Consumers are commonly asked to provide sensitive and private information to public devices in order to complete transactions, withdraw money from an automated teller machine (ATM), gain access to a secure location, complete online tasks when away from their trusted computer, or any number of other tasks. However, interacting with public or unknown devices can be risky. Any devices (e.g., ATM, Gas Pump, Vending Machine, Kiosk, POS Device, a friend's computer, etc.) in public can be tampered with in a manner such that the devices may skim or otherwise obtain sensitive information from a user when they engage in a transaction or try to perform any task that requires sensitive or personal information.
However, today's transaction infrastructure, processes, and consumer habits often require consumers to interact with unknown devices and enter private and/or sensitive information (PIN, birthdate, social security number, usernames and passwords, answers to security questions, etc.) into these unknown or public devices. For example, any device that can read credit card information can be tampered with, and unattended devices such as ATMs, vending machines, and gas pumps are especially attractive targets. Consumers cannot be sure these devices have not been tampered with or that their interactions with these devices are not being observed by a camera to capture their personal information. Sometimes these devices are altered externally with hardware being added to these kiosks in order to capture account access details. Alternatively, these devices may be tampered with internally by installation of software on the devices in order to capture secure information.
FIG. 1 illustrates some examples of the many ways in which a public device (e.g., an ATM) may be tampered with such that a consumer's sensitive information may be obtained. As can be seen in FIG. 1A, malicious third parties can install keypad overlays 1B over an ATM keypad 1A to track a consumer's entered PIN or other credentials during an ATM transaction, may install a hidden camera 3B, 4B in a screen cover 3A or brochure holder 4A, and may install a card skimmer 2B over the card reader 2A of the ATM 5. As can be seen in FIG. 1, these devices may be made to look like they are a part of the ATM. Accordingly, consumers may swipe their card and have their account information stolen through the skimmer as well as have their PIN number stolen either through the keypad overlay 1B or by a malicious third party recording the PIN entered during the transaction through a hidden camera 3B, 4B. Many other methods may be implemented to steal such information through a wide variety of different public devices. These examples are provided only as a background on some possible methods in which data entry into a public device may be captured by a malicious third party.
Accordingly, there is a need for a method for a consumer to complete a transaction with a public device without providing sensitive information directly to any of the inputs or outputs of a device.
Additionally, another problem facing consumers is “familiar fraud,” or fraud that occurs when an authorized person takes advantage of an account holder's permitted use of an account. For example, a father may give his daughter his payment card and ask them to buy something from the grocery store. At the checkout, the daughter may ask for $20 cashback and pocket it or may charge items they are not authorized to purchase. As such, there is a need for a system that allows an account holder control over a transaction, even from a remote location.
Embodiments of the present invention solve these and other problems, individually and in combination.