The invention relates generally to fingerprinting a user for identification purposes.
The Internet has become a pervasive platform for electronic commerce, where merchants typically sell products or services to visitors worldwide through the merchants' websites. Products and services are increasingly exchanged online. However, while the Internet is a fast medium for facilitating transactions, its anonymity has also attracted fraudulent activity. By default, Internet users visit websites anonymously, without any trusted identification, and such visits leave online transactions dependent on the information provided by the users. Fraudsters quickly take advantage of this anonymous nature of the Internet: they steal credit cards and bank accounts by phishing account owners or by directly hacking into bank or credit card databases, then use the stolen credit cards to purchase products or services online. Each year billions of dollars are reportedly lost in a single country to this type of fraudulent transaction, which causes both consumers and merchants to lose money and to lose trust in each other. User identification is available at the user's source ISP (Internet Service Provider), so in theory a fraudster can be tracked through logging information (time, computer, and IP address, among others). However, such tracking requires an enforceable search warrant served on the ISP, which is often located in a foreign country, and this is not feasible for merchants or consumers to obtain. As a result, fraudsters can keep defrauding the same merchants and consumers with impunity.
Merchants have made efforts to detect fraudulent payments by using the information retrieved from each transaction. Such efforts include comparing the country the payer enters with the country the credit card BIN represents and the country of the payer's IP address, comparing the address entered with the address associated with the credit card, email verification, and phone verification, among others. These efforts have had limited success. First, with millions of credit cards being made available through hacking, fraudsters can access the complete information associated with the credit cards: name, card number, expiry date, verification code, address and phone number, among others. They can enter information that matches the information associated with the card, and thus easily pass through the checkpoints. Second, the above verifications are primitive and thus limited in securing the credit cards. For instance, information such as the IP address may not be reliable, since fraudsters can use a publicly available web proxy to hide their real IP address; fraudsters can therefore pretend to be buyers from the USA while they are physically located in Morocco, for example. Third, due to the lack of automated analysis tools, most merchants work through these checkpoints one by one, and check the items intuitively and manually. As a result, mistakes are easily made as the transaction volume increases.
Other efforts have been made to detect fraudulent payments by analyzing the buying patterns of the credit card holder, including the time of purchase, the value of purchased items, etc. Although no predictable buying pattern is developed, this method can help when a big item is purchased, but it cannot identify an abnormal purchase when the purchased items are of small or medium value. Also, the detection occurs only after payment, which means the damage has already been incurred.
Because the verification process is primitive and often intuitive, the pattern is often too vague to be recognized. As a result, fraudsters can use the same defrauding technique to attack multiple merchants: they can simply use the same stolen credit card to buy services from different merchants in succession, running up large charges before the credit card is cancelled.