1. Field of the Invention
The present invention relates to identity theft protection and, more particularly, to a system and method for protection against theft of personal identity information when conducting both online and offline purchase transactions.
2. Discussion of the Related Art
Identity theft is one of the fastest growing crimes in the world, and is becoming increasingly sophisticated and difficult to prevent. In the United States alone, the Federal Trade Commission (FTC) reports that victim complaints have increased exponentially between the years 2000 and 2004. In many instances, identity thieves obtain personal identity information of a large number of individuals by stealing data from one or more databases. The personal information compromised often includes data elements such as Social Security numbers, account numbers, telephone numbers, addresses and driver's license numbers of thousands of victims.
The FTC estimates that since the year 2000 at least 10 million people have had criminals open new credit card or bank accounts, secure utilities services, or apply for mortgages or other loans under the victims' names with the use of stolen identity information. Moreover, it is reported that the personal data of nearly 50 million Americans have been exposed in the year 2005 alone, with as many as 1 in 6 people now being vulnerable to identity theft.
For people whose identities have been stolen, it can take months, and sometimes years, and thousands of dollars to correct the damage. Until the problem is resolved, victims of identity theft may lose job opportunities, be refused loans, and even get arrested for crimes they didn't commit. Additionally, criminals may open new credit card accounts in the victims' names and then run up charges that they will never pay. The victims' personal identity information may also be used to establish telephone or wireless service in the victims' names. Identity thieves have also been known to open bank accounts in victims' names and write bad checks on those accounts. In other instances, criminals may counterfeit checks, credit cards or debit cards, or authorize electronic bank transfers that drain the funds from a bank account.
Theft of personal identity information from computers and online (e.g. the Internet) environments is particularly problematic and widespread. The two primary means of misappropriating personal identity information in an online environment are database theft/hacking and phishing. Database hacking typically involves theft of identity information of a large number of victims from a centralized storage source, such as a merchant or credit card transaction processor database. Phishing scams involve fraudulent requests for information from consumers, usually via email messages, and are now the most rapidly expanding method of identity theft. Phishing scammers typically forge the “from” field of an email message so that it appears to be from a reputable company, such as a well-known merchant or bank. The message urges the recipient to click on a link in the email message in order to update account information under the premise that the company suspects that the email recipient's account has been tampered with. The link leads to a website that looks credible and requests the unsuspecting recipient to type in his/her personal information, which may include their Social Security number, bank account number and credit card numbers.
As mentioned above, personal identity information of a large number of individuals is often obtained by stealing/hacking data from one or more databases. In virtually all cases, such thefts have occurred from unencrypted databases. In many instances, theft of identity information from a central data storage location is a result of an “inside job” by an employee who may have authorized access to the database. In some instances, the employee may be lured into this criminal activity with payoffs from those who ultimately use the stolen identity information for their own monetary gain. In other cases, the criminal-minded employee may be a plant, having sought out the most opportunistic employment position for the primary purpose of gaining access to one or more databases containing valuable identity information of a large number of potential victims. Accordingly, the storage of personal identity information of a large number of individuals at a central data storage location is risky and renders such identity information vulnerable to theft by both “insiders” and outside hackers.
In other instances, sophisticated criminals steal a person's credit or debit card numbers by capturing the information in a data storage device in a practice known as “skimming.” Identity theft can also occur when making offline purchases, particularly when a credit card is used. A thief may swipe a victim's card to capture the number and other account information, or attach a capturing device to an ATM machine where the victim inserts his/her bank card. To protect consumers, credit card companies offer various products that attempt to stop thieves from stealing credit card account information. However, these various protection products do not enable a card user to make purchases with complete anonymity. Thus, there is always a danger of theft of the user's personal identity information.
The alarming concern surrounding the rapidly growing problem of personal identity theft and credit card fraud has led to numerous proposed systems and methods aimed at preventing or reducing risk of theft or misuse of personal and financial information.
For example, U.S. Pat. No. 6,839,692 B2 to Carrott et al. discloses a method and apparatus for providing secure credit facility transactions for purchasing goods and services over a computer network, such as the Internet. The method and apparatus disclosed in Carrott et al. stores a user's privileged information and other transactional data on the user's own computer. The method includes encryption of all information before or during its storage on the user's hard drive. The method and system includes the ability for the user to complete electronic commerce transactions without revealing certain of the encrypted information, such as credit card numbers, to the merchant. Further, the method and system creates and controls sub-accounts on a single credit card facility, such as a credit card account, and controls sub-account spending amounts and replenishment periods. Unlike the present invention, as described more fully hereinafter, the method and system in Carrott et al. fails to provide maximum user anonymity throughout purchase transactions. Additionally, the system and method in Carrott et al. does not provide for access to all major credit card accounts of a user and may not allow for use at all merchant websites. When making an online purchase using the system and method in Carrott et al., the user must still provide his/her actual street address, email address and phone number. Accordingly, the system and method in Carrott et al. fails to fully protect against theft of the user's personal identity information.
In U.S. Pat. No. 6,636,833 B1 and U.S. Patent Application Pub. No. US 2003/0028481 A1, both to Flitcroft et al., a credit card system and method is disclosed for providing limited use credit card numbers and/or cards to be used for a single- or limited-use transaction. The system can be used for both “card remote” transactions, such as by telephone or Internet, or for “card present” transactions. Methods for limiting, distributing and using a limited use card number, controlling the validity of a limited use credit card number, conducting a limited use credit card number transaction and providing remote access devices for accessing a limited use credit card number are also provided. Unlike the present invention, as described more fully hereinafter, the Flitcroft et al. credit card system and method fails to provide for maximum user anonymity. For instance, a user of the Flitcroft et al. credit card system is required to provide their real name and address to a Merchant when making an online purchase. Moreover, for “card present” transactions, the Flitcroft et al. credit card system reveals a name and number on the card. Additionally, a signature may be required by the user when making a “card present” transaction. According to the system of the present invention, as described hereinafter, no user identification number appears on the card for “card present” transactions and no signature is required. Additionally, the credit card system in Flitcroft et al. requires the user to enter the limited-use credit card numbers when conducting an online transaction. The system of the present invention offers greater user convenience, accuracy and security by taking responsibility for entering the controlled use card number rather than having the user/Member do so. Security is further enhanced in the system of the present invention by eliminating the distribution of single-use numbers to users/Members. Moreover, the Flitcroft et al. credit card system may require the user to reveal his/her actual email address to online Merchants. The secure email service provided under the system of the present invention provides for total anonymity so that online Merchants are unable to determine the Purchaser's email address. Further, online transmission of transaction records to Members using the system of the present invention is more secure because these transmissions occur through the System's secure email service which is less susceptible to fraud/theft than conventional user-identified emails.
U.S. Patent Application Pub. No. US 2002/0116341 A1 to Hogan et al. discloses a method and system for conducting secure payments over a computer network which uses a pseudo-expiration date in the expiration date field of an authorization request. Unlike the present invention, as described more fully hereinafter, the method and system in Hogan et al. fails to provide for maximum user anonymity. More particularly, the user of the method and system in Hogan et al. must provide their name, address, email address and credit card number when making a purchase or payment over a computer network, such as the Internet.
The U.S. Patent to Demoff et al., U.S. Pat. No. 6,456,984 B1, discloses a method and system for providing temporary credit authorizations in a consumer transaction which eliminates the need for a traditional credit card. According to Demoff et al., the system responds to a request for issuing a credit transaction number that is made concurrent with a particular transaction. The credit transaction number is then randomly generated and made valid only for the requested transaction, and automatically ages a short period of time after the request. The credit transaction numbers are continually recycled for subsequent requests irrespective of the customer identity. The request can be made from a mobile communication device or from a personal computer using an electronic commerce program. Transactions between customers and registered or known online Merchants can be automatically carried out by a centralized service provider without generating the unique, temporary number, or without the need for the customer or Merchant to exchange personal information. Unlike the system and method of the present invention, as described more fully hereinafter, the system disclosed in U.S. Pat. No. 6,456,984 B1 requires online Merchants to first register with the system and be pre-approved for secure transactions. Thus, the method and system of Demoff et al. limits user access to only online Merchants that have been pre-approved and registered with the system. Moreover, the system and method of Demoff et al. does not provide for access to all major credit cards, as selected by the user. Further, the system and method in Demoff et al. fails to provide for maximum user anonymity throughout the purchase transaction.
The current financial marketplace offers a broad array of credit card and debit card products for both general and limited use. Despite attempts to provide for added security against fraud and identity theft, all of these products, when used for “card present” transactions, have significant limitations, particularly with protection of user identity. For instance, almost all credit cards and debit cards display a user name on the card. Also, a card number directly associated with the user's account is visible on the card, along with an expiration date. In most instances, a user of a credit card will be required to sign his/her name when conducting a “card present” transaction. Additionally, since all credit card products do not require PIN entry at the point of transaction, they are easily used for fraudulent purposes if stolen.
The present invention provides the following advantages over virtually all credit-card type products presently used for “card present” transactions:
No name on card
No card numbers are visible
No expiration date is visible
Member signature is not required (provided electronically)
Of no value if stolen without PIN entry
Limited exposure by allowing the user to control the value of the card to an amount less than the full credit line.
The current financial industry also offers an array of products for “card-not-present” transactions. These products fall into a number of different major categories including:
Wallets (PAY PAL, YAHOO): this is a system of prearranged charge “centers” that debit purchases against designated credit cards or financial accounts.
Conventional Credit Cards (VISA, MASTERCARD, DISCOVER and AMERICAN EXPRESS): cards with assigned account numbers that access the full credit lines of the established credit card accounts.
Debit Cards: usually require entry of a PIN at place of transaction and are directly tied to a bank account or other financial accounts (not a credit card account) that are automatically debited after the purchase transaction. Theft or unauthorized use exposes the entire balance in the linked bank account to possible theft.
Association-Based Controlled Use Credit Cards (verified by VISA, MASTER SECURE): employ controlled use credit cards with use being generally limited to participating Merchants.
Card Issuer-Based Controlled Use Credit Cards (CITIBANK, MBNA): similar to the above association-based controlled use credit cards, but usually not restricted to participating Merchants.
The following table summarizes the considerable advantages of the system and method of the present invention versus these above-identified products:
Table columns: Description of Benefit; Present Invention; Wallet; Credit Card; Debit Card; Association Controlled Credit Card; Issuer Controlled Credit Card.
Each row below gives the benefit followed by the marks recorded for it, in the order they appear in the row (column positions are not preserved):
Name not revealed: P
Real Credit Card #s not requested during online purchase: A, A
Real Credit Card #s or other usable account # not revealed to Merchant: A, A, A
Billing information not revealed: A, A
Street Address not revealed: A
Shipping address not revealed: P
Email address not revealed: P
Phone number not revealed: P
Virtual Passwords: A
Usable at any merchant site: A, A
Personal Identity Info not stored at Merchant central data locations: A
Access to all credit cards Member wishes to use: A, A
Usable at any Merchant website: A, A, P
Automatic Merchant form fill of standard purchase information: A
One-step access from Member desktop: A, A, A, Discover Only (P)
No major extra steps by Member during purchase: A, A, A
A = Benefit always provided
P = Benefit partially or sometimes provided