1. Field of the Invention
This application relates to e-commerce in general, and more particularly, to methods and apparatus for authenticating users of a service provider over a network using Captchas that are based on unique past transactions involving both the user and the service provider.
2. Related Art
A “Captcha” is a type of challenge-and-response test used by some web sites as a means to ensure that the response to the challenge is being generated by a human and not by a computer or other automated, “robotic intelligence.” Captchas are therefore sometimes described as “reverse Turing tests” because they are administered by computers to humans, and not vice-versa, and indeed, the term Captcha is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
A typical Captcha requires the user to type letters, words or digits from a distorted image that is displayed to the user on a computer display. A human can discern the characters relatively easily, but a computer running automated software, including artificial intelligence (AI) and optical character recognition (OCR) software, cannot. For example, FIG. 1 illustrates a type of Captcha used by the United States Patent and Trademark Office (USPTO) to restrict automated, non-human access to its public Patent Application Information Retrieval (PAIR) site. Captchas are typically used to prevent automated software or robot computers from performing actions on a system which would degrade the quality of the system provided to human users due to abuses of the system or overconsumption of its resources, such as “spamming” and automated posting to blogs, forums and wikis, resulting from commercial promotion activities, harassment or vandalism.
Users of a service provider, such as a financial service provider, e.g., an online bank, such as ING Direct, or a payment/collection service, e.g., PayPal, typically access their accounts and effect financial transactions using a combination of user identity data, such as a unique user name or number, and a password or Personal Identification Number (PIN). While this technique generally provides the user with a relatively secure method of accessing his or her accounts, it does not enable the service provider to determine whether the entity accessing the system is a human or a robot computer. However, while conventional Captchas can supply the latter need, they generally lack the requisite degree of security for the former because they can easily be solved by a human interloper, e.g., one possessing the user's identification data but not the user's password or PIN.
What are needed, then, are network-based systems by which a service provider can securely authenticate a user and, at the same time, verify that the web flow is being remotely driven by a human.