The use of tokens and credit cards in today's financial world is pervasive. A token would be any inanimate object which coffers a capability to the individual presenting the object. Remote access of every financial account is through the use of tokens or plastic cards. Whether buying groceries with debit cards or consumer goods with credit cards, at the heart of that transaction is a money transfer enabled by a token, which acts to identify an individual and the financial account he is accessing.
The reason for the migration from metal coins to plastic cards is simple and straightforward: access to money in this money transfer system is vastly safer and more convenient for both merchants and consumers than handling large quantities of coins and notes.
Unfortunately, current technology in combination with this convenient token-based money transfer system results in a system that is prone to theft and fraud.
As verification of user identity is based solely on data placed on the token, which can be easily reproduced and transferred between individuals, such security must rely on both the diligence and the luck of the authorized user and merchant in maintaining this information as proprietary. However, by their very nature, tokens do not have a very strong connection with the individual. Identification of the rightful owner of the token through the token is tenuous at best. This is easily demonstrated by the fact that individuals other than the rightful owners of the tokens have been using these tokens to defraud merchants and other consumer goods suppliers.
The mammoth expansion of the consumer credit industry during the 1980s brought with it large profits for issuers, and newfound convenience for consumers. However, as consumer credit became easier for consumers to acquire, it also became a target for criminals. Much as the mobility of the automobile led to a rash of bank robberies in the late 1920's and early 1930's, so too did the ubiquity of consumer credit lead to vastly increased opportunities for criminals.
Initially, the banking industry was willing to accept a certain amount of loss due to fraud, passing the cost on to the consumer. However, as criminals became more organized, more technically adept, and as credit retail stations began to be manned by people who were more and more poorly trained in credit card security matters, the rate of increase of fraud losses skyrocketed. The staggering statistics on fraud and cost of preventive steps, has forced the credit card companies in particular, to look for other solutions to the problem.
Fraud losses in the credit card industry stem from many different areas due to the highly vulnerable nature of the system, but they are mainly due to either lost, stolen, or counterfeit cards. Credit cards operate without the use of a personal identification code (PIC), therefore a lost credit card can be turned into cash if the card falls into the wrong hands. While theft of a token constitutes the majority of fraud in the system, the use of counterfeit credit cards has been on the rise. Counterfeit credit cards are manufactured by a more technically sophisticated criminal by acquiring a cardholder's valid account number and then producing a counterfeit card using that valid number. The counterfeiter encodes the magnetic strip, and embosses the counterfeit plastic card with the account number. The card is then presented to merchants and charged up to the rightful cardholder's account. Another form of loss is by a criminal merchant who surreptitiously obtains the cardholder's account number. Yet another type of fraud is committed by the authorized cardholder when the token is used for making purchases and thereafter a claim is made that the token was either lost or stolen. It is estimated that losses due to all types of fraud exceeds $950 million dollars annually.
Generally, debit cards are used in conjunction with a personal identification code (PIC). Counterfeiting a debit card is more difficult as the criminal must acquire not only the account number, but also the PIC, and then manufacture the card as in the credit card example. However, various strategies have been used to obtain PICs from unwary cardholders; these range from Trojan horse automated teller machines, or ATMs, in shopping malls that dispense cash but record the PIC, to merchant point of sale devices that also record the PIC, to individuals with binoculars that watch cardholders enter PICs at ATMs. The subsequently manufactured counterfeit debit cards are then used in various ATM machines until the unlucky account is emptied.
The financial industry is well aware of the trends in fraud expense, and is constantly taking steps to improve the security of the card. Thus fraud and theft of token have an indirect impact on the cost to the system.
Card blanks are manufactured under very tight security. Then they are individualized with the account number, expiration date, and are then mailed to the cardholder. Manufacturing and distributing the card alone costs the industry approximately one billion dollars annually. The standard card costs the financial industry $2 for each, but only $0.30 of this $2 is associated with actual manufacturing cost.
Over the last ten years, the industry has altered the tokens because of counterfeiting fraud, without any fundamental changes in the use of the credit transaction system. The remedy has been mostly administrative changes such as having customers call the issuer to activate their card. Other changes include addition of a hologram, a picture ID, or an improved signature area. These type of changes in particular, are an indication that the systems susceptibility to fraud is due to lack of true identification of the individual. It is estimated that this could double the manufacturing cost to two billion dollars annually.
In the near future, the banking industry expects to move to an even more expensive card, called a "smart card". Smart cards contain as much computing power as did some of the first home computers. Current cost projections for a first-generation smart card is estimated at approximately $3.50, not including distribution costs, which is significantly higher than the $0.30 plastic card blank.
This significant increase in cost has forced the industry to look for new ways of using the power in the smart card in addition to simple transaction authorization. It is envisioned that in addition to storing credit and debit account numbers, smart cards may also store phone numbers, frequent flyer miles, coupons obtained from stores, a transaction history, electronic cash usable at tollbooths and on public transit systems, as well as the customer's name, vital statistics, and perhaps even medical records. Clearly, the financial industry trend is to further establish use of tokens.
The side effect of increasing the capabilities of the smart card is centralization of functions. The flip side of increased functionality is increased vulnerability. Given the number of functions that the smart card will be performing, the loss or damage of this monster card will be excruciatingly inconvenient for the cardholder. Being without such a card will financially incapacitate the cardholder until it is replaced. Additionally, losing a card full of electronic cash will also result in a real financial loss as well. Furthermore, ability of counterfeiters to one day copy a smartcard is not addressed.
Unfortunately, because of the projected concentration of functions onto the smart card, the cardholder is left more vulnerable to the loss or destruction of the card itself. Thus, after spending vast sums of money, the resulting system will be more secure, but threatens to levy heavier and heavier penalties for destruction or loss of this card on the consumer.
The financial industry recognizes the security issues associated with smartcards, and efforts are currently underway to make each plastic card difficult to counterfeit. Billions of dollars will be spent in the next five years in attempts to make plastic ever more secure. To date, the consumer financial transaction industry has had a simple equation to balance: in order to reduce fraud, the cost of the card must increase.
In addition to and associated with the pervasiveness of electronic financial transactions, there is now the widespread use of electronic facsimiles, electronic mail messages and similar electronic communications. Similar to the problem of lack of proper identification of individuals for financial transactions is the problem of lack of proper identification of individuals for electronic transmissions. The ease and speed of electronic communication, and its low cost compared to conventional mail, has made it a method of choice for communication between individuals and businesses alike. This type of communication has expanded greatly and is expected to continue to expand. However, millions of electronic messages such as facsimiles and electronic mail (or "E-mail" or "email") messages are sent without knowing whether they arrive at their true destination or whether a certain individual actually sent or received that electronic message. Furthermore, there is no way to verify the identify the individual who sent or who received an electronic message.
Recently, various attempts have been made to overcome problems inherent in the token and code security system. One major focus has been to encrypt, variablize or otherwise modify the PIC to make it more difficult for an unauthorized user to carry out more than one transaction, largely by focusing on manipulation of the PIC to make such code more fraud resistant. A variety of approaches have been suggested, such as introducing an algorithm that varies the PIC in a predictable way known only to the user, thereby requiring a different PIC code for each subsequent accessing of an account. For example, the PIC code can be varied and made specific to the calendar day or date of the access attempt. In yet another approach, a time-variable element is introduced to generate a non-predictable personal identification code that is revealed only to an authorized user at the time of access. Although more resistant to fraud that systems incorporating non-variable codes, such an approach is not virtually fraud-proof because it still relies on data that is not uniquely and irreproducibly personal to the authorized user. Furthermore, such systems further inconvenience consumers that already have trouble remembering constant codes, much less variable ones. Examples of these approaches are disclosed in U.S. Pat. No. 4,837,422 to Dethloff et al.; U.S. Pat. No. 4,998,279 to Weiss; U.S. Pat. No. 5,168,520 to Weiss; U.S. Pat. No. 5,251,259 to Mosley; U.S. Pat. No. 5,239,538 to Parrillo; U.S. Pat. No. 5,276,314 to Martino et al.; and U.S. Pat. No. 5,343,529 to Goldfine et al. all of which are incorporated herein by reference.
More recently, some have turned their attention from the use of personal identification codes to the use of unique biometrics as the basis of identity verification, and ultimately computer access. In this approach, authenticated biometrics are recorded from a user of known identity and stored for future reference on a token. In every subsequent access attempt, the user is required to enter physically the requested biometrics, which are then compared to the authenticated biometrics on the token to determine if the two match in order to verify user identity. Because the biometrics are uniquely personal to the user and because the act of physically entering the biometrics are virtually irreproducible, a match is putative of actual identity, thereby decreasing the risk of fraud. Various biometrics have been suggested, such as finger prints, hand prints, voice prints, retinal images, handwriting samples and the like. However, because the biometrics are generally stored in electronic (and thus reproducible) form on a token and because the comparison and verification process is not isolated from the hardware and software directly used by the individual attempting access, a significant risk of fraudulent access still exists. Examples of this approach to system security are described in U.S. Pat. No. 4,821,118 to Lafreniere; U.S. Pat. No. 4,993,068 to Piosenka et al.; U.S. Pat. No. 4,995,086 to Lilley et al.; U.S. Pat. No. 5,054,089 to Uchida et al.; U.S. Pat. No. 5,095,194 to Barbanell; U.S. Pat. No. 5,109,427 to Yang; U.S. Pat. No. 5,109,428 to Igaki et al.; U.S. Pat. No. 5,144,680 to Kobayashi et al.; U.S. Pat. No. 5,146,102 to Higuchi et al.; U.S. Pat. No. 5,180,901 to Hiramatsu; U.S. Pat. No. 5,210,588 to Lee; U.S. Pat. No. 5,210,797 to Usui et al.; U.S. Pat. No. 5,222,152 to Fishbine et al.; U.S. Pat. No. 5,230,025 to Fishbine et al.; U.S. Pat. No. 5,241,606 to Horie; U.S. Pat. No. 5,265,162 to Bush et al.; U.S. Pat. No. 5,321,242 to Heath, Jr.; U.S. Pat. No. 5,325,442 to Knapp; U.S. Pat. No. 5,351,303 to Willmore, all of which are incorporated herein by reference.
As will be appreciated from the foregoing discussion, a dynamic but unavoidable tension arises in attempting to design a security system that is highly fraud resistant, but nevertheless easy and convenient for the consumer to use. Unfortunately, none of the above-disclosed proposed improvements to the token and code system adequately address, much less attempt to balance, this tension. Such systems generally store the authenticated biometrics in electronic form directly on the token that can presumably be copied. Further, such systems do not adequately isolate the identity verification process from tampering by someone attempting to gain unauthorized access.
An example of token-based security system which relies on a biometrics of a user can be found in U.S. Pat. No. 5,280,527 to Gullman et al. In Gullman's system, the user must carry and present a credit card sized token (referred to as a biometrics security apparatus) containing a microchip in which is recorded characteristics of the authorized user's voice. In order to initiate the access procedure, the user must insert the token into a terminal such as an ATM, and then speak into the terminal to provide a biometrics input for comparison with an authenticated input stored in the microchip of the presented token. The process of identity verification is generally not isolated from potential tampering by one attempting unauthorized access. If a match is found, the remote terminal may then signal the host computer that access should be permitted, or may prompt the user for an additional code, such as a PIN (also stored on the token), before sending the necessary verification signal to the host computer.
Although Gullman's reliance of comparison of stored and input biometrics potentially reduces the risk of unauthorized access as compared to numeric codes, Gullman's use of the token as the repository for the authenticating data combined with Gullman's failure to isolate the identity verification process from the possibility of tampering greatly diminishes any improvement to fraud resistance resulting from the replacement of a numeric code with a biometrics. Further, the system remains somewhat cumbersome and inconvenient to use because it too requires the presentation of a token in order to initiate an access request.
Almost uniformly, patents that disclose token-based systems teach away from biometrics recognition without the use of tokens. Reasons cited for such teachings range from storage requirements for biometrics recognition systems to significant time lapses in identification of a large number of individuals, even for the most powerful computers.
In view of the foregoing, there has long been a need for a computer access system that is highly fraud-resistant, practical, and efficient for the user to operate and carry out electronic transactions and transmissions expeditiously.
There is also a need for a computer system that is completely tokenless and that is capable of verifying a user's personal identity, based solely upon a personal identification code and biometrics that is unique and physically personal to an authorized user, as opposed to verifying an individual's possession of any physical objects that can be freely transferred between different individuals. Such biometrics must be easily and non-intrusively obtained; must be easy and cost-effective to store and to analyze; and must not unduly invade the user's privacy rights.
A further need in computer access system design is user convenience. It is highly desirable for a consumer to able to access the system spontaneously, particularly when unexpected needs arise, with a minimum of effort. In particular, there is a need for a system that greatly reduces or eliminates the need to memorize numerous or cumbersome codes, and that eliminates the need to possess, carry, and present a proprietary object in order to initiate an access request.
Such systems must be simple to operate, accurate and reliable. There is also a need for a computer access system that can allow a user to access multiple accounts and procure all services authorized to the user, and carry out transactions in and between all financial accounts, make point of purchase payments, receive various services, etc.
There is further a great need for a computer access system that affords an authorized user the ability to alert authorities that a third party is coercing the user to request access without the third party being aware that an alert has been generated. There is also a need for a system that is nevertheless able to effect, unknown to the coercing third party, temporary restrictions on the types and amounts of transactions that can be undertaken once access is granted.
Furthermore, the computer system must be affordable and flexible enough to be operatively compatible with existing networks having a variety of electronic transaction and transmission devices and system configurations.
Finally, there is a need for secured sending and receipt of electronic mail messages and electronic facsimiles, where content of the electronic message is protected from disclosure to unauthorized individuals, and the identity of the sender or recipient can be obtained with a high degree of certainty.