The continued growth of telecommunications infrastructure and proliferation of network devices, service providers, wireless technology and related software products have transformed the Internet into a tool for everyday use. Businesses are increasingly using the Internet as a method of communicating with customers, vendors, employees and shareholders and conducting business transactions. In theory, conducting business on the Internet is often efficient and cost effective, particularly when products and services can be distributed electronically. In practice, damage caused by hackers, identity theft, stolen credit cards, and other fraudulent activities can be enormously expensive and difficult to manage. At a minimum, these realities significantly increase the risks and costs associated with conducting business over the Internet specifically, and generally over any type of network.
While a number of methods are commonly used to make it safer to use the Internet and facilitate communication and business transactions, they all have inherent and exploitable weaknesses. Login names and passwords are one of the most widely used and accepted forms of basic network security, where access is limited to an exact match of a login and password combination. The identification of valid login names is often trivial, particularly on networks where logins are visible to observers and in organizations where users have a common login format, such as “firstinitial_lastname”. Since end-users often use common, simple and default passwords, share passwords, and write down more complicated passwords, passwords can be guessed, requested, or observed. Thus, the user name and password combination provides only a basic level of security and should not be relied upon exclusively, particularly to guard networks accessible via the Internet.
A secondary user authentication system goes a step beyond reliance on just user name and password and can greatly increase security. The secondary authentication relies on something the user has in their possession, such as a special purpose hardware device. For example, after entering a valid user name and password to access a network, a user may be given a code as part of the login process. The user enters the code into a device within a specified amount of time, and the device provides a secondary code/password for the user to enter as part of the login process. While significantly more secure, these systems are not perfect. More importantly, these systems can be impractical in protecting large networks accessible by the general public, and create significant barriers to entry.
A hardware key, sometimes referred to as a “dongle,” that might be connected to a computer by a USB port, is sometimes used to identify end-users connecting from a particular device. A fixed system component serial number and other hardware methods used to uniquely identify a specific network device are also used to limit access to ‘known’ devices. Unfortunately, these methods can be copied and simulated in software. These systems also create barriers and can be impractical in protecting large networks accessible by the general public.
The use of digital certificates and Trusted Third Party Certificate Authorities are increasingly popular methods of ensuring that the party connecting to a network is indeed who they claim to be. Unfortunately, certificates can be copied and even stolen remotely. Moreover, significant trust must be placed in third party verification groups that do not have a direct vested interest in the networks relying upon them. The requirement for network users to utilize certificates can also create a significant barrier, particularly for large networks accessible by the general public, and create significant barriers to entry.
An Internet Protocol (IP) address and geo-location services relying upon IP address are sometimes used to verify end-users or at least to cross reference likely physical location with known information about a user. These methods are limited by the fact that many Internet users obtain a new temporary IP address every time they connect to the Internet. Moreover, using IP addresses to pinpoint the actual location of a connected device is inherently flawed by the nature in which blocks of IP numbers are distributed and the relative ease of IP spoofing, a technique used by network intruders to make it appear that they are connecting from a trusted or different IP address.
The negative credit card databases and lists of identities used in fraudulent activities are reasonable screening tools and should be used to the extent that they are cost effective. However, such lists can never be relied upon exclusively because it is practically impossible for such lists to be up-to date and comprehensive. In addition, these lists offer absolutely no protection against so-called ‘friendly charge backs’, declined payments by credit card holders that make purchases using their own valid credit card who later claim that they did not make the purchase.
Screening services, such as RiskGardian provided by TrustMarque, and other risk assessment services are also reasonable screening tools and should be used to the extent that they are cost effective. These services utilize little concrete information about a specific user or device and only assign relative risks associated to a particular transaction based upon general information and trends. Finally, such services rely exclusively on historical trends and are poor at identifying new problems and emerging risk areas.
Fingerprints, voice recognition, retinal scans, face recognition, DNA, and other biometric identification methods will become increasingly more common. At this time, these methods of user identification are substantially cost prohibitive. Moreover, one or more of these methods must be widely distributed and generally accepted by end-users for consideration and use by most organizations conducting business over the Internet. Even if such a method was available and cost effective, once unique biometric identifiers are converted into electronic information, they too can be stolen, copied and otherwise compromised.
While all of these methods and others have their weaknesses and can be exploited, each has a place in network security. The types of access, level of security, nature of user populations, and other factors will dictate which group of methods will best serve each application. The present invention is not intended to replace any of these means of protecting networks and screening out unauthorized users. Organizations should use any and all cost effective means at their disposal to screen network access. The present invention enhances security by providing capabilities undeliverable by any other of the above typical systems and methods. Thus, it is desirable to provide a network security and fraud detection system and method and it is to this end that the present invention is directed.