(12) Patent Application Publication
(10) Pub. No.: US 2006/0282660 A1
(43) Pub. Date: Dec. 14, 2006
Varghese et al.

(54) SYSTEM AND METHOD FOR FRAUD MONITORING, DETECTION, AND TIERED USER AUTHENTICATION

(76) Inventors: Thomas Emmanual Varghese, San Mateo, CA (US); Jon Bryan Fisher, Tiburon, CA (US); Steven Lucas Harris, Foster City, CA (US); Don Bosco Durai, Fremont, CA (US)

Correspondence Address:
WINSTON & STRAWN LLP
1700 K STREET, N.W.
WASHINGTON, DC 20006 (US)

(21) Appl. No.: 11/412,997
(22) Filed: Apr. 28, 2006

Related U.S. Application Data

(60) Provisional application No. 60/676,141, filed on Apr. 29, 2005.

Publication Classification

(51) Int. Cl. H04L 9/00 (2006.01)
(52) U.S. Cl. 713/155

(57) ABSTRACT

The present invention provides systems and methods for authenticating access requests from user devices by presenting one of a plurality of graphical user interfaces selected depending on a perceived risk of fraud associated with the devices. User devices are identified with fingerprinting information, and their associated risks of fraud are determined from past experience with the device or with similar devices and from third party information. In preferred embodiments, different graphical user interfaces are presented based on both fraud risk and, in the case of a known user, usability. In preferred embodiments, this invention is implemented as a number of communicating modules that identify user devices, assess their risk of fraud, present selected user interfaces, and maintain databases of fraud experiences. This invention also includes systems providing these authentication services.
`
[Front-page representative drawing: device-identification flowchart, reference numerals 402-418 (receive user request for web page at web server; capture identity information (ID) from user device; compare device's identity information with stored IDs; create device history for ID; add ID to device history; create new ID for device; send new ID to user device and store thereon).]
`IA1005
`
[Sheets 1 and 2 of 20: drawings; no text recoverable.]

[FIG. 4A (Sheet 3 of 20): flowchart 400 with reference numerals 402-418. Box labels: Receive user request for web page at web server; Capture identity information (ID) from user device; Compare device's identity information with stored IDs; Existing ID?; Create device history for ID; Add ID to device history; Create new ID for device; Send new ID to user device and store thereon.]
[FIG. 4B (Sheet 4 of 20): drawing; the only legible label reads "User enters login ID and password".]
[Sheet 5 of 20: flowchart continued from FIG. 4 (device ID obtained). Box labels: Send identity information to rules engine; Perform action in accordance with rules engine determination; Is a predetermined user interface to be provided to device according to rule?; Invoke Authenticator for generating user interface; Provide predetermined user interface to device; Are other forms of authentication/verification to be performed?; Perform action in accordance with authentication/verification process; Valid user?; Continue with login process; user error message.]
[FIG. 13A (Sheet 13 of 20): block diagram with reference numerals 1302, 1304, 1305 and 1306. Legible labels: service provider; authentication server; server app.; DCR services; local device-based auth. services; device-based auth. services; DCR; firewall; basic auth.; provider server; server apps A-D; post auth. services.]

[FIG. 13B (Sheet 13 of 20): process diagram with reference numerals 1200, 1308, 1320 and 1322. Legible labels: server app. receives user request; user request data; fingerprint process; device ID info.; FAAS; rules engine; user/transaction valid/not valid; Authenticator; user GUI; device ID and risk; FDM; DCR; server app. continues.]
[FIG. 13C (Sheet 14 of 20): process diagram. Legible labels: firewall receives user input; user input data; basic auth. services; rules engine; rules (DCR/3rd party); user input valid/not valid; firewall proceeds.]

[FIG. 16C (Sheet 14 of 20): risk scoring diagram. Legible labels: Policy Set #1; Security Policy (Models 1-3, each marked S, W); Business Policy (Models 4-5, each marked S, W); Request (User, Location, ...); Risk Scoring Engine; Policy; 3rd Party Data; Total Score.]
[FIG. 15B (Sheet 17 of 20): list of rules. Labels:
- User from a different country within a specified time
- User using multiple Location in short time frame
- Block users from restricted device list
- Consecutive failures for a device
- Multiple users from a device
- User using multiple devices in short time frame
- Consecutive failures for a user
- Consecutive failures for an IP
- Device from a different city within a specified time
- Block logins from restricted IP list
- Block user from restricted Location List]
[FIG. 16A (Sheet 18 of 20): diagram. Legible labels: Pre-Authentication; Models (Model A, Model B); Groups (Device Group A, Location Group A, User Group A, Workflow Group A); Session #1 (a user, a device, a location, a workflow); User Group #1 (member users).]

[FIG. 16B (Sheet 18 of 20): diagram. Legible labels: Business Model A, Workflow Model A and Security Model A; Workflow Group #1, Device Group #6 and Location Group #2 with their members; numbered rules (e.g., Rule 257, Rule 989, Rule 256, Rule 445), each leading to an action and an alert.]
[FIGS. 17A and 17B (Sheet 19 of 20): screen images; no text recoverable.]
[FIGS. 17C and 17D (Sheet 20 of 20): screen images; no text reliably recoverable.]
SYSTEM AND METHOD FOR FRAUD MONITORING, DETECTION, AND TIERED USER AUTHENTICATION

CROSS REFERENCE TO RELATED APPLICATION

[0001] This application claims the benefit of U.S. provisional application Ser. No. 60/676,141, filed Apr. 29, 2005, which is incorporated herein by reference in its entirety for all purposes.

FIELD OF INVENTION

[0002] The invention relates generally to systems and methods for providing protection against identity theft over a computer network.

BACKGROUND OF INVENTION

[0003] The growth in the volume of online transactions conducted by businesses and individuals over the Internet has been staggering. Sensitive private identity information is typically used for authenticating a user for conducting online transactions. The increased use of identity information for Internet transactions has been accompanied by an increased danger of interception and theft of that information. Identity theft occurs when someone uses the password, username, Social Security number, credit card number, or other identifying personal information of another without consent to commit fraud. According to a September 2003 Federal Trade Commission (FTC) survey, 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in the year 2002 alone. Identity theft losses to businesses and financial institutions in 2002 totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses, according to the FTC survey.

[0004] To enter into a transaction with an E-commerce server, a user typically needs to provide sensitive and confidential data including authentication data, data describing the transaction, and the like. This data is commonly entered by using a keyboard and/or a mouse connected to a device local to the user that is running a web browser that is linked to the Internet (or other computer network). FIG. 1 is a diagram illustrating an exemplary system 10 used for entering user authentication and transaction data. In this example, the authentication information to be entered by a user comprises a user ID and password. In known systems, the user ID and password are composed of a string of characters entered via a keyboard 12 while executing a web browser on a computing device 14. A typical user entry interface 18 provided by the browser to the user on a display 16 is shown.

[0005] After entry, a user's sensitive information is typically transmitted to a remote server, preferably in an encrypted form over secure connections. For example, the widely-used TCP/IP communication protocol includes security protocols built on the secure socket layer (SSL) protocol to allow secure data transfer using encrypted data streams. SSL offers encryption, source authentication, and data integrity as a means for protecting information exchanged over insecure, public networks. Accordingly, many E-commerce servers and applications use SSL, or similar security protocols, to exchange data between remote servers and local user systems. If the entered authentication information is approved by the server, the user is permitted to send and receive data from the server's website.

[0006] The source of messages received at a web server is often determined from the IP address of the device from which the message is sent and/or from a cookie included with data from the user. A cookie generally refers to a packet of information, often sensitive information, sent by a web server to a browser resident on the user's computer system for saving to a file and for transmitting back to the server whenever the user's browser makes additional requests from the server. The IP address is generally included in a message header, and the cookie is usually one that has been previously sent by the server, often at login. The server compares the user login data with the message IP address and the returned cookie to determine the identity of the user sending the message and whether the user is currently logged into the server. The IP address of the user is also confirmed.

[0007] Despite these known precautions, a user's sensitive information remains vulnerable because it is in a raw unsecured form between its entry by the user and its encryption prior to remote transmission. Also, sensitive data sent from the server is vulnerable during the period after its decryption and until its display. This unsecured information can be surreptitiously captured in a number of ways. For example, cookie hijackers copy sensitive information from cookies. Further, keyboard loggers and mouse click loggers are hidden software that intercept and copy mouse clicks and depressed keys after user entry but before processing by a browser or other software. Logger software can readily intercept the user's secure information. Keyboard loggers and mouse click loggers might also take the form of hardware connected between the keyboard and mouse cable and the computer, or of hardware inside the keyboard and mouse device.

[0008] Even graphical user interfaces that represent on-screen keypads and keyboards with selectable graphics for user entry (instead of or in addition to providing fields for text entry) are vulnerable to mouse click loggers, screen capture loggers, and other schemes. FIGS. 1, 2, and 3 illustrate prior art examples of such interfaces. Each alphanumeric character in the graphical interface is represented by a unique graphical image, e.g., the pixels forming the number "1". Screen capture loggers utilize optical character recognition (OCR) technology to decipher characters selected by mouse clicks and the corresponding alphanumeric graphics in order to ascertain the actual alphanumeric text characters of a user's ID and password. Sophisticated screen capture loggers might also utilize checksum and size characteristics of the graphic images in order to ascertain the data item corresponding to a graphic image selected by a user's mouse click during data entry. In these ways, the screen capture loggers may acquire the personal information even when the graphical user interface has rearranged the order of alphanumeric characters on the keypad or keyboard.
`
[0009] Sensitive information can also be intercepted by espionage software, including snoopware, spyware, non-viral malware, hacker utilities, surveillance utilities, Trojan horses, etc. Espionage software aids in the unauthorized acquisition of information about a person or organization without their knowledge or consent. It typically installs itself on a user's computer without consent and then monitors or controls the use of the device. Every user keystroke, all chat conversations, all websites visited, every user interaction with a browser, every application executed, every document printed, all text and images, might be captured by the espionage software. Espionage software typically is capable of locally saving or transmitting the captured data to third parties over the Internet, most often without the user's knowledge or consent.

[0010] Another fraudulent acquirer of sensitive personal information is an "over-the-shoulder" spy who surreptitiously reads a user's display to acquire the information.

[0011] Known anti-virus and anti-spyware software products attempt to enable a user to protect against such malicious software. However, use of outdated anti-virus and anti-spyware files provides minimal protection, at best, of computer data against outside threats. Consequently, a drawback of these products is that the information used by the anti-virus and anti-spyware program must be constantly updated to reflect newly discovered schemes in order to keep the protection current. In addition to keeping the virus information current, the system must be periodically scanned for potential infections.

[0012] Further, certain geographic locations are known to contain an inordinate number of identity thieves. It is therefore advantageous to know where an attempt to access a server originates from. IP addresses are one readily available source of location information. But IP addresses have drawbacks in that, for many users, the IP address is not constant. Known network protocols and facilities can lead to variable IP addresses. For example, proxy servers are used to provide a gateway between a local area network of an organization and the Internet. The local network is protected by firewall software installed on the proxy server. Proxy servers dynamically assign new IP addresses to a user device each time a new message is sent therefrom. As a result, there is no constant IP address assigned to an individual user device for users connected to the Internet via a proxy server.

[0013] Another source of IP address variability is the commonly used dynamic host configuration protocol (DHCP protocol), which assigns IP addresses dynamically and automatically to the devices on a TCP/IP network. A DHCP server assigns an IP address to a device from a list of available addresses when the device connects to the network. The device retains this IP address only for the duration of the current session. Some DHCP server systems can dynamically change the user's IP address during the session. The use of a proxy or DHCP server means that the IP address alone may not be enough to identify a particular user device.

[0014] Security systems and methods that protect against the above-identified risks should also meet the usability concerns of an average user. A service provider wants to encourage online use in a secure manner. But a cumbersome and prolonged user interface or a less user friendly interface might discourage or even intimidate and frustrate users, or cause user errors, or the like. Also, a security system should institute precautions to prevent execution of a fraudulent transaction once it has been found that the user's information and/or system is at risk of being compromised. A security system should also alert the service provider based on a particular device attempting to access the provider's system irrespective of the user.

[0015] Also, a security system and method should enable a service provider to strike a proper balance between security and usability of the system. In other words, a system and method is needed to enable a service provider to provide an easy to use and lower security interface when no security risk is identified, and a higher security interface when one is identified. Additionally, desirable security systems and methods should depend as little as possible upon human action to maintain their state of security. For example, it is not advantageous to require users to keep and maintain tokens or digital certificates or the like. A token can be lost, damaged, stolen and the like.

[0016] But security systems protecting against the described threats and having the described properties are not generally known in the art. What is needed but currently lacking in the art is a security system and method with the following features and aspects:

[0017] is a device-based fraud monitoring system;

[0018] provides robust fraud monitoring and detection along with robust fraud analysis and risk assessment so that online service providers have real time information needed to determine how and whether to allow a device to access the provider's system;

[0019] provides selectable levels of secure user authentication as a function of usability and/or security concerns;

[0020] ascertains the security risk that a user's information and/or system have been compromised and if so, provides a more secure login interface to guard against fraudulent activity;

[0021] a repository of information for identifying legitimate and fraudulent users based on more reliable and robust fingerprinting of the user device that can be integrated with other repositories of security tracking information;

[0022] is a purely software based solution to identity theft that does not require hardware devices to be issued and maintained;

[0023] is convenient for online users.
`
SUMMARY OF THE INVENTION

[0024] The systems and methods of the present invention fill gaps in the prior art by providing improved authentication services.

[0025] An advantage of the systems and methods according to the present invention is that they provide information and selectable user interfaces for enabling a service provider to take action to authorize, deny, or put on hold online transactions in real time as a function of the risk presented by both the user and the device attempting to conduct a transaction.

[0026] Another advantage of the present invention is that it enables a service provider to identify possible in-process fraudulent authentication transactions, based on both user and device historical data analysis. Transactions can be approved, declined, or put on hold for verification based on a set of predetermined rules.

[0027] Another advantage of the present invention is that it provides both user and device based robust fraud monitoring and detection along with robust fraud analysis and risk assessment to give a service provider real time information needed to determine how and whether to allow a device to access the provider's system.

[0028] Another advantage of the present invention is the enabling of a selection of levels of secure user graphical authentication as a function of predetermined usability and/or security concerns.

[0029] Another advantage of the present invention is that there is no dependence on tokens, cards and other similar hardware devices, digital certificates, anti-virus software, or personal firewall solutions for protecting end users against online identity theft.

[0030] Another advantage of the present invention is the acquisition and development of a blacklist and/or whitelist that is device based rather than only user based.

[0031] Broadly stated, according to an embodiment, the present invention fingerprints a user's device by obtaining device identifying information that can be used to assess the fraud risk posed by a user at that user device. According to another embodiment, the present invention performs fraud analysis and alerting of the risk associated with the device being used to access a service provider's server. According to another embodiment, this invention includes a database of user devices and their historical known fraud risks available in a central repository. According to another embodiment, this invention presents user authentication interfaces selected from a plurality of user authentication interfaces that provide a plurality of levels of security and usability.

[0032] Accordingly, the present invention provides systems and methods for providing levels of fraud monitoring, detection, and a tiered user authentication comprising a fingerprinting module for identifying a user device that has requested connection to a server; an authenticator module for enabling selection from a plurality of login graphical user interfaces as a function of predetermined selection criteria for presentation on the user device, wherein the selection criteria is in the form of rules regarding usability and security; a fraud analyzer and alert module for analyzing and assessing the risk associated with the user device as a function of historical tracking of use of the user device; and a device central repository for identifying legitimate and fraudulent users based on the fingerprinting module and other repositories of tracking information. This invention provides variously architected systems that implement the methods of this invention to provide authentication services to one or more service providers.

[0033] An example of the present invention's usability and security features is provided by users who have forgotten their login id or password. Such a user typically accesses a system from a limited number of user devices, and the fact that authentication attempts of this type were made from such a device is recognized by the present invention and can be used to present a helpful interface to the user. If the device is unknown to the system, this can signal that a hacker is trying to break into the system and can be used to present an authentication interface of heightened security. Additionally, such a user typically enters user/password information that is almost but not entirely accurate. This can be recognized by the present invention and used to further guide user authentication. In preferred embodiments, these options are represented by rules processed by a rules engine.

[0034] A further example of this invention's usability and security features is provided by the ability to distinguish user behaviors. If an access originates from a user device that has not previously accessed a service provider (e.g., as detected by the absence of a device token stored on the user device), system rules can require that this access pass a higher level of authentication or challenge. However, the user may be a savvy user who routinely removes application tokens from their user device (almost 15% of Internet users). Further, on the basis of previous accesses, this user may be associated with a behavior pattern indicating routine access from not-readily-identifiable devices. Then, this user is preferably not challenged or subject to a higher level of scrutiny. In contrast, systems with authentication systems that do not adjust the authentication process on the basis of past user behavior would always challenge such a user. Accordingly, the present invention provides a better user experience for all the users, whether they are savvy or not.
`
[0035] In further detail, the systems and methods of the present invention verify each user's computer and location ("something you have") along with behavioral usage patterns on a site to confirm identity ("something you are"). These verifications are added on top of existing enterprise requirements for login/password credentials ("something you know"). This offers the enterprise several strong additional layers of anti-fraud protection.

[0036] The present invention includes secure cookies, flash objects and other technologies to recognize and to fingerprint the device from which a user accesses an application, whether it is a computer, laptop, mobile device or any other. These user devices thus become additional authentication factors without requiring any change in user behavior. Information concerning these user devices is fingerprinted and stored into a device token or device id for one-time use. The id or token is stored on the user device and saved in a database for later comparison with tokens retrieved from subsequent user device accesses. The token is invalidated if a user attempts to reuse it.

[0037] The present invention also includes user device tokens or device ids that have a unique number which is randomly generated by the methods of this invention. Such device tokens are then assigned to the particular user device, stored on the particular user device as persistent data (e.g., a cookie), and also stored so as to be accessible to the authentication services of this invention. The particular user device can be thereby identified upon a subsequent access by retrieving the device token from the user device and comparing the unique number with the stored information. If the data matches, this particular device is identified. Then a new unique identifier number is created and is stored on the user device and by the methods of this invention for use in a further access.
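The one-time device token exchange of paragraphs [0036] and [0037] can be sketched as follows. This is an added example, not code from the application; the class name, status strings, SHA-256 storage of token values, and the choice to revoke a device's token chain when a spent value is presented again are all assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    device_id: str                  # stable server-side key for the device history
    current: str = ""               # SHA-256 of the single token value valid right now
    revoked: bool = False           # set once an already-exchanged token comes back
    history: list = field(default_factory=list)


class DeviceTokenStore:
    """One-time device tokens: every successful presentation rotates the value."""

    def __init__(self):
        self._by_digest = {}        # digest of every token ever issued -> record

    @staticmethod
    def _digest(token):
        # Keep only hashes server-side so a database leak yields no usable token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _issue(self, record):
        token = secrets.token_urlsafe(32)       # unique number from a CSPRNG
        record.current = self._digest(token)
        self._by_digest[record.current] = record
        return token

    def _enroll(self, status):
        record = DeviceRecord(device_id=secrets.token_hex(8))
        record.history.append(status)
        return status, record.device_id, self._issue(record)

    def present(self, token):
        """Return (status, device_id, next_token) for the token a device sent."""
        if not token:
            return self._enroll("new_device")       # nothing stored on the device
        digest = self._digest(token)
        record = self._by_digest.get(digest)
        if record is None:
            return self._enroll("unknown_token")    # value never issued by this store
        if record.revoked:
            record.history.append("revoked")
            return "revoked", record.device_id, None
        if digest != record.current:
            # A value that was already exchanged once came back: the cookie was
            # copied, so neither holder can be trusted on the token alone.
            record.revoked = True
            record.history.append("reuse_detected")
            return "reuse_detected", record.device_id, None
        record.history.append("recognized")
        return "recognized", record.device_id, self._issue(record)


def demo():
    store = DeviceTokenStore()
    _, device_id, t1 = store.present(None)      # first visit: token set as a cookie
    s2, d2, t2 = store.present(t1)              # next visit: match, then rotate
    s3, d3, _ = store.present(t1)               # copied cookie replayed
    s4, d4, _ = store.present(t2)               # chain is revoked after the replay
    return [s2, s3, s4], device_id == d2 == d3 == d4, t1 != t2


if __name__ == "__main__":
    print(demo())
```

A "reuse_detected" or "revoked" status is the kind of signal a rules engine could use to select a higher-security authentication interface for that access.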
`
[0038] The present invention enables application service providers to score risk for each online login and transaction and to increase authentication security in real time, at login and in session, for transactions that may be high risk or potential fraud. It evaluates the pre, post and in-session characteristics of each transaction to ensure fraud detection and transactional integrity. The methods then provide a service provider with scores, actions, and alerts. For example, if a transaction has a high risk score and is thus potentially fraudulent, one preferred action is to hold the transaction and to then seek secondary authentication or secondary challenge. The user is, e.g., asked to call service provider personnel to confirm the validity of the held transaction. Another action is to reject the transaction. Different actions may be appropriate to different transaction types. In the case of banking service providers, viewing account balances is acceptable but wire transfers are not acceptable; or in the case of ecommerce/ASP service providers, download of sensitive documents may be restricted based on the risk score. These actions are preferably invoked by rules evaluated during transaction evaluation.
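The scoring-then-action flow of paragraph [0038] is illustrated below with three of the rule labels shown in FIG. 15B and an action that depends on the transaction type. This is an added example, not code from the application; the weights, time windows, thresholds, sample history and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    device: str
    country: str
    ok: bool = True        # login outcome; unused on the request being scored


RESTRICTED_DEVICES = {"dev-stolen"}     # constructed restricted device list


def consecutive_failures_for_device(history, req, limit=3):
    last = [e for e in history if e.device == req.device][-limit:]
    return len(last) == limit and not any(e.ok for e in last)


def multiple_devices_in_short_time(history, req, window=timedelta(hours=1), limit=3):
    seen = {e.device for e in history
            if e.user == req.user and timedelta(0) <= req.when - e.when <= window}
    return len(seen | {req.device}) >= limit


def different_country_within_time(history, req, window=timedelta(hours=2)):
    return any(e.user == req.user and e.ok and e.country != req.country
               and timedelta(0) <= req.when - e.when <= window for e in history)


# (FIG. 15B rule label, check, weight). The weights are assumptions.
RULES = [
    ("Consecutive failures for a device", consecutive_failures_for_device, 35),
    ("User using multiple devices in short time frame", multiple_devices_in_short_time, 25),
    ("User from a different country within a specified time", different_country_within_time, 40),
]

# Per transaction type: (score at which to hold, score at which to reject). Assumed.
THRESHOLDS = {"view_balance": (60, 90), "wire_transfer": (30, 60)}


def score(history, req):
    """Return (total score capped at 100, labels of the rules that fired)."""
    if req.device in RESTRICTED_DEVICES:
        return 100, ["Block users from restricted device list"]
    fired = [(label, weight) for label, check, weight in RULES if check(history, req)]
    return min(100, sum(w for _, w in fired)), [label for label, _ in fired]


def decide(total, transaction):
    hold_at, reject_at = THRESHOLDS[transaction]
    if total >= reject_at:
        return "reject"
    if total >= hold_at:
        return "hold_for_secondary_authentication"
    return "approve"


# Constructed login history, oldest first.
NOW = datetime(2006, 4, 28, 12, 0)
HISTORY = [
    Event(NOW - timedelta(minutes=90), "alice", "dev-1", "US"),
    Event(NOW - timedelta(minutes=9), "bob", "dev-9", "US", ok=False),
    Event(NOW - timedelta(minutes=8), "bob", "dev-9", "US", ok=False),
    Event(NOW - timedelta(minutes=7), "bob", "dev-9", "US", ok=False),
]


def evaluate(req, transaction, history=HISTORY):
    total, fired = score(history, req)
    return total, fired, decide(total, transaction)


if __name__ == "__main__":
    request = Event(NOW, "alice", "dev-2", "FR")
    for kind in THRESHOLDS:
        print(kind, evaluate(request, kind))
```

With the same score of 40, the balance view is approved while the wire transfer is held for secondary authentication, which is the per-transaction-type difference the paragraph describes.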
`
[0039] The systems and methods of the present invention include the following features: device, location and user behavior ("workflow") fingerprinting; user profiling through capture and recording of user workflows; real-time risk scoring; real-time, rules-based fraud alerts and response; alerts; automatic internal flagging of suspicious activity; configurable, out-of-band end-user optional secondary authentication (via e-mail, SMS, voice print, other); 3rd party integration via open APIs; support for shared authentication and fraud services infrastructure; case management tools for reviewing individual client logs; customer care tool for servicing inbound customer care; a dashboard for real time fraud and activity monitoring; reporting for risk management and trending analysis; and administration for system and rules configuration and maintenance. The methods and systems include the following components and features:
`rules engine; risk scoring/forensics; real-time response; pro-
`p