1. Field of the Invention
The present invention relates to a method and system for establishing trust between a service provider and a client of the service provider.
2. Description of the Related Technology
Identity theft (also known as identity fraud) is a relatively common occurrence in the present day. It is possible, for example, to purchase personal details of another person over the internet, which may be sufficient to gain access to services using that person's identity. Such details may be sufficient, for example, to open a bank account or claim state benefits in a person's name, or to make payments from a person's bank account. As many services are now provided without face-to-face contact (over the internet, for example), it is ever more difficult to spot identity theft.
As a particular example, online merchants who sell products or services from an internet site often provide online payment services. However, many such payment services have minimal security, and it is possible to purchase products and/or services from an online merchant by simply providing credit card details, a name and an address, all of which can be easily bought online. A true account holder, whose details have been stolen and used fraudulently, can repudiate the fraudulent payment by claiming against it, causing the online merchant to lose money if the services/products have already been provided/dispatched. As the range of personally identifiable information that can be bought online increases, more stringent measures need to be taken to verify that a client providing account details for payment to an online merchant is actually authorized to use that account.
There is also a need to establish a level of trust between a service provider and a client of a service provider outside the field of monetary transactions. For example, a client may attempt to enroll a party with a service provider (such as a university, for example), and it may be important that the service provider knows the client is authorized by the party to enroll that party.
A system and method for establishing a level of trust between a service provider (in this case an online merchant) and a client of the service provider is described in US App. Pub. No. 2002/0138450. With this system, the client is an application running on a device used by a user; the client contacts a service provider via a first communication network and provides details that unambiguously identify a party (for example bank account details, which identify an account holder). These details may relate to a party that is the actual owner and authorized user of the device, or, in the case that the details have been stolen, to another party, who is not authorized to use the details. Thus, at this stage, the service provider simply knows that there is an association of sorts between the party using the device and the client application running on the device being used to submit the details. Importantly, the service provider does not trust that the client is authorized to use the submitted details.
In order to verify the association between the party using the device and the client thereon, the service provider sends the details to an identity provider that can validate the identity of the party who submitted the details. Such an identity provider could, for example, be an issuing bank. On the basis of records held by the identity provider for the party corresponding to the submitted details, the identity provider then determines an address of a second device on a second communication network, which it knows to be associated with the party that owns the details submitted via the client, and sends a secret number to that second device.
If the user of the first device is also in possession of the second device, they can receive the secret number on the second device and then supply the secret number to the client so that the secret number can be sent from the first device to the service provider in order to verify the payment. Upon receipt of a secret number, the service provider then sends the secret number to the identity provider so that the identity provider can check whether the number received from the client matches the number sent to the second device. If the numbers match, the identity provider indicates to the service provider that the service provider can trust the client. However, if the numbers do not match, the identity provider indicates to the service provider that the client should not be trusted.
It will be appreciated that, in the case that the user of the first device has both stolen the details of a party and also has access to messages sent to the second device, that user can obtain the secret number via the second device and can provide it to the client. This gives the user of the first device access to services provided by the service provider using the personal details of the party who actually owns the submitted details.
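The exchange described above, modeled in Python as an added example; it is not code from the cited application or from this document. The class and function names, the six-digit secret, the single-use rule and the sample record are assumptions made for illustration.

```python
import hmac
import secrets

class IdentityProvider:
    """Plays the identity provider (e.g. an issuing bank)."""
    def __init__(self, records):
        self.records = records  # details -> second-device address
        self.pending = {}       # details -> secret awaiting confirmation
        self.outbox = []        # (address, secret) sent on the second network

    def challenge(self, details):
        address = self.records.get(details)
        if address is None:
            return False
        secret = f"{secrets.randbelow(10**6):06d}"  # 6 digits: assumption
        self.pending[details] = secret
        self.outbox.append((address, secret))
        return True

    def verify(self, details, candidate):
        expected = self.pending.pop(details, None)  # single use: assumption
        if expected is None:
            return False
        return hmac.compare_digest(expected, candidate)

class ServiceProvider:
    def __init__(self, idp):
        self.idp = idp

    def submit_details(self, details):
        return self.idp.challenge(details)

    def submit_secret(self, details, candidate):
        ok = self.idp.verify(details, candidate)
        return "trusted" if ok else "not trusted"

def read_second_device(idp, address):
    """Whoever holds the second device sees the secret sent to it."""
    return next((s for a, s in reversed(idp.outbox) if a == address), None)

def run_exchange(details, holds_second_device):
    idp = IdentityProvider({"acct-0001": "device-2-addr"})  # constructed record
    sp = ServiceProvider(idp)
    if not sp.submit_details(details):
        return "not trusted"
    address = idp.records[details]
    candidate = read_second_device(idp, address) if holds_second_device else "------"
    return sp.submit_secret(details, candidate)
```

In this model the outcome depends only on whether the submitter can read the second device, not on who the submitter is, which is the limitation the last paragraph describes.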