Unauthorized use of credit cards costs credit companies billions of dollars per year. Most security measures currently in place provide inadequate security. A primary security measure is the signature on the card, which can easily be forged. Secondary measures include requesting the cardholder's postal code; however, postal code information can often be easily obtained from other items in the cardholder's wallet (in the case of a stolen wallet), or by retrieving address information from public telephone directories. Furthermore, the use of postal codes to verify a transaction is actually illegal in some states and jurisdictions. Some credit card companies attempt to monitor a cardholder's normal usage patterns and call the user to verify a transaction that falls outside such patterns. However, such monitoring is time-consuming, error-prone, and obtrusive to the user, as the user's current transaction is often denied while the credit card company attempts to telephone the user and obtain verification.
In addition, unauthorized use of a user's credit card for on-line transactions is often quite difficult to detect. The measures used in authenticating on-line users have led credit card companies to enact question-based verification. For example, the credit card company may store questions and answers provided by the user. The challenges with this approach are that the answers to the questions can often be found on-line with little research and that the questions are static in nature.
Additional countermeasures to credit card fraud have been developed by credit card companies, but each of these also has limitations. For example, one measure is the use of a username/password prompt; however, this can easily be cracked by a computer given enough time, depending on the strength of the password. Another measure is called “CAPTCHA”, which presents distorted letter/number images that the user has to type at a keyboard. While CAPTCHA has the advantage of defeating computers, the measure requires no special knowledge, in that any person capable of seeing the CAPTCHA can enter the answer. Another measure is knowledge-based authentication (KBA): the question-and-answer prompts that are often used as an extra layer of security or to recover a forgotten password. However, the questions and answers are static in nature and are provided by the user long before the verification is requested. For example, a question might be “What is your hometown?”, but the answer to such a question can often be found through online resources or, in the case of a stolen wallet, on identification cards and similar items found in the user's wallet. In addition, the question/answer combination in KBA systems is static in nature (e.g., the name of the user's hometown does not change over time).