FIELD OF THE INVENTION
The present invention relates to a system and method of secure online transactions using a Trusted Personal Device. More particularly, the present invention relates to a system and method of simplified transactions over electronic platform involving more than one party. Further, the present invention discloses a special virtual 5 keyboard on a Trusted Personal Device capable of being used as a field storage interface, automated field retrieval and filling system requiring minimal user intervention.
BACKGROUND OF THE INVENTION 10
Recent years have seen substantial growth in smart phone and tablet markets. The product has paved in its way to a large number of users now a days. Such devices are being collectively referred to as Trusted Personal Devices or TPDs. They are essentially portable electronic communication and computing devices which typically have access to data connectivity. Meanwhile, e/m-commerce (electronic/ 15 mobile commerce) has been growing steadily and significantly. Mobile banking, mobile payments and online transactions have found altogether a new platform in the form of smart phones and tablets. Almost anything and everything is within reach to a consumer through this combination of smart phone and tablets, internet, and mobile banking facilities provided by all financial institutions. 20
Almost all electronic applications, whether on-device or web-based, require user input which needs to be usually repeated for each instance of use or some predetermined time interval as defined by the application. Such repetitive user input is required for a variety of reason including but not limited to logging in (sign-on), data entry, providing payment identity and payment authentication. 25
Typically, such user input is done by entering the individual keys on a keyboard virtual or otherwise. For example, for signing in to an email application, if the
3
username is ‘user’ and the password is ‘pass123’, the user is required to move input focus to the respective field and press the individual keys viz ‘u’, ‘s’, ’e’ and ‘r’ on the keyboard and then move the focus to the next field and enter ‘p’, ‘a’, ‘s’, ‘s’, ‘1’, ‘2’, ‘3’ and then follow it up with a click/ invocation of an action button named ‘sign-in’.
Alternatively, there exist form/ password managers as separate applications or web 5 browser extensions, where this information could first be similarly keyed in and saved such that before the next instance of sign-in, the form/ password could be invoked automatically such that the form information could be automatically filled in or explicitly by the user such that the saved information could be copy-pasted using the device’s clipboard (temporary memory storage). 10
In a variation of the first-time data storage described above, certain applications with privileged access, such as browser extensions, could automatically/ with user’s permission, save the forms/ field data as and when the data is being normally entered on the form/ when it is submitted.
However, the methods described above have the limitation that in case of browser 15 extensions, they will function only within that particular browser application and in case of independent applications, they require the user to switch between the application where the data is being entered and the special form/ password manger application and may additionally require the user to depend on susceptible copy-paste functionality provided by the devices. These aspects make the usage of the 20 existing solutions cumbersome and non-secure especially on Trusted Personal Devices.
Tapping in to e/m-commerce demands, financial institutions have been providing internet banking/ internet based payment facilities to the account holders. These facilities are also used for various purposes such as online bill payments, e-25 governance. Accordingly, various security levels are used where a user may be required to authenticate himself with a pre-determined password as well as an instantly generated password. The pre-determined passwords are the ones which
4
are set by user and used every time a transaction is made. They are memorized by the user. The instantly generated passwords, generally known as OTPs (One Time Passwords), are unique single use passwords generated by the financial institutions or designated authentication service providers. Such passwords, generated with time as well as use limitations and are usually sent over an SMS to the registered 5 mobile number of the customer.
Presently, a consumer can select a product he wants to purchase online or avail a service, make payment through payment gateway channels partner to the seller through net-banking, credit/ debit cards or other internet based financial instruments. 10
In a typical event of making an e/m-commerce transaction, product to be purchased or service to be availed is selected and entered into shopping cart. While checking out, various payment options are provided subject to availability, like, through net-banking, credit or debit cards, or even cash-on-delivery. In case net-banking or credit/debit card payment option is selected, the webpage is redirected to a 15 payment gateway of a bank or any financial institution platform for entering user authentication data followed by request, generation and SMS of unique One Time Password (OTP) for validation purposes. Once validation is done, and payment is approved the webpage is redirected back to the seller webpage resulting into successful completion of online purchase event. 20
The process is non-trivial for the user. Many a times, OTP, the unique password, is generated by the bank only after explicit initiation of a request for the same through SMS by the user from his registered mobile number, even before the initiation of purchase event on merchant website.
An online purchase event becomes particularly cumbersome when it is performed 25 on a smart phone or tablet, as the user, apart from being required to remember and enter correctly his payment instrument identity (such as credit card number and other details) is required to switch to an SMS application view the unique OTP
5
passwords received as SMS, remember it correctly, switch back to the application where the purchase was being made and enter it in the appropriate OTP input field. Such switchover at times leads to failed transactions and ultimately results in loss of time as well as business.
CN101916478 describes a method for automatically acquiring, verifying and 5 inputting a dynamic password in a normal short message by a client. However, the ergonomics of the transaction is still pending redress. There are many aspects in a typical online transaction through smart phones and tablets. The following paragraphs identify the shortcomings of the state of the art.
In another aspect, a consumer in general possesses accounts and credit cards with 10 multiple financial institutions. In such cases, the user is required to remember multi-level passwords for multiple accounts which itself is very challenging. Carrying cards all the time increases the risk of theft/loss.
With the development of e/m-commerce concerns of user data security has also increased. There is considerable rise in cases of phishing, password hacking/theft, 15 card cloning and other financial frauds.
Apart from the above general concerns of data security as well as user friendly transaction process requirement, there are technical limitations to be addressed. For instance, the technology and user interface is developed differently for TPDs.
Thus, there is a requirement for a system and method for obviating the 20 disadvantages associated with the state of the art methods. There is a need for such system which provides a user friendly interface having inbuilt security, data field storage, retrieval and automated entry, especially for the e/m-commerce scenarios.
25
6
OBJECT OF THE INVENTION
Accordingly, the main object of the disclosed invention is to provide a system and method of secure online transaction using a Trusted Personal Device.
Another main object of the proposed invention is to provide a system and method of simplified transactions over electronic platform involving more than one party. 5
Yet another object of the invention is to provide an ergonomically advantageous method for performing online transactions using a smart phone and tablet.
Yet another object of the invention is to provide a special virtual keyboard on a Trusted Personal Device capable of secure and ergonomic storage of form data involving one or more input fields, including sensitive ones like passwords and PINs, 10 over one or more pages, and one or more actions for field, page navigations and page submissions.
Yet another object of the invention is to provide a special virtual keyboard on a Trusted Personal Device capable of secure and ergonomic retrieval of form data involving one or more input fields, including sensitive ones like passwords and PINs, 15 over one or more pages, and one or more actions for field, page navigations and page submissions.
Yet another object of the invention is to provide a special virtual keyboard on a Trusted Personal Device capable of secure and ergonomic filling of form data involving one or more input fields, including sensitive ones like passwords and PINs, 20 over one or more pages, and one or more actions for field, page navigations and page submissions.
Yet another object of the invention is to provide a special virtual keyboard enabled with the tokenization feature for enhance data security.
Yet another object of the invention is to provide a multi-level security feature 25 enabled method for performing online transactions using a smart phone or tablet.
7
Still another object of the proposed invention is to provide an alternative to state of the art method of online transactions using a Trusted Personal Device.
SUMMARY OF THE INVENTION
Accordingly, the present invention relates to a system and ergonomic method of 5 secure online payment using a Trusted Personal Device. More particularly, the present invention relates to a system and method of simplified transactions over electronic platform involving more than one party. Further, this invention also enables simplified and secure online payments using a Trusted Personal Device
Further, the present invention discloses a special virtual keyboard of a Trusted 10 Personal Device capable of being used as a field storage interface, automated field retrieval and filling system requiring minimal user intervention.
In a preferred embodiment, the present invention discloses a Keyboard based smart vault wherein the smart vault allows secure and ergonomic storage and retrieval of form data involving one or more input fields, including sensitive ones like passwords 15 and PINs, over one or more pages, and one or more actions for field, page navigations and page submissions.
In another preferred embodiment of the present invention, a special virtual keyboard or a keyboard extension is proposed wherein apart from usual character entry, the keyboard is capable of being provisioned from a server to validate the 20 Device and mobile number.
The keyboard is further capable of enabling cryptographically secured storage of data, either locally or on remote server. In yet another preferred embodiment of the present invention, the said keyboard is capable of identifying, categorizing and fetching specific field values from one location and auto-completing the desired 25 information on other location in a Trusted Personal Device.
8
In another preferred embodiment, the system supports single password access to enable entry of data indicated as sensitive by the user. For example, if the banking application password is entered, the user may indicate that it requires an additional authentication factor from the use. Alternatively or in addition, the system allows leveraging fingerprint or any biometric authentication device, if present on the 5 mobile device, to act as the additional factor of authentication.
Further aspects of the invention will become apparent from consideration of the drawings and the ensuing description of preferred embodiments of the invention. A person skilled in the art will realize that other embodiments of the invention are possible and that the details of the invention can be modified in a number of 10 respects, all without departing from the concept. Thus, the following drawings and description are to be regarded as illustrative in nature and not restrictive.
BRIEF DESCRIPTION OF DRAWINGS
A complete understanding of the system and method of the present invention may 15 be obtained by reference to the following drawings:
Fig.1 depicts the invention showing representative diagram of the virtual device keyboard on top of a sample application on the mobile phone or tablet.
20
Fig.2 shows module outline of proposed keyboard based smart vault.
Fig.3 shows flow for a typical mobile payment process being auto-processed by the one-click checkout button on the keyboard of proposed invention.
25
9
DETAILED DESCRIPTION OF THE INVENTION
The present invention relates to a system and method of secure online payment using a Trusted Personal Device, particularly a smart phone or a tablet. More particularly, the present invention relates to a system and method of simplified transactions over electronic platform involving more than one party like seller, third 5 party payment gateway financial institution etc. Further, the present invention specifically discloses for a smart phone and a tablet, a virtual keyboard based smart vault capable of being used as auto-payment data field storage interface requiring minimal user intervention.
In a preferred embodiment of the present invention, a special virtual keyboard or a 10 keyboard extension is proposed wherein apart from usual character entry, the keyboard is capable of being provisioned from a server to validate the Device and mobile number. The keyboard is further capable of enabling cryptographically secured storage of data, either locally or on remote server.
In another preferred embodiment of the present invention, the keyboard based 15 smart vault stores sensitive information like details of all credit/debit cards of user, CVV numbers, Names and Addresses of corresponding cards, login and transaction passwords of bank accounts and other such sensitive/ non-sensitive data in the form of encrypted codes which is stored locally or remote servers. All the information is retrievable through a single password and/ or any other suitable authentication 20 methods. This feature obviates the problem of carrying all the cards or remembering all passwords all the time. The system supports single password access to enable entry of data indicated as sensitive by the user. For example, if the banking application is being accessed, the user may indicate that it requires an explicit authentication by the user. Alternatively, the system allows leveraging fingerprint 25 device or any biometric authentication device, if present on the mobile device to act as a factor of authentication.
10
In yet another preferred embodiment of the present invention, the said keyboard saves specific data input fields in a local database using encrypted secure storage. The keyboard is capable of identifying, categorizing and fetching specific field values from one location and auto-completing the desired information on other location in a Trusted Personal Device. For instance, during a typical purchasing event, the said 5 keyboard identifies the bank providing payment gateway, corresponding card details, like card number, CVV code, expiry date, and name on card and auto-completes the corresponding fields.
In another preferred embodiment of the present invention, the keyboard identifies the OTP received on the phone or a tablet from the message box, fetches the same 10 and auto-complete the same in the corresponding field for secondary authentication during the transaction event.
In another embodiment, the keyboard allows third party OTP service providers and financial institutions to plug-in and directly delivers the OTP to the TPD using secure data channels as an alternative to SMS as a channel of delivery of OTP thereby 15 reducing costs and improving security.
In another preferred embodiment, the keyboard is ‘tokenization’ enabled wherein the entered password/PIN/CVV is converted into another coded password before being sent to a third party server. During the validation at the bank’s server, the coded password is de-coded to originally entered password/PIN/CVV. Thus, though 20 the keyboard is a standard keyboard layout with the alphabets for the language and a special number only mode, it transforms the keyed in password/pin/cvv as the case may be, to something else in a process called tokenization. For instance, if the keyboard types 1234, it may transform into 6395 based on a secret one time transforming key passed on to the application from a designated server. This 25 ensures that the real pin/secret is never entered on the third party merchant or app. Before the transaction reaches the issuer' authentication system, the back end servers securely communicate with the designated server to access the same key to re-transform it back to the original pin/secret.
11
Referring to Figure 1, process flow of a transaction event is simplified wherein the keyboard based smart vault fetches information for input fields. The keyboard enters all the desired values automatically using single password authentication resulting in single click transactions. This minimizes the chances of failed transactions. 5
Referring to Figure 2, a typical module of proposed keyboard based smart vault is shown wherein the user can select from the optional modes of the keyboard based smart vault like, standard keyboard or smart vault modes. Further, module for provisioning and activation of the keyboard for storing data for future use is provided. Here, the user registers all information pertaining to various cards and 10 corresponding details. The module further allows for secondary authentications like optional PIN and/or biometrics based authentication. Thus to start the application one-time pre-registration of account/card details is done along with security provisioning of the keyboard based smart vault.
Referring to Figure 3, Process flow for a typical mobile payment (checkout) process 15 being auto-processed by the one-click checkout button on the keyboard is shown. Clicking the one-click button on the keyboard based smart vault initiates the transaction event. The system optionally requires card/wallet selection and user authentication through a PIN/ Pattern/ Biometric authentication as the case may be. Once authenticated, the keyboard based smart vault automatically fills in the fields 20 as required and submits the form or part thereof. The keyboard is capable of handling multi-page forms requiring no additional inputs from the user and switching the pages to-and-fro. The vault keyboard reads the OTP received over SMS or on data channel to the device and enters it. It submits all forms leading to payment result page, thus obviating the user from remembering or entering all 25 details personally every time.
Thus by using the keyboard based smart vault, the user has to remember only one or two authentication passwords for all cards/accounts, making the online banking much easier and simpler without compromising the security.
12
WORKING SEQUENCE
The system and method of secure one-click transaction involves a smart phone or a tablet with internet access, merchant’s/seller’s server, financial institution’s server and network operator. The sequence of events in a typical financial transaction using the present invention will be as follows: 5
a. User equips the smart phone or the tablet with keyboard based smart vault/keyboard extension. The user enters details of all or preferred credit/debit cards or accounts and their corresponding login and transaction passwords for the provisioning of the keyboard based smart vault. The keyboard has security levels where the data entered is encrypted and 10 secured with password and optionally additional authentication measure like biometrics or PINs. This particular step is performed once and the information is secured for future transactions.
b. During an online transaction over the smart phone or tablet, the user authenticates himself for the use of keyboard based smart vault by entering 15 the password.
c. The user then selects the product to be purchased or a bill to be paid and goes for payment option. The page is redirected to a third party gateway , or to the payment gateway of any particular bank selected by the user.
d. The payment gateway has fields or forms to be filled in. The fields are 20 identified and filled automatically by the keyboard based smart vault, wherein the keyboard is capable of identifying which credit/debit card details are to be filled in. For instance, in case the payment gateway is of Bank A, details of Bank A card will be filled in automatically. Codes and passwords will be entered by the keyboard based smart vault automatically. 25
13
e. Once the card details are entered, Bank shall send OTP to the user through SMS. The OTP is received by the smart phone/tablet as SMS. The OTP is identified and fetched by the keyboard based smart vault and corresponding field on the page is filled automatically.
f. Once all details are logged in, the Bank approves the payment and the page 5 is redirected to merchant’s or seller’s website for further steps.
Thus, using the proposed invention, the user is required to remember only one or two passwords of keyboard based smart vault. Also, the card and account details are also not required to be entered each time. In addition to the same, the user is no more required to switch from one page to another to fetch and fill OTP during the 10 transaction.
Accordingly, in yet another embodiment of the present invention is proposed a system for secure online transactions comprising:
a trusted personal device comprising a special virtual keyboard capable of being used as a data storage interface, automated data retrieval and filling system; and a 15 keyboard based smart vault that allows secure and ergonomic storage and retrieval of form data involving one or more input fields, the data including but not limited to sensitive ones like dynamic passwords and PINs, over one or more pages, and one or more actions for field, page navigations and page submissions; and
a remote server for communicating the transactions; 20
wherein said special virtual keyboard apart from usual character entry, is capable of being provisioned by the remote server to validate the trusted personal device and validate user for secure transaction procedures; said keyboard based smart vault is further capable of enabling cryptographically secured storage of data, either locally on trusted personal device or on the remote server; said special virtual keyboard is 25
14
capable of identifying, categorizing and fetching specific field values from one location and auto-completing the desired information at desired location in the trusted personal device; the system is provisioned for single step authentication of the user through keyboard based smart vault; and the system is capable of storing, identifying and fetching data pertaining to plurality of financial institutions through 5 the keyboard based smart vault.
In yet another embodiment of the present invention is proposed a method of secure online payments using a trusted personal device comprising steps of:
a. customizing the trusted personal device with a keyboard based smart vault wherein the user enters details of all or preferred financial institution data 10 and authentication values for the provisioning of the keyboard based smart vault;
b. securing said keyboard smart vault having security levels where the data entered is encrypted and secured with password and optionally additional authentication measure like biometrics or PINs wherein the step a. is 15 performed once and the information is secured for future transactions;
c. activating an online transaction over the trusted personal device wherein the user authenticates himself for the use of keyboard based smart vault by entering password;
d. selecting a transaction page including but not limited to purchasing a product 20 or paying a bill wherein the page is redirected to a third party gateway, or to the payment gateway of any particular financial institution selected by the user;
15
e. identifying, fetching and filling automatically the fields or forms on the payment gateway using the keyboard based smart vault capable of identifying preferred financial institution data and authentication details;
f. requesting and receiving validation data from corresponding financial institution server including but not limited to OTP through SMS wherein the 5 OTP is received by the trusted personal device and is identified and fetched by the keyboard based smart vault and corresponding field on the gateway page is filled automatically;
g. authenticating logged details and approving the transaction by server of corresponding financial institution; and 10
h. redirecting page to merchant’s or seller’s website for completion of transaction.
It is to be understood that the present invention is not to be limited to just the preferred embodiment disclosed, but that the invention described herein is capable of numerous rearrangements, modifications and substitutions without departing 15 from the scope of the claims hereafter.

CLAIMS
We Claim:
1. An ergonomically advanced system for secure online transactions comprising:
i) a trusted personal device comprising:
a) a special virtual keyboard capable of being used as a data storage interface, automated data retrieval and filling system; and
b) a keyboard based smart vault that allows secure and ergonomic storage and retrieval of form data involving one or more input fields, the data including but not limited to sensitive ones like dynamic passwords and PINs, over one or more pages, and one or more actions for field, page navigations and page submissions; and
ii) a remote server for communicating the transactions;
wherein:
said special virtual keyboard apart from usual character entry, is capable of being provisioned by the remote server to validate the trusted personal device and validate user for secure transaction procedures;
said keyboard based smart vault is further capable of enabling cryptographically secured storage of data, either locally on trusted personal device or on the remote server;
said special virtual keyboard is capable of identifying, categorizing and fetching specific field values from one location and auto-completing the desired information at desired location in the trusted personal device;
the system is provisioned for single step authentication of the user through keyboard based smart vault; and
2
the system is capable of storing, identifying and fetching data pertaining to plurality of financial institutions through the keyboard based smart vault.
2. The system for secure online transactions as claimed in claim 1 wherein the system provides auto-payment data field storage interface requiring minimal user intervention.
3. The system for secure online transactions as claimed in claim 1 wherein the online payments involves plurality of parties including but not limited to a seller, a third party payment institution, a payee, and a gateway of financial institutions.
4. The system for secure online transactions as claimed in claim 1 wherein the keyboard is capable of converting originally entered passwords into coded passwords before the authentication data being sent to third party server.
5. The system for secure online transactions as claimed in claim 1 wherein the trusted personal device includes a smart phone and a tablet.
6. The system for secure online transactions as claimed in claim 1 wherein the said keyboard based smart vault stores sensitive information like details of all credit and debit cards of user, authentication and validation data of corresponding cards, and other such sensitive and non-sensitive data in the form of encrypted codes stored locally or on the remote server.
7. The system for secure online transactions as claimed in claim 6 wherein the system supports single password and/or any other suitable authentication methods to enable entry/retrieval of said keyboard based smart vault data as indicated sensitive by the user.
8. An ergonomically advanced system and method of secure online transactions using a trusted personal device comprising:
3
a special virtual keyboard having field storage interface, automated field retrieval and filling means, the special virtual keyboard being enabled on the trusted personal device;
a keyboard based smart vault enabled on the trusted personal device such that the smart vault allows secure and ergonomic storage and retrieval of form data involving one or more input fields, the data including but not limited to sensitive ones like dynamic passwords and PINs, over one or more pages, and one or more actions for field, page navigations and page submissions; and
a remote server for communicating the transactions;
wherein:
said special virtual keyboard validates the trusted personal device and user for the secure transaction procedures;
said keyboard based smart vault enables cryptographically secured storage of data, either locally or on the remote server;
said special virtual keyboard identifies, categorizes and fetches specific field values from one location and auto-completes the desired information on a desired location in the trusted personal device;
the system is provisioned for single step authentication of the user through the keyboard based smart vault; and
the system is capable of storing, identifying and fetching data pertaining to plurality of financial institutions automatically through the keyboard based smart vault.
9. An ergonomically advanced method of secure online transactions using a trusted personal device comprising steps of:
4
a. customizing the trusted personal device with a keyboard based smart vault wherein the user enters details of all or preferred financial institution data and authentication values for the provisioning of the keyboard based smart vault;
b. securing said keyboard smart vault having security levels where the data entered is encrypted and secured with password and optionally additional authentication measure like biometrics or PINs wherein the step a. is performed once and the information is secured for future transactions;
c. activating an online transaction over the trusted personal device wherein the user authenticates himself for the use of keyboard based smart vault by entering password;
d. selecting a transaction page including but not limited to purchasing a product or paying a bill wherein the page is redirected to a third party gateway, or to the payment gateway of any particular financial institution selected by the user;
e. identifying, fetching and filling automatically the fields or forms on the payment gateway using the keyboard based smart vault capable of identifying preferred financial institution data and authentication details;
f. requesting and receiving validation data from corresponding financial institution server including but not limited to OTP through SMS wherein the OTP is received by the trusted personal device and is identified and fetched by the keyboard based smart vault and corresponding field on the gateway page is filled automatically;
g. authenticating logged details and approving the transaction by server of corresponding financial institution; and
h. redirecting page to merchant’s or seller’s website for completion of transaction.
5
10. The method of secure online transactions as claimed in claim 9 wherein the trusted personal device includes but not limited to a smart phone and a tablet.
11. The method of secure online transactions as claimed in claim 9 wherein the preferred financial institution data includes but not limited to details of credit or debit card issued by a bank.