1. Field of the Invention
This invention relates to the field of security access to structures, credit accounts, and the like, especially credit card accounts, and concerns an improved method and apparatus for improving the security of such structures and accounts by significantly restricting unauthorized access yet keeping legitimate access simple for an authorized user. Although the invention can be employed for use with both structures and credit accounts, it will be described primarily in connection with credit accounts. The extension to structures, being simpler in concept, will be readily evident.
2. Brief Description of the Prior Art
In this specification, the term "credit account" will be used as a generic term for any kind of account that is accessible to a user by entering "account information" and an "access code". Such credit accounts include, but are not to be limited to, credit card accounts and telephone credit card accounts. An example of "account information" is the telephone number of the user of a telephone credit card or calling card. When making a call to be charged to a telephone credit account, the user dials a 0, the area code he or she is calling, and the 7-digit telephone number of the called party. The user is then prompted to input his or her "account information" which in this case is the user's phone number (the one to be charged) followed by a 4-digit "access code" or user identification code, more commonly known as a personal identification number or PIN.
In this discussion, the phrases "access code", "user identification code", "personal identification number", and "PIN" will be used interchangeably, the first being considered generic.
Also, in this discussion, the term "transaction" will mean that activity for which a credit account is established to promote, e.g. the completion of a bank transaction through an ATM, the successful line connection between a calling party and the called party, or the unlocking of a door to a protected structure such as a building or automobile.
For convenience, this description will presume that a standard telephone keypad is used in which alphabetic symbols are grouped and distributed along the numeric keys 0-9. Also, the keypad is assumed to have pound sign (#) and asterisk or star sign (*) keys.
Finally, again for convenience, the term "digit" is used in describing the alphanumeric characters that comprise the account information data or the access code. Thus, even though "digit" suggests numerals, it is to be understood that any alphanumeric character, ASCII character, or the like may be substituted for the term "digit".
Telephone fraud has become a $500 million a year revenue loss which is primarily paid for, albeit indirectly, by the credit card user. In the last year, in addition to phone credit card theft, other problems in this area have emerged, such as unauthorized access into direct dialing, PBX remote access, Voice Mail exchange fraud, and the like.
In the Visa and MasterCard and Department Store credit card industries, the dollar losses are commensurate. This industry has felt escalated losses of six billion dollars. To date, there is no reprieve in sight, and no countermeasures appear to be forthcoming to relieve these serious crimes. The bulk of the crimes come from the use of credit cards or credit card numbers that are stolen by the people through whose hands a credit card, or credit card number, passes, or by a person who observes someone making use of account information and a user identification code such as at a public telephone. It is not unusual for a credit card or credit card number to pass through a thousand hands per year.
Security of credit account systems has been improved in the last several years by the use of personal identification numbers (PINs). Although any of the aforementioned types of credit accounts could be used in this discussion to exemplify prior attempts to improve the security of such systems, the telephone credit card or "calling card" will be used as exemplary. In the use of such a credit card, as mentioned above, the caller will enter the telephone number to be charged to his or her account. The system will then respond with a prompt for entry of the PIN. The PIN is a 4-digit number which is then compared against a stored 4-digit number in the computer of the phone company, and if a match is made between the entered PIN and the stored PIN, completion of the call will be made, and the cost for the call will be charged against the account recognized by the computer as being associated with the entered user phone number. Of course, there is always a possibility that an incorrect digit will be entered by the user, and for that reason, the phone company repeats the request for entry of an appropriate PIN, and if a successful match is made on the second or subsequent time, the call will be completed. After a certain number of attempts without success, any further attempts to enter a PIN will be rejected, even if a match would have otherwise been made. The termination of accepting inputted PINs after a certain number of failures is to prevent "hackers" from inputting a large number of PINs at random in order to attempt to gain access to the account by a fortuitous match.
A similar system is employed by many banks in their automatic teller machine apparatus. Again, a user is prompted, after inserting his or her credit card (or other bank account card) into a slot, for a PIN, and upon a proper match, access to the account is made.
The problem with both of these described systems is that it is not too difficult for one to gain access to an account by looking over the shoulder of a user inputting numbers on a keyboard which is usually mounted on a vertical panel and is easily seen by one who is serious about gaining access to an account. Of course, an automatic teller machine would require reading of the physical card prior to the user entering the PIN, but telephone credit card account information and its access code can be obtained by an unauthorized user simply by observing the digits being inputted and memorizing them or writing them down for future reference. A more violent thief might steal a "calling card" or rob its owner of such card after the thief learns the access code or PIN.
Other systems, such as PBX systems, can be tampered with at night when no one is in the facility by a computer hacker who can quickly attempt thousands of tries to access the system in a short period of time so as to gain access to an outgoing line to place local or long distance telephone calls from within the PBX system by remote control of the hacker.
All of these systems, even those with which a PIN is required in order to complete the full identification of the user and give access to the system, have similar problems. When a thief enters the exact duplication of the access code a legitimate user has previously entered, he (the thief) is rewarded and encouraged to try it again with another credit account. Further, once the access code (including the PIN) for a particular account is known, the unauthorized user can repeatedly use the account over and over until such time as he or she is caught, decides to move on to another account, or exhausts the credit limit of the legitimate owner of the account.
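The prior-art check described above (a stored PIN, repeated prompts, rejection after a number of failures) and its limitation against an observed code can be modeled as follows. This is an added example, not part of the original specification; the class and function names, the limit of 3 failures (the text says only "a certain number") and the sample account data are assumptions.

```python
import hmac

MAX_FAILURES = 3  # assumption: the text only says "a certain number"


class CallingCardVerifier:
    """Static-PIN check with failure lockout, modeled on the prior-art description."""

    def __init__(self, accounts):
        # accounts: {account information: stored 4-digit PIN} (constructed data)
        self._pins = dict(accounts)
        self._failures = {acct: 0 for acct in accounts}

    def verify(self, account, pin):
        """Return 'completed', 'retry', 'locked' or 'unknown' for one PIN entry."""
        if account not in self._pins:
            return "unknown"
        if self._failures[account] >= MAX_FAILURES:
            # Rejected even if the entered PIN would otherwise have matched.
            return "locked"
        # Constant-time comparison of the entered PIN with the stored PIN.
        if hmac.compare_digest(pin.encode(), self._pins[account].encode()):
            self._failures[account] = 0
            return "completed"
        self._failures[account] += 1
        return "locked" if self._failures[account] >= MAX_FAILURES else "retry"


def guessing_run(verifier, account, guesses):
    """Enter the guesses in order and return the outcome of each entry."""
    return [verifier.verify(account, g) for g in guesses]


def replay_run(verifier, account, observed_pin, times):
    """Re-enter a code observed from a legitimate entry; return each outcome."""
    return [verifier.verify(account, observed_pin) for _ in range(times)]


if __name__ == "__main__":
    ACCOUNT, PIN = "2125550100", "4821"  # constructed sample values
    v = CallingCardVerifier({ACCOUNT: PIN})
    # Random guessing is cut off after MAX_FAILURES, the correct PIN included.
    print(guessing_run(v, ACCOUNT, ["0000", "1111", "2222", PIN]))
    # An observed static code never fails, so the lockout never engages.
    v2 = CallingCardVerifier({ACCOUNT: PIN})
    print(replay_run(v2, ACCOUNT, PIN, 5))
```

The failure counter bounds random guessing, but every use of an observed code is indistinguishable from a legitimate entry, which is the gap the specification sets out to close.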
Some solutions that have been proposed to reduce these crimes include the following: make access codes longer, thus complicating the problem of discovering them; cancel the codes of employees once they leave a company; train personnel to recognize the signs of rip-off schemes; block all calls to countries in which the company has no dealings; monitor calling on a daily basis; increase hired security personnel to guard protected structures; and the like. All have failed to make a significant reduction in such crimes.
It would therefore be an improvement in this industry to provide a method and apparatus for frustrating or eliminating the ability for an unauthorized user to gain access to a protected structure or credit account. The present invention provides a method and apparatus for improving such security and in some cases completely eliminating the possibility of fraudulent access.
It has been estimated that the present invention can decrease telephone fraud by at least 90%, immediately after the program is implemented. Some of the features and benefits of the present invention are: reduction in budget, e.g., reduction in cost for fraud related problems, reduction in the size of the credit card fraud department at the credit card company, reduction in computer access time attributed to fraudulent users, and reduction in sales staff's time taken up by fraud inquiries; no additional hardware, i.e., no costly expense to install special hardware to implement the invention; utilizes existing credit card standards, i.e. no need to change, replace, or add digits to the existing system codes or account numbers; totally adaptable, i.e. the invention can be applied to any credit card system or computer system dependent on security codes; and each call or transaction is 100% unrelated to the other, keeping the card number in a constant check.