`
`
`(19) United States
`
`
`
`
`
`
`
`
`(12) Patent Application Publication (10) Pub. No.: US 2006/0282660 A1
`
`
`
`
`
`
`
`
`
`
` Varghese et a1. (43) Pub. Date: Dec. 14, 2006
`
`US 20060282660A1
`
`
`
`
`(54) SYSTEM AND METHOD FOR FRAUD
`
`
`
`
`
`MONITORING, DETECTION, AND TIEREI)
`
`
`
`USER AUTHENTICATION
`
`
`
`
`
`(76)
`
`
`
`Inventors: Thomas Emmanual Varghese, San
`
`
`
`
`
`Mateo, CA (US); Jon Bryan Fisher,
`
`
`
`
`
`
`
`
`
`Tiburon, CA (US); Steven Lucas
`Harris, Foster City, CA GIS); Don
`
`
`
`
`
`
`
`
`Bosco Durai, Fremont, CA (US)
`
`
`
`Correspondence Address:
`
`
`WINSTON & STRAWN IiIiP
`
`
`,
`
`
`
`1700K§IREEI,N.W.
`WASHINGTON, DC 20006 (US)
`
`
`
`
`
`
`
`
`(21) Appl. No:
`
`
`(22) Filed:
`
`
`
`
`
`11/412,997
`
`
`
`
`
`
`APE 23, 2006
`Related US. Application Data
`
`
`
`
`(60) Provisional application No. 60/676,141, filed on Apr.
`
`
`
`
`
`
`29, 2005.
`
`
`
`Publication Classification
`
`
`
`
`
`
`(51)
`
`Int. Cl.
`
`
`(2006.01)
`H04L 9/00
`
`
`
`(52) US. Cl.
`.............................................................. 713/155
`
`
`
`
`
`
`
`(57)
`
`
`
`ABSTRACT
`
`
`
`The present invention provides systems and methods for
`
`
`
`
`
`
`
`
`authenticating access requests from user devices by present-
`
`
`
`
`
`
`
`ing one of a plurality of graphical user interfaces selected
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`depending on a perceived risk of fraud associated with the
`dev1ces. User dev1ces are identified With fingerprinting
`
`
`
`
`
`
`
`.
`d h'
`d "k
`.
`ff
`d
`d
`’f
`
`
`
`
`
`
`
`
`
`inormation, an t eirassoc1ate
`ris s o
`rau are . eter-
`mined from past experience With the deVice or With similar
`
`
`
`
`
`
`
`
`
`devices and from third party information. In preferred
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`embodiments, diiferent graphical user interfaces are pre—
`sented based on both fraud risk and, in the case of a known
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`user, usability. In preferred embodiments, this invention is
`implemented as a number of communicating modules that
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`identify user devices, assess their risk of fraud, present
`selected user interfaces, and maintain databases of fraud
`
`
`
`
`
`
`
`
`experiences. This invention also includes systems providing
`
`
`
`
`
`
`
`these authentication services.
`
`
`
`
`
`
`400
`
`
`
`Receive user request for
`
`
`
`
`web page a! web sewer
`
`
`
`
`
`402
`
`
`
`
`
`
`Capture identity
` 404
`
`
`information (SD)
`from user device
`
`
`
`
`
`
`
`
`Cornpare
`
`device's identity
`
`
`
`
`information with
`stared lD's
`
`
` 410
`
`
`Existing
`ID?
`
`Yes
`
` Add [D to device
`
`histary
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`416
`
`
`
`
`
`Page 1 of 50
`
`GOOGLE EXHIBIT 1018
`
` 414
` Create New 1D for device
` 418
`
`
`Send New ID to user device
`and store thereon
`
`
`
`
`
`
`
`
`
`
`
`
`
`Page 1 of 50
`
`GOOGLE EXHIBIT 1018
`
`

`

`
`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 1 0f 20
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`5
`\.
`
`Q ‘
`
`
`
`L
`
`QC
`
`
`\wwx
`
`
`
`7.431112%;
`
`
`
`,.2025an
`
`:0cu:
`
`a.Luna
`
`
`
`
`
`Page 2 of 50
`
`Page 2 of 50
`
`
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 2 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`d i
`
`j'anaaa
`EDIE—ll
`
`
`
`967.3P/Q/an4/37‘
`
`
`
`Page 3 of 50
`
`Page 3 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 3 0f 20
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`Receive user request for
`
`
`
`
`web page at web sewer
`
`402
`
`
`
`
`
`
`
`
`Capture identity
`
`
`information (i0)
`_
`from user device
`
`
`
`
`
`‘404
`
`
`
`
`
`
`
`
`
`
`
`Compare
`
`
`device's identity
`
`
`
`
`information with
`
`stored lD‘s
`
`
`
`
`
`410
`
`
`
`
`
`
`
`ID?
`
`
`
`
`
`
`
`
`Create device history for ID
`
`
`
`
`
`
`
`
`
`
`
` Existing
`
`
`
`
`
`Create New D for device
`
`
`
`
`Add ID to device
`
`
`history_
`
`
`
`414
`
`
`
`
`Send New ID to user device
`
`
`
`
`
`and store thereon
`
`
`
`
`
`
`
`416
`
`
`
`18
`
`
`
`
`F/e, <4
`
`Page 4 of 50
`
`Page 4 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 4 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`
`Em film“
`
`
`
`
`d’a‘yle’byflh the
`
`
`
`sammsév
`
`
`:mww
`
`
`
`
`
`
`
`
`
`
`
`
`Mainland“
`fainflisom'bsdhflis
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Generate-new
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`hum
`
`
`
`FIG. 43
`
`Page 5 of 50
`
`Page 5 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 5 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`309,
`
`
`
`
`
`Continued from figure 4
`
`
`
`(Got’ Device ID)
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Perform action in
`
`
`
`accordance with mies
`
`
`
`
`
`engine determination
`
`
`
`
` Is a Pre-
`
`
`
`
`
`
`
`
`
`
`determined
`
`
`
`
`
`
`user interface to be provided to device
`
`
`according
`
`to rule?
`
`
`
`
`
`‘
`
`
`
`interface to device
`
`
`
`
`.
`
` Provide predetermined user
`
`
`'e arm 3 Ion in
`
`
`
`
`
`
`
`
`
`
`accordance with
`Are other forms of authenticatlon
`
`
`
`
`verification to be performed?
`authenthicationl
`
`
`
`verification arocess
`
`
`
`No
`
`
`
`
`
`
`
`
`
`
`No-—-
`
`
`
`518
`
`
`-
`' = . ect user
`
`
`en‘or message
`
`
`I a- :
`
`
`Valid user?
`
`
`
`
`
`
`Page 6 of 50
`
`Page 6 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 6 0f 20
`
`US 2006/0282660 A1
`
`
`
`
`
`LVVVSVQvkaimwvmwm
`
`HawthhEQ,
`
`
`
`
`
`MmVVV
`
`:3\.HfluSAVANEbdmfifi
`
`$36.»MmbSmRawuxatE
`
`
`hi):ghtwk<ufiukMZxNh
`
`
`hat.
`
`.
`
`
`VEVZSQEVKEQ:
`
`«mmMMmusv\€un
`
`
`
`NaVSQVwasgm3%;
`
`
`
`HushVémEQHm\.aNV
`
`
`
`E\§N\.8233.wEH3
`
`
`
`Eskitfi923%
`
`_
`
`_QV
`
`
`
`
`
`93;
`
`
`
`
`
`
`
`
`
`
`
`Page 7 of 50
`
`[6NEWéfiunfimwAeé3m
`
`‘.tV
`
`_
`
`
`
`
`«VX5353;Amigo“3m
`
`
`
` _&\_\nnsuptem‘3»ch3m
`
`Page 7 of 50
`
`
`
`
`
`

`

`Patent Application Publication Dec. 14, 2006 Sheet 7 0f 20
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`
`
`
`
`QQB«Eutegfist.
`
`
`
`
`
`
`
`omfi\:
`
` ¢§E\Qqlakpmth_ENEafihi_I'll:llil.[III].
`
`
`
`
`
`POR.
`
`Page 8 of 50
`
`Page 8 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 8 0f 20
`
`
`
`US 2006/0282660 A1
`
`Vs
`
`a
`0Q
`
`.
`
`Q
`
`i
`
`‘
`
`39
`be
`
`no
`
`
`
`F/S,E?
`
`Page 9 of 50
`
`Page 9 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 9 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`
`
`
`Q
`
`\tf
`
`0\
`
`
`
`O
`@
`
`Page 10 of 50
`
`Page 10 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 10 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`Page 11 of 50
`
`Page 11 of 50
`
`

`

`
`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 11 0f 20
`
`US 2006/0282660 A1
`
`
`
`0M?
`
`
`
`
`
`\Aflfi\vjumnufiéwfixfib$.3me
`
`
`
`
`
`
`
`3:
`
`\\wt
`
`
`
`dagav.
`
`b0tfiufiw
`
`.wv38h QflmExfiwQ
`
`«QCNurb§>§~i
`9pm.:
`
`
`
`
`
`
`
`
`
`
`
`Page 12 of 50
`
`Page 12 of 50
`
`
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 12 0f 20
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`
`
`.VQGutfi..Hwfii...35i.......-.
`OMAR»_ESQ_MSEWE3m?:3EEeéi..
`..35;qum236w\m\<\w2%~§k§§§x§
`
`
`
`PbquxxfrmfiffimmAFPu
`
`
`
`_.HwtwwmmmmWE
`
`.m\3K
`
`Mum:ngh
`VbxhwmwQWr
`
`
` 2e:QQEixlrtnn.
`
`
`GS§\<\\§ESQ\N\@m.N\Eugutmfiufix»?,
`
`
`
`Page 13 of 50
`
`Page 13 of 50
`
`
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 13 0f 20
`
`
`
`US 2006/0282660 A1
`
`1 302
`
`
`
`
`
`
`
`
`
`
`
`
`
`1306
`AUTHENTICATION
`
`
`
`SERVICE PROVIDER
`SERVER
`
`
`
`SERVER
`
`
`
`
`
`
`DCR
`
`
`
`
`
`
` Sewer app.
`
`
`DCR services
`Database
`
`1308
`I Locaidevice-
`
` I Device-based auth. Z
`
`
`
`
`
`
`
`
`
`
`2 based auth.
`2
`services
`‘
`
`
`
`
`
`
`3
`1 services
`2
`1
`
`
`
`
`...................................
`SERVICE
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`PROVIDER
`
`
`SERVER
`
`
`
`Firewall
`Sewer app. A
`
`
`
`
`Sewer app. B
`.4
`_.
`.
`._.
`.
`
`
`
`
`
`
`
`
`Sewer app. C
`
`
`
`Server app. D
`
`
`
`
`
`FIG. 13A
`
`
`
`
`
`
`
`
`
`
`
`
`1320
`
`
`
`
`
`
`
`—
`
`
`
`
`h. services
`
`
`
`
`
`
`
`Server app,
`receives user
`
`
`
`
`request
`
`
`
`
`
`a a
`Fingerprint
`UseLretquest
`
`
`
`process
`
`
`
`
`
`
`
`
`Jasneuawo'Paiul
`seuiue
`
`
`
`
`
`User
`
`GUI
`
`
`
`
`
`.
`Device ID;
`
`andirisk
`
`
`f
`.
`
`DCR
`mg
`
`
`
`
` M
`
`Device ID info.
`
`
`
`
`
`
`
`________
`Authenticator
`User/xaction
`m
`
`
`
`valid/not
`
`
`""""
`valid
`
`
`
`
`
`
`Server app,
`
`
`continues
`
`
`FDM
`
`m
`
`
`FIG. 138
`
`
`
`
`Page 14 of 50
`
`Page 14 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 14 0f 20
`
`
`
`US 2006/0282660 A1
`
`1321
`
`
`
` Firewall
`
`
`receives user
`
`
`
`input
`..........................
`
`
`
`
`
`
`User input
`data
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Basic auth. services
`
`
`
`
`
`
`
`Rules engine
`Rules
`
`M
`
`(OCR/3rd party)
`
`
`
`
`
`
`
`User input
`valid/not
`
`valid
`
`
`
`
`1309
`
`
`
`
`
`1323
`
`
`
`Firewall
`
`
`
`proceeds
`
`
`FIG. 13C
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` Policy Set #1
`
`Securlty Policy
`
`
`- Medal .1 --—————-S‘W
`
`S’W
`- Model '2
`
`
`
`- Madol '3 ——————sw
`
`
`
`
`
`
`
`
` Business Policy
`- Modal M——-S‘W
`
`
`
`- Model l5——————$‘W
`
`
`Request
`
`
`
`
`(User. Location.
`Dulce I:
`
` Risk Scoring Engine
`
`
`
`Yransacflnn)
`
`
`
`
`
`
`Workflow Policy
`. Mod-I 55......S‘w
`
`
`- Mndcl fl————-—4‘W
`
`
`
`
`
`
`Total Score
`
`
`
`
`
`
`
`
`
`
`
`
` 3rd Party Data Policy ‘
`
`
`
`
`
`-Madel w——s~w
`“
`
`
`
`
`
`
`
`FIG. 16C
`
`
`
`Page 15 of 50
`
`Page 15 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 15 0f 20
`
`US 2006/0282660 A1
`
`
`
`5:23.1—>.t&Em\.illA.1>:.J.y},Liliiabmyfluxi
`
`
`
`0mmo<$33322338...
`
`
`
`85.3%...m...
`:63%3:29.2533.3552.28852.25%
`
`
`
`
`
`853535.52,
`
`3‘.6.”—
`
`282825:w._z<
`
`Efigmézg
`
`
`
`maflm_m>w_cofin.
`
`maflm9532?.
`
`.332:
`
`
`
`£335..m
`
`
`
`
`
`
`
`5383553raucouumxrmEtn
`
`
`
`36538338.58%
`
`
`
`§325£=<322....
`
`mzm«.2.ca
`
`:55“cage.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`.
`
`,
`
`Page 16 of 50
`
`éggzm9:3563.3.229...:_u...E...u.~._Hmini;
`
`‘girlie;
`
`
`
`
`
`
`
`
`
`rem...3:33«Em.5.83600.
`
`>322838.3%25:...5.:
`
`
`
`
`“creams“.323.332:953:5383
`
`
`:wumo32.533:
`
`i.«\1.rl\ctr.vrlil‘Llll
`
`
`
`
`
`
`
`
`
`
`
`32439503..cox...88.505383:23.1.3332.
`
`
`
`
`
`
`
`Page 16 of 50
`
`
`
`
`
`
`
`
`
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 16 0f 20
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`.2.2.3933.523....-3.2.0.“.255.33
`
`
`
`2.2aEsau—582.5.
`
`
`
`<2..0."—
`
`
`
`sou—.353332.5.
`
`852m.
`
`230$.
`
`383:8.2»
`
`8%Ex.
`
`voaan33>>3..
`
`
`
`:21wm~cw>mnounso:.a>>ox.
`
`
`
`«CO—«969.55Coawuwncu.
`
`osmcwmazouw
`
`
`
`
`
`«22.325033.5335.395833;}
`
`
`
`3.2.0.“.mwosmam
`
`
`
`mu_u:On_Eta—00$
`
`
`
`$259.30326on.
`
`aoEoE.
`
`2802.
`
`
`
`Em5:8L
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Page 17 of 50
`
`Page 17 of 50
`
`
`
`
`
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 17 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`
`Block users from
`
`
`restricted device list
`
`
`
`
`
`'User'from a
`
`
`dtfferent OOUHtW
`
`
`Wl‘hln a: Specifed
`
`time
`
`
`
`User using multiple
`
`
`Location in short
`
`
`time frame
`
`
`
`
`Consecutive
`failures for a device
`
`
`
`
`
`
`
`'*
`
`-
`
`a device
`
`
`
`
`Multipleusers from
`
`
`
`
`
`User using multiple
`
`
`devices in short
`time frame
`
`
`
`
`
`
`. COnsecutive
`
`
`fallu res for an user
`
`
`
`Consecutive
`
`
`
`failuresfor an IP
`
`
`
`
`Device from a
`
`
`difierentCity within
`
`
`
`a specified time
`
`
`
`
`
`Block logins from
`
`
`restricted lP list
`
`
`
`Block user from
`
`
`
`
`restricted Location
`
`List
`
`
`
`
`FIG. 153
`
`
`
`Page 18 of 50
`
`Page 18 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 18 0f 20
`
`
`
`US 2006/0282660 A1
`
`Groups
`
`
`
`Models
`
`
`
`
`Pre—Authentication ‘
`
`
`
`DeviceGroupA v Model A
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Business Model A
`User Group #1
`Session #1
`User A
`USEI' A
`Action 3
`
`
`
`
`Device C
`User 8
`Aiert 7
`
`
`
`
`Location J
`User C
`
`
`
`Action 2
`
`Workflow D
`
`
`Alert 5
`
`
`
`Workflow Group #1
`
`
`
`Workflow 0
`
`
`
`
`Workflow Y
`
`Workflow C
`
`
`
`
` Device Group #6
`
`
`
`
`Device A
`
`
`
`
`
`Device X
`
`
`
`Device C
`
`
`
`
`Security Model A
`Action 1
`
`
`
`
`
`Location Group #2
`
`
`Alert 4
`Location A
`
`
`
`Location 0
`
`Location J
`
`
`
`
`
`
`
`
`
`Rule 989
`
`
`
`
`
`
`Rule 445
`
`
`
`
`Rule 743
`
`
`
`
`
`Action 3
`
`
`Alert 5
`
`
`FIG. 1GB
`
`
`
`Page 19 of 50
`
`Page 19 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 19 0f 20
`
`
`
`US 2006/0282660 A1
`
`, a—u , m . mam... mm
`
`
`
`
`
`Wall“!
`WN‘MM1
`nunuusuull
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`FIG. 173
`
`
`
`Page 20 of 50
`
`Page 20 of 50
`
`

`

`
`
`
`
`
`
`
`Patent Application Publication Dec. 14, 2006 Sheet 20 0f 20
`
`
`
`US 2006/0282660 A1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`hum ”hush-humH-«Jhl. .ululuu—\
`um»;- my
`Alums 90M.ltl;i.ml.lrlllllu an. _
`
`
`
`
`
`
`
`
`
`
`— ..,.......... M... mm
`.-. r77 7
`.7
`
` u». u:- -m ‘MIIMI
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`"cm W w.“ V“
`
`:
`cm:
`
` u.“ .‘ .,...' J”...
`O"?
`
`lnflnr‘"v v
`
`
`
`
`
`[“21
`
` - m A”:
`
`
`
`
`
`
`
`
`
`
`
`
`
`ma
`
`
`
`
`um" m Fun“
`\n’ A. N.- _~'w
`310‘
`,
`
`
`
`
`”#qu :1 101-- n
`
`am
`
`N
`
`
`
`twp.» rm mnnv
`
`cw
`fi
`
`
`
`
`
`
`
`#:X‘“"“* Ian»
`at
`
`
`
`
`Rani?
`:3‘
`"“ w
`w
`Khan.”
`t
`.
`
`3‘2?» a.» m..-
`ti
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`FIG. 17C
`
`
`
`"ml
`.
`mow com. um Wcm
`
`
`
`
`
`
`
`leumwr Cam 5 raw Gula‘du
`
`
`
`
`
`
`
`wv‘
`
`
`
`‘
`
`*
`
`ng:- lds m
`“It.“ Fair;
`
`
`‘IVMIYI
`Rah
`
`
`
`
`
`
`
`
`Nam
`
`
`
`
`
`
`
`
`
`
`
`FIG. 17D
`
`
`
`Page 21 of 50
`
`Page 21 of 50
`
`

`

`US 2006/0282660 A]
`
`
`
`
`
`Dec. 14, 2006
`
`
`
`
`
`
`
`
`SYSTEM AND lVIETHOD FOR FRAUD
`
`
`
`
`MONITORING, DETECTION, AND TIERED USER
`
`
`
`
`AUTHENTICATION
`
`
`CROSS REFERENCE TO RELATED
`
`
`APPLICATION
`
`[0001] This application claims the benefit of US. provi-
`
`
`
`
`
`
`
`
`sional application Ser. No. 60/676,141 filed Apr. 29, 2005
`
`
`
`
`
`
`
`
`
`and which is incorporated herein by reference in its entirety
`
`
`
`
`
`
`
`for all purposes.
`
`
`
`FIELD OF INVENTION
`
`
`[0002] The invention relates generally to systems and
`
`
`
`
`
`
`
`methods for providing protection against identity theft over
`
`
`
`
`
`
`
`
`
`
`a computer network.
`BACKGROUND OF INVENTION
`
`
`[0003] The growth in the volume of online transactions
`
`
`
`
`
`
`
`conducted by businesses and individuals over the Internet
`
`
`
`
`
`
`
`has been staggering. Sensitive private identity information is
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`typically used for authenticating a user for conducting online
`transactions. The increased use of identity infonnation for
`
`
`
`
`
`
`
`Internet transactions has been accompanied by an increased
`
`
`
`
`
`
`danger of interception and theft of that information. Identity
`
`
`
`
`
`
`
`theft occurs when someone uses the password, username,
`
`
`
`
`
`
`
`
`Social Security rrurrrber, credit card number, or other iden-
`
`
`
`
`
`
`
`
`tifying personal information of another without consent to
`
`
`
`
`
`
`commit fraud. According to a September 2003 Federal Trade
`
`
`
`
`
`
`
`Commission (FTC) survey, 27.3 million Americans have
`
`
`
`
`
`
`
`been victims of identity theft in the last five years, including
`
`
`
`
`
`
`
`
`
`9.9 million people in the year 2002 alone. Identity theft
`
`
`
`
`
`
`
`
`
`losses to businesses and financial institutions in 2002 totaled
`
`
`
`
`
`
`
`nearly $48 billion and consumer victims reported $5 billion
`
`
`
`
`
`
`
`
`in out-of-pocket expenses, according to the FTC survey.
`
`
`
`
`
`
`
`[0004] To enter into a transaction with an E—commerce
`
`
`
`
`
`
`
`
`server, a user typically needs to provide sensitive and
`
`
`
`
`
`
`
`
`confidential data including authentication data, data describ-
`
`
`
`
`
`
`
`ing the transaction, and the like. This data is commonly
`
`
`
`
`
`
`
`
`
`entered by using a keyboard and/or a mouse connected to a
`
`
`
`
`
`
`device local to the user that is running a web browser that is
`
`
`
`
`
`
`
`
`
`linked to the Internet (or other computer network). FIG. 1 is
`
`
`
`
`
`
`
`
`a diagram illustrating an exemplary system 10 used for
`
`
`
`
`
`
`
`
`
`entering user authentication and transaction data. In this
`
`
`
`
`
`
`
`
`exarrrple, the authentication information to be entered by a
`
`
`
`
`
`user comprises a user ID and password. In known systems,
`
`
`
`
`
`
`
`the user ID and password are composed of a string of
`
`
`
`
`
`
`
`
`
`characters entered via a keyboard 12 while executing a web
`
`
`
`
`
`
`
`browser on a computing device 14. A typical user entry
`
`
`
`
`
`
`
`interface 18 provided by the browser to the user on a display
`
`
`
`
`
`
`16 is shown.
`
`
`[0005] After entry, a user’s sensitive information is typi-
`
`
`
`
`
`
`
`cally transmitted to a
`remote server preferably in an
`
`
`
`
`
`
`
`
`encrypted form over secure connections. For example, the
`
`
`
`
`
`
`
`
`widely-used TCP/IP communication protocol includes secu-
`
`
`
`
`
`
`rity protocols built on the secure socket layer (SSL) protocol
`
`
`
`
`
`
`
`
`to allow secure data transfer using encrypted data streams.
`
`
`
`
`
`
`
`
`
`SSL offers encryption, source authentication, and data integ—
`
`
`
`
`
`
`
`
`rity as a means for protecting information exchanged over
`
`
`
`
`
`
`
`
`insecure, public networks. Accordingly, many E-commerce
`
`
`
`
`
`
`servers and applications use SSL, or similar security proto-
`
`
`
`
`
`
`
`
`cols, to exchange data between remote servers and local user
`
`
`
`
`
`
`
`
`
`systems.
`If the entered authentication infonnation is
`
`
`
`
`
`
`
`
`
`
`Page 22 of 50
`
`
`
`approved by the server, the user is permitted to send and
`
`
`
`
`
`
`
`receive data from the server’s website.
`
`
`
`
`
`
`[0006] The source of messages received at a web server is
`
`
`
`
`
`
`
`often determined from the IP address of the device from
`
`
`
`
`
`
`
`
`
`
`which the message is sent and/or from a cookie included
`
`
`
`
`
`
`
`
`with data from the user. A cookie generally refers to a packet
`
`
`
`
`
`
`
`
`
`of information, often sensitive information, sent by a web
`
`
`
`
`
`
`
`server to a browser resident on the user’s computer system
`
`
`
`
`
`
`
`for saving to a file and for transmitting back to the server
`
`
`
`
`
`
`
`
`
`whenever the user’s browser makes additional requests from
`
`
`
`
`
`
`
`the server. The IP address is generally included in a message
`
`
`
`
`
`
`
`header, and the cookie is usually one that has been previ-
`
`
`
`
`
`
`
`
`
`
`ously sent by the server, often at login. The server compares
`
`
`
`
`
`
`
`
`the user login data with the message IP address and the
`
`
`
`
`
`
`
`
`
`
`returned cookie to determine the identity of the user sending
`
`
`
`
`
`
`
`the message and whether the user is currently logged into the
`
`
`
`
`
`
`
`
`
`server. The IP address of the user is also confirmed.
`
`
`
`
`
`
`
`[0007] Despite these known precautions, a user’s sensitive
`
`
`
`
`
`
`
`information remains vulnerable because it
`is in a raw
`
`
`
`
`
`
`
`unsecured form between its entry by the user and its encryp-
`
`
`
`
`
`
`
`tion prior to remote trarrsrrrissiorr. Also, sensitive data sent
`
`
`
`
`
`
`
`
`from the server is vulnerable during the period after its
`
`
`
`
`
`
`
`
`
`decryption and until its display. This unsecured information
`
`
`
`
`
`
`
`
`can be surreptitiously captured in a number of ways. For
`
`
`
`
`
`
`example, cookie hijackers copy sensitive information from
`
`
`
`
`
`
`
`cookies. Further, keyboard loggers and mouse click loggers
`
`
`
`
`
`
`
`
`are hidden software that intercept and copy mouse clicks and
`
`
`
`
`
`
`
`
`
`
`depressed keys after user entry but before processing by a
`
`
`
`
`
`
`
`
`browser or other software. Logger software can readily
`
`
`
`
`
`
`
`intercept the user’s secure information. Keyboard loggers
`
`
`
`
`
`
`
`and mouse click loggers might also take the form of hard—
`
`
`
`
`
`
`
`
`
`
`ware connected between the keyboard and mouse cable and
`
`
`
`
`
`
`
`
`
`the computer or the hardware inside the keyboard and mouse
`
`
`
`
`
`
`
`
`
`device.
`
`[0008] Even graphical user interfaces that represent on-
`
`
`
`
`
`
`
`screen keypads and keyboards with selectable graphics for
`
`
`
`
`
`
`
`
`user entry (instead or in addition to providing fields for text
`
`
`
`
`
`
`
`
`entry) are vulnerable to mouse click loggers, screen capture
`
`
`
`
`
`
`
`
`loggers, and other schemes. FIGS. 1, 2, and 3 illustrates
`
`
`
`
`
`
`
`
`prior art examples of such interfaces. Each alphanumeric
`
`
`
`
`
`
`
`character in the graphical
`interface is represented by a
`
`
`
`
`
`
`
`
`unique graphical image, e. g., the pixels forming the number
`
`
`
`
`
`
`
`
`
`“l”. Screen capture loggers utilize optical character recog-
`
`
`
`
`
`
`
`
`nition (OCR) technology to decipher characters selected by
`
`
`
`
`
`
`mouse clicks and the corresponding alphanumeric graphics
`
`
`
`
`
`
`
`in order to ascertain the actual alphanumeric text characters
`
`
`
`
`
`
`
`
`of a user’s ID and password. Sophisticated screen capture
`
`
`
`
`
`
`
`
`loggers might also utilize checksum and size characteristics
`
`
`
`
`
`
`
`
`of the graphic images in order to ascertain which the data
`
`
`
`
`
`
`
`
`
`item corresponding to a graphic image selected by a user’s
`
`
`
`
`
`
`mouse click during data entry. In these ways, the screen
`
`
`
`
`
`
`
`
`
`
`capture loggers may acquire the personal information even
`
`
`
`
`
`
`
`
`when the graphical user interface has rearranged the order of
`
`
`
`
`
`
`
`
`alphanumeric characters on the keypad or keyboard,
`
`
`
`
`
`[0009] Sensitive information can also be intercepted by
`
`
`
`
`
`
`
`espionage software,
`including snoopware, spyware, non-
`
`
`
`
`
`
`viral malware, hackers utilities, surveillance utilities, Trojan
`
`
`
`
`
`
`
`horses, etc. Espionage software aids in the unauthorized
`
`
`
`
`
`
`
`
`acquisition of information about a person or organization
`
`
`
`
`
`
`without their knowledge or consent. It typically installs itself
`
`
`
`
`
`
`
`on a user’s computer without consent and then monitors or
`
`
`
`
`
`
`
`
`controls the use of the device. Every user keystroke, all chat
`
`
`
`
`
`
`
`
`
`Page 22 of 50
`
`

`

`US 2006/0282660 A1
`
`
`
`
`
`Dec. 14, 2006
`
`
`
`
`
`
`conversations, all websites visited, every user interaction
`
`
`
`
`
`
`
`with a browser, every application executed, every document
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`text and images, might be captured by the
`printed, all
`
`
`
`
`
`
`espionage software. Espionage software typically is capable
`of locally saving or transmitting the captured data to third
`
`
`
`
`
`
`
`
`parties over the Internet, most often without the user’s
`
`
`
`
`
`
`
`
`
`knowledge or consent,
`
`
`[0010] Another fraudulent acquirer of sensitive personal
`
`
`
`
`
`information is an “over-the shoulder” spy who surrepti-
`
`
`
`
`
`
`tiously reads a user’s display to acquire the information.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0011] Known anti-virus and anti-spyware software prod-
`ucts attempt to enable a user to protect against such mali—
`
`
`
`
`
`
`
`
`cious software. However, use of outdated anti-virus and
`
`
`
`
`
`
`
`
`anti-spyware files provides minimal protection, at best, of
`
`
`
`
`
`
`
`computer data against outside threats. Consequently, a draw-
`
`
`
`
`
`
`
`back of these products is that the information used by the
`
`
`
`
`
`
`
`
`anti-virus and anti-spyware program must be constantly
`
`
`
`
`
`
`
`updated to reflect newly discovered schemes in order to keep
`
`
`
`
`
`
`
`the protection current. In addition to keeping the virus
`
`
`
`
`
`
`
`
`
`information current,
`the system must be periodically
`
`
`
`
`
`
`
`scanned for potential infections.
`
`
`
`
`[0012] Further, certain geographic locations are known to
`
`
`
`
`
`
`
`contain an inordinate number of identity thieves.
`is
`It
`
`
`
`
`
`
`
`
`therefore advantageous to knon where an attempt to access
`
`
`
`
`
`
`a server originates from. IP addresses are one readily avail-
`
`
`
`
`
`
`
`
`
`able source of location information. But IP addresses have
`
`
`
`
`
`
`
`drawbacks in that, for many users, the IP address is not
`
`
`
`
`
`
`
`
`constant. Known network protocols and facilities can lead to
`
`
`
`
`
`
`
`
`variable IP addresses. For example, proxy servers are used
`
`
`
`
`
`
`
`
`to provide a gateway between a local area network of an
`
`
`
`
`
`
`
`organization and the Internet. The local network is protected
`
`
`
`
`
`
`
`
`by firewall software installed on the proxy server. Proxy
`
`
`
`
`
`
`
`
`
`servers dynamically assign new IP addresses to a user device
`
`
`
`
`
`
`
`each time a new message is sent therefrom. As a result, there
`
`
`
`
`
`
`
`
`is no constant IP address assigned to an individual user
`
`
`
`
`
`
`
`
`
`device for users connected to the Internet via a proxy server.
`
`
`
`
`
`
`
`
`
`[0013] Another source of IP address variability is the
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`commonly used dynamic host configuration protocol
`(DHCP protocol) which assigns IP addresses dynamically
`
`
`
`
`
`
`
`and automatically to the devices on a TCP/IP network. A
`
`
`
`
`
`
`DHCP server assigns an IP address to a device from a list of
`
`
`
`
`
`
`
`available addresses when the device connects to the net-
`
`
`
`
`
`
`
`
`work. The device retains this IP address only for the duration
`
`
`
`
`
`
`
`
`
`
`of the current session. Some DHCP server systems can
`
`
`
`
`
`
`
`
`
`dynamically change the user’ s IP address during the session.
`
`
`
`
`
`
`
`
`The use of a proxy or DI ICP server means that the IP address
`
`
`
`
`
`
`
`
`alone may not be enough to identity a particular user device.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0014] Security systems and methods that protect against
`the above—identified risks should also meet the usability
`
`
`
`
`
`
`
`
`concerns of an average user. A service provider wants to
`
`
`
`
`
`
`
`encourage online use in a secure manner. But a cumbersome
`
`
`
`
`
`
`
`and prolonged user interface or a less user friendly interface
`
`
`
`
`
`
`
`
`might discourage or even intimidate and frustrate users, or
`
`
`
`
`
`
`
`
`cause user errors, or the like. Also a security system should
`
`
`
`
`
`
`
`
`
`institute precautions to prevent execution of a fraudulent
`
`
`
`
`
`
`transaction once it has been found that the user’s informa-
`
`
`
`
`
`
`
`
`
`tion andfor system is at risk of being compromised. A
`
`
`
`
`
`
`
`
`security system should also alert the service provider based
`
`
`
`
`
`
`
`
`
`on a particular device attempting to access the provider’s
`
`
`
`
`
`
`
`system irrespective of the user.
`
`
`
`
`[0015] Also, a security system and method should enable
`
`
`
`
`
`
`
`a service provider to strike a proper balance between secu-
`
`
`
`
`
`
`
`
`
`
`
`Page 23 of 50
`
`[0023]
`
`
`
`rity and usability of the system. In other words, a system and
`
`
`
`
`
`
`
`
`method is needed to enable a service provider to provide an
`
`
`
`
`
`
`easy to use and lower security interface when no security
`
`
`
`
`
`
`
`
`risk is identified, and a higher security interface when one is
`
`
`
`
`
`
`
`
`identified. Additionally, desirable security systems and
`
`
`
`
`
`
`methods should depend as little as possible upon human
`
`
`
`
`
`
`
`
`action to maintain their state of security. For example, it not
`
`
`
`
`
`
`
`
`advantageous to require users to keep and maintain tokens or
`
`
`
`
`
`
`
`digital certificates or the like. A token can be lost, damaged,
`
`
`
`
`
`
`
`
`stolen and the like.
`
`
`
`
`
`
`
`
`
`
`the
`[0016] But
`security systems protecting against
`described threats and having the described properties are not
`
`
`
`
`
`
`
`
`generally known in the art. What is needed but currently
`
`
`
`
`
`
`
`lacking in the art is a security system and method with the
`
`
`
`
`
`
`
`
`following features and aspects:
`
`
`
`
`is a device-based fraud monitoring system;
`
`
`
`
`
`
`[0017]
`
`
`
`
`
`
`
`[0018]
`provides robust fraud monitoring and detection
`along with robust fraud analysis and risk assessment so
`
`
`
`
`
`
`
`
`that online service providers have real time information
`
`
`
`
`
`
`
`
`needed to determine how and whether to allow a device
`
`
`
`
`
`
`
`
`
`
`
`
`to access the provider’s system;
`[0019]
`provides selectable levels of secure user authen-
`
`
`
`
`
`
`tication as a function of usability and/or security con—
`
`
`
`
`
`cems;
`
`ascertains the security risk that a user’s infor-
`[0020]
`
`
`
`
`
`
`
`
`mation and/or system have been compromised and if
`
`
`
`
`
`
`
`so, provides a more secure login interface to guard
`
`
`
`
`
`
`
`
`against fraudulent activity;
`
`
`
`a repository of information for identifying legiti-
`[0021]
`
`
`
`
`
`
`mate and fraudulent users based on more reliable and
`
`
`
`
`
`
`
`robust fingerprinting of the user device that can be
`
`
`
`
`
`
`
`
`integrated with other repositories of security tracking
`
`
`
`
`
`information;
`
`is a purely software based solution to identity
`[0022]
`
`
`
`
`
`
`theft that does not require hardware devices to be
`
`
`
`
`
`
`
`
`issued and maintained;
`
`
`
`is convenient for online users.
`
`
`
`
`
`SUMMARY OF THE INVENTION
`
`
`
`[0024] The systems and methods of the present invention
`
`
`
`
`
`
`
`fill gaps in the prior art by providing improved authentica-
`
`
`
`
`
`
`
`tion services.
`
`
`
`
`
`
`
`
`
`[0025] An advantage of the systems and methods accord—
`ing to the present invention is that they provide infonnation
`
`
`
`
`
`
`
`
`and selectable user interfaces for enabling a service provider
`
`
`
`
`
`
`
`
`to take action to authorize, deny, or put on hold online
`
`
`
`
`
`
`
`
`
`
`
`transactions in real time as a function of the risk presented
`
`
`
`
`
`
`by both the user and the device attempting to conduct a
`
`
`
`
`
`
`
`
`
`transaction.
`
`[0026] Another advantage of the present invention is that
`
`
`
`
`
`
`it enables a service provider to identify possible in-process
`
`
`
`
`
`
`
`fraudulent authentication transactions, based on both user
`
`
`
`
`
`
`and device historical data analysis. Transactions can be
`
`
`
`
`
`
`
`
`approved, declined, or put on hold for verification based an
`
`
`
`
`
`
`
`a set of predetermined rules.
`
`
`
`
`[0027] Another advantage of the present invention is that
`
`
`
`
`
`it provides both user and device based robust fraud moni—
`
`
`
`
`
`
`
`
`
`toring and detection along with robust fraud analysis and
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Page 23 of 50
`
`

`

`US 2006/0282660 A]
`
`
`
`
`
`Dec. 14, 2006
`
`
`
`
`
`
`risk assessment to give a service provider real time infor-
`
`
`
`
`
`
`
`
`mation needed to determine how and whether to allow a
`
`
`
`
`
`
`
`device to access the provider’s system.
`
`
`
`
`
`[0028] Another advantage of the present invention is the
`
`
`
`
`
`
`enabling of a selection of levels of secure user graphical
`
`
`
`
`
`
`
`
`
`authentication as a function of predetermined usability and/
`
`
`
`
`
`or security concerns.
`
`
`
`[0029] Another advantage of the present invention is that
`
`
`
`
`
`
`there is no dependence on tokens, cards and other similar
`
`
`
`
`
`
`
`
`hardware devices, digital certificates, anti-virus software, or
`
`
`
`
`
`
`personal firewall solutions for protecting end users against
`
`
`
`
`
`
`
`
`online identity theft.
`
`
`
`[0030] Another advantage of the present invention is the
`
`
`
`
`
`acquisition and development of a blacklist and/or white list
`
`
`
`
`
`
`that is device based rather than only user based.
`
`
`
`
`
`
`
`
`[0031] Broadly stated, according to an embodiment, the
`
`
`
`
`
`
`
`present invention fingerprints a user’s device by obtaining
`
`
`
`
`
`
`device identifying information that can be used to assess the
`
`
`
`
`
`
`
`
`fraud risk posed by a user at that user device. According to
`
`
`
`
`
`
`
`
`another embodiment, the present invention performs fraud
`
`
`
`
`
`
`
`analysis and alerting of the risk associated with the device
`
`
`
`
`
`
`
`
`
`being used to access a service provider’s server. According
`
`
`
`
`
`
`
`to another embodiment, this invention includes a database of
`
`
`
`
`
`
`
`user devices and their historical known fraud risks available
`
`
`
`
`
`
`
`
`
`in a central repository. According to another embodiment,
`
`
`
`
`
`
`this
`invention presents user authentication interfaces
`
`
`
`
`
`
`selected from a plurality of user authentication interfaces
`
`
`
`
`
`
`
`that provide a plurality of levels of security and usability.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0032] Accordingly, the present invention provides sys-
`tems and methods for providing levels of fraud monitoring,
`
`
`
`
`
`
`
`
`detection, and a tiered user authentication comprising a
`
`
`
`
`
`
`fingerprinting module for identifying a user device that has
`
`
`
`
`
`
`
`
`requested connection to a server; an authenticato