Transaction Verification On Rfid-Enabled Payment And Transaction Instruments

Brief Description

A new method that allows users to verify the transaction details (e.g., the amount being charged) and explicitly approve them on RFID enabled payment and transaction instruments.

Full Description

RFID tags are commonly used as payment and transaction instruments (e.g., credit, debit, ATM and voting cards). In such settings, a malicious reader can easily mislead the tag into signing or authorizing a transaction different from the one that is communicated to, or intended by, the user. This is possible because there is no direct channel from a tag to its user (i.e., no secure user interface) on regular RFID tags and the only information a user gets (e.g., a receipt, or an amount displayed on the cash register) is under the control of a potentially malicious reader. Thus, it seems impossible for a user to verify (in real time) transaction details, e.g., the amount or the currency. This problem becomes especially important with current electronic credit cards.

UCI researchers have developed an approach to transaction amount verification that is designed to work with any RFID-enabled payment instrument. Its primary goal is to provide simple, secure and usable transaction verification at a Point-of-Sale (PoS).

The Protocol

1. Display enabled RFID tag (DERT) receives transaction details from the reader (seller/merchant).
2. DERT verifies that the details (e.g., issuing bank, account number, etc.) match their counterparts in the reader PKC. Protocol is aborted in case of a mismatch.
3. DERT extracts and displays user-verifiable data, i.e, the amount and, optionally, the currency code. It then enters a countdown stage that lasts for a predetermined duration (e.g., 10 seconds).
4. User observes transaction information and, if the transaction amount and other details are deemed correct, presses accept button on DERT before the timer runs out. At this point, DERT signs the time-stamped transaction statement and sends it to the reader. This signed statement is then sent to the payment gateway and eventually to the financial institution that issued the payment DERT.

Suggested uses

RFID enabled payment instruments

Advantages

This solution takes a proactive approach (instead of reacting to fraudulent transactions after they occur) and doesn’t allow any transactions to go through without user’s approval of its details (e.g, the amount for a credit card transaction). It is also important that users verify transaction details at the time of the transaction in our solution (not few days later).

Patent Status