Online security is essential for a provider when rendering a service to any subscriber. As a common security feature, a subscriber login authentication is often required in order for a subscriber to access these services. Normally the provider will ask the subscriber for a username and login password to authenticate the user in future transactions, and the subscriber must input this information before gaining access to the services requested.
Common security issues are found during the process of logging in or keying in a user's credentials, such as his username and password. In order for a subscriber to log on to any service, the username and login password are requested is in one process, usually one right after the other. If the security protecting this login process is compromised, a hacker can get into the user's account because the username and login password are inputted simultaneously, thus providing access to both. In the alternative to when a hacker accesses a user's account by “stealing” their username and password, a security breach is also possible when a hacker either imitates the service provider or steals credential information directly from the service provider. When this happens, the provider's services can be illegally duplicated by a bogus site. Once the subscriber's username and password are inputted into a phony site, a hacker is able to steal subscriber credentials through phishing, and in turn access any information connected to that username. Hackers can also compromise the security of online services by accessing the information stored in the subscriber unit (hereinafter “SU”) whenever a subscriber uses the “auto login feature.” Recently, barcode and QR code payment schemes have been proposed, where the code is used to pass the subscriber's identity directly to the merchant. All of these scenarios present issues that require a secure method of user login to prevent theft of authentication information, either from the subscriber or the service provider.
The present invention discloses a new method for protecting confidential information during online transactions which aims to solve all the aforementioned dilemmas. The process utilizes an intermediary, called a Credential Information Manager (“CIM”), which transmits confidential information between a subscriber and internet service provider. The CIM provides a CyberID to the service provider which authorizes the transaction. It uses both a transaction ID, provided by the service provider to represent that single transaction, and confidential security information, provided by the subscriber for validation of his identity. This process occurs automatically upon the subscriber's attempt to enter into a transaction with the service provider, based on a pre-existing agreement between the service provider and the CIM. The present invention serves two functions: it certifies the validity of both parties to the transaction to ensure that neither the subscriber nor the service provider are fraudulent, and it also provides an added level of security to prevent hackers from gaining access to a user's login information and thus their accounts. The present invention creates an additional step which causes difficulty for a hacker to access since the transfer of information is being sent in a triangular fashion rather than back and forth between only two entities. The barcode and QR code example mentioned include an information flow that is essentially opposite from that of the CyberID solution of the present invention.