In the modern world, more and more of us can, and do, access a wide and evolving range of services provided over electronic channels. We access these services via a relatively new range of devices, from the mobile phone through to the television and the personal computer, and this appears to have led to a common perception that the rate of change in our lives is increasing. Only a short time ago, the notion of an employee accessing an "in-office" experience from any location in the world with just a mobile phone and a personal computer would surely have seemed impossible; it is commonplace now. This and other capabilities that have emerged have had, and continue to have, a dramatic effect on the way modern companies operate and the way individuals live their lives.
Previous periods of change brought about by the introduction of technology tell us, though, that the ability to induce change is a critical aspect of successful and sustainable technology, and this is especially so for communication innovation. Indeed, many commentators today consider the potential for a network effect when they analyse an innovation; that is, they look more favourably on an innovation that has the potential to introduce change as a result of its adoption.
It is true that our lives are changing as a result of the introduction of technology, and especially of communication technology. A common problem remains, however: the lack of a consistent and efficient system for automating the verification of identity. With the inevitable improvements in the accessibility, price and capability of technology, the problem will only get worse, since those improvements make a globally connected world a reality for the mass market.
Identity is a critical element in the majority, if not all, of the communication we carry out across the channels available today and tomorrow. Until the problem of identity is solved, the transfer of more and more business to electronic channels, to achieve the efficiency gains those channels provide, will continue to be severely hampered.
It is now commonplace, if not a business-critical function, for modern companies and organisations to restrict access to both physical and electronic premises. In respect of physical premises, access is usually controlled through the issuance of an identification card to all relevant employees and temporary employees. The employee identification card gives a company a simple and easy-to-use regime for restricting access to physical premises to a set of known people: the card (often bearing a photograph of the employee to improve security) is checked, either manually or automatically, as an employee enters and leaves.
Many schemes and technology solutions have been offered to companies and organisations for protecting their electronic premises, whether a private corporate network or, increasingly, Internet resources. The majority of solutions in place today use the same concept as the identification card: an employee is given identification information that is unique to them. Just as the employee is expected to present an identification card and have it checked, the employee is expected to enter their unique identification credentials in order to gain access to an electronic resource. However, these present schemes have major disadvantages, including the overall security of access control systems based on this method.
The problem to which this invention is directed relates to the current methods for identification, and subsequent authorisation, of an employee or customer seeking to legitimately gain access to an electronic resource such as a corporate network or Internet service. In this case, access could be initiated by an employee or customer from devices such as, but not limited to, a personal computer, personal digital assistant, television or games console connected to the Internet. The Internet connection could be over a fixed line, Wi-Fi or cellular data connection (for example a GPRS or 3G network connection). The problem to which this invention is directed further relates to the current methods of identification and authorisation of an employee or customer seeking access to a voice service such as a bank call centre or customer care call centre. In this case, a customer or employee initiates access to a call centre from a mobile phone, for example to discuss a banking service, and the invention provides a solution to the problem of pre-authentication into an automated call centre operation.
The current mechanisms for authentication of an individual include the issue to, and use by, the individual of a username and password, or of a username, PIN and automatically generated numeric code from a token card. These mechanisms for authentication and verification have a number of serious disadvantages, including (1) the management of the user credentials by the corporate or merchant; (2) the cost associated with registration, issuing and ongoing maintenance of the credentials; and (3) the ability of a third party to maliciously gain access to a consumer's or user's online credentials.
In the case of simple username and password credentials, an individual is required to enter these when requested to identify him or herself. The credentials are usually transmitted electronically over a secure link to be verified, and once verified the individual is granted access to the resource, for example (but not limited to) a secure network or a secure portion of an Internet application. In order for this authentication system to operate effectively, the corporate or merchant is required to operate the registration, verification and management procedures. Hence an employee or customer is required to register and either to choose, or to be issued with, a unique username and password. These credentials have to be stored securely and, when required, compared with the credentials entered by an individual authenticating himself or herself for access to a resource.
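The registration and verification steps just described, as an added worked example that is not part of this application: the credential store holds only a per-user random salt and a PBKDF2-HMAC-SHA256 verifier rather than the password itself, and the comparison at verification time is done in constant time. The iteration count, the in-memory dictionary and the usernames are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Cost parameter for PBKDF2-HMAC-SHA256 (assumption: chosen for illustration;
# tune to the slowest acceptable login on the verifying hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory credential store for the example: username -> (salt, verifier).
# A deployment would back this with a database; what matters is that the
# password itself is never written anywhere.
_CREDENTIAL_STORE: Dict[str, Tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Turn a password and per-user salt into a fixed-length verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Registration: store a fresh random salt and the derived verifier."""
    if username in _CREDENTIAL_STORE:
        raise ValueError("username already registered")
    salt = os.urandom(SALT_BYTES)
    _CREDENTIAL_STORE[username] = (salt, _derive(password, salt))


def verify(username: str, password: str) -> bool:
    """Verification: recompute the verifier and compare it in constant time."""
    record = _CREDENTIAL_STORE.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that response
        # timing does not reveal which usernames are registered.
        _derive(password, bytes(SALT_BYTES))
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))   # True
    print(verify("alice", "Correct horse battery staple"))   # False
```

Note that a stolen copy of the store yields salted, slow-to-compute verifiers rather than passwords; it does nothing, however, against the phishing and keystroke-logging attacks discussed later, which capture the password before it ever reaches the verifier.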
In the case of username, PIN and token card credentials, an individual enters their username, PIN and the numeric value currently displayed by the token card when requested. These credentials are usually transmitted over a secure link and verified by systems operated by the employer or merchant. In this case, verification is algorithm-based: the verifying system holds its own copy of the token's secret seed, regenerates by the same algorithm the numeric code expected at that time, and checks that the username, PIN and generated numeric code are all valid. If the credentials prove correct, the employee or customer is allowed access to the Internet application or corporate network. It can be seen that the use of a token card significantly improves the strength of the authentication credentials, since the token card mathematically generates a series of one-time, time-limited codes, and the employee or customer is therefore required to have the token card in their possession when authenticating. This does, of course, require the issuance of token cards, with consequent costs, and also inconvenience for the user.
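The token-card mechanism, as an added worked example that is not code from this application: the time-based one-time code of RFC 6238, built on the HMAC-based code of RFC 4226, together with a server-side verifier that tolerates one 30-second step of clock drift either way and refuses a code for a time step that has already been accepted. The 20-byte seed used in the demonstration is the published RFC 6238 test seed; the window size and the replay bookkeeping are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds each code is valid for
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken as the current time step.
    This is what the token card computes and displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // TIME_STEP)


class TokenVerifier:
    """Server side. Accepts the code for the current step or `window` steps
    either side to absorb clock drift, and never accepts the same step twice,
    so a code captured in transit cannot be replayed within its lifetime."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1   # assumption: persisted per user in practice

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        step = at // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_accepted_step:
                continue   # that step (or an earlier one) has already been used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


# RFC 6238 Appendix B test seed for HMAC-SHA1 (not a real credential).
RFC6238_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SEED, at=59))            # 287082 (RFC 6238 vector, 6 digits)
    print(totp(RFC6238_SEED))                   # the code a token would show right now
```

The verifier shows the two checks a practitioner wants beyond "does the code match": a bounded drift window, so that a desynchronised token does not lock the user out, and the monotonic last-accepted step, so that a code obtained by a keystroke logger is useless once the legitimate user has submitted it.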
The management and control of authentication credentials require corporations and merchants to operate a wide range of services. These include registration, secure delivery, verification, and the control processes needed when users lose or forget their personal credentials. As the number of Internet-connected homes and the number of Internet services increase, it follows that the associated operating costs to corporations and merchants will also increase.
Together with the operating costs associated with managing and controlling user credentials, a severe problem exists with the inherent security of Internet-connected devices. It is well understood in the information technology industry that the personal computer environment is prone to malicious attacks, and this problem is growing as the number of Internet-connected homes increases. The Association for Payment Clearing Services (APACS) has identified a number of methods used by fraudsters that severely affect the security of online resources protected by a simple username and password. These methods include phishing attacks and Trojan horse attacks. The purpose of both attack types is to obtain a customer's or user's Internet credentials, thereby enabling a fraudster to assume the identity of that customer or user.
A phishing attack usually takes the form of an electronic communication, such as an email purporting to be from the corporate or merchant, that requests the customer or user to supply their Internet credentials.
A Trojan horse attack is designed to collect keystroke information as the customer or user enters their credentials and to transfer it automatically to the fraudster. Once the username and password have been obtained, a third party can simply assume the identity of the customer or user to gain access to the specific Internet or corporate resource.
The invention aims to provide an alternative service access mechanism which mitigates some of these problems.