

Title:
AN ELECTRONIC DEVICE AND METHOD FOR MAKING AN ELECTRONIC TRANSACTION
Document Type and Number:
WIPO Patent Application WO/2019/042544
Kind Code:
A1
Abstract:
An electronic device and method for making an electronic transaction. The invention relates to an electronic device (101) for making an electronic transaction. The electronic device (101) comprises: a processing unit (103) configured to run a transaction application, wherein the transaction application is configured to allow a user to make the electronic transaction; and a user interface (105) being controlled by the processing unit (103), wherein the user interface (105) is configured to allow a user to interact with the transaction application using one or more user interactions, wherein the one or more user interactions generate user interaction data; wherein the processing unit (103) is further configured to collect at least partially the user interaction data and to trigger an operation for cryptographically signing and storing the collected user interaction data.

Inventors:
SMYTH BENJAMIN (DE)
MUELLER AXEL (DE)
SCHOO PETER (DE)
Application Number:
PCT/EP2017/071794
Publication Date:
March 07, 2019
Filing Date:
August 30, 2017
Assignee:
HUAWEI TECH CO LTD (CN)
SMYTH BENJAMIN (FR)
International Classes:
G06Q30/06; G06Q20/40; G06Q30/00; G06Q40/04
Domestic Patent References:
WO2013019369A1 2013-02-07
Foreign References:
US20160308677A1 2016-10-20
US20150200934A1 2015-07-16
US9158372B2 2015-10-13
Attorney, Agent or Firm:
KREUZ, Georg (DE)
Claims:
CLAIMS

1. An electronic device (101) for making an electronic transaction, the electronic device (101) comprising: a processing unit (103) configured to run a transaction application, wherein the transaction application is configured to allow a user to make the electronic transaction; and a user interface (105) being controlled by the processing unit (103), wherein the user interface (105) is configured to allow a user to interact with the transaction application using one or more user interactions, wherein the one or more user interactions generate user interaction data; wherein the processing unit (103) is further configured to collect at least partially the user interaction data and to trigger an operation for cryptographically signing and storing the collected user interaction data.

2. The electronic device (101) of claim 1, wherein the electronic device (101) further comprises a display (107) being controlled by the processing unit (103), wherein the display (107) is configured to display one or more graphical elements defined by the transaction application.

3. The electronic device (101) of claim 1 or 2, wherein the processing unit (103) comprises an application processor configured to run the transaction application and a trusted computing module configured to collect at least partially the user interaction data and/or cryptographically sign the collected user interaction data.

4. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) further comprises a non-volatile memory (109) configured to store the collected user interaction data.

5. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) further comprises a communication interface (111) and wherein the transaction application is configured to exchange transaction data over the communication interface (111) with a remote transaction network entity (123) for making the electronic transaction.

6. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) further comprises a communication interface (111) and wherein the processing unit (103) is configured to transmit the collected user interaction data over the communication interface (111) to a remote storage network entity (121) for cryptographically signing and storing the collected user interaction data by the remote storage network entity (121).

7. The electronic device (101) of any one of the preceding claims, wherein the processing unit (103) is further configured to generate an electronic attestation that the electronic device (101) is operating properly, when generating and/or collecting at least partially the user interaction data, and to trigger an operation for storing the collected user interaction data together with the electronic attest.

8. The electronic device (101) of any one of the preceding claims, wherein the processing unit (103) is configured to collect at least partially the user interaction data, in response to a trigger from the transaction application, a trigger from the user, a trigger from an operating system running on the processing unit (103) and/or a trigger from a third party.

9. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) further comprises a communication bus (113) for exchanging data between the processing unit (103), the user interface (105) and/or the display (107) and wherein the user interaction data comprise data that are generated by the one or more user interactions and exchanged over the communication bus (113).

10. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) implements an operating system defining an input buffer and/or an output buffer for buffering data and wherein the user interaction data comprise data that are generated by the one or more user interactions and buffered in the input buffer to be processed by the operating system or the output buffer having been processed by the operating system.

11. The electronic device (101) of any one of the preceding claims, wherein the user interaction data further comprises a plurality of screenshots of the display (107), including a first screenshot of the display (107) prior to a first user interaction of the one or more user interactions and a second screenshot of the display (107) after the first user interaction, a plurality of memory images, including a first memory image prior to the first user interaction and a second memory image after the first user interaction, and/or metadata.

12. The electronic device (101) of any one of the preceding claims, wherein the processing unit (103) is further configured to compress the collected user interaction data.

13. The electronic device (101) of any one of the preceding claims, wherein the user interface (105) comprises a touchscreen and/or a keyboard.

14. The electronic device (101) of any one of the preceding claims, wherein the electronic device (101) is a smartphone.

15. An electronic transaction system (100), comprising: an electronic device (101) according to any one of claims 1 to 14; and a remote storage network entity (121), wherein the remote storage network entity (121) is configured to store the collected user interaction data received from the electronic device (101).

16. The electronic transaction system (100) of claim 15, wherein the electronic transaction system (100) further comprises a remote transaction network entity (123) configured to exchange transaction data with the electronic device (101) for making the electronic transaction.

17. A method (400) for making an electronic transaction, the method (400) comprising: running (401) a transaction application on a processing unit (103) of an electronic device (101), wherein the transaction application is configured to allow a user to make the electronic transaction; allowing (403) a user to interact with the transaction application using one or more user interactions with a user interface (105) of the electronic device (101) being controlled by the processing unit (103), wherein the one or more user interactions generate user interaction data; collecting (405) at least partially the user interaction data; and triggering (407) an operation for cryptographically signing and storing the collected user interaction data.

18. The method (400) of claim 17, wherein the method (400) further comprises displaying one or more graphical elements defined by the transaction application on a display (107) of the electronic device (101) being controlled by the processing unit (103).

19. A computer program comprising program code for performing the method (400) according to claims 17 to 18 when executed on a computer.

Description:
DESCRIPTION

An electronic device and method for making an electronic transaction

TECHNICAL FIELD

In general, the present invention relates to the field of secure electronic transactions. More specifically, the present invention relates to an electronic device and method for making a trusted and verifiable electronic transaction.

BACKGROUND

In the new era of E-commerce, consumers constantly interact with screens of electronic devices, and use applications thereon via graphical- and/or text-based user interfaces (UIs) to perform various tasks or activities, e.g. setting an amount of money and initiating a money transfer. This is especially relevant to the use of smart phones.

However, the visible state of an application on an electronic device does not necessarily reflect the true internal state of the device, software and/or hardware, which may be due to an intentional act (e.g., a scam) or an unintentional act (e.g., a bug). Moreover, a user who uses the application cannot prove that the performed interactions with the user-interface elements of the application conform to his intended actions. Similarly, an online bank or merchant may not be able to know or prove whether the state of the software or hardware reflects the intent of the user. Examples of possible issues between a UI and an internal state include scenarios where the UI input and the interpreted/saved/backhauled intent do not necessarily match, and scenarios including malicious UIs (mislabelled or overlaid buttons). The order of interactions is important as well.

As traditional functions of society are being pushed toward the cloud, problems arise when things go wrong without any corresponding legal recovery mechanisms.

Unfortunately, online banks/merchants and customers cannot prove whether an action, for instance a money transfer, stock purchase or sale of goods, and in particular the value of the transaction, was indeed initiated by the customer side. This may result in serious problems when customers are "scammed" by faulty systems (e.g., the customer's browser, the business's software, or third-party software such as a database) or by malicious online banks/merchants or malicious employees without any legal recovery, and/or when online banks/merchants are "scammed" by faulty systems, malicious customers or malicious employees without any legal recovery. Besides, online banks/merchants may hence lose the trust of customers and face a public-relations crisis. To avoid the above situations, the following technical problem needs to be solved: reliable proofs need to be obtained for all involved parties concerning the states of UIs, software or hardware, the chosen UI options, the UI interactions and their order. This technical problem is, however, challenging to solve since the proofs need to be: tamper proof against software, hardware and network attacks; lightweight/efficiently collected; unobtrusive; and trusted by all involved parties, such as online banks/merchants, consumers, judges, etc. Additionally, it might be beneficial to include even more features, such as making the involved parties identifiable and authenticated.

Some previous works have tried to address similar problems in the field of UI development and testing. For example, the patent US9158372B2 proposes a method and apparatus for user interaction data storage. However, the integrity of the data stored according to US9158372B2 cannot be ensured and thus the stored data cannot be trusted, as that approach does not allow for signing and tamper-proofing of the stored data and relies merely on display changes to detect interactions. Indeed, the available solutions provided by the state of the art still face several critical problems: firstly, the data they provide are not tamper proof, and hence cannot be trusted by users. Moreover, these data cannot be accepted in a court of law either. Finally, these available solutions lack efficiency.

In light of the above, there is a need for an improved electronic device as well as a corresponding method for making an electronic transaction, allowing tamper-proofing of user data and improving security of user data transaction.

SUMMARY

It is an object of the invention to provide an improved electronic device and a corresponding method for making an electronic transaction, allowing tamper-proofing of user data and improving security of user data transaction.

The foregoing and other objects are achieved by the subject matter of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.

Generally, the present invention relates to an electronic device and a method for making an electronic transaction, allowing tamper-proofing of user data and improving the safety of user transactions. More specifically, embodiments of the present invention can collect states of software or hardware, communication, user interaction and/or metadata (e.g. authentication) and add cryptographic proofs, e.g. by signing or attesting the collected data, to prevent tampering. Adding cryptographic proofs enables a plurality of parties, comprising but not limited to customers, business owners, courts and auditors, to prove whether a transaction actually took place. In comparison, without cryptographic proofs it would be possible to fabricate evidence for a transaction even though the transaction never actually occurred. This novel feature according to the embodiments of the invention provides a proof of the data, rather than merely a way to securely transmit or store the data.

An example of applying cryptographic proofs at the user or client side can be a Trusted Computing Module (TCM), which can sign the collected data and be combined with a proof that the TCM works properly, for instance, by attaching a test or cryptographic binary attestation. Similarly, applications of the standard cryptographic schemes can also be implemented for the server and/or a third party. The implementation forms according to the invention will be described in more detail further below. Furthermore, the embodiments of the invention can collect data comprising states of software or hardware, communication, user interaction and/or metadata by using a trusted computing hardware module before a general-purpose processing unit accesses the data, wherein data collection can be restricted depending on efficiency and security needs and wherein the data can be archived as reliable proofs at involved and/or third parties. The data mentioned above can be an analog signal collected at the hardware level, or raw data collected after analogue-to-digital conversion at the hardware or software level, or processed raw data. It is worth noting that the analog signal has the greatest reliability or security, while the processed raw data is the most useful.

More specifically, according to a first aspect the invention relates to an electronic device for making an electronic transaction. The electronic device comprises: a processing unit configured to run a transaction application, wherein the transaction application is configured to allow a user to make the electronic transaction; and a user interface being controlled by the processing unit, wherein the user interface is configured to allow a user to interact with the transaction application using one or more user interactions, wherein the one or more user interactions generate user interaction data; wherein the processing unit is further configured to collect at least partially the user interaction data and to trigger an operation for cryptographically signing and storing the collected user interaction data.

Thus, an improved electronic device for making an electronic transaction is provided, allowing tamper-proofing of user data and improving security of user data transaction.

In a further possible implementation form of the first aspect, the electronic device further comprises a display being controlled by the processing unit, wherein the display is configured to display one or more graphical elements defined by the transaction application.

In a further possible implementation form of the first aspect, the processing unit comprises an application processor configured to run the transaction application and a trusted computing module configured to cryptographically sign the collected user interaction data.

In a further possible implementation form of the first aspect, the electronic device further comprises a non-volatile memory configured to store the collected user interaction data.

In a further possible implementation form of the first aspect, the electronic device further comprises a communication interface and wherein the transaction application is configured to exchange transaction data over the communication interface with a remote transaction network entity for making the electronic transaction.

In a further possible implementation form of the first aspect, the electronic device further comprises a communication interface and wherein the processing unit is configured to transmit the collected user interaction data over the communication interface to a remote storage network entity for cryptographically signing and storing the collected user interaction data by the remote storage network entity.

In a further possible implementation form of the first aspect, the processing unit is further configured to generate an electronic attestation that the electronic device is operating properly, when generating and/or collecting at least partially the user interaction data, and to trigger an operation for storing the collected user interaction data together with the electronic attest.

In a further possible implementation form of the first aspect, the processing unit is configured to collect at least partially the user interaction data, in response to a trigger from the transaction application, a trigger from the user, a trigger from an operating system running on the processing unit and/or a trigger from a third party.

In a further possible implementation form of the first aspect, the electronic device further comprises a communication bus for exchanging data between the processing unit, the display and/or the user interface and wherein the user interaction data comprise data that are generated by the one or more user interactions and exchanged over the communication bus.

In a further possible implementation form of the first aspect, the electronic device implements an operating system defining an input buffer and/or an output buffer for buffering data and wherein the user interaction data comprise data that are generated by the one or more user interactions and buffered in the input buffer to be processed by the operating system or the output buffer having been processed by the operating system.

In a further possible implementation form of the first aspect, the user interaction data comprises a plurality of screenshots of the display, including a first screenshot of the display prior to a first user interaction of the one or more user interactions and a second screenshot of the display after the first user interaction, a plurality of memory images, including a first memory image prior to the first user interaction and a second memory image after the first user interaction, and/or metadata.

In a further possible implementation form of the first aspect, the processing unit is further configured to compress the collected user interaction data.

In a further possible implementation form of the first aspect, the user interface comprises a touchscreen and/or a keyboard.

In a further possible implementation form of the first aspect, the electronic device is a smartphone.

According to a second aspect the invention relates to an electronic transaction system, wherein the electronic transaction system comprises: an electronic device according to the first aspect; and a remote storage network entity, wherein the remote storage network entity is configured to store the collected user interaction data received from the electronic device.

Thus, an improved electronic transaction system is provided, allowing tamper-proofing and storing of user data and improving security of user data transaction.

In a further possible implementation form of the second aspect, the electronic transaction system further comprises a remote transaction network entity configured to exchange transaction data with the electronic device for making the electronic transaction.

According to a third aspect the invention relates to a method for making an electronic transaction. The method comprises: running a transaction application on a processing unit of an electronic device, wherein the transaction application is configured to allow a user to make the electronic transaction; allowing a user to interact with the transaction application using one or more user interactions with a user interface of the electronic device being controlled by the processing unit, wherein the one or more user interactions generate user interaction data; collecting at least partially the user interaction data; and triggering an operation for cryptographically signing and storing the collected user interaction data.

Thus, an improved method for making an electronic transaction is provided, allowing tamper-proofing of user data and improving security of user data transaction.

In a further possible implementation form of the third aspect, the method further comprises displaying one or more graphical elements defined by the transaction application on a display of the electronic device being controlled by the processing unit.

According to a fourth aspect the invention relates to a computer program comprising program code for performing the method of the third aspect as such when executed on a computer.

The invention can be implemented in hardware and/or software.

BRIEF DESCRIPTION OF THE DRAWINGS

Further embodiments of the invention will be described with respect to the following figures, wherein:

Figure 1 shows a schematic diagram of an electronic transaction system comprising an electronic device according to an embodiment;

Figure 2 shows a schematic diagram summarizing steps of a method for making an electronic transaction according to an embodiment;

Figure 3 shows a schematic diagram illustrating proof of an online transaction via an electronic device according to an embodiment implemented as a smart phone; and

Figure 4 shows a schematic diagram illustrating a method for making an electronic transaction according to an embodiment.

In the various figures, identical reference signs will be used for identical or at least functionally equivalent features.

DETAILED DESCRIPTION OF EMBODIMENTS

In the following description, reference is made to the accompanying drawings, which form part of the disclosure, and in which are shown, by way of illustration, specific aspects in which the present invention may be placed. It will be appreciated that other aspects may be utilized and structural or logical changes may be made without departing from the scope of the present invention. The following detailed description, therefore, is not to be taken in a limiting sense, as the scope of the present invention is defined by the appended claims.

For instance, it will be appreciated that a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa. For example, if a specific method step is described, a corresponding device may include a unit to perform the described method step, even if such unit is not explicitly described or illustrated in the figures.

Moreover, in the following detailed description as well as in the claims embodiments with different functional blocks or processing units are described, which are connected with each other or exchange signals. It will be appreciated that the present invention covers embodiments as well, which include additional functional blocks or processing units that are arranged between the functional blocks or processing units of the embodiments described below.

Finally, it is understood that the features of the various exemplary aspects described herein may be combined with each other, unless specifically noted otherwise.

As will be described in more detail in the following, embodiments of the invention relate to an electronic transaction system 100 comprising an electronic device 101, a remote storage network entity 121 and a remote transaction network entity 123, which is shown in figure 1. In an exemplary embodiment, the electronic device 101 could be a smart phone, the remote storage network entity 121 could be a cloud storage server and the remote transaction network entity 123 could be the transaction server of an online merchant or bank.

As illustrated in figure 1, the electronic device 101 comprises a processing unit 103 configured to run a transaction application, wherein the transaction application is configured to allow a user to make the electronic transaction. The electronic device 101 further comprises a user interface 105 and a display 107 being both controlled by the processing unit 103, wherein the display 107 is configured to display one or more graphical elements defined by the transaction application, and wherein the user interface 105 is configured to allow a user to interact with the transaction application using one or more user interactions, wherein the one or more user interactions generate user interaction data. As can be taken from figure 1, the electronic device 101 further comprises a non-volatile memory 109 configured to store the collected user interaction data and a communication interface 111, wherein the transaction application is configured to exchange transaction data over the communication interface 111 with the remote transaction network entity 123 for making the electronic transaction.

According to an embodiment, the electronic device 101 can be a smartphone and the user interface 105 comprises a touchscreen and/or a keyboard. Furthermore, the user interaction data comprises a plurality of screenshots of the display 107 according to an embodiment, including a first screenshot of the display 107 prior to a first user interaction of the one or more user interactions and a second screenshot of the display 107 after the first user interaction, a plurality of memory images, including a first memory image prior to the first user interaction and a second memory image after the first user interaction, and/or metadata.

Furthermore, the electronic device 101 further comprises a communication bus 113 for exchanging data between the processing unit 103, the user interface 105 and/or the display 107 and wherein the user interaction data comprise data that are generated by the one or more user interactions and exchanged over the communication bus 113.

Furthermore, the electronic device 101 implements an operating system defining an input buffer and/or an output buffer for buffering data and wherein the user interaction data comprise data that are generated by the one or more user interactions and buffered in the input buffer to be processed by the operating system or the output buffer having been processed by the operating system. Furthermore, the processing unit 103 of the electronic device 101 is configured to collect at least partially the user interaction data and to trigger an operation for cryptographically signing and storing the collected user interaction data, and the processing unit 103 comprises an application processor configured to run the transaction application and a trusted computing module configured to cryptographically sign the collected user interaction data.

According to an embodiment, the processing unit 103 is configured to transmit the collected user interaction data over the communication interface 111 to the remote storage network entity 121 for cryptographically signing and storing the collected user interaction data by the remote storage network entity 121.

According to an embodiment, the processing unit 103 is further configured to generate an electronic attestation that the electronic device 101 is operating properly, when generating and/or collecting at least partially the user interaction data, and to trigger an operation for storing the collected user interaction data together with the electronic attest.

According to an embodiment, the processing unit 103 is further configured to collect at least partially the user interaction data, in response to a trigger from the transaction application, a trigger from the user, a trigger from an operating system running on the processing unit 103 and/or a trigger from a third party, and to compress the collected user interaction data.

According to an embodiment, the remote storage network entity 121 is configured to store the collected user interaction data received from the electronic device 101 and to exchange transaction data with the electronic device 101 for making the electronic transaction.

Figure 2 shows a schematic diagram illustrating a method 200 for tamper-proofing of user data and improving security of user data transaction according to an embodiment, wherein the method 200 comprises five main steps: initializing data capture 201, capturing data 203, securing data 205, recording data 207, and evaluating data 209. Data capture is also referred to as data collection according to embodiments of the invention. These steps, which can be performed by the processing unit 103 of the electronic device 101, will be described in more detail below.

In step 201, data capture or collection can be initialized by means of one of the following actions: an OS event (e.g., a crash or a "start trusted acquisition" flag); an application event (e.g., a "start trusted acquisition" flag); a first party such as a user, interlocutor, server, etc. (e.g., a "start trusted acquisition" flag); or a third party (e.g., a "start trusted acquisition" flag). That is, data capture or collection can be initialized following one of the above actions.

In step 203, data can be captured or collected by means of applications/software or (trusted) operating systems or (trusted) hardware devices, wherein the data can be an analog signal captured at the hardware level, or raw data captured after analogue-to-digital conversion at the hardware or software level, or processed raw data. It is worth noting that the analog signal has the greatest reliability or security while the processed raw data is the most useful.

Moreover, the collected data can comprise the following data types: application states, such as video (full screen/screen area), screenshots (full screen/screen area), memory state (hardware, full/partial) and variables (software, full/partial); user interactions, such as touch-screen interaction (position, press, etc.), pointer system interaction (position, button press, etc.), touch-screen raw data/processed data, device input raw data/processed data, voice and other sensors; and metadata, such as time and session information captured by a device to identify the user (e.g., username, network domain, fingerprints of the user, a photo of the user during the interaction, long-term usage records, etc.). Generally, the data capture or collection is restricted to a minimum of the required data.

In step 205, the captured or collected data can be secured in the following ways: the captured data can be signed by an interlocutor, i.e. the interlocutor can act upon the captured data; the captured data can be signed by a first party, which might rely on a public key stored on the device or on trusted hardware inside the device; the captured data can be made immutable by some methods, e.g. write-once hardware, Blockchain, etc.; an attestation can be constructed based upon the captured data; data deemed unnecessary can be removed, or the data can be compressed by using known compression algorithms, such as LZW, run-length and gzip.

In step 207, the captured or collected data can be recorded or stored in a local storage of a first party, e.g. a black box, Blockchain, trusted storage, etc., and/or in a remote storage of an interlocutor or a third party, e.g. Cloud, Blockchain, trusted storage, etc.

Finally in step 209, the captured or collected data can be evaluated by firstly obtaining reported data from persons, such as users, app developers, judges, and officials or from systems, such as bug reporting, tax services, etc. The reported data can subsequently be evaluated to determine whether a business action was initiated by a customer.

In an embodiment, proof of a specific online transaction via a mobile phone is illustrated in figure 3, wherein the online transaction can relate to online shopping or stock trading. Performing the proof of the online transaction comprises the following steps.

In a step 1, the Operating System (OS) or browser or Application (App) or user of the mobile phone can identify an element, e.g. an HTML tag, which causes the initialization of data capture or collection in anticipation of a money/stock transfer on a mobile device with a touch screen and internet access. In an embodiment, the HTML tag might dictate data capture options. Moreover, in an embodiment, the browser might heuristically anticipate important actions without specific HTML tags. In an embodiment, the initialization of data capture or collection can be manual.

A full-screen capture can be activated by default in a step 2. In an embodiment, the App/user can decide to restrict the capture to one or more smaller regions of the screen.

In a step 3, capture or collection of the raw signals which are sent to the display and of the raw touch-screen data can be activated. For instance, the signals can be captured or collected by the OS or hardware of the mobile phone. The raw touch-screen data can be converted into a video overlay of the touch event in a step 4, which can be merged with the raw signals sent to the display. Subsequently, the resultant video can be compressed with an HEVC video codec. In an embodiment, separate data streams can be saved and compressed, i.e., the above step of merging data can be omitted. Moreover, the video can be replaced by a screenshot of the mobile phone in an embodiment.

The user or App or browser can finish the transaction and stop the capture or collection process in a step 5.

In a step 6, metadata including the time from the cloud or a cellular network, and information about the user account, can be collected. In a step 7, a trusted computing cryptoprocessor can attest to the captured data and software configuration.

The attestation can be uploaded to a third-party cloud server (e.g., Google) by the user and/or server in a step 8.

In case of any dispute, in a step 9 a judge can evaluate the attestation using a public key of the cryptoprocessor and thus assess the validity of the transaction or uncover irregularities in the transaction.

In a further embodiment, proof of a general online transaction, such as online shopping or stock trading, can be implemented as described in the following steps.

Firstly, the device of a customer can capture intent of the customer and prove that intent to a user-interface of a business owner. Secondly, the user-interface of the business owner can evaluate the proof, and if the proof is valid, the user-interface can initiate an action based upon the intent of the customer; otherwise, the user-interface can abort the transaction.

Next, this transaction process can continue between other components. An action can only be taken if there is evidence that suggests it should be. Therefore, a "shopping basket", for example, cannot incorrectly infer information from the user-interface.

In a further embodiment, proof of a device event via a saved and attested memory state can be implemented as described in the following steps, wherein the device event can relate to an attack, e.g. from a competitor, to scamming, or to intrusion detection/monitoring.

When a protected user manifests his intent, a plurality of snapshots of device memory states can be taken, and metadata including the time from the cloud or a cellular network can be collected. A trusted computing cryptoprocessor can attest to the captured data and software configuration. The attestation can be stored locally and uploaded to a third-party cloud server (e.g., Google) by the user and/or server.

In case of suspicion of any unintended behavior, a forensic expert can evaluate the plurality of snapshots of memory states taken previously. This evaluation can thus count as proper evidence in legal proceedings, due to the previous attestation.

A variant of the above embodiment can involve recovering intent of the user from the captured data, which is different from the traditional models, but it can provide better guarantees for all parties involved. In particular, a business owner can show that the transaction was acting upon the request of a customer, rather than an interaction between computing systems which might be malicious or buggy.
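The attest-and-verify steps of the figure-3 flow (steps 6, 7 and 9) and the signing option of step 205, as an added Go example that is not part of the patent application. The Ed25519 key pair, the JSON record layout, the hex digests and the sample touch event are assumptions standing in for the cryptoprocessor's key, its attestation format and real captured data, none of which the application specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// TouchEvent is one raw touch-screen sample (step 3); the values used below are constructed.
type TouchEvent struct {
	TimeMs int64
	X, Y   int
	Press  bool
}
// Evidence is the record the trusted computing cryptoprocessor attests to in step 7.
type Evidence struct {
	ScreenSHA256 string       // digest of the captured video or screenshot (steps 2 to 4)
	Touches      []TouchEvent // raw touch-screen data (step 3)
	NetworkTime  string       // time from the cloud or a cellular network (step 6)
	Account      string       // user account information (step 6)
	ConfigSHA256 string       // digest of the software configuration attested with the data
}
// Attestation binds the canonical evidence bytes to the cryptoprocessor's signature.
type Attestation struct{ Evidence, Signature []byte }

// Attest is step 7: the (simulated) cryptoprocessor signs the canonical JSON encoding.
func Attest(priv ed25519.PrivateKey, ev Evidence) Attestation {
	b, _ := json.Marshal(ev) // plain strings, ints, bools and slices: marshalling cannot fail
	return Attestation{Evidence: b, Signature: ed25519.Sign(priv, b)}
}

// Verify is step 9: check the signature with the cryptoprocessor's public key before trusting the record.
func Verify(pub ed25519.PublicKey, at Attestation) (ev Evidence, ok bool) {
	if !ed25519.Verify(pub, at.Evidence, at.Signature) || json.Unmarshal(at.Evidence, &ev) != nil {
		return Evidence{}, false
	}
	return ev, true
}

// Digest keeps bulky captures (video, screenshots, configuration) out of the record itself.
func Digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the cryptoprocessor's key pair
	at := Attest(priv, Evidence{ScreenSHA256: Digest([]byte("constructed screenshot")), Account: "alice",
		NetworkTime: "2017-08-30T10:00:00Z", Touches: []TouchEvent{{TimeMs: 1000, X: 120, Y: 640, Press: true}}})
	_, ok := Verify(pub, at)
	at.Evidence[0] ^= 1 // any alteration of the record (or its signature) must be rejected
	_, tampered := Verify(pub, at)
	fmt.Println("valid:", ok, "tampered accepted:", tampered) // valid: true tampered accepted: false
}
```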

Figure 4 shows a schematic diagram illustrating a method 400 for making an electronic transaction according to an embodiment.

The method 400 comprises a step 401 of running a transaction application on a processing unit 103 of an electronic device 101, wherein the transaction application is configured to allow a user to make the electronic transaction.

Furthermore, the method 400 comprises a step 403 of allowing a user to interact with the transaction application using one or more user interactions with a user interface 105 of the electronic device 101 being controlled by the processing unit 103, wherein the one or more user interactions generate user interaction data. Finally, the method 400 comprises a step 405 of collecting at least partially the user interaction data and a step 407 of triggering an operation for cryptographically signing and storing the collected user interaction data.

While a particular feature or aspect of the disclosure may have been disclosed with respect to only one of several implementations or embodiments, such feature or aspect may be combined with one or more other features or aspects of the other implementations or embodiments as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms "include", "have", "with", or other variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term "comprise". Also, the terms "exemplary", "for example" and "e.g." are merely meant as an example, rather than the best or optimal. The terms "coupled" and "connected", along with derivatives, may have been used. It should be understood that these terms may have been used to indicate that two elements cooperate or interact with each other regardless of whether they are in direct physical or electrical contact, or they are not in direct contact with each other.

Although specific aspects have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific aspects shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific aspects discussed herein.

Although the elements in the following claims are recited in a particular sequence with corresponding labeling, unless the claim recitations otherwise imply a particular sequence for implementing some or all of those elements, those elements are not necessarily intended to be limited to being implemented in that particular sequence.

Many alternatives, modifications, and variations will be apparent to those skilled in the art in light of the above teachings. Of course, those skilled in the art readily recognize that there are numerous applications of the invention beyond those described herein. While the present invention has been described with reference to one or more particular embodiments, those skilled in the art recognize that many changes may be made thereto without departing from the scope of the present invention. It is therefore to be understood that within the scope of the appended claims and their equivalents, the invention may be practiced otherwise than as specifically described herein.