1. Field of the Inventions
The field of the invention relates generally to electronic transactions and more particularly to the authentication of such transactions.
2. Background Information
Electronic transactions, including electronic commerce, are becoming more prevalent, fueled of course by increasing Internet use. As the number and type of electronic transactions increase, so to does the need to verify the identity of participants in these transactions. Electronic commerce provides a good example. In a typical electronic commerce scenario, a user uses a web browser running on their computer to access a merchants web page via the Internet. Once the user has accessed the web page, they can typically browse product offerings, select products for purchase, and then purchase the selected products. The purchasing step often requires the user to supply identifying information, e.g., name and address, and a charge account number against which the transaction can be charged.
Unlike an off-line transaction, however, the merchant has no ability to verify the identifying information supplied in the electronic commerce scenario. In other words, in an electronic commerce transaction, the merchant cannot verify that the user is who they say they are, or therefore that the charge account belongs to the user making the purchase. In fact, the Gartner Group estimates that in 2001 1.14% of the $61.8 billion in online transactions involved fraud. The resulting $776.34 million dollars in losses is 5-20 times the losses for off-line sales transactions. With U.S. households predicted to spend $184 billion on-line by the year 2004, such losses clearly present a serious problem that is only going to get worse.
Fear of fraud, however, may prevent on-line sales from rising to predicted levels. The Gartner group estimates that 1 in 20 on-line customers are victims of credit card fraud. As a result, Jupiter reports that 60% of users avoid using their credit card in online transactions. Further, fraud losses often fall on the merchant, even though the merchant currently has no way to verify the identity provided by the user. Thus, both users and merchants need greater protection from fraud.
In response, many major credit card associations have promulgated new authentication mandates to reduce the massive losses resulting from online credit card fraud. While these mandates do not necessarily provide an increased ability to verify the identity of the user, they do shift the liability for fraud to card issuers. Accordingly, card issuers need to reliably authenticate their users when the users are involved in an online transaction.
Essentially, the new mandates allow merchants to request that the issuer authenticate the transaction, i.e., verify the identity of the user. The issuer can then, for example, verify the account number and some form of personal identifier, such as a Personal Identification Number (PIN), presented by the user. Once verified, the issuer will authenticate the transaction; however, the issuer is also liable if it turns out that the user is not who they are supposed to be.
Unfortunately for issuers, verification methods currently available still fail to match that of off-line transactions. In an off-line transaction, there is strong two factor authentication. The first factor being the actual presence of the card (card present), the second factor being the ability to verify that the person is who they say they are, e.g., via a signature, PIN, photo identification, etc. The combination of physical card presence and evidence of identification can provide sufficient authentication to reduce fraud to acceptable levels. But in the online environment, the first factor—card present verification—is often not available. Therefore, it is difficult even with the new authentication mandates to achieve a satisfactory level of authentication.
Physical, or actual, card present detection should be discerned from a card present detection generated in compliance with some of the new mandates. For example, in some of the new mandates, the user provides their account number, which is verified. The user is then requested to supply a PIN. If the PIN verifies correctly, then a “card present” indication is generated; however, the actual presence of the card was not in fact verified. In other words, these new mandates at best provide a surrogate card present verification that is inferior to an actual card present verification.
Smart cards, i.e., cards with a special integrated circuit embedded in them, and smart card readers are currently available to address the card present issue in online transactions. A smart card reader can be purchased and connected with a user's computer. During an online transaction, the user can then insert the smart card into the smart card reader, which can then authenticate the smart card.
There are, however, several drawbacks to smart card technology. For example, the user must become educated about how to use the smart card. The user is also often required to purchase a smart card reader and attempt to interface the reader with their computer. Alternatively, the user may be forced to pay extra for a computer with a smart card reader already attached or installed. The cost of an exemplary smart card reader can be, for example, $40. And once interfaced with the user's computer, software must typically be downloaded into the smart card reader, which again requires some education of the user regarding how to download and configure the software. Thus, adoption of smart card technology has been slow, e.g., as low as 1% market penetration or lower, and therefore not very effective at reducing fraud.