(12) Patent Application Publication
Varghese et al.

(10) Pub. No.: US 2006/0282660 A1
(43) Pub. Date: Dec. 14, 2006

(54) SYSTEM AND METHOD FOR FRAUD MONITORING, DETECTION, AND TIERED USER AUTHENTICATION

(76) Inventors: Thomas Emmanual Varghese, San Mateo, CA (US); Jon Bryan Fisher, Tiburon, CA (US); Steven Lucas Harris, Foster City, CA (US); Don Bosco Durai, Fremont, CA (US)

Correspondence Address:
WINSTON & STRAWN LLP
1700 K STREET, N.W.
WASHINGTON, DC 20006 (US)

(21) Appl. No.: 11/412,997
(22) Filed: Apr. 28, 2006

Related U.S. Application Data
(60) Provisional application No. 60/676,141, filed on Apr. 29, 2005.

Publication Classification
(51) Int. Cl. H04L 9/00 (2006.01)
(52) U.S. Cl. 713/155
`
(57) ABSTRACT

The present invention provides systems and methods for authenticating access requests from user devices by presenting one of a plurality of graphical user interfaces selected depending on a perceived risk of fraud associated with the devices. User devices are identified with fingerprinting information, and their associated risks of fraud are determined from past experience with the device or with similar devices and from third party information. In preferred embodiments, different graphical user interfaces are presented based on both fraud risk and, in the case of a known user, usability. In preferred embodiments, this invention is implemented as a number of communicating modules that identify user devices, assess their risk of fraud, present selected user interfaces, and maintain databases of fraud experiences. This invention also includes systems providing these authentication services.
`
[Front-page drawing: flowchart for identifying a user device (capture identity information, compare with stored IDs, create or update the device ID and history).]
`IA1005
`
`Page 1 of 50
`
`
`
Patent Application Publication    Dec. 14, 2006    Sheet 1 of 20    US 2006/0282660 A1
`
`
`
`
[Sheet 3 of 20, FIG. 4A. Flowchart; legible box labels: Receive user request for web page at web server; Capture identity information (ID) from user device; Compare device's identity information with stored IDs; Existing ID?; Create device history for ID; Add ID to device history; Create new ID for device; Send new ID to user device and store thereon.]
`
`
`
[Sheet 4 of 20, FIG. 4B. Flowchart; the only legible box label reads "User enters login ID and password".]
`
`
`
[Sheet 5 of 20. Flowchart continued from figure 4 ("Got Device ID"); legible box labels: Send identity information to rules engine; Perform action in accordance with rules engine determination; Is a predetermined user interface to be provided to device according to rule?; Invoke Authenticator for generating user interface; Provide predetermined user interface to device; Are other forms of authentication/verification to be performed?; Perform action in accordance with authentication/verification process; Valid user?; Continue with login process; error message.]
`
`
`
`
`
`
[Sheet 13 of 20, FIGS. 13A and 13B. FIG. 13A, block diagram; legible labels: service provider authentication server; server app.; DCR services; local device-based auth. services; device-based auth. services; DCR; firewall; basic auth.; provider server with server apps. A to D; post auth. services. FIG. 13B, data flow; legible labels: server app. receives user request; user request data; fingerprint process; device ID info.; FAAS; rules engine; user/xaction valid/not valid; Authenticator; user GUI; device ID and risk; FDM; DCR; server app. continues.]
`
`
`
[Sheet 14 of 20, FIGS. 13C and 16C. FIG. 13C, data flow; legible labels: firewall receives user input; user input data; basic auth. services; rules engine; rules; user input valid/not valid; firewall proceeds. FIG. 16C; legible labels: Policy Set #1; Security Policy; Business Policy; numbered models under each policy; Request (User, Location, …); Risk Scoring Engine; 3rd Party Data; Total Score.]
`
`
`
`
[Sheet 17 of 20, FIG. 15B. Rule names shown in the drawing:
    User from a different country within a specified time
    User using multiple locations in short time frame
    Block users from restricted device list
    Consecutive failures for a device
    Multiple users from a device
    User using multiple devices in short time frame
    Consecutive failures for a user
    Consecutive failures for an IP
    Device from a different city within a specified time
    Block logins from restricted IP list
    Block user from restricted Location List]
`
`
`
[Sheet 18 of 20, FIGS. 16A and 16B. FIG. 16A; legible labels: Pre-Authentication; Models (Model A, Model B); Groups (Device Group A, Location Group A, User Group A, Workflow Group A). FIG. 16B; legible labels: Session #1 (User A, Device C, Location J); User Group #1; Workflow Group #1; Device Group #6; Location Group #2; Business Model A; Workflow Model A; Security Model A; numbered rules, actions and alerts.]
`
`
`
[Sheets 19 and 20 of 20, FIGS. 17A, 17B, 17C and 17D: no text recoverable.]
`
`
`
`US 2006/0282660 A1
`
`Dec. 14, 2006
`
`SYSTEM AND METHOD FOR FRAUD
`MONITORING, DETECTION, AND TIERED USER
`AUTHENTICATION
`
`CROSS REFERENCE TO RELATED
`APPLICATION
`
[0001] This application claims the benefit of U.S. provisional application Ser. No. 60/676,141 filed Apr. 29, 2005 and which is incorporated herein by reference in its entirety for all purposes.
`
`FIELD OF INVENTION
`
`[0002] The invention relates generally to systems and
`methods for providing protection against identity theft over
`a computer network.
`
`BACKGROUND OF INVENTION
`
[0003] The growth in the volume of online transactions conducted by businesses and individuals over the Internet has been staggering. Sensitive private identity information is typically used for authenticating a user for conducting online transactions. The increased use of identity information for Internet transactions has been accompanied by an increased danger of interception and theft of that information. Identity theft occurs when someone uses the password, username, Social Security number, credit card number, or other identifying personal information of another without consent to commit fraud. According to a September 2003 Federal Trade Commission (FTC) survey, 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in the year 2002 alone. Identity theft losses to businesses and financial institutions in 2002 totaled nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses, according to the FTC survey.

[0004] To enter into a transaction with an E-commerce server, a user typically needs to provide sensitive and confidential data including authentication data, data describing the transaction, and the like. This data is commonly entered by using a keyboard and/or a mouse connected to a device local to the user that is running a web browser that is linked to the Internet (or other computer network). FIG. 1 is a diagram illustrating an exemplary system 10 used for entering user authentication and transaction data. In this example, the authentication information to be entered by a user comprises a user ID and password. In known systems, the user ID and password are composed of a string of characters entered via a keyboard 12 while executing a web browser on a computing device 14. A typical user entry interface 18 provided by the browser to the user on a display 16 is shown.
`
[0005] After entry, a user’s sensitive information is typically transmitted to a remote server preferably in an encrypted form over secure connections. For example, the widely-used TCP/IP communication protocol includes security protocols built on the secure socket layer (SSL) protocol to allow secure data transfer using encrypted data streams. SSL offers encryption, source authentication, and data integrity as a means for protecting information exchanged over insecure, public networks. Accordingly, many E-commerce servers and applications use SSL, or similar security protocols, to exchange data between remote servers and local user systems. If the entered authentication information is approved by the server, the user is permitted to send and receive data from the server’s website.

[0006] The source of messages received at a web server is often determined from the IP address of the device from which the message is sent and/or from a cookie included with data from the user. A cookie generally refers to a packet of information, often sensitive information, sent by a web server to a browser resident on the user’s computer system for saving to a file and for transmitting back to the server whenever the user’s browser makes additional requests from the server. The IP address is generally included in a message header, and the cookie is usually one that has been previously sent by the server, often at login. The server compares the user login data with the message IP address and the returned cookie to determine the identity of the user sending the message and whether the user is currently logged into the server. The IP address of the user is also confirmed.
`
[0007] Despite these known precautions, a user’s sensitive information remains vulnerable because it is in a raw unsecured form between its entry by the user and its encryption prior to remote transmission. Also, sensitive data sent from the server is vulnerable during the period after its decryption and until its display. This unsecured information can be surreptitiously captured in a number of ways. For example, cookie hijackers copy sensitive information from cookies. Further, keyboard loggers and mouse click loggers are hidden software that intercept and copy mouse clicks and depressed keys after user entry but before processing by a browser or other software. Logger software can readily intercept the user’s secure information. Keyboard loggers and mouse click loggers might also take the form of hardware connected between the keyboard and mouse cable and the computer or the hardware inside the keyboard and mouse device.

[0008] Even graphical user interfaces that represent on-screen keypads and keyboards with selectable graphics for user entry (instead of or in addition to providing fields for text entry) are vulnerable to mouse click loggers, screen capture loggers, and other schemes. FIGS. 1, 2, and 3 illustrate prior art examples of such interfaces. Each alphanumeric character in the graphical interface is represented by a unique graphical image, e.g., the pixels forming the number “1”. Screen capture loggers utilize optical character recognition (OCR) technology to decipher characters selected by mouse clicks and the corresponding alphanumeric graphics in order to ascertain the actual alphanumeric text characters of a user’s ID and password. Sophisticated screen capture loggers might also utilize checksum and size characteristics of the graphic images in order to ascertain which data item corresponds to a graphic image selected by a user’s mouse click during data entry. In these ways, the screen capture loggers may acquire the personal information even when the graphical user interface has rearranged the order of alphanumeric characters on the keypad or keyboard.
`
[0009] Sensitive information can also be intercepted by espionage software, including snoopware, spyware, non-viral malware, hackers’ utilities, surveillance utilities, Trojan horses, etc. Espionage software aids in the unauthorized acquisition of information about a person or organization without their knowledge or consent. It typically installs itself on a user’s computer without consent and then monitors or controls the use of the device. Every user keystroke, all chat conversations, all websites visited, every user interaction with a browser, every application executed, every document printed, all text and images, might be captured by the espionage software. Espionage software typically is capable of locally saving or transmitting the captured data to third parties over the Internet, most often without the user’s knowledge or consent.

[0010] Another fraudulent acquirer of sensitive personal information is an “over-the-shoulder” spy who surreptitiously reads a user’s display to acquire the information.
`
[0011] Known anti-virus and anti-spyware software products attempt to enable a user to protect against such malicious software. However, use of outdated anti-virus and anti-spyware files provides minimal protection, at best, of computer data against outside threats. Consequently, a drawback of these products is that the information used by the anti-virus and anti-spyware program must be constantly updated to reflect newly discovered schemes in order to keep the protection current. In addition to keeping the virus information current, the system must be periodically scanned for potential infections.

[0012] Further, certain geographic locations are known to contain an inordinate number of identity thieves. It is therefore advantageous to know where an attempt to access a server originates from. IP addresses are one readily available source of location information. But IP addresses have drawbacks in that, for many users, the IP address is not constant. Known network protocols and facilities can lead to variable IP addresses. For example, proxy servers are used to provide a gateway between a local area network of an organization and the Internet. The local network is protected by firewall software installed on the proxy server. Proxy servers dynamically assign new IP addresses to a user device each time a new message is sent therefrom. As a result, there is no constant IP address assigned to an individual user device for users connected to the Internet via a proxy server.

[0013] Another source of IP address variability is the commonly used dynamic host configuration protocol (DHCP protocol) which assigns IP addresses dynamically and automatically to the devices on a TCP/IP network. A DHCP server assigns an IP address to a device from a list of available addresses when the device connects to the network. The device retains this IP address only for the duration of the current session. Some DHCP server systems can dynamically change the user’s IP address during the session. The use of a proxy or DHCP server means that the IP address alone may not be enough to identify a particular user device.
`
[0014] Security systems and methods that protect against the above-identified risks should also meet the usability concerns of an average user. A service provider wants to encourage online use in a secure manner. But a cumbersome and prolonged user interface or a less user friendly interface might discourage or even intimidate and frustrate users, or cause user errors, or the like. Also a security system should institute precautions to prevent execution of a fraudulent transaction once it has been found that the user’s information and/or system is at risk of being compromised. A security system should also alert the service provider based on a particular device attempting to access the provider’s system irrespective of the user.

[0015] Also, a security system and method should enable a service provider to strike a proper balance between security and usability of the system. In other words, a system and method is needed to enable a service provider to provide an easy to use and lower security interface when no security risk is identified, and a higher security interface when one is identified. Additionally, desirable security systems and methods should depend as little as possible upon human action to maintain their state of security. For example, it is not advantageous to require users to keep and maintain tokens or digital certificates or the like. A token can be lost, damaged, stolen and the like.
`
[0016] But security systems protecting against the described threats and having the described properties are not generally known in the art. What is needed but currently lacking in the art is a security system and method with the following features and aspects:

[0017] is a device-based fraud monitoring system;

[0018] provides robust fraud monitoring and detection along with robust fraud analysis and risk assessment so that online service providers have real time information needed to determine how and whether to allow a device to access the provider’s system;

[0019] provides selectable levels of secure user authentication as a function of usability and/or security concerns;

[0020] ascertains the security risk that a user’s information and/or system have been compromised and if so, provides a more secure login interface to guard against fraudulent activity;

[0021] a repository of information for identifying legitimate and fraudulent users based on more reliable and robust fingerprinting of the user device that can be integrated with other repositories of security tracking information;

[0022] is a purely software based solution to identity theft that does not require hardware devices to be issued and maintained;

[0023] is convenient for online users.
`
`SUMMARY OF THE INVENTION
`
[0024] The systems and methods of the present invention fill gaps in the prior art by providing improved authentication services.

[0025] An advantage of the systems and methods according to the present invention is that they provide information and selectable user interfaces for enabling a service provider to take action to authorize, deny, or put on hold online transactions in real time as a function of the risk presented by both the user and the device attempting to conduct a transaction.

[0026] Another advantage of the present invention is that it enables a service provider to identify possible in-process fraudulent authentication transactions, based on both user and device historical data analysis. Transactions can be approved, declined, or put on hold for verification based on a set of predetermined rules.
`
[0027] Another advantage of the present invention is that it provides both user and device based robust fraud monitoring and detection along with robust fraud analysis and risk assessment to give a service provider real time information needed to determine how and whether to allow a device to access the provider’s system.

[0028] Another advantage of the present invention is the enabling of a selection of levels of secure user graphical authentication as a function of predetermined usability and/or security concerns.

[0029] Another advantage of the present invention is that there is no dependence on tokens, cards and other similar hardware devices, digital certificates, anti-virus software, or personal firewall solutions for protecting end users against online identity theft.

[0030] Another advantage of the present invention is the acquisition and development of a blacklist and/or white list that is device based rather than only user based.
`
[0031] Broadly stated, according to an embodiment, the present invention fingerprints a user’s device by obtaining device identifying information that can be used to assess the fraud risk posed by a user at that user device. According to another embodiment, the present invention performs fraud analysis and alerting of the risk associated with the device being used to access a service provider’s server. According to another embodiment, this invention includes a database of user devices and their historical known fraud risks available in a central repository. According to another embodiment, this invention presents user authentication interfaces selected from a plurality of user authentication interfaces that provide a plurality of levels of security and usability.

[0032] Accordingly, the present invention provides systems and methods for providing levels of fraud monitoring, detection, and a tiered user authentication comprising a fingerprinting module for identifying a user device that has requested connection to a server; an authenticator module for enabling selection from a plurality of login graphical user interfaces as a function of predetermined selection criteria for presentation on the user device, wherein the selection criteria is in the form of rules regarding usability and security; a fraud analyzer and alert module for analyzing and assessing the risk associated with the user device as a function of historical tracking of use of the user device; and a device central repository for identifying legitimate and fraudulent users based on the fingerprinting module and other repositories of tracking information. This invention provides variously architected systems that implement the methods of this invention to provide authentication services to one or more service providers.
`
[0033] An example of the present invention’s usability and security features is provided by users who have forgotten their login id or password. Such a user typically accesses a system from a limited number of user devices, and the fact that authentication attempts of this type were made from such a device is recognized by the present invention and can be used to present a helpful interface to the user. If the device is unknown to the system, this can signal that a hacker is trying to break into the system and can be used to present an authentication interface of heightened security. Additionally, such users typically enter user/password information that is almost but not entirely accurate. This can be recognized by the present invention and used to further guide user authentication. In preferred embodiments, these options are represented by rules processed by a rules engine.

[0034] A further example of this invention’s usability and security features is provided by the ability to distinguish user behaviors. If an access originates from a user device that has not previously accessed a service provider (e.g., as detected by the absence of a device token stored on the user device), system rules can require that this access pass a higher level of authentication or challenge. However, the user may be a savvy user who routinely removes application tokens from their user device (almost 15% of Internet users). Further, on the basis of previous accesses, this user may be associated with a behavior pattern indicating routine access from not-readily-identifiable devices. Then, this user is preferably not challenged or subject to a higher level of scrutiny. In contrast, systems with authentication systems that do not adjust the authentication process on the basis of past user behavior would always challenge such a user. Accordingly, the present invention provides a better user experience for all the users, whether they are savvy or not.

[0035] In further detail, the systems and methods of the present invention verify each user’s computer and location (“something you have”) along with behavioral usage patterns on a site to confirm identity (“something you are”). These verifications are added on top of existing enterprise requirements for login/password credentials (“something you know”). This offers the enterprise several strong additional layers of anti-fraud protection.
`
[0036] The present invention includes secure cookies, flash objects and other technologies to recognize and to fingerprint the device from which a user accesses an application, whether it is a computer, laptop, mobile device or any other. These user devices thus become additional authentication factors without requiring any change in user behavior. Information concerning these user devices is fingerprinted and stored into a device token or device id for one-time use. The id or token is stored on the user device and saved in a database for later comparison with tokens retrieved from subsequent user device accesses. The token is invalidated if a user attempts to reuse it.

[0037] The present invention also includes user device tokens or device ids that have a unique number which is randomly generated by the methods of this invention. Such device tokens are then assigned to the particular user device, stored on the particular user device as persistent data (e.g., a cookie), and also stored so as to be accessible to the authentication services of this invention. The particular user device can be thereby identified upon a subsequent access by retrieving the device token from the user device and comparing the unique number with the stored information. If the data matches, this particular device is identified. Then a new unique identifier number is created and is stored on the user device and by the methods of this invention for use in a further access.
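
The one-time device token of paragraphs [0036] and [0037], as an added Python example that is not part of the patent text: the server issues a random token, identifies the device when the live token comes back, replaces it, and treats a second presentation of a consumed token as a replay. The class and method names, the hashed server-side storage and the flag-on-replay behaviour are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _digest(token: str) -> str:
    """Keep only a hash server-side so a database leak does not expose live tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class DeviceRecord:
    device_id: str
    live_digest: str                        # digest of the one token still valid
    history: list = field(default_factory=list)
    flagged: bool = False                   # set when a consumed token reappears


class DeviceTokenRegistry:
    """Hypothetical server-side store for one-time device tokens."""

    def __init__(self):
        self._live = {}      # digest of live token     -> DeviceRecord
        self._consumed = {}  # digest of consumed token -> DeviceRecord

    def _issue(self, record: DeviceRecord) -> str:
        token = secrets.token_urlsafe(32)   # random; carries no device data itself
        record.live_digest = _digest(token)
        self._live[record.live_digest] = record
        return token

    def present(self, token):
        """Handle the token (or None) that a device sent with its request.

        Returns (status, device_id, next_token):
          "new"      - no usable token: create a device ID and history
          "known"    - live token matched: device identified, token rotated
          "replayed" - consumed token seen again: rejected, device flagged
        """
        digest = _digest(token) if token else None

        record = self._live.pop(digest, None)
        if record is not None:
            self._consumed[digest] = record          # the old value is now dead
            record.history.append("known")
            return "known", record.device_id, self._issue(record)

        record = self._consumed.get(digest)
        if record is not None:
            # Two parties hold copies of the same cookie. The server cannot tell
            # which one is legitimate, so it flags the device and issues nothing.
            record.flagged = True
            record.history.append("replayed")
            return "replayed", record.device_id, None

        record = DeviceRecord(device_id=secrets.token_hex(8), live_digest="")
        record.history.append("new")
        return "new", record.device_id, self._issue(record)

    def is_flagged(self, device_id: str) -> bool:
        records = list(self._live.values()) + list(self._consumed.values())
        return any(r.flagged for r in records if r.device_id == device_id)


if __name__ == "__main__":
    reg = DeviceTokenRegistry()
    status, dev, t1 = reg.present(None)     # first visit, no cookie yet
    print(status, dev)
    status, dev, t2 = reg.present(t1)       # return visit, token rotated
    print(status, dev, t2 != t1)
    status, dev, t3 = reg.present(t1)       # a copy of the old cookie is replayed
    print(status, dev, t3, reg.is_flagged(dev))
```

Because either the copied cookie or the legitimate one can arrive first, the replay is only a risk signal about the device; which party to challenge is left to the rules engine.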
`
[0038] The present invention enables application service providers to score risk for each online login and transaction and to increase authentication security in real time, at login and in session, for transactions that may be high risk or potential fraud. It evaluates the pre, post and in-session characteristics of each transaction to ensure fraud detection and transactional integrity. The methods then provide a service provider with scores, actions, and alerts. For example, if a transaction has a high risk score and is thus potentially fraudulent, one preferred action is to hold the transaction and to then seek secondary authentication or secondary challenge. The user is, e.g., asked to call service provider personnel to confirm the validity of the held transaction. Another action is to reject the transaction. Different actions may be appropriate to different transaction types. In the case of banking service providers, viewing account balances is acceptable but wire transfers are not acceptable; or in the case of ecommerce/ASP service providers, download of sensitive documents may be restricted based on the risk score. These actions are preferably invoked by rules evaluated during transaction evaluation.
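
One way to implement the score-then-act flow of paragraph [0038], using three of the rule names legible in FIG. 15B; this is an added example, not code from the patent. The rule weights, time windows, per-transaction thresholds and the sample events are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds; history is kept in ascending ts order
    user: str
    device: str
    country: str
    login_ok: bool


def consecutive_failures_for_device(history, ev, limit=3):
    """Fires when the device's most recent `limit` logins all failed."""
    streak = 0
    for past in reversed([e for e in history if e.device == ev.device]):
        if past.login_ok:
            break
        streak += 1
    return streak >= limit


def multiple_users_from_device(history, ev, limit=3, window=3600):
    """Fires when `limit` or more distinct users used the device within `window`."""
    users = {e.user for e in history
             if e.device == ev.device and 0 <= ev.ts - e.ts <= window}
    users.add(ev.user)
    return len(users) >= limit


def user_from_different_country(history, ev, window=3600):
    """Fires when the user logged in from another country within `window`."""
    return any(e.user == ev.user and e.login_ok and e.country != ev.country
               and 0 <= ev.ts - e.ts <= window for e in history)


# (rule name, predicate, weight); the weights are assumed values.
RULES = [
    ("Consecutive failures for a device", consecutive_failures_for_device, 40),
    ("Multiple users from a device", multiple_users_from_device, 30),
    ("User from a different country within a specified time",
     user_from_different_country, 50),
]

# Assumed thresholds: a wire transfer is held or rejected at a lower score
# than a balance view, following the banking example in the text.
POLICY = {
    "view_balance": {"hold": 70, "reject": 90},
    "wire_transfer": {"hold": 30, "reject": 60},
}


def evaluate(history, ev, txn_type):
    """Return (score, fired_rule_names, action) for one transaction."""
    fired = [name for name, rule, _ in RULES if rule(history, ev)]
    score = min(100, sum(w for name, _, w in RULES if name in fired))
    limits = POLICY[txn_type]
    if score >= limits["reject"]:
        action = "reject"
    elif score >= limits["hold"]:
        action = "hold"      # hold and seek secondary authentication
    else:
        action = "allow"
    return score, fired, action


# Constructed sample history (not real data).
HISTORY = [
    Event(1000, "alice", "dev-A", "US", True),
    Event(1300, "bob", "dev-Z", "US", False),
    Event(1360, "carol", "dev-Z", "US", False),
    Event(1420, "dave", "dev-Z", "US", False),
]

if __name__ == "__main__":
    for ev in (Event(1500, "alice", "dev-A", "US", True),
               Event(2200, "alice", "dev-B", "FR", True),
               Event(1480, "alice", "dev-Z", "US", True)):
        for txn in POLICY:
            print(ev.device, ev.country, txn, evaluate(HISTORY, ev, txn))
```

The same score of 50 leaves a balance view allowed while a wire transfer is held, which is the transaction-type distinction the paragraph draws.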
`
[0039] The systems and methods of the present invention include the following features: device, location and user behavior (“workflow”) fingerprinting; user profiling through capture and recording of user workflows; real-time risk scoring; real-time, rules-based fraud alerts and response; alerts; automatic internal flagging of suspicious activity; configurable, out-of-band end-user optional secondary authentication (via e-mail, SMS, voice print other); 3rd party integration via open APIs; support for shared authentication and fraud services infrastructure; case management tools for reviewing individual client logs; customer care tool for servicing inbound customer care; a dashboard for real time fraud and activity monitoring; reporting for risk management and trending analysis; and administration for system and rules configuration and maintenance. The methods and systems include the following components and features: rules engine; risk scoring/forensics; real-time response; proprietary fingerprinting of devices, locations, workflows; models and rules; intelligent algorithms; and comprehensive administrative tools such as a dashboard, reports, and customer care
`
`[0040]