The use of a token, an inanimate object which confers a capability to the buyer presenting it, is pervasive in today""s financial world. Whether a consumer is buying groceries with a debit card or shopping in a department store with a credit card, at the heart of that transaction is a money transfer enabled by a token, which acts to identify both the consumer as well as the financial account being accessed.
From their inception in the late 1950s, token-based financial transactions have grown increasingly more prevalent at the point of sale. However, as token-based transfers have become more popular with consumers, they have also become more popular with criminals intent on fraud. Currently, fraud losses in the industry stem from many different areas, but they are mainly due to either lost, stolen, or counterfeit cards.
Credit cards operate without the use of a personal identification number (PIN). This means that a lost credit card can easily be turned into cash if the card falls into the wrong hands. While theft of a token constitutes the majority of fraud in the system, fraud from counterfeit credit cards is rising rapidly. Counterfeit credit cards are manufactured by a more technically sophisticated criminal who acquires a cardholder""s valid account number, produces a valid-looking counterfeit card, encodes the magnetic strip, and embosses the counterfeit plastic card with the account number. The card is then repeatedly presented to merchants until the account""s credit limit is reached. Another form of loss is caused by a criminal seller or his employees who surreptitiously obtains the cardholder""s account number and enter fictitious transactions against the card and then take cash out of the till. It is estimated that losses due to all types of fraud exceeds one billion dollars annually.
Generally, debit cards are used in conjunction with a personal identification number (PIN). Lost debit cards do not generally result in fraud, unless the owner of the card wrote his PIN on the card. Furthermore, successfully counterfeiting a debit card is more difficult than with a credit card, since the criminal must acquire not only the account number, but also the PIN, and then manufacture the card as in the credit card example. However, various strategies have been used to obtain PINs from unwary cardholders; these range from Trojan horse automated teller machines (ATMs) in shopping malls that dispense cash but record the PIN, to fraudulent seller point of sale devices that also record the PIN, to criminals with binoculars that watch cardholders enter PINs at ATMs. The subsequently manufactured counterfeit debit cards are then used in various ATM machines until the unlucky account is emptied.
Customer fraud, for both credit and debit cards, is also on the rise. Customers intent on this sort of fraud will claim that they lost their card, say that their PIN was written on the card, and then withdraw money from their account using card, and then refuse to be responsible for the loss.
The financial industry is well aware of the trends in fraud, and is constantly taking steps to improve the security of the card. However, the linkage between the buyer and his token is tenuous, and that is the fundamental reason behind card fraud today
One possible solution to stolen-card fraud involves placing PIN protection for magnetic stripe credit cards, much as debit cards have PINs today. This will raise the administrative costs for each card, since cardholders will undoubtedly wish to select their own PIN for each of their 3.4 cards. In addition, this solution still doesn""t address the problem of counterfeit cards.
Another solution that solves both stolen-card fraud and greatly reduces counterfeit-card fraud involves using a smartcard that includes either a biometric or a PIN. In this approach, authenticated biometrics are recorded from a user of known identity and stored for future reference on a token. In every subsequent access attempt, the user is required to physically enter the requested biometric, which is then compared to the authenticated biometric on the token to determine if the two match in order to verify user identity.
Various biometrics have been suggested, such as fingerprints, hand prints, voice prints, retinal images, handwriting samples and the like. However, because the biometrics are generally stored in electronic (and thus reproducible) form on a token and because the comparison and verification process is not isolated from the hardware and software directly used by the buyer attempting access, a significant risk of fraud still exists. Examples of this approach to system security are described in U.S. Pat. No. 4,821,118 to Lafreniere; U.S. Pat. No. 4,993,068 to Piosenka et al.; U.S. Pat. No. 4,995,086 to Lilley et al.; U.S. Pat. No 5,054,089 to Uchida et al.; U.S. Pat. No. 5,095,194 to Barbanell; U.S. Pat. No. 5,109,427 to Yang; U.S. Pat. No. 5,109,428 to Igaki et al.; U.S. Pat. No. 5,144,680 to Kobayashi et al.; U.S. Pat. No. 5,146,102 to Higuchi et al.; U.S. Pat. No. 5,180,901 to Hiramatsu; U.S. Pat. No. 5,210,588 to Lee; U.S. Pat. No. 5,210,797 to Usui et al.; U.S. Pat. No. 5,222,152 to Fishbine et al.; U.S. Pat. No. 5,230,025 to Fishbine et al.; U.S. Pat. No. 5,241,606 to Horie; U.S. Pat. No. 5,265,162 to Bush et al.; U.S. Pat. No. 5,321,242 to Heath, Jr.; U.S. Pat. No. 5,325,442 to Knapp; U.S. Pat. No. 5,351,303 to Willmore, all of which are incorporated herein by reference.
An example of another token-based biometric smartcard system can be found in U.S. Pat. No. 5,280,527 to Gullman et al. In Gullman""s system, the user must carry and present a credit card sized token (referred to as a biometric security apparatus) containing a microchip in which is recorded characteristics of the authorized user""s voice. In order to initiate the access procedure, the user must insert the token into a terminal such as an ATM, and then speak into the terminal to provide a biometric sample for comparison with an authenticated sample stored in the microchip of the presented token. If a match is found, the remote terminal signals the host computer that the transaction should be permitted, or may prompt the user for an additional code, such as a PIN which is also stored on the token, before authorizing the transaction.
Although Gullman""s reliance of comparison biometrics reduces the risk of unauthorized access as compared to PIN codes, Gullman""s use of the token as the repository for the authenticating data combined with Gullman""s failure to isolate the identity verification process from the possibility of tampering greatly diminishes any improvement to fraud resistance resulting from the replacement of a numeric code with a biometric. Further, the system remains inconvenient to the consumer because it too requires the presentation of a token in order to authorize a transaction.
Uniformly, the above patents that disclose commercial transaction systems teach away from biometric recognition without the use of tokens. Reasons cited for such teachings range from storage requirements for biometric recognition systems to significant time lapses in identification of a large number of individuals, even for the most powerful computers.
Unfortunately, any smartcard-based system will cost significantly more than the current magnetic stripe card systems currently in place. A PIN smartcard costs perhaps $3, and a biometric smartcard will cost $5. In addition, each point of sale station would need a smartcard reader, and if biometrics are required, a biometric scanner will also have to be attached to the reader as well. With 120 million cardholders and 5 million stations, the initial conversion cost is from two to five times greater than the current annual fraud losses.
This large price tag has forced the industry to look for new ways of using the power in the smartcard in addition to simple commercial transaction. It is envisioned that in addition to storing credit and debit account numbers and biometric or PIN authentication information, smart cards may also store phone numbers, frequent flyer miles, coupons obtained from stores, a transaction history, electronic cash usable at tollbooths and on public transit systems, as well as the buyer""s name, vital statistics, and perhaps even medical records.
The net result of xe2x80x9csmarteningxe2x80x9d the token is centralization of function. This looks good during design, but in actual use results in increased vulnerability for the consumer. Given the number of functions that the smartcard will be performing, the loss or damage of this monster card will be excruciatingly inconvenient for the cardholder. Being without such a card will financially incapacitate the cardholder until it is replaced. Additionally, losing a card full of electronic cash will also result in a real financial loss as well.
Thus, after spending vast sums of money, the resulting system will definitely be more secure, but will result in heavier and heavier penalties on the consumer for destruction or loss of the card.
To date, the consumer financial transaction industry has had a simple equation to balance: in order to reduce fraud, the cost of the card must increase. As a result, there has long been a need for a commercial transaction system that is highly fraud-resistant, practical, convenient for the consumer, and yet cost-effective to deploy.
There is also a need for a commercial transaction system that uses a strong link to the person being identified, as opposed to merely verifying a buyer""s possession of any physical objects that can be freely transferred. This will result in a dramatic decrease in fraud, as only the buyer can authorize a transaction.
A further need in a commercial transaction system is ensuring consumer convenience by providing authorization without forcing the consumer to possess, carry, and present one or more proprietary objects in order to authorize a transaction. All parties intent on fighting fraud recognize that any system that solves the fraud problem must take the issue of convenience into account, however the fundamental yet unrecognized truth of the situation is, the card itself can be very inconvenient for the consumer. This may not be initially obvious, but anyone who has lost, left at home, or had a card stolen knows well the keenly and immediately-felt inconvenience during the card""s absence.
Yet another need in the industry is for a transaction system that greatly reduces or eliminates the need to memorize multiple or cumbersome codes. Such a system must allow a user to access all of his accounts, procure all services to which he is entitled, and carry out transactions in and between all financial accounts, make point of purchase payments, etc.
There is further a need for a commercial transaction system that affords a consumer the ability to alert authorities that a third party is coercing the transaction without the third party being aware that an alert has been generated. There is also a need for a system that is nevertheless able to effect, unknown to the coercing third party, temporary restrictions on the types and amounts of transactions that can be undertaken.
Lastly, such a system must be affordable and flexible enough to be operatively compatible with existing networks having a variety of electronic transaction devices and system configurations.
The invention as described provides a method and system for tokenless authorization of commercial transactions between a buyer and a seller using a computer system. The method comprises the steps of registering a buyer, wherein the buyer registers with the computer system a PIN, at least one registration biometric sample, and at least one buyer financial account. The method also includes a seller registration step, wherein the seller registers with the computer system at least one seller financial account. In a proposal step, the seller offers a proposed commercial transaction to the buyer usually comprising price information. If the buyer accepts the seller""s proposal, in an acceptance step, the buyer signals his/her acceptance by adding to the proposed commercial transaction the buyer""s personal authentication information comprising a PIN and at least one bid biometric sample which is obtained from the buyer""s person. In a transmission step, the bid biometric sample and PIN are forwarded to the computer system. The computer system compares the bid biometric sample with registration biometric samples for producing either a successful or failed identification of the buyer in a buyer identification step. Upon determination of sufficient resources, a financial account of the buyer is debited and a financial account of the seller is credited, in a payment step. Therefore, a commercial transaction is conducted without the buyer having to use any portable man-made memory devices such as smartcards or swipe cards. In a presentation step, any combination of the results of any of the above-mentioned steps is presented to the buyer or seller.
In an alternate embodiment, the computer system constructs a transaction given the buyer and seller financial accounts, the transaction amount, and the associated transaction information, and forwards the transaction to an external computer system, such as one operated by VISA International, where the money transfer occurs and any status of success or failure returned by the external computer system is forwarded by the computer system to the buyer and seller. Alternatively, the transaction is forwarded to an external computer system such as Visa through an acquirer such as First Data Corporation.
When the computer system completes an operation, such as a registration of a buyer or a seller, or a particular transaction succeeds or fails, a presentation step provides the results of the operation to the buyer and/or the seller.
In this manner, commercial transactions are conducted without the buyer having to use any portable man-made memory tokens such as smartcards or magnetic stripe cards.
In a preferred embodiment of the invention, the identification step occurs in less than two seconds, which is a commercially acceptable timeframe.
In some situations, it may be possible for people intent on fraud to substitute fake transaction stations for actual transaction stations in order to capture an unsuspecting buyer""s biometric and PIN. To counter this, another embodiment of the invention provides a way for the buyer to authenticate the system. During registration, the buyer selects a private code in addition to biometric, PIN, financial accounts, and account index codes. Alternatively, the computer system selects the account index codes for the buyer""s financial accounts. The private code is unrelated to the PIN, and is not used to gain access to the system. The private code is displayed to the buyer at the end of each transaction. Only the computer system and the buyer know the private code, which is never entered by the buyer during the transaction. Since a fake station cannot display the private code to the buyer, any attempt to steal biometric and PIN information is immediately obvious to a buyer.
For some transactions, it is not appropriate to conduct an immediate debit/credit of accounts. These cases include transactions where the exact amount to be transferred is not known at the time of authorization, or when a deposit is reserved by the seller for security reasons that will probably never be collected. As a result, in an alternate embodiment of the invention, the computer system causes a credit authorization draft to be constructed up to the limit supplied in the commercial transaction, instead of executing an immediate debit/credit transaction.
In yet another embodiment of the invention, the computer system communicates with one or more external computer systems in order to perform various functions, including determining if the buyer has sufficient resources, the debiting of a buyer""s financial account, the crediting of the seller""s financial account, or the construction of a credit authorization draft.
In another embodiment of the invention, the buyer is remote from the seller, and transaction proposals and other information is transmitted from seller to buyer and vice versa using a computer network such as the Internet.
In yet another embodiment of the invention, the seller identification code is identical to the seller""s financial account. In another embodiment of the invention, each account index code has associated with it a name assigned by the account owner during registration. This account name can be displayed during authorization in the event the owner forgets which accounts are available for use.
In most instances, the buyer being identified and the computer system are remote and physically separate from each other. All electronic communications to and from the computer system are encrypted using industry standard encryption technology, preferably the DES (Data Encryption Standard) with 112-bit encryption keys. Each identification station has its own set of encryption keys that are known only to that particular station and the computer system.
It is preferred that the invention include a method for comparing the biometric samples during registration with a collection of biometric samples from buyers who have been designated as having previously attempted to perpetrate fraud or who have actually perpetrated fraud upon the system, thus eliminating registration of repeat offenders.
Yet another embodiment of the invention creates increased assurance of accurate identification by comparing a buyer""s biometric from among a basket of other biometrics, the basket being a subset of all stored biometrics in the system. This is done by first comparing the buyer""s biometric with all others in the basket and storing his in that basket only when it is deemed to be sufficiently dissimilar from the other biometrics therein.
In another embodiment of the invention, the buyers choose their own PIN from a group of PINs provided by the computer system. Once the buyer""s biometric is gathered, the data processing center selects several PINs at random which may be conducive to being memorized. The computer system then conducts a comparison of the biometric gathered with those already in those PIN baskets. In the event the new registrant""s biometric is too similar to any of the registered biometrics currently in the particular PIN basket, that PIN is rejected and an alternative PIN is selected for another such biometric comparison. Once the computer system has generated several PIN options without a confusingly similar biometric, these PINs are presented to the new registrant from which the buyer may select one PIN.
In another embodiment of the invention, in the unlikely event of the theft of biometric information, the situation can be remedied by simply changing the PIN basket in which the person""s biometric samples reside. After this is done, the criminal can no longer use the biometric sample to authorize transactions.
The present invention is clearly advantageous over the prior art in a number of ways. First, it is extremely easy and efficient for the consumer to use because it eliminates the need to carry and present any tokens in order to access one""s accounts. The present invention eliminates all the inconveniences associated with carrying, safeguarding, and locating tokens. Further, because tokens are often specific to a particular computer system that further requires remembering a secret PIN code assigned to the particular token, this invention eliminates all such tokens and thereby significantly reduces the amount of memorization and diligence increasingly required of consumers by providing protection and access to all financial accounts using only one personal identification number. The consumer is now uniquely empowered to conveniently conduct his personal and/or professional electronic transactions at any time without dependence upon tokens which may be stolen, lost or damaged.
The invention is clearly advantageous from a convenience standpoint to retailers and financial institutions by making purchases and other financial transactions less cumbersome and more spontaneous. The paperwork of financial transactions is significantly reduced as compared to credit card purchases wherein separate receipts are generated and must be retained by the seller and the consumer.
Because the system of the invention is designed to provide a consumer with simultaneous direct access to all of his financial accounts, the need for transactions involving money, checks, credit drafts and the like will be greatly reduced, thereby reducing the cost of equipment and staff required to collect, account, and process such transactions.
Further, the substantial manufacturing and distributing costs of issuing and reissuing all tokens such as credit cards, debit cards, telephone calling cards and the like will be eliminated, thereby providing further economic savings to issuing banks, and ultimately to consumers.
Moreover, the invention is markedly advantageous and superior to existing systems in being highly fraud resistant. As discussed above, present authorization systems are inherently unreliable because they base determination of a user""s identity on the physical presentation of a manufactured object along with, in some cases, information that the user knows. Unfortunately, both the token and information can be transferred to another, through loss, theft or by voluntary action of the authorized user. Thus, unless the loss or unintended transfer of these items is realized and reported by the authorized user, anyone possessing such items will be recognized by existing authorization systems as the consumer to whom that token and its corresponding financial accounts are assigned.
By contrast, the present invention virtually eliminates the risk of granting access to unauthorized users by determining identity from an analysis of a user""s unique characteristics. Even in the very rare circumstance of coercion, where an authorized buyer is coerced by a coercing party to access his accounts, the system anticipates an emergency account index code, whereby the authorized user can alert authorities of the transgression without the knowledge of the coercing party.
The invention further prevents fraud by storing authentication information and carrying out identity verification operations at a location that is operationally isolated from the user requesting authorization, thereby preventing the user from acquiring copies of the authentication information or from tampering with the verification process. Such a system is clearly superior to existing token-based systems wherein the biometric authentication information are stored on and can be recovered from the token, and wherein the actual identity determination is performed at the same location as the user during the authorization process.
It is an object of the invention therefore to provide a commercial transaction system that eliminates the need for a user to possess and present a physical object, such as a token, in order to authorize a transaction.
It is another object of the invention to provide a commercial transaction system that is capable of verifying a user""s identity based on one or more unique characteristics physically personal to the user, as opposed to verifying mere possession of proprietary objects and information.
Yet another object of the invention is to provide a commercial transaction system that is practical, convenient, and easy to use, where buyers no longer need to remember multiple PINs to protect multiple accounts.
Another object of the invention is to provide increased security in a very cost-effective manner, by completely eliminating the need for ever more complicated and expensive tokens.
Still another object of the invention is to provide a commercial transaction system that is highly resistant to fraudulent access attempts by non-authorized users.
Yet another object of the invention is to provide a commercial transaction system that enables a consumer to notify authorities that a particular transaction is being coerced by a third party without giving notice to said third party of the notification.
Another object of the invention is to provide a commercial transaction system that automatically restricts a consumer""s transaction capabilities according a desired configuration provided by the user when a transaction is being coerced.
Still another object of the invention is to authenticate the system to the user once the commercial transaction is complete, so the user can detect any attempt by criminals to steal their authentication information.
Another object of the invention is to be added in a simple and cost-effective manner to existing online credit and debit terminals currently installed at points of sale around the world.
These and other advantages of the invention will become more fully apparent when the following detailed description of the invention is read in conjunction with the accompanying drawings.