The present invention relates to systems and methods for implementing secure transactions including but not limited to purchases over a computer network. More particularly, the methods described herein relate to a system which permits users of a network to perform transactions such as banking, purchases of merchandise and/or services and other transactions over a computer network, whereby the purchaser may feel confident that information including but not limited to private personal information such as credit card or other payment information is not at risk of being diverted, misappropriated or stolen and the vendor may be more confident that the purchaser is bona fide.
The present invention permits one or more parties to a transaction to have confidence that the other party to the transaction is who he or she purports to be. This may be accomplished by the use of a “fingerprint” of the computer or other device used by such party and/or the use of a one time password. The fingerprint of the computer or other device used for the transaction provides significant security for parties to a transaction. If additional security is desired or if, for example, the computer or other device used in the transaction is not secure and is available for use by third parties, a one time password may also be used. The one time password concept of the present invention changes the password every time a request for authentication is made, so that the next time the user of the computer or other device is the subject of an authentication request, the new password is required for this authentication and a new password is generated for the subsequent request. The one time password is described in further detail below.
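An added sketch of the one time password rotation described above, combined with the device fingerprint check; it is not code from the patent. The class and function names, SHA-256 digest storage, random password generation and the choice to rotate only on a successful request are assumptions.

```python
import hashlib
import hmac
import secrets


def _digest(value: str) -> bytes:
    # Store only digests so the server record never holds the raw values.
    return hashlib.sha256(value.encode("utf-8")).digest()


class RollingVerifier:
    """Hypothetical server-side store: one (fingerprint, password) record per user."""

    def __init__(self):
        self._records = {}

    def enroll(self, user: str, fingerprint: str) -> str:
        """Bind the device fingerprint and return the first one time password."""
        otp = secrets.token_urlsafe(16)
        self._records[user] = (_digest(fingerprint), _digest(otp))
        return otp

    def authenticate(self, user: str, fingerprint: str, otp: str):
        """Return the next password on success, or None on any mismatch."""
        record = self._records.get(user)
        if record is None:
            return None
        # Evaluate both checks in constant time before deciding.
        fp_ok = hmac.compare_digest(record[0], _digest(fingerprint))
        otp_ok = hmac.compare_digest(record[1], _digest(otp))
        if not (fp_ok and otp_ok):
            return None  # assumption: a failed request leaves the record unchanged
        next_otp = secrets.token_urlsafe(16)
        self._records[user] = (record[0], _digest(next_otp))
        return next_otp


def demo():
    """Run the exchange with constructed sample values; returns four outcomes."""
    server = RollingVerifier()
    fp = "cpu=SAMPLE;disk=SAMPLE"  # constructed fingerprint string
    first = server.enroll("alice", fp)
    second = server.authenticate("alice", fp, first)        # accepted, rotates
    replay = server.authenticate("alice", fp, first)        # old password reused
    other = server.authenticate("alice", "cpu=OTHER", second)  # wrong device
    third = server.authenticate("alice", fp, second)        # accepted, rotates
    return second is not None, replay is None, other is None, third is not None
```

A password captured during one authentication is rejected on the next request because the stored digest has already moved on, and a valid password presented from a device with a different fingerprint is rejected without consuming it.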
It is well known for members of the public to access the global client/server network commonly referred to as the Internet, a part of which is the World Wide Web, for the purpose of searching for and purchasing merchandise from on-line vendors selling wares ranging from travel services and investment services to CD recordings, books, software, computer hardware and the like. Numerous patents teach methods or systems purporting to secure commercial credit card transactions carried out over the Internet. Examples of such patents include U.S. Pat. No. 5,671,279 to Elgamal, U.S. Pat. No. 5,727,163 to Bezos, U.S. Pat. No. 5,822,737 to Ogram, U.S. Pat. No. 5,899,980 to Wilf et al. and U.S. Pat. Nos. 5,715,314 and 5,909,492, both to Payne et al., the disclosures of which are incorporated by reference herein.
Most of the disclosed systems have the disadvantage that they rely on the transmission of sensitive information over unsecured network routes and lines for each transaction. Although, practically speaking, the systems which rely solely on encryption are fairly safe, there is still some risk of credit card misappropriation, and there is little psychological comfort given to potential users by their knowing that encryption is being used. In addition, the merchant does not know whether the person making the purchase is actually the person whose name is on the credit card.
Generally speaking, the Internet is a network of computers, remote from one another, linked by a variety of communications lines including telephone lines, cable television lines, satellite link-ups, wireless networks and the like. Internet service providers (hereinafter “ISPs”) provide the link to the main backbone of the Internet for small end users. The account for the end user is established in the normal manner, usually by providing credit card information to the ISP by conventional means, such as by voice telephony, fax transmission or check. In most ISP-end user relationships, the ISP has been given credit card or other credit account information, which information is on file with the ISP and available to the ISP's computers. In return for receiving payment, the ISP provides a gateway to the Internet for the end-user's use. The end-user (or user) is provided with identification codes for dialing directly into the ISP's computers and software means (for example, dialer software, browser software, electronic mail software, and the like) for doing so if necessary.
Most purchases are conducted in the following manner: a purchaser using a browser application on his local client computer connects via his computer's modem to a dial-up Internet Service Provider (hereinafter “ISP”) and makes connections through the ISP to various Web sites, i.e. Internet server locations assigned a URL (Uniform Resource Locator) address. The purchaser selects his merchandise and the vendor usually requests payment by one of several methods, one of which may include payment by providing credit card information.
According to surveys and other marketing data, there always has been and there still exists a high percentage of the population which is deterred from purchasing merchandise directly over the Internet. This large percentage of the population apparently fears that, despite all the efforts at security and cryptography promised by the vendors, there still exists the possibility that their credit account information will be intercepted on-line by a third party computer hacker and used illegally, at great expense and trouble for the cardholder.
An additional anxiety-inducing factor related to merchandising over the Internet, or e-Commerce, is that the vendor cannot always be certain that, just because he has obtained credit card or account information, he will actually be paid for the merchandise he ships. After all, credit card fraud and/or theft occurs regularly and may not be caught in time to stop the order from being shipped. When the cardholder discovers the theft and stops the card, it may be too late for the vendor to recover the shipped goods. At the very least, this situation leads to unnecessary aggravation and wasted resources for the vendor, credit card company and cardholder.