The continued utilization and growth of electronic bank account transactions (such as checking, savings, debit, and credit types, for instance) has led to an undesirable increase in account invasions and thefts, leaving banks and other financial institutions with huge potential liabilities and losses. Additionally, some consumers have been susceptible to credit rating problems due to the unauthorized use of individuals' stolen bank account (for example, credit card) information. In essence, criminal activity concerning electronic financial account information, particularly in this age of computerized systems for such transactions, is substantial and causes enormous problems around the globe, tallying well into the billions in terms of annual cash losses. Of particular concern are situations that do not allow for financial institutions to guarantee remedies to account holders (such as for on-line checking account deductions; banks are typically not liable for any electronic thefts due to outside invasions of account information), since the innocent and unsuspecting account holder may be out a significant amount of money.
Certainly, such accounts are highly convenient and widely used; from the ease of transfer at gasoline pumps to swiping cards at retail establishments, even utilizing such payment systems to transact business over the Internet, debit/credit cards, e-checks, and other like accounts are utilized every day by millions (if not billions) of people worldwide. In the computer realm, however, the information embedded within such accounts (and in particular cards) is a constant lure for unsavory actors. From the potential for accessing an individual's credit card identifications (such as account numbers, expiration dates, even extra access codes) through hacking operations, to planting insurgent devices to read magnetic strip records, to utilizing surreptitious cameras, and the like, to uncover an individual's inputted password or pass code information, there is a constant barrage from criminal enterprises to steal such information in as widespread fashion as possible. Even within certain settings, such as, for instance, restaurants, and the like, the trust a patron places in a server or like individual with his or her debit/credit card has, on occasion, led to theft of such information through unauthorized copying and use. Once such information is in a criminal's possession, such thieves can purchase thousands of dollars' worth of merchandise within mere minutes, and the unsuspecting consumer eventually pays one way or another. Whether through account payments or price increases absorbed by multiple consumers in the long run, the financial institution and/or the retailer seeks recompense for such stolen moneys as well, particularly since such theft costs are typically charged back to the retailer (about 80%, generally, at least).
In any event, such criminal actions will undoubtedly continue unabated as debit, credit, checking, savings, retirement, investment, etc., account information modifications have been slow to enter the financial industry, leaving such accounts susceptible to mere copying by sight or through digital signal interception, as some examples. Thus, it is evident that there continues to be a rather significant need to provide some means to avert the unauthorized use of such stolen bank account information, whether procured in front of the account holder or through other illegal, surreptitious means. The ability to do so through a non-invasive method that provides a high degree of reliability for both the account holder and account backer would be highly prized, certainly.
There have been many attempts to prevent the illegal or fraudulent use of credit cards and/or debit cards in shopping malls, over the Internet, and at Automated Teller Machines (ATMs). These efforts include Personal Identification Numbers (PINs), the use of mother's maiden names (or other specific information) as a secret identification, and requiring credit/debit card holders to use additional ID cards such as a driver license. All attempts to use static information such as these are not completely secure, since such information can be easily learned or stolen and passed on to other users. Once the static identification number is learned, it may be used to make fraudulent debit/credit card purchases until the fraud is detected and the debit/credit card account is closed.
In addition to the PIN system mentioned above, the CVV (card verification and validation) number is an additional security system currently in place for purchases using a debit and/or credit card where the card is not physically present, such as for internet or telephone transactions. The CVV number may be alternatively called CVV2 or CID (card identification) or CCV (credit card verification or validation) by various debit/credit card companies. The CVV number is typically printed on the back of the subject card, as with MasterCard or VISA, but may be on the front of the card, as with American Express, as examples. This number typically includes three or four digits. Merchants are not allowed to store CVV numbers in their database with the account number, as a security measure, meaning that, in principle, at least, such numbers will not be disseminated if a merchant's database is compromised. Also, since the CVV number is not in the database, each transaction must be accompanied by a new request for the number from the cardholder. Nevertheless, since the CVV numbers are disclosed to the merchants, their employees, and anyone in the communications chain, they may easily be recorded and passed on in a fraudulent manner. Not to mention, in certain establishments, such as restaurants, the permissive grant, temporarily, of one's debit and/or credit card to a server or like employee for the purpose of payment at a specific financial transfer device location allows ample opportunity for a person to review and record all such necessary information to then utilize the card at a future date and time.
Alternatively, there are other nefarious operations that attempt to prod such account information from unsuspecting individuals. For example, phishing has become a standard manner of having unsophisticated persons actually provide their bank account information to unidentified on-line actors posing as a trustworthy institution or entity. In such an exercise, for example, an unexpected email or other communication may be sent to an individual indicating a problem or issue has arisen with his or her account. In order to remedy such a situation, the phishing site (a link, for instance, within an email) that appears affiliated with the individual's bank or like entity will request verification of identity through the input of information such as the individual's name, account number, other protected information (such as a password, social security number, etc.), even addresses, as examples. Once such information is unwittingly shared, the bad actor can then access the individual's account(s) and electronically steal as many assets as desired, particularly since such an actor now has all the necessary verification information of the account holder himself or herself.
Additionally, there are currently devices of relatively low cost that may be employed surreptitiously by a bad actor to read and/or swipe embedded information from a person's card or cards via the magnetic strips, chips, or other like card information storage devices present thereon. Such reader devices may be placed in card readers that are typically accessed by consumers for payment purposes, or even within ATMs. Furthermore, however, and far more sinister, are devices that may be utilized in such a secretive fashion as to “bump” against a person's pocket or handbag (or the like) and automatically read such embedded card information. The information is thus instantly transferred to the device from which the bad actor(s) may make a copy (or copies) thereof in a new card, allowing for implementation within the new card's own magnetic strip (or like storage device). In such a fashion, the bad actor(s) can access the account through such stolen information and without the need for any further verification (since the user in that instance, being the bad actor, has the card information in hand and the standard purchasing/transferring protocols followed today require nothing further for most retail establishments, at least, to accept such a presentation).
Even more interesting is the potential for a funds transfer system to be supplied within a person's on-line account (such as Google, PayPal, etc.) or permitted through access from a person's phone alone (such as Google Wallet, Google Money, and the like), which actually store and utilize the person's own underlying financial accounts (whether checking, savings, credit, debit, retirement, etc., in nature). If such an on-line account is hacked or the phone is stolen, the bad actor may easily access all the underlying financial accounts linked thereto to withdraw and/or use such funds, or even just utilize the on-line system itself to make purchases, transfers, etc., on demand. Password technology is currently used to protect against such possible problems, but, as noted above, sophisticated bad actors can detect and/or discover such information (even through answering certain general questions, the answers to which may be easily understood or at least uncovered). As such, mere hacking or physical theft could lead to such financial account invasions. If the phone or on-line account user leaves an email or other account open on his or her computer or phone, then the bad actor's accomplishments in this manner are made that much easier. Furthermore, such a bad actor could also set up new accounts in this type of theft situation, particularly if certain background information (social security number, etc., for example) has also been absconded with, thereby allowing for further fraudulent activity in this manner, all through a hard-to-detect new unauthorized account.
Some banks and other card providers have a monitoring system in place to at least attempt to prevent suspicious activity. For instance, the utilization of a card in a foreign location, for a rather large purchase, or other like potentially unlikely situation, may trigger a financial institution to call or otherwise try to communicate directly with the card holder for verification purposes. If such a communication fails to reach the card holder, the transaction may be held pending a reliable response. However, if the number involved, for example, is picked up by the bad actor in such an instance (such as through a stolen phone or even if the person is at the card holder's own home), then the financial institution, despite attempts to prevent such a problematic occurrence, may be forced to pay for such a mistaken identity (regardless of the malfeasance involved). Even more troublesome is that such suspicious activities have been uncovered through the utilization of certain algorithms by the subject financial institution searching for anomalies in account use. Unfortunately, though, some criminals have developed (or have had developed) similar programs to emulate the anomaly-searching programs of these financial institutions in order to predict such situations and thus to provide initial warnings of probable unacceptable account activity in relation to the financial institution operations. In this manner, these bad actors are provided with a means to avoid such questionable account transactions (whether geographic location, threshold amount, type of merchant, etc.) and undertake those that will more likely be accepted, thereby skirting the supposed failsafe measures currently in place.
Additionally, a typical operation known as “cramming” involves the accumulation of small charges ($10-50, for instance) sporadically over a significant time period so as to increase the chances that such actions go unnoticed by both the account holder and the financial institution, particularly if monitoring by either party is limited. In essence, in each situation, the criminal element has realized a means to evade the security measures implemented by the financial institutions; there are thus great needs, again, to overcome these potential pitfalls.
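As an added illustration (not part of the original text), the following sketch shows how an account holder or institution could review a ledger for the cramming pattern described above: repeated charges in the $10-50 band from the same merchant, spread over a long period. The ledger entries are constructed sample data, and the minimum hit count, minimum time span, and allowlist of known merchants are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (posting date, merchant descriptor, amount in cents).
LEDGER = [
    (date(2024, 1, 5), "GROCER-MART", 4310),
    (date(2024, 1, 9), "QK*SVC-PREMIUM", 1499),
    (date(2024, 2, 2), "GROCER-MART", 3875),
    (date(2024, 2, 27), "QK*SVC-PREMIUM", 1995),
    (date(2024, 3, 1), "GROCER-MART", 4120),
    (date(2024, 3, 14), "ELECTRO-HUB", 89900),
    (date(2024, 4, 3), "QK*SVC-PREMIUM", 1250),
    (date(2024, 4, 5), "GROCER-MART", 3990),
    (date(2024, 5, 20), "CAFE-ONE", 1125),
    (date(2024, 5, 24), "CAFE-ONE", 1200),
    (date(2024, 6, 18), "QK*SVC-PREMIUM", 2499),
]

SMALL_MIN_CENTS = 1000   # $10, lower bound of the band named in the text
SMALL_MAX_CENTS = 5000   # $50, upper bound of the band named in the text
MIN_HITS = 4             # assumption: how many small charges make a pattern
MIN_SPAN_DAYS = 60       # assumption: "significant time period"


def find_cramming(ledger, known_merchants=frozenset()):
    """Return merchants with repeated small charges spread over a long span.

    known_merchants is an allowlist the account holder recognises (for
    example a regular grocery store), so routine spending is not flagged.
    """
    small_by_merchant = defaultdict(list)
    for day, merchant, cents in ledger:
        if merchant in known_merchants:
            continue
        if SMALL_MIN_CENTS <= cents <= SMALL_MAX_CENTS:
            small_by_merchant[merchant].append((day, cents))

    findings = {}
    for merchant, hits in small_by_merchant.items():
        hits.sort()
        span_days = (hits[-1][0] - hits[0][0]).days
        # A burst of small charges in one week is a different pattern;
        # cramming relies on charges being spread thin over time.
        if len(hits) >= MIN_HITS and span_days >= MIN_SPAN_DAYS:
            findings[merchant] = {
                "count": len(hits),
                "span_days": span_days,
                "total_cents": sum(c for _, c in hits),
            }
    return findings


if __name__ == "__main__":
    for name, info in find_cramming(LEDGER, {"GROCER-MART"}).items():
        print(name, info)
```

Each individual charge here would pass a per-transaction amount threshold; only the aggregate view per merchant over time exposes the pattern.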
Of particular importance is the typical scenario wherein the financial institution (bank or creditor, for example) detects suspicious activity and tries to contact the account holder. If such a communication fails (at least at that moment, such as if the account holder is asleep or otherwise indisposed), then much of the time the transaction is actually processed (depending, for instance, on the amount of money involved; the lower the amount, the more likely the transaction will proceed to avoid any inconvenience at that time for either the presenter or the retailer). Otherwise, the potential for an interruption during the communication attempt may prove problematic to the degree that any account suspension due to such glitches may be too great a problem for the bank/creditor to want to cause such possible distress and/or other inconvenience to the account holder customer. As such, it is currently a common exercise to avoid such temporary suspensions unless proper communication is achieved or, alternatively, if the transaction is below a certain amount threshold, as noted above.
Furthermore, other systems have been developed that try to implement verification processes (passwords, etc., for example) to permit further financial account activity. However, even the most advanced versions of these systems utilize a single certification point and require the use of an easily (in most instances, at least) stolen password to verify identity. Even if verifications are attempted, particularly if there is questionable activity involved, certain communication platforms may still be insufficient to thwart unwanted and potentially criminal activity. For instance, the simplest of communication operations, such as SMS notifications, may still not get to the actual user until after a suspicious credit card transaction occurs. The lack of any other verification techniques for such a purpose leaves the financial institution, and the user, for that matter, at the mercy of almost happenstance; if the user is, again, not by or near his or her phone, or not at another registered phone or other communication device (even if the communication is made by email, text, etc.), then the entire transaction will fail. If it is an actual desired transaction (if it is true in that sense), it could be prevented rather than permitted, leaving the actual, verifiable user unable to complete a transaction. In other words, the systems currently in place are noticeably deficient in that they either provide too stringent a system of protection (leaving, again, the account holder/user at the mercy of having a communication device that is, for instance, fully powered, at the point of purchase, for verification purposes) or a system that could permit a bad actor too easy a manner of avoiding the preventive measures sought through such a base security procedure. 
In those instances, it could be, for instance, greater than 24 hours before such a fraud is noticed, leaving, again, all the entities involved at the mercy of a fraud already committed by someone (or many persons) (or some entity), leaving an innocent party (or parties) forced to pay for such an illegal transaction.
Further attempts to protect account information during transactions include the implementation of a verification enrollment program involving a merchant and an account holder. Such a program allows for such parties to utilize a verification technique whereby the merchant notifies an intermediate verifier that has access to the account holder's communication device number in order to call and request input of a specific pass code. The system requires the account holder to download an application onto a specific communication device to link with the verifier; the merchant must also utilize the verifier service in this manner for the overall system to function properly, apparently, as well. Upon request of a transaction, the system realizes the account holder's information and automatically communicates with the enrolled communication device and awaits input of the aforementioned pass code. If the pass code matches a stored pass code, then the merchant is allowed to proceed with the transaction. Although such a system appears viable on its face, in actuality it is open to many attacks by a bad actor, particularly since such verifications are limited to a single contact point. If the communication device (such as a cell phone, for instance) has been stolen, the potential to uncover the pass code through analysis of past inputs leaves the user susceptible to identity theft. Additionally, a bad actor has the capability of forwarding the necessary communication link to another device if access to the enrolled device has been permitted (even after return of a stolen phone, for instance, particularly in a surreptitious situation wherein the initial enrollee does not realize such has occurred). If an account number has been stolen, as well, and the pass code has been uncovered, as noted above, then the bad actor may still have the capability of raiding the enrollee's account, unbeknownst to either the account holder or the merchant.
Otherwise, the overall limitations of such a system are further noticed as there is always a need to, apparently, have the account holder provide the pass code verification in person and/or in public, leaving the possibility that a bad actor may view such an input. Additionally, the system does not take into account the financial institution itself; if a bad actor undertakes such a possible illegal theft scheme, there is no prevention of liability on behalf of the financial institution itself. Lastly, the overall system is taxing to undertake in terms of bandwidth; in actuality, the utilization of short message service (SMS) pathways to provide such verification capabilities is virtually impossible within such a structured program. The input of information in reply to a specific request must be performed by a party, not through a latent response mechanism. To achieve such a result, larger bandwidth relays are necessary, leaving the system as a rather significant tax on the overall communications systems in place to begin with, as well as one that is highly susceptible to hacking and information theft. As such, these overall downloadable application enrollment processes are extremely limited in effectiveness without significant changes to their basic configurations. As well, these are limited to merchant/account holder transactions and do not provide further protections for other financial transactions that may be sought in other situations.
There have also been proposed (and, in certain locations, implemented) more exotic and technical systems and methods for validating credit card holder identities. However, these systems likewise exhibit significant drawbacks. Some are too complex and require new card types to be issued and/or new merchant hardware for their use, and others are too easily learned and passed on to other users. Others have been avoided by the financial industry due to the necessity of changing such card articles at too great an expense (such as, for instance, including microchips, RF sensors, and the like, within the card bodies). Other activities have included the attempt to couple photos of the user in an on-line environment, at least, to a system present within a retailer's establishment. In all such scenarios, the difficulties in implementation were greater than the industry was willing to withstand, ranging from costs to privacy concerns for the card users themselves.
Basically, it is clear that even within the most advanced system a continuous link is needed in order to verify identity through a mobile device. A password is required and any break in signal causes a transaction to be declined. Such identity verification systems all lack the capability of multiple certification points. They also lack the ability to accept different types of simultaneous verification points such as the requirement of SMS and email verification for a specified transaction, not to mention the ability to leave a transaction as pending while awaiting secondary verification. Overcoming such deficiencies would thus be a benefit for corporate customers and for on-line shopping, at least. Additionally, and in a slightly different vein, such systems also lack the ability to offer certain benefits to card users, such as, for instance, shopping bargains from competitors of a certain store (wherein such competitors may be paying clients of the card holder's backing financial institution or even of the specific internet search engine utilized for a specific on-line shopping transaction). Certainly, pop-up ads and the like may be possible through on-line websites, but to specific cell phones and other like mobile devices, such possibilities are currently lacking, particularly since it is difficult to pinpoint locations correlated to desires of such a potential card-holding, cell phone-carrying, customer (and thus the utilization of ads in this manner directed to such specific individuals, rather than to a widespread population of phone users). Such versatility, particularly in conjunction with a verification system for bank account fraud elimination would be desirable to many consumers. Such base systems, let alone those with this versatile ad supply function, are nonexistent as of today. 
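As an added illustration (not part of the original text and not any particular system's implementation), the sketch below models the capabilities this paragraph says existing systems lack: several independent certification points (here SMS and email), and a transaction that stays pending while a verification is outstanding instead of being declined on the first break in signal. The class name, the 15-minute hold window, and the three-attempt limit are assumptions made for the example.

```python
import hmac
import secrets

PENDING, APPROVED, DECLINED = "pending", "approved", "declined"
MAX_BAD_ATTEMPTS = 3  # assumption: wrong codes tolerated before declining


class PendingTransaction:
    """A transaction held until every required channel has confirmed it."""

    def __init__(self, txn_id, required_channels, created_at, ttl_seconds=900):
        if not required_channels:
            raise ValueError("at least one verification channel is required")
        self.txn_id = txn_id
        self.expires_at = created_at + ttl_seconds  # assumed hold window
        # One independent one-time code per channel, so intercepting the
        # SMS code alone does not satisfy the email check (and vice versa).
        self.codes = {ch: secrets.token_hex(4) for ch in required_channels}
        self.confirmed = set()
        self.bad_attempts = 0

    def status(self, now):
        if self.bad_attempts >= MAX_BAD_ATTEMPTS:
            return DECLINED
        if self.confirmed == set(self.codes):
            return APPROVED
        # Silence is not a decline: the transaction stays pending until the
        # hold window runs out, then fails closed.
        if now >= self.expires_at:
            return DECLINED
        return PENDING

    def confirm(self, channel, code, now):
        """Record a reply received on one channel and return the new status."""
        if self.status(now) != PENDING:
            return self.status(now)
        expected = self.codes.get(channel)
        # Constant-time comparison of the submitted code.
        if expected is not None and hmac.compare_digest(
            expected.encode(), code.encode()
        ):
            self.confirmed.add(channel)
        else:
            self.bad_attempts += 1
        return self.status(now)


if __name__ == "__main__":
    txn = PendingTransaction("txn-demo", ("sms", "email"), created_at=0)
    print(txn.confirm("sms", txn.codes["sms"], now=10))       # pending
    print(txn.status(now=600))                                # still pending
    print(txn.confirm("email", txn.codes["email"], now=700))  # approved
```

Reading the codes from `txn.codes` stands in for delivery over each channel; in a real deployment each code would be sent only over its own channel.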
Furthermore, such typical verification systems also lack the ability of buyer-seller portals for pending on-line transactions for the transfer of desired information before a secondary verification identifier to permit the reliable completion of such a transaction. Finally, there is currently lacking, as well, the ability to provide a central monitoring system for emergency requests sent from bank account customers' cell phones using, as an alternative, at least, solely an SMS platform to reduce bandwidth usage for such necessary communications. In essence, although many resourceful measures for preventing bank account fraud have been published in existing patent literature, none have offered a system in which security may be enhanced with infinite scalability to best ensure verification of identity, etc., of the instant account holder (or, at least, of the instant transferor of account information for a financial transaction).
As such, as outlined above, despite the large number of attempts at such reliable theft and/or fraud prevention procedures, there remains a distinct need for a simple verification method for ensuring account use is by the proper account holder, thus allowing for the detection of stolen or other type of fraudulent bank account information use at the moment of actual activation. To date, as noted above, the possible options have been deficient or too complicated to establish as a suitable means for this purpose, particularly on a large-scale, widespread basis. A development that permits ease in not only implementation but utilization, coupled with complete (if not substantial) reliability that any such account transaction is authorized, would be highly desired within the industry from the financial as well as the consumer standpoint.