As credit card and debit card purchases have expanded both in number and in the methods by which they can be accomplished, particularly electronic purchases, the opportunity for fraudulent, invalid or unauthorized purchases has increased. The expansion of such purchase opportunities has resulted in an increase in monetary losses to sellers, merchants, financial institutions and authorized holders of the authorized credit card and debit cards. In response, methods and systems have been developed to reduce the number of fraudulent purchases through verification processes and systems.
Merchants, in concert with the providers of consumer payment systems, are currently migrating away from the use of magnetic stripes on debit and credit cards which require a swipe through a magnetic card reader. So-called “tap & pay” devices contain an embedded chip and radio frequency antenna which, in the presence of an appropriate radio frequency query, transmit the user's account information to a merchant's receiver device. The use of such radio frequency identification (“RFID”) devices adds convenience and speed to payment transactions. Such devices are also used to unlock security doors and gates, admitting to secure areas only those individuals who are in possession of the appropriate RFID device. A variation that is growing in popularity eliminates the credit card entirely by placing such RFID devices within consumers' mobile phones or other personal wireless devices. As used herein, “credit card tap” and “tap & pay” will refer to both card-based and mobile phone- and wireless device-based embodiments of the technology.
In theory, because an RFID device does not need to leave the user's hand, and typically has a broadcast range measured in inches, security is improved relative to magnetic stripe devices which are susceptible to surreptitious swiping by dishonest employees. However, an RFID device can be induced to broadcast the owner's account and identity information to a receiver operated by a fraudster or data thief. An illicit receiver placed close to the point of sale can capture the broadcast information at the time the tap & pay transaction is being made. A data thief can also carry on his person a transmitter and receiver that induce nearby RFID devices to transmit their owners' financial and personal information. With such a device, it is possible to “harvest” personal data from a large number of RFID devices merely by getting physically close to victims' wallets or purses, an easy task in a crowded store or elevator. In a process known as “cloning”, the harvested information is later used by the thief, or by persons who have paid the thief for the data, to program counterfeit RFID devices that can be used to impersonate the rightful owner in fraudulent “tap & pay” transactions, or to access locations that are secured by RFID identification tags. An Internet-based underground market already exists for supplying criminals with the necessary equipment and software, and for the distribution and sale of the harvested data.
Traditional credit card transactions can be completed in about a minute, whereas RFID-mediated transactions require only a few seconds. For this reason, there is a need for accelerated means of verifying identity and authenticating “tap & pay” transactions in less than a second.
An example of a method of increasing the security of payments made by credit and cash cards is set forth in U.S. Patent Publication No. 20040073519.
Another example of a method of increasing the security of payments made by credit and cash cards is set forth in U.S. Patent Publication No. 20040254868.
US Patent Publication No. 20040219904 sets forth methods of improving the security of transactions using geographic locations.
International Patent Application No. WO 2004/079499 of Eden et al. describes a method of verifying user identity in which the geographic location of a mobile network device, which is known to be carried by a user, is compared with the geographic location from which a transaction request is initiated. A substantially similar system is disclosed in US Patent Publication No. 20030169881 (U.S. Pat. No. 7,376,431), which describes a fraud prevention system employing geographic comparison of a position sensor on a person and a separate position sensor at the point of sale.
A cellular telephone location system for automatically recording the location of one or more mobile cellular telephones, known as Time Difference on Arrival (TDOA), is described, for example, in U.S. Pat. No. 5,327,144. The system comprises a central site system operatively coupled to at least three cell sites. Each of the cell sites receives cellular telephone signals and integrates a timing signal common to all the cell sites. The central site calculates differences in times of arrival of the cellular telephone signals arriving among the cell sites and thereby calculates the position of the cellular telephone producing the cellular telephone signals. Additional examples of known methods for locating phones are cell sector and cell site. The full disclosure of U.S. Pat. No. 5,327,144 is hereby incorporated by reference in its entirety.
The need for rapid and accurate geolocation of mobile voice devices is not limited to the authentication of commercial transactions. Federal Communications Commission (FCC) has mandated wireless Enhanced 911 (E911) rules to improve the effectiveness and reliability of wireless 911 service. One requirement is that 95% of a network operator's in-service phones must be E911 compliant, i.e., location capable, whether via GPS circuitry in the handset or via radiolocation through the network. At present, carriers must provide 911 dispatchers at a Public Safety Answering Point (PSAP) with the telephone number of a wireless 911 caller, and the location of the antenna that received the call, but the rules call for the provision of more accurate geolocation data in the future. There is, accordingly, a need in the field of public safety for the rapid and automatic acquisition of cell phone location information.
Prior art transaction authentication methods based on geolocation of a mobile voice device are, in general, not capable of authenticating transactions in a matter of a few seconds, or in less than a second. In particular, they do not suggest capturing automatically the user's mobile voice device broadcast information while the user is at the point of sale, and using such broadcast information to request the mobile voice device location information from the carrier, before the credit card transaction takes place or before the user provides the credit card information to the merchant. Prior art methods request the mobile phone location after the initiation of a transaction and the provision of the credit card information, therefore the time required for authentication is extended by the time needed to locate the mobile phone.