Field of the Invention
The present invention relates to identity theft protection and, more particularly, to a system and method for protection against theft of personally identifiable information (PII) when conducting both online and offline purchase transactions and other non-purchase operations, such as registration and identity authentication procedures.
Discussion of the Related Art
Identity theft is one of the fastest growing crimes in the world, and is becoming increasingly sophisticated and difficult to prevent. In the United States alone, the Federal Trade Commission (FTC) reports that victim complaints have increased exponentially from the year 2000 to present. In many instances, identity thieves obtain personally identifiable information of a large number of individuals by stealing data from one or more databases. The personal information compromised often includes data elements such as Social Security numbers, account numbers, telephone numbers, addresses and driver's license numbers of millions of victims.
The Justice Department's Bureau of Justice Statistics estimates that 16.6 million people in the United States experienced at least one incident of identity theft in 2012. The financial losses attributed to identity theft totals $24.7 billion. In 2012, the most common type of identity theft included the misuse or attempted misuse of an existing account, such as a credit card account or bank account. Approximately 7.7 million reports of fraudulent use of a credit card and 7.5 million reports of fraudulent misuse of a bank account were made in 2012.
For people whose identities have been stolen, it can take months, and sometimes years, and thousands of dollars to correct the damage. Until the problem is resolved, victims of identity theft may lose job opportunities, be refused loans, and even get arrested for crimes they didn't commit. Additionally, criminals may open new credit card accounts in the victims' names and then run up charges that they will never pay. The victims' personally identifiable information may also be used to establish telephone or wireless service in the victims' names. Identity thieves have also been known to open bank accounts in victims' names and write bad checks on those accounts. In other instances, criminals may counterfeit checks, credit cards or debit cards, or authorize electronic bank transfers that drain the funds from a bank account.
Theft of personally identifiable information from computers and online (e.g. the Internet) environments is particularly problematic and widespread. The two primary means of misappropriating personally identifiable information in an online environment are database theft/hacking and phishing. Database hacking typically involves theft of identity information of a large number of victims from a centralized storage source, such as a merchant or credit card transaction processor database. Phishing scams involve fraudulent requests for information from consumers, usually via email messages, and are now the most rapidly expanding method of identity theft. Phishing scammers typically forge the “from” field of an email message so that it appears to be from a reputable company, such as a well-known merchant or bank. The message urges the recipient to click on a link in the email message in order to update account information under the premise that the company suspects that the email recipient's account has been tampered with. The link leads to a website that looks credible and requests the unsuspecting recipient to type in his/her personal information, which may include their Social Security number, bank account number and credit and debit card numbers.
As mentioned above, personally identifiable information of a large number of individuals is often obtained by stealing/hacking data from one or more databases. In virtually all cases, such thefts have occurred from encrypted and unencrypted databases. In many instances, theft of identity information from a central data storage location is a result of an “inside job” by an employee who may have authorized access to the database. In some instances, the employee may be lured into this criminal activity with payoffs from those who ultimately use the stolen identity information for their own monetary gain. In other cases, the criminal-minded employee may be a plant, having sought out the most opportunistic employment position for the primary purpose of gaining access to one or more databases containing valuable identity information of a large number of potential victims. Accordingly, the storage of personally identifiable information of a large number of individuals at a central data storage location is risky and renders such identity information vulnerable to theft by both “insiders” and outside hackers.
In other instances, sophisticated criminals steal a person's credit or debit card numbers by capturing the information in a data storage device in a practice known as “skimming”. Identity theft can also occur when making offline purchases, particularly when a credit card is used. A thief may swipe a victim's card to capture the number and other account information, or attach a capturing device to an ATM machine where the victim inserts his/her bank card. To protect consumers, credit card companies offer various products that attempt to stop thieves from stealing credit card account information. However, these various protection products do not enable a card user to make purchases with complete anonymity. Thus, transactions remain traceable to account information, and there is always a danger of theft of the user's personally identifiable information. The key to our technology is it protects the data itself, not the access to data.
The alarming concern surrounding the rapidly growing problem of personal identity theft and credit card fraud has led to numerous proposed systems and methods aimed at preventing or reducing risk of theft or misuse of personal and financial information.
For example, U.S. Pat. No. 6,839,692 B2 to Carrott et al. discloses a method and apparatus for providing secure credit facility transactions for purchasing goods and services over a computer network, such as the Internet. The method and apparatus disclosed in Carrott et al. stores a user's privileged information and other transactional data on the user's own computer. The method includes encryption of all information before or during its storage on the user's hard drive. The method and system includes the ability for the user to complete electronic commerce transactions without revealing certain elements of the encrypted information, such as credit card numbers, to the merchant. Further, the method and system creates and controls sub-accounts on a single credit card facility, such as a credit card account, and controls sub-account spending amounts and replenishment periods. However, unlike the present invention, as described more fully hereinafter, the method and system in Carrott et al. fails to provide maximum user anonymity throughout purchase transactions. When making an online purchase using the system and method in Carrott et al., the user must still provide his/her actual street address, email address and phone number. Further, the Carrott et al. system is not universally accessible in any respect. For instance, the system and method in Carrott et al. does not provide for access to all credit card accounts of a user or other forms of payment (e.g. bank accounts via direct debit or ACH, e-currency, electronic funds transfer, etc.) and may not allow for use at all merchant websites. Accordingly, the system and method in Carrott et al. is very limited in scope (i.e. not universal) and fails to fully protect theft of the user's personally identifiable information.
In U.S. Pat. No. 6,636,833 B1 and U.S. Patent Application Pub. No. US 2003/0028481 A1, both to Flitcroft et al., a credit card system and method is disclosed for providing limited use credit card numbers and/or cards to be used for a single- or limited-use transaction. The system can be used for both “card remote” transactions, such as by telephone or Internet, or for “card present” transactions. Methods for limiting, distributing and using a limited use card number, controlling the validity of a limited use credit card number, conducting a limited use credit card number transaction and providing remote access devices for accessing a limited use credit card number are also provided. However, unlike the present invention, as described more fully hereinafter, the Flitcroft et al. credit card system and method fails to provide for maximum universality and user anonymity. For instance, the Flitcroft et al. system is limited to credit card payment. Flitcroft et al. fails to provide universal payment options to the user, such as direct debit from a designated bank account, payment from any bank account via Automated Clearing House (ACH), e-currency, electronic funds transfer or any other legal form of payment in a purchase transaction. Furthermore, a user of the Flitcroft et al. credit card system is required to provide their real name and address to a merchant when making an online purchase. Also, for “card present” transactions, the Flitcroft et al. credit card system reveals a name and number on the card, and a signature may be required by the user when making a “card present” transaction. Additionally, the credit card system in Flitcroft et al. requires the user to enter the limited-use credit card numbers when conducting an online transaction. Moreover, the Flitcroft et al. credit card system may require the user to reveal his/her actual email address to online merchants.
U.S. Patent Application Pub. No. US 2002/0116341 A1 to Hogan et al. discloses a method and system for conducting secure payments over a computer network which uses a pseudo-expiration date in the expiration date field of an authorization request. Unlike the present invention, as described more fully hereinafter, the method and system in Hogan et al. fails to provide for universality and maximum user anonymity. More particularly, the user of the method and system in Hogan et al. has limitations of use and method of payment (i.e. credit card payment only) and must provide their name, address, email address and credit card number when making a purchase or payment over a computer network, such as the Internet.
The U.S. patent to Demoff et al., U.S. Pat. No. 6,456,984 B1, discloses a method and system for providing temporary credit authorizations in a consumer transaction which eliminates the need for a traditional credit card. According to Demoff et al., the system responds to a request for issuing a credit transaction number that is made concurrent with a particular transaction. The credit transaction number is then randomly generated and made valid only for the requested transaction, and automatically ages a short period of time after the request. The credit transaction numbers are continually recycled for subsequent requests irrespective of the customer identity. The request can be made from a mobile communication device or from a personal computer using an electronic commerce program. Transactions between customers and registered or known online merchants can be automatically carried out by a centralized service provider without generating the unique, temporary number, or without the need for the customer or merchant to exchange personal information. Unlike the system and method of the present invention, as described more fully hereinafter, the system disclosed in U.S. Pat. No. 6,456,984 B1 to Demoff et al. requires online merchants to first register with the system and be pre-approved for secure transactions. Thus, the method and system of Demoff et al. limits user access to only online merchants that have been pre-approved and registered with the system. Moreover, the system and method of Demoff et al. does not provide for universal access to any form of payment, including all credit cards, bank accounts (via ACH or direct debit), e-currency, electronic funds transfer, cash, or any other legal form of payment selected by the user. Further, the system and method in Demoff et al. fails to provide for maximum user anonymity throughout the purchase transaction.
The current financial marketplace offers a broad array of credit card and debit card products for both general and limited use. Despite attempts to provide for added security against fraud and identity theft, all of these products, when used for “card present” transactions, have significant limitations, particularly with protection of user identity. For instance, almost all credit cards and debit cards display a user name on the card. Also, a card number directly associated with the user's account is visible on the card, along with an expiration date. In most instances, a user of a credit card will be required to sign his/her name when conducting a “card present” transaction. Additionally, since all credit card products do not require PIN entry at the point of transaction, they are easily used for fraudulent purposes if stolen.
The present invention provides the following advantages over virtually all credit-card type products for use in conducting both “card-not-present” and “card present” transactions:                Universal access at virtually any location using any electronic device (e.g. PC, Apple, cell phone, PDA, land line phone), with any computer platform (operating system), on any Internet browser and at any website, web store and physical store.        Universal forms of payment from virtually any financial source of the Member/user        Use of any financial institution of the Member's choice        No name, card numbers or expiration date visible on card        Member signature is not required (provided electronically)        Of no value if stolen without PIN entry        Limited exposure by allowing the user to control the value of the card to an amount less than the full credit line        
The current financial industry also offers an array of products for both “card present” and “card-not-present” transactions. These products fall into a number of different major categories including:                Wallets or E currency (PAY PAL, YAHOO)—this is a system of prearranged charge “centers” that debit purchases against designated credit cards or financial accounts        Conventional Credit Cards (VISA, MASTERCARD, DISCOVER and AMERICAN EXPRESS)—cards with assigned account numbers that access the full credit lines of the established credit card accounts        Debit Cards—usually require entry of a PIN at place of transaction and are directly tied to a bank account or other financial accounts (not a credit card account) that are automatically debited after the purchase transaction. Theft or unauthorized use exposes the entire balance in the linked bank account to possible theft.        Association-Based Controlled Use Credit Cards (VERIFIED by VISA, MASTERCARD SECURECODE)—employ controlled use credit cards with use being generally limited to participating merchants        Card Issuer-Based Controlled Use Credit Cards (CITIBANK, MBNA)—similar to the above association-based controlled use credit cards, but usually not restricted to participating merchants        
The following table summarizes the considerable advantages of the system and method of the present invention versus these above-identified products:
AssociationIssuerControlledControlledPresentWalletCreditDebitUse CreditUse CreditDescription of BenefitInventione-currencyCardCardCardCardName not revealedPReal Credit Card #s not requestedAACiti Only Pduring online purchaseReal Credit Card #s or otherAAAusable account # not revealed toMerchantBilling information not revealedAAStreet address not revealedAShipping address not revealedPEmail address not revealedPPhone number not revealedPVirtual PasswordsAUsable both online (via Internet)PPPand offline (retail/physicallocations)Usable with any computerAplatformUsable from a variety ofAelectronic devicesUsable with any browserAUsable from any user locationA(home, work, travel, friend andfamily electronic devices)Usable through bank accountAwithout risk of account exposureUsable at any Merchant's physicalPAPlocationA (smartphoneapp)Personal Identity Info not storedAat Merchant central data locationsAccess to all credit cards MemberAAwishes to useUsable at any Merchant websiteAAPAutomatic Merchant form fill ofAanonymous personallyindentifiable informationOne-step access from MemberAAADiscoverdesktopOnly (P)No major extra steps by MemberAAAA (smartduring purchasephone app)A = Benefit always providedP = Benefit partially or sometimes provided based on the need of the user