In the modern world, computerized systems are responsible for collecting, transmitting, and storing an ever-increasing amount of information. These systems are necessary as the need to quickly and accurately access information has become critical in everyday operations upon which business and economy are dependent. While technological advances have helped protect sensitive data from unauthorized access during transmission and storage, little has changed in the means by which data is entered and accessed by authorized individuals.
Through advances in encryption and more powerful computer systems, data storage and transmission have reached a level of security never before known by human civilization. Once data is gathered by a system, it can be stored and shared among other systems with little or no chance of unauthorized disclosure. Even highly technical methods for acquiring, through unauthorized means, stored or transmitted data that has been properly protected are impractical at best and pose no significant threat to data security.
There exist a number of weaknesses in the methods commonly used for secure data entry and improperly secured transmission, all of which have been exploited to gain access to secure information. These exploitations range from the use of multiple electronic devices to simple observation. The weakest points in data security management are typically the individuals themselves and the human-machine interfaces (HMI) through which data is accessed and stored.
Individuals should always guard any sensitive information to prevent the acquisition of the information by others. Such measures include: refraining from discussion of sensitive information while in unsecure settings, restricting any conveyance of information to secure methods, avoiding documentation practices such as recording information using unsecure methods through writing or storage on personal computers, protecting identification devices such as badges and cards from being lost or stolen, and other methods considered by most to be common-sense practices.
Many HMIs are designed with measures in place to help prevent unplanned disclosure of secure information. Unfortunately, many of these measures have proven to be insufficient as these interfaces have become increasingly prolific in society. One such practice is to obscure values, once entered, by masking them with a generic character, such as an asterisk. While this actively hides the final data provided to the system from onlookers, it does nothing to conceal the action of selecting the individual values as the data is entered. Another less common practice is the repositioning of virtual keys on graphical display devices between uses. This design helps to ensure that observation of data entry from a distance will not disclose the entered information through the movements of the individual using the interface. Once again, however, this provides no protection from close observation.
One of the most common uses of secure data access in society today centers on automated teller machines (ATMs) and debit card transactions. Despite methods to protect financial account access, billions of dollars are stolen annually in the United States alone through debit and credit card fraud. In the case of ATM and debit transactions, the only pieces of information required to gain account access are an account number and its associated personal identification number (PIN). Of these two, only the PIN is kept secret and is controlled by the individual owning the account.
The PIN, a four-digit number, only allows for ten thousand possible combinations. Additionally, some PIN combinations are statistically preferred over others due to their ease of being remembered, their association with physical patterns on the numeric keypad used during PIN entry, and the association of numbers with groups of letters, allowing the PIN to be translated into words. These commonly used PINs can be exploited to increase the probability of correctly guessing a PIN to match a given account.
Several methods may be used to obtain an account number and the associated PIN. Shoulder surfing is the act of observing an individual while entering their PIN with the goal of gaining the individual's PIN for future use. A similar scheme involves the use of a skimming device, which is attached over the card entry location and is designed to appear as part of the ATM, in conjunction with a strategically placed camera. When an individual inserts their card into the ATM, the skimming device also reads the account number encoded on the card. The camera then records the PIN as the individual provides it to the system, thereby collecting both the account number and the associated PIN.
Debit transactions occurring at a point of sale are in many cases stored on local systems, then processed as a group periodically or at the end of the business day. Such storage of account numbers and PINs can be a target in an attempt to acquire the information, especially since they are stored in large quantities.
Other common points of weakness are data line monitoring, data center breaches, and lost, stolen, or fraudulent cards. Data line monitoring can be a security weakness if the data is not encrypted properly before transmission or if the encryption is compromised; however, proper implementation and maintenance can prevent this from being an issue. Lost, stolen, or fraudulent cards and data center breaches only put at risk the account numbers, not their associated PINs.
The present invention addresses all of these weaknesses, as well as offers improved measures of protection to areas which are not considered immediate risks.
Accordingly, it can be seen that there exists a need for a better way for preventing passcode fraud. It is to the provision of solutions to this and other problems that the present invention is primarily directed.