KAREEMI NAZIM
| US5578808A | 1996-11-26 | |||
| US4827518A | 1989-05-02 | |||
| US4837422A | 1989-06-06 | |||
| US5280527A | 1994-01-18 | |||
| US5150420A | 1992-09-22 | |||
| US5027401A | 1991-06-25 | |||
| US4993068A | 1991-02-12 | |||
| US4700055A | 1987-10-13 |
| 1. | A method of securely storing confidential data relevant to a cardholder within a memory in a smartcard, comprising the following steps: (a) storing within said memory said confidential data; (b) storing within said memory PIN token data unique to said cardholder, said PIN token data represent ing a biometric created by said cardholder; and (c) reading said confidential data from said memory only after a person presenting said smartcard provides a said biometric that upon signal processing, produces a PIN identical within a predetermined acceptance threshold to said PIN token data stored at step (b). |
| 2. | The method of claim 1, wherein at step (b) said biometric is a genuine signature made by said cardholder, and step (c) includes said person writing a signature, when using said smartcard, that upon signal processing produces a signature PIN identical within said predeter mined acceptance threshold to said PIN token data stored at step (b). |
| 3. | The method of claim 1, wherein at step (b) said biometric is a portion of a fingerprint made by said cardholder, and step (c) includes said person producing a fingerprint, when using said smartcard, that upon signal processing produces a fingerprint PIN identical within said predetermined acceptance threshold to said PIN token data stored at step (b). |
| 4. | The method of claim 1, wherein at step (b) said biometric is selected from a group consisting of (i) a voiceprint made by said cardholder, (ii) a video image of at least a portion of a retina of said cardholder, and (iii) a video image of at least a portion of said cardholder's face. |
| 5. | The method of claim 1, wherein step (a) in cludes storing said confidential data in said memory in an encrypted format readable only with at least one en cryption key also stored in said memory. |
| 6. | The method of claim 5, further including stor ing each said encryption key in said memory such that if physical integrity of said smartcard is violated, each said encryption key is erased; wherein said confidential data stored in said memory is protected. |
| 7. | The method of claim 1, wherein said confiden tial data stored in said memory includes at least one type of data selected from a group consisting of (i) financial account data, (ii) business record data, (iii) business contact data, and (iv) medical data. |
| 8. | The method of claim 1, wherein: said smartcard may be used by two cardholders; at step (a) at least 4 KBytes of said confidential data is stored in said memory; and step (b) includes storing unique PIN token data for each of said cardholders. |
| 9. | The method of claim 8, wherein step (a) in cludes storing confidential said data for use by each of said cardholders. |
| 10. | A smartcard that securely stores confidential data relevant to a cardholder within an internal memory, comprising: memory having storage capacity for at least 4 KByte of confidential cardholder data whose confidentiality is to be preserved; said memory further storing PIN token data unique to said cardholder, said PIN token data representing a biometric created by said cardholder; wherein when using said smartcard, access to said confidential data is gained only after a person present ing said smartcard provides a said biometric that upon signal processing produces a PIN identical within a pre determined acceptance threshold to said PIN token data stored in said memory. |
| 11. | The smartcard of claim 10, wherein said memory further stores at least one encryption key such that said confidential cardholder data is stored in said memory in s format encrypted with said encryption key. |
| 12. | The smartcard of claim 11, further including means for deleting each said encryption key from said memory if physical integrity of said smartcard is violat ed. |
| 13. | The smartcard of claim 10, wherein said biometric is a genuine signature made by said cardholder, and wherein a person seeking to use said smartcard must first write a signature that upon signal processing pro duces a signature PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory. |
| 14. | The smartcard of claim 10, wherein: said biometric is selected from a group consisting of (i) a portion of a fingerprint made by said cardhold er, (ii) a voiceprint made by said cardholder, (iii) a video image of at least a portion of a retina of said cardholder, and (iv) a video image of at least a portion of said cardholder's face; and a person seeking to use said smartcard must first produce a biometric that upon signal processing produces a PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory. |
| 15. | The smartcard of claim 10, wherein said confi dential data stored in said memory includes at least one type of data selected from a group consisting of (i) financial account data, (ii) business record data, (iii) business contact data, and (iv) medical data. |
| 16. | The smartcard of claim 10, wherein said smart card may be used by two cardholders, and wherein said memory stores unique PIN token data for each of said cardholders. |
| 17. | The smartcard of claim 16, wherein said memory stores confidential said data for use by each of said cardholders. |
| 18. | A system for preserving security of confiden tial data relevant to a cardholder stored in a smartcard, comprising: said smartcard including memory storing at least 4 KByte of confidential cardholder data whose confidential ity is to be preserved; said memory further storing PIN token data unique to said cardholder, said PIN token data representing a biometric created by said cardholder; and a unit, disposed at a point of use of said smart card, with which a person presenting said smartcard must produce said biometric that upon signal processing pro duces a PIN identical within a predetermined acceptance threshold to said PIN token data stored in said memory before access to said confidential cardholder data is gained. |
| 19. | The system of claim 18, wherein said biometric includes at least one characteristic selected from a group consisting of (a) a genuine signature made by said cardholder, wherein said person presenting said smartcard must first write a signature that upon signal processing produces a signature PIN identical within said predeter mined acceptance threshold to said PIN token data stored in said memory, (b) at least a portion of a fingerprint made by said cardholder, wherein said person presenting said smartcard must first produce a fingerprint that upon signal processing produces a fingerprint PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory, (c) a voiceprint made by said cardholder, wherein said person presenting said smartcard must first enunciate at least one sound that upon signal processing produces a voiceprint PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory, and (d) a portion of a video image scanned from said cardholder, wherein said person presenting said smartcard must first be video scanned to produce an image that upon signal processing produces an image PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory. |
| 20. | The system of claim 18, wherein said smartcard may be used by two cardholders, said memory stores unique PIN token data for each of said cardholders, and said memory further stores confidential said data for use by each of said cardholders. |
FIELD OF THE INVENTION This invention relates to systems and methods for secur- ing confidential information, and more specifically to systems and methods to permit use of a smartcard to re- tain confidential data for multiple credit cards with security provided by at least one biometric provided by the smartcard owner.
BACKGROUND OF THE INVENTION Credit cards and debit cards have found increasingly wide use in commercial transactions. A financial institution issues a card to a qualified user who uses the card to pay for merchandise and/or services during a transaction.
As shown in Fig. lA, for a credit or debit card 10, a magnetic stripe 20 on one surface of the card carries two or more tracks 30 of magnetically encoded data 40. The data identifies the card issuer and card account number.
For a debit card, the card is issued with bank account identification data for the card owner. In use, the magnetically stored data is read and points to the user's account, from which it is determined whether the present transaction amount can be covered. Typically, cards that store data magnetically can at present only store about 200 bytes per card.
Fig. 1B shows a smartcard 50, which includes solid state memory 60 storing user data 70. Whereas magnetic storage on credit or debit cards is presently limited to perhaps 200 byes of data, memory 60 in smartcard 50 can store substantially more data. For example, data 70 may in- clude any or all of bank account numbers, medical data, client names and telephone numbers, among other data.
Some individuals carry and use many different cards.
Unfortunately carrying a few cards in one's wallet can render the wallet extremely bulky. Thus, there is a need for a method by which the bulk associated with carrying a plurality of cards can be substantially reduced.
Understandably the data stored in credit, debit, or smartcards (collectively"cards") must be maintained in a confidential manner, to prevent unauthorized charges against the subject account. One technique used to pro- mote confidentiality of data stored in cards is to pro- vide the card owner with a personal identification number ("PIN"), or password. When the card is being used during a transaction, the card user must manually enter the PIN on whatever device is used to read data from the card.
If the card-stored PIN data agrees with what is now manu- ally entered, the transaction can proceed, otherwise it will not proceed.
Unfortunately, card owners often forget their PIN. Other card owners may pick a PIN that is too easily compromised by a third party who somehow obtains the card, for exam- ple, a PIN that is simply the initials of the card owner.
Thus, there is a need for a methodology that allows a card owner to reliably provide the correct PIN without memorization, which PIN cannot readily be compromised by third parties.
Further, there is a need for a system or method by which the equivalent of a plurality of cards can be implemented without undue bulk, while protecting data stored therein
with a PIN that need not be memorized and that cannot readily be compromised.
The present invention provides such a system and method.
SUMMARY OF THE PRESENT INVENTION The present invention provides a single omnibus smartcard that can store data otherwise contained in at least two magnetically stored cards and/or at least one other smartcard. By storing multiple sources of data within a single smartcard, the bulk otherwise needed to store a plurality of cards is reduced.
To preserve confidentiality of data stored in the single omnibus smartcard, data representing a characteristic of the card owner is reduced to a token number that is also stored in the smartcard. This token number then repre- sents the user's PIN. As such, there is no PIN that must be remembered by the user. The user characteristic pref- erably is a signature, but may be the user's fingerprint or voiceprint.
In the preferred embodiment, whenever the omnibus smartcard is used, the user provides a signature on a vendor's signature capture device. The capture device generates a token value from the signature. This real- time token value is compared with the true token value stored within the omnibus smartcard. If the two token values agree, the transaction can proceed. If they do not agree, the card user can be asked to provide a second signature to the vendor to re-check the token match. If there is no match, the transaction should not proceed.
If the stored user characteristic is a fingerprint, when the smartcard is used the card user will provide a fin- gerprint to a fingerprint capture device that will gener- ate a token value therefrom. If the stored user characteristic is a voiceprint, e. g., the user saying the user's name, when the smartcard is used, the card user
will enunciate the name into a voice capture device that will generate a token value therefrom.
In this fashion, data otherwise stored within a plurality of cards is storable within a single omnibus smartcard, with PIN-level security that does not require memoriza- tion of a PIN value, and that cannot readily be comprised by dishonest third persons.
Other features and advantages of the invention will ap- pear from the following description in which the pre- ferred embodiments have been set forth in detail, in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1A and FIG. 1B depict credit/debit and smartcards, respectively, according to the prior art; FIG. 2 depicts an omnibus smartcard with enhanced PIN security, according to the present invention; FIG. 3A depicts use of an omnibus smartcard according to a preferred embodiment of the present invention during a transaction; and FIG. 3B depicts use of an omnibus smartcard according to alternative embodiments of the present invention during a transaction; and FIG. 4 is a flowchart depicting steps carried out during a transaction using an omnibus smartcard, according to the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT Fig. 2 depicts an omnibus smartcard 80 with enhanced PIN security, according to the present invention. By"omni- bus"it is meant that smartcard 80 stores data that ordi- narily would be stored in at least two separate cards (credit card, debit card, or smartcard) according to the
prior art. Smartcard 80 has an internal memory 90 that is shown storing data 40 (which may be identical to data 40 stored on a prior art credit card or debit card 10 as shown in Fig. lA), data 40-1 (which may otherwise have been stored on another prior art credit or debit card such as card 10), data 70 (which may be identical to data 70 stored in a prior art smartcard 50 as shown in Fig.
1B), as well as data 70-1 (which might otherwise have been stored on another prior art smartcard such as card 50). For purposes of the present invention, it will be assumed that smartcard 80 stores at least 2 Kbytes of data, e. g., preferably more data than could be stored on a single prior art credit or debit card with magnetic data storage. Modern memory 90 can today store 8 Kbyte to 16 Kbyte, and future smartcard memory 90 will probably store at least 32 Kbyte. Regardless of its storage ca- pacity, physically memory 90 is encapsulated within the body of card 80 per se.
Although Fig. 2 depicts omnibus smartcard 80 as storing data that would otherwise be stored in two credit/debit cards and two smartcards (e. g., a total of four cards), it is understood that the contents stored in memory 90 may include more or less than what would be stored in four prior art cards. Further, there is no need that memory 90 store data otherwise stored magnetically and in solid state, or that there be a 50%: 50% proportion be- tween the nature of what is stored in memory 90 in omni- bus smartcard 80.
Note that omnibus smartcard memory 90 also stores card- holder characteristic data 100. According to the present invention, data 100 is a PIN value that must be re-gener- ated at the time and place of a transaction involving omnibus smartcard 80. Rather than store a combination of numbers that the cardholder wishes (and must of course remember), data 100 is a digital token number that has been generated from a biometric or characteristic of the cardholder.
In the preferred embodiment the biometric will be the cardholder's signature, fingerprint, and/or voiceprint.
Other potentially useful biometrics can include a scan of the retina of the cardholder, as well as a scan of the face of the cardholder.
When the cardholder first obtains an omnibus smartcard 80, the cardholder will provide the card issuer with a true exemplar of his or her biometric. Assume that the card will be issued by a local bank. The cardholder will go to the bank and provide a signature and/or a finger- print and/or a voiceprint (e. g., enunciating the cardholder's name or some other word (s) that will be remembered). However, it is within the scope of the present invention that the biometric may include a reti- nal scan as well as a scan of the cardholder's face.
Using a signature biometric, note that as the cardholder writes the signature, the signature capture device cap- tures relative amount of force used to write different portions of the signature, as well as relative time spent writing different portions of the signature. Such data is richer in biometric content than if a photocopy of signature were merely scanned electronically to generate a token.
The card issuer will electronically scan or otherwise process the cardholder-biometric exemplar to represent that data as a unique token number. Techniques for re- ducing a signature, or a portion of a fingerprint, or a voiceprint to a digital token representation are known in the art and need not be described in detail here. Suf- fice to say that for each instance of the same user's signature, fingerprint, or voiceprint, a token value may be generated. Although there may be some variations between signatures or voiceprints made by the same user at different times, the algorithm used to generate the signature or voiceprint token number will look at the common features, and will generate essentially the same
value each time. It is this signature, fingerprint, voiceprint (or indeed other reproducible cardholder biometric) token value that is stored as data 100 within omnibus smartcard 80, for use as a PIN during transac- tions made with the card.
It will be appreciated that one advantage of a signature, fingerprint, or voiceprint PIN token is that the card- holder need not memorize any number. All the cardholder must remember is to write his or her signature essential- ly the same way each time, or speak essentially the same each time, something most people do automatically. (In the case of a cardholder biometric that is a fingerprint, reproducibility of the fingerprint is essentially assured time after time.) Because there is no PIN value for the cardholder to memo- rize (indeed the cardholder need never know his/her stored biometric PIN token), the PIN is not readily com- promised. As will be seen, the only way a dishonest third party coming into possession of omnibus smartcard 80 can re-generate the relevant signature PIN value 100 is to perfectly forge the cardholder's signature or imi- tate the voice during the time of a transaction or some- how have a finger that will reproduce the cardholder's fingerprint.
Assume that the cardholder (or indeed a third party com- ing into possession of omnibus smartcard 80) wishes to make a transaction using the card. Referring to Fig. 3A, at the time and place of the transaction, the person presenting the smartcard will be asked to make a signa- ture 110 using a stylus 120 upon the screen surface 130 of a signature capture device 140. An exemplary such signature capture device is the PenWare 3000, available from Mobilnetics Systems, Inc. of Delaware. Of course other such devices may instead be used.
Internal to or associated with device 140 will be elec- tronics 150. Electronics 150 captures and signal pro- cesses the signature data from screen 130. Electronics 150 also executes an algorithm to represent the just- captured signature data as a real-time signature PIN token. Preferably the algorithm executed by or associat- ed within device 140 will be similar to what was used to generate a signature PIN token such as is stored as data 100 within an omnibus smartcard, according to the present invention.
Before or after signature 110 is made during the transac- tion, the person intending to use smartcard 80 will caus- es the relevant portions of memory 90 to be read, e. g., preferably by device 140 or an equivalent device. Among the data to be read will be the actual signature PIN token data 100 that is known to represent the actual signature of the true owner of smartcard 80.
Electronics 150, which can be disposed within a host system 160 coupled to system 140 via a communications port 165, will now compare the genuine signature PIN token data 100 (read from card 80) with the just-generat- ed signature PIN token data. If these two data are in substantial agreement, the subject transaction will go forward. Thus, relevant account data 40, or 40-1, or 70, or 70-1 will be read from memory 90 in smartcard 80, e. g., using device 140 (or the equivalent). The data read can be processed by remote host system 160 to make the transaction. In a commercial environment, device 140 will typically be at the cash register of a merchant's store, whereas system 160 may be the store's LAN computer system, or may be a remote databank-type system sub- scribed to by the merchant.
If, however, there is substantial disagreement between genuine signature PIN token data 100 and the just-gener- ated signature PIN token data, further inquiry must be made. As noted, there is some signature-to-signature
deviation and the algorithm (s) used to examine the trans- action can take such deviation into account. For example if the deviation appears to be just slightly out of the normal range of acceptance, electronics 150 can advise the merchant (e. g., through a message appearing on screen 130, or by audible beeps, etc.) to have the user re-sign his or her name on screen 130 for further analysis.
In some instances it may be desired to have the user produce a driver's license or other signature-bearing identification. If desired, system 140 could be augment- ed to permit document scanning of a signature, e. g., from the user's driver's license, for electronic comparison against the just-generated signature and/or against the true signature PIN token data 100. If desired, the docu- ment-scanned signature could be used to generate a third token value for comparison with genuine PIN token data 100.
Fig. 3B depicts the user of stored data 100 that repre- sents a cardholder biometric that is a fingerprint, a voiceprint, a scan of the retinal portion of the cardholder's eye, and/or a scan of at least a portion of the cardholder's face. At the time and place of a trans- action, the person presenting the smartcard will be asked to provide a fingerprint 170 upon a capture screen 175, and/or a voiceprint (shown as sound waves 180 emitted by the person 185 presenting the smartcard) detected by a microphone or the like 190 associated with an appropriate device 140'. For a retinal or face biometric, a TV cam- era or the like and associated electronics 195 will cap- ture an image of the retina or face of the person 185 presenting the card. In a manner known in the art, the retinal scan or facial scan will be signal processed and reduced to an electronic token value. (In these embodi- ments, the cardholder would have presented himself or herself to the institution providing the smartcard, at which time the relevant biometric would have been cap-
tured, signal processed, and stored as compressed data 100 within memory 90 in smartcard 80.
Device 140'may be similar to device 140, except that it will now be augmented to capture fingerprints and/or soundwaves and/or video images for signal processing and reduction to a PIN token value.
Assume that electronics 150 captures and signal processes the fingerprint, voiceprint, or video (e. g., retinal scan or portion or all of a facial scan) data and also exe- cutes an algorithm to represent the just-captured data as a real-time fingerprint or voiceprint PIN token. Pref- erably the algorithm executed by or associated within device 140'will be similar to what was used to generate the fingerprint, voiceprint, or video PIN token such as is stored as data 100 within an omnibus smartcard, ac- cording to the present invention.
Similarly to what was above-described with respect to Fig. 3A, during the transaction, relevant portions of memory 90 are read from the smartcard, preferably by device 140'or an equivalent device. Among the data read will be the actual fingerprint, voiceprint, video PIN token data 100 that is known to represent the actual fingerprint or voiceprint of the true owner of smartcard 80.
As has been described, an electronic comparison is now made of the genuine fingerprint, voiceprint, video PIN token data 100 (read from card 80) with the just-generat- ed fingerprint or voiceprint PIN token data. If these two data are in substantial agreement, the subject trans- action will go forward, as was described. If, however, there is substantial disagreement between the genuine PIN token data 100 and the just-generated PIN token data, further inquiry will typically be made.
It will be appreciated that data 100 stored in memory 90 within smartcard 80 is not limited to a single biometric per user. For example, signature and fingerprint tokens may be compressed and stored in a few hundred bytes of memory each. Depending upon the storage capacity of memory 90, it is possible that all of the above-described parametrics could be stored for each user, or perhaps just two or three parametrics per user. It will be ap- preciated that if more than one user is permitted to use the smartcard, one or more appropriate parametrics per user may be stored within the smartcard memory.
Fig. 4 depicts the methodology practiced with the present invention. At step 200, the purported card owner must provide a real-time signature, fingerprint, voiceprint, or video image. As noted, this commonly would be done using an appropriate device such as shown in Fig. 3A or 3B. Typically at a point of transaction, perhaps a cash register area, the person using the card will write a signature, or provide a fingerprint, speak into a micro- phone, and/or allow a video image of his/her face or perhaps eye retina to be made.
At step 210, the just-generated biometric is scanned and/or signal processed electronically to generate real- time PIN token data. This real-time data will be the token-equivalent of the just-generated signature, finger- print, voiceprint, and/or video image.
At method step 220, data 100 stored in smartcard 80 is read to access genuine PIN token data 100 stored within.
At method step 230, a comparison is made, electronically, between the real-time PIN token data and the genuine signature, fingerprint, voiceprint, video image PIN token data read from the smartcard memory. This comparison, is preferably carried out by an algorithm executed by elec- tronics 150, such as shown in Fig. 3B.
Next the results of the comparison is examined at method step 240. If there is no substantial discrepancy, the person presenting the smartcard is the smartcard owner whose signature, fingerprint, voiceprint, video image (or other parametric) PIN token data is stored within the smartcard. Using the present example, the transaction may proceed, and at step 250, the relevant data stored in smartcard memory 100 may be read, e. g., with a smartcard reader (or equivalent).
But if step 240 indicates is a substantial discrepancy, e. g., by flashing a message on screen 130 in device 140 (or an equivalent visual message on an equivalent device), or by audibly sounding a signal, the transaction should not automatically proceed without further investi- gation. As noted by the phantom line, it may be desired to have the person presenting the smartcard re-sign his/her name on the signature capture device, again pro- vide a fingerprint 170, again speak into microphone 190 (being sure to enunciate the same words stored as a token in the smartcard), and/or again be video scanned with device 195. For example, the person may have been ner- vous and wrote a somewhat abnormal signature the first time at step 200. If this new signature (or other re- peated biometric) now passes muster at step 240, the transaction may safely proceed. Otherwise, absent inde- pendent investigation of the bona fides of the person presenting the smartcard, the transaction should not pro- ceed.
In short, it is seen that the present invention permits a single omnibus smartcard 80 to securely retain consider- able data that otherwise would be stored in a plurality of cards that collectively are rather bulky. The use of the present invention need not be limited to commercial transactions. Further, data stored within the omnibus smartcard need not of course be limited to credit card account numbers, but may include (without limitation) medical records, confidential telephone numbers that can
only be read upon presenting a genuine signature to a device 140. For example, a corporation might issues omnibus smartcards 80 to key employees, wherein memory 90 stores confidential client data. Each smartcard 80 would also store genuine signature, fingerprint, voiceprint, video (and/or other biometric) PIN token data 100 for the card recipient. Thus, should the smartcard be lost or stolen, a third party could not gain access to the confi- dential data stored within.
To further promote confidentiality, it is understood that memory 90 may be fabricated so as to self-destruct in the event card 80 is broken into to gain physical access to memory 90. This may be accomplished by encrypting data stored in memory 90 with encryption keys maintained in memory 90, which keys are erased if the physical integri- ty of card 80 and/or memory 90 is violated. Techniques for protecting stored data in this fashion are known in the art and need not be further described herein.
It will also be appreciated that in some contexts, it may be desired that multiple users can share a single smart- card 80. In such instance, data 100 will include sepa- rate PIN token data for each individual user (be it sig- nature, fingerprint, or both, PIN token data). During the course of a transaction (or course of gaining access to confidential data stored in memory 90), the relevant stored PIN token data 100 will be accessed, either be- cause it is identical to the just-generated data, or because the user may be asked to enter his or her ini- tials or employee number or the like as a pointer to the relevant stored PIN token data 100.
Modifications and variations may be made to the disclosed embodiments without departing from the subject and spirit of the present invention.