1495 results about "Cryptogram" patented technology

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include encrypting account information with a first encryption key to generate a second encryption key, and encrypting key index information using the second key to generate a limited-use key (LUK). The key index information may include a key index having information pertaining to generation of the LUK. The LUK and the key index can be provided to the communication device to facilitate generation of a transaction cryptogram for a transaction conducted using the communication device, and the transaction can be authorized based on the transaction cryptogram generated from the LUK.

Embodiments of the invention provision multiple payment tokens on a communication device. The communication device may be provisioned with multiple limited use keys (LUK), each LUK being associated with a specific type of transaction. When the communication device is used for a transaction, the communication device automatically determines a type of the transaction and selects an appropriate LUK based on the determined transaction type. The selected LUK may be used to create a cryptogram, which can be used to verify the transaction.

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and sending a token instead of a real account identifier and the transaction cryptogram to an access device to conduct the transaction. The LUK may be associated with a set of one or more limited-use thresholds that limits usage of the LUK, and the transaction can be authorized based on at least whether usage of the LUK has exceeded the set of one or more limited-use thresholds.

Methods, systems, and machine-readable media are disclosed for handling information related to a financial transaction including utilizing dynamic cryptograms. According to one embodiment, a method of processing a financial transaction related to a financial account can comprise detecting initiation of the transaction with a device used as a presentation instrument in the transaction. A Dynamic Transaction Cryptogram (DTC) and a dynamic PAN can be generated at the device. The DTC can be used to authenticate the transaction and the dynamic PAN can comprise an encrypted form of a real PAN of the financial account that is valid for a single transaction. The DTC and the dynamic PAN can be provided by the device for use in the transaction.

Techniques for enhancing the security of a communication device may include providing an application agent that executes in a trusted execution environment of the communication device, and a transaction application that executes in a normal application execution environment of the communication device. The application agent may receive, from the application, a limited-use key (LUK) generated by a remote computer, and store the LUK in a secure storage of the trusted execution environment. When the application agent receives a request to conduct a transaction from the application executing in the normal execution environment, the application agent may generate a transaction cryptogram using the LUK, and provides the transaction cryptogram to an access device.

A password is split into a plurality of pieces. The pieces are stored at different remote servers. The different remote servers have the property that together they can determine that the user has knowledge of the correct password. If any subset of the servers are compromised, the compromised subset cannot convince any remaining servers that they know the password.

The authenticity of a website is determined using a unique string of characters known only to the user and the website on each page of the website that is displayed to the user, with a false site being incapable of displaying this unique string of characters, thereby putting the user on notice that the current site is not the authentic one the user desires to access. Voice methods for conveying one-time pass codes to users and for permitting customer institutions to select authentication rules are also disclosed.

The present invention enables a user to receive a financial service anywhere through a mobile terminal equipped with a UIM (User Identification Module) electronic card. In the present invention, a user enters his or her password to a mobile terminal with a UIM card including subscriber telephone number, finance, authorization, and personal information, then, if the entered password is correct, authorization is processed with a remote authorizing server based on the authorization information. After authorization, user's requesting service, e.g., payment service, transaction particulars inquiry service, prepaid card recharging service is conducted through a mobile network.

System has consent, signature, recording and retention functions. Near post-sessional data acquisition gathers nominal comm device information from participants. Active online phones are sent a SMS with the recorded event ID, a hyperlink and password for system access. Otherwise, data is acquired for another text message enabled phone or user email. If disconnected, the user is called for additional data. A contractual relationship is established with these functions. With an ACK-consent upon system access, an ACK-consent by the parties, a RECORD ON command, and a recorded intent-to-contract, the system creates an enforceable contract by storing the ACKs and recorded session.

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and using a signature key to generate a signature. The transaction can be an offline data authentication transaction, and access can be granted based on authentication of the signature prior to verifying the transaction cryptogram.

Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include using a limited-use key (LUK) to generate a transaction cryptogram, and transmitting a token instead of a real account identifier and the transaction cryptogram to an access device to conduct the transaction. The token and the transaction cryptogram can be transmitted to a magnetic stripe reader by generating an emulated magnetic signal. The LUK may be associated with a set of one or more limited-use thresholds that limits usage of the LUK, and the transaction can be authorized based on at least whether usage of the LUK has exceeded the set of one or more limited-use thresholds.

This patent application describes a data processing system and method for securely storing and retrieving a cryptographic secret from a plurality of network-enabled clients. The cryptographic secret is encrypted using a split key arrangement where a first key component is generated and stored inside a hardware security token and a second key component is generated and stored on a server. Random variables and dynamic passwords are introduced to mask the key components during transport. In order to gain access to the first password, the user is required to enter his or her PIN. The key encryption key is generated by performing a series of XOR operations, which unmasks the first and second key components on a client allowing generation of a symmetric key The symmetric key is used to encrypt the cryptographic secret at the user's normal client and decrypt the cryptogram at another client lacking the cryptographic secret. The applications performing the cryptographic functions are intended as browser applets, which remains in transient memory until the user's session has ended. At which time, the key encryption key and cryptographic secret are destroyed.

Systems and methods for token processing are disclosed. An access device can provide access device data to a mobile communication device. The communication device generates a token request including the access device data and communication device data and sends the token request to a server computer. The server computer returns a token and a token cryptogram to the mobile communication device. The token and the cryptogram may be used in a transaction.

An anonymity system including a cryptographic device. The cryptographic device of the anonymity system is adapted to initially determine whether a response to an incoming electronic message is requested. If so, an address of the anonymity system is encrypted with a key. In one embodiment, the key may be a public key of a system targeted to receive an outgoing electronic message from the anonymity system inclusive of data contained in the incoming electronic message. The encrypted address is placed into an outgoing electronic message before re-routing to the target system to allow the target system to re-route the response back to the anonymity system.

Systems and methods for facilitating payment transactions using quick-response (QR) codes are provided. A first machine readable code encoding first data generated by an access device is scanned by a communication device. The communication device generates a cryptogram based on the first data encoded within the first machine readable code. The communication device then obtains financial credentials data from a payment application being executed on the communication device. A second machine readable code encoding second data comprising the financial credentials data and the cryptogram is then generated. The second machine readable code is displayed on a display of the communication device, wherein the second machine readable code is scanned by the access device.

The utility of a portable consumer device is extended by allowing account holders the ability to gain entry into access-controlled venues (e.g., baseball or soccer game, cinema, public transit) using a portable consumer device that is associated with an account that was used to purchase the admission or tickets to the event at the access-controlled venue. Techniques disclosed allow cardholder authentication in a non-payment setting that enables cardholders access to a location or a specific event. A first validation cryptogram is generated in the purchase cycle and is stored. A second validation cryptogram is generated in the validation cycle at the venue. If the second validation cryptogram matches the first validation cryptogram, the consumer is granted access. Validation cryptograms may be based on input data that is specific to the payment card holder (e.g., primary account number), specific to the ticket selling merchant (e.g., merchant identifier), specific to the event (e.g., event identifier, date/time, location, etc.), and/or specific to the transaction (e.g., authorization code from a payment network). Based on the input data, validation cryptograms may be generated using encryption, hashing, a combination of encryption and hashing, and/or other operations on the input data.

Methods and systems are disclosed for executing financial transactions between customers and merchants. An identifier of a financial account is received from the customer at a merchant system. A one-time password is also received from the customer at the merchant system, with the customer having been provided with the one-time password by a mobile electronic device or contactless presentation instrument. A cryptogram is generated to included the identifier of the financial account encrypted using the one-time password. An authorization request is formulated at the merchant system. The authorization request includes the cryptogram and transaction information describing at least a portion of the financial transaction. The authorization request is transmitted from the merchant system to an authorization processor for authorization of the financial transaction.

Techniques for conducting a transaction in a midrange wireless communication system are described. The techniques may include detecting a beacon transmission from a midrange wireless base station, determining that the beacon transmission includes a transaction service identifier, and invoking a transaction application associated with the transaction service identifier. The techniques may also include receiving transaction information for a transaction associated with a transaction identifier mapped to the device identifier; and sending a transaction cryptogram from the transaction application to the midrange wireless base station to conduct the transaction.

A payment authentication service authenticates the identity of a payer during online transactions. The authentication service of the present invention allows a card issuer to verify a cardholder's identity using a variety of authentication methods, such as the use of passwords. Also, the only system participant requiring a certificate is the issuing financial institution. One embodiment of the invention for authenticating the identity of a cardholder during an online transaction involves querying an access control server to determine if a cardholder is enrolled in the payment authentication service, requests a password from the cardholder, verifies the password, and notifies a merchant whether the cardholder's authenticity has been verified. In another aspect of the invention, a chip card and the authentication service independently generate cryptograms that must match in order for the service to verify that the correct chip card is being used by the cardholder.

A method is disclosed for the authentication of applications both at the time of their downloading, as well as at the time of their execution. At least one application works in an equipment connected by a network to a control server, the equipment being locally connected to a security module. The application is loaded and/or executed via an application execution environment of the equipment and uses resources stored in the security module. The authentication method includes reception by the control server, via the network, of data including at least the identifier of the equipment and the identifier of the security module, analysis and verification by the control server of the data; generation of a cryptogram including a digest of the application, data identifying the equipment and the security module and instructions intended for the module; transmission of the cryptogram, via the network and the equipment, to the security module; and verification of the application by comparing the digest extracted from the cryptogram received with a digest determined by the security module. Further, said method further comprising steps wherein, during the initialization and/or the activation of the application, the security module executes the instructions extracted from the cryptogram, to at least one of release and block the access to certain resources of the security module according to the result of the verification suited to this application carried out previously.