View All Documents & Correspondence
Method And Devices For Authentication A Mobile Device Operating In Host Card Emulation Mode
Abstract: Methods and devices for electronic token processing in a networked environment are provided. The electronic token can be leveraged by various entities such as users, merchants, acquirers, payment processors, etc. that form part of a networked environment. A tokenization apparatus is provided to register and subsequently provide dual encrypted electronic token to a mobile device. Particularly, the tokenization apparatus is adapted to provide to the mobile device Application KEY for storing upon a SIM card and dual encrypted electronic token, encrypted using a first decryption technique pre-agreed between the mobile device and the tokenization apparatus and a second decryption techniques which is based on the Application KEY. Only after the dual encrypted electronic token has been appropriately decrypted, i.e. using the first decryption technique pre-agreed between the mobile device and the tokenization apparatus and the second decryption technique based on the Application KEY, the same can be used in the networked environment. FIGURE 1
Notices, Deadlines & Correspondence
Patent Information
Applicants
Comviva Technologies Limited
Inventors
1. SORUBAN, Rajasekaran
2. MEHER, Seetesh Kumar
3. REDDY, Rajasekhara P
4. SINGAREDDI, Vedhavyas
5. PANDEY, Abhishek
6. JAIN, Nitin
7. CHAUDHARY, Bhaskar
Specification
FIELD OF THE INVENTION:
The present invention relates to providing authentication and security features in mobile devices for operating in host card emulation mode.
DISCUSSION OF THE BACKGROUND:
With the advent of advancing mobile technology, more features have been integrated into mobile devices. From Global Positioning System (GPS) applications mobile office products, mobile devices have practically become a necessity for everyday needs. In order to further utilize mobile technology to better cater to a user's daily requirements, attempts have been made to provide for authentication and security features that can be utilized in various types of transactions by the mobile. The authentication and security features are adapted to replace conventional cards such as credit cards, debit cards, loyalty cards, transportation cards, etc.
Specifically, mobile wallet incorporating authentication and security features was sought to be realized through provisioning of card issuer's account information directly into a Secure Element (SE) of the mobile device equipped with Near Field Communication (NFC) chipset. The SE may be a smart card chip capable of storing multiple applications, including of account specific information that may not be easily accessed by external parties.
Further, to make the wallet function more convenient to the owners of the mobile device, a method of providing contactless payment (NFC-based applications) through provisioning account specific information within the secure domain of the mobile device's SE has been provided.
More specifically, user credentials, such as card numbers, may be provisioned onto mobile devices equipped with Near Field Communication chipset (NFC enabled) to make payments. Once the user credentials have been provisioned onto the NFC enabled mobile device, the provisioned NFC enabled device may transfer information and thereby participate in a transaction with another NFC compatible device by coming near within a few centimeters of one another without physically contacting each other. This type of technology is conventionally referred to as “contactless” technology and a transaction made with this technology is referred to as “contactless” transaction.
Regardless of benefits that may be obtained through integrating wallet functionality into mobile device, the market penetration of mobile wallet applications is substantially low.
In the recent past, Host Card Emulation (HCE) has been proposed and implemented that enables for presentation of a virtual and exact representation of a smart card using only software.
When contactless transaction is made via HCE mode, there is no need for tamper resistant hardware element (such as a secure element to securely protect sensitive assets such as card details, PIN/Password, etc.). Thus to maintain the desired level of security during a proximity transaction made via HCE mode, the user is required to enter PIN/Passcode.
It has been felt that requiring the user to enter PIN/Passcode for every proximity transaction or for some transactions based on predefined rules or for some random transactions would affect user experience. At the same time, not requiring user to enter PIN/Passcode requires tamper resistance hardware (i.e. secure element) on the phone. Providing such tamper resistant hardware on mobile phone increases the deployment complexity as provisioning the authentication application will increase cost and involve additional player into the mobile transaction ecosystem. This method has proved to be a failure so far across the world.
Yet another alternative, wherein instead of entering PIN/Passcode, the user is required to enter biometric data also increases the cost of the mobile phones for the reason that the mobile phones then should contain inbuilt biometric sensors.
In yet another alternative, a token based transaction system is also under consideration wherein in place of the original card details, tokens are transferred between the NFC enabled devices. Transfer of tokens limit the risk of exposure of critical account details. However, it has been felt that the tokens can be copied by a malware and another hacker phone can use this token for any other transaction as strong user identification is not tied with the token.
Thus, it can be sad that in the past the following authentication approaches have been adopted wherein, each authentication approach has an associated disadvantage as indicated below:
? Biometric based authentication – expensive
? Passcode/PIN authentication using secure element –expensive
? PIN/Passcode authentication of user on cloud – will introduce delay during payment operation (eg: tap time) affecting User experience
? Issuer requests authentication (one of the Card holder verification method - CVM) of PIN to be entered on the POS (Point of Sale Pin Entry Device) by user during the payment operation – introduces inconvenience on the part of the genuine user.
So there is an unmet need to provide authentication and security features in mobile devices interaction in host card emulation mode with a POS terminal. Particularly, the unmet need to securely authenticate a user:
• without involving user in the second factor “what I know” or “what I am” as holding the mobile wallet is the first factor – “what I have”
• without delaying or prolonging tap time.
• without incurring significant economic costs by reusing the common and existing handset and network infrastructure; and
• without any change in the intermediate transaction network which is not at the control of the Issuer.
Apart from the above, it is also desired to detect fraud (for example, a scenario wherein a hacker steals a token from a particular mobile device and uses it on a different device) in an economic fashion and without causing inconvenience to the legitimate users.
SUMMARY OF THE INVENTION:
Accordingly, the present invention provides a method for communicating electronic token. The electronic token can be leveraged by various entities such as users, merchants, acquirers, payment processors etc that form part of a networked environment. In an embodiment, the token can support interoperability and can be accepted, processed and routed by the entities within the networked environment. In the networked environment, a tokenization apparatus is provided to register and subsequently provide dual encrypted electronic token to a mobile device of a user. Particularly, the tokenization apparatus is adapted to provide to the mobile device an Application KEY for storing upon a SIM card and dual encrypted electronic token, encrypted using a first decryption technique pre-agreed between the mobile device and the tokenization apparatus and a second decryption techniques which is based on the Application KEY. Only after the dual encrypted electronic token has been appropriately decrypted, i.e. using the first decryption technique pre-agreed between the mobile device and the tokenization apparatus and the second decryption technique based on the Application KEY, the same can be used in the networked environment.
To further clarify advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which is illustrated in the appended figures. It is appreciated that these figures depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying figures.
BRIEF DESCRIPTION OF FIGURES:
These and other features, aspects, and advantages of the present invention will become better understood when the following detailed description is read with reference to the accompanying figures in which like characters represent like parts throughout the figures, wherein:
Figure 1 illustrates block diagram of the networked environment (100) comprising of a mobile device (101) operating in host card emulation mode;
Figure 2 illustrates a flow chart of a method implemented by a tokenization apparatus corresponding to an embodiment of the invention;
Figure 3 illustrates a flow chart of the method implemented by the tokenization apparatus for the purposes of generating the encrypted electronic token in accordance with a preferred aspect of the present invention;
Figure 4 illustrates a block diagram of the tokenization apparatus in accordance with a preferred embodiment of the present invention;
Figure 5 illustrates a method implemented by a mobile device operating in a host card emulation mode for receiving an encrypted electronic token in accordance with a preferred embodiment of the present invention;
Figure 6 illustrates a method implemented by a mobile device for sharing the electronic token; and
Figure 7 illustrates a block diagram of a mobile device adapted to implement the method as illustrated in figures 5 and 6.
Further, skilled artisans will appreciate that elements in the figures are illustrated for simplicity and may not have been necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present invention. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the figures by conventional symbols, and the figures may show only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the figures with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.
Detailed Description:
For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the figures and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.
It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof.
Reference throughout this specification to “an aspect”, “another aspect” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrase “in an embodiment”, “in another embodiment” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or sub-systems or elements or structures or components proceeded by "comprises... a" does not, without more constraints, preclude the existence of other devices or other sub-systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.
Embodiments of the present invention will be described below in detail with reference to the accompanying figures.
Referring to figure 1, there is illustrated a networked environment (100) comprising of a mobile device (101) operating in host card emulation mode. The mobile device is in operative communication with a tokenization apparatus (102) vide two different routes. By way of example, the mobile device (101) can be in operative communication with the tokenization apparatus an Issuer device (104) (a first route) and vide a mobile network (103) (a second route). The mobile device (101) may be in operative communication with a Point of Sale (POS) device (105), which in turn can be in turn in operative communication with an Acquirer device (107). The Acquirer device (107) can be in further operative communication with the Issuer device (104) and both the Acquirer device (107) and the Issuer device (104) can form part of a network (106). The functioning of the different components of the networked environment taken individually and a whole will be described in the following paragraphs.
In accordance with a first embodiment, the present invention provides a method for communicating electronic token to a mobile device, said method comprising: receiving, from the mobile device via a first communication link, a registration request; providing an acknowledgment, to the mobile device via the first communication link, in case a first condition set is satisfied by the registration request; receiving, from the mobile device via a second communication link, an authentication request; providing an Application KEY to the mobile device via the second communication link, in case a second condition set is satisfied by the authentication request, the Application KEY being adapted to be stored on a SIM card contained in the mobile device; receiving a request for an electronic token from the mobile device via the first communication link; and generating encrypted electronic token and providing the same to the mobile device via the first communication link, wherein the encrypted token is encrypted by a first encryption technique pre-agreed with the mobile device and a second encryption technique that is based on the Application KEY.
Now referring to figure 2, there is illustrated a procedure as adopted by the tokenization apparatus (102) for communicating electronic token to the mobile device (101). The tokenization apparatus receives (201), from the mobile device via a first communication link, a registration request. In response thereto, the tokenization apparatus provides (202) an acknowledgment, to the mobile device via the first communication link. In a preferred aspect of the invention, the tokenization apparatus is configured to provide the acknowledgment in case a first condition set is satisfied by the registration request.
The tokenization apparatus is further adapted to receive (203) from the mobile device, via a second communication link, an authentication request and in response thereto is adapted to providing (204) an Application KEY to the mobile device via the second communication link. In a preferred aspect of the invention, the tokenization apparatus is configured to provide the Application KEY in case a second condition set is satisfied by the registration authentication request. The Application KEY thus provided by the tokenization apparatus is adapted to be stored on a SIM card contained in the mobile device.
The tokenization apparatus is further adapted to receive (205) a request for an electronic token from the mobile device via the first communication link; and in response thereto generates an encrypted electronic token and provides (206) the same to the mobile device via the first communication link. The encrypted token thus generated by the tokenization apparatus is encrypted by a first encryption technique pre-agreed with the mobile device and a second encryption technique that is based on the Application KEY.
In an embodiment of the present invention, the registration request comprise one or more of an account identifier a PIN number, a name or date of birth, wherein the account identifier can include one or more of actual card number, a mobile number, a personal account number (PAN).
In yet another embodiment of the present invention, the first condition set includes a card number or a PAN number being pre-mapped to a mobile number.
In still another embodiment of the present invention, the acknowledgment comprises a unique identifier that triggers automatic sending of the authentication request.
In a further embodiment of the present invention, the authentication request comprises the unique identifier, a mobile number from which the authentication request is transmitted and a mobile number as appended by the second communication link to the authentication request.
In a furthermore embodiment of the present invention, the second condition set includes one or more conditions selected from the group comprising of:
• the mobile number as contained in the authentication request matches with the mobile number as appended by the second communication link to the authentication request;
• the unique number contained in the authentication request corresponds to the mobile number from which the authentication request is transmitted; and
• the authentication request is received within a predetermined time period, the time period being calculated from the time of providing the acknowledgment.
In an embodiment of the present invention, the Application Key is comprised within a SIM Application Toolkit (STK) or a Java card applet.
In yet another embodiment of the present invention, the STK or the Java card applet is adapted to perform decoding in accordance with the Application KEY.
In still another embodiment of the present invention, the request for the electronic token comprises an account identifier which can include one or more of actual card number, a mobile number or a personal account number (PAN).
In a further embodiment of the present invention, the first encryption technique is pre-agreed with the mobile device during registration stage.
In addition to communicating the electronic token to the mobile device, the tokenization apparatus is adapted to perform additional steps during the life of the electronic token. While the additional steps are not directly related to “communicating the electronic token to the mobile device”, the same can be said to be involved when the electronic token (as received by the mobile deice from the tokenization apparatus) is being used.
As illustrated in figure 2, the tokenization apparatus is further adapted to receive (207), from a designated intermediary device, decrypted electronic token and a cryptogram, wherein the decrypted token and the cryptogram are assumed to be generated by the mobile device. The cryptogram thus received is verified (208) and an account identifier is obtained (209) as per pre-stored mapping data. Finally, the account identifier thus obtained is transmitted (210) to a designated intermediary device to enable the designated intermediary device to take appropriate action based thereupon.
Referring back to Figure 1, when the mobile device (101) interacts with a POS Device (105), the mobile device can provide to the POS device the decrypted token and the cryptogram. The POS device (105) may then generate an authorization request message including the decrypted token and the cryptogram and send the same to the acquirer device (107). The acquirer device (107) may forward the authorization request message including the token (and other additional information as may be needed) to the issuer device (106). The issuer device (106) (acting as the intermediary device), may determine that the authorization request message comprises a token and may provide the authorization request message (as a whole) or the decrypted token and the cryptogram (i.e. relevant information) to the tokenization apparatus (101).
The tokenization apparatus may evaluate the cryptogram, may search for token record associated with the received token to determine an account identifier associated with the token and may provide the account identifier to the issuer device (106). The account identifier can include one or more of actual card number, a mobile number, a personal account number (PAN) or other suitable piece of information. Based on the account identifier, the issuer device (106) may perform additional steps of evaluation and based on the results of such evaluation send an appropriate response in respect of the authorization request message to the acquirer device (107). The acquirer device (107) may in turn communicate the response to the POS device (105).
Now referring to figure 3, the step of generating encrypted electronic token is illustrated more elaborately as 300 and comprises:
• generating (301) an electronic token;
• generating (302) mapping data that maps the electronic token to an account identifier as contained in the request for electronic token;
• encrypting (303) the electronic token encrypted by a first encryption technique pre-agreed with the mobile device to generate a first level electronic token; and
• encrypting (304) the first level electronic token with a second encryption technique that is based on the Application KEY to generate dual encrypted electronic token.
It can be observed from above that the tokenization apparatus is in communication with the mobile device via two communication links namely the first communication link and the second communication link. Vide the first communication link, the tokenization apparatus is configured to receive the registration request from the mobile device, provide the acknowledgement to the mobile device, receiving request for an electronic token, and provide the electronic token to the mobile device. On the other hand, vide the second communication link the tokenization apparatus is adapted to receive an authentication request and provide the Application KEY. In a preferred embodiment the first communication link is illustrated in figure 1 by reference numeral 108 or reference numeral 109. The second communication link is vide a mobile network (104) and is illustrated by reference numeral 110.
In accordance with a second embodiment, the present invention provides an apparatus for communication electronic token to a mobile device, said apparatus comprising: a first receiver operable in a first communication link for receiving a registration request from the mobile device; a processor for determining whether registration request satisfies a first condition set and in response thereto, generating an acknowledgment; a first transmitter operable in the first communication link for transmitting the acknowledgment to the mobile device; a second receiver operable in a second communication ink for receiving an authentication request from the mobile device; the processor being further adapted to determine whether authentication request satisfies a second condition set and in response thereto, generating an Application KEY, wherein the Application KEY is adapted to be stored on a SIM card contained in the mobile device; a second transmitter operable in a second communication ink for transmitting the Application KEY to the mobile device; the first receiver being further adapted to receive a request for an electronic token from the mobile device; the processor being further adapted to generate encrypted electronic token, the encrypted token being encrypted by a first encryption technique pre-agreed with the mobile device and a second encryption technique that is based on the Application KEY; and the first transmitter being further adapted to transmit the encrypted electronic token to the mobile device.
Now referring to figure 4, there is illustrated the construction of the tokenization apparatus (102). The tokenization apparatus comprises a processor (401) in communication with a transceiver (402). In a preferred aspect of the invention, the transceiver may comprise a first receiver (403), a first transmitter (404), a second receiver (405) and a second transmitter (406).
In a preferred aspect of the invention, the first receiver (403) is operable in the first communication link for receiving a registration request from the mobile device. The first receiver is in operational communication with the processor (401) that may comprise a registration sub-component (409) for determining whether the registration request satisfies a first condition set and in response thereto, generate an acknowledgement. The processor (401) and more particularly the registration sub-component (409) may be operational communication with the first transmitter (404), which is operable in the first communication link, for transmitting the acknowledgment to the mobile device.
In a preferred aspect of the invention, the second receiver (405) is operable in the second communication link for receiving the authentication request from the mobile device. The second receiver is in operational communication with the processor (401) that may comprise an Authentication and Provisioning sub-component (410) for determining whether the authentication request satisfies a second condition set and in response thereto generate the Application KEY. The processor (401) and more particularly the Authentication and Provisioning sub-component (410) may be operational communication with the second transmitter (406), which is operable in the second communication link, for transmitting the Application KEY to the mobile device.
In a further aspect of the invention, the first receiver (403) is further adapted to receive a request for an electronic token from the mobile device and provide the same to the processor (401). The processor (401) may comprise a Token Preparation and Transmission sub-component (411) that generates an electronic token, encrypts the electronic token by a first encryption technique pre-agreed with the mobile device to obtain a first level encrypted token, encrypts the first level encrypted token by a second encryption technique that is based on the Application Key to generate dual encrypted electronic token. The processor (401) and more particularly the Token Preparation and Transmission sub-component (411) may be in operational communication with the first transmitter for sending the dual encrypted electronic token to the mobile device.
In a further preferred aspect of the invention, the tokenization apparatus and more particularly the transceiver can comprise a third receiver (407) adapted to receive from a designated intermediary device decrypted electronic token and a cryptogram. The third receiver (407) may be in operational communication with the processor (401), which may further comprise a sub-component (412) that verifies the cryptogram and an account identifier is obtained (209) as per pre-stored mapping data (de-tokenization process). The sub-component (412) may be in further operational interconnection with a third transmitter (408) for transmitting the account identifier thus obtained to the designated intermediary device (authentication transmission) to enable the designated intermediary device to take appropriate action based thereupon.
While in the above paragraphs, the tokenization apparatus has been described in detail in terms of its construction and in terms of the process performed, in the following paragraphs, the details of the mobile device will be provided.
Thus, in accordance with yet another embodiment, the present invention provides a method as implemented by a mobile device for receiving electronic token, said method comprising: transmitting, to a tokenization apparatus via a first communication link, a registration request; receiving, from the tokenization apparatus via the first communication link, an acknowledgment; transmitting, to the tokenization apparatus via a second communication link, an authentication request; receiving, from the tokenization apparatus via the second communication link, an Application KEY; storing the Application KEY on a SIM card contained in the mobile device; transmitting, to the tokenization apparatus via the first communication link, a request for an electronic token; and receiving, from the tokenization apparatus via the first communication link, an encrypted electronic token that is encrypted by a first encryption technique pre-agreed with the tokenization apparatus and a second encryption technique that is based on the Application KEY.
Now referring to figure 5, the process (500) performed by the mobile device for receiving an electronic token which is dual encrypted is illustrated. The process (500) starts with the mobile device transmitting (501) to the tokenization apparatus a registration request. Referring to figure 1, the registration request is transmitted by the mobile device via a first communication link (108 or 109). The mobile device is further adapted to receive (502) an acknowledgment from the tokenization apparatus via the first communication link. Based on receipt of the acknowledgment, the mobile device is configured to automatically generate an authentication request including the contents of the acknowledgment and transmit (503) the authentication request to the tokenization apparatus. The authentication request is transmitted by the mobile device to the tokenization apparatus via a second communication link (110 of figure 1). The mobile device is further adapted to receive (504) an Application KEY from the tokenization apparatus vide the second communication link and store (505) the Application KEY thus received on a SIM card contained in the mobile device.
As and when the need arises, the mobile device is further adapted to transmit (506) a request for an electronic token to the tokenization apparatus. In a preferred aspect of the invention, the request for electronic token is transmitted via the first communication link (108 or 109). The mobile device is further adapted to receive (507) via the first communication link electronic token, that is encrypted by a first encryption technique pre-agreed with the tokenization apparatus and a second encryption technique that is based on the Application KEY.
The present invention furthermore provides a method as implemented by a mobile device for sharing an electronic token, said method comprising: receiving, by processor via a communication device, a request for the electronic token; retrieving, by a processor from a memory device associated with the mobile device, an encrypted electronic token; decrypting, by the processor, the encrypted electronic token to obtain a first level decrypted electronic token; sending, by the processor to a SIM card associated with the mobile device, the first level decrypted electronic token; decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token; sending, by the SIM card to the processor, the electronic token; and transmitting, by the processor vide the communication device, the electronic token.
The process (600) as performed by the mobile device during sharing of the electronic token is illustrated in figure 6 and comprises receiving (601) a request for the electronic token. In an embodiment, a POS device (105) as illustrated in figure 1 requests for the electronic token. The request for the electronic token is received by a communication device and the same is provided to a processor, wherein both the communication device and the processor form part of the mobile device. The processor retrieves (602) the encrypted electronic token from a memory device associated with the mobile device. The processor performs decryption (603) of the encrypted electronic token to obtain a first level decrypted electronic token and sends (604) the first level decrypted electronic token to a SIM card associated with the mobile device. The SIM card performs a further decryption (605) of the first level decrypted electronic token to obtain the electronic token. The further decryption as performed by the SIM card is based on the Application KEY thus stored on the SIM card. The SIM card then sends (606) the electronic token (which is decrypted) to the processor and the processor in turn sends (607) the electronic token via the communication device to the POS device.
For the purposes of enhancing security and for detecting fraud, the SIM card prior to performing the decryption can send a query to the communication device. In an embodiment, the SIM card may send the query directly to the communication device and may receive a response directly from the communication device. By way of non-limiting example, the response as provided by the communication device may for example indicate a time of receipt of a last request for the electronic token by the communication device. By way of another non-limiting example, the response as provided by the communication device may indicate a total number of requests for electronic tokens as received by it.
Based on the response received from the communication device, the SIM card can either perform the decryption or detect a fraud. By way of a non-limiting example, if the response provided by the communication device indicates that no request for electronic token has been received, a fraud can be detected. By way of another non-limiting example, if a time gap between a current time and a time of receipt of the last request for the electronic token by the communication device is exceeding a predetermined threshold value, a fraud can be detected. In yet another non-limiting example, if the total number of requests for electronic tokens as received by the communication device is not matching with a value as determined by the SIM card, a fraud may be detected.
In yet another alternative, for the purposes of enhancing security and for detecting fraud, the SIM card prior to performing decryption can send an instruction to a mobile device operating system to obtain a confirmation from a user for token decryption. In case the user fails to provide a confirmation or provides a negative response or fails to provide a confirmation within a predetermined amount of time period, a fraud may be detected.
In yet another alternative, for the purposes of enhancing security and for detecting fraud, the SIM card prior to performing decryption can send an instruction to a mobile device operating system to obtain a security code from a user for token decryption. In case the user fails to provide a security code or if the security code provided is incorrect or fails to provide the security code within a predetermined amount of time period, a fraud may be detected.
Once the SIM card detects fraud, the SIM card can be adapted to generate a signal indicative of a possible fraud and transmits the same to the designated recipient device (for example, either the tokenization apparatus or the issuer device).
On the other hand, if no fraud is detected, the SIM card can proceed with decrypting the first level decrypted electronic token to obtain the decrypted electronic token and sending the same to the communication device.
In order to further enhance the security and for detecting fraud, the processor of the mobile device may be adapted to query the SIM card to provide a count of the number of decryptions performed by the SIM card over a period of time and compare the same with a number of times the processor has requested the SIM card to perform decryption and in case of a mismatch, detect a fraud. To enable the above, the SIM card can be adapted to keep a count of a number of decryptions performed over a period of time and likewise, the processor can be adapted to keep a count of a number of decryptions have been requested by the processor over a period of time. In case the processor detects the fraud, the can be further adapted to generate a signal indicative of a possible fraud and transmit the same to the designated recipient device (for example, either the tokenization apparatus or the issuer device).
It can be seen from the above that possible fraud can be detected both by the SIM card as well as the processor of the mobile device. In this way, it is possible to detect the element which is the cause of the fraud. For example, if the SIM card generates the signal indicative of a possible fraud, it can be reasonably assumed that the processor is the element which is the cause of the fraud. On the other hand, if the processor generates the signal indicative of a possible fraud, it can be reasonably assumed that the SIM card is the element which is the cause of the fraud. Thus, based on the above, the appropriate course of action for correction can be easily put into force. For example, if the SIM card is the cause of the fraud, process for re-acquiring the Application KEY can be initiated while if the processor is the cause of fraud, process for re-acquiring the mobile wallet (as contained in the processor) can be initiated.
In a further embodiment, the present invention provides a mobile device (101) as illustrated in figure 7 for receiving and sharing an electronic token, said mobile device comprises a processor (701) in operational interconnection with a transceiver unit (702), a memory (703) in association with the processor and a SIM card (704) in association with the processor.
In an embodiment of the present invention, the transceiver unit (702) may further comprise a first transmitting unit (705) operable in a first communication link for transmitting a registration request to a tokenization apparatus and a first receiving unit (706) operable in the first communication link for receiving an acknowledgment from the tokenization apparatus.
In another embodiment of the present invention, the transceiver unit (702) may further comprise a second transmitting unit (707) operable in a second communication link for transmitting an authentication request to the tokenization apparatus and a second receiving unit (708) operable in the second communication link for receiving an Application KEY from the tokenization apparatus.
The Application KEY thus received is stored on the SIM card (704) contained in the mobile device.
The first transmitting unit (705) is further operable to transmit via the first communication link a request for an electronic token to the tokenization apparatus and the first receiving unit (706) is further operable to receive via the first communication link an encrypted electronic token that is encrypted by a first encryption technique pre-agreed with the tokenization apparatus and a second encryption technique that is based on the Application KEY. The encrypted electronic token (709) is stored on the memory (703).
The processor (701) implements a mobile wallet application (MWA) and can comprise of a Registration Request Generator unit (710). The Registration Request Generator unit (710) is preferably in operational communication with the first transmitter unit (705) for sending the registration request to the tokenization apparatus.
The processor (701) may further comprise an Authentication Request Generator Unit (711) which is in operational communication with the first receiver (706) for receiving the acknowledgment therefrom. The Authentication Request Generator Unit (711) automatically generates the authentication request i.e. without any input from the user and merely on the basis of the acknowledgment as received by the first receiver (706). The Authentication Request Generator Unit (711) is in further operational communication with the second transmitter (707) for sending the authentication request thus generated to the tokenization apparatus.
The processor (701) further comprises an Electronic Token Request Generator unit (712) may be in further operational interconnection with the first transmitter (705) for generating a request for electronic token and sending the same to the tokenization apparatus.
To enable the mobile device to share the electronic token, the mobile device further comprises a communication device (713) for receiving a request for the electronic token. The communication device provides the received request to the processor, which then fetches the encrypted electronic token (709) from the memory (703). The processor (701) may further comprise a decryption unit (714) which decrypts the encrypted electronic token to obtain a first level decrypted electronic token. The processor and more particularly, the decryption unit (714) is in operational communication with the SIM card (704) storing thereupon the Application KEY and provides the first level decrypted electronic token to the SIM card. The SIM card decrypts the first level decrypted electronic token using the Application KEY to obtain decrypted electronic token. The SIM card then returns the decrypted electronic token to the processor, which then provides the decrypted electronic token to the communication device (713) for further sharing with an external device.
To enable the security functions to be performable and more particularly to enable the detection of fraud on the basis of number of times the decryption has been performed, the processor (701) may be provided with a counter (715) and likewise the SIM card (704) may be provided with a counter (716).
In order to implement the security function which is based on the user providing a confirmation or the user providing a security feature, the processor (701) may be provided with a comparator (717) which may be in operational communication with an Input/Output unit (718) and/or a display unit (719). It may be noted that the Input/Output unit, the display unit may serve other purposes as is conventional in a mobile device.
While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein.
The figures and the forgoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, orders of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of embodiments is at least as broad as given by the following claims.
CLAIMS:WE CLAIM:
1. The method for communicating electronic token to a mobile device, said method comprising:
• receiving, from the mobile device via a first communication link, a registration request;
• providing an acknowledgment, to the mobile device via the first communication link, in case a first condition set is satisfied by the registration request;
• receiving, from the mobile device via a second communication link, an authentication request;
• providing an Application KEY to the mobile device via the second communication link, in case a second condition set is satisfied by the authentication request, the Application KEY being adapted to be stored on a SIM card contained in the mobile device;
• receiving a request for an electronic token from the mobile device via the first communication link; and
• generating encrypted electronic token and providing the same to the mobile device via the first communication link, wherein the encrypted token is encrypted by a first encryption technique pre-agreed with the mobile device and a second encryption technique that is based on the Application KEY.
2. The method as claimed in claim 1, wherein the registration request comprise one or more of an account identifier a PIN number, a name or date of birth, wherein the account identifier can include one or more of actual card number, a mobile number, a personal account number (PAN).
3. The method as claimed in claim 1, wherein the first condition set includes a card number or a PAN number being pre-mapped to a mobile number.
4. The method as claimed in claim 1, wherein the acknowledgment comprises a unique identifier that triggers automatic sending of the authentication request.
5. The method as claimed in claim 1, wherein the authentication request comprises the unique identifier, a mobile number from which the authentication request is transmitted and a mobile number as appended by the second communication link to the authentication request.
6. The method as claimed in claim 1, wherein the second condition set includes one or more conditions selected from the group comprising of:
a. the mobile number as contained in the authentication request matches with the mobile number as appended by the second communication link to the authentication request;
b. the unique number contained in the authentication request corresponds to the mobile number from which the authentication request is transmitted; and
c. the authentication request is received within a predetermined time period, the time period being calculated from the time of providing the acknowledgment.
7. The method as claimed in claim 1, wherein the Application Key is comprised within a SIM Application Toolkit (STK) or a Java card applet.
8. The method as claimed in claim 7, wherein the STK or the Java card applet is adapted to perform decoding in accordance with the Application KEY.
9. The method as claimed in claim 1, wherein the request for the electronic token comprises an account identifier which can include one or more of actual card number, a mobile number or a personal account number (PAN).
10. The method as claimed in claim 1, wherein the first encryption technique is pre-agreed with the mobile device during registration stage.
11. The method as claimed in claim 1, wherein generating encrypted electronic token comprises:
a. generating an electronic token;
b. generating mapping data that maps the electronic token to an account identifier as contained in the request for electronic token;
c. encrypting the electronic token encrypted by a first encryption technique pre-agreed with the mobile device to generate a first level electronic token; and
d. encrypting the first level electronic token with a second encryption technique that is based on the Application KEY to generate dual encrypted electronic token.
12. The method as claimed in claim 11 further comprising: receiving, from a designated intermediary device, decrypted electronic token and a cryptogram, as sent by the mobile device.
13. The method as claimed in claim 12 further comprising:
a. verifying the cryptogram thus received;
b. obtaining an account identifier as per pre-stored mapping data; and
c. transmitting the account identifier to a designated recipient device.
14. An apparatus for communicating electronic token to a mobile device, said apparatus comprising:
• a first receiver operable in a first communication link for receiving a registration request from the mobile device;
• a processor for determining whether registration request satisfies a first condition set and in response thereto, generating an acknowledgment;
• a first transmitter operable in the first communication link for transmitting the acknowledgment to the mobile device;
• a second receiver operable in a second communication ink for receiving an authentication request from the mobile device;
• the processor being further adapted to determine whether authentication request satisfies a second condition set and in response thereto, generating an Application KEY, wherein the Application KEY is adapted to be stored on a SIM card contained in the mobile device;
• a second transmitter operable in a second communication ink for transmitting the Application KEY to the mobile device;
• the first receiver being further adapted to receive a request for an electronic token from the mobile device;
• the processor being further adapted to generate encrypted electronic token, the encrypted token being encrypted by a first encryption technique pre-agreed with the mobile device and a second encryption technique that is based on the Application KEY; and
• the first transmitter being further adapted to transmit the encrypted electronic token to the mobile device.
15. The apparatus as claimed in claim 14 further comprising a third receiver adapted to receive from a designated intermediary device, decrypted electronic token and a cryptogram, as sent by the mobile device.
16. The apparatus as claimed in claim 15, wherein the processor is further adapted to access a storage device and obtain therefrom account identifier as per pre-stored mapping data, if the cryptogram thus received is verified.
17. The apparatus as claimed in claim 16 further comprising a third transmitter adapted to transmit the account identifier to a designated recipient device.
18. A method as implemented by a mobile device for receiving electronic token, said method comprising:
• transmitting, to a token providing apparatus via a first communication link, a registration request;
• receiving, from the token providing apparatus via the first communication link, an acknowledgment;
• transmitting, to the token providing apparatus via a second communication link, an authentication request;
• receiving, from the token providing apparatus via the second communication link, an Application KEY,
• storing the Application KEY on a SIM card contained in the mobile device;
• transmitting, to the token providing apparatus via the first communication link, a request for an electronic token; and
• receiving, from the token providing apparatus via the first communication link, an encrypted electronic token that is encrypted by a first encryption technique pre-agreed with the token providing apparatus and a second encryption technique that is based on the Application KEY.
19. The method as claimed in claim 18, wherein the encrypted electronic token is stored on a memory associated with the mobile device.
20. The method as claimed in claim 18, wherein the encrypted electronic token is stored on a non-secure portion of a memory associated with the mobile device.
21. A method as implemented by a mobile device for sharing an electronic token, said method comprising:
• receiving, by processor via a communication device, a request for the electronic token;
• retrieving, by a processor from a memory device associated with the mobile device, an encrypted electronic token;
• decrypting, by the processor, the encrypted electronic token to obtain a first level decrypted electronic token;
• sending, by the processor to a SIM card associated with the mobile device, the first level decrypted electronic token;
• decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token;
• sending, by the SIM card to the processor, the electronic token; and
• transmitting, by the processor vide the communication device, the electronic token.
22. The method as claimed in claim 21, wherein the request for the electronic token is received by a near field communication (NFC) device incorporated in the mobile device.
23. The method as claimed in claim 21, wherein the encrypted electronic token is retrieved from a non-secure portion of the memory device associated with the mobile device.
24. The method as claimed in claim 21, wherein the encrypted token is decrypted by the processor adopting a pre-agreed first decryption technique to obtain the first level decrypted electronic token.
25. The method as claimed in claim 21, wherein the first level decrypted electronic token is decrypted by the SIM card adopting a second decryption technique, the second decryption technique being based on an Application KEY that is stored on the SIM card.
26. The method as claimed in claim 21, wherein decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token further comprises:
a. sending, by the SIM card, a query to the communication device; and
b. decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token in case the communication device received a request for the electronic token within a predetermined time period.
27. The method as claimed in claim 26, wherein if the communication device has NOT received a request for the electronic token within a predetermined time period, the SIM card generates a signal indicate of a possible fraud and transmits the same to a designated recipient device.
28. The method as claimed in claim 26, wherein decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token further comprises:
a. sending, by the SIM card, an instruction to a mobile device operating system to obtain a confirmation from a user for token decryption; and
b. decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token in case a confirmation is received or generating a signal indicate of a possible fraud and transmitting the same to a designated recipient device.
29. The method as claimed in claim 21, wherein decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token further comprises:
a. sending, by the SIM card, an instruction to a mobile device operating system to obtain a PIN number from a user; and
b. decrypting, by the SIM card, the first level decrypted electronic token to obtain the electronic token in case PIN is received or generating a signal indicate of a possible fraud and transmitting the same to a designated recipient device.
30. The method as claimed in claim 21, wherein the SIM card is further adapted to keep count of a number of decryptions performed over a period of time.
31. The method as claimed in claim 21, wherein the processor is further adapted to keep count of a number of times first level decrypted electronic token is sent to the SIM card for performing decryption.
32. The method as claimed in claim 21, wherein the processor is further adapted to query the SIM card to provide count of the number of decryptions performed by the SIM card over a period of time; receive a response from the SIM card, the response including the count of the number the number of decryptions performed by the SIM card over a period of time; compare the received count number with a count of a number of times the first level decrypted electronic token is sent by the processor to the SIM card for performing decryption; and in case of a mismatch, generate a signal indicate of a possible fraud and transmits the same to a designated recipient device.
33. A mobile device for sharing an electronic token, said device comprising:
• a communication device for receiving a request for the electronic token;
• a memory device storing thereupon an encrypted electronic token;
• a processor in operational communication with the communication device and the memory for retrieving the encrypted electronic token from the memory in response to the request for the electronic token and decrypt the encrypted electronic token to obtain a first level decrypted electronic token;
• a SIM card operably linked to the processor for receiving the first level decrypted electronic token from the processor; decrypting, the first level decrypted electronic token to obtain the electronic token and providing the electronic token to the processor; and
• the processor being further adapted to transmit the electronic token vide the communication device.
34. The mobile device as claimed in claim 33, wherein the SIM card is further adapted to:
a. send, a query to the communication device; and
b. decrypting the first level decrypted electronic token to obtain the electronic token in case the communication device received a request for the electronic token within a predetermined time period.
35. The mobile device as claimed in claim 34, wherein the SIM card is further adapted to generate a signal indicate of a possible fraud and transmits the same to a designated recipient device if the communication device has NOT received a request for the electronic token within a predetermined time period.
36. The method as claimed in claim 33, wherein the SIM card is further adapted to:
a. send an instruction to a mobile device operating system to obtain a confirmation from a user for token decryption; and
b. decrypt the first level decrypted electronic token to obtain the electronic token in case a confirmation is received or generate a signal indicate of a possible fraud and transmit the same to a designated recipient device.
37. The method as claimed in claim 33, wherein the SIM card is further adapted to:
a. send an instruction to a mobile device operating system to obtain a PIN number from a user; and
b. decrypting the first level decrypted electronic token to obtain the electronic token in case PIN is received or generate a signal indicate of a possible fraud and transmit the same to a designated recipient device.
38. The mobile device as claimed in claim 33, wherein the processor is further adapted to query the SIM card to provide count of the number of decryptions performed by the SIM card over a period of time; receive a response from the SIM card, the response including the count of the number the number of decryptions performed by the SIM card over a period of time; compare the received count number with a count of a number of times the first level decrypted electronic token is sent by the processor to the SIM card for performing decryption; and in case of a mismatch, generate a signal indicate of a possible fraud and transmits the same to a designated recipient device.
Documents
Orders
| Section | Controller | Decision Date |
|---|---|---|
Application Documents
| # | Name | Date |
|---|---|---|
| 1 | 777-DEL-2015-IntimationOfGrant30-05-2022.pdf | 2022-05-30 |
| 1 | Specification.pdf | 2015-03-28 |
| 2 | 777-DEL-2015-PatentCertificate30-05-2022.pdf | 2022-05-30 |
| 2 | FORM 5.pdf | 2015-03-28 |
| 3 | FORM 3.pdf | 2015-03-28 |
| 3 | 777-DEL-2015-Written submissions and relevant documents [11-04-2022(online)].pdf | 2022-04-11 |
| 4 | Form 26.pdf | 2015-03-28 |
| 4 | 777-DEL-2015-Correspondence to notify the Controller [26-03-2022(online)].pdf | 2022-03-26 |
| 5 | Drawings.pdf | 2015-03-28 |
| 5 | 777-DEL-2015-FORM-26 [26-03-2022(online)].pdf | 2022-03-26 |
| 6 | Form-9(Online).pdf | 2015-03-30 |
| 6 | 777-DEL-2015-US(14)-HearingNotice-(HearingDate-28-03-2022).pdf | 2022-03-01 |
| 7 | 777-del-2015-Form-1-(03-09-2015).pdf | 2015-09-03 |
| 7 | 777-DEL-2015-ABSTRACT [29-05-2020(online)].pdf | 2020-05-29 |
| 8 | 777-del-2015-Correspondence Others-(03-09-2015).pdf | 2015-09-03 |
| 8 | 777-DEL-2015-CLAIMS [29-05-2020(online)].pdf | 2020-05-29 |
| 9 | 777-DEL-2015-DRAWING [29-05-2020(online)].pdf | 2020-05-29 |
| 9 | 777-DEL-2015-FER.pdf | 2019-11-29 |
| 10 | 777-DEL-2015-FER_SER_REPLY [29-05-2020(online)].pdf | 2020-05-29 |
| 10 | 777-DEL-2015-OTHERS [29-05-2020(online)].pdf | 2020-05-29 |
| 11 | 777-DEL-2015-FER_SER_REPLY [29-05-2020(online)].pdf | 2020-05-29 |
| 11 | 777-DEL-2015-OTHERS [29-05-2020(online)].pdf | 2020-05-29 |
| 12 | 777-DEL-2015-DRAWING [29-05-2020(online)].pdf | 2020-05-29 |
| 12 | 777-DEL-2015-FER.pdf | 2019-11-29 |
| 13 | 777-DEL-2015-CLAIMS [29-05-2020(online)].pdf | 2020-05-29 |
| 13 | 777-del-2015-Correspondence Others-(03-09-2015).pdf | 2015-09-03 |
| 14 | 777-DEL-2015-ABSTRACT [29-05-2020(online)].pdf | 2020-05-29 |
| 14 | 777-del-2015-Form-1-(03-09-2015).pdf | 2015-09-03 |
| 15 | 777-DEL-2015-US(14)-HearingNotice-(HearingDate-28-03-2022).pdf | 2022-03-01 |
| 15 | Form-9(Online).pdf | 2015-03-30 |
| 16 | 777-DEL-2015-FORM-26 [26-03-2022(online)].pdf | 2022-03-26 |
| 16 | Drawings.pdf | 2015-03-28 |
| 17 | 777-DEL-2015-Correspondence to notify the Controller [26-03-2022(online)].pdf | 2022-03-26 |
| 17 | Form 26.pdf | 2015-03-28 |
| 18 | FORM 3.pdf | 2015-03-28 |
| 18 | 777-DEL-2015-Written submissions and relevant documents [11-04-2022(online)].pdf | 2022-04-11 |
| 19 | FORM 5.pdf | 2015-03-28 |
| 19 | 777-DEL-2015-PatentCertificate30-05-2022.pdf | 2022-05-30 |
| 20 | Specification.pdf | 2015-03-28 |
| 20 | 777-DEL-2015-IntimationOfGrant30-05-2022.pdf | 2022-05-30 |
Search Strategy
| 1 | SearchStrategyMatrix-converted(2)_18-11-2019.pdf |