DETAILED ACTION
This communication is responsive to the application # 18/819,810 filed on August 29, 2024. By preliminary amendment Claims 21-40 are pending and are directed toward SYSTEMS AND METHODS FOR SIGNALING AN ATTACK ON CONTACTLESS CARDS.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 21, 22, 25, 26, 29, 32-36, and 40 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable over Viola (US 11,157,912, PCT Filed: Dec. 21, 2016), hereinafter referred to as Viola.
As per claim 21, Viola teaches A server, comprising: a processor; and a memory (The remote system 51 may be implemented using one or more computing devices or computers, such as one or more server computers, Viola, Column 19, lines 61-63), wherein the server:
receives a one-time password (OTP) value generated by a contactless card, the OTP value indicative of a potential attack on the contactless card (generating a One Time Password (OTP) as a right random data. In this case, when a detection agent return no threat detected an OTP associated to this detection agent is generated by the processing unit 18a. When the controlling unit 18b receives the altered data, an OTP is generated to restore the altered data. When a detection agent return threat detected a random false data is generated. Viola, Column 18, lines 45-52), and after receipt of the OTP value, performs one or more actions (The controlling unit 18b sends, in step 44, an authorization request message comprising the cryptogram to the remote system 51. Based on a verification and a validation of the received cryptogram, the remote system 51 authorize or reject the ongoing transaction, Viola, Column 18, lines 8-12).
As per claim 22, Viola teaches the server of claim 21, wherein the one or more actions comprise at least one selected from the group of: generating a plurality of event logs associated with the potential attack of the contactless card; transmitting a notification to threat response personnel; initiating a replacement request of the contactless card; and initiating a communication session with a device so as to indicate compromise of the contactless card (The remote system 51 can alert the user, informing him that his user device is compromised and should be denied authorization or otherwise banned from performing transactions. Viola, Column 18, lines 26-29).
As per claim 25, Viola teaches the server of claim 21, wherein the one or more actions comprise establishing data communication with a risk-based analytics engine to adjust a risk level of a user (There are many possible forms of appropriate action the remote system 51 can take, and the following are some examples. In one embodiment, the remote system can apply a risk of management policy. In a non-limitative example the risk of management policy could be: if the verification of the cryptogram is successful, the transaction is allowed; if a device rooted is detected, the verification will failed but the transaction can be allowed. An observer mechanism can be trigger in the communication device 10 to check the use; if a debugging mode is detected, the verification will fail and the transaction is rejected. The user is notified. Etc ..... Viola, Column 19, lines 21-34).
As per claim 26, Viola teaches the server of claim 21, wherein the potential attack comprises at least one selected from the group of a code-modification attack, a fuzzing attack, a clock jitter attack, a code-tampering attack, an extreme temperature, and a removal of a protective coating (In a non-limitative enumerative list, a detection agent can be a function that detects if the communication device 10 is rooted. A detection agent can detect if the mobile application 18 is running into an emulator. A detection agent can detect if the mobile application 18 is in debugger mode or a debugger has been attached. Of course these examples of detection agents are merely examples, and others detection agents can be employed for indicating reverse engineering, code lifting, unauthorized analysis, debugging and access, and the like. Viola, Column 12, lines 53-62).
As per claim 29, Viola teaches the server of claim 21, wherein the server receives the OTP value from the contactless card via one or more intermediary devices (In some implementations, the remote system 51 does not itself authorize the transaction, but securely transmits the cryptogram to an issuer associated with the transaction. Viola, Column 18, lines 13-15).
Claims 32-36 and 40 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 23, 24 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Viola (US 11,157,912, PCT Filed: Dec. 21, 2016), in view of Force et al. (US 5,533,123, Jul. 2, 1996), hereinafter referred to as Viola and Force.
As per claim 23, Viola teaches the server of claim 21, but does not teach disabling; Force, however, teaches wherein the one or more actions comprise rendering the contactless card mute (A restricted access response would be to disable some functions from the normal mode of SPU operation. Force, Column 26, lines 11-12).
Viola in view of Force are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Viola in view of Force. This would have been desirable because the final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set of countermeasures to any conceivable attack scenario (Force, Column 25, lines 15-16).
As per claim 24, Viola in view of Force teaches the server of claim 23, wherein the server: transmits a mute instruction to the contactless card, and upon receipt of the mute instruction, the contactless card mutes (Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling operations involving specific keys or passwords. Force, Column 26, lines 13-15).
Viola in view of Force are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Viola in view of Force. This would have been desirable because the final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set of countermeasures to any conceivable attack scenario (Force, Column 25, lines 15-16).
As per claim 27, Viola teaches the server of claim 21, but does not teach destroying a key; Force, however, teaches wherein the one or more actions comprises transmitting, to the contactless card, an instruction to destroy a key (TABLE II, Key Attack, Destroy keys, Force).
Viola in view of Force are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Viola in view of Force. This would have been desirable because it is sometimes desirable to destroy certain confidential information (e.g., the keys) and preserve other confidential information (e.g., historical data, such as accounting information used in financial transactions) upon detection of intrusion (Force, Column 1, lines 30-34).
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 21-40 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of US patent No. 10542036. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 21-40 of the instant application correspond to elements of claims 1-20 of US patent No. 10542036. The above claims of the present application would have been obvious over claims 1-20 of US patent No. 10542036 because each element of the claims of the present application is anticipated by the claims of the US patent No. 10542036 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Claims 21-40 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-25 of US patent No. 10880327. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 21-40 of the instant application correspond to elements of claims 1-25 of US patent No. 10880327. The above claims of the present application would have been obvious over claims 1-25 of US patent No. 10880327 because each element of the claims of the present application is anticipated by the claims of the US patent No. 10880327 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Claims 21-40 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of US patent No. 11658997. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 21-40 of the instant application correspond to elements of claims 1-20 of US patent No. 11658997. The above claims of the present application would have been obvious over claims 1-20 of US patent No. 11658997 because each element of the claims of the present application is anticipated by the claims of the US patent No. 11658997 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Claims 21-40 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of US patent No. 12081582. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 21-40 of the instant application correspond to elements of claims 1-20 of US patent No. 12081582. The above claims of the present application would have been obvious over claims 1-20 of US patent No. 12081582 because each element of the claims of the present application is anticipated by the claims of the US patent No. 12081582 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Allowable Subject Matter
Claims 28, 30, 31, and 37-39 are indicated as allowable over prior art.
The following is a statement of reasons for the indication of allowable subject matter: although the prior art of record provided in IDS 07/21/2022, such as EP 3185194, 28-06-2017 by FRANCESCO teaches that “In an embodiment, instead of prestored the mapping right data 23, the processing unit 18a and the controlling unit 18b comprise respectively an embedding function for generating a One Time Password (OTP) as a right random data. In this case, when a detection agent return no threat detected an OTP associated to this detection agent is generated by the processing unit 18a. When the controlling unit 18b receives the altered data, an OTP is generated to restore the altered data. When a detection agent return threat detected a random false data is generated” (FRANCESCO, [0142]). Thus OTP is generated only for a right random data. In case of altered data a random false data is generated. Limitations of independent claims of instant application require different values of OTP to determine a type of potential attack, so OTP is generated every time but with different specific values. This is different from teachings of FRANCESCO.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571) 270-1938. The examiner can normally be reached on 5:00 AM - 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLEG KORSAK/
Primary Examiner, Art Unit 2492