EP2095221A2 - Systems and methods for identification and authentication of a user - Google Patents
Systems and methods for identification and authentication of a userInfo
- Publication number
- EP2095221A2 EP2095221A2 EP07873624A EP07873624A EP2095221A2 EP 2095221 A2 EP2095221 A2 EP 2095221A2 EP 07873624 A EP07873624 A EP 07873624A EP 07873624 A EP07873624 A EP 07873624A EP 2095221 A2 EP2095221 A2 EP 2095221A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- user
- machine
- data
- device data
- password
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/385—Payment protocols; Details thereof using an alias or single-use codes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
- G06Q20/40145—Biometric identity checks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
Definitions
- the present invention generally relates to computer security and more specifically to systems and methods for identifying and authenticating a user.
- the buyer simply types a credit card number into an on-line payment webpage to pay for the goods or services provided by an on-line merchant.
- the buyer uses an on-line payment service to pay for the goods or services provided by an on-line merchant.
- the on-line payment service allows the buyer to pay the on-line merchant via the Internet using funds that are available in a bank account or on a credit card.
- the on-line payment service holds the account information, not the on-line merchant, and therefore the on-line payment service may protect the buyer from unlawful use of the buyer's account.
- on-line payment services are effective in providing a more secure means of on-line payment between the buyer and the on-line merchant as compared to paying by a credit card number or a personal check
- on-line payment services typically require a single factor of authentication to verify that the buyer is actually the owner of the account.
- the on-line payment service may require the buyer to input an email address and a password to make an on-line payment.
- the single factor of authentication such as the email address and password, can be easily stolen by a computer hacker. This may result in the unlawful use of the buyer's account, which is a common form of identity theft.
- On-line banking allows a customer to perform routine transactions, such as account transfers, balance inquiries, bill payments, and stop-payment requests from a remote computer.
- some banks allow their customers to apply for loans and credit cards on-line as well.
- a bank Similar to on-line payment services, to access the account information or apply for a loan or a credit card online, a bank usually requires only one factor of authentication to verify that an on-line customer is actually the owner of the account. For example, the bank may require the customer to input a username and a password to access the account. Again, the single factor of authentication, such as the username and password, can be easily stolen by a computer hacker, which may result in the unlawful use of the customer's account.
- the present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction.
- a method for enrolling a user in a system configured to identify and authenticate the user includes collecting a username and password to identify the user.
- the method further includes extracting device data from a user machine to uniquely identify the machine.
- the method also includes generating a user profile based upon the device data and the username and password. Additionally, the method includes transmitting the user profile to a server machine to be stored.
- a computer-readable medium including a set of instructions that when executed by a processor cause the processor to enroll a user in a system configured to identify and authenticate the user.
- the processor performs the step of collecting a username and password to identify the user.
- the processor also performs the step of extracting device data from a user machine to uniquely identify the machine. Further, the processor performs the step of generating a user profile based upon the device data and the username and password. Additionally, the processor performs the step of transmitting the user profile to a server machine to be stored.
- a system for identifying and authenticating a user includes a server machine that includes a user profiles database.
- the system also includes a computing device having a processor and a memory.
- the memory includes a security agent program configured to collect a username and password to identify the user.
- the security agent program is also configured to extract device data from a user machine to uniquely identify the machine. Further, the security agent program is configured to generate a user profile based upon the device data and the username and password. Additionally, the security agent program is configured to transmit the user profile to the server machine for storage in the user profiles database.
- Figure 1 is a conceptual block diagram of a system configured to identify and authenticate the identity of a user, according to one embodiment of the invention.
- Figure 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention.
- Figure 3 is a flow chart of method steps for securely accessing a user account, according to one embodiment of the invention.
- Figures 4A and 4B are a flow chart of method steps for making a secured payment, according to one embodiment of the invention.
- FIG. 5 is a conceptual block diagram of a system through which a secured payment may be made, according to one embodiment of the invention.
- Figures 6-8 are conceptual illustrations depicting how the security agent of Figure 1 interacts with a merchant payment web page when a secured payment is made, according to one embodiment of the invention.
- the invention relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction.
- the system will be described herein in relation to a single user. However, it should be understood that the systems and methods described herein may be employed with any number of users without departing from the principles of the present invention.
- the description of the invention is separated into four sections: the architecture, the enrollment process, a secure access transaction, and a secure payment transaction.
- FIG. 1 is a conceptual block diagram of a system 100 configured to identify and authenticate the identity of a user, according to one embodiment of the invention.
- the system 100 includes a user machine 105, which may be any type of individual computing device such as, for example, a desk-top computer, a lap-top computer, a hand-held phone device, or a personal digital assistant.
- the user machine 105 is configured to be a communication link between the user and the other components in the system 100.
- the user machine 105 includes a security agent 110.
- the security agent 110 is a software entity that runs on the user machine 105.
- the security agent 110 is configured to create an identity profile 115 of a user and of user machine 105, collect certain data from the user machine 105 or manage secure access or secure payment transactions made from user machine 105. Additionally, the security agent 110 is designed to offer protection against phishing, pharming, Trojan programs or worms.
- the user machine 105 includes the profile 115, which represents the identity of the user.
- the profile 115 is unique for each user. As described in further detail herein, once the profile 115 has been created for the user, the identity of the user can be subsequently verified by a series of interactions between the security agent 110 and the authentication server 125 based on the profile 115.
- the profile 115 includes data about the user and the user machine 105 and can be used to establish a multif actor identification for the user whenever the user attempts to conduct transactions via the user machine 105.
- the first factor of authentication is a username and/or password, which relates to "what the user knows.”
- the second factor of authentication is unique information about the user machine 105, which relates to "what the user has.”
- the third factor of authentication is unique information about the user, such as biometric identity, which relates to "who the user is.”
- the username and/or password is created by the user after the identity of the user is established.
- the username and/or password are typically a combination of characters and numbers, which the user can easily remember.
- the user machine 105 transmits the username and/or password in a cryptographically protected form, so access to the actual username and/or password will be difficult for a snooper who gains internal access to the user machine 105.
- the unique information about the user machine 105 is generally a combination of select information associated with the user machine 105.
- the information may be static or dynamic.
- the information may include the International Mobile Equipment Identity (IMEI), which is a number unique to every mobile phone, the International Mobile Subscriber Identity (IMSI), which is a unique number associated with network mobile phone users, and/or the geolocation of the user machine 105, which is a real- world geographic location of a network connected computer or mobile device.
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity
- the information about the user machine 105 may also include machine-level attributes.
- the information may include various parameters available through a PCI configuration space, like the Device ID or the Vendor ID for different system devices, the data residing in the SMM memory space, or other memory hardware attributes, such as memory type, memory clock speed, amount of memory, hard drive serial number, size of hard drive, maker of hard drive etc., and/or chipset information or graphics card information, which can be used to read hidden and/or unhidden registers within those subsystems.
- the information may include data at different locations in firmware or BIOS or information available in a Microcode patch or a checksum of a portion of the firmware within the user machine 105.
- the information about the user machine 105 may also be system-level attributes.
- the information may include a MAC address, hard drive serial number, hardware configuration information, such as interrupt routing, GPIO routing, PCI Device Select routing or a hardware configuration map, operating system registry, CPU type, CPU version or CPU clock speed.
- the information about the user machine 105 may also include system pattern extraction.
- the information may include a directory structure and/or a list of installed applications, such as a word processor or other computer tools.
- the third factor of authentication consists of unique information about the user, such as a biometric identity.
- the biometric data may include the specific typing pattern of the user since each user's typing behavior is unique. Typically, typing authentication works by requesting that a user seeking access to a computer or a password-protected file just type a short passage into the computer so that the user's typing pattern can be analyzed and matched against a known pattern. Additionally, the biometric data may also be generated by a biometric device, such as a fingerprint device or an iris pattern device, included within the user machine 105.
- the system 100 further includes a network 120, which may be any type of data network, such as a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), or the Internet.
- the network 120 is configured to act as a communication pathway between the user machine 105, the authentication server 125, and an institution server 140.
- the authentication server 125 stores a copy of the profile 115 generated during the enrollment process in a user profiles database 130. Additionally, the authentication server 125 interacts with the agent 110 via the network 120 during the secure access transaction and the secure payment transaction, as described below.
- the institution server 140 stores sensitive information for the user e.g. financial account information, confidential data, etc.
- the institution server 140 may be part of a bank, a building society, a credit union, a stock brokerage, or other businesses holding sensitive data. Generally, the institution server 140 interacts with the agent 110 via the network 120 during the enrollment process, a secure access transaction or a secure payment transaction, as described below.
- FIG. 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention.
- the enrollment process 200 is used to verify the identity of the user, establish multi-factors of authentication and bind the verified identity of the user to the multi-factors of authentication.
- verifying the user identity during the enrollment process 200 may include having the user answer specific personal questions e.g. amount of last check deposited, date of last withdrawal, previous residential address, etc.
- the answers are then checked against a known answer from a data source, such as the institution and/or third party consumer data base to verify that the user is who the user claims to be.
- a data source such as the institution and/or third party consumer data base
- Some examples of the multi factors of authentication are - the identification of the user, the identification of the machine, the biometric identity of the user, etc.
- the enrollment process is a onetime process for each user. After the enrollment process 200 is complete, the user is able to perform the secure access transaction 300 or the secure payment transaction 400, described below, without having to repeat the enrollment steps.
- the process of verifying identity significantly reduces the chance of a malicious party claiming to be the user.
- the process of binding the verified identity to the multi-factors of authentication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions, such as the specific personal questions each time.
- the enrollment process 200 begins in step 205, where the user accesses an enrollment webpage.
- the enrollment webpage is generated by the institution server 140 and downloaded to the user machine 105 when the user attempts to electronically access an account held with the institution.
- the enrollment webpage is configured to educate the user about the enrollment process and subsequently start the user identification process of step 210.
- step 210 the user is asked specific personal questions in which only the user knows the answer in order to generate a verified user identity.
- the questions may relate to dynamic data that frequently changes and is known only by the institution, such as "when was your last deposit,” “what was the last check number,” “who was the check written to” or “who last deposited money in the financial institution", “what was your last take home pay amount.”
- the personal questions may relate to static data that does not change, such as "what car did you drive before your current car,” “what is your social security number, date of birth, mother's maiden name” or "what address did you live at before your current address.”
- step 215 the answers given by the user is compared to known answers in a data source, such as data at the institution or data held at third party data bases, to verify the identity of the user.
- an exception process is activated.
- the exception process may include a verification of the user over the phone. Additionally, the exception process may include the user making a personal appearance at a specific location.
- the exception process in step 220 may be any type of process known in the art to verify the identity of the user.
- the security agent 110 is downloaded to the user machine 105 after the identity of the user is established.
- the security agent 110 is downloaded directly from the institution server 140 via the network 120.
- the security agent 110 is downloaded via the network 120 from the authentication server 125.
- the security agent 110 is configured to interact with both the authentication server 125 and the institution server 140.
- a user name and password is selected to establish the first factor of authentication.
- the user selects the user name and password.
- the authentication server 125 or the institution sever 140 generates the user name and/or the password.
- the user name and/or password are used during the secure access transaction 300 and the secure payment transaction 400, described below.
- step 235 unique information from the user machine 105 is extracted by the security agent 110 to establish the second factor of authentication.
- the information may include any number of different types of data associated with the user machine 105.
- the information may include the IMEI or the EVISI which relate to mobile devices.
- the information may include the geolocation of the user machine 105.
- the information may also include machine level attributes, such as a Device ID, a Vendor ID, data at a SMM memory space, a memory type, a memory clock, hard drive serial number, chipset information, data at different locations in firmware, or information available in Microcode patch, a checksum of firmware, or BIOS.
- the information may include system level attributes, such as a MAC address, a hard drive serial number, interrupt routing, GPIO routing, PCI DevSel routing, a map of hardware configuration, or an operating system registry. Additionally, the information may relate to system pattern extraction, such as a directory structure or a list of installed applications. No matter what type of select data is extracted from the user machine 105, the data or a combination of dfferent types of data should be unique to the user machine 105 in order to establish the second factor of authentication.
- system level attributes such as a MAC address, a hard drive serial number, interrupt routing, GPIO routing, PCI DevSel routing, a map of hardware configuration, or an operating system registry.
- system pattern extraction such as a directory structure or a list of installed applications. No matter what type of select data is extracted from the user machine 105, the data or a combination of dfferent types of data should be unique to the user machine 105 in order to establish the second factor of authentication.
- the biometric information is collected in order to establish the third factor of identity.
- the biometric data may include specific typing patterns of the user or biometric data generated by a biometric device, such as a fingerprint device or an iris pattern device.
- a biometric device such as a fingerprint device or an iris pattern device.
- step 245 the verified user identity from step 215 is connected (or bound) to the the user identity profile 115 which generally comprises the data collected in steps 230-240.
- the connecting (or binding) of the verified user identity to the factors of authenication allows the user to engage in the secure access transaction 300 or the secure payment transaction 400 without having to repeat the enrollment steps.
- the binding of the identity with the factors of authenication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions (the specific personal questions) every time.
- a copy of the profile 115 is stored in the user profiles database 130 in the authentication server 125.
- the security agent 110 interacts with the authentication server 125 by comparing the data from the user and the user machine with the user profile 115 stored in the user profiles database 130 to establish the identity of the user before proceeding with the transaction.
- the user is able to use the secure access transaction 300 and the secure payment transaction 400 without providing any sensitive personal data, such as a credit card number, a debit card number, etc.
- the user interacts directly with an institution to verify the identity of the user. Then the institution issues a one-time credential, such as an account number and/or password. The one-time credential is used during the authentication process of the user to establish the identity of the user before proceeding with the secure access transaction 300 or the secure payment transaction 400.
- FIG. 3 is a flow chart of method steps for securely accessing a user account, according to one embodiment of the invention.
- the secure access transaction 300 is a transaction where the user attempts to electronically access an account held at the institution via the institution server 140.
- an institution may be a financial institution, a government agency, a medical institution or a business.
- the security agent 110 interacts with the authentication server 125 via the network 120 to ensure that the user is properly authenticated prior to giving the user access to the relevant accounts held at the institution.
- the secure access transaction 300 begins with the security agent 110 interacting with the user at a log-on webpage of the institution.
- the security agent 110 automatically activates after the security agent 110 detects the log-on webpage of the institution.
- the security agent may detect the institution log-on webpage by reading the source code of the webpage, such as the HTML code or by reading a trigger, such as a header or an identification number embedded in the log-on webpage.
- the user activates the security agent 110 to perform the secure access transaction 300.
- the user may select a button on the webpage to activate the security agent 110.
- the institution activates the security agent 110 and requires the user to use the security agent 110 during the secure access transaction 300.
- step 305 the security agent 110 prompts the user to enter his or her username and/or password in order to determine the first factor of authentication.
- step 310 the username and/or password entered in step 305 is compared to the username and/or password previously stored in the user profiles database 130. If the username and/or password does not match the user profile in the user profiles database 130, then an exception process is activated in step 315 to determine that the user is who the user claims to be.
- the exception process in step 315 may be any type of standard industry process known in the art to aid a user who has forgotten a user name and/or password. For instance, the exception process may include requiring the user to go through the enrollment process 200 again to create a new user name and/or password. The exception process may also include having the user answer a security question in order to determine that the user is who the user claims to be.
- the exception process may also include sending the user name and/or password to a user email address or sending a text message to a user cellphone.
- the security agent 110 collects information which is associated with the user machine 105 in order to establish the second factor of authentication.
- the information associated with the user machine 105 may include a variety of different information, such as information related to the EMEI, the IMSI, the geolocation, machine level attributes, system level attributes, or system pattern extraction.
- the security agent 110 collects biometric information from the user in order to establish the third factor of identity.
- the biometric data may include specific typing patterns of the user or biometric data generated by a biometric device, such as a fingerprint device or an iris pattern device.
- a biometric device such as a fingerprint device or an iris pattern device.
- the authentication server 125 verifies that the identity data collected in steps 320 and 325 matches the data included in the user profile previously stored in the user profiles database 130 on the authentication server 125. If the idenity data collected in steps 320 and 325 does not match the user profile in the user profiles database 130, then an exception process is activated in step 340. Depending on the type of mismatch, the exception process in step 340 may include limited access to the account or the exception process may require the collection of additional data or that the user to go through the enrollment process 200 again.
- the user may still be allowed access to the account after collecting additional data. If there is a large mismatch, then the user may be required to go through the enrollment process 200 again in order to establish the identity of the user and the factors of authenication. If the idenity data collected in steps 320 and 325 does match the user profile in the user profiles database 130, then the user is allowed access in step 345 to the account at the institiution. Secure Payment Transaction
- Figures 4A and 4B are a flow chart of method steps for making a secure payment
- Figure 5 is a conceptual block diagram of a system 500 through which a secure payment may be made, according to one embodiment of the invention.
- the secure payment transaction 400 is a transaction where the user purchases a product or a service from an on-line merchant 505.
- the security agent 110 interacts with the authentication server 125 via the network 120 to ensure that the user is properly identified and authenticated prior to the user finalizing the purchase of the product or the service from the on-line merchant 505.
- the security agent 110 also is configured to interact with the different elements of system 500 to facilitate the actual on-line payment.
- the institution server 140 is represented as a user financial institution server.
- the secure payment transaction 400 begins with the security agent 110 interacting with the user at a payment webpage of the online merchant 505.
- the security agent 110 automatically activates after the security agent 110 detects the payment webpage of the online merchant 505.
- the security agent may detect the online merchant 505 payment webpage by reading the source code of the webpage, such as the HTML code for credit card information e.g. card type, expiry date, CVV2 code, etc. or by reading a trigger, such as a header or an identification number embedded in the payment webpage.
- the user activates the security agent 110 to perform the secure payment transaction 400. For instance, the user may select a button on the webpage to activate the security agent 110.
- the online merchant 505 activates the security agent 110 and requires the user to use the security agent 110 during the secure payment transaction 400.
- step 405 the security agent 110 prompts the user to enter his or her username and/or password in order to determine the first factor of authentication.
- the user enters his or her username and/or password through the standard key entry method of the user machine 105.
- the security agent refering now to Figure 6, the security agent
- a keypad 610 on the security agent 110 prompts the user to enter a username and/or password directly in a box 615 by using a keypad 610 on the security agent 110.
- the keypad 610 is manupulated by using a mouse (not shown) to push the buttons on the keypad 610.
- Placing the keypad 610 on the security agent 110 is a security mechanism designed to prevent a keylogger from monitoring and stealing the password. In other words, if the password were entered into the box 615 by using a standard keyboard (not shown), then a keylogger may be able to monitor the keystrokes of the user and steal the password.
- the location of the keys on keypad 610 will systematically change between uses to prevent a mouse logger from monitoring and stealing the password.
- the security agent 110 directly communciates with the authentication server 125 rather than through a conventional webpage, the threat of "phishing" by presenting the user with bogus webpages is eliminated.
- the security mechanisms set forth herein may be equally applicable to any transaction that involves the security agent 110, such as the enrollment process 200 or the secure access transaction 300.
- the security agent 110 is also configured to encrypt the data transmissions generated by the security agent 110 as the security agent 110 interacts with other components in the system.
- the security agent 110 has a cryptographic system that uses two keys, such as a public key that is known by other components in the system 500 and a private key that is known only to the recipient of the data transmission. For instance when the security agent 110 wants to send a secure data transmission to the authentication server 125, the security agent 110 uses the public key to encrypt the data. The authentication server 125 then uses the private key to decrypt the data.
- the public and private keys are related in such a way that only the public key can be used to encrypt data and only the corresponding private key can be used to decrypt the data.
- the public private key pair may be randomly changed for each session or from time to time.
- the security mechanisms set forth herein may be equally applicable to any transaction that involves the security agent 110, such as the enrollment process 200 or the secure access transaction 300.
- step 410 the username and/or password entered in step 405 is compared to the username and/or password previously stored in the user profiles database 130. If the username and/or password does not match the data in the user profiles database 130, then an exception process is activated in step 415 to determine that the user is who the user claims to be.
- the exception process in step 415 may be any type of Standard industry process known in the art to aid a user who has forgotten a user name and/or password.
- the exception process may include requiring the user to go through the enrollment process 200 again to create a new user name and/or password.
- the exception process may also include having the user answer a security question in order to determine that the user is who the user claims to be.
- the exception process may also include sending the user name and/or password to a user email address or sending a text message to a user cellphone.
- the security agent 110 collects information which is associated with the user machine 105 in order to establish the second factor of authentication.
- the information associated with the user machine 105 may include a variety of different information, such as information related to the IMEI, the IMSI, the geolocation, machine level attributes, system level attributes, or system pattern extraction.
- the security agent 110 collects biometric information from the user in order to establish the third factor of authentication.
- the biometric data may include specific typing patterns of the user or biometric data generated by a biometric device, such as a fingerprint device or an iris pattern device.
- a biometric device such as a fingerprint device or an iris pattern device.
- the authentication server 125 verifies that the identity data collected in steps 420 and 425 matches the data included in the user profile previously stored in the user profiles database 130 on the authentication server 125. If the idenity data collected in steps 420 and 425 does not match the user profile in the user profiles database 130, then an exception process is activated in step 440. Depending on the type of mismatch, the exception process in step 440 may allow a payment of a reduced amount to be made during the secured payment transaction or the exception process may require the user to go through the enrollment process 200 again.
- the security agent connects to the user financial institution server 140 in step 445 via the network 120.
- the security agent 110 requests financial account information from the institution server 140 about the user's account(s) held at the institution.
- the financial information relates to the different accounts that are available to make a payment to the on-line merchant 505, such as a savings account or a checking account.
- the financial information may include credit cards, lines of credit, equity lines of credit, and the like.
- a bank line of credit can be established during the enrollment process or during the merchant transaction process. The bank line of credit then can be considered a virtual credit card for purposes of the merchant transaction. Therefore, in addition to a conventional credit card, this virtual credit card and/or savings account and/or checking account may be used as a payment means for the on-line transaction in step 460, below.
- step 455 the user selects an account for payment in the secure payment transaction 400.
- the security agent 110 displays an account list 705 which is a list of accounts available to pay the on-line merchant 505.
- the security agent 110 becomes an automatic teller machine, whereby the user selects the account from the list of accounts presented by the security agent 110, and then the security agent 110 facilitates the payment to the on-line merchant 505, as discussed below.
- the authentication server 125 creates a one-time use personal account number which is used in the secured payment transaction 400.
- the one-time use personal account number is a sixteen digit number. Similar to the conventional credit card number, the one-time use personal account number includes a number prefix, commonly referred to as Network Identification Number, which is the sequence of digits at the beginning of the number that indicates the entity to which a credit card number belongs.
- the authentication server 125 creates an expiration date which is used in the secured payment transaction 400. In another embodiment, the authentication server 125 creates a one time use security code.
- the one-time use personal account number is entered into the merchant webpage.
- the security agent 110 populates a payment field 810 of the payment page 625 of the on-line merchant 505 with the one-time use personal account number. In another embodiment, the security agent 110 populates an expiration date field 815 of the payment page 625 of the on-line merchant 505 with the expiration date. In one embodiment, the security agent 110 may hide data in the payment field 810 with a phrase such as "securepay," as shown in Figure 8. Alternatively, the security agent 110 can hide data in the payment field 810 of the payment page 625 with "********* » reflecting the format of a conventional credit card number. In another embodiment, the user may populate the payment field 810 with the one-time use personal account number. In another embodiment, the user may populate the expiration date field 815 with the expiration date. In a further embodiment, the user may select a button on the payment page 625 to input the onetime use personal account number.
- the utilization of the one-time use personal account number has several benefits.
- the one-time use personal account number has the same format as a conventional credit card number and therefore the on-line merchant 505 does not have to modify the format of the payment webpage 625 in order to accept the payment from the security agent 110.
- Another benefit of the one-time use personal account number is that the personal account number can only be used one time and therefore even if the number is stolen, the personal account number has no value beyond the current transaction. Further, the number cannot be processed through traditional credit card processing networks due to the format of the number.
- the one-time personal account number is sent to a payment processor 510.
- the payment processor 510 extracts server data from the one-time personal account number, such as the Network Identification Number, which is the sequence of digits at the beginning of the one-time use personal account number, in order to determine the personal account number belongs to the authentication server 125.
- the payment processor 510 sends the one-time personal account number and transaction details to the authentication server 125.
- the transaction details may include the merchant name, the merchant ID, and the amount of the transaction.
- step 485 the authentication server 125 replaces the one-time personal account number with a user real personal account number that relates to the account which the user selected in step 455.
- step 490 the authentication server 125 sends the real personal account number and the transaction details to the user financial institution for authorization.
- the user financial institution server 140 verifies that the user account has sufficient funds to cover the payment transaction. If there are insufficient funds in the selected account, then the security agent 110 prompts the user to select another account for payment. If there are sufficient funds in the selected account, then a payment authorization is sent to the payment processor 510 and security agent 110 in step 495.
- step 498 the institution server 140 interacts with the merchant financial server 515 via the settlement network 520 to transfer the funds from the institution server 140 to the merchant financial server 515.
Abstract
Description
Claims
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/562,353 US7548890B2 (en) | 2006-11-21 | 2006-11-21 | Systems and methods for identification and authentication of a user |
US11/562,330 US8661520B2 (en) | 2006-11-21 | 2006-11-21 | Systems and methods for identification and authentication of a user |
PCT/US2007/085332 WO2008127431A2 (en) | 2006-11-21 | 2007-11-21 | Systems and methods for identification and authentication of a user |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2095221A2 true EP2095221A2 (en) | 2009-09-02 |
EP2095221A4 EP2095221A4 (en) | 2010-08-18 |
Family
ID=39864549
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP07873624A Ceased EP2095221A4 (en) | 2006-11-21 | 2007-11-21 | Systems and methods for identification and authentication of a user |
Country Status (2)
Country | Link |
---|---|
EP (1) | EP2095221A4 (en) |
WO (1) | WO2008127431A2 (en) |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2466676A (en) | 2009-01-06 | 2010-07-07 | Visa Europe Ltd | A method of processing payment authorisation requests |
GB2466810A (en) | 2009-01-08 | 2010-07-14 | Visa Europe Ltd | Processing payment authorisation requests |
EP2396742A2 (en) * | 2009-02-10 | 2011-12-21 | Uniloc Usa, Inc. | Web content access using a client device identifier |
US20100325424A1 (en) * | 2009-06-19 | 2010-12-23 | Etchegoyen Craig S | System and Method for Secured Communications |
US9047450B2 (en) | 2009-06-19 | 2015-06-02 | Deviceauthority, Inc. | Identification of embedded system devices |
US9047458B2 (en) | 2009-06-19 | 2015-06-02 | Deviceauthority, Inc. | Network access protection |
US20100332400A1 (en) * | 2009-06-24 | 2010-12-30 | Craig Stephen Etchegoyen | Use of Fingerprint with an On-Line or Networked Payment Authorization System |
US9075958B2 (en) | 2009-06-24 | 2015-07-07 | Uniloc Luxembourg S.A. | Use of fingerprint with an on-line or networked auction |
US8213907B2 (en) * | 2009-07-08 | 2012-07-03 | Uniloc Luxembourg S. A. | System and method for secured mobile communication |
TW201121280A (en) * | 2009-12-10 | 2011-06-16 | Mao-Cong Lin | Network security verification method and device and handheld electronic device verification method. |
US9667626B2 (en) | 2010-01-27 | 2017-05-30 | Keypasco Ab | Network authentication method and device for implementing the same |
GB2484268A (en) | 2010-09-16 | 2012-04-11 | Uniloc Usa Inc | Psychographic profiling of users of computing devices |
AU2011100168B4 (en) | 2011-02-09 | 2011-06-30 | Device Authority Ltd | Device-bound certificate authentication |
AU2011101295B4 (en) | 2011-06-13 | 2012-08-02 | Device Authority Ltd | Hardware identity in multi-factor authentication layer |
AU2011101297B4 (en) | 2011-08-15 | 2012-06-14 | Uniloc Usa, Inc. | Remote recognition of an association between remote devices |
AU2011101296B4 (en) | 2011-09-15 | 2012-06-28 | Uniloc Usa, Inc. | Hardware identification through cookies |
US9143496B2 (en) | 2013-03-13 | 2015-09-22 | Uniloc Luxembourg S.A. | Device authentication using device environment information |
US9286466B2 (en) | 2013-03-15 | 2016-03-15 | Uniloc Luxembourg S.A. | Registration and authentication of computing devices using a digital skeleton key |
AU2013100802B4 (en) | 2013-04-11 | 2013-11-14 | Uniloc Luxembourg S.A. | Device authentication using inter-person message metadata |
US8695068B1 (en) | 2013-04-25 | 2014-04-08 | Uniloc Luxembourg, S.A. | Device authentication using display device irregularity |
GB2534693B (en) * | 2013-11-08 | 2017-02-08 | Exacttrak Ltd | Data accessibility control |
US20170303111A1 (en) * | 2016-04-18 | 2017-10-19 | Mastercard International Incorporated | System and method of device profiling for transaction scoring and loyalty promotion |
CN110472420B (en) * | 2019-07-19 | 2021-05-11 | 深圳中电长城信息安全系统有限公司 | Binding identification method, system, terminal equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6000832A (en) * | 1997-09-24 | 1999-12-14 | Microsoft Corporation | Electronic online commerce card with customer generated transaction proxy number for online transactions |
US20020053035A1 (en) * | 2000-06-06 | 2002-05-02 | Daniel Schutzer | Method and system for strong, convenient authentication of a web user |
WO2003038719A1 (en) * | 2001-10-31 | 2003-05-08 | Arcot Systems, Inc. | One-time credit card number generator and single round-trip authentication |
US20040010685A1 (en) * | 2002-02-25 | 2004-01-15 | Sony Corporation | Service providing apparatus and server providing method |
US20060124756A1 (en) * | 2004-12-10 | 2006-06-15 | Brown Kerry D | Payment card with internally generated virtual account numbers for its magnetic stripe encoder and user display |
WO2006118968A2 (en) * | 2005-04-29 | 2006-11-09 | Bharosa Inc. | System and method for fraud monitoring, detection, and tiered user authentication |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7031945B1 (en) * | 2000-07-24 | 2006-04-18 | Donner Irah H | System and method for reallocating and/or upgrading and/or rewarding tickets, other event admittance means, goods and/or services |
WO2006047694A1 (en) * | 2004-10-25 | 2006-05-04 | Orsini Rick L | Secure data parser method and system |
US20060212407A1 (en) * | 2005-03-17 | 2006-09-21 | Lyon Dennis B | User authentication and secure transaction system |
-
2007
- 2007-11-21 WO PCT/US2007/085332 patent/WO2008127431A2/en active Application Filing
- 2007-11-21 EP EP07873624A patent/EP2095221A4/en not_active Ceased
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6000832A (en) * | 1997-09-24 | 1999-12-14 | Microsoft Corporation | Electronic online commerce card with customer generated transaction proxy number for online transactions |
US20020053035A1 (en) * | 2000-06-06 | 2002-05-02 | Daniel Schutzer | Method and system for strong, convenient authentication of a web user |
WO2003038719A1 (en) * | 2001-10-31 | 2003-05-08 | Arcot Systems, Inc. | One-time credit card number generator and single round-trip authentication |
US20040010685A1 (en) * | 2002-02-25 | 2004-01-15 | Sony Corporation | Service providing apparatus and server providing method |
US20060124756A1 (en) * | 2004-12-10 | 2006-06-15 | Brown Kerry D | Payment card with internally generated virtual account numbers for its magnetic stripe encoder and user display |
WO2006118968A2 (en) * | 2005-04-29 | 2006-11-09 | Bharosa Inc. | System and method for fraud monitoring, detection, and tiered user authentication |
Non-Patent Citations (2)
Title |
---|
E. R. Harold: "Virtual account numbers" 29 August 2006 (2006-08-29), XP002588797 Retrieved from the Internet: URL:http://web.archive.org/web/20060829000813/http://www.elharo.com/blog/privacy/2006/05/17/virtual-account-numbers/ [retrieved on 2010-06-21] * |
See also references of WO2008127431A2 * |
Also Published As
Publication number | Publication date |
---|---|
WO2008127431A2 (en) | 2008-10-23 |
EP2095221A4 (en) | 2010-08-18 |
WO2008127431A3 (en) | 2009-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7548890B2 (en) | Systems and methods for identification and authentication of a user | |
US8661520B2 (en) | Systems and methods for identification and authentication of a user | |
WO2008127431A2 (en) | Systems and methods for identification and authentication of a user | |
US11556926B2 (en) | Method for approving use of card by using blockchain-based token id and server using method | |
US11475445B2 (en) | Secure authentication system with token service | |
US9426134B2 (en) | Method and systems for the authentication of a user | |
RU2645593C2 (en) | Verification of portable consumer devices | |
US9904919B2 (en) | Verification of portable consumer devices | |
US10298396B1 (en) | Identity management service via virtual passport | |
US8768837B2 (en) | Method and system for controlling risk in a payment transaction | |
JP5608081B2 (en) | Apparatus and method for conducting secure financial transactions | |
US8079082B2 (en) | Verification of software application authenticity | |
US20080120507A1 (en) | Methods and systems for authentication of a user | |
US20010051924A1 (en) | On-line based financial services method and system utilizing biometrically secured transactions for issuing credit | |
US20120116976A1 (en) | Verification of portable consumer device for 3-d secure services | |
US20120317018A1 (en) | Systems and methods for protecting account identifiers in financial transactions | |
TWI653588B (en) | Method of cross-platform payment in mobile devices | |
US20230245125A1 (en) | Identity verification using a virtual credential | |
Vidal et al. | Online Banking and Finance | |
KR20070021867A (en) | Wireless authentication system interworking with wireless terminal and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20090521 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: SHAKKARWAR, RAJESH, G. |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: SHAKKARWAR, RAJESH, G. |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: G06F 7/04 20060101AFI20090618BHEP Ipc: G06F 21/00 20060101ALI20100630BHEP Ipc: G07F 7/10 20060101ALI20100630BHEP |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20100716 |
|
17Q | First examination report despatched |
Effective date: 20110412 |
|
DAX | Request for extension of the european patent (deleted) | ||
APBK | Appeal reference recorded |
Free format text: ORIGINAL CODE: EPIDOSNREFNE |
|
APBN | Date of receipt of notice of appeal recorded |
Free format text: ORIGINAL CODE: EPIDOSNNOA2E |
|
APBR | Date of receipt of statement of grounds of appeal recorded |
Free format text: ORIGINAL CODE: EPIDOSNNOA3E |
|
APAF | Appeal reference modified |
Free format text: ORIGINAL CODE: EPIDOSCREFNE |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
APBT | Appeal procedure closed |
Free format text: ORIGINAL CODE: EPIDOSNNOA9E |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20200204 |