Many services require real-world information about a user. Identifying a user and acquiring real-world information about him is herein defined as “user identification”. Such information includes, for example, first name, last name, full home address, telephone numbers for home and work, fax and mobile, and credit card information. This is true whether the service is obtained in person or over a network.
One type of service requiring user identification is a credit card purchase. In order to complete a purchase, the user must provide credit card information that will enable a retailer to process a credit card transaction. In some cases, service providers enhance their services by using user identification information. For example, a chain-store delivery service can use the zip code of a user to direct an order to the closest branch.
The Internet is one type of a network, and it is used extensively today for providing a wide array of services and communications. It is, however, an anonymous medium, as it does not require its participants to identify themselves. The Internet provides many services that do not require such identification. For example, in a standard HTTP Internet session a user may access a server and view information without the server being notified of the identity of the user. In another example, users may participate in a “chat” session in which they exchange text messages without identifying themselves.
While the anonymous nature of the Internet is convenient for most users in most situations, it presents a significant barrier in services involving private or confidential information, financial applications, or any other service vulnerable to fraud or abuse. Similar problems are present in other networks, such as the cellular and mobile networks.
Many methods have been offered to solve this problem. In the case of the Internet, the user is sometimes issued a software or hardware identity token by a trusted authority. This token is then verified over the Internet using cryptographic methods such as the Rivest, Shamir, Adleman algorithm (RSA algorithm) (U.S. Pat. No. 4,405,829 Cryptographic Communications System And Method). These methods are limited in that a user wishing to obtain such a token must go through a cumbersome off-line identification process with the trusted authority. In many cases, some installation requiring technical ability is also necessary before the system can be used. An example is a smart card, which is a physical package that stores the user id internally in such a manner that it cannot be changed.
Due to such problems, service providers on a network often ask users to voluntarily provide their identification information. For example, when purchasing items over a network, a user will usually manually provide his credit card account number by filling in an HTML form or by entering data on his cellular or mobile phone. This identification method is insecure, since by obtaining the credit card number, any person can impersonate the original cardholder.
There are a number of issues that arise when a user manually provides such identification information. These include data entry errors, purposeful entry of fraudulent information, and reluctance on the part of users to provide this information over a network. The user's reluctance may be caused by lack of trust in the service provider if, for example, it is an unfamiliar service provider. It may also be caused by privacy concerns on the part of the user that his personal information may be accessed improperly. The current rates of Internet credit card fraud are an indication of current Internet commerce problems.