Abstract: Broadly speaking, embodiments of the present invention provide systems and methods to provide a solution to the SIM swap attack problem for users that possess smartphones. In particular, the systems and methods require an online banking customer to authenticate a transaction using a combined one-time password (OTP) formed of a remotely generated OTP (generated remote to the smartphone) and a locally generated OTP (generated on the smartphone).

Abstract: The invention provides systems and method for securely inputting user data from a user into a mobile device and also for generating user data to be input by a user into a mobile device. For example, there is provided a mobile device case for securely inputting user data from a user into a mobile device, the case comprising: a microcontroller, a communication module for communicating with the mobile device and a user interface to enable the user to input the user data. The microcontroller is preferably configured to receive the user data which is input by a user via the user interface, process said user data to create processed data and communicate said processed data to said mobile device. Alternatively, the microcontroller is configured to receive a request to generate the user data; generate said user data and display said user data on the user interface.

Abstract: There is described a validation and authentication system and method for authenticating and validating messages. The system comprises a data store storing one or more digital fingerprints associated with user imaging devices. There is also a communication module configured to: receive a message M; receive a request for validation and authentication and receive an image PM of the message M captured using a user imaging device. The system comprises an image validation module for analysing the received image PM using one or more image processing techniques to determine if the image is valid and authentic. If the received image PM is determined to be authentic and valid, the image validation module generates a response to the request.

Abstract: A method for validating a signature request for a first message M, comprising: receiving, a validation challenge (VC) from a signature creation device (SCD), the VC created by the SCD, in response to receiving the signature request and message M from a user, using a second message M? which is based on message M and a secret shared between the SCD and user, the VC generated by encrypting message M? using the secret; generating, the message M? from the VC by decrypting the VC using the secret; displaying the message M? to the user; receiving confirmation from the user that the displayed message M? corresponds to the message M; generating, a validation code confirming the signature request to create a signature; and outputting the code to the SCD, to cause the SCD to generate the signature for the user for message M based on successfully verifying the code.

Abstract: There is described a validation and authentication system and method for authenticating and validating messages. The system comprises a data store storing one or more digital fingerprints associated with user imaging devices. There is also a communication module configured to: receive a message M; receive a request for validation and authentication and receive an image PM of the message M captured using a user imaging device. The system comprises an image validation module for analysing the received image PM using one or more image processing techniques to determine if the image is valid and authentic. If the received image PM is determined to be authentic and valid, the image validation module generates a response to the request.

Abstract: A method for validating a signature request for a first message M, comprising: receiving, a validation challenge (VC) from a signature creation device (SCD), the VC created by the SCD, in response to receiving the signature request and message M from a user, using a second message M? which is based on message M and a secret shared between the SCD and user, the VC generated by encrypting message M? using the secret; generating, the message M? from the VC by decrypting the VC using the secret; displaying the message M? to the user; receiving confirmation from the user that the displayed message M? corresponds to the message M; generating, a validation code confirming the signature request to create a signature; and outputting the code to the SCD, to cause the SCD to generate the signature for the user for message M based on successfully verifying the code.

Abstract: Embodiments of the present invention provide systems and methods of generating a secure transaction, particularly when the transaction is made using a mobile computing device. This is achieved by eliminating the need for cryptographic keys to be stored on the mobile computing device, by firstly creating a strong link between users and their devices, and storing this pre-defined link with a trusted authentication service (i.e. in a secure backend payment system), and secondly using the pre-defined link between user and device to generate a unique, electronic or digital signature for a transaction which will authorise a payment, wherein the digital signature having been generated by using authentication information comprising a first authentication identifier and a second authentication identifier.

Abstract: The invention provides systems and method for securely inputting user data from a user into a mobile device and also for generating user data to be input by a user into a mobile device. For example, there is provided a mobile device case for securely inputting user data from a user into a mobile device, the case comprising: a microcontroller, a communication module for communicating with the mobile device and a user interface to enable the user to input the user data. The microcontroller is preferably configured to receive the user data which is input by a user via the user interface, process said user data to create processed data and communicate said processed data to said mobile device. Alternatively, the microcontroller is configured to receive a request to generate the user data; generate said user data and display said user data on the user interface.

Abstract: Broadly speaking, embodiments of the present invention provide systems and methods to provide a solution to the SIM swap attack problem for users that possess smartphones. In particular, the systems and methods require an online banking customer to authenticate a transaction using a combined one-time password (OTP) formed of a remotely generated OTP (generated remote to the smartphone) and a locally generated OTP (generated on the smartphone).

Abstract: The invention provides systems and method for securely inputting user data from a user into a mobile device and also for generating user data to be input by a user into a mobile device. For example, there is provided a mobile device case for securely inputting user data from a user into a mobile device, the case comprising: a microcontroller, a communication module for communicating with the mobile device and a user interface to enable the user to input the user data. The microcontroller is preferably configured to receive the user data which is input by a user via the user interface, process said user data to create processed data and communicate said processed data to said mobile device. Alternatively, the microcontroller is configured to receive a request to generate the user data; generate said user data and display said user data on the user interface.

Abstract: A security core supports a networked banking app for a client application device communicating with a server, such as e.g. a smartphone. It provides a secure environment for the banking app to conduct registration, enrollment, and transaction workflows with corresponding back-end servers on the network. It includes defenses against static analysis, attempts at reverse engineering, and real-time transaction fraud. A principal defense employed is obfuscation of the protocols, APIs, algorithms, and program code. It actively detects, thwarts, misdirects, and reports reverse engineering attempts and malware activity it senses. A routing obfuscator is configured to operate at the outer layer. Previous core designs are retained as camouflage. An internal TLS library is used rather than the OS TLS layer. Cookies are managed internally in the core rather than in the webkit-browser layer.

Abstract: A method and system for generating a signature for a user are described. The system comprises a signature server, an initial transaction device for a user and a validation device for a user. The initial transaction device is configured to display a first message M and send a request to the signature server to create a signature for said first message M. The signature server is configured to generate a validation challenge using a second message M? which is based on said first message M? and a first secret shared between said user and said signature server and send said validation challenge to the validation device. The validation device is configured to regenerate said second message M? using said first shared secret, display said second message M?, receive user confirmation that the displayed second message M? corresponds to said first message M, generate a validation code confirming the request to create a signature; and send said validation code to said signature server.

Abstract: The invention provides systems and method for securely inputting user data from a user into a mobile device and also for generating user data to be input by a user into a mobile device. For example, there is provided a mobile device case for securely inputting user data from a user into a mobile device, the case comprising: a microcontroller, a communication module for communicating with the mobile device and a user interface to enable the user to input the user data. The microcontroller is preferably configured to receive the user data which is input by a user via the user interface, process said user data to create processed data and communicate said processed data to said mobile device. Alternatively, the microcontroller is configured to receive a request to generate the user data; generate said user data and display said user data on the user interface.

Abstract: A method and system for generating a signature for a user are described. The system comprises a signature server, an initial transaction device for a user and a validation device for a user. The initial transaction device is configured to display a first message M and send a request to the signature server to create a signature for said first message M. The signature server is configured to generate a validation challenge using a second message M? which is based on said first message M? and a first secret shared between said user and said signature server and send said validation challenge to the validation device. The validation device is configured to regenerate said second message M? using said first shared secret, display said second message M?, receive user confirmation that the displayed second message M? corresponds to said first message M, generate a validation code confirming the request to create a signature; and send said validation code to said signature server.

Abstract: A secure payment system provisions a payment transaction proxy with virtual EMV-type chipcards on secure backend servers. Users authorize the proxy in each transaction to make payments in the Cloud for them. The proxy carries out the job without exposing the cryptographic keys to risk. User, message, and/or device authentication in multifactor configurations are erected in realtime to validate each user's intent to permit the proxy to sign for a particular transaction on the user's behalf. Users are led through a series of steps by the proxy to validate their authenticity and intent, sometimes incrementally involving additional user devices and communications channels that were pre-registered. Authentication risk can be scored by the proxy, and high risk transactions that are identified are tasked by further incrementally linking in more user devices, communications channels, and user challenges to increase the number of security factors required to authenticate.

Abstract: A payment authorization system includes a network server configured to create strong bindings between individual user identifiers and a peculiar combination of devices corresponding users employ, and the associated communications services each utilizes. The combination of user-devices-services reduces the possibilities to the one user who is authorized to establish access to a set of security keys held by another secure server. The principal goal being to authorize a payment transaction without exposing the security keys. A secure backend payment server is configured to produce a surrogate output that will satisfy a payment processor when asked to do so by an authorized user. Such surrogate duplicates what a payment chip card or secure element would have presented in person, but here the security keys never have to leave the backend payment server.

Abstract: A security core supports a networked banking app for a client application device communicating with a server, such as e.g. a smartphone. It provides a secure environment for the banking app to conduct registration, enrollment, and transaction workflows with corresponding back-end servers on the network. It includes defenses against static analysis, attempts at reverse engineering, and real-time transaction fraud. A principal defense employed is obfuscation of the protocols, APIs, algorithms, and program code. It actively detects, thwarts, misdirects, and reports reverse engineering attempts and malware activity it senses. A routing obfuscator is configured to operate at the outer layer. Previous core designs are retained as camouflage. An internal TLS library is used rather than the OS TLS layer. Cookies are managed internally in the core rather than in the webkit-browser layer.

Abstract: A data certification system and method for signing electronic data with a digital signature in which a central server comprises a signature server and an authentication server. The signature server securely stores the private cryptographic keys of a number of users. The user contacts the central server using a workstation through the secure tunnel which is set up for the purpose. The user supplies a password or other token based on information previously supplied to the user by the authentication server through a separate authentication channel. The authentication server provides the signature server with a derived version of the same information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user. If they match, data received from the user is signed with the user's private key.

Abstract: A secure payment system provisions a payment transaction proxy with virtual EMV-type chipcards on secure backend servers. Users authorize the proxy in each transaction to make payments in the Cloud for them. The proxy carries out the job without exposing the cryptographic keys to risk. User, message, and/or device authentication in multifactor configurations are erected in realtime to validate each user's intent to permit the proxy to sign for a particular transaction on the user's behalf. Users are led through a series of steps by the proxy to validate their authenticity and intent, sometimes incrementally involving additional user devices and communications channels that were pre-registered. Authentication risk can be scored by the proxy, and high risk transactions that are identified are tasked by further incrementally linking in more user devices, communications channels, and user challenges to increase the number of security factors required to authenticate.

Abstract: A transaction security process includes authentication and identification parts for pushing an encrypted colorgram for user authentication and persona descriptors for user identification from a transaction server to a first personal trusted device. A decryption of the colorgram is displayed on the first personal trusted device. An image is captured by a second personal trusted device. An encryption of the image captured from the second personal trusted device is uploaded to the transaction server. The persona descriptors are used to build a composite rendering for identification of the first user to the second user. The second user clicks “OK” if they recognize the composite drawing as a reasonable persona of the first user.