WO2009065417A1 - M. currency- net sense - Google Patents

Publication number: WO2009065417A1
Authority: WO, WIPO (PCT)
Prior art keywords: netsense, security, payment, merchant, customer
Application number: PCT/EG2008/000025
Other languages: French (fr)
Inventor: Ayman Fathy Tolba
Original Assignee: Net Signature For Advanced Solutions (I.N.K.)

Classifications

    • G06Q20/3255 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks using mobile network messaging services for payment, e.g. SMS
    • G06Q20/326 Payment applications installed on the mobile devices
    • G06Q20/20 Point-of-sale [POS] network systems
    • G06Q20/4014 Identity check for transactions
    • G07F7/1025 Identification of user by a PIN code

Abstract

The invention concerns a secure mobile transaction system and method using SMS communication and SIM authentication. A vendor (V) and a client (C) transact via NetSense (S). Geographic authentication and parental payment are also possible.

Description

M. CURRENCY- NET SENSE
TECHNICAL FIELD
Mobile technology designed to give customers the ability to make their payments through their mobile phones.
It is true that no previously available creation covers what Net Signature has invented and the valuable services it offers to M currency clients; the motive behind inventing M currency is to spare clients what credit card (such as Visa or MasterCard) clients go through when their cards are lost, forged or stolen, which leads to withdrawals from their accounts.
What's new in the invention's concept?
Mobile phones are a popular technology used by over 27 million people in Egypt alone, which makes the idea of using mobiles for a new service that replaces credit cards more appealing.
BACKGROUND ART
There is no previously available invention that includes the same creative concept that M currency-Net Sense is based on.
DISCLOSURE OF INVENTION
Billing Payment
• Signing in
The above diagram shows the sign-in of an existing customer, who enters his user name and password and then chooses one of the above-mentioned services.
After signing in, the customer has a list of choices, starting with (New Credit); this option recharges his account by entering the 14-digit code on the scratch card.
Another option is for the customer to review his billing history by clicking on the (Client's Bill) icon. An existing client can check his account balance, which is the amount of money in his account.
This customer (1) can also choose to transfer credit to another existing M-Currency customer (2). At this point customer (1) has to enter his mobile number, PIN code (a different code from the password he signed in with) and the mobile number of customer (2).
After the transaction is done, a notification has to be sent to both customers (1) & (2).
E.g. for notification SMS:
(customer 1 mobile #) has transferred an amount of (...EGP) to (customer 2 mobile #)
The points and offers choice lets the customer check the points scheme of M-Currency, check the existing offers in the points system and check the number of points this customer has on the M-Currency system.
An existing customer can also access our online shopping centre:
The shopping centre page contains a list of vendors from which the client chooses.
Each vendor on the list has a page where he lists all or some of his commodities or services with their prices, and the client adds to his cart as he browses the list.
After the client finishes adding to his cart he presses an icon (bill me), where he has to enter his mobile number and PIN code. After the transaction is done, a notification has to be sent to the customer.
E.g. for notification SMS:
You have purchased:
1. (Item) from (vendor) with (amount) EGP
2. (Item) from (vendor) with (amount) EGP
3. (Item) from (vendor) with (amount) EGP
4. (Item) from (vendor) with (amount) EGP
The vendor phase describes the purchasing process when a customer purchases a good or a service either by being physically at the vendor or by phone.
After the customer has placed his/her order, he/she is asked to give his/her mobile number. The vendor then contacts the server via the POS machine, entering the mobile number of the customer and the amount of payment.
The server sends an SMS to the customer stating the amount and the vendor's name.
E.g. of SMS:
You are asked to pay an amount of ( )EGP to (vendor's name)
Reply
The customer should then press reply, write his PIN code without any other text and press send.
The system verifies the PIN code and then sends the vendor and the customer a notification.
If the customer included other text in the reply message, the system should be able to extract the PIN code and verify it.
Purchasing Online
The shopping centre page contains a list of vendors from which the client chooses. Each vendor on the list has a page where he lists all or some of his commodities or services with their prices, and the client adds to his cart as he browses the list.
After the client finishes adding to his cart he presses an icon (bill me), where he has to enter his mobile number and PIN code.
The server then sends each vendor a notification of the items chosen by the customer, and later on, according to the delivery policy of each vendor, the vendor sends the chosen items to the customer.
After the transaction is done, a notification has to be sent to the customer.
E.g. for notification SMS:
You have purchased:
1. (Item) from (vendor) with (amount) EGP
2. (Item) from (vendor) with (amount) EGP
3. (Item) from (vendor) with (amount) EGP
4. (Item) from (vendor) with (amount) EGP
Mobile Media Purchasing
One of the future applications of M-Currency is to place an order from a media advertisement. Each good or service in the advertisement would have an associated M-Currency code. The customer would send the server an SMS with the code number of the good or service. The server then sends an SMS to the customer to acquire the PIN code. After the customer replies to the server with the PIN code and the server verifies it, the server sends the order to the vendor's POS machine, and the vendor delivers the good or service purchased.
Call Center
The M-Currency call centre provides the customer with several services. One of those services is the opportunity for M-Currency customers to purchase whatever is advertised via different types of media through the call centre: the customer calls the call centre and chooses the purchase option from the IVR, places his order, and the customer service officer verifies the customer's information (mobile number and PIN code). The customer service officer then places the order to the vendor's POS machine and the vendor delivers the customer's purchased good or service.
Money Transfer
The money transfer from one customer to another can be done via SMS system or over the internet.
Over the internet, through M-Currency's web site, customer (A) can choose to transfer credit to another existing M-Currency customer (B). At this point customer (A) has to enter his mobile number, PIN code and the mobile number of customer (B).
After the transaction is done, a notification has to be sent to both customers (A) & (B).
E.g. for notification SMS:
(customer 1 mobile #) has transferred an amount of (...EGP) to (customer 2 mobile #)
Through SMS, the customer can simply dial the IVR, choose the amount of money he would like to transfer and then enter the PIN code; when the transaction is made, a notification SMS is sent to both customers.
Advertisement
M-Currency provides Vendors with the ability to advertise through the M-Currency system as follows:
The vendor signs up through M-Currency's web site giving the vendor's user name and password, then chooses from a given list of segments on our website: the age, the gender, and certain interests (e.g. 16 to 20 years, males, music, rock). The vendor then enters the number of SMS messages he would like to send, and they are sent to customers matching the number and specifications the vendor chose.
BRIEF DESCRIPTION OF DRAWINGS
Codes
- Key Players:
(S): NetSense
(V): Vendor
(C): Client
(CS): Customer Support
- Ongoing Transactions between key players:
(S1): Requesting Pin Code to allow transaction.
(S2): Confirm Transfer
(S3): Sending Client's Request
(S4): Sending commercials and offers to clients
(S5): Money Transfer from one client's account to another.
(S6): Sending new account's balance after every transaction to client.
(V1) Sending Client's details to S
(V2) Delivery to client
(V3) Logging into Website
(V4) Choosing different segments of Clients
(C1) Entering Pin Code
(C2) Logging into website
(C3) Entering transaction data
(C4) Calling Customer Support
(C5) Requesting Money Transfer to another client's account.
(CS1): Requesting Pin Code to allow transaction
(CS2): Sending Client's details and request to S.
- The X-List
1. Recharging account
2. Client's bill
3. Checking Balance
4. Money Transfer
5. Collecting points and receiving offers
6. Shopping online
Description of Drawings:
• Diagram No. 1
1. V starts the process using step V1
2. S contacts C using step S1
3. C responds to S in step C1
4. S then performs step S2 to C and V, and performs step S6 with C
• Diagram No. 2
1. C performs steps C2 and C3
2. S performs steps S3 to V, and S6 to C
3. V performs step V2
• Diagram No. 3
When C performs step C2, he/she could do any of the processes available in the X-List
• Diagram No. 4
1. C performs step C3
2. S responds to C and performs step S1
3. C performs step C1
4. S performs steps S3 to V and S6 to C
5. V performs step V2
• Diagram No. 5
1. C performs step C4
2. CS performs step CS1
3. C performs step C1 and C3
4. CS performs step CS2
5. S performs step S3 to V and S6 to C
6. V performs step V2
• Diagram No. 6
1. First C (Ca) performs steps C1 and C5
2. S performs step S5 to second C (Cb)
3. S performs step S6 to both (Ca) and (Cb)
• Diagram No. 7
1. V performs steps V3 and V4
2. S performs step S4

Claims

Our security measures and methodologies are applied to many factors in the payment matrix that NetSense uses and maintains.
1) Payment Process/Cycle Security
2) Merchant Security
3) Customer Security
4) Online/Network Security
5) GSM Security
6) Secured Development Cycle
7) NetSense PKI Envelope
The above makes our payment model a ten-layer secured payment solution, and each of those layers has a matrix of security options, which in the end makes it a multiple of tens of security layers and measures.
Payment Process/Cycle Security
NetSense Mobile Payment can be initiated from the Merchant or the Customer. Both directions are ultra secured methods that ensure maximum security for both Merchants and Customers, which in return boosts business and sales for the merchant and gives the customer a hassle-free payment model with an online statement in which all transactions are reflected immediately.
NetSense makes a difference with regard to security through the credit push concept applied in the process flow, which makes the customer the driver/initiator of the payment process. Nothing can happen that customers would not approve or agree with.
The customer only communicates sensitive information to NetSense, her/his trusted partner, and does not provide any such information to either the merchant or any third party operator. This process prevents misuse of the customer's sensitive information; the transaction cannot be repeated by anyone else, at any other time.
All transactions are individually approved by the buyer with the input of a PIN. The PIN is used in connection with NetSense PKI signatures, and sensitive personal information is not stored in the Merchant system. Transaction details are only captured at NetSense payment Servers. All communication is encrypted using public-private key infrastructure.
a. Mobile Payment Initiated from the Merchant:
The NetSense Merchant will have a terminal that allows him to withdraw money from a certain Customer's mobile payment account. Once the Merchant initiates the transaction, an immediate SMS (the maximum delay of SMS delivery is a couple of minutes) is delivered to the Customer's mobile phone asking for his approval/authentication of this specific payment transaction. This makes our payment model the best of breed as both a Verified Payment and a Present Payment method, which are considered the two most secured payment models that can be achieved in today's financial transactions and payment methods/models/transactions. (Paying in cash is a Verified and a Present Payment: Verified because it is REAL money and has the Central Bank logo on it, and Present because you have it in your hands.) Because of this, our mobile payment will replace any other form of payment and will even take the place of the cash money we have known for ages, since Mobile Payment cannot be faked.
Our Hardware POS (Point Of Sale) encrypts all transaction details with the highest encryption standards available in the industry (AES & 3DES), using the private key installed in each Hardware POS. This keeps the details of the transaction safe from intrusion, modification or interception over any means of communication, through a burned-in Security Key on the Merchant POS that can only be changed by NetSense Authorized Staff in our manufacturing premises.
The Merchant-initiated payment transaction can also be initiated from a Soft POS, which NetSense developed to give the Merchant the advantages of ease of use and low cost overhead in adopting Mobile Payment. It is an ultra secured web payment page that the Merchant can use to process Mobile Payment transactions. This ultra secured payment page uses the traditional username and password authentication methodology with other optional authentication techniques like:
i) Virtual/On Screen Keyboard
ii) Certificate based login
iii) Two factor authentication mechanism
iv) All communications are served on the highest level of SSL secured web page available in today's industry standards.
The above four layers are added security measures that ultra secure our Soft POS payment tool, which gives the Merchant optimum security even against internal fraud attempts by store staff.
Scenario
2) Merchant uses his Soft POS or Hardware POS to ask for authorization to withdraw a certain amount of money from a Mobile Payment Account
3) Customer receives an SMS with the transaction details, which are:
a. Merchant Name
b. Amount
c. Asking for PIN to authorize the transaction
4) Customer sends his PIN number to NetSense Payment Server
5) NetSense transfers the money from the customer's mobile payment account to the Merchant's NetSense Account
6) Merchant receives a Success Status on his Software/Hardware POS with transaction ID and/or confirmation code for further tracking.
7) Merchant can withdraw liquid money from NetSense on a weekly basis or can pay another Merchant using Mobile Payment in a Business to Business transaction.
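The merchant-initiated scenario above, together with the free-text PIN reply mentioned in the description, as an added Python example that is not code from the patent or from NetSense. The class and function names, the 4-digit PIN, the retry limit and the expiry window are assumptions, and the sender number of each incoming SMS is assumed to be supplied by the operator.

```python
import hashlib
import hmac
import re
import secrets

MAX_PIN_ATTEMPTS = 3       # assumption: the page sets no retry limit
REQUEST_TTL_SECONDS = 300  # assumption: the page sets no expiry for a request
PIN_LENGTH = 4             # assumption: the page does not give the PIN length


def hash_pin(pin, salt):
    """Salted, slow hash so the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def extract_pin(reply_text):
    """Return the PIN from a free-text reply, or None if it is ambiguous.

    A reply with zero or several PIN-length digit runs is rejected rather
    than guessed at.
    """
    runs = re.findall(r"(?<!\d)\d{%d}(?!\d)" % PIN_LENGTH, reply_text)
    return runs[0] if len(runs) == 1 else None


class PaymentServer:
    """Hypothetical stand-in for the payment server in the scenario."""

    def __init__(self):
        self.customers = {}  # mobile -> {"salt", "pin_hash", "balance"}
        self.merchants = {}  # merchant name -> balance
        self.pending = {}    # mobile -> the single request awaiting a PIN
        self.outbox = []     # (recipient, text): stands in for SMS and POS replies

    def enroll(self, mobile, pin, balance):
        salt = secrets.token_bytes(16)
        self.customers[mobile] = {
            "salt": salt, "pin_hash": hash_pin(pin, salt), "balance": balance}

    def pos_request(self, merchant, mobile, amount, now):
        """Steps 2-3: the POS names a customer and an amount; the customer is asked for a PIN."""
        live = self.pending.get(mobile)
        if live is not None and now <= live["expires"]:
            # The reply carries only a PIN, so it cannot say which request it
            # approves. Refuse a second request while one is outstanding.
            return None
        if mobile not in self.customers or amount <= 0:
            return None
        txn_id = secrets.token_hex(8)
        self.pending[mobile] = {
            "txn_id": txn_id, "merchant": merchant, "amount": amount,
            "expires": now + REQUEST_TTL_SECONDS, "attempts": 0}
        self.outbox.append((mobile, "You are asked to pay an amount of %d EGP to %s. "
                                    "Reply with your PIN." % (amount, merchant)))
        return txn_id

    def sms_reply(self, mobile, text, now):
        """Steps 4-6: verify the PIN, move the money, notify both sides."""
        req = self.pending.get(mobile)
        if req is None:
            return "no-pending-request"
        if now > req["expires"]:
            del self.pending[mobile]
            return "expired"
        customer = self.customers[mobile]
        pin = extract_pin(text)
        if pin is None or not hmac.compare_digest(
                hash_pin(pin, customer["salt"]), customer["pin_hash"]):
            req["attempts"] += 1
            if req["attempts"] >= MAX_PIN_ATTEMPTS:
                del self.pending[mobile]
                return "locked"
            return "bad-pin"
        del self.pending[mobile]  # single use: a replayed reply approves nothing
        if customer["balance"] < req["amount"]:
            return "insufficient-funds"
        customer["balance"] -= req["amount"]
        self.merchants[req["merchant"]] = (
            self.merchants.get(req["merchant"], 0) + req["amount"])
        note = "Transaction %s: %d EGP paid to %s" % (
            req["txn_id"], req["amount"], req["merchant"])
        self.outbox.append((req["merchant"], "Success. " + note))
        self.outbox.append((mobile, note))
        return "approved"
```

Because the reply contains nothing but the PIN, the only thing binding it to a transaction is the sender's number, which is why the example keeps one outstanding request per customer.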
b. Mobile Payment Initiated from the Customer:
The Customer/Payee initiates the payment transaction by sending our ultra secured payment Servers an SMS authorizing our Payment gateway to deduct a certain amount and deposit it to the Merchant Account. Such a transaction is verified by requesting a valid PIN number from the payee/customer to ensure that this transaction is legitimate, which is another layer of security.
The above two models make our innovative payment gateway the most secured for use in the B2C commerce model.
The Payment process is as follows:
Scenario (1)
1) Customer sends an SMS with Merchant ID and Amount of Transaction to NetSense Mobile Payment gateway.
2) Customer receives an SMS with the transaction details, which are:
a. Merchant Name
b. Amount
c. Asking for PIN to authorize the transaction
3) Customer sends his PIN number to NetSense Payment Server
4) NetSense transfers the money from the customer's mobile payment account to the Merchant's NetSense Account
5) Merchant receives a Success Status on his Software/Hardware POS with transaction ID and/or confirmation code for further tracking.
6) Merchant can withdraw liquid money from NetSense on a weekly basis or can pay another Merchant using Mobile Payment in a Business to Business transaction.
Scenario (2)
1) Customer sends an SMS with Merchant ID, Amount of Transaction and PIN to NetSense Mobile Payment gateway.
2) NetSense transfers the money from the customer's mobile payment account to the Merchant's NetSense Account
3) Merchant receives a Success Status on his Software/Hardware POS with transaction ID and/or confirmation code for further tracking.
4) Merchant can withdraw liquid money from NetSense on a weekly basis or can pay another Merchant using Mobile Payment in a Business to Business transaction.
Scenario (3)
1) Mobile Application (Virtual Wallet) is downloaded and installed on the Customer's mobile phone
2) Launching the Virtual Wallet is authenticated via PIN number
3) Virtual Wallet needs the following details to be able to forward a transaction:
a. Merchant ID
b. Amount
c. Repeated Payment (to be processed monthly/weekly to the same merchant)
4) Click send on the Virtual Wallet
5) Merchant receives an SMS confirming the transaction
6) Customer receives an SMS confirming the payment with confirmation code and transaction ID for further tracking.
7) Transaction is logged at the Customer's and Merchant's control panels.
- Please note that it is IMPOSSIBLE to intercept an SMS being sent from a mobile.
Merchant Security
Mobile Payment offers unique security measures to the Merchant, as it is considered a Verified Payment and a Present Payment. This means that the Merchant sees the Buyer and validates that she/he is receiving the Confirmation SMS, and can verify the Buyer's identity through authentication by PIN number, in addition to the SMS/Mail that the Merchant receives to verify the success and the amount of the transaction credited to his account. The Merchant can use a Hardware POS that is Mobile Payment enabled, which in turn applies extreme security measures by using an Internal/Private Key of the Merchant that is installed in the Mobile Payment POS by the NetSense POS Team. This key is used to validate and ensure the integrity of all payment details forwarded to NetSense payment Servers, as well as to identify the Merchant to NetSense Payment Servers.
This Merchant Private Key makes the transaction bulletproof in the sense that it cannot be altered/modified, and secures it against man-in-the-middle attacks and many other attacks.
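One way a payment server could check that a POS request comes from a known terminal and was not altered in transit, using a key installed per terminal as described above (added example, not NetSense's code). The page names no message format or signature scheme, so HMAC-SHA256 stands in for it here, and the field names, freshness window and class name are assumptions.

```python
import hashlib
import hmac
import json
import secrets

FRESHNESS_WINDOW_SECONDS = 120  # assumption: the page gives no time limit


def canonical(fields):
    """Serialize the fields one fixed way so both sides tag identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def tag_for(key, fields):
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def pos_build_request(terminal_id, key, mobile, amount, timestamp):
    """What the POS sends: the payment details plus a tag made with its installed key."""
    fields = {"terminal": terminal_id, "mobile": mobile, "amount": amount,
              "ts": timestamp, "nonce": secrets.token_hex(8)}
    return {"fields": fields, "tag": tag_for(key, fields)}


class RequestVerifier:
    """Server side: hypothetical holder of the per-terminal keys."""

    def __init__(self, terminal_keys):
        self.terminal_keys = terminal_keys  # terminal id -> key installed in that POS
        self.seen = set()                   # (terminal, nonce) pairs already accepted

    def check(self, message, now):
        fields = message.get("fields")
        if not isinstance(fields, dict):
            return "malformed"
        terminal = fields.get("terminal")
        key = self.terminal_keys.get(terminal) if isinstance(terminal, str) else None
        if key is None:
            return "unknown-terminal"
        supplied = str(message.get("tag", "")).encode()
        # Constant-time comparison; any change to amount, mobile or terminal
        # changes the expected tag.
        if not hmac.compare_digest(tag_for(key, fields).encode(), supplied):
            return "bad-tag"
        # Everything below reads fields that the tag has authenticated.
        if abs(now - fields["ts"]) > FRESHNESS_WINDOW_SECONDS:
            return "stale"
        replay_key = (fields["terminal"], fields["nonce"])
        if replay_key in self.seen:
            return "replay"
        self.seen.add(replay_key)  # entries older than the window can be pruned
        return "accepted"
```

The tag alone stops modification but not a verbatim resend of a captured request, which is why the verifier also checks the timestamp and remembers nonces.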
The Merchant enjoys another level of security through the Software POS, which he/she can use to request funds from a certain Mobile Payment Account. This Software POS is secured by:
v) Virtual/On Screen Keyboard
vi) Certificate based authentication
vii) Two factor authentication mechanism
viii) All communications are served on the highest level of SSL secured web page available in today's industry standards.
That is through utilizing SIM Application Toolkit Security
Customer Security
Customer Security is one of our major concerns, as we are committed to delivering a Mobile Payment solution that is ultra secured as well as easy to use. This is achieved through many factors in our matrix:
A) SIM Card
The SIM provides the most basic level of security in GSM networks. The security functions provided by the SIM include:
• Storing and performing the algorithm used for authentication of the SIM to the network.
• Storing the subscriber authentication key.
• Storing and performing the algorithm used to generate the cipher key.
• Storing the cipher key, which is used to encrypt information transmitted between the handset and the cellular base station.
• Control of access to data stored, and functions performed, in the SIM.
The SIM is at the heart of the security model for the entire network. But network security features are becoming re-usable by non-GSM applications on a transaction basis, as in the WAP Identity Module (WIM). The SIM itself is a tamper-resistant device, but as smart cards in general become more popular, instances of attacks have increased. In response to this, some SIM operating system suppliers are using external agencies to validate security. An example of this is MULTOS, which has been assessed at ITSEC level E6.
The approaches to security in mobile payment are driven by the fundamental difference between securing the network and securing applications. Securing a public network is more pertinent to circuit switched voice traffic. However, securing applications, and more specifically transactions, is more applicable to transmission of data packets, which is what happens during Mobile Payment.
Cellular networks already provide better security than public fixed networks, because of the greater threat of eavesdropping on radio-based conversations.
Data and voice communications over digital cellular networks are encrypted as standard.
However, network security is only mandated (in GSM at least) between handsets and base stations. Importantly, backbone network security is at the discretion of operators. Consequently, NetSense mobile Payment application has its own security requirements, over and above basic cellular network provision.
B) Geographic Authentication
NetSense is the pioneer in implementing Geographic authentication in the Mobile Payment world. This security layer makes NetSense Payment Service immune to SIM fraud and some other phreaking techniques.
Simply put, Geographic authentication as invented by NetSense works as follows:
1) NetSense has a running application that knows where the customer is at the moment of performing a Mobile Payment transaction. The NetSense application knows the location of the mobile handset owner through the ID of the GSM network node.
2) NetSense knows the exact location of the Merchant through records that NetSense holds.
3) NetSense Payment Servers compare the location of the Merchant with the position of the Customer.
4) If a non-tolerated error occurs, the NetSense call center calls the mobile line owner and:
4.1) Validates his identity via challenge questions
4.2) Informs him/her about the transaction
4.3) Takes necessary action(s)
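The comparison in steps 1 to 4, as an added Python example that is not taken from the patent or from NetSense. The node IDs, coordinates, coverage radii and the tolerance value are constructed for illustration; the example also assumes that a node ID only places the handset somewhere inside that node's coverage area, so the radius is subtracted before the tolerance is applied.

```python
import math

TOLERANCE_KM = 2.0  # assumption: the page only speaks of a "non tolerated error"

# Constructed sample records, not real network or merchant data.
# GSM node ID -> (latitude, longitude, coverage radius in km)
CELL_SITES = {
    "CELL-CAI-0417": (30.0444, 31.2357, 1.5),
    "CELL-GIZ-0108": (30.0131, 31.2089, 2.0),
    "CELL-ALX-0032": (31.2001, 29.9187, 3.0),
}
# Merchant ID -> (latitude, longitude) from the merchant's registration record
MERCHANT_SITES = {
    "M-1001": (30.0500, 31.2400),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def geographic_check(cell_id, merchant_id, tolerance_km=TOLERANCE_KM):
    """Compare the customer's serving node with the merchant's recorded location.

    Returns "allow" when the merchant lies within the node's coverage plus the
    tolerance, and "call-center" (step 4) otherwise.
    """
    cell = CELL_SITES.get(cell_id)
    merchant = MERCHANT_SITES.get(merchant_id)
    if cell is None or merchant is None:
        # No location means no comparison; treat it as a failed check.
        return {"decision": "call-center", "reason": "location-unknown", "gap_km": None}
    cell_lat, cell_lon, radius_km = cell
    distance = haversine_km(cell_lat, cell_lon, merchant[0], merchant[1])
    gap = max(0.0, distance - radius_km)  # distance left after the cell's own coverage
    if gap > tolerance_km:
        return {"decision": "call-center", "reason": "location-mismatch",
                "gap_km": round(gap, 2)}
    return {"decision": "allow", "reason": "within-tolerance", "gap_km": round(gap, 2)}
```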
C) Privacy
NetSense allows Customers to pay via her/his mobile phone number or via an ID that NetSense issues to the customer. This solution is suitable for customers who don't want to disclose their mobile phone number to the Merchant.
NetSense maps the Customer ID to the mobile number to keep its customers' privacy.
D) Behavior/density analyses
NetSense monitors the density of its customers' transactions in order to spot any suspicious transaction, by analyzing the density and the behavior of the customer's transactions. In other words, if a NetSense customer has never paid for a certain kind of goods and NetSense finds him suddenly making a big transaction for such goods, the NetSense call center calls the customer and verifies the legitimacy of this specific transaction.
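The two signals named above, a large payment in a category the customer has never used and an unusual density of payments, as an added Python example (not from the patent or NetSense). The thresholds, the one-hour window, the sample categories and all names are assumptions; the baseline is built only from payments already known to be legitimate so that unverified activity cannot shift it.

```python
from collections import defaultdict
from statistics import median

BIG_FACTOR = 3.0       # assumption: "big" is at least 3x the customer's median payment
DENSITY_FACTOR = 2.0   # assumption: more than 2x the busiest earlier window is unusual
WINDOW_SECONDS = 3600  # assumption: density is counted per hour
MIN_HISTORY = 5        # assumption: fewer verified payments gives no baseline


def busiest_window(times, window=WINDOW_SECONDS):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


class BehaviourMonitor:
    def __init__(self):
        self.verified = defaultdict(list)  # customer -> [(time, category, amount)]

    def record_verified(self, customer, when, category, amount):
        """Add a payment to the baseline only once it is known to be legitimate."""
        self.verified[customer].append((when, category, amount))

    def assess(self, customer, when, category, amount):
        """Return a verdict for a new payment without changing the baseline."""
        past = self.verified.get(customer, [])
        # The baseline is everything older than the current window.
        earlier = [p for p in past if when - p[0] > WINDOW_SECONDS]
        if len(earlier) < MIN_HISTORY:
            return {"verdict": "no-baseline", "reasons": []}
        reasons = []
        typical = median(p[2] for p in earlier)
        new_category = all(p[1] != category for p in past)
        if new_category and amount >= BIG_FACTOR * typical:
            reasons.append("large-payment-in-new-category")
        recent = 1 + sum(1 for p in past if 0 <= when - p[0] <= WINDOW_SECONDS)
        if recent > DENSITY_FACTOR * busiest_window([p[0] for p in earlier]):
            reasons.append("unusual-density")
        return {"verdict": "call-customer" if reasons else "ok", "reasons": reasons}
```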
E) Parental Payment
NetSense offers a unique feature that no other payment method has: parental control over payment. NetSense offers this feature as follows:
1) Parents charge their children's/kids' NetSense Mobile Payment account.
2) Parents log in to the NetSense Web Accountant Module.
3) Parents control which Merchant Categories children/kids can pay money to.
This unique feature gives control over what children/kids pay for, as well as the safety of not carrying cash, plus the statement that parents can use to watch their kids.
Online/Network Security
NetSense utilizes the best of breed in today's network and online security. The NetSense servers farm is considered an ultra-secured hosting farm: it utilizes an Internet resilient firewalls solution in active/active state, with three redundant Internet connections to our datacenter, in addition to IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) in every zone of our servers farm. Dividing our servers farm into multiple zones is considered an extra layer of security within our farm and allows us to take different security measures for each of these zones according to its level of exposure in the NetSense servers farm. For instance, the DMZ zone is separated from the Applications/DB servers farm zone by resilient firewalls, and the communication between those zones is over VPN or SSL according to the load expected in the specific tier/zone. Intrusion Detection Systems (IDS) are available in each zone, and those IDS examine the traffic in the zones to add an extra layer of security to our servers farm. Each zone has its own security administrator, and each administrator secures his zone against all other zones without disruption to the operation.
NetSense utilizes several resilient reverse proxies in front of our application servers to add an extra layer of security at the application level, which makes our application servers completely isolated from the Internet by (Firewall + Reverse Proxy + Load Balancing switches).
NetSense utilizes the best load balancing hardware to accept connections and distribute the load across the NetSense servers farm according to the utilization and load of each server, which adds another layer of security by guaranteeing availability in our operation.
The NetSense servers farm file system is fully encrypted with the maximum level of encryption available today in the cryptographic world, which ensures extreme security for all the transaction details stored in NetSense physical storage units and, at the same time, ensures maximum security at the physical level, as the file system used in our operation is useless to any person on earth except us.
NetSense utilizes read-only storage dedicated to log servers.
NetSense takes extreme security measures against internal staff as much as against the Internet. NetSense has the advantage of having its own PKI platform, which is used to ensure secure, integrity-protected and authenticated communication between the different zones of our farm; all communication and all file systems are encrypted.
The NetSense monitoring team monitors operation/availability and IDS/IPS alerts to ensure smooth operation around the clock.
GSM Security
There are many security measures in today's GSM networks, due to the fact that GSM networks are digital networks, which gives them an advantage over analogue and fixed-line networks.
GSM networks don't allow SMS forgery; in other words, you can send an SMS to a certain user faking its origin, but you still cannot control its destination, which means the NetSense PIN confirmation SMS is always sent to the NetSense Short Messaging Server and cannot be diverted from its authentic destination.
NetSense Mobile Payment solution utilizes those embedded security measures for the benefit of its mobile payment mechanism. GSM security features that NetSense uses are Authentication Algorithm, Ciphering Algorithm, Ciphering Key Generating Algorithm, Cipher Block Chaining, Cipher Feedback, Digital Signature Algorithm, Ciphering Key, Secure Hash Algorithm, and Signed Response.
The subscriber is uniquely identified by the International Mobile Subscriber Identity (IMSI). This information, along with the individual subscriber authentication key (Ki), constitutes sensitive identification credentials analogous to the Electronic Serial Number (ESN) in analog systems such as AMPS and TACS. The design of the GSM authentication and encryption schemes is such that this sensitive information is never transmitted over the radio channel. Rather, a challenge-response mechanism is used to perform authentication. The actual conversations are encrypted using a temporary, randomly generated ciphering key (Kc). The MS identifies itself by means of the Temporary Mobile Subscriber Identity (TMSI), which is issued by the network and may be changed periodically (i.e. during hand-offs) for additional security.
The security mechanisms of GSM are implemented in three different system elements: the Subscriber Identity Module (SIM), the GSM handset, and the GSM network. The SIM contains the IMSI, the individual subscriber authentication key (Ki), the ciphering key generating algorithm (A8), the authentication algorithm (A3), as well as a Personal Identification Number (PIN). The GSM handset contains the ciphering algorithm (A5). The encryption algorithms (A3, A5, A8) are present in the GSM network as well. The Authentication Center (AUC), part of the Operation and Maintenance Subsystem (OMS) of the GSM network, consists of a database of identification and authentication information for subscribers. This information consists of the IMSI, the TMSI, the Location Area Identity (LAI), and the individual subscriber authentication key (Ki) for each user. In order for the authentication and security mechanisms to function, all three elements (SIM, handset, and GSM network) are required. This distribution of security credentials and encryption algorithms provides an additional measure of security both in ensuring the privacy of cellular telephone conversations/SMS and in the prevention of cellular telephone fraud.
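The challenge-response exchange between the AUC and the SIM, shown from both sides as an added example that is not part of the patent text. The real A3/A8 algorithms are chosen by the operator; HMAC-SHA256 is swapped in here purely as a stand-in, and the class and function names are hypothetical. The sizes used (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) are the GSM ones.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: derive SRES (32 bits) and Kc (64 bits) from Ki
    and RAND. HMAC-SHA256 is an illustrative substitute, not a GSM algorithm."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]


class AuthCentre:
    """Network side (AUC): holds Ki per IMSI and issues challenges."""
    def __init__(self):
        self.ki_by_imsi, self.pending = {}, {}

    def provision(self, imsi: str) -> bytes:
        ki = secrets.token_bytes(16)      # 128-bit Ki, shared only with the SIM
        self.ki_by_imsi[imsi] = ki
        return ki

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)    # fresh 128-bit RAND per attempt
        self.pending[imsi] = a3_a8(self.ki_by_imsi[imsi], rand)
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return Kc on success, None on failure. Each challenge is one-shot."""
        expected, kc = self.pending.pop(imsi)
        return kc if hmac.compare_digest(sres, expected) else None


class Sim:
    """Subscriber side: Ki stays inside the SIM; only SRES leaves it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


def run_exchange(auc: AuthCentre, sim: Sim) -> dict:
    """Run one authentication and report what crossed the radio link."""
    rand = auc.challenge(sim.imsi)
    sres = sim.respond(rand)
    kc = auc.verify(sim.imsi, sres)
    return {"air": [rand, sres], "authenticated": kc is not None,
            "keys_match": kc is not None and kc == sim.kc}
```

Only RAND and SRES appear in the `air` list; Ki and the derived Kc are computed independently on each side and never sent.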
Secured Development Cycle
NetSense took into consideration the security of its application platform since day zero, with many input validation measures, strong authentication, authorization mechanisms, and strong session management. This is done by using our security experts and many other commercial security assessment tools like:
• Use static analysis tools to detect use of prohibited libraries or unsafe functions
• Use static analysis tools to detect the lack of secure libraries like input filtering
• Use analysis tools to detect C/C++ memory errors
• Use commercial web application scanning tools and filter results to provide relevance
• Use commercial source code scanning tools and filter results to provide relevance
• Use commercial binary analysis tools and filter results to provide relevance
NetSense Public key infrastructure (PKI)
PKI (public key infrastructure) enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message.
A public key infrastructure consists of:
• A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key
• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are held
• A certificate management system.
NetSense utilizes its PKI to ensure ultra-secured data exchange between the elements of its payment solution and uses its PKI as the envelope to protect all communications from any data risks.
New Elements that need Security
Create a new system that can merge mobile phones with the NetSignature M-Currency payment system and the mobile phone network.
PCT/EG2008/000025 2007-11-19 2008-08-12 M. currency- net sense WO2009065417A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EG2007110596 2007-11-19
EG2007110596 2007-11-19

Publications (1)

Publication Number Publication Date
WO2009065417A1 true WO2009065417A1 (en) 2009-05-28

Family

ID=40667144

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EG2008/000025 WO2009065417A1 (en) 2007-11-19 2008-08-12 M. currency- net sense

Country Status (1)

Country Link
WO (1) WO2009065417A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102598037A (en) * 2009-10-19 2012-07-18 法贝尔金融有限责任公司 Mobile payment station system and method
CN102917351A (en) * 2011-08-05 2013-02-06 中国移动通信集团公司 Method and device for realizing application in user identification card and user identification card
CN111031066A (en) * 2019-12-25 2020-04-17 哈尔滨新中新电子股份有限公司 Data transmission method among PC (personal computer), gateway and POS (point-of-sale) machine in all-purpose card system
US11213773B2 (en) 2017-03-06 2022-01-04 Cummins Filtration Ip, Inc. Genuine filter recognition with filter monitoring system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08784485

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 290910

122 Ep: pct application non-entry in european phase

Ref document number: 08784485

Country of ref document: EP

Kind code of ref document: A1