(19)
(11) EP 0 147 837 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
10.07.1985 Bulletin 1985/28

(21) Application number: 84116154.0

(22) Date of filing: 21.12.1984
(51) International Patent Classification (IPC)4G07C 9/00, G07F 7/10, G06F 1/00, E05B 49/00
(84) Designated Contracting States:
AT BE CH DE FR GB IT LI LU NL SE

(30) Priority: 21.12.1983 JP 242954/83

(71) Applicant: OMRON TATEISI ELECTRONICS CO.
Kyoto 616 (JP)

(72) Inventor:
  • Kimizu, Ryuichi c/o Omron Tateisi Electr.Co.
    Nagaokakyo-Shi Kyoto (JP)

(74) Representative: WILHELMS, KILIAN & PARTNER Patentanwälte 
Eduard-Schmid-Strasse 2
81541 München
81541 München (DE)


(56) References cited: : 
   
       


    (54) Password number inputting device with variable key reassignment


    (57) A plurality of means for inputting digits of a password number are adapted to be manually operated. A means is provided for displaying the mapping between each of the plurality of digit inputting means and the digit which it currently represents and inputs when actuated, and also there is provided a means for altering this mapping. The altering means alters the mapping between the digit inputting means and the digits which they represents and input when actuated, every time a password number is inputted. Thereby, if an evilly intentioned person should watch a user actuating the digit inputting means, he will not be able to discern the user's password number by observing his finger movements. Optionally, a means is provided for restricting the visibility of the means for displaying the mapping between each of the plurality of digit inputting means and the digit which is currently represents to within a relatively narrow solid angle, so as to make peeking more difficult.


    Description

    BACKGROUND OF THE INVENTION



    [0001] The present invention relates to a password number inputting device for use in an automatic teller machine or cash dispenser machine, and in particular to an improvement of such a password number inputting device for ensuring that the password number of a user cannot be spied out by a person who is watching the process of password number inputting.

    [0002] In the case of a machine such as an automatic teller machine or cash dispenser machine, the user is typically provided with a plastic magnetic card which must be inserted into a slot of the machine for identifying him or her to the machine, and also typically knows and must input a password number (which is usually a fixed length series of digits) for further identification in order to obtain money from the machine. In the prior art, the input of such a password number has usually been performed by the use of a tenkey pad provided for the purpose.

    [0003] However, this has entailed the danger that, because the arrangement of the keys on such a tenkey pad is predetermined, if another person of criminal tendency should be watching the user as he or she inputs the password number via the tenkey pad into the machine, such a person may be able to determine what the password number is just by watching the movement of the user's finger on the tenkey pad. In such a case, the security of the machine becomes compromised. If subsequently such a criminally minded person should become possessed of the plastic magnetic card belonging to the user, as for example by theft, then it becomes possible for him or her to withdraw money from the user's account, by use of the card in conjunction with the password number thus illegitimately spied out as explained above.

    SUMMARY OF THE INVENTION



    [0004] Accordingly, it is the primary object of the present invention to provide a password number inputting device, for such a machine, which provides good password number security.

    [0005] It is a further object of the present invention to provide such a password number inputting device, which ensures that a person watching a user input a password cannot spy out the password by watching the movement of the finger of the user.

    [0006] It is a further object of the present invention to provide such a password number inputting device, which guards against illegitimate use of passwords.

    [0007] It is a further object of the present invention to provide such a password number inputting device, which makes it &s difficult as possible for an evilly intentioned person to discern the password of the user, even by peeking.

    [0008] According to the most general aspect of the present invention, these and other objects are accomplished by a password number inputting device, comprising: (a) a plurality of means for inputting digits of a password number, adapted to be manually operatedl (b) a means for displaying the mapping between each of said plurality of digit inputting means and the digit which it currently represents and inputs when actuated; and (c) a means for altering said mapping between each of said digit inputting means and the digit which it represents and inputs when actuated; (d) said altering means altering said mapping between said digit inputting means and the digits which they represents and input when actuated, every time a password number is inputted.

    [0009] According to such a structure, because the correspondence between the plurality of digit inputting means and the digits which they represent as shown by the display means is altered and is reset each time a new client approaches the cash dispenser in order to input a password number, (and said resetting may optionally and preferably be substantially random), thereby there is no way that, by observing the movement of a user's finger on the plurality of digit inputting means, another person can be able to learn said user's password number; because in fact, without knowledge of the current mapping between the digit inputting means and the digits which they represent, the movements of the user's finger are meaningless; and such knowledge is not available to anyone other than the current user, since this mapping is altered every time a new password is to be entered. Accordingly the security of the user's password number is enhanced.

    [0010] Further, according to a more particular aspect of the present invention, these and other objects are more particularly and concretely accomplished by such a password number inputting device as detailed above, further comprising a means for restricting the visibility of said means for displaying the mapping between each of said plurality of digit inputting means and the digit which it currently represents to within a relatively narrow solid angle.

    [0011] According to such a structure, even if a criminally minded person egregiously peeks at the user while said user is inputting his or her password number, still it will not be possible for said person to see to what digits of the password number the various digit inputting means correspond. Accordingly the security of the user's password number is further enhanced.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0012] The present invention will now be shown and described with reference to the preferred embodiment thereof, and with reference to the illustrative drawings. It should be clearly understood, however, that the description of the embodiment, and the drawings, are all of them given purely for the purposes of explanation and exemplification only, and are none of them intended to be limitative of the scope of the present invention in any way, since the scope of the present invention is to be defined solely by the legitimate and proper scope of the appended claims. In the drawings, like parts and spaces and so on are denoted by like reference symbols in the various figures thereof; in the description, spatial terms are to be everywhere understood in terms of the relevant 'figure; and:

    Fig. 1 is a schematic block diagram of the preferred embodiment of the password number inputting device of the present invention;

    Fig. 2 is an exploded perspective view of a major component of said preferred embodiment of the password number inputting device of the present invention including a keyboard unit and a display unit and a directivity providing device, all sandwiched together;

    Figs. 3A through 3E show examples of displays produced on said display unit, during an exemplary episode of operation of the shown preferred embodiment of the present invention;

    Fig. 4 shows the contents of a key correspondence table built up in the memory of an I/O control unit during said operational episode; and

    Figs. 5A through 5D are flow charts illustrating the operation of a program obeyed by a microcomputer incorporated in said I/O control unit, during said operational episode.


    DESCRIPTION OF THE PREFERRED EMDODIMENT



    [0013] The present invention will now be described with reference to the preferred embodiment thereof, and with reference to the appended drawings. Fig. 1 is a schematic block diagram of the preferred embodiment of the password number inputting device of the present invention, which is denoted as a whole by the reference numeral 1, and is installed into a machine such as an automatic teller machine or cash dispenser machine, not shown in the figures. This password number inputting device 1 is used by the user only for inputting his or her password to the automatic teller machine or cash dispenser machine, and other data required for the operation of this machine (such as the sum of money required by the user to be dispensed or being deposited) is inputted thereto via a conventional tenkey pad, not shown.

    [0014] In Fig. 1, the password number inputting device 1 comprises a keyboard unit 2, an I/O control unit 3, and a display unit 4. The I/O control unit 3 receives an input command from a CPU (central processing unit) of the main cash dispenser machine not shown in the figures via an input line 5, receives infomation from the keyboard unit 2 and shows information on the display unit 4 as will be explained hereinafter, and sends output to the CPU via an output line 6.

    [0015] Fig. 2 is an exploded perspective view of a major component of the preferred embodiment of the password number-inputting device of the present invention, said major component including the keyboard unit 2 and the display unit 4 and also including a directivity providing device 7, all these parts being sandwiched together with the directivity producing device 7 in between the keyboard unit 2 and the display unit 4.

    [0016] The keyboard unit 2 is a transparent flat keyboard which has twelve key switches Kl through K12 arranged in a three by four array. A cable, not denoted by any reference numeral, is connected to these key switches and leads to the I/O control unit 3.

    [0017] The display unit 4 is made of an LCD panel, which has twelve displays D1 through D12 arranged in a three by four array corresponding to the array of the keyboard unit 2. A cable, again not denoted by any reference numeral, is connected to these displays and leads to the I/O control unit 3. Of these twelve displays Dl through D12, the display D10 is structured to show the symbol "CL" only, and the display D12 is structured to show the symbol "E" only, in this preferred embodiment, while each of the other ten displays Dl through D9 and Dll is structured so as to be able to show any one of the digits "0" through "9" according to control signals dispatched to it through the cable from the I/O control unit 3. It is so arranged that the two displays D10 and D12 for "clear" and "entry" are always illuminated when the power is on and the password number inputting device of the present invention is functioning, while the other ten displays D1 through D9 and Dll (which hereinafter will be referred to as the ten digit displays) are controlled as will hereinafter be explained.

    [0018] Sandwiched between the keyboard unit 2 and the display unit 4 there is provided the directivity providing unit 7, in this preferred embodiment of the present invention. This directivity providing unit 7 is structured as an array of twelve rectangular tubes, arranged in a three by four array corresponding to the arrays of the keyboard unit 2 and the display unit 4. Thus, when the user looks at the superposed sandwich of the keyboard unit 2, the directivity providing unit 7, and the display unit 4 from the side of the keyboard unit 2, i.e. from the upper side from the point of view of Fig. 2, he or she will find that it is only possible to see the displays Dl through D12 from a point of view within quite a narrow solid angle about the perpendicular direction relative to said sandwich.

    [0019] The I/O control unit 3 will not be particulary explained herein with regard to its structure, but only in functional terms, because based upon the descriptions herein various structures for implementing the disclosed functions will be conceivable of to one skilled in the relevant art without undue experimentation. This I/O control unit 3 incorporates a microcomputer means of a per se conventional type which obeys a stored program and controls the keyboard unit 2 and the display unit 4 as will shortly be explained.

    [0020] Now, with reference to Figs. 3 through 5, the operation of this preferred embodiment of the present invention during a particular operational episode will be explained. Figs. 3A through 3E show examples of displays produced on the display unit 4, during this exemplary episode of operation; Fig. 4 shows the contents of a key correspondence table built up in the memory of the I/O control unit 3 during this operational episode; and Figs. 5A through 5D are flow charts illustrating the operation of the program obeyed by said microcomputer in the I/O control unit 3 during said operational episode.

    [0021] First, in the step 101 of the program (see Fig. 5A) the power is turned on, and then in the step 102 the display D10 of the display unit is controlled by the I/O unit 3 to light up and to show its indication "CL", and similarly the display Dl2 of the display unit is controlled by the 1/0 unit 3 to light up and to show its indication "E". This state of the display unit 4 is shown in Fig. 3A.

    [0022] Next, in the step 103, the I/O control unit 3 determines whether a command for inputting of a password number is being received from the CPU (not shown) of the main cash dispenser machine via the input line 5, and if the answer is NO then the flow of control is transferred back to this step 103 again, to perform a tight loop until such an input command is received; while, when on the other hand the answer becomes YES, then the flow of control proceeds next to the step 104.

    [0023] In this step 104, control is temporarily passed to a subroutine, illustrated in Fig. 5D, for generating a (possibly pseudo-) random digit, and then upon return of control to this step 104 the result is stored in a storage register designated as A. As will be explained later, the Fig. 5D routine is so contrived as to be prevented from returning certain digits, i.e. in fact to never return any digit which is currently stored in the key correspondence table shown in Fig. 4, but since this table is currently empty this is not a limitation, and in this step 104 any of the ten digits may be returned by the Fig. 5D routine. In this example, it is assumed that the digit "4" is returned. This digit "4", then, is stored in the register A.

    [0024] Next, in the step 105, the display Dl of the display unit 4 is controlled by the I/O unit 3 to light up and to show the indication stored in the register A, i.e. in this case "4". This state of the display unit 4 is shown in Fig. 3B.

    [0025] Next, in the step 106, the digit in the register A, i.e. this digit "4", is stored in the first register 01 of the key correspondence table of Fig. 4, so as to indicate that the first key Kl, under which the first display Dl is located and through which said first display Dl is visible as showing the indication "4", corresponds to this digit "4".

    [0026] Next, in the step 107, the program prevents the random digit generator routine of Fig. 5D from again providing this already provided digit "4". This may be implemented by having the random number generator check the entries in the key correspondence table of Fig. 4, or in some other manner.

    [0027] Next, in the step 108, again control is temporarily passed to the Fig. 5D subroutine to generate another random digit, and then upon return of control to this step 108 the result is stored in a storage register B. As has been just stated, the Fig. 5D routine now definitely does not return the digit "4", and so in this step 108 any of the nine remaining digits may be returned by the Fig. 5D routine. In this example, it is assumed that the digit "7" is returned. This digit "7", then, is stored in the register B.

    [0028] Next, in the step 109, the display D2 of the display unit 4 is controlled by the I/0 unit 3 to light up and to show the indication stored in the register B, i.e. in this case "7". This state of the display unit 4 is shown in Fig. 3C.

    [0029] Next, in the step 110, the digit in the register B, i.e. this digit "7", is stored in the second register 02 of the key correspondence table of Fig. 4, so as to indicate that the second key K2, under which the second display D2 is located and through which said second display D2 is visible as showing the indication "7", corresponds to this digit "7".

    [0030] Next, in the step 111, the program further prevents the random digit generator routine of Fig. 5D from again providing this next already provided digit "7". As mentioned before, this may be implemented by having the random number generator check the entries in the key correspondence table of Fig. 4, or in some other manner.

    [0031] Next, in the step 112, again control is temporarily passed to the Fig. 5D subroutine to generate another random digit, and then upon return of control to this step 112 the result is stored in a storage register C. As has been just stated, the Fig. 5D routine now definitely does not return the digit "4" or the digit "7", and so in this step 112 any of the eight remaining digits may be returned by the Fig. 5D routine. In this example, it is assumed that the digit "0" is returned. This digit "0", then, is stored in the register C.

    [0032] Next, in the step 113, the display D3 of the display unit 4 is controlled by the I/O unit 3 to light up and to show the indication stored in the register C, i.e. in this case "0". This state of the display unit 4 is shown in Fig. 3D.

    [0033] Next, in the step 114, the digit in the register C, i.e. this digit "0", is stored in the third register 03 of the key correspondence table of Fig. 4, so as to indicate that the third key K3, under which the third display D3 is located and through which said third display D3 is visible as showing the indication "0", corresponds to this digit "0".

    [0034] Next, in the step 115, the program further prevents the random digit generator routine of Fig. 5D from again providing this next already provided digit "0". As mentioned before, this may be implemented by having the random number generator check the entries in the key correspondence table of Fig. 4, or in some other manner. The program of Fig. 5A then continues into the program of Fig. 5B.

    [0035] In this Fig. 5B program, in the condensed steps 211 through 219, the same processes as above are repeated for the other seven displays D4 through D9 and Dll. In other words, new digits are generated at random by the random digit generator routine of Fig. 5D, never being duplicated, and are displayed on the displays D4 through D9 and Dll, and the corresponding digits are stored in the key correspondence table. of Fig. 4 so as to keep track of which digit is being assigned to which display and key. In the shown operational example, it is assumed that the random digit generator has supplied the digits 4, 7, 0, 1, 8, 3, 9, 2, 6, and 5 in succession, and the final state of the display unit 4 is shown in Fig. 3E, while the final state of the key correspondence table is as shown in Fig. 4. Thus, as a final result, when the flow of control arrives at the step 220 of the Fig. 5B program, each of the ten displays D1 through D9 and D11 is showing a different one of the ten digits, said digits having been randomly assigned to said displays, and the key correspondence table of Fig. 4 contains a record of the correspondence of these ten displays D1 through D9 and D11 (and their corresponding keys Kl through K9 and K11 which in this preferred embodiment lie directly above them) to these ten digits. Thus, the preferred embodiment of the password number inputting device of the present invention is now ready for input of a password number.

    [0036] Thus, next in the step 220, the value in a register N is set to 1, as a count value for indicating how many digits of the currently being inputted password number have up till now been inputted. And next, in the step 221, the I/O control unit 3 determines whether a keypress has been received from the keyboard unit 2, and if the answer is NO then the flow of control is transferred bach to this step 221 again, to perform a tight loop until such a keypress is received; while, when on the other hand the answer becomes YES, then the flow of control proceeds next to the step 222.

    [0037] In this step 222, a test is made as to whether it was the key K10 which was pressed, and if the answer is NO then control is transferred to the part of the program shown in Fig. 5C, while on the other hand if the answer is YES then control is transferred to the step 223.

    [0038] In this step 223, the contents of a buffer (not shown) in which the successive digits of the currently being inputted password number are being successively stored is cleared, and then next the flow of control is transferred back to the step 220, to set the number N which counts the number of digits of the password number already received to zero and to await the next keypress. This part of the program handles the pressing of the "CL" key, i.e. key K10, which is for clearing an improperly entered portion of a password number, when the user of the password number inputting device of the present invention has made a mistake in operation.

    [0039] Next, referring to Fig. SC, when the flow of control enters this portion of the program, first a test is made in the step 301 as to whether it was the key K12 which was pressed, and if the answer is YES then control is transferred to the step 302 to be explained later, while on the other hand, if the answer is NO, then the flow of control is transferred to the one of the steps 305 through 314 which corresponds to the actual key pressed, as indicated on the flow diagram of Fig. 5C by the headings to these blocks. (The actual decision tree by which the appropriate one of these steps is reached is per se conventional and is not shown here).

    [0040] These steps 305 through 314 are all alike, except for the actual key values involved; to discuss first the step 305 by way of an example, this step 305 is reached if the actual key pressed was the key Kl, and in it the following actions are performed: the I/O control unit 3 looks up the address of the key correspondence table of Fig. 4 corresponding to this key Kl, i.e. the address 01, and takes the digit stored therein, i.e. the digit "4", and copies it to the buffer, as being the next digit of the password number entered. Next, the flow of control passes to the step 315, in which the count N is increased by one in order to indicate that the buffer has one more digit in it, and then the flow of control is passed back to the step 221 (of Fig. 5B) to await the next keystroke.

    [0041] Similarly, if for example the next key pressed is the K5 key, then the flow of control is transferred to the step 309, in which the following actions are performed: the I/O control unit 3 looks up the address of the key correspondence table of Fig. 4 corresponding to this key K5, i.e. the address 05, and takes the digit Stored therein, i.e. the digit "8", and copies it to the buffer, as being the next digit of the password number entered. Next, again, the flow of control passes to the step 315, in which the count N is increased by one in order to indicate that the buffer has one more digit in it, and then the flow of control is passed back to the step 221 (of Fig. 5B) to await the next keystroke.

    [0042] Thus, the Buffer is built up to contain an ordered list of all the numerical values indicated by the displays corresponding to the keys pressed in order by the user. When, finally, the key K12 (the enter key "E") is pressed, then as mentioned above the flow of control passes to the step 302 of the Fig. 5C routine, and in this step the data stored in the buffer are all outputted by the I/O control unit 3 in the proper order (i.e. from the first to the last digit thereof in order) via the output line 6 to the CPU of the main cash dispenser machine (not shown), thus informing said CPU of the password number inputted by the user. And at this time the buffer is cleared.

    [0043] Next, in the step 303, the I/O control unit 3 turns off all the displays Dl through D9 and Dll, thus no longer showing any correspondence between the keys Kl through K9 and Kll with any digits; and then in the step 304 the values stored in the key correspondence table of Fig. 4 are likewise cleared, thus obliterating it. Finally, the flow of control is transferred back to the step 103 of Fig. 5A, to await the next command for-inputting of the next password number from the CPU of the main cash dispenser machine via the input line 5, so as to repeat the process described above for the next user.

    [0044] To explain the random digit generation subroutine of Fig. SD, first in the step 401 a random digit is generated by a per se known random or pseudo-random digit generator. Next, in the decision step 402, this random digit is checked against the random digits that have already been produced, during this episode of setting of the displays Dl through D9 and Dll; as has been mentioned, this can be done by having the_random number generator check the entries in the key correspondence table of Fig. 4, or in some other manner. If this random digit is not one that has already been produced during this episode, then the flow of control leaves the subroutine; but if on the other hand this digit repeats one that already has been produced during this episode, then the flow of control is transferred back to the step 401 again, in order to force the random digit generator to try again.

    [0045] Thus, it can be seen that according to this operation of the preferred embodiment of the present invention, because the correspondence between the keys Kl through K9 and Kll, and the digits which they represent as shown on the displays Dl through D9 and Dll of the display unit 4, is altered and is randomly set each time a new client approaches the cash dispenser in order to input a password number, thereby there is no way that, by observing the movement of a user's finger on the tenkey pad including the keys Kl through K12, another person can be able to learn said user's password number: because in fact, without knowledge of the current mapping between the keys Kl through K9 and Kll and the digits which they represent, the movements of the user's finger are meaningless; and such knowledge is not available to anyone other than the current user, since this mapping is altered at random every time a new password is to be entered. Accordingly the security of the user's password number is enhanced.

    [0046] Further, it is advantageous although not essential to the present invention that the directivity providing unit 7 is provided, as in the shown preferred embodiment; this unit 7 restricts the possible point of view of the user for seeing the displays Dl through D12 to within quite a narrow solid angle about the perpendicular direction relative to the sandwiched combination of the keyboard unit 2, the display unit 4, and said directivity providing unit 7. This means that even if a criminally minded person egregiously peeks at the user while said user is inputting his or her password number, still it will not be possible for said person to see to what digits of the password number the various keys which are being pressed correspond. Accordingly the security of the user's password number is further enhanced.

    [0047] Although the present invention has been shown and described with reference to the preferred embodiment thereof, and in terms of the illustrative drawings, it should not be considered as limited thereby. Various possible modifications, omissions, and alterations could be conceived of by one skilled in the art to the form and the-content of any particular embodiment, without departing from the scope of the present invention. Therefore it is desired that the scope of the present invention, and of the protection sought to be granted by Letters Patent, should be defined not by any of the perhaps purely fortuitous details of the shown preferred embodiment, or of the drawings, but solely by the scope of the appended claims, which follow.


    Claims

    1. A password number inputting device, comprising:

    (a) a plurality of means for inputting digits of a password number, adapted to be manually operated;

    (b) a means for displaying the mapping between each of said plurality of digit inputting means and the digit which it currently represents and inputs when actuated; and

    (c) a means for altering said mapping between each of said digit inputting means and the digit which it represents and inputs when actuated;

    (d) said altering means altering said mapping between said digit inputting means and the digits which they represents and input when actuated, every time a password number is inputted.


     
    2. A password number inputting device according to claim 1, further comprising a means for restricting the visibility of said means for displaying the mapping between each of said plurality of digit inputting means and the digit which it currently represents to within a relatively narrow solid angle.
     
    3. A password number inputting device according to claim 1, wherein said digit inputting means are switches.
     
    4. A password number inputting device according to claim 3, wherein said switches are transparent, and said means for displaying the mapping between each of said plurality of switches and the digit which it currently represents is located underneath said switches.
     
    5. A password number inputting device according to claim 1, wherein the operation of said altering means is substantially random.
     




    Drawing