.
164. The method of claim 123 wherein the execution step further comprises an emergency activation step.
165. The method of claim 164 wherein the emergency activation step further comprises a recognition of the emergency code and identifying the entire transaction as an emergency, and notification of authorities.
166. The method of claim 164 wherein the execution step further comprises a false display step wherein previously designated, false accounts or false limitations on accounts are accessible.
167. The method of claim 123 wherein the output step further comprises an identification result notification step.
168. The method of claim 123 wherein the output step further comprises a determination notification step.
169. The method of claim 123 wherein the output step further comprises an emergency code step wherein the authorities are notified.
170. The method of claim 123 wherein the output step further comprises display of false screens.
Description
BACKGROUND
The use of tokens and credit cards in today's financial world is pervasive. A token would be any inanimate object which coffers a capability to the individual presenting the object. Remote access of every financial account is through the use of tokens or plastic cards. Whether buying groceries with debit cards or consumer goods with credit cards, at the heart of that transaction is a money transfer enabled by a token, which acts to identify an individual and the financial account he is accessing.
The reason for the migration from metal coins to plastic cards is simple and straightforward: access to money in this money transfer system is vastly safer and more convenient for both merchants and consumers than handling large quantities of coins and notes.
Unfortunately, current technology in combination with this convenient token-based money transfer system results in a system that is prone to theft and fraud.
As verification of user identity is based solely on data placed on the token, which can be easily reproduced and transferred between individuals, such security must rely on both the diligence and the luck of the authorized user and merchant in maintaining this information as proprietary. However, by their very nature, tokens do not have a very strong connection with the individual. Identification of the rightful owner of the token through the token is tenuous at best. This is easily demonstrated by the fact that individuals other than the rightful owners of the tokens have been using these tokens to defraud merchants and other consumer goods suppliers.
The mammoth expansion of the consumer credit industry during the 1980s brought with it large profits for issuers, and newfound convenience for consumers. However, as consumer credit became easier for consumers to acquire, it also became a target for criminals. Much as the mobility of the automobile led to a rash of bank robberies in the late 1920's and early 1930's, so too did the ubiquity of consumer credit lead to vastly increased opportunities for criminals.
Initially, the banking industry was willing to accept a certain amount of loss due to fraud, passing the cost on to the consumer. However, as criminals became more organized, more technically adept, and as credit retail stations began to be manned by people who were more and more poorly trained in credit card security matters, the rate of increase of fraud losses skyrocketed. The staggering statistics on fraud and cost of preventive steps, has forced the credit card companies in particular, to look for other solutions to the problem.
Fraud losses in the credit card industry stem from many different areas due to the highly vulnerable nature of the system, but they are mainly due to either lost, stolen, or counterfeit cards. Credit cards operate without the use of a personal identification code (PIC), therefore a lost credit card can be turned into cash if the card falls into the wrong hands. While theft of a token constitutes the majority of fraud in the system, the use of counterfeit credit cards has been on the rise. Counterfeit credit cards are manufactured by a more technically sophisticated criminal by acquiring a cardholder's valid account number and then producing a counterfeit card using that valid number. The counterfeiter encodes the magnetic strip, and embosses the counterfeit plastic card with the account number. The card is then presented to merchants and charged up to the rightful cardholder's account. Another form of loss is by a criminal merchant who surreptitiously obtains the cardholder's account number. Yet another type of fraud is committed by the authorized cardholder when the token is used for making purchases and thereafter a claim is made that the token was either lost or stolen. It is estimated that losses due to all types of fraud exceeds $950 million dollars annually.
Generally, debit cards are used in conjunction with a personal identification code (PIC). Counterfeiting a debit card is more difficult as the criminal must acquire not only the account number, but also the PIC, and then manufacture the card as in the credit card example. However, various strategies have been used to obtain PICs from unwary cardholders; these range from Trojan horse automated teller machines, or ATMs, in shopping malls that dispense cash but record the PIC, to merchant point of sale devices that also record the PIC, to individuals with binoculars that watch cardholders enter PICs at ATMs. The subsequently manufactured counterfeit debit cards are then used in various ATM machines until the unlucky account is emptied.
The financial industry is well aware of the trends in fraud expense, and is constantly taking steps to improve the security of the card. Thus fraud and theft of token have an indirect impact on the cost to the system.
Card blanks are manufactured under very tight security. Then they are individualized with the account number, expiration date, and are then mailed to the cardholder. Manufacturing and distributing the card alone costs the industry approximately one billion dollars annually. The standard card costs the financial industry $2 for each, but only $0.30 of this $2 is associated with actual manufacturing cost.
Over the last ten years, the industry has altered the tokens because of counterfeiting fraud, without any fundamental changes in the use of the credit transaction system. The remedy has been mostly administrative changes such as having customers call the issuer to activate their card. Other changes include addition of a hologram, a picture ID, or an improved signature area. These type of changes in particular, are an indication that the systems susceptibility to fraud is due to lack of true identification of the individual. It is estimated that this could double the manufacturing cost to two billion dollars annually.
In the near future, the banking industry expects to move to an even more expensive card, called a "smart card". Smart cards contain as much computing power as did some of the first home computers. Current cost projections for a first-generation smart card is estimated at approximately $3.50, not including distribution costs, which is significantly higher than the $0.30 plastic card blank.
This significant increase in cost has forced the industry to look for new ways of using the power in the smart card in addition to simple transaction authorization. It is envisioned that in addition to storing credit and debit account numbers, smart cards may also store phone numbers, frequent flyer miles, coupons obtained from stores, a transaction history, electronic cash usable at tollbooths and on public transit systems, as well as the customer's name, vital statistics, and perhaps even medical records. Clearly, the financial industry trend is to further establish use of tokens.
The side effect of increasing the capabilities of the smart card is centralization of functions. The flip side of increased functionality is increased vulnerability. Given the number of functions that the smart card will be performing, the loss or damage of this monster card will be excruciatingly inconvenient for the cardholder. Being without such a card will financially incapacitate the cardholder until it is replaced. Additionally, losing a card full of electronic cash will also result in a real financial loss as well. Furthermore, ability of counterfeiters to one day copy a smartcard is not addressed.
Unfortunately, because of the projected concentration of functions onto the smart card, the cardholder is left more vulnerable to the loss or destruction of the card itself. Thus, after spending vast sums of money, the resulting system will be more secure, but threatens to levy heavier and heavier penalties for destruction or loss of this card on the consumer.
The financial industry recognizes the security issues associated with smartcards, and efforts are currently underway to make each plastic card difficult to counterfeit. Billions of dollars will be spent in the next five years in attempts to make plastic ever more secure. To date, the consumer financial transaction industry has had a simple equation to balance: in order to reduce fraud, the cost of the card must increase.
In addition to and associated with the pervasiveness of electronic financial transactions, there is now the widespread use of electronic facsimiles, electronic mail messages and similar electronic communications. Similar to the problem of lack of proper identification of individuals for financial transactions is the problem of lack of proper identification of individuals for electronic transmissions. The ease and speed of electronic communication, and its low cost compared to conventional mail, has made it a method of choice for communication between individuals and businesses alike. This type of communication has expanded greatly and is expected to continue to expand. However, millions of electronic messages such as facsimiles and electronic mail (or "E-mail" or "email") messages are sent without knowing whether they arrive at their true destination or whether a certain individual actually sent or received that electronic message. Furthermore, there is no way to verify the identify the individual who sent or who received an electronic message.
Recently, various attempts have been made to overcome problems inherent in the token and code security system. One major focus has been to encrypt, variablize or otherwise modify the PIC to make it more difficult for an unauthorized user to carry out more than one transaction, largely by focusing on manipulation of the PIC to make such code more fraud resistant. A variety of approaches have been suggested, such as introducing an algorithm that varies the PIC in a predictable way known only to the user, thereby requiring a different PIC code for each subsequent accessing of an account. For example, the PIC code can be varied and made specific to the calendar day or date of the access attempt. In yet another approach, a time-variable element is introduced to generate a non-predictable personal identification code that is revealed only to an authorized user at the time of access. Although more resistant to fraud that systems incorporating non-variable codes, such an approach is not virtually fraud-proof because it still relies on data that is not uniquely and irreproducibly personal to the authorized user. Furthermore, such systems further inconvenience consumers that already have trouble remembering constant codes, much less variable ones. Examples of these approaches are disclosed in U.S. Pat. No. 4,837,422 to Dethloff et al.; U.S. Pat. No. 4,998,279 to Weiss; U.S. Pat. No. 5,168,520 to Weiss; U.S. Pat. No. 5,251,259 to Mosley; U.S. Pat. No. 5,239,538 to Parrillo; U.S. Pat. No. 5,276,314 to Martino et al.; and U.S. Pat. No. 5,343,529 to Goldfine et al. all of which are incorporated herein by reference.
More recently, some have turned their attention from the use of personal identification codes to the use of unique biometrics as the basis of identity verification, and ultimately computer access. In this approach, authenticated biometrics are recorded from a user of known identity and stored for future reference on a token. In every subsequent access attempt, the user is required to enter physically the requested biometrics, which are then compared to the authenticated biometrics on the token to determine if the two match in order to verify user identity. Because the biometrics are uniquely personal to the user and because the act of physically entering the biometrics are virtually irreproducible, a match is putative of actual identity, thereby decreasing the risk of fraud. Various biometrics have been suggested, such as finger prints, hand prints, voice prints, retinal images, handwriting samples and the like. However, because the biometrics are generally stored in electronic (and thus reproducible) form on a token and because the comparison and verification process is not isolated from the hardware and software directly used by the individual attempting access, a significant risk of fraudulent access still exists. Examples of this approach to system security are described in U.S. Pat. No. 4,821,118 to Lafreniere; U.S. Pat. No. 4,993,068 to Piosenka et al.; U.S. Pat. No. 4,995,086 to Lilley et al.; U.S. Pat. No. 5,054,089 to Uchida et al.; U.S. Pat. No. 5,095,194 to Barbanell; U.S. Pat. No. 5,109,427 to Yang; U.S. Pat. No. 5,109,428 to Igaki et al.; U.S. Pat. No. 5,144,680 to Kobayashi et al.; U.S. Pat. No. 5,146,102 to Higuchi et al.; U.S. Pat. No. 5,180,901 to Hiramatsu; U.S. Pat. No. 5,210,588 to Lee; U.S. Pat. No. 5,210,797 to Usui et al.; U.S. Pat. No. 5,222,152 to Fishbine et al.; U.S. Pat. No. 5,230,025 to Fishbine et al.; U.S. Pat. No. 5,241,606 to Horie; U.S. Pat. No. 5,265,162 to Bush et al.; U.S. Pat. No. 5,321,242 to Heath, Jr.; U.S. Pat. No. 5,325,442 to Knapp; U.S. Pat. No. 5,351,303 to Willmore, all of which are incorporated herein by reference.
As will be appreciated from the foregoing discussion, a dynamic but unavoidable tension arises in attempting to design a security system that is highly fraud resistant, but nevertheless easy and convenient for the consumer to use. Unfortunately, none of the above-disclosed proposed improvements to the token and code system adequately address, much less attempt to balance, this tension. Such systems generally store the authenticated biometrics in electronic form directly on the token that can presumably be copied. Further, such systems do not adequately isolate the identity verification process from tampering by someone attempting to gain unauthorized access.
An example of token-based security system which relies on a biometrics of a user can be found in U.S. Pat. No. 5,280,527 to Gullman et al. In Gullman's system, the user must carry and present a credit card sized token (referred to as a biometrics security apparatus) containing a microchip in which is recorded characteristics of the authorized user's voice. In order to initiate the access procedure, the user must insert the token into a terminal such as an ATM, and then speak into the terminal to provide a biometrics input for comparison with an authenticated input stored in the microchip of the presented token. The process of identity verification is generally not isolated from potential tampering by one attempting unauthorized access. If a match is found, the remote terminal may then signal the host computer that access should be permitted, or may prompt the user for an additional code, such as a PIN (also stored on the token), before sending the necessary verification signal to the host computer.
Although Gullman's reliance of comparison of stored and input biometrics potentially reduces the risk of unauthorized access as compared to numeric codes, Gullman's use of the token as the repository for the authenticating data combined with Gullman's failure to isolate the identity verification process from the possibility of tampering greatly diminishes any improvement to fraud resistance resulting from the replacement of a numeric code with a biometrics. Further, the system remains somewhat cumbersome and inconvenient to use because it too requires the presentation of a token in order to initiate an access request.
Almost uniformly, patents that disclose token-based systems teach away from biometrics recognition without the use of tokens. Reasons cited for such teachings range from storage requirements for biometrics recognition systems to significant time lapses in identification of a large number of individuals, even for the most powerful computers.
In view of the foregoing, there has long been a need for a computer access system that is highly fraud-resistant, practical, and efficient for the user to operate and carry out electronic transactions and transmissions expeditiously.
There is also a need for a computer system that is completely tokenless and that is capable of verifying a user's personal identity, based solely upon a personal identification code and biometrics that is unique and physically personal to an authorized user, as opposed to verifying an individual's possession of any physical objects that can be freely transferred between different individuals. Such biometrics must be easily and non-intrusively obtained; must be easy and cost-effective to store and to analyze; and must not unduly invade the user's privacy rights.
A further need in computer access system design is user convenience. It is highly desirable for a consumer to able to access the system spontaneously, particularly when unexpected needs arise, with a minimum of effort. In particular, there is a need for a system that greatly reduces or eliminates the need to memorize numerous or cumbersome codes, and that eliminates the need to possess, carry, and present a proprietary object in order to initiate an access request.
Such systems must be simple to operate, accurate and reliable. There is also a need for a computer access system that can allow a user to access multiple accounts and procure all services authorized to the user, and carry out transactions in and between all financial accounts, make point of purchase payments, receive various services, etc.
There is further a great need for a computer access system that affords an authorized user the ability to alert authorities that a third party is coercing the user to request access without the third party being aware that an alert has been generated. There is also a need for a system that is nevertheless able to effect, unknown to the coercing third party, temporary restrictions on the types and amounts of transactions that can be undertaken once access is granted.
Furthermore, the computer system must be affordable and flexible enough to be operatively compatible with existing networks having a variety of electronic transaction and transmission devices and system configurations.
Finally, there is a need for secured sending and receipt of electronic mail messages and electronic facsimiles, where content of the electronic message is protected from disclosure to unauthorized individuals, and the identity of the sender or recipient can be obtained with a high degree of certainty.
SUMMARY OF THE INVENTION
The present invention satisfies these needs by providing an improved identification system for determining an individual's identity from a comparison of an individual's biometrics sample and personal identification code gathered during a bid step with biometrics sample and personal identification code for that individual gathered during a registration step and stored at a remote site wherein there is a data processing center. The invention comprises a computer network host system with means for comparing the entered biometrics sample and personal identification code, and is equipped with various data bases and memory modules. Furthermore, the invention is provided with biometrics and personal identification code input apparatus and terminals for entering data to provide information for execution of the requested transactions and transmissions by the host system once the identity of the individual is determined. The invention is also provided with means for connecting the host system with the terminal and the biometrics input apparatus.
The computer also has means for execution of various transactions and transmission in addition to traditional storing of and modification of data. Additionally, the computer can output the evaluation of the biometrics-PIC ("personal identification code") comparison, and the determination of an identification evaluation, or status of any execution of transactions or transmissions. Furthermore, the computer system notifies and authenticates to the individual being identified that the computer system was accessed, by returning to the individual a private code which was previously selected by that individual during the registration step.
Preferably, the computer system is protected from electronic eavesdropping and electronic intrusion and viruses. Further, the devices used by the computer for gathering biometric samples and personal identification codes would comprise: a) at least one biometric input device for gathering biometric samples, which would have a hardware and a software component; b) at least one terminal device that is functionally partially or fully integrated with the biometric input means for input of and appending ancillary information; c) at least one data entry device for input of a personal identification code whereby this data entry device is integrated either with the biometric input device or the terminal device; and, d) a means for interconnecting the biometric input device, data entry device and the terminal. The terminal device also has at least one display device for displaying data and information. For additional security the computer system uniquely identifies the biometric input apparatus, and the counter party or merchant through a counter party or merchant identification code relating to the terminal that is connected to the biometric input device. It is also preferred that the biometric input apparatus be secured from physical and electronic tampering, and that in case of physical breach of the device, means be employed to physically and/or electronically destroy components within the apparatus and/or erase critical data from the device's memory modules.
In addition, the biometric input apparatus would have a hardware component comprising: a) at least one computing module for data processing; b) erasable and non-erasable memory modules for storage of data and software; c) a biometric scanner device for input of biometric data; d) a data entry device for entering data; e) a digital communications port; f) a device for prevention of electronic eavesdropping.
In order to protect the integrity and confidentiality of electronic data sent between the biometric input apparatus, the terminal, and the computer network, it is preferred that the data be encrypted and sealed.
The host computer network is also connected to and is able to communicate with other independent computer systems, databases, facsimile machines, and other computer networks through conventional means.
The method of the present invention includes voluntarily identifying an individual without the use of any tokens by means of examination of at least one biometrics sample provided by that the individual and a personal identification code also provided by that individual. During a registration step, the individual is to register with the system an authenticated biometric sample, a personal identification code and a private code. Thereafter, during a bid step the biometrics sample and personal identification code of the individual is gathered and compared to the ones registered during the registration step. A match of the personal identification codes and biometrics sample will result in the positive identification of the individual. In order to authenticate to the identified individual that the real computer system was accessed, the individual's private code, which was collected at the registration step, is returned to the individual.
It is preferred that the method of the invention include a method for examining the biometrics samples during registration and comparing such biometrics with a collection of biometrics samples from individuals who have been designated as having previously attempted to perpetrate or who have actually perpetrated fraud upon the system.
In a preferred embodiment, the invention includes a method for notifying authorities of the presence of exigent circumstances or that the authorized user is under duress.
It is also preferred that a method of encryption and sealing of data be used to protect the data, including the digitized biometrics sample, from being revealed accidentally or unveiled from criminal elements during transmission.
It is also preferred that the method include steps for the individual to choose various financial accounts, and choose various modes of electronic transmissions.
It is also preferred that the method include a method for archiving of data and electronic transmissions, and retrieval of the archived data using a tracking code.
It is furthermore preferred that any document, such as a facsimile or an electronic mail message be uniquely checksummed using algorithm for future identification of the document.
Yet another method of the invention is to be able to rapidly identify an individual from an examination of his biometrics sample and personal identification code by storing several dissimilar biometrics samples from different individuals in an electronic basket that is identified by one personal identification code.
In one embodiment of the invention, the computer system can allow individuals to select their own personal identification code (or "PIC") from a group of PICs selected by the remote data processing center. This is performed in a method whereby once the individual's biometric is gathered, the data processing center selects several PICs at random which may be conducive to being memorized. The data processing center then conducts a comparison of the biometric gathered with those already in those PIC baskets or groups. In the event the new registrant's biometric is to similar to any previously registered biometric which has been allotted to any one of those randomly selected PIC groups, then that PIC is rejected by the database for use by the new individual and an alternative PIC is selected for another such biometric comparison. Once the data processing center has generated several PIC options without a confusingly similar biometric, those PICs are presented to the new registrant from which the individual may select one PIC.
In one embodiment of the invention, there is a method for rapid search of at least one first previously stored biometric sample from a first individual, using a personal identification code-basket that is capable of containing at least one algorithmically unique second biometric sample that is from at least one second individual, and which is identified by said personal identification code-basket, comprising, firstly, a storage step further comprising: a) the selection of a private code by a first individual; b) the selection of a personal identification code by said first individual; c) the entering a biometric sample from said first individual; d) locating the personal identification code-basket identified by the personal identification code selected by said first individual; e) comparison of the biometric sample taken from said first individual with any previously stored biometric samples in said selected personal identification code-basket to make sure that the biometric sample entered by said first individual is algorithmically unique from the previously stored at least one biometric sample provided by at least one second individual, and; f) storage of the entered biometric sample from said first individual in the selected personal identification code-basket if said sample is algorithmically unique from the at least one previously stored biometric sample from said at least one second individual. There is also a bid step further comprising: a) entering said selected personal identification code by said first individual, and; b) entering a biometric sample by said first individual. There is also a comparison step comprising: a) finding the personal identification code-basket that is identified by said personal identification code entered by said first individual, and; b) comparison of the entered biometric sample from said first individual with said at least one stored biometric sample from said at least one second individual in said entered personal identification code-basket for producing either a successful or failed identification result. There could also be: a) an execution step wherein a command is processed and executed to produce a determination; b) an output step wherein said identification result or said determination is externalized and displayed, and; c) a presentation step wherein on successful identification of said first individual, said private code is presented to said first individual.
According to one embodiment of the invention, the host system is positioned in series between the individual being identified and other computer networks that are to be accessed, thereby acting as an interface. It will be appreciated that in this embodiment, the user tenders an access request directly to the host computer system of the invention, which is operationally interactive with other independent secured computer systems such as VISANET. The computer system would therefore maintain authenticated biometrics data samples for all authorized users of each secured computer system that it services. These data would be cross-referenced by each authorized user. Thus, after identity verification is completed, the security system provides to the user a listing of systems that he is authorized to access, and prompts the user to select the desired network. Thereafter, the requested execution step and information regarding the transaction is forwarded to the selected independent computer network similar to the type of communications sent today between merchants and credit card companies.
In a second embodiment the host system may also carry out the functions of the other independent computer systems such as debiting or crediting a financial account. In this system, the computer system of the invention carries out the functions requested by the individual without use of external, independent computer networks.
According to a further embodiment of the invention, a means is provided for alerting predesignated authorities during an access attempt during which the user has been coerced by a third party to request access to the host computer system. In such an embodiment, an authorized user would have a number of codes, most of which would be recognized by the computer system as the standard access codes, and others which would be recognized as emergency codes. The comparison means of the computer system of the invention would be configured to accept and recognize at least one code per authorized user, and to activate the emergency alert means whenever the code entered by the user matched an emergency code. At the same time, the determination of an authorized identity for the user would result in the user being afforded access to the requested secured computer system perhaps on an access level that has been predetermined to be restricted or perhaps resulting in the display of misleading data (i.e., "false screens"), thereby preventing the coercing third party from knowing that an emergency notification had been entered by the user. The emergency code would be entered as a part of or simultaneously with the user's personal identification code or by selecting an emergency account index during the access of the computer system. In either case, the well-being of the user requesting access might be jeopardized if the coercing party discovered that the user was attempting to notify authorities. Thus, it is critical that the access procedure continue uninterruptedly and that access be granted to an authorized user so that the coercing party believes that everything is proceeding normally. Although these features can be incorporated into the invention's host computer network, it is also possible that an independent computer network can also carry out the same or modified versions of the above-mentioned features.
The present invention is clearly advantageous over the prior art in a number of ways. First, it is extremely easy and efficient for the user, particularly where the user is accessing financial accounts, because it eliminates the need to carry and present any tokens in order to access one's accounts. The present invention eliminates all the inconveniences associated with carrying, safeguarding and locating any desired tokens. Further, because tokens are often specific to a particular computer system that further requires remembering a secret code assigned to the particular token, this invention eliminates all such tokens and thereby significantly reduces the amount of memorization and diligence increasingly required of consumers by providing access to all assets using only one personal identification code. Thus, in a single, tokenless transaction, the consumer can efficiently and securely conduct virtually any commercial exchange or electronic message, from withdrawing cash from a bank account, to authorization his agreement to the terms of a contract, to making a purchase directly from television, to paying local property taxes. The consumer is now uniquely empowered, by means of this invention, to conveniently conduct his personal and/or professional electronic transmissions and transactions at any time without dependence upon tokens which may be stolen, lost or damaged.
The invention is clearly advantageous from a convenience standpoint to retailers and financial institutions by making purchases and other financial transactions less cumbersome and more spontaneous. The paper work of financial transactions is significantly reduced as compared to current systems, such as credit card purchase wherein separate receipts are generated for use by the credit card company, the merchant and the consumer. Such electronic transactions also save merchants and banks considerable time and expense by greatly reducing operational costs. Because the system of the invention is designed to provide a consumer with simultaneous direct access to all of his financial accounts, the need for transactions involving money, checks, commercial paper and the like will be greatly reduced, thereby reducing the cost of equipment and staff required to collect and account for such transactions. Further, the substantial manufacturing and distributing costs of issuing and reissuing credit cards, ATM cards, calling cards and the like will be eliminated, thereby providing further economic savings to merchants, banks, and ultimately to consumers. In fact, the system of the invention will likely spur economic growth since all of a consumer's electronic financial resources will be available at the mere input of his fingerprint or other biometrics.
The invention is markedly advantageous and superior to existing systems in being highly fraud resistant. As discussed above, present computer systems are inherently unreliable because they base determination of a user's identity on the physical presentation of a unique manufactured object along with, in some cases, information that the user knows. Unfortunately, both the token and information can be transferred to another, through loss, theft or by voluntary action of the authorized user. Thus, unless the loss or unintended transfer of these items is realized and reported by the authorized user, anyone possessing such items will be recognized by existing security systems as the authorized user to whom that token and information is assigned.
By contrast, the present invention virtually eliminates the risk of granting access to non-authorized users by determining user identity from an analysis of one or more of a user's unique, biometrics characteristics. Even in the very rare circumstance of coercion, where an authorized individual is coerced by a coercing party to access his accounts, the system anticipates an emergency account index, whereby the authorized user can alert authorities of the transgression without the knowledge of the coercing party.
The invention further enhances fraud resistance by maiming authenticating data and carrying out the identity verification operations at a point in the system that is operationally isolated from the user requesting access, thereby preventing the user from acquiring copies of the authenticating data or from tampering with the verification process. Such a system is clearly superior to existing token-based systems wherein authenticating information, such as personal codes, is stored on and can be recovered from the token, and wherein the actual identity determination is potentially in operational contact with the user during the access process.
It is an object of the invention therefore to provide a computer access identification system that eliminates the need for a user to possess and present a physical object, such as a token, in order to initiate a system access request.
It is another object of the invention to provide a computer access identification system that is capable of verifying a user's identity, as opposed to verifying possession of proprietary objects and information.
It is yet another object of the invention to verify user identity based upon one or more unique characteristics physically personal to the user.
Yet another object of the invention is to provide a system of secured access that is practical, convenient, and easy use.
Still another object of the invention is to provide a system of secured access to a computer system that is highly resistant to fraudulent access attempts by non-authorized users.
Yet another object of the invention is to provide a computer access identification system that enables a user to notify authorities that a particular access request is being coerced by a third party without giving notice to said third party of the notification.
There is also a need for a computer access identification system that automatically restricts a user's transactional capabilities on the computer system according a desired configuration provided by the user.
These and other advantages of the invention will become more fully apparent when the following detailed description of the invention is read in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram of the system of the present invention;
FIG. 2 is a diagram of the Data Processing Center (DPC) and its internal data bases and execution modules;
FIG. 3 is a diagram of the retail point of sale terminal, the biometrics input apparatus and its components, and the interconnections between them;
FIG. 4 is a flow chart of the operation of the biometrics input apparatus and the terminal for generating a request packet;
FIG. 5 is a representational diagram of the request packet and the mandatory and optional data it contains;
FIG. 6 is a representational diagram of the response packet and the mandatory and optional data it contains;
FIG. 7 is a flow chart depicting the data encryption and sealing process at the biometrics input device;
FIG. 8 is a flow chart depicting the data decryption and counter party identification process at the DPC;
FIG. 9 is a flow chart depicting the data encryption and sealing process at the DPC;
FIG. 10 is a flow chart representing the registration of an individual during the registration process;
FIG. 11 is a flow chart representing the process of identification of the individual and returning a private code to the individual;
FIG. 12 is a flow chart of the skeleton of the processes that occur at the DPC and an execution step;
FIG. 13 is a flow chart of the emergency request and response process at the DPC;
FIG. 14 is a flow chart of the overall operation of retail transaction authorization execution at the DPC;
FIG. 15 is a flow chart of the overall operation of remote transaction authorization execution step at the DPC;
FIG. 16 is a flow chart of the overall operation of ATM account access execution at the DPC;
FIG. 17 is a flow chart of the overall operation of issuer batch modification execution at the DPC;
FIG. 18 is a flow chart of the overall operation of secure fax submit and electronic document submit execution at the DPC;
FIG. 19 is a flow chart of the overall operation of secure fax data and electronic document data execution at the DPC;
FIG. 20A is a representational diagram of the electronic signature request packet;
FIG. 20B is a representational diagram of the electronic signature response packet;
FIG. 20C is a representational diagram of the electronic signature verification request packet;
FIG. 20D is a representational diagram of the electronic signature verification request packet;
FIG. 21 is a flow chart of the overall operation of electronic signature execution at the DPC; and
FIG. 22 is a flow chart of the overall operation of electronic signature verification execution at the DPC.
DETAILED DESCRIPTION OF THE DRAWINGS
As noted, the main objective of this invention is to provide a tokenless, secure, reliable, safe, and consistent, apparatus and method, for identifying individuals for the purpose of performing financial transactions and non-financial transmissions, which can accommodate large numbers of users. It is the essence of this invention that consumers have the ability to conduct these transactions without the use of any tokens, credit cards, badges or identification cards including drivers licenses. In order to be functional it is important that the system operate at speeds required for completing financial transactions such as credit card purchases and ATM services, from multiple banks and credit accounts. The system must be secure, such that individuals records and their biometrics information remain confidential and safe, both within the computer system that identifies the individual and authorizes transactions, or during transfer of data between the computer system and remote sites with which the computer system communicates. Furthermore, the system must be reliable in that errors in identification and authorization must not hamper or make use of the system cumbersome. Since only the use of biometrics are contemplated for identification of individuals, the system must also have security measures to either reduce access, even to the authorized user, or notify authorities in emergency cases. It is appreciated that the system must be able to handle a large number of users, and accommodate storage and transfer of large amounts of data, such as bio-characteristic information, commensurate with speeds at which financial transactions are carried on today.
Turning now to the figures, the overall configuration of the invention and its components are shown in FIG. 1. Essentially a Data Processing Center (DPC) 1 is connected to various terminals 2 through various type of communication means 3 which can be one of several types. The DPC is also connected and communicates with independent computer networks 4. The DPC contains several data bases and software execution modules as shown in FIG. 1. In a preferred embodiment of the invention, the data bases are backed up or "mirrored" for safety reasons. The Firewall Machine 5 is responsible for prevention of electronic intrusion of the system while the Gateway Machine 6 is responsible for carrying out all requests from the user, including adding, deleting and otherwise modifying all data bases. The Gateway Machine is also responsible for decryption and de-packaging of data that has arrived from the terminals using the MACM module 7, MDM module 8, and the SNM module 9. The PGL module 10, and the IML module 11 are used to locate the proper personal identification code and biometrics sample basket. FIG. 3 depicts an example of a terminal and the biometrics input device 11, which has a biometrics scanner 13, data entry means such as a key pad or PIN pad 14, and a display panel 15. The biometrics scanner can be any one of finger print scanner, voice recognition, palm print scanner, retinal scanner or the like, although the fingerprint scanner will be used as an example. The biometrics input device is further equipped with computing modules 16, device drivers, and erasable and non-erasable memory modules. The biometrics input device communicates with the terminal through preferably a serial port 17. The terminal 1 communicates through a conventional modem 18 with the DPC 1 through request packets 19 and response packets 10 using one of the interconnecting means in FIG. 1 such as cable network cellular telephone networks, telephone networks, Internet, ATM network, or X.25. FIG. 4 shows a representational diagram of the request packet 19 and its method of generation by the biometrics input device software. FIG. 5 and FIG. 6 show a representational diagram of the request packet and response packet with optional and mandatory data segments. Furthermore, it is shown which parts of the packets are encrypted and which ones are sealed. FIG. 7 is a block diagram of the overall process for data encryption and sealing showing the use of DUKPT key data 20 for encryption of data before appending additional data before sealing the request packet with a Message Authentication Code Key (MAC) 21. FIG. 8 and FIG. 9 show the decryption and encryption process at the DPC. FIG. 12 through 19 and 11 through 12 are block diagrams of selected examples of execution steps carried on at the DPC.
Description of the drawings, diagrams, flow charts and the description of the invention, including hardware components, software components, execution modules, data bases, connection means, the data transferred between them, and the method of the invention is described in detail as follows.
1.1. Biometric Input Apparatus (BIA)
1.1.1. Introduction
The BIA is a combination of hardware and software whose job is to gather, encode, and encrypt biometric input for use in individual identification. All actions of the BIA are directed by an outside controlling entity called a terminal, which issues commands and receives results over the BIA's serial line.
BIA hardware comes in four basic versions: standard, wireless, integrated phone/cable television (or "CATV")/fax, and ATM. Each BIA hardware variant addresses a particular need in the marketplace, and because of the differences in construction, each variant has a different level of security.
BIA software comes in seven basic versions: personal computer (or "PC"), retail, ATM, registration, internal, issuer, and integrated remote. Each software load provides a different, use-specific command set. For instance, the registration software load does not accept requests to form retail transaction messages. Likewise, the retail software command set cannot send individual registration messages. To provide another layer of security, the DPC knows what software package is loaded into each BIA; any attempts by an BIA to send a message that it is normally not able to send is rejected, and treated as a major security violation.
The ability of the invention to detect and combat merchant-based fraud relies on the fact that the BIA's external interface is strictly limited, that the construction of the BIA makes it extremely difficult to tamper with the contents, that each BIA has its unique encryption codes that are known only to the DPC, and that each BIA is only allowed to perform operations limited to its designated function. Each biometric input means has a hardware identification code previously registered with the DPC, which makes the biometric input means uniquely identifiable to the DPC in each subsequent transmission from that biometric input device.
The BIA is constructed with the assumption that the controlling terminal is a source for fraud and deception. Terminals range from software applications running on personal computers to dedicated hardware/software systems developed for a particular use such as a retail point of sale. Regardless of the particular model, no BIA reveals unencrypted biometric information. BIA models without display means (such as LCD, LED, or quartz screens) must reveal selected information (such as individual private codes) to the terminal for display, and as a result those particular terminal-BIA combinations are considered to be less secure.
Depending on the task at hand, BIA models are either partially or fully integrated with the terminal. Partially integrated devices are physically separate from the terminal, and they include wireless and standard retail point of sale BIAs. Fully integrated devices are contained within the physical enclosure of the terminal itself, for instance, an ATM, or a telephone.
No BIA ever discloses any secret encryption codes to any external source.
1.1.2. BIA Models
Particular BIA hardware models have different configurations. They are introduced in brief here:
BIA
Standard model has computing module (i.e., multichip modules), biometric scanner (i.e., single fingerprint scanner), display means (i.e., LCD screen), communications port (i.e., serial port), data entry means (i.e., a manual data entry key board or PIC pad) encased in tamper-resistant case, and electronic detection means (i.e., RF shielding).
BIA/Wireless
Standard model, but serial line replaced with spread-spectrum wireless communications module using external antenna. Used in restaurant point of sale.
BIA/ATM
Has heavy-duty scanner and serial port, along with a multichip module. The fact that the LCD is part of the terminal and not the BIA means lower security because it must reveal the private code to the terminal. Used in ATMs.
BIA/Catv
Has light-duty scanner, otherwise like ATM. Used in telephones, CATV remotes, and fax machines. Weakest security, both because the LCD and PIC pad are pan of the terminal not the BIA, and because of the low-cost nature of the market.
1.1.3. BIA Command Set Messages
Each BIA software command set provides a different set of operations. They are introduced briefly here:
BIA/ATM
Account Access
BIA/Catv
Remote Transaction Authorization
BIA/Fax
Secure Fax Submit
Secure Fax Data
Secure Fax Tracking
Secure Fax Retrieve
Secure Fax Reject
Secure Fax Archive
Secure Fax Contract Accept
Secure Fax Contract Reject
Electronic Document Archive Retrieve
BIA/Internal
Individual Identification
BIA/Issuer
Issuer Batch
BIA/PC
Electronic Document Submit
Electronic Document Data
Electronic Document Tracking
Electronic Document Retrieve
Electronic Document Reject
Electronic Document Archive
Electronic Document Archive Retrieve
Electronic Signature Submission
Electronic Signature Check
Remote Transaction Authorization
Network Credential
Secured Connection
BIA/Registration
Individual Identification
Biometric Registration
BIA/Retail
Transaction Authorization
1.1.4. BIA Hardware: Standard Model
The Standard BIA hardware is a multichip module combined with a single-print scanner, an LCD screen, a serial port, and a PIC pad encased in a hard tamper-resistant case that makes attempts to penetrate obvious while also providing RF shielding for the contents.
The following components are amalgamated into a multichip module, called the BIA Multichip Module (a process for encapsulating several processors in one physical shell, well known in the industry), constructed to protect the communications pathways between the devices from easy wiretapping.
Serial processor
PIC pad processor
LCD screen processor
CCD scanner A/D processor
High-speed DSP processor containing both flash and mask ROM
General purpose microprocessor
Standard RAM
EEPROM
The following software packages and data are stored in mask ROM. Mask ROM is cheaper than other types of read only memory, but it is easily reverse engineered, and is not electronically erasable. As such we only place the noncritical commonly available code here. (Mask ROM is well known in the industry).
MAC calculation library
DUKPT Key Management library
DES (with CBC) Encryption library
Base-64 (8-bit to printable ASCII) converter library
Public Key Encryption library
Embedded Operating System
Serial line device driver
LCD device driver
PIC pad device driver
Scanner device driver
Unique hardware identification code
Multi-Language profiles
The following standard data and software packages are stored in flash ROM. Flash ROM is more expensive, but it is much more difficult to reverse engineer, and most importantly, it is electronically erasable. All of the more critical information is stored here. Flash ROM is used in an attempt to increase the difficulty of duplicating an BIA. (Flash ROM is well known in the industry).
Unique DUKPT Future Key Table
Unique 112-bit MAC Key
DSP biometric quality determination algorithm
DSP biometric encoding algorithm
Random number generator algorithm
Command function table
The message sequence number, incremented each time a message is sent from the BIA, is stored in the EEPROM. EEPROM can be erased many times, but is also nonvolatile--its contents remain valid across power interruptions. (EEPROM is well known in the industry).
The following data is stored in RAM. RAM is temporary in nature, and is lost whenever power is lost.
Encoded Biometric Register
PIC Register
Account Index Code Register
Title Index Code Register
Amount Register
Document Name Register
PIC-Block Key
Message Key
Response Key
Shared Session Key
Private Session Key
8 General Registers
stack and heap space
Each multichip module contains a "write-once" memory location that is irreversibly set following the initialization of the flash ROM. Whenever an attempt is made to download software to the flash ROM, this memory location is checked; if it is already been set, then the BIA refuses to load. This way, critical software and data keys may only be downloaded once into the device, at the time of manufacture.
All registers and keys are explicitly zeroed when a transaction is canceled. Once a transaction is completed, registers are cleared as well. Once a "form message" command is executed, biometric, PIC, and account index code registers are also cleared, along with any encryption keys that aren't required for subsequent use.
It is important that the software not keep copies of registers or keys in stack variables (known in the industry).
The following associated hardware components comprise the standard BIA hardware module.
BIA Multichip module
CCD single-print scanner
capacitance detector plate (known in the industry)
lighted PIC keypad
2-line 40-column LCD screen
RF shielding
tamper-resistant case
serial connection (up to 57.6 kb)
breech detection hardware (known in the industry)
optional thermite charge attached to Multichip module (known in the industry)
All temporary storage and internal hardware and software used to calculate these values are secured, which means they resist any attempts to determine their current values, or their means of functioning. This feature is essential for the security of the invention, just as it is critical that the "wiretapping" of an BIA and specifically the gathering of a Biometric-PIC Block for fraudulent means is made as difficult as possible.
The multichip module and the components are, where practical, physically connected to each other without exposed wiring being present.
The enclosure protecting the electronic components of the BIA is welded shut during manufacture; it cannot be opened under any circumstances without significant damage to the case. Upon detecting any opening (or damage) of the enclosure, the BIA performs an emergency electronic zero of any and all keys residing in flash ROM, followed by all of the software libraries. Specific breech detection methods are kept confidential and proprietary.
In addition to protecting the contents, the case also shields the internal operations from RF signal detectors.
Supersecure versions of the BIA exist whereby breech detection methods are connected to a mechanism that physically destroys the multichip module as well as the detection methods themselves.
1.1.5. BIA Hardware: Wireless Model
The Wireless version of BIA hardware is identical to the Standard model in construction, except that it exports a spread-spectrum wireless communications module using an external antenna instead of an external serial port.
This version is designed to be used in restaurants, where transactions are authorized at the customer's convenience.
In the following descriptions, items which are added to the standard set are signified by the + character, while items that are removed from the standard set are signified by the - character.
Multichip Module:
-Document Name Register
-Shared Session Key
-Private Session Key
-Message Key
Components:
-Serial port
+External antenna
+Spread-spectrum wireless serial module (known in the industry)
1.1.6. BIA Hardware: ATM Model
The ATM version of BIA hardware is a multichip module combined with a heavy-duty single-pit scanner and a serial port. The components are encased in a tamper-resistant case that makes attempts to penetrate obvious while also providing RF shielding for the contents.
This version is designed to be retrofitted into ATM locations. As such, the scanner pad is a heavy-duty sensor pad, and the entire construction makes use of the existing screens and keypads present in the ATM itself.
In the following descriptions, items which are added to the standard set are signified by the + character, while items that are removed from the standard set are signified by the - character.
Multichip Module:
-Amount Register
-Document Name Register
-Shared Session Key
-Private Session Key
-Message Key
Components:
-lighted PIC keypad
-2-line 40-column LCD screen
Note that since the ATM has no LCD screen or PIC keypad, it really has no need of those device drivers in the mask ROM.
1.1.7. BIA Hardware: Phone/CATV Model
The Phone/CATV version of BIA hardware is a multichip module combined with a single-print scanner and a serial port. The module is physically attached to the scanner, and the whole is encased in plastic in order to make tampering more difficult. Some mount of RF shielding is provided for the components.
This version is designed to be integrated with telephones, television remote controls, and fax machines. As a result, it makes use of the existing keypads and LCD or television screens to enter or display values. It also uses the communication facilities of the host terminal. For example, the fax machine uses the built-in fax modem and the television remote uses the CATV cable network.
This hardware model is (in comparison with other models) relatively insecure, as it is intended that these devices cost as little as possible, be lightweight, and integrate easily with existing low-cost devices.
Of course, higher-security versions with more complete enclosures are possible and encouraged.
In the following descriptions, items which are added to the standard set are signified by the + character, while items that are removed from the standard set are signified by the - character.
Multichip Module:
-Document Name Register
-Shared Session Key
-Private Session Key
-Message Key
Components:
-lighted PIC keypad
-2-line 40-column LCD screen
1.2. BIA Software
1.2.1. BIA Software Command Interface:
The external interface to the BIA is much like a standard modem; commands are sent to it from a controlling terminal using the external serial line. When a command completes, a response code is sent from the BIA to the terminal.
Each BIA software load supports a different set of operations. For instance, a retail load supports only transaction authorizations, while a registration load supports individual identification and biometric registration.
All BIA data fields are in printable ASCII, with fields separated by field separator (or "fs") control character, and records separated by newlines. Encrypted fields are binary converted to 64-bit ASCII using the base-64 conversion library (all known in the industry).
Some commands are not available in some configurations. For instance, the ATM BIA cannot "Get PIC", since there is no attached PIC pad. Instead, the ATM BIA supports a "Set PIC" command.
Response Codes:
Out of time:
The time allotted for the command has expired. A message to that effect will be displayed on the LCD screen, if available. When time expires for a given command, the BIA acts as if the cancel button was pushed.
Canceled:
The "cancel" button has been pushed, and the entire operation has been canceled. This has the side effect of clearing all information which was gathered. A message to that effect will be displayed on the LCD screen, if available.
Ok:
The command was successful.
Other:
Each command may have specific other response codes which are valid only for it. These response codes will generally have text accompanying the code, which will be displayed on the LCD screen if it is available.
Message:
This indicates that the command is ongoing, but that the BIA wants to send a message to the terminal with an interim result message. The result is also displayed on the LCD, if available. This facility is used for prompts, as well as status messages.
Commands:
In the argument list of the commands below, the <> characters surround individual arguments, [] characters surround optional arguments, and the .vertline. character indicates that a given argument may be comprised of one of the choices presented.
Set Language <language-name>
This command selects from one of a number of different languages encoded within the BIA for prompting for user input.
Get Biometric <time>[primary.vertline.secondary]
This command requests the BIA to activate its scanner to get biometric input from the individual, storing it into the Encoded Biometric Register.
First, the message "Please place finger on lighted panel" is displayed on the LCD panel and returned to the terminal. The scanner pad is illuminated, prompting the individual to enter his biometric.
A <time> value of zero means that there is no limit to the time for biometric scan input.
When in scanning mode, a fingerprint scan is taken and given a preliminary analysis by the print quality algorithm. If the scan is not good enough, the BIA continues to take new scans until <time> seconds pass. As time passes and snapshots of the print are taken and analyzed, messages are posted to the LCD screen and sent to the terminal based on the problems detected by the print quality software. If no print of appropriate quality is forthcoming, the BIA returns an error code of time expired, displaying a message to that effect on the LCD.
Once the print quality algorithm affirms the quality of the print scan, the print's minutiae are then extracted by the print encoding algorithm. Only a subset of the minutiae are selected at random, with care taken to retain enough sufficient for identification. These minutiae are then ordered randomly, and are placed in the Encoded Biometric Register. Then the BIA responds with the success result code.
If the [primary.vertline.secondary] is specified (only available in the biometric registration command set) then the entire minutiae set is selected, not just the smaller subset. Likewise, primary/secondary biometric selection ends up placing the encoded biometric into the appropriate register.
Whether or not the operation succeeds, as soon as scanning has terminated, the light indicating that scanning is in progress is turned off
It is very important that the same biometric input yields different encodings, so as to complicate the task of anyone attempting to discover the encryption codes of a captured BIA. This is accomplished by the selection of a random subset and random ordering of the encoded biometric.
Get PIC <time>
This command requests the BIA to fill the PIC Register by reading from the keypad.
First, the message "Please enter your PIC, then press <enter>" is displayed on the LCD display and sent to the terminal, the appropriate keypad lights are turned on, and then keypad scanning begins.
Scanning terminates when either <time> number of seconds runs out, or when the individual hits the "enter" key.
Note that the individual digits of the PIC are not displayed on the LCD panel, but for each digit the individual types, a star "*" appears to give the individual feedback. When the "correction" key is pressed, the last digit entered is erased, allowing the individual to fix input mistakes.
When PIC input terminates, the keypad lights turns off.
If successful, the command returns OK.
Get Account Index Code <time>
First, the message "Now enter your account index code, then press <enter>" is displayed on the LCD and sent to the terminal. This prompts the individual to enter his account index code. When each key is pressed, that value appears on the LCD panel. The correction button can be pressed to erase one of the values. When the "enter" button is pressed, the Account index code register is set.
During input, the appropriate keypad keys are lit, and when input is concluded, the keypad lights are turned off.
If successful, the command returns OK.
Get Title Index Code <time>
First, the message "Please enter your title index code, then press <enter>" is displayed on the LCD and sent to the terminal. This prompts the individual to enter his title index code. When each key is pressed, that value appears on the LCD panel. The correction button can be pressed to erase one of the values. When the "enter" button is pressed, the Title Index Code register is set.
During input, the appropriate keypad keys are lit, and when input is concluded, the keypad lights are turned off.
If successful, the command returns OK.
Validate Amount <amount> <time>
The Validate Amount command sends the message "Amount <amount> OK?" to the terminal, and displays it on the LCD screen. If the individual confirms the amount by hitting the "yes" (or enter) button, the Amount Register is set to <amount>. The <amount> value must be a valid number, with no control characters or spaces, etc. During prompting, the yes, no, and cancel buttons are lit. Once prompting is complete, all the lights are turned off.
If the individual enters "no", then the transaction is canceled.
Enter Amount <time>
The Enter Amount command sends the message "Enter amount" to the terminal, and also displays it on the LCD screen as well. The individual must then enter the dollar amount himself. Each character entered is displayed on the LCD screen. All appropriate buttons are lit. If the enter button is hit, the Amount Register is set to be the value entered on the keyboard. Once entry is complete, all the lights are turned off
Validate Document <name> <time>
The Validate Document command sends the message "Document <name> OK?" to the terminal, and displays it on the LCD screen as well. If the individual confirms the document by hitting the "yes" (or enter) button, the Document Name Register is set to <name>. The <name> must be printable ASCII, with no control characters, and no leading or trailing spaces. During prompting, the yes, no, and cancel buttons are lit. Once prompting is complete, all the lights are turned off.
If the individual enters "no", the transaction is canceled.
Assign Register <register> <text>
The assign register command sets the designated General <register> to have the value <text>. This is used to set information such as the merchant code, the product information, and so on.
Get Message Key
The Get Message Key command causes the BIA to generate a 56-bit random key to be used by the controlling hardware to encrypt any message body that the controlling device wishes to add to the message. That generated key is returned by the BIA in hexadecimal format (known in the industry). The message key are then added to the biometric-PIC block.
Form Message <type=identification.vertline.transaction.vertline.account access . . . >
The form message command instructs the BIA to output a message containing all the information it has gathered. It also checks to make sure that all the registers appropriate to that specific message <type> have been set. If all required registers are not set, the BIA returns with an error. The specific command set software will determine which messages can be formed by that BIA model; all others will be rejected.
Each message includes a transmission code consisting of the BIA's unique hardware identification code and an incrementing sequence number. The transmission code allows the DPC to identify the sending BIA and to detect resubmission attacks.
The BIA uses the DUKPT key management system to select the biometric-PIC block encryption 56-bit DES key from the Future Key Table. This key is then used to encrypt the Biometric-PIC Block using cipher block chaining (CBC). In addition, a response DES key is also generated randomly, and is used by the DPC to encrypt the portions of the response that need to be encrypted.
Note: splitting the response key from the biometric-PIC block key is very important, since each encryption key must be used only within the context of its own responsibilities. That way, if someone were to break the key encoding the private code, it would not result in the disclosure of the biometric-PIC.
The Biometric-PIC block consists of the following fields:
300-byte authorization biometric
4-12 digit PIC
56-bit response key
[optional 56-bit message key]
Note that the message key is only present if the controlling terminal has requested a message key for this message. It is up to the controlling terminal to encrypt any message body attached to the transaction authorization request using the message key.
Once all encryption is complete, the BIA outputs the body of the appropriate request message (such as a Transaction Authorization Request message), terminated by and protected with the Message Authentication Code (MAC).
The MAC field is calculated using the BIA's secret 112-bit DES MAC key, and covers all message fields from first to last. The MAC assures the DPC that nothing in the message has changed effectively sealing the message, while still allowing the plaintext fields to be inspected by the controlling terminal.
When the Form Message command is done, the BIA sends the message "I'm talking to DPC Central" to the terminal as well as displaying it on the LCD screen, indicating that work is proceeding on the request.
The command returns OK in addition to returning the entire formed message upon completion of the command.
Show Response <encrypted response> <time>
The Show Response command instructs the BIA to use its current Response Key to decrypt the private code from the system.
After decryption, a chime sounds, and the private code is displayed on the LCD screen for <time> seconds. At no time does this command transmit the decrypted private code to the controlling terminal.
Validate Private <encrypted validation> <time>
This command is used by a terminal during a secure network communications session to ask the individual to validate a message from an outside source. The message comes encrypted and in two parts: the challenge, and the response.
Upon receipt of a Validate Private command, the BIA displays the text of the challenge message as in "OK <challenge>?" on the LCD screen, but does not send this to the terminal. When the individual validates the challenge, the response is encrypted by the BIA using the Private Session Key, and then returned to the terminal along with the OK response code. If the individual does not validate the challenge, then the BIA returns with a "failed" response code, along with the text "transaction canceled at your request," which is also displayed on the LCD screen.
Note that the terminal is never allowed to see the plaintext of either the challenge or the response.
Reset
The Reset command instructs the BIA to clear all temporary registers, the LCD screen, all temporary Key registers, and to turn off all keypad lights that may be on.
Set PIC <value>
This command assigns the BIA's PIC Register to be <value>.
Note that allowing a non-secured device to provide the PIC is a potential security problem, because non-secured devices are much more vulnerable to wiretapping or replacement.
Set Account index code <value>
This command assigns the BIA's Account index code Register to be <value>.
Note that allowing a non-secured device to provide the account index code is a potential security problem, because non-secured devices are much more vulnerable to wiretapping or replacement.
Set Title Index Code <value>
This command assigns the BIA's Title Index Code Register to be <value>.
Note that allowing a non-secured device to provide the Title Index Code is a potential security problem, because non-secured devices are much more vulnerable to wiretapping or replacement.
Set Amount <value>
This command assigns the BIA's Amount Register to be <value>.
Decrypt Response <encrypted response message>
The Decrypt Response command instructs the BIA to use it's current Response Key to decrypt the encrypted portion of the response message. Once decrypted, the response is returned to the controlling device, presumably for display on the ATM terminal's LED screen.
Note that providing this decryption ability is a security problem, as once the plaintext leaves the BIA, the terminal has the ability to do with it what it will.
1.2.2. BIA Software: Support Libraries
The BIA software is supported by several different software libraries. Some of them are standard, generally available libraries, but some have special requirements in the context of the BIA.
1.2.2.1. Random Number Generator
Since the BIA is constantly selecting random DES keys for use in the message body and message response encryption, it is important that the keys selected be unpredictable keys. If the random number generator is based on time of day, or on some other externally-predictable mechanism, then the encryption keys will be much more easily guessed by an adversary that happens to know the algorithm. In order to assure the security of the encryption techniques used in the BIA, it is assumed that both the random number generator algorithm as well as the encryption algorithms are both publicly known.
A standard random number algorithm for generating DES keys is defined in ANSI X9.17, appendix C (known in the industry).
1.2.2.2. DSP Biometric Encoding Algorithms
The biometric encoding algorithm is a proprietary algorithm for locating the minutiae that are formed by ridge endings and bifurcations on human fingertips. A complete list of minutiae is stored in the DPC as a reference, while only a partial list is required by the algorithm when performing a comparison between an identification candidate and a registered individual.
During both biometric registration as well as identification, the encoding algorithm ensures that enough minutiae are found before ending the biometric input step.
1.2.2.3. Operating System and Device Driven
The BIA is a realtime computing environment, and as such requires a realtime embedded operating system to run it. The operating system is responsible for taking interrupts from devices and scheduling tasks.
Each device driver is responsible for the interface between the operating system and the specific hardware, such as the PIC pad device driver, or the CCD Scanner device driver. Hardware is the source for events such as "PIC pad key pressed", or "CCD Scanner scan complete". The device driver handles such interrupts, interprets the events, and then takes action on the events.
1.2.2.4. DES Encryption Library
There are any number of DES implementations publicly available. DES implementations provide a secret key-based encryption from plaintext to ciphertext, and decryption from ciphertext to plaintext, using 56-bit secret keys.
1.2.2.5. Public Key Encryption Library
Public Key encryption support libraries are available from Public Key Partners, holders of the RSA public key patent (known in the industry). Public Key cryptosystems are asymmetric encryption systems that allow communication to take place without requiring a costly exchange of secret keys. To use a public key encryption system, a public key is used to encrypt a DES key, and then the DES key is used to encrypt a message. The BIA uses public key cryptosystems to provide for the secure exchange of secret keys.
Unfortunately, public key systems are significantly less well tested than secret-key systems, and as such there is an overall lower level of confidence in such algorithms. As a result, the invention uses public key cryptography for communications security and short-lived credential exchange, and not long-term storage of secrets. Both the end-user individual and the bank are identified by the DPC to create the network credential. The network credential includes the end-user individual's identification as well as the context of the connection (i.e., the TCP/IP source and destination ports).
1.2.2.6. DUKPT Key Management Library
The derived unique key per transaction key (DUKPT) management library is used to create future DES keys given an initial key and a message sequence number. Future keys are stored in a Future Key Table. Once used, a given key is cleared from the table. Initial keys are only used to generate the initial future key table. Therefore the initial key is not stored by the BIA.
The use of DUKPT is designed to create a key management mechanism that provided a different DES key for each transaction, without leaving behind the trace of the initial key. The implications of this are that even successful capture and dissection of a given future key table does not reveal messages that were previously sent, a very important goal when the effective lifetime of the information transmitted is decades. DUKPT is fully specified in ANSI X9.24 (known in the industry).
DUKPT was originally developed to support PIC encryption mechanisms for debit card transactions. In this environment, it was critical to protect all transactions. An assumption is made that a criminal records encrypted transactions for a six month period, and then captures and successfully extracts the encryption code from the PIC pad. The criminal could then manufacture one new counterfeit debit card for each message that had been transmitted over that six month period. Under DUKPT, however, the criminal's theft and dissection would not allow him to decrypt previous messages (although new messages would still be decryptable if the criminal were to replace the PIC pad subsequent to dissection).
In the biometric-PIC situation, the criminal has an even harder time, as even if messages are decrypted, turning a digital biometric-PIC into a physical fingerprint is much harder than turning an account number-PIC into a plastic card, which is one of the significant benefits of the tokenless system.
Still, if a criminal can decrypt, he can encrypt, which might allow him to electronically submit a biometric-PIC to the system to authorize a fraudulent transaction. While this is quite difficult, it is still best to restrict the options available to the criminal as much as possible, hence the use of DUKPT.
1.3. BIA Software Command Sets
1.3.1. BIA Software: Retail Command Set
The BIA/Retail software interface exports an interface that allows specific retail point of sale terminals to interact with the system.
The BIA/Retail interface is designed to allow the terminal to perform the following operation:
Transaction Authorization
In order to implement those operations, the BIA/Retail provides the following command set:
Set Language <language-name>
Get Biometric <time>
Get PIC <time>
Assign Register <register> <value>
Get Account index code <time>
Validate Amount <mount> <time>
Enter Amount <time>
Form Message <type>
Show Response <encrypted response> <time>
Reset
1.3.2. BIA Software: CATV (Integrated Remote) Command Set
The BIA/CATV software interface exports a command set that allows terminals integrated with a Phone/CATV BIAs to interact with the system. The following operation is supported:
Remote Transaction Authorization
In order to implement that operation, the BIA/CATV provides the following command set:
Get Biometric <time>
Set PIC <text>
Assign Register <register> <text>
Set Account index code <text>
Form Message <type>
Decrypt Response <encrypted response message>
Reset
1.3.3. BIA Software: Integrated FAX Command Set
The BIA/Fax software interface exports a command set that allows terminals integrated with a fax BIA to interact with the system. The following operations are supported:
Secure Fax Submit
Secure Fax Data
Secure Fax Tracking
Secure Fax Retrieve
Secure Fax Reject
Secure Fax Archive
Secure Fax Contract Accept
Secure Fax Contract Reject
Electronic Document Archive Retrieve
In order to implement these operations, the BIA/Fax provides the following command set:
Get Biometric <time>
Set PIC <text>
Set Title Index Code <text>
Assign Register <register> <value>
Get Message Key
Form Message <type>
Decrypt Response <encrypted response message>
Reset
1.3.4. BIA Software: Registration Command Set
The BIA/Reg software interface exports an interface that allows general purpose computers to interact with the system to identify and register individuals. The following operations are supported:
Individual Identification
Biometric Registration
In order to support those operations, the BIA/Reg provides the following command set:
Set Language <language-name>
Get Biometric <time> [primary.vertline.secondary]
Get PIC <time>
Assign Register <register> <text>
Get Message Key
Form Message <type>
Show Response <encrypted response> <time>
Reset
1.3.5. BIA Software: PC Command Set
The BIA/PC software interface exports a command set that allows general purpose computers to send, receive, and sign electronic documents, conduct transactions across the network, and provide biometric-derived credentials to sites on the network. The following operations are supported:
Electronic Document Submit
Electronic Document Data
Electronic Document Tracking
Electronic Document Retrieve
Electronic Document Reject
Electronic Document Archive
Electronic Document Archive Retrieve
Electronic Signature Submission
Electronic Signature Check
Remote Transaction Authorization
Network Credential
Secured Connection
In order to support those operations, the BIA/PC provides the following command set:
Set Language <language-name>
Get Biometric <time>
Get PIC <time>
Get Account index code <time>
Validate Amount <mount> <time>
Enter Amount <time>
Validate Document <name> <time>
Assign Register <register> <text>
Get Message Key
Form Message <type>
Show Response <encrypted response> <time>
Validate Private <encrypted validation> <time>
Reset
1.3.6. BIA Software: Issuer Command Set
The BIA/Iss software interface exports an interface that allows general purpose computers to interact with the system to authenticate and submit batch change requests. The following operation is supported:
Issuer Batch
In order to implement this operation, the BIA/Iss provides the following command set:
Set Language <language-name>
Get Biometric <time> [primary.vertline.secondary]
Get PIC <time>
Assign Register <register> <value>
Get Message Key
Form Message <type>
Show Response <encrypted response> <time>
Reset
1.3.7. BIA Software: Internal Command Set
The BIA/Int exports a command set that allows general purpose computers to interact with the system to identify individuals. The following operation is supported:
Individual Identification
In order to implement this operation, the BIA/Int provides the following command set:
Set Language <language-name>
Get Biometric <time>
Get PIC <time>
Assign Register <register> <value>
Get Message Key
Form Message <type>
Show Response <encrypted response> <time>
Reset
1.3.8. BIA Software: ATM Command Set
The BIA/ATM software interface exports a command set that allows ATMs to identify individuals. The following operation is supported:
Account Access
In order to implement this operation, the BIA/ATM provides the following command set:
Get Biometric <time>
Set PIC <text>
Set Account index code <text>
Assign Register <register> <value>
Form Message <type>
Decrypt Response <encrypted response message>
Reset
1.4. Terminals
1.4.1. Introduction
The terminal is the device that controls the BIA and connects to the DPC via modem, X.25 connection, or Internet connection--methods well-known to the industry. Terminals come in different shapes and sizes, and require different versions of the BIA to perform their tasks. Any electronic device, which issues commands to and receives results from the biometric input device, can be a terminal.
Some terminals are application programs that run on a general purpose microcomputer, while other terminals are combinations of special purpose hardware and software.
While the terminal is critical for the functioning of the system as a whole, the system itself places no trust in the terminal whatsoever. Whenever a terminal provides information to the system, the system always validates it in some manner, either through presentation to the individual for confirmation, or by cross-checking through other previously registered information.
While terminals are able to read some pans of BIA messages in order to validate that the data was processed properly by the BIA, terminals cannot read biometric identification information including the biometric, the PIC, encryption keys, or account index codes.
Specific BIAs export some security functionality to the terminal, such as PIC entry, and private code display. As a result, such devices are regarded as somewhat less secure than their entirely self-contained counterparts, and as such have consequently lower security ratings.
There are many different terminal types; each is connected to a specific model BIA. Each terminal |
