Title of Invention

DYNAMIC PASSWORD SECURITY FOR MOBILE BANKING USING SMS TECHNOLOGY

Abstract
This invention, in general, relates to banking and security therefor. Further, this invention relates to Wireless Security for mobile banking applications. More particularly, this invention relates to a method for dynamic password Security for Mobile Banking using SMS technology. This invention explains a method of secured SMS based mobile banking comprising the steps of: registering for the services by furnishing answers for a pre-defined number of personal questions by the user; keying in the Application Access Password set by the user, which acts as a level of security; selecting the service to be used by the user; keying in the required service details by the user; generating a dynamic password for that instant of submission on the required service and attaching the said password to the outgoing SMS along with the details of that instant; extracting the service details and counter values when the message is received at the bank's server; running the same password generation process to generate the password at the receiving end; authenticating the user device if the generated password and the received password match; putting the service on hold for security by throwing random questions which were registered by the user previously; and allowing the said service if the user answers the said questions correctly.
Full Text

FIELD OF TECHNOLOGY
This invention, in general, relates to banking and security therefor. Further, this invention relates to Wireless Security for mobile banking applications. More particularly, this invention relates to a method for dynamic password Security for Mobile Banking using SMS technology.
DESCRIPTION OF RELATED ART
Mobile Banking in the present scenario can be provided by two mediums of communication - SMS Technology, Wireless Access Protocol (Internet on mobile). The SMS based mobile banking allows only non-critical services such as Balance Enquiry, Cheque Book Request, Last Five Transactions, etc.
The WAP based mobile banking services include Transactions in addition to those provided by the SMS counterpart. Both versions make use of some sort of static password (commonly referred to as a PIN) for the purpose of user authentication. Once the password has been discovered by a third party, it can be used to spoof the valid user, potentially in perpetuity and without the real user knowing. The solution to this problem is to use dynamic passwords. Each time a password is required, a new one-time password is used. The password cannot be re-used, so it is impervious to discovery: a discovered password has no practical value to a third party. The next time a password is required, a different one-time password is used.
The user needs to carry a separate device (Token) which gives a fresh password every time it is used. The user has to type in the password for the required application/service. When a user submits the password, it is passed to the authentication server to be validated by comparing it against the next value that the authentication server would expect from that user's device. The passwords generated by such a mechanism are therefore neither Time-Synchronized nor Random, and can thus only be pseudo-random. Pseudo-random passwords follow an inherent pattern. By observing one particular user over a period of time, a spoofer can identify the pattern and guess the next password successfully.
The passwords generated by the mechanism proposed in this invention make use of certain user specific information and a dynamic entity, time, which render them unique and random.
LIMITATIONS
1. SMS based Mobile Banking does not include transactions due to security concerns in the wireless environment. WAP based Mobile Banking tries to provide secure transactional services using various encryption schemes over the internet. But one key point to be noted is that the data, in its initial stage, is still transmitted in the wireless environment which, as already mentioned, is not secure. This data, i.e. the Static Password/PIN, once discovered by a third party, can be used to spoof the valid user, potentially in perpetuity and without the real user knowing at any later time.
2. The Dynamic Passwords that are used at present are neither Time-Synchronized nor Random, and can thus only be pseudo-random. Pseudo-random passwords follow an inherent pattern. By observing one particular user over a period of time, the spoofer can identify the pattern and guess the next password successfully.
SUMMARY OF INVENTION
The principal object of the invention is, therefore, to invent a novel security system for SMS based mobile banking, which is unique.
It is another object of the invention to invent and design a novel Automated Dynamic Password Generation mechanism using time which brings in randomness.
It is another object of the invention to invent and design a novel Encryption tool (character set) using user specific details which brings in unique encryption for every user.

The invention proposed herein encompasses, inter alia, the following features, advantages and improvements over the existing system:
1. To provide a one time dynamic password for mobile banking which would provide for carrying a safe transaction using mobile banking.
2. Being an automated process, the user would neither be required to key-in the password nor remember it to use the service.
3. The generation of dynamic passwords would be random, which would be facilitated by the use of unique character set for every user and also the use of time - random entity in the password generation process.
4. The use of the Recipient mobile number and the amount to be transacted in generating the password prevents an attacker from modifying the data that is transmitted over the air.
5. Two additional levels of security are provided via the Application Access Password and the bank's random question.
6. Encryption of characters to numerals and numerals to characters is done using the unique user character set apart from the usual encryption mechanism of an SMS.
Accordingly, the invention explains a method of secured SMS based mobile banking comprising the steps of:
(a) registering for the services by furnishing answers for a pre-defined number of personal questions by the user;
(b) keying in the Application Access Password set by the user, which acts as a level of security;
(c) selecting the service to be used by the user;
(d) keying in the required service details by the user;
(e) generating a dynamic password for that instant of submission on the required service and attaching the said password to the outgoing SMS along with the details of that instant;
(f) extracting the service details and counter values when the message is received at the bank's server;
(g) running the same password generation process to generate the password at the receiving end;
(h) authenticating the user device if the generated password and the received password match;
(i) putting the service on hold for security by throwing random questions which were registered by the user previously; and
(j) allowing the said service if the user answers the said questions correctly.
The said personal questions can also be framed by the user. The furnished answers to the said personal questions are used for generating a character set and act as responses to random questions thrown by the bank as a level of security. The said services include Balance Enquiry, Cheque book request, Transaction, etc. If the dynamic password does not match, or the user's response does not match the correct answer, the service request is terminated and the status is intimated to the user.

If the service is completed successfully, both the sender and the recipient are intimated via SMS about the status. The answers given by the user for the random questions are used for generating a character set. The character set is a table containing a finite number of characters, where each character is mapped to a unique numerical value. Each user is allotted a character set which is unique to him.
A pre-defined number of characters from pre-determined positions of few/all answers provided by the user during registration are picked up to form an answer set. During character set formation all repeated characters in the answer set are deleted, resulting in a reduced set of unique characters, and the said reduced set of characters are assigned unique index values. During character set formation each character from the reduced set is searched for in a dummy base set and a mathematical operation is performed on their respective indices; the result of the said operation is a number, which is the index value of the character in the user's character set.
If the result of the mathematical operation exceeds the maximum permissible value defined for the character set, then the said value is wrapped around. During character set formation, if the result of the mathematical operation yields an index position that is already occupied by another character, then that position is skipped and the original character is inserted in the next immediate vacant position found in the set. Once all the characters in the reduced set are filled in, the characters that are absent from the reduced set are inserted in the user's set as and when a vacant space is found, completing the formation of the user's unique character set. The characters of the answer set are encoded using their respective index values in the user's character set; and the said answer set along with the user's character set is downloaded onto the user's mobile for rendering a service.
The other objects, features and advantages of the present invention will be apparent from the ensuing detailed description of the invention taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
Figure 1 shows the customer register in the proposed system.
Figure 2 shows the FORWARD CYCLE 1 and REVERSE CYCLE 1 as per the present invention.
Figure 3 shows the FORWARD CYCLE 2 and REVERSE CYCLE 2 as per the present invention.
Figure 4 shows the successful bank intimation of the service to the recipient.
Figure 5 illustrates the three-tier security model for SMS based mobile banking using dynamic passwords.
DETAILED DESCRIPTION OF THE INVENTION
The preferred embodiments of the present invention will now be explained with reference to the accompanying drawings. It should be understood, however, that the disclosed embodiments are merely exemplary of the invention, which may be embodied in various forms. The following description and drawings are not to be construed as limiting the invention, and numerous specific details are described to provide a thorough understanding of the present invention, as the basis for the claims and as a basis for teaching one skilled in the art how to make and/or use the invention. However, in certain instances, well-known or conventional details are not described in order not to unnecessarily obscure the present invention in detail.
The invention describes how to safely carry out transactions for mobile banking. This involves three levels of security.
1. Application access password.
2. Dynamic passwords (using unique character set).
3. Random Question Authentication.
Figure 1 shows the customer register in the proposed system. The proposed Security system requires the customer to register themselves first at the bank's premises. Here the user is supposed to fill in a personal questionnaire. The answers provided are processed to generate a unique character set and answer set for the user. The mobile banking software application along with the user's character set and numerical version of the answer set are downloaded onto the user's mobile.
Figure 2 shows the FORWARD CYCLE 1 and REVERSE CYCLE 1 as per the present invention.
FORWARD CYCLE 1: Here the user sends a service request to the bank which includes the details of the requested service along with the internally generated one time password (dynamic) and the counter value at that instant.
REVERSE CYCLE 1: On reception of the REQUEST SMS the bank segregates the service details, counter value and password. It uses the counter value and the user's details available in the database to generate a password. If both passwords match, the bank authenticates the user's mobile and sends a random question (only for Transaction) while keeping the request on HOLD.
Figure 3 shows the FORWARD CYCLE 2 and REVERSE CYCLE 2 as per the present invention.
FORWARD CYCLE 2: After receiving the random question the user is required to give the correct answer and send it through SMS.
REVERSE CYCLE 2: After receiving the SMS containing the answer, the bank verifies it. A match completes the request and sends an acknowledgement to the user. If there is no match, the bank terminates the request and informs the user.
Figure 4 shows the successful bank intimation of the service to the recipient. If the request for the transaction is successful the bank intimates the recipient about amount credited to his account via an SMS.
Before using this service, the user needs to register for it. To subscribe, the following steps need to be followed:

• The first and the foremost requirement is to have an operating account with the bank providing such a service.
• The customer will have to fill in an online application form in the bank premises. The form will include the following:

1. USER PROFILE - This includes general details like name, address, phone no., etc.
2. SERVICE DETAILS - This includes details like account number, mobile no., etc.
3. PERSONAL QUESTIONNAIRE - When the user registers for the service he will be required to furnish answers for a pre-defined number of personal questions, which can also be framed by the user.
Example:
Q1. Which is your favorite sport?
A1. rugby
Q2. Name of your first girl-friend?
A2. alice
The answer to these questions will serve the dual purpose of
1. Generating a character set and,
2. Acting as responses to random questions thrown by the bank as a third level of security.

Defining a Character set:
A character set is a table containing a finite number of characters (for example: a-z), each of which is mapped to a unique numerical value (for example: 1-26). The set can be extended to include characters from the ASCII (American Standard Code for Information Interchange) and Unicode sets. Each user is allotted such a character set, which is unique to him. Uniqueness here means that the same set of characters is mapped to a different set of numbers for different users.

Character Set Generation:
A pre-defined number of characters from pre-determined positions of few/all answers provided by the user during registration are picked up to form an Answer set. All repeated characters in the answer set are deleted, leaving a reduced set of unique characters. These characters are assigned unique index values.
Example:
Reduced set
A dummy base character set is selected. Example:


Each character from the reduced set is searched for in the dummy base set; a mathematical operation (addition, subtraction, multiplication, etc.) is performed on their respective indices. The result of the operation yields a number, which becomes the index value of that character in the user's character set.
Example:
Index of 'a' in reduced set: 9
Index of 'a' in dummy set: 11
Mathematical operation: Addition
Index of 'a' in User's character set: 9 + 11 =20
If the result of the mathematical operation exceeds the maximum permissible value defined for the character set, then it is simply wrapped around. Also, if the result yields an index position that is already occupied by another character, then that position is skipped and the original character is inserted in the next immediate vacant position found in the set.
Example:
Index of 'b' in reduced set: 21
Index of 'b' in dummy set: 25
Mathematical operation: Addition
Result of operation : 21 + 25 = 46
Wrapping around max. value (26) = remainder of (46/26) = 20
Since position 20 is already occupied by 'a', character 'b' is inserted in the next vacant position, i.e. 21.
Once all the characters in the reduced set are filled in, the characters that were absent from the reduced set are inserted in the user's set as and when a vacant space is found (in order).
In this fashion all the characters are filled in, thus completing the formation of the user's unique character set.
The characters of the answer set are encoded using their respective index values in the user's character set; and this, along with the user's character set, is downloaded onto the user's mobile as a part of the mobile banking application and also stored in the bank's database.
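As an added worked example (not code from the patent), the character set formation just described, run on the registration answers "rugby" and "alice" from the example above with addition as the mathematical operation. The dummy base set, the 1-based index convention, picking every position of each answer, and wrapping the "next vacant position" search back to 1 are assumptions made here:

```python
# Added example of the patent's character set formation (not the patent's own code).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MAX_INDEX = len(ALPHABET)          # the "maximum permissible value", 26
DUMMY_BASE = "nopqrstuvwxyzabcdefghijklm"  # constructed dummy base set, n=1 ... m=26


def answer_set(answers, positions):
    """Pick characters from pre-determined (0-based) positions of each answer."""
    picked = []
    for ans in answers:
        for p in positions:
            if p < len(ans):
                picked.append(ans[p])
    return "".join(picked)


def reduced_set(answer_chars):
    """Delete repeats (first occurrence kept); index values are 1-based order."""
    unique = []
    for c in answer_chars:
        if c not in unique:
            unique.append(c)
    return {c: i + 1 for i, c in enumerate(unique)}


def wrap(value):
    """Wrap into 1..MAX_INDEX; a zero remainder maps to MAX_INDEX (assumption)."""
    r = value % MAX_INDEX
    return MAX_INDEX if r == 0 else r


def build_character_set(answers, positions, dummy_base, op=lambda a, b: a + b):
    """Return the user's unique character set as {character: index}."""
    if len(dummy_base) != MAX_INDEX or len(set(dummy_base)) != MAX_INDEX:
        raise ValueError("dummy base set must be a permutation of the alphabet")
    reduced = reduced_set(answer_set(answers, positions))
    if not set(reduced) <= set(dummy_base):
        raise ValueError("answer characters must all appear in the dummy base set")
    dummy = {c: i + 1 for i, c in enumerate(dummy_base)}
    slots = {}  # index position -> character
    for c, idx in reduced.items():
        target = wrap(op(idx, dummy[c]))
        # occupied position: skip to the next immediate vacant one (wrapping)
        while target in slots:
            target = wrap(target + 1)
        slots[target] = c
    # characters absent from the reduced set fill the vacancies in order
    leftovers = [c for c in dummy_base if c not in reduced]
    for idx in range(1, MAX_INDEX + 1):
        if idx not in slots:
            slots[idx] = leftovers.pop(0)
    return {c: idx for idx, c in slots.items()}


def encode_answers(answer_chars, charset):
    """Encode the answer set through the user's character set (what the mobile stores)."""
    return [charset[c] for c in answer_chars]


if __name__ == "__main__":
    cs = build_character_set(["rugby", "alice"], [0, 1, 2, 3, 4], DUMMY_BASE)
    # 'l' computes to 32 -> wraps to 6, which 'r' already holds, so 'l' lands on 7
    print(sorted(cs.items(), key=lambda kv: kv[1]))
    print(encode_answers("rugbyalice", cs))
```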
Figure 5 illustrates the three-tier security model for SMS based mobile banking using dynamic passwords. The following are the components of figure 5.
APPLICATION ACCESS PASSWORD:
This is the first level of security. This is a password that can be configured by the user using the mobile phone's in-built security settings, or can be provided as a part of the mobile banking application that is downloaded onto the user's mobile. It acts as a deterrent in case of theft of the mobile device, thus preventing any unauthorized access to even the mobile-banking application's services.
DYNAMIC PASSWORD:

Dynamic passwords are one-time passwords generated using certain unique-to-user parameters (character set) in combination with the date and time (counter value) of the request of critical services such as transaction. The passwords thus generated are unique and truly random. Moreover the generated passwords are automatically embedded in the outgoing SMS request to the bank and so the user need not even know the password.
This feature will be responsible for preventing over-the-air modification of the user's confidential data as it also makes use of the service request information in the password generation process.
BANK'S RANDOM QUESTION:
On reception of the SMS service request and the subsequent verification of the dynamic password, the bank is only in a position to authenticate the mobile device, not the operator of the mobile. Thus, the request is put on hold and the bank generates a personal question in return, the answer to which is supposed to be known only to the authorized user of that account (again very useful in case of theft of the mobile device). The choice of the question is random and it is picked from the set of questions already answered by the user at the time of registration. This third level thus helps in authenticating the user of the mobile device and in completing the service request put on hold.
ADDITIONAL SECURITY MEASURES:

All messages sent and received between the bank and the user can be further encrypted by replacing all numeral entities with characters from the Unicode set and vice-versa, thus rendering the message totally unintelligible to anyone who intercepts it.
Defining the system:
To use the mobile banking application the user needs to key-in the Application Access Password set by the user himself. This acts as the first level of security (in case of theft of mobile).
The user must then select the service to be used (Balance Enquiry, Cheque book request, Transaction, etc.). Transaction being the most critical service, the subsequent discussion is based on it.
On keying in the Transaction details (Recipient mobile number, amount) and pressing the submit button, a dynamic password is generated for that instant and attached to the outgoing SMS along with the details of that instant, the Counter Value.
Generation of Dynamic Password:
The counter value is a number obtained by carrying out a sequence of mathematical operations on the date and time (in seconds). Using the instantaneous counter value, the recipient mobile number and the amount, a series of complex mathematical operations is performed on the encoded version of the answer set present in the user's mobile. Values from pre-defined positions (unique for every user) in the modified answer set are then picked up and converted into characters using the user's character set, which is also present in the user's mobile application. Thus a dynamic password is generated, providing the on-air security for the transaction.
When the message is received at the bank's server, it extracts the transaction details and counter value and runs the same password generation process to generate a password. If the generated password and the received password match, it has successfully authenticated the mobile device, but the transaction is put on hold. It now throws a random question, selected from those answered by the user at the time of registration, to the user via an SMS. The user should answer this question correctly for the transaction to be completed successfully. Thus the bank's random question acts as a third level of security (in case of theft of the mobile).
If either the dynamic password does not match or the user's response does not match the correct answer, the bank terminates the transaction request and intimates the user. If the transaction is completed successfully, both the sender and the recipient of the amount are intimated via SMS.
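The forward and reverse cycles just described, as an added example that is not the patent's own code. The patent does not specify its "sequence of mathematical operations", so the counter derivation, the mixing formula, the SMS field layout, the deterministic question pick and every sample value (character set, answers, mobile number, amount) are constructed assumptions; the user record is taken as already produced by the registration step:

```python
# Added example of the request / verification exchange (not the patent's own code).
import hmac

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MAX_INDEX = len(ALPHABET)

# Constructed user record as it would exist after registration: a unique
# character set (here simply the permutation i*7 mod 26, 1-based) and the
# answer set "rugbyalice" encoded through it; the real ones come from registration.
USER_CHARSET = {c: (i * 7) % MAX_INDEX + 1 for i, c in enumerate(ALPHABET)}
ANSWER_SET = "rugbyalice"
ENCODED_ANSWERS = [USER_CHARSET[c] for c in ANSWER_SET]
PICK_POSITIONS = [0, 3, 5, 8]            # per-user pick positions (assumed)
QUESTIONS = {"Which is your favorite sport?": "rugby",
             "Name of your first girl-friend?": "alice"}


def counter_value(epoch_seconds):
    """Counter value derived from the time in seconds (assumed reduction)."""
    return (epoch_seconds * 31 + 7) % 1_000_003


def dynamic_password(encoded_answers, charset, counter, recipient, amount, positions):
    """Mix counter, recipient number and amount into the encoded answer set, pick the
    fixed positions and map them back to characters. Illustrative linear mix only."""
    index_to_char = {idx: c for c, idx in charset.items()}
    rec = int(recipient) % 1_000_003
    modified = []
    for k, v in enumerate(encoded_answers):
        mixed = v * (counter + 1) + rec * (k + 1) + amount * (k + 7)
        modified.append(mixed % MAX_INDEX + 1)   # back into 1..26
    return "".join(index_to_char[modified[p]] for p in positions)


def build_request_sms(recipient, amount, counter):
    """FORWARD CYCLE 1 (mobile side): the password is embedded automatically."""
    pw = dynamic_password(ENCODED_ANSWERS, USER_CHARSET, counter,
                          recipient, amount, PICK_POSITIONS)
    return f"TXN;{recipient};{amount};{counter};{pw}"


def verify_request_sms(sms, stored_encoded, stored_charset, stored_positions):
    """REVERSE CYCLE 1 (bank side): segregate fields, regenerate, compare, hold."""
    kind, recipient, amount, counter, received_pw = sms.split(";")
    if kind != "TXN" or not received_pw.isascii():
        return {"status": "TERMINATED", "reason": "malformed request"}
    expected = dynamic_password(stored_encoded, stored_charset, int(counter),
                                recipient, int(amount), stored_positions)
    if not hmac.compare_digest(expected, received_pw):
        return {"status": "TERMINATED", "reason": "dynamic password mismatch"}
    # device authenticated, operator not yet: hold and ask a registered question
    # (picked deterministically here so the example is reproducible)
    question = sorted(QUESTIONS)[int(counter) % len(QUESTIONS)]
    return {"status": "HOLD", "question": question,
            "recipient": recipient, "amount": int(amount)}


def verify_answer_sms(held, answer):
    """REVERSE CYCLE 2: the answer completes the held request or terminates it."""
    if held["status"] != "HOLD":
        return held
    if hmac.compare_digest(QUESTIONS[held["question"]], answer.strip().lower()):
        return {"status": "COMPLETED", "notify": ["sender", "recipient"]}
    return {"status": "TERMINATED", "reason": "wrong answer", "notify": ["sender"]}


if __name__ == "__main__":
    c = counter_value(1_700_000_000)
    sms = build_request_sms("9876543210", 500, c)
    held = verify_request_sms(sms, ENCODED_ANSWERS, USER_CHARSET, PICK_POSITIONS)
    print(sms, held, verify_answer_sms(held, "rugby" if "sport" in held["question"] else "alice"))
```

Because the recipient number and amount enter the password, changing either field in transit yields a different regenerated password at the bank and the request is terminated, which is the over-the-air modification check the description claims.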
The above-presented description is of the best mode contemplated for carrying out the present invention. The manner and process of making and using it are described in such full, clear, concise and exact terms as to enable any person skilled in the art to which it pertains to make and use this invention. New embodiments, which also lie within the scope of the invention, can be created, in which different details of the different examples are combined with one another in a purposeful way. This invention is, however, susceptible to modifications and alternate constructions from that disclosed above which are fully equivalent. Consequently, it is not the intention to limit this invention to the particular embodiment disclosed. On the contrary, the intention is to cover all modifications and alternate constructions coming within the spirit and scope of the invention as generally expressed by the following claims, which particularly point out and distinctly claim the subject matter of the invention.



WE CLAIM
1. A method of secured SMS based mobile banking comprising the steps of:
(a) registering for the services by furnishing answers for a pre-defined number of personal questions by the user;
(b) keying in the Application Access Password set by the user which acts as a level of security;
(c) selecting the service to be used by the user;
(d) keying in the required service details by the user;
(e) generating a dynamic password for that instant of submission on the required service and attaching the said password to the outgoing SMS along with the details of that instant;
(f) extracting the service details and counter values when the message is received at the bank's server;
(g) running the same password generation process to generate the password at the receiving end;
(h) authenticating the user device if the generated password and the received password match;
(i) putting on hold the service for security by throwing random questions which were registered by the user previously; and
(j) allowing the said service if the user answers the said questions correctly.

2. A method as claimed in claim 1 wherein the said personal questions are framed by the user.
3. A method as claimed in claim 1 wherein the furnished answers to the said personal questions are used for generating a character set and act as responses to random questions thrown by the bank as a level of security.
4. A method as claimed in claim 1 wherein the said services include Balance Enquiry, Cheque book request, Transaction, etc.
5. A method as claimed in claim 1 wherein if dynamic password mismatches or user's response does not match the correct answer, the service request is terminated and the status is intimated to the user.
6. A method as claimed in claim 1 wherein if the service is completed successfully, both the sender and the recipient are intimated via SMS about the status.
7. A method as claimed in claim 1 wherein the answers given by the user for the random questions are used for generating a character set.

8. A method as claimed in claim 1 wherein the character set is a table containing a finite number of characters, where each character is mapped to a unique numerical value.
9. A method as claimed in claim 1 wherein each user is allotted a character set which is unique.
10. A method as claimed in claim 1 wherein a pre-defined number of characters from pre-determined positions of few/all answers provided by the user during registration are picked up to form an answer set.
11. A method as claimed in claim 1 wherein during character set formation all repeated characters in the answer set are deleted, resulting in a reduced set of unique characters and the said reduced set of characters are assigned unique index values.
12. A method as claimed in claim 1 wherein during character set formation each character from the reduced set is searched for in a dummy base set and a mathematical operation is performed on their respective indices where the result of the said operation results in a number, which is the index value of the character in the user's character set.

13. A method as claimed in claim 1 wherein during character set formation if the result of the mathematical operation exceeds the maximum permissible value defined for the character set, then the said value is wrapped around.
14. A method as claimed in claim 1 wherein during character set formation if the result of the mathematical operation yields an index position that is already occupied by another character then that position is skipped and the original character is inserted in the next immediate vacant position found in the set.
15. A method as claimed in claim 1 wherein during character set formation if all the characters in the reduced set are filled up, the characters that are absent in the reduced set, are inserted in the user's set as and when a vacant space is found completing the formation of the user's unique character set.
16. A method as claimed in claim 1 wherein the characters of the answer set are encoded using their respective index values in the user's character set; and the said answer set along with the user's character set is downloaded onto the user's mobile for rendering a service.
Dated this 11th day of August 2005



Patent Number 227936
Indian Patent Application Number 1116/CHE/2005
PG Journal Number 10/2009
Publication Date 06-Mar-2009
Grant Date 27-Jan-2009
Date of Filing 11-Aug-2005
Name of Patentee KOTHARI, DEEPAK
Applicant Address 2076-B 1ST MAIN 9TH CROSS, R.P.C LAYOUT, VIJAYNAGAR,
Inventors:
# Inventor's Name Inventor's Address
1 BHANSALI RAHUL PRASANNA KRIPA APTS, 3RD FLOOR, NO 13 VALLIAMAL ROAD, VEPERY, CHENNAI 600 007,
2 SANKHLA, PULKIT KALAYANAM DELWARA ROAD, BEAWAR, DT AJMER, RAJASTHAN PIN 305 901,
3 HARIHARAN, SRIRAM T7 1/78 MEDAVAKKAM MAIN ROAD, ULLLAGARAM, CHENNAI 600 091,
4 KOTHARI, DEEPAK 2076-B 1ST MAIN 9TH CROSS, R.P.C LAYOUT, VIJAYNAGAR,
PCT International Classification Number H04L 9/00
PCT International Application Number N/A
PCT International Filing date
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 NA