Networks, particularly the global computer network known as the Internet, are now used for many purchases and other business transactions, usually by means such as a credit card. A key component of these credit card transactions is the ability to authenticate the holder of the credit card, as the absence of signatures and face-to-face contact between the transacting parties makes authentication of the credit card holder difficult.
At present, malicious users can gain unauthorized access to online accounts and/or credit cards of account users by hacking, or stealing or phishing passwords or personal info. These accounts may include game accounts, bank accounts, and online payment processing systems like those offered by PayPal™ or credit card processors. Currently, the preferred way to offer significant security online is to request additional security questions from the user, which is an inconvenience to the user, and possibly a further security risk. Most online authentication systems therefore trade convenience for security.
Online banking tends to have significantly better security compared to payment systems for other account providers such as PayPal, or accounts for online games. This is because if a malicious user gains access to an online bank account, they can do a significant amount of damage, and the bank may be liable (they have no merchants on whom to offload the liability). Therefore, it is in the bank's best interest to ensure that it is difficult to access an online bank account. Some banks use cookies and additional security questions to secure their systems, but, as described above, this is an inconvenience to clients.
Most account providers, such as game companies and payment processors, have relatively weak authentication systems. Once a password is known, a malicious user may access accounts and misuse such accounts, usually from any computer. The account provider and/or the account user must take steps to protect their account. As an example, PayPal requests an account user to verify their account and address at registration, but once that is completed, only a single password is needed to allow access to the account.
Credit card processors typically ask account users for address verification and the Credit Card Verification (CCV) number on the back of the card; and may also ask account users for a password. If a malicious user accesses this information, they may make fraudulent orders with the credit card. Therefore, it is up to the merchant accepting the credit card to protect themselves against malicious users as the credit card payment processor will not usually take the necessary steps to do so (for example by comparing the Internet Protocol (IP) address of the client computer operated by the credit card user to the region in which the order is being made, or calling the credit card user).
Internet service providers (ISPs) may restrict access of users to the Internet, often based on the Media Access Control (MAC) address of the computer being used. If a user tries to connect a new computer to the ISP using an Internet connection, they may have to register the new MAC address with the ISP before receiving permission. The MAC address of a computer is a unique identifier that can correctly identify a particular computer on a local area network. It is possible to spoof or change a MAC address, but typically it is only possible to discover the MAC address of a computer from the same local area network.
Some account providers, such as online banks, use improved security systems which are cookie based. These systems ask an account user to “remember this computer” or “remember this password” after asking one or two security questions. Once the computer is registered, these extra questions are not asked again unless the cookies are deleted from the computer. A deficiency of this system is that it requires the use of cookies, which is not permitted by all account users and many account users do not want to provide answers to additional security questions to access their account.
There have been various attempts in the prior art to solve this account user authentication issue, including U.S. Patent Publication No. 2004/0117321 to Sancho, for a system and method for secure network purchasing. Sancho discloses that once a merchant/client transaction is initiated, that it can be traced back to the originating computer using the IP address of that computer, which does not change during the transaction.
U.S. Patent Publication No. 2005/0177442 to Sullivan et al., for a method and system for performing a retail transaction using a wireless device, discloses a method of identifying a wireless Internet connection for an online purchase, and matching a customer account with transaction data. This system is dependent on a customer account registered with the wireless device, and requires the computer to already have a registered customer account.
U.S. Patent Publication No. 2005/0033653 to Eisenberg et al., for an electronic mail card purchase verification, discloses a method of looking for additional information about the purchaser to verify that the transaction is not suspicious. This application discloses an automation process for standard security checks known in the art.
U.S. Patent Publication No. 2004/0243832 to Wilf et al., for a verification of a personal identifier received online, discloses a method of ensuring secure communication between two computers over a connection.
PCT Patent Application No. WO 2004/027620 to Freidman et al., for an authentication system and method, discloses an authentication system with proprietary identification codes, which must be installed on the client/authenticating computers. The MAC address of the computer is used along with other system details to produce a unique identifier for the client computer that is software dependent. A system that requires such a software installation may be difficult to implement (and account users may not want to install additional software). Such systems also limit the account user to a single computer, and must be reinstalled when making a purchase or accessing an account from a new computer. If any system is too complicated, while it may be secure, it may not practical in application. This is a reason why most current authentication systems (with the exception of bank accounts and very secure sites) are poor, as they trade convenience for security.
PCT Patent Application No. WO 2006/083063 to Park, for a system and method for mediating and conducting peer-to-peer electronic commerce, discloses a method of allowing people who don't have a commercial website to have their product details spidered and sold on a regular website.
U.S. Patent Publication No. 2006/0068785 to Kamijo et al., for a secure communication over a medium, discloses a process to assist in securing insecure communications using a cell phone.
U.S. Patent Publication No. 2005/0209876 to Linlor, for a secure money transfer between hand-held devices, discloses a method of storing a clients billing information in a database and then making a purchase from their computer using a Personal Identification Number (PIN) or biometrics to identify themselves.
It is an object of the present invention to obviate or mitigate the above disadvantages.