Commerce over computer networks has become very popular. Such commerce takes many forms, from purchasing books and merchandize from on-line vendors such as books from amazon.com and hockey equipment from epuck.com to conducting online banking and stock trading. Common to all such transactions is the need to communicate private secure information. Typically, the transactions are carried out over secure encrypted connections. However, there are still opportunities for the devious to contrive schemes to capture the private information that is used during online transactions, for example, to obtain passwords, personal identification numbers (PIN), Social Security Numbers, driver's license numbers and account numbers. Illegal procurement of such information and using such information in a fraudulent manner is commonly referred to as identity theft. According to the Federal Trade Commission, in the year 2002 alone, there were 9.9 million identity theft victims. The thefts cost businesses $47.6 billion and $5 billion in out-of-pocket expenses to individuals in 2002 (Federal Trade Commission, “Federal Trade Commission Identity Theft Survey Report,” September, 2003,).
Transactions over the Internet will be used herein for exemplary purposes. While the Internet is by far the largest and most pervasive computer network, the problems and solutions discussed herein can occur and apply on other networks as well. For example, identity theft can occur entirely within the confines of a corporate network or a university network wherein a dishonest individual uses an across-network transaction to steal PIN's giving access to employee or student records. While it is convenient to discuss the identity theft problem in the context of the Internet, that should not be construed to limit the scope of this invention.
One form of conducting online identity theft is to use keystroke logger to log individual keystrokes and to extract information, such as password and credit card number, from the logs. Two known cases are the Kiniko's case in New York and the Boston College case (Jesdanun, A., “Thief captures every keystroke to access accounts,” Seattle Post, July, 2003,
Poulsen, K., “Guilty Plea in Kinko's Keystroke Caper,” SecurityFocus, Jul. 18, 2003). In both cases, the thieves installed keystroke logger software in public Internet computers, in Kinko's stores or in the college campus. They captured user ID's, user names, and passwords, using them to access or even open bank accounts online, making purchases, and entering buildings illegally.
The keystroke logger is either software that one installs on a computer, or a piece of hardware that one connects between the keyboard cable and the computer, or a hardware that is built into the keyboard. Online identity thieves typically use software keystroke logger because it is invisible to the user.
In a typical online transaction, creating a new account or accessing an existing account, a user does the online transaction through a graphical human interface on the computer screen and using a keyboard to enter information requested by the human interface. This graphical human interface typically represents an Internet client application of a bank or an online retailer. The user types in confidential personal information, such as name, password, social security number, credit card number, and so on, using the keyboard. This confidential information flows in clear text from the keyboard to the computer. The Internet client application may use the computer or the smart card connected to the computer to encrypt the information before sending to the remote server. But the keystroke logger or screen capturer could capture the confidential personal information before it is encrypted. Many of the current security mechanisms assume the computer and its keyboard or other input devices are secure, which might not be true.
FIG. 1 illustrates the identity theft problem that can be achieved using a keyboard logger or similar program or hardware. FIG. 1(a) is a schematic of the normal information from a keyboard 101. The information might be displayed on a screen 103 connected to a computer 105 used by a customer of an online service, e.g., a bank e-commerce site. A cryptographic processor 107 either in the computer 105 or in a smart card (not shown) might also encrypt the information before it is sent to the Internet 110. This cryptographic processor 107 can either be a hardware device or implemented entirely in software running on computer 105. FIG. 1(b) illustrates the information flow when keystroke logger software 109 is installed on the computer 105. The keystroke logger 109 captures the information typed in on the keyboard 101 by the user before the information goes anywhere else, and hence, before the existing security mechanism is applied, e.g., before the cryptographic processor 107 has a chance to even encrypt the information. FIG. 1(c) illustrates the configuration and the information flow when a hardware keystroke logger 111 is installed. The hardware keystroke logger 111 is between the keyboard 101 and the computer 105. Alternatively, the hardware keystroke logger 111 may be built into the keyboard 111. In both cases, the information is captured before it enters the computer 105.
A related problem to keyboard loggers is presented by various forms of malicious software (malware) or unwanted code that anti virus software is powerless to fight. These unwanted code, such as keystroke logger, spyware, snoopware, Trojan, and so on, are invisible and non-reproducible. This kind of software may be installed locally or distributed remotely. Some keystroke logger, for example, not only record keystrokes silently but also transmit the key logs to a remote Internet node silently. A variety of anti-non-virus malware programs, such as anti-keyloggers, fight against these unwanted code. Most these products detect and fight against known malicious programs. On the other hand, cleverly designed malicious programs may have anti-detection mechanisms to fight back. New malicious software comes out and requires the development of new anti-malicious software. The battle is similar to the fight between bacteria and antibiotics in medicine.
There are several prior art approaches for providing secure Internet commerce and other online transactions. One method is to ensure that all messages between two nodes involved in a transaction are encrypted. If one of the Internet nodes is compromised by malicious software, which captures the message before it is encrypted, the secure communication mechanism does not help because it is too late. For example, encryption does not solve the problem of identity theft that is perpetrated using keyboard loggers, screen capture and other techniques for capturing the information entered by a user of a computer because, as discussed above, the encryption is performed too late, namely, after the information has already been captured.
Another form of protecting the security of online commerce is the authentication of an individual involved in a transaction, for example, though identity federation or federation of authentication, such as Kerberos (“Kerberos: The Network Authentication Protocol,”) and Microsoft Passport (Microsoft .Net Passport, Microsoft Cooperation,). However, these mechanisms also do not protect against keyboard loggers and similar schemes.
In an effort to stem the growth in credit card fraud and raise consumer confidence during online transactions, several credit card companies (e.g. Citibank) are providing virtual credit card numbers. These credit card numbers are for one-time use only and help protect the user's actual credit card number during an online transaction. Instead of using the actual number, the user enters the virtual number when shopping online. Even if the virtual number is stolen it is of little use since it cannot be reused after the first transaction.
Although this approach helps protect the user against malicious use of his actual credit card number, it has two drawbacks with respect to a broader identity theft prevention framework. First, the approach is limited to credit card numbers and cannot be extended to other confidential information. Secondly, in order to get a one-time use credit card number, the user still has to authenticate himself to the bank. This online authentication process itself can be a weak link because it is suspect to keyboard logger attacks. Malicious users can impersonate the user and get virtual credit card numbers on his behalf. In this scenario, user's actual credit card number is secure, but his identity is not.
Smart cards may also be used to improve online security. A smart card is a tamper resistant, secure, and portable microprocessor card. It has been used for security in a variety of applications (Jurgensen, T. M. and Guthery, S. B. Smart Cards, Pearson Education, Inc., 2002.). The smart card is a security token for computer and network access, and for secure communications. When using the smart card, the card is connected to a host computer. Using Public Key Infrastructure (PKI) to secure communication, the card keeps the private key of its owner. To send a message from one user to another user through Internet, the computer of the sender generates a random shared key, encrypts the message using the shared key, and encrypts the shared key using the receiver's public key. Both the encrypted message and the encrypted key are sent to the receiver. The receiver's computer uses the receiver's private key stored in the receiver's smart card to decrypt the encrypted shared key. It then uses the shared key to decrypt the message. In this way, only the intended receiver can read the message. However, if a keystroke logger compromises the user's computer, the logger would capture the information before the smart card mechanism is applied.
Another existing method is to store user's confidential information on the smart card. For online transactions, the middleware running on the computer obtains the information from the smart card and fills in the appropriate fields in a web form. This approach requires special software on the computer. It does not provide any more security than manual entry of the web form because the confidential information is in an unencrypted form in the web browser. In this respect, it is a convenience feature instead of a security feature.
Thus, there is a need for further systems and methods for combating identity theft that can be achieved by employing a keyboard logger at a public workstation and thereby capturing a user's private information that the user used in carrying out secure transactions over the internet.