This invention relates to a method for containing the economic risk of fraudulent transactions conducted using microprocessor-based devices by implementing risk management on such devices. In a preferred embodiment of the present invention, the microprocessor-based devices are integrated circuit ("IC") cards, or "smart cards" as they are also commonly known.
Commerce involving IC cards is becoming increasingly commonplace. To support widespread commerce using such cards, it is critical that measures be established to prevent, detect, and contain counterfeiting and other fraudulent transactions on such cards.
The IC card industry has addressed the prevention of fraud by employing measures such as the authentication, verification, and authorization of transactions using cryptographic keys. Traditionally, to detect fraudulent activity that circumvents these preventive measures, the IC card industry has employed risk management analysis of IC card transactions. Two widely used methods of risk management analysis in the telecommunications and financial industries are the calculation of the "velocity" of transactions and the calculation of the statistical signature of transactions. The velocity method monitors the amount and number of transactions per unit of time against preset maximum limits. The statistical signature method, on the other hand, monitors transactions on IC cards against past transactional patterns at multiple levels of use of IC cards (i.e., from the level of use of a single IC card to higher levels of use of IC cards, such as regional levels). While the statistical signature method is usually more robust and effective than the velocity method, the statistical signature method is also more computationally intensive and requires more infrastructure support than the velocity method.
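The velocity method described above, as an added example that is not part of the original document: a sliding-window check of both the number and the total amount of transactions against preset limits. The class name, the limit values, the window length and the sample transactions are constructed, and leaving flagged transactions out of the window is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class VelocityMonitor:
    window_seconds: int  # the "unit of time" the limits apply to
    max_count: int       # preset maximum number of transactions per window
    max_amount: int      # preset maximum total amount per window (minor units)
    _recent: deque = field(default_factory=deque, init=False)  # (timestamp, amount)
    _total: int = field(default=0, init=False)

    def check(self, timestamp: int, amount: int) -> list[str]:
        """Return the limits this transaction would exceed; record it if none."""
        # Drop transactions that have aged out of the window.
        cutoff = timestamp - self.window_seconds
        while self._recent and self._recent[0][0] <= cutoff:
            _, old_amount = self._recent.popleft()
            self._total -= old_amount

        violations = []
        if len(self._recent) + 1 > self.max_count:
            violations.append("count")
        if self._total + amount > self.max_amount:
            violations.append("amount")

        # Assumption: a flagged transaction is not counted toward the window.
        if not violations:
            self._recent.append((timestamp, amount))
            self._total += amount
        return violations


# Constructed sample: (seconds since start, amount in minor units).
SAMPLE_TRANSACTIONS = [
    (0, 2000), (600, 3000), (1200, 6000), (1800, 1000), (2400, 500), (3700, 500),
]


def run_sample() -> list[list[str]]:
    monitor = VelocityMonitor(window_seconds=3600, max_count=3, max_amount=10000)
    return [monitor.check(ts, amt) for ts, amt in SAMPLE_TRANSACTIONS]


if __name__ == "__main__":
    for tx, result in zip(SAMPLE_TRANSACTIONS, run_sample()):
        print(tx, "flagged: " + ", ".join(result) if result else "ok")
```

The third sample transaction trips the amount limit and the fifth trips the count limit; the last one passes because the first transaction has aged out of the one-hour window.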
To date, risk management analysis of IC card transactions has been performed exclusively on centralized computer systems. While generally effective, this traditional approach to risk management has some serious drawbacks. First, the analysis of IC transaction data on centralized computers requires the collection of a voluminous amount of data. The collection of such a voluminous amount of data requires a significant technical and economic investment in equipment and infrastructure to properly route transactional data from the point of transaction to the centralized computer system.
A second drawback is that the number of fraudulent transactions, at least in the early stages of a fraudulent transaction "attack," is very small in relation to the total number of legitimate transactions in a group of IC cards. Therefore, attempting to locate fraudulent transactions from among valid ones is truly a difficult task, comparable to finding the proverbial needle in a haystack.
Finally, even assuming the technical and economic challenges can be overcome, there are significant inherent delays in the traditional approach to risk management. These delays are associated with the collection and processing of the voluminous amount of data previously mentioned. Because of these delays, the response time for containment of the fraudulent transactions is limited. Clearly, because the ability to respond as quickly as possible to fraudulent threats is crucial to the containment of fraud, delays in response time are highly undesirable.
Accordingly, there exists a need for an approach to risk management of fraudulent transactions that is more economical, more efficient, and faster than the traditional approach.