FIELD

[0001] The present invention relates to securely verifying telephone discussions.

BACKGROUND

[0002] While password including the use of two factor

authentication and other secure verification strategies are used routinely to verify internet transactions, verification by an individual of the identity of a telephone caller is less

developed.

[0003] A popular media attack known as a spear phishing is used to target unknown customers of entities such as major corporate organisations. While these attacks can sometimes be thwarted at the outset by two factor authentication, spear phishing attacks when successful can enable collection by criminals of key identifying information of customers which allows future tax such as identity fraud to happen on different mediums, including telephone discussion.

[0004] It is not only the case that email and web based

communications can impersonate corporate entities, and thereby attempt to obtain key identifying information from individuals. Particularly because of the impersonal nature of large entities, where unknown employees or representatives may call a customer, the customer finds it practically impossible to gauge the genuineness of a telephone call .

[0005] There is therefore a need to provide an improved security for telephone communications.

SUMMARY OF THE INVENTION

[0006] In accordance with a broad aspect of the invention, there is provided a method of conducting a verified telephone

discussion, the method comprising the steps of:

an entity notifying an individual of an intention to conduct a telephone discussion with the individual, the individual having access to a communications device connectable to a data network and with a device software application implementing a trusted connection between an entity computer and the individual over the data network, the software application being adapted to generate or receive a verification code of the intention, the verification code being accessible or reproducible by both the entity computer and by the device software application;

generating the verification code;

verifying the intention between the entity and the individual by either receiving a communication of the verification code from the individual and checking that the communication of the verification code matches the verification code, or by

communicating the verification code to the individual for checking by the individual ; and

conducting the telephone discussion.

[0007] In one embodiment, the step of the entity notifying the individual of the intention comprises the steps of :

generating, within the entity computer, a notification signal signifying that the entity intends to conduct a telephone discussion with the individual;

sending the notification signal from the entity computer over the trusted connection to the device software application running on the communications device;

the device software application being configured to inform the individual of the intention and providing the verification code to the individual through a trusted sensory output, in response to receiving the notification signal. [0008] In one embodiment, the method further comprises the step of the entity initiating a telephone call to the individual; the step of verifying the intention comprises making an utterance of the verification code to the individual in the telephone call, for the individual to check that the utterance matches the verification code. The method may further comprise the step of the entity computer generating the verification code and transmitting the verification code to the device software application over the trusted connection. Alternatively, the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; and

the device software application is configured to operate the verification code generating algorithm to generate the

verification code, in response to receiving the notification signal .

[0009] In one embodiment, the method further comprises the step of storing a record of the intention in the entity computer, and wherein :

the step of the entity providing a notification of the intention comprises initiating a telephone call to the

individual ;

the step of verifying the intention comprises the software application, triggered by the individual in response to

answering the telephone call, communicating the verification code over the trusted connection to the entity computer, the verification code comprising at least a code identifying the individual, followed by the entity computer accessing the data memory to verify that the verification code corresponds to the recorded intention, the entity computer transmitting a

verification signal to the device software application over the trusted connection, in response to which the device software application is configured to verify the telephone call to the individual by a trusted sensory output. [0010] In one embodiment, the entity computer and the device software application are each programmed with a verification code generating algorithm adapted to generate the verification code independently; the method further comprising steps of:

recording the intention in a data memory of the entity computer ;

making a first telephone call to the individual which is not answered or is terminated by the individual, thereby providing the step of providing a notification of the intention to conduct a telephone discussion;

receiving a return telephone call from the individual to the entity intending to conduct the voice discussion,

and wherein:

the step of the device software application receiving or generating the verification code comprises the software

application, triggered by the individual in response to

receiving the first telephone call, operating the verification code generating algorithm to generate the verification code; the step of verifying the intention comprises receiving the verification code from the individual over the return telephone call, and accessing the data memory to verify that the

verification code corresponds to the recorded intention, and if so conducting a voice discussion with the individual over the return telephone call . The step of conducting the voice

discussion the individual over the return telephone call may diverting the return telephone call from a telephone queue and connecting the individual with an assigned representative for the telephone discussion.

BRIEF DESCRIPTION OF DRAWINGS

[0011] Figure 1 is a diagram of method steps of the broad aspect of the invention, not necessarily in order;

[0012] Figure 2 is a functional block diagram of a system implementing one embodiment of the invention; [0013] Figure 3 is a visual representation of a notification step according to the embodiment of Figure 2 ;

[0014] Figure 4 is a functional block diagram of a system implementing another embodiment of the invention;

[0015] Figure 5 is a functional block diagram of a system implementing still another embodiment of the invention;

[0016] Figure 6 is a visual representation of code generation and verification steps according to the embodiment of Figure 5;

[0017] Figure 7 is a functional block diagram of a system implementing yet another embodiment of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS

[0018] Embodiments of the current invention will now be

described.

[0019] The broadest aspect of the invention is first explained.

[0020] Referring now to Figure 1, the method steps of the broadest aspects of the invention are a notification step 101 of a entity notifying an individual of an intention to conduct a telephone discussion with the individual, a code generation step 102 of generating a verification code, a verification step 103 of verifying the intention between the entity and the

individual, and finally a discussion step 104 of conducting the telephone discussion. The individual has access to a

communications device with an Internet connection and with a device software application as described above in the broad aspect of the invention. In different embodiments of the invention, notification step 101 and code generation step 102 may be conducted in a different order or simultaneously.

[0021] In different embodiments to be described below, the different steps 101-104 may be performed in different manners. The notification step 101 can be performed in different

embodiments utilising the making of a telephone call or Internet signal transmission to the device software application. The code generation step 102 can be performed in different embodiments by a entity computer, the device software application or both, and may be before or after the notification step 101. The

verification step 103 verifies the intended telephone call and involves access by both parties to the verification code, and comparison by at least one party of the other party' s copy or version of the verification code. In different embodiments, the verification step 103 can involve transmission between the software application and the entity computer, or utterance or other transmission over a telephone call. The discussion step 104 of conducting the telephone discussion can occur as a continuance of an already existing telephone call, or a new telephone call initiated by the individual which may be routed by a telephone answering system of entity to an assigned

representative .

Implementation #1 - telephonic transmission of verification

[0022] In this implementation, embodiments are described wherein utterance or other transmission over a telephone call is used in the verification step 103.

Referring now to Figure 2, system elements implementing this embodiment are shown. An entity 1 wishes to conduct a telephone discussion with an individual 2. There may be a human representative in entity 1 having the intention, or the intention may be artificially realised by an automatic system fulfilling the role of an entity capable of scheduling or conducting a telephone discussion including imparting and receiving verbal information. Entity 1 in the broadest aspect is any entity capable of communicating with the individual by telephone, and may be a company, business, government

department, club, society, partnership, single person, automatic system or any other entity having a need to contact one or more individuals in circumstances where the one or more individuals may not recognise the identity of a telephone caller, as a result of the entity size or complexity or remoteness or any other factors. Entity 1 in most circumstances will be a

corporate entity having many human representatives who may wish to contact customer individuals by telephone. Individual 2 is a human person who may be making or potentially making purchases or receiving services from or exchanging services with entity 1, but is not necessarily a customer. For example, embodiments where entity 1 a single person, the interaction which is sought to be verified may be a private communication of non-commercial character .

[0023] Individual 2 has access to a smart phone 3 which provides wireless mobile telephone communication with entity 1 via wireless telephone towers 4 or directly through Internet 60 via voice call applications, and which also provides the digital communications device housing the device software application 40. In other examples, the device software application 40 and the medium over which the telephone discussion occurs can be implemented in separate devices, including fixed line telephones for the telephone discussion, and a separate communications device such as smart phone, tablet or personal computer for housing the device software application 40. Further, the

telephone discussion need not occur over wireless mobile, and can occur over any medium capable of transmitting a voice discussion, including Voice over Internet Protocol (VOIP) .

[0024] Software application 40 implements a trusted connection between individual 2 and entity 1 such that information

emanating from software application 40 can be trusted by

individual 2 to be genuine information emanating from entity 1. Typically, software application 40 is a dedicated application designed and distributed by entity 1 such as, in the case of a bank, a proprietary application of the bank to enable users to access bank services such as balances, transfers and the like.

[0025] Entity 1 has access to an entity computer 20 which may be implemented in a single standalone unit or may be distributed amongst several separated units communicating amongst themselves where necessary, as is known in the art. Functional elements of entity computer 10 are typically realised as software modules. Employee server 10 processes interaction with a plurality of employee representatives who may wish to utilise the system to contact customer individual 3. When an employee wishes to conduct a telephone discussion with individual 3, the employee through employee server 10 generates a notification using notification generator 21 which accesses individual data store 23 to obtain contact details such as an email address or other device identifying details to enable direction of the

notification to the communications device 3 of individual 2, typically by push notification. Code generator 22 generates a verification code as described below and may store the generated verification code in code store 24, or may store sufficient related information enabling reconstruction of the generated verification code so that the representative of entity 1 may access the verification code which was used.

[0026] Code generator 22 may construct the verification code in one of many different possible methods, of which many are known in the art. A simple example is generation of a pseudo-random number which is generated by code generator 22 stored in code store 24 of entity computer 20. Typically, a 4-6 digit integer is sufficiently large to provide the required level of security such that the code is effectively unique being difficult to guess. While lists of numbers or passwords may be generated for one-time use and stored in entity computer 20 for later use and deletion from storage, improved security can be provided by immediate random number generation to guard against data theft of unused codes .

[0027] Notification server 25 then formats and transmits the notification and code as a push notification of text to

communications device 3 over Internet 60. Software application 40 is in a state of readiness to receive notifications from entity 1. Software application 40 comprises modules code

receiver 41, notification receiver 42 and sensory output

generator 43. Notification receiver 42 receives the push

notification and code receiver 41 unpacks the verification code from the text of the push notification. Sensory output generator 43 alerts individual 2, typically by a visual notification which may or may not be configured to appear on a lock screen state. Preferably, the sensory output contains symbolic graphic

information trusted by individual 2 to indicate a notification from the genuine device software application 40. Referring now to Figure 3, an example sensory output is shown on the smart phone screen showing textual 51 and graphical 52 identifying information of a notification originating from software

application 40, together with the verification code 53 in the form of a "secret number" 2323903 and the name "Tom" of the representative intending to hold a telephone discussion. While sensory output in this example is purely visual, the sensory output may include any combination of senses . [0028] The representative "Tom" of entity 1 at the same time or later makes a telephone call to smart phone 3 or other telephone of individual 2. When individual 2 answers the phone, he or she asks "Tom" for the secret number. "Tom" is able to access code store 24 to retrieve the verification code and utter the code 2323903 over the telephone call to individual 2 who checks that the uttered code is. Individual 2 may then conduct the telephone discussion by continuing the phone conversation with confidence because the secret number came through the trusted connection with entity 1.

[0029] Referring now to Figure 4, an alternative embodiment of the telephonic implementation #1 does not need to involve

Internet transmission of the verification code. In this

embodiment, the notification step 101 is provided simply by the representative initiating a telephone call, and notification server 25 and notification generator 21 in entity computer 20 are not used. Device software application 40 instead comprises code generator 45 and sensory output generator 43 to display or otherwise inform individual 2 of generated codes.

[0030] Code generator 22 of entity computer 20 and code

generator 45 of device software application 40 are each

programmed with an algorithm that can independently generate the same code at the same time, which is unique or sufficiently specific for the individual 2. Heightened security is provided by the code being a time-based code which changes in a rolling manner according to time. In the prior art, such a method is used to authenticate Internet logins such as by security

"dongle" apparatuses which can be attached to keyrings and display rolling codes, or by smart phone applications such as Google Authenticator . For communications which may occur

worldwide, the time parameter which coordinates updating of the code is specified according to a global standard such as universal coordinated time (UCT) rather than any local time zone. Uniqueness associated with individual 2 may be achieved by for example generating a secure hash using an algorithm such as SHA2 , using as inputs a time parameter (such as the current UTC hour and minute) , concatenated with a constant secret identifier (or periodically revised and automatically synchronised) of the individual. The secret identifier does not need to be known by the individual or used for any other purpose. Both the time parameter and the unique secret identifier are accessible by code generator 22 and 45 without access to the Internet, and therefore code generators 22 and 45 are able to both generate the same code at the same time, which renews when the time parameter changes .

[0031] Upon receiving the telephone call, individual 2 opens device software application 40, activates code generator 45 and can see the code displayed on the screen through sensory output generator 43. Individual 2 asks the representative of entity 1 for the verification code, and the representative can access the same verification code through code generator 22 which accesses individual data 23 containing the secret identifier of the individual .

[0032] While the second method of implementation #1 is somewhat less secure, being dependent on the secrecy of the secret identifier used in the synchronised remote code generation, it has advantage of not necessarily requiring Internet connection which may not always be available during a telephone call .

Embodiments are envisaged which have both capabilities, whereby individual 2 can ask for the transmitted verification code received as in the first embodiment above, which may be a genuine one time random number, or if Internet connection is unavailable individual 2 can ask for the rolling time-based code which does not require Internet connection. Implementation #2-Internet transmission of verification

[0033] This implementation of the broad aspect of the invention is a class of embodiments which use a verification signal where the verification code is sent over the Internet from the

individual 2 to the entity 1 via the device software

application. This can be a rolling time-based verification code as described above or in a minimal application can be a constant verification code, such as an account number of individual transmitted securely. Possible types of entities and other general descriptions as described above in relation to

implementation #1 also apply to this implementation 2 where feasible .

[0034] In this implementation #2, referring now to Figure 5 and Figure 6, an employee of entity 1, a bank called MyyBank, places a telephone call with individual 2, constituting the

notification step 101. Contemporaneously or prior to the call, the employee through employee server 10 operates call intention recorder 27 to record that a telephone discussion is intended. Call intention recorder 27 uses code generator 22 and stores a generated verification code in code store 2 . As discussed below, this verification code is not necessarily secret and may simply be identifying minimum information such as the identity of individual 2 together with a time or time period at which the intention was formed or the call initiated, or alternatively together with a real-time datum indicating that a telephone call between the employee and individual 2 is in fact in progress routed through entity computer 20.

[0035] Having received a telephone call, individual 2 named Jeremy wishes to continue with the telephone conversation subject to verification, and therefore operates a "verify phone call" option 62 on a menu shown on screen display 60 of device software application 40. Individual 2 selects the "verify phone call" option 62.

[0036] Software application 40 is then caused to operate code generator 45 to generate a verification code. The purpose of this verification code is to securely identify to entity 1 that individual 2 is returning a call. Since individual 2 will already have provided security by way of fingerprint, PIN or other identification to open software application 40 or

smartphone 3, and also since the communications between software application 40 and entity 1 is trusted and secure (typically encrypted) , the generated verification code can be simply a known identifier of individual 2 such as an email address. Extra security can be provided by a more sophisticated verification code such as the rolling time-based verification code mentioned above or other one-time password, but is not necessary for acceptable security.

[0037] After generating the unique verification code, software application 40 is then caused to operate code transmitter 46 which securely communicates the verification code over Internet 60 to entity computer 20 through code verifier 26. Code verifier 26 accesses code store 24, and locates the corresponding

verification code or corresponding matching information

indicating that an intended telephone discussion exists. Code verifier 26 then securely communicates a verification signal through Internet 62 device software application 40. Verification receiver 47 receives a verification signal and causes sensory output generator 43 to display (display screen 61) a

verification confirmation 63 on digital communications device 3 reading "The call from Tom at MyyBank is legitimate. You may proceed". If an intended telephone discussion does not exist, the system preferably does not remain silent but communicates a non-verification signal causing sensory output generator 43 to display a warning that the call is illegitimate.

[0038] Individual 2 then proceeds reassured to conduct the telephone discussion in the knowledge that a communication from entity 1 was intended at the same time and therefore acceptably verified.

Implementation #3- call-back verification and routing.

[0039] This implementation allows the individual 2 to use a verification code to facilitate return calling. Possible types of entities and other general descriptions as described above in relation to implementation #1 also apply to this implementation

3 where feasible.

[0040] Referring now to Figure 7, this implementation is illustrated as an add-on feature to the implementation of Figure 2, but can also be implemented as an add-on feature to the implementation of Figure 4 or 5 or otherwise. In all versions, individual 2 receives a first telephone call from the entity which individual 2 does not answer, either because individual 2 is not available or for any other reason. The phone call from entity 1 may be preceded by the entity 1 activating the

notification steps and code storage through software application

4 described above, or the making of a telephone itself may provide the step 101 of notification, depending on the

implementation. Individual 2 then either makes a note of the verification code sent over the Internet and displayed through device software application 4, or uses code generator 45 to generate the verification code. Individual 2 then makes a telephone call through smart phone 3, landline or otherwise to entity 1. Telephone call router 26 in entity computer 20 answers the telephone call and presents an option to individual 2 or scans for an utterance or tone dialling or other transmission means over the telephone call of the verification code. If telephone call router 26 receives a valid verification code confirmed from accessing code store 24 as described above, telephone call router 26 is then able to immediately direct the telephone call to the responsible employee, speeding

communication and requiring no further verification. In this embodiment, the verification process may also be used to allow individual 2 to bypass an answering queue.

[0041] Persons skilled in the art will also appreciate that many variations may be made to the invention without departing from the scope of the invention, which is determined from the

broadest scope and claims.

[0042] For example, individual 2 can simply be a private person, as can entity 1, accordingly the invention extends in its broadest aspects to private communication between individuals who may fear unidentified communication, as well as from the more common application of communication from corporate entities to customers.

[0043] Further, the term "telephone discussion" refers to any electrical or electronic remote voice discussion received or initiated by the individual, and includes traditional telephone connections as well as voice over Internet protocol (VOIP) calls and also includes discussions between an individual and a remote artificial intelligence language understanding algorithm.

[0044] Further still, the data network connection referred to in the claims over which the trusted connection between the entity and the individual is formed may be the Internet or any other remote data transmission network, including data network connections provided by SMS, MMS or similar.

[0045] In the claims which follow and in the preceding

description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or

"comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention. Further, any method steps recited in the claims are not necessarily intended to be performed temporally in the sequence written, or to be performed without pause once started, unless the context requires it.

[0046] It is to be understood that, if any prior art publication is referred to herein, such reference does not constitute an admission that the publication forms a part of the common general knowledge in the art, in Australia or any other country.