1. Field of the Invention
The present invention generally relates to a direct authentication and authorization system and method for trusted network of financial institutions allowing them to directly authenticate their customers and receive their authorization of financial transactions over a communication network such as the Internet. More specifically, the present invention is based on a new identification and authentication scheme as digital identity that enables financial institutions to directly authenticate their account owners and/or receive their authorization of financial transactions over a communication network such as the Internet.
2. Background of the Invention
With the advent of the Internet, the number of online financial transactions has increased dramatically. With this increase, concerns for the security of the financial transactions, proof of authorization for such transactions, and the need for direct authentication of the parties to these transactions have also risen. The Internet is therefore more than just a different delivery channel for online financial transactions. There are two unique characteristics of the Internet that require special consideration:
- The anonymity of the Internet creates an environment in which parties are not certain with whom they are doing business, which poses unique opportunities for fraud.
- The Internet is an open network, which requires special security procedures to be deployed to prevent unauthorized access to consumer financial information.
These unique characteristics of the Internet need to be addressed by financial institutions in order to maintain their dominance in the payment arena. Today, any authentication over a communication network such as the Internet is an indirect authentication. That is, customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases. This type of authentication is not sufficient to truly verify the identity of customers or to tell whether the customer is the actual account owner. This is why financial institutions have limited their online interbank and intrabank service offerings. For example, today, financial institutions require their account owners to perform interbank funds transfers at a branch office, or to send a physical check to the receiver of the funds for payment, both of which are inconvenient and burdensome to corporate and individual customers.
NACHA (National Clearing House Association) operating rules and federal government regulations also require financial institutions to authenticate their customers' identity and receive their authorization for any type of financial transaction, such as payment or funds transfer, over the Internet. In the physical world, financial transactions are authorized by the account owners in writing and signed or similarly authenticated. In the online world, however, financial institutions do not have any solution to meet these requirements. An electronic authorization for an online transaction should be authenticated by a method that 1) identifies the customer (account owner), and 2) manifests the assent of the customer to the authorization. Therefore, financial institutions must use a method that provides the same assurance as a signature in the physical world (a signature both uniquely identifies a person and evidences his assent to an agreement). These objectives should be met by whatever method or process a financial institution employs when obtaining a customer's authorization electronically.
When dealing with customers over any communication network such as the Internet, financial institutions are facing numerous challenges:
- Being able to verify the identity of the customer;
- Being able to obtain transaction authorization from the customer over the Internet;
- Being able to confirm that the customer is the account owner and is authorized to use such account.
Financial institutions must meet these challenges in order to expand their online service offerings (interbank and intrabank) and maintain their dominance in the market. But the lack of identification and real-time account verification methods has prevented financial institutions from achieving these goals.
Today, there are three different identification and authentication schemes in the market:
- Knowledge-based, which involve allowing access according to what a user knows;
- Token-based, which involve allowing access according to what a user possesses;
- Biometrics-based, which involve allowing access according to what the user is.
Due to various problems the current authentication schemes have, financial institutions have not been able to successfully use these technologies to perform direct authentication and authorization of their customers. Passwords are inexpensive and easy to use, but the static nature of passwords makes them vulnerable to replay attacks. Another drawback of passwords is that an online banking password cannot be used for identification and verification of a financial account at third-party web sites. Biometrics can also be useful for user identification, but one problem with these schemes is the difficult tradeoff between the impostor pass rate and the false alarm rate. In addition, many biometric systems require specialized devices, which may be expensive. Token-based schemes are problematic as well. They are expensive to implement and require users to install special devices and software. Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token.
National Clearing House Association (NACHA) and several financial institutions such as Visa and MasterCard have also attempted to develop authentication systems and methods, such as ISAP (Internet Secure ATM Payments) and SET (Secure Electronic Transaction) using smart card technology, but due to the aforementioned smart card problems they failed to achieve customer acceptance. Therefore, they are now experimenting with new password-based programs such as VPAS (Visa Payer Authentication Service) and UCAF (MasterCard Payer Authentication Service) to allow registered cardholders to verify their purchases, a process known as payer authentication. Unfortunately, these have the above-mentioned password issues, are specific to credit card transactions, and do not apply to bank account transactions. They are also very difficult for a customer to manage: owning N different credit cards requires recalling N different passwords for payment at checkout. According to a survey from Jupiter Media Metrix (epaynews.com, Feb. 21 2002), these systems and methods are also complicating the picture for consumers, who are worried by the mix of identification and authentication schemes.
As for financial account ownership verification, several companies, such as Paypal (EBAY) and CashEdge, are currently attempting to bring to market systems and methods for verifying account ownership.
Paypal introduces a system that initiates one or more verifying transactions using financial account information given by the customer. Selected details of the transaction(s) are saved, particularly details that may vary from one transaction to another. Such variable details may include the number of transactions performed, the amount of a transaction, the type of transaction (e.g., credit, debit, deposit, withdrawal), the merchant name or account used by the system for the transaction, etc. The customer then retrieves evidence of the transaction(s) from his or her financial institution, which may be accomplished online, by telephone, in a monthly statement, etc., and submits the requested details to the Paypal system. The submitted details are compared to the stored details and, if they match, the account ownership is verified and the customer is then allowed to use the financial account. There are many drawbacks associated with Paypal's system, including:
- No real-time account verification: It takes 2 to 3 days to verify the customer's financial account.
- High cost: Paypal suggests sending two deposits (credits) to the user's financial account, each of which is less than $0.99 in value.
- Weak account verification: An unauthorized individual who has access to the details about the verifying transactions would be verified as the account owner.
CashEdge's system requires the customer to provide bank account information along with the username and password of the online banking web site that the customer is using to access his/her bank account. The system then applies the customer's username and password to log in to the online banking system for verification of the account ownership. The drawbacks of CashEdge's system include:
- Security and privacy concerns: Requesting the customer to provide the online banking username and password to CashEdge raises customers' security and privacy concerns.
- Weak account verification: An unauthorized individual who has access to the customer's username and password would be verified as the account owner.
- Fraud risk: Without CashEdge's system, a fraudster who has access to the customer's online banking username and password is not able to transfer funds from the customer's account, but CashEdge's system provides this opportunity to an unauthorized individual to commit fraud.
Financial institutions need a system that eliminates the aforementioned problems and concerns by:
- verifying customers' identity;
- verifying account ownership in real time;
- providing proof of transaction authorization;
- being secure, inexpensive and easy to use;
- not requiring financial institutions to change their existing systems and processes;
- covering bank account as well as credit card transactions.
For convenience, the term “customer” is used throughout to represent a financial institution's individual or corporate customer.
The term “financial institution” is used herein to denote any institution such as a bank, credit card issuer, brokerage firm, debit card or credit card company such as Visa, MasterCard, and AMEX, or any other company that offers financial services.
The term “financial account” is used herein to denote any bank account, brokerage account, debit card and credit card account.
The term “account ownership verification” is used herein to denote the process of verifying that the financial account belongs to the customer and the customer is authorized to use such financial account.
The term “communication network” is used herein to denote any private, wireless or public network such as the Internet.
The term “indirect authentication” is used herein to denote any authentication method that authenticates customers based on customers' information. That is, customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases.
The term “direct authentication” is used herein to denote any authentication method that authenticates the customers based on customers' credentials such as biometric data or smart card.
The term “funds transfer network” is used herein to denote any network that financial institutions use to transfer funds, such as ACH, Fedwire, or the Visa network.
The term “interbank funds transfer” is used herein to denote account-to-account funds transfer between accounts at different financial institutions.
The term “debit pull” is used herein to denote the way electronic payments and funds transfers are authorized and executed where the receiver of funds asks the customer's financial institution to debit the customer's account.
The term “credit push” is used herein to denote the way electronic payments and funds transfers are authorized and executed where the customer instructs his/her financial institution to credit the account of the receiver (e.g. a merchant account).
The term “digital identity” is used herein to denote a dynamic, non-predictable and time-dependent alphanumeric code, or any other key, which may be given by the customer's financial institution to the customer over a communication network such as the Internet, and may be valid for one-time use. The customer's digital identity is used for identification, authentication and authorization purposes for processing transactions over the communication network. The digital identity is calculated using a proprietary algorithm that may include any other customer- and/or transaction-specific information to make the digital identity customer- and transaction-specific.
The term “identity authority” is used herein to denote any entity that offers direct authentication services to other businesses. Identity authority issues and manages the digital identity.
The term “Digital Identity System” is used herein to denote the system that deals with the calculation, transformation and validation of the digital identity using a proprietary algorithm.
The term “Digital Identity Network” is used herein to denote the trusted network between financial institutions using any communication network such as the Internet. The Digital Identity Network enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial transactions.
The term “Digital Identity Message” is used herein to denote the message sent or received over the Digital Identity Network that may include the customer's digital identity and transaction information.
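The definitions above describe a digital identity as a dynamic, non-predictable, time-dependent, one-time code bound to customer and transaction details, issued and managed by an identity authority, and carried in a Digital Identity Message for validation. The following is an added illustration, not code from the patent or from any product it names, of how an issuer could implement those properties and why they defeat the replay problem noted for static passwords. The patent only says the code comes from "a proprietary algorithm"; HMAC-SHA256 over the transaction fields plus a random nonce, the 120-second validity window, the field names and the sample customer, account and payee identifiers are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical issuer-side component: the customer's financial institution
# acting as identity authority.  Constructed for illustration; the patent
# does not specify the algorithm, field layout or validity period.
CODE_VALIDITY_SECONDS = 120  # assumed validity window


class IdentityAuthority:
    def __init__(self, secret: bytes, validity_seconds: int = CODE_VALIDITY_SECONDS):
        self._secret = secret
        self._validity = validity_seconds
        self._issued = {}  # digital identity code -> issuance record

    def _compute(self, customer_id, account_id, amount_cents, payee, issued_at, nonce):
        # Bind the code to who pays, from which account, how much, to whom and
        # when; the random nonce makes the code non-predictable.
        msg = "|".join([customer_id, account_id, str(amount_cents), payee,
                        str(issued_at), nonce]).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, customer_id, account_id, amount_cents, payee, now=None):
        """Give the customer a one-time digital identity for one transaction."""
        issued_at = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)
        code = self._compute(customer_id, account_id, amount_cents, payee, issued_at, nonce)
        self._issued[code] = {"issued_at": issued_at, "nonce": nonce, "used": False}
        return code

    def validate(self, message, now=None):
        """Validate a Digital Identity Message received over the network.

        Returns (accepted, reason).  Checks are ordered so that a replayed or
        expired code is rejected before the transaction binding is examined.
        """
        now = int(time.time() if now is None else now)
        record = self._issued.get(message["digital_identity"])
        if record is None:
            return False, "unknown digital identity"
        if record["used"]:
            return False, "digital identity already used (replay)"
        if now - record["issued_at"] > self._validity:
            return False, "digital identity expired"
        expected = self._compute(message["customer_id"], message["account_id"],
                                 message["amount_cents"], message["payee"],
                                 record["issued_at"], record["nonce"])
        # Recomputing the code from the message's own transaction fields
        # detects any change to amount or payee after issuance.
        if not hmac.compare_digest(expected, message["digital_identity"]):
            return False, "transaction details do not match the issued digital identity"
        record["used"] = True
        return True, "authorized"


def demo():
    """Run the four outcomes a validator must distinguish; returns their results."""
    ia = IdentityAuthority(secret=b"constructed-issuer-secret")
    t0 = 1_700_000_000  # constructed fixed clock for reproducibility

    def message(code, amount_cents=12_500):
        return {"digital_identity": code, "customer_id": "cust-42",
                "account_id": "acct-0001", "amount_cents": amount_cents,
                "payee": "merchant-7"}

    results = {}
    code = ia.issue("cust-42", "acct-0001", 12_500, "merchant-7", now=t0)
    results["first_use"] = ia.validate(message(code), now=t0 + 30)
    results["replay"] = ia.validate(message(code), now=t0 + 31)

    code = ia.issue("cust-42", "acct-0001", 12_500, "merchant-7", now=t0)
    results["tampered"] = ia.validate(message(code, amount_cents=99_999), now=t0 + 30)

    code = ia.issue("cust-42", "acct-0001", 12_500, "merchant-7", now=t0)
    results["expired"] = ia.validate(message(code), now=t0 + CODE_VALIDITY_SECONDS + 1)

    results["unknown"] = ia.validate(message("0000000000000000"), now=t0)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

Marking the record as used only after every other check passes means a rejected message never consumes the customer's code, while a second presentation of an accepted code is refused regardless of timing, which is the property a static password cannot provide.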