While the emergence of the internet and other wide area network technologies has fostered the deployment of computer servers for conducting sensitive transactions, such as e-commerce transactions, the anonymous nature of such transactions has, in turn, fostered the growth of fraudulent activities aimed at collecting confidential information and subsequently using it for financial gain. While cryptographic protocols and algorithms have been developed to impede such fraudulent activities, to date no single software solution has been able to ensure that financial information will not be used for fraudulent purposes.
Hardware-based solutions have been developed to limit the unauthorized use of confidential financial information during an e-commerce transaction. For example, Berardi (U.S. Pat. No. 7,239,226) describes a point-of-sale (POS) transaction system that includes a contactless fob, a POS device, and a RFID reader that is coupled to the POS device. The fob and the RFID reader store encryption keys. The fob also stores the user's financial account information. A consumer initiating an on-line transaction presents the assigned fob to the RFID reader, which causes the fob and the RFID reader to attempt wireless mutual authentication of each other. If mutual authentication is successful, the fob transmits the consumer's account information to the RFID reader. The RFID reader transmits the account information to the POS device if the RFID reader is able to authenticate a PIN that the user enters at a keypad attached to the RFID reader.
Kozlay (US 2007/15041.9) describes a dongle-based payment system. The dongle includes a fingerprint sensor and a secure memory that stores encryption keys. The customer initiates an e-commerce transaction by accessing a merchant website from a host computer, interfacing the dongle with the host computer, and pressing his/her finger against the fingerprint sensor. If the dongle is able to validate the customer's fingerprint, the dongle and the merchant website attempt mutual authentication of each other via an application service provider (ASP). If mutual authentication is successful, the ASP authorizes the merchant website to proceed with the transaction.
Since these hardware-based solutions require both possession of a hardware device and knowledge or presentation of personal information (e.g. a PIN or a fingerprint) to complete the transaction, they also provide some assurance as to the identity of the consumer and that the consumer's financial account information has not been fraudulently obtained. However, these solutions provide only limited assurance that the consumer's financial account information will be transmitted solely to trusted devices.
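As an added illustration of the fob/reader flow described above for the Berardi system, and of the limitation just noted, the following Python model is supplied here; it is not code from either cited patent or from the present disclosure. It assumes a shared symmetric key on the fob and the reader, HMAC-SHA256 challenge-response for the wireless mutual authentication, and a salted PIN digest held by the reader for each fob; all of these are assumptions chosen for the example, and the fob identifier, key, PIN and account string are constructed sample data. The fob releases its account data only after the reader has proven knowledge of the key, and the reader forwards that data to the POS device only after the keypad PIN verifies, so a reader that lacks the key never obtains the account data.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the labelled, delimited parts (assumed primitive for this example)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Fob:
    """Contactless fob: stores the shared key and the consumer's account information."""

    def __init__(self, fob_id: bytes, shared_key: bytes, account_info: str):
        self.fob_id = fob_id
        self._key = shared_key
        self._account = account_info
        self._nonce = b""

    def answer_challenge(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        """Prove key knowledge to the reader and issue a counter-challenge."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce, _mac(self._key, b"fob", reader_nonce, self._nonce)

    def release_account(self, reader_nonce: bytes, reader_proof: bytes) -> Optional[str]:
        """Transmit account data only if the reader proves it holds the shared key."""
        expected = _mac(self._key, b"reader", self._nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None  # reader is not trusted: nothing leaves the fob
        return self._account


class Reader:
    """RFID reader with attached keypad: authenticates the fob, then the PIN."""

    def __init__(self, shared_key: bytes, pin_verifiers: dict[bytes, tuple[bytes, bytes]]):
        self._key = shared_key
        self._pin_verifiers = pin_verifiers  # fob_id -> (salt, sha256(salt || pin)); assumed layout

    def obtain_account(self, fob: Fob) -> Optional[str]:
        """Run mutual authentication; returns the account data the fob releases, or None."""
        reader_nonce = secrets.token_bytes(16)
        fob_nonce, fob_proof = fob.answer_challenge(reader_nonce)
        if not hmac.compare_digest(_mac(self._key, b"fob", reader_nonce, fob_nonce), fob_proof):
            return None  # fob did not prove knowledge of our key
        reader_proof = _mac(self._key, b"reader", fob_nonce, reader_nonce)
        return fob.release_account(reader_nonce, reader_proof)

    def verify_pin(self, fob_id: bytes, pin: str) -> bool:
        """Check the keypad PIN against the stored verifier for this fob."""
        entry = self._pin_verifiers.get(fob_id)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(hashlib.sha256(salt + pin.encode()).digest(), digest)


def run_transaction(fob: Fob, reader: Reader, pin: str) -> tuple[str, Optional[str]]:
    """Return (outcome, data forwarded to the POS device); data is None unless both checks pass."""
    account = reader.obtain_account(fob)
    if account is None:
        return "mutual-auth-failed", None
    if not reader.verify_pin(fob.fob_id, pin):
        return "pin-rejected", None
    return "ok", account


# Constructed sample data for the example (not real keys, PINs or account numbers).
SHARED_KEY = bytes(range(32))
PIN_SALT = b"constructed-salt"
PIN = "4321"
FOB = Fob(b"fob-01", SHARED_KEY, "ACCT-0001")
TRUSTED_READER = Reader(
    SHARED_KEY, {b"fob-01": (PIN_SALT, hashlib.sha256(PIN_SALT + PIN.encode()).digest())}
)
ROGUE_READER = Reader(b"\x00" * 32, {})  # does not hold the shared key


if __name__ == "__main__":
    print(run_transaction(FOB, TRUSTED_READER, PIN))
    print(run_transaction(FOB, TRUSTED_READER, "0000"))
    print(run_transaction(FOB, ROGUE_READER, PIN))
```

The rogue reader fails at the first step because the fob's proof was computed under a key it does not hold, and even a rogue reader that skipped its own check and sent an arbitrary proof would be refused by `release_account`. The residual weakness the passage above points to is that a device which has obtained the shared key, or a legitimate reader whose downstream link to the POS device is compromised, is indistinguishable from a trusted one under this scheme.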