1. Field of the Invention
This invention pertains to security systems that restrict access to an account or other asset. The invention also pertains to computerized systems and user interfaces for configuring access criteria and security rules responsive to primary and secondary passwords. The invention also relates to improved means for reducing the risk of theft or misuse of assets, and for protecting related accounts, including measures to reduce identity theft and other forms of fraud.
2. Description of the Related Art
Passwords have been described as the weak link in modern computer security. In many cases, all that stands between would-be thieves and a bank account, email account, corporate records, or even control of many aspects of a business is a string of several characters. The growing problem of identify theft is exacerbated by inadequate password security. Guidelines for “strong passwords” have been promulgated to make it more difficult for others to guess passwords. Unfortunately, even complex, hard-to-guess passwords can be stolen or discovered in many ways, such as by spyware that monitors keystrokes on a computer, keystroke logging devices attached to a computer, by guessing or brute-force techniques to discover simple passwords, by careless actions of the password owner who may write a password down and leave it available for others to see, by an observer simply watching to see what password is typed, and so forth.
Further, even security-conscious users may sometimes face situations in which they feel they must use their passwords in insecure settings where the password may be exposed to others. In addition to these threats, there is also the risk of criminal intimidation to force a person to reveal a password, PIN, or other security code in order for the thief to gain access to an account, to a safe, a secured vehicle, or other secured item. In other situations, an account owner may face a need to voluntarily share a password or other credential with another party, with the risk that it may be obtained by others and misused. In all these cases, there is a need to add new levels of security to password-protected assets or to security-related information to prevent problems such as account hijacking and identify theft, or to reduce the risks of misusing an account or information from an account.
Security theft is a growing problem that requires increased security means on many fronts. Protection of passwords and other personal information is a vital concern, and previous attempts to improve security associated with a user's assets and identity have a variety of shortcomings, often failing to provide users with the flexibility they need to control access and establish rules for protecting their assets while allowing access under various circumstances.
One aspect of identify theft involves the abuse of basic account information such as a Social Security numbers, which can in turn be used to access still other information to gain access to accounts or commit other acts of fraud against a person. Indeed, thieves can use Social Security numbers in a variety of ways to commit identity theft. For example, the customer service operators of some companies associated with user assets (e.g., banks, online brokerages, credit card companies, etc.) treat SSNs as if they were passwords or shared secrets to authenticate the identify of a user, often allowing a person armed with an SSN and perhaps a few easily obtained facts (address, zip code, full name, birthdate, etc.) to be authenticated as the account owner, and thus be allowed to make major transactions, for example. SSNs are requested and stored by employers, banks, insurers, universities, various non-profit organizations, etc., and may appear printed on insurance cards and numerous mailings from employers or other institutions, making them easy to be stolen from a person's trash. Numerous people may see and handle such information, providing many routes for theft. U.S. Pat. No. RE38572, “System and Method for Enhanced Fraud Detection in Automated Electronic Credit Card Processing,” issued Aug. 31, 2004 to Tetro et al., as well as U.S. Pat. No. 6,715,672 of the same name, issued Apr. 6, 2004 to Tetro, discuss separation of an SSN database from a credit card user database to reduce the risks, but the very use of SSNs or even partial SSNs to be given over a telephone in such systems poses risk. There is a need for improved means for users to protect account information, including information related to SSNs or other personal identifying information to reduce the threat of identity theft.
One step toward improved security involves the use of hardware-based authentication for gaining access to an account, typically in the form of two-part authentication (hardware authentication plus a user-provided password) as opposed to single-factor authentication. Such approaches can include the use of smart cards, which have an embedded chip that can hold a digital certificate allowing authentication to be accomplished through a public key infrastructure (PKI). In addition to entering the user's password or PIN, the user's smart card must be read by a smart-card reader. Reading of the chip can be achieved using a variety of devices that can communicate with a network or computer, including USB devices, such as the Gem e-Seal® of GemPlus International SA (Luxemburg), a USB token with an embedded smart card. Biometric authentication is another approach, requiring hardware and software for scanning and analyzing a unique physiological characteristic. While biometric authentication is often proposed as a one-part authentication scheme, it can be a hardware-based component of a two-part authentication scheme in combination with a user-supplied password or PIN.
Another hardware-related solution involves password synchronization, in which a hardware “token” meant to be in the possession of an authorized user generates an alphanumeric string that changes periodically (e.g., every 15 seconds, 30 seconds, or 60 seconds) according to a secret algorithm. Typically, the time is combined with user credentials to generate the seemingly random string. To gain access the user must enter the currently displayed string and, typically but not necessarily in all system, also enter a fixed or static password. A central server can then determine if the temporary string is correct and also verify that the correct password is entered. In this manner, even if the entered password is observed or intercepted, it will no longer be valid after a brief interval of time, resulting in a two-part authentication scheme that provides a one-time password (OTP). One example of password synchronization to provide an OTP is the RSA SecurID® system of RSA Security Inc. (Bedford, Mass.). Another example is the VeriSign® One-Time Password Token of VeriSign (Mountain View, Calif.) and related payment gateway systems, such as the system being used by PayPal and Ebay in partnership with Verisign.
Password synchronization (also known as time synchronous OTP) is not the only OTP method. Event synchronous and challenge-response schemes are among other approaches to consider. In each approach, an algorithm is applied to the credentials of the user (e.g., a unique key) to generate a string that can serve as an OTP (or be coupled with a PIN to form the OTP). In event synchronous schemes, an OTP is generated in response to an event such as inserting a USB device, pressing a button, entering a keystroke or clicking on a button on a graphical user interface. In challenge-response schemes, a challenge is entered or sent to the token, and an OTP is generated in response based on a combination of the challenge with the user credential according to an algorithm. Various hybrid approaches are also known based on combinations of these schemes. General principles for OTP systems are described in the white paper from RSA Security, “Open Specifications Integrate One-Time Passwords with Enterprise Applications” available at http://www.rsa.com/rsalabs/otps/datasheets/OTP_WP—0205.pdf, as viewed Feb. 6, 2007. Also see the “Extensible Authentication Protocol (EAP)” described in by B. Aboba et al., available at http://www.ietf.org/rfc/rfc3748.txt, as viewed Apr. 23, 2006. Further information is provided in United States Application 20050166263, “System and Method Providing Disconnected Authentication,” published Jul. 28, 2005 by Nanopoulos et al., parts of which are herein incorporated by reference to the extent that they is noncontradictory herewith, said parts being the description found in paragraphs 21 to 35 of one-time password verification systems, with associated figures. (In general, incorporation by reference of other documents, as practice herein, is intended to provide useful background information for implementing technical aspects of methods and systems described herein, and is not meant to limit any definitions or descriptions given herein.)
The variable or machine-generated component of a two-part authentication scheme can be provided by a dedicated physical device with the user's credentials such as key fob, card, PIN pad, a USB-connected device, and the like. Alternatively, a multifunctional tool can be provided with software to also provide the changing machine-generated component. In this case, the hardware-generated component of the two-part authentication scheme is actually provided through proprietary software installed on an electronic device such as another computer, a Pocket PC, personal digital assistants (PDAs) such as Palm Powered® handhelds (Palm, Sunnyvale, Calif.), BlackBerry® (Research in Motion, Charlotte, N.C.) handhelds and wireless phones marketed by Ericsson (Stockholm, Sweden), Nokia (Helsinki, Finland), and others.
A related tool is the Aladdin eToken Pro system of Aladdin Knowledge Systems Ltd. (Kiryat Arye, Petach Tikva, Israel), and the related eToken NG-OTP, a hybrid USB and One-Time Password (OTP) token that can be used to provide access when the USB device is connected to a computer or in detached mode can display one component of a two-component OTP.
Even with hardware-assisted two-part authentication schemes, there is the risk of theft and account hijacking. For example, a thief may use physical intimidation to compel a user to hand over a hardware token and provide the PIN and instructions for use, or in an insecure environment a thief may observe how the hardware component is used, observe or detect the PIN, and then physically steal the hardware component to gain access to an account.
In the art for automated teller machines (ATM), one security system is that of R. K. Russikoff in U.S. Pat. No. 6,871,288, “Computerized Password Verification System and Method for ATM Transactions,” issued Mar. 22, 2005, FIGS. 1 through 3 thereof and columns 3-5 thereof being herein incorporated by reference in a manner that is noncontradictory herewith. In the ATM system of Russikoff, after reading the personal access card (ATM card) and verifying the personal identification number of the customer, the system then generates and displays a plurality of transaction acceptance passwords in the central computer, wherein one of the passwords has been pre-assigned to the customer. If a password other than the pre-assigned password is selected, the requested cash is still dispensed, but the authorities are alerted to indicate that the customer request for cash withdrawal is being made under duress. A related system is that of Brown et al. in U.S. Pat. No. 6,679,422, “Automatic Teller System and Method of Marking Illegally Obtained Cash,” issued Jan. 20, 2004. See also U.S. Pat. No. 5,354,974, “Automatic Teller System and Method of Operating Same,” issued Oct. 11, 1994 to Eisenberg, which describes an automatic teller system that can receive a personalized normal PIN number and emergency PIN number from a user. Also see U.S. Pat. No. 5,731,575, “Computerized System for Discreet Identification of Duress Transaction and/or Duress Access,” issued Mar. 24, 1998 to Zingher and Zingher, from which FIGS. 2, 3, 4, and 6 and the associated description of said figures are herein incorporated by reference for the purpose of describing examples of duress PIN implementation for ATM machines that can be adapted for use according to present invention, to the extent that such description is noncontradictory herewith. The Zingher and Zingher patent describes a system and method for the discrete identification of a duress transaction at an ATM banking machine.
For both one-part and multi-part authentication schemes, there is a need to provide improved security to reduce the potential for harm when a password is stolen. In particular, there is a need to provide password authentication schemes that can help a user in an emergency or provide added security features in an insecure setting, without the risk of losing highly valuable assets. Further, there is a need to allow users to have new levels of security, such that at least some security measures can be in place should another party obtain the user's password.
Regarding credit card security, an authorization system in which a duress signal can be sent by a vendor to authorities when the vendor suspects that a crime is in progress is described in U.S. Pat. No. 6,685,087, “Security System for Validation of Credit Card Transactions,” issued Feb. 3, 2004 to Brown et al., the portions dealing with an Interactive Voice Response System (IVRS) and other methods for conveying information to authorities being herein incorporated by reference to the extent that they are noncontradictory herewith.
In spite of the many efforts made to increase the security of password-accessible systems, there remains a need to provide more flexible, convenient systems in which users can configure security rules for access to secured assets. Further, for many users there is a need to provide customizable means to provide primary and secondary password schemes with associated security rules. Further, there is a need for some users to be able to protect their assets with security systems having primary and secondary passwords with varying security-related rules and actions associated therewith, including options for the primary and secondary passwords to be differentiated via a variety of means, including schemes with both overt and covert components (e.g., hidden secret actions coupled with the entry of conventional passwords). In some security-related situations, there is also a need to provide a user improved security means to placate a thief or appear to provide access to an asset, without actually jeopardizing the asset or selected components of the asset. One or more of these needs may be addressed in the various aspects of the invention described below, but it should be recognized that particular aspects of the invention as defined by the claims may provide utility in a variety of other areas and need not specifically address any of the needs previously set forth or any objectives or advantages explicitly or implicitly found elsewhere in the specification.