In the cyber world we live in, the issue of security has risen to new heights of awareness and concern. This can range from the security of your financial and personal data to even issues of physical security. The concepts of right to enter and authorized access are under siege from relatively new innovations such as the Internet that have made so much information available to anyone with the simple press of a button. Want to know something—just Google® it!
As wonderful as the connectivity we enjoy today is, it has also opened many avenues for hackers and criminals to exploit our personal information, as well as our data and even access to secure physical locations. With the invention described in this disclosure, the inventors' goal is to provide the rightful owners of data, accounts, applications and property with a digital hardware key that validates the identity of a local/mobile computing device that initiates an access or authorization request, so that those owners can protect themselves against sophisticated hackers and criminals.
The methods described in this disclosure can be used to provide multi-factor authentication of authorization and access requests by creating a digital hardware key which may be used to validate the identity of a local/mobile computing device that is initiating the request and determine if said local/mobile computing device has previously been registered for use in this transaction by the rightful owner of the account. The inventors consider this invention to be an important development in the use of multi-factor security schemes designed to ensure the rightful use of said accounts. There are many potential uses of the technology and, by way of background, let us examine a number of the various security scenarios that can be addressed by this invention.
Unauthorized Access to Credit/Debit Card and Bank Accounts:
The problem of credit/debit card and bank account fraud, as well as identity theft, has become so widespread that Americans today regard it as the major crime threat that might directly affect them. This has been well documented by the Gallup organization (http://www.gallup.com/poll/178856/hacking-tops-list-crimes-americans-worry.asp) where it was found that “62% of Americans worry about computer and smart phone hacking”.
The widespread revelations regarding security breaches at major retailers, businesses and some government entities have unsettled the consumer market. Consumers are becoming very apprehensive about using their credit/debit cards, both in stores, as well as with e-Commerce purchases. To understand the gravity of the situation, one needs to look no further than the customer relations damage inflicted on the retailer Target when it became known that their customer information databases had been breached and had affected as many as 110 million people.
And these breaches continue at an accelerated pace, as evidenced by the recent disclosures of financial data breaches at additional major retailers and banks such as Home Depot and Chase Bank. In addition, the medical and financial information of approximately 80 million users has recently been compromised by a breach of the Anthem Blue Cross medical network.
The financial industry defines two major types of consumer credit/debit card usage:
Card Not Present Transaction: A credit or debit card transaction that is initiated over a network such as the Internet during an e-Commerce transaction, whereby the credit/debit card is not physically available for inspection and verification by the merchant.
Card Present Transaction: A credit or debit card transaction that is typically made at a point of sale (POS) terminal or an Automated Teller Machine (ATM) where the physical account card is present and used to initiate the transaction.
In particular, e-Commerce card not present credit/debit card and bank type account (checking/savings, etc.) fraud is growing at an alarming rate and threatens to further erode consumer confidence in their ability to securely make purchases via e-Commerce websites on the Internet.
The problem that exists in the e-Commerce ecosystem is the ability of hackers/criminals to use the massive amounts of personal identification and financial account information from the types of data breaches that have been referenced earlier. The hackers/criminals can use this information for illicit financial gain by initiating a massive amount of fraudulent e-Commerce transactions, without the knowledge or consent of the rightful account owner. This is typically done by using breached credit/debit or bank account information. In today's e-Commerce ecosystem, the consumer has very few reliable tools available to ensure that their information is safe and cannot be used to complete fraudulent e-Commerce transactions. The inventors' goal is to massively reduce the scale on which these hackers/criminals can unjustly benefit from these widespread data breaches, with an ultimate goal of totally eliminating this threat.
Some steps are already being taken by the financial community to reduce card not present financial fraud. Visa and MasterCard, which act as branding networks in the credit/debit card market, are both introducing enhanced security measures that allow the rightful account owner to add a password to their account, which is then required when a card not present transaction occurs. Visa Verified and MasterCard Secure Code are being rolled out through their participating financial card issuers. While the inventors welcome this step, history has shown us how vulnerable even a strong password can be to hacking. While these steps are a good start to improving card not present security, given the sophistication of the modern hacker/criminal, a password alone cannot be counted on to eliminate or massively scale down this epidemic of fraudulent transactions.
With regard to card present transactions, once again, the problem that exists today is the ability of hackers/criminals to obtain massive amounts of personal identification and financial account information from the types of data breaches that have been referenced earlier. The hackers/criminals then use this information for illicit financial gain in a number of ways. Because most credit/debit cards in use in the United States still use a magnetic stripe on the physical card that contains the account owner's information, the hackers/criminals have become adept at duplicating these cards and incorporating magnetic stripes that include the data obtained via the data breaches. In today's credit/debit card ecosystem, the consumer has very few reliable tools available to ensure that their information is safe and cannot be used to complete fraudulent card present financial transactions.
Steps are also being taken by the financial community to reduce card present financial fraud. There is a major transition taking place in late 2015 that will see the replacement of physical credit/debit cards with magnetic stripes by a newer generation of cards that have a semiconductor chip embedded within the card. These new “Chip & PIN” cards will also require that the account owner select and use a personal identification number (PIN) in order for the new Chip & PIN card to complete a card present transaction at a POS terminal. This step is similar to the PIN requirement present today when using an ATM card for a transaction. Once again, the inventors strongly applaud this industry security upgrade and believe that the inclusion of the semiconductor chip embedded in the card will help reduce the fraudulent duplication of credit and debit cards. However, here again we may continue to be at the mercy of these sophisticated hackers/criminals as they develop new methods to breach these chipped cards.
There is also another transition taking place in the card present environment whereby credit and debit accounts are no longer being represented by a physical card, but that account information is being embedded within mobile computing devices which communicate directly with the POS and ATM terminals. Foremost among these new security schemes is Apple Pay, developed by Apple Computer. With the Apple Pay system, the account owner's financial information is secured within the mobile device. The Apple mobile device communicates credit/debit card account information directly to the POS or ATM terminal via a short range communication protocol. In the case of Apple Pay, the communication is established over a Near Field Communication (NFC) link. The completion of the card present transaction also requires the account owner to supply a biometric marker, in this case a fingerprint scanned by the mobile device, or a pre-established password that can be entered via the keypad of the mobile computing device.
While the Apple Pay release has generated interest, the inventors feel there are several major concerns in the ability of the consumer market to adopt Apple Pay:
1. First and foremost is the requirement that the mobile computing device used in the account transaction must be manufactured and supported by Apple. While Apple iPhone mobile computing devices have a sizable world-wide following, other mobile computing devices from other companies and using different operating software (such as Android) compose the majority of the mobile computing devices available in the worldwide marketplace. Because these other mobile computing devices are not supported by Apple, they do not have the ability to run the Apple Pay system, and thus cannot be used to complete a card present transaction.
2. The account owner must embed personal and financial information within a mobile computing device that lends itself to being lost or stolen. This can create additional security concerns for users of Apple Pay. Although Apple has used its best efforts to ensure that this information cannot be accessed in the event the mobile computing device falls into the wrong hands, we must understand that even these best efforts may not be sufficient. If there is anything we should take away from the rash of data breaches we have experienced recently, it is that there is never a guarantee that data cannot be breached. That threat of breach even extends to data breaches at the governmental level, where despite the presence of almost unlimited resources, breaches still occur.
The third concern has to do with the need for a new experience such as Apple Pay to effect a change in habits among consumers using credit/debit cards. It is what is referred to as a learning curve, and the inventors' experience has been that the steeper the learning curve, the slower the adoption rate. Almost every consumer in the world understands the basics of how to use a credit/debit card to complete a card present transaction. Our wallets are stuffed with credit/debit cards and most of us have grown up understanding how to use this card technology. Old habits sometimes die hard and we question the willingness of a substantial part of the card using population to abandon that method for what may be an even more flawed technology. The inventors realize that the march of technology moves on, and that a number of other companies, such as Google, are already working on card present authentication schemes to rival Apple Pay. The inventors welcome these advances but we continue to believe that the best solution available for ensuring the validation of a credit/debit card in a card present transaction is the approach respectfully submitted in this disclosure.
Another area of concern addressed by this invention is the verification of paper checks being submitted for purchases of goods or services. Given the sophistication of modern printing techniques and the ability of hackers/criminals to obtain your complete banking records, the use of this invention can serve as a validation step in the processing of these paper checks.
Given the risk of financial card fraud described above, the inventors would ask one very basic question: Why is it necessary that your credit/debit card or bank type account (checking/savings, etc.) have the ability to initiate and complete a financial card transaction initiated from the billions of local computing devices in use all around the world? The obvious answer is that account owners neither require nor need this type of universal access for their authorized transactions. Research reveals, for instance, that typically an average e-Commerce user will use three to five local/mobile computing devices to complete their transactions. This includes local/mobile computing devices such as their personal computers, tablet devices, PDAs and their ever-present smartphones that are used to complete these card transactions.
Unauthorized Website Access:
The average person visits many websites each month and often has an account on said websites. These website visits may be to make an online purchase, pay a bill, check email, reconcile a bank account or it may even just be a web surfing adventure. Many of these websites encourage/demand that the visitor create an account with the website in order to gain access to the website. In most cases, the only security requirement needed to establish this account and access to the website is the creation and entry of a user name and password. In the inventors' view, this represents a very low security bar and easily falls prey to exploitation by hackers/criminals.
In addition, the problem of unauthorized website access has grown rapidly as users have become more comfortable with the use of remote storage, more commonly referred to as Cloud Storage, to store and access their various data files, including pictures, videos and documents considered highly personal.
Not only has this type of unauthorized website access been used to generate financial gain for the hacker/criminal, it can also cause major embarrassment, as has happened in many instances with the continual stream of racy/explicit photos and videos of celebrities (and others) that the rightful owners of the account thought were safe from view in the cloud, but end up being splashed across the Internet and other venues. In addition, the growth in use of email and social media around the world has led to unauthorized breaches (think Sony breach) of even personal communications such as email or tweets, once again causing major embarrassment, and even harm to the rightful owner of the account.
Here again, the inventors are convinced that the use of the basic concepts of this invention will add a new layer of data security for the rightful account owners.
Unauthorized Physical Access to Places or Things:
The Internet of Things is upon us and its influence is expected to grow rapidly in the years to come. This Internet of Things will extend to our homes, businesses, hobbies, education and just about every other facet of our lives. Secured spaces and things that are connected to a network/Internet will be commonplace and, given the sophistication of hackers/criminals, it is realistic to believe that as this market matures, so too will attempts to gain unauthorized access to these systems.
One of the most reasonable areas of growth in the use of the Internet of Things is in securing access to physical spaces and things. This may include physical access doors, safes and safety deposit boxes, filing cabinets, automobiles and other vehicles as well as many other physical devices, locations or functions. The key to this development is the ability of these network connected locking devices to communicate with local/mobile computing devices via a network and/or the Internet.
As this method of securing physical spaces and things becomes mainstream, it will be important to safeguard against unauthorized access by hackers/criminals in order to make sure that the level of security we believe we have achieved is in fact secure and not subject to exploitation.
If, for instance, the locks on our home doors are electronic and those locks are connected to the local network/Internet, access to the home may be exposed to an attack by a hacker/criminal.
For many years we have seen the use of electronic locks, primarily in hotels and businesses, that rely on a physical card with a magnetic stripe, or that may even use a short range communications protocol such as Near Field Communications (NFC) or Radio Frequency Identification (RFID) to communicate between the physical card and the electronic locking mechanism to authorize access. At a hackers' convention in Las Vegas in 2012, a simple digital hack to unlock hotel doors using a magnetic stripe card reader door lock was revealed. Over 4 million hotel rooms are at risk from a similar $50 home-built electronic device and, as of this writing, the lock manufacturer has not retrofitted their door locks to prevent this hack.
As the Internet of Things moves forward and the world is even more connected, we will see the continued expansion of the use of electronic locking devices that communicate with both our local/mobile computing devices and a network/Internet, in order to authorize access to physical spaces and things. This access door analogy only represents the tip of the iceberg and network/Internet connected electronic locks will be used to regulate access to anything physical that the rightful owner wishes to keep secure.
However, for this expansion to continue, it will become extremely important to ensure that authorization for physical access is not compromised and misused. The inventors are confident that the ability of our technology to validate the identity of a local/mobile computing device being used to gain access to the secured space or thing will greatly increase real world security.
Unauthorized Access to Applications and Data:
Basic electronic security today is under serious assault. This even extends to the ability of hackers/criminals to turn on and breach applications and data on our local/mobile computing devices, without our knowledge or consent. In most cases, all that is required is a simple hack that collects the rightful account owner's user name and password and, from there, access to the user's applications and data. Malicious code can be implanted on an electronic device which gives the hacker/criminal complete control of the local/mobile computing device. We receive a steady stream of updates for Windows, Android and Apple operating systems and from application providers because as fast as these companies react to these hack threats, new ones appear, and this appears to be a never-ending cycle.
This problem also extends to the developers of software applications who may sell/lease their software applications and operating systems (OS) based on a specific license for use that only entitles the purchaser of the application to use said application/OS on a defined number of local/mobile computing devices. While these developers attempt to control this situation with a process that provides serialization of the application and the hope for accountability, it is unfortunate that the hackers/criminals have countered this move by releasing software programs that allow the serialization of the application/OS to be breached, and thus allow the use of said application/OS on more local/mobile computing devices than authorized by the purchase/lease license arrangement. The net result of this is billions of dollars in lost sales and profits to the legitimate companies that pioneer and support these applications and OSs.
It is also common today for business users in particular to provide a means of security for some or all of the data present on their local/mobile computing devices and this trend is slowly making its way to the consumer segment of the market.
A common method of securing the desired data is a process known as encryption. Encryption is a mathematical algorithm that scrambles the data elements in a systematic fashion in order to make them unrecognizable. Once encrypted, the data is unusable in the event that an account is breached and the encrypted data stolen. Access to the encrypted information is typically handled by a manager type software program which controls and validates access to the encrypted data.
However, encrypted data can be returned to its original state by a process known as un-encrypting (decryption). During the process, the encrypted data is run through another mathematical process based on the original algorithm used to encrypt the data. If this process is completed successfully, the data becomes recognizable.
Because of the sophistication of the hacker/criminal community, encryption is not always as safe as one might believe. Hackers have had great success with reversing the process and gaining access to the recognizable data. While encryption levels of sophistication vary, even the most stringent encryption methods may not be immune from hacking and exposure of the data. This point was demonstrated earlier this week, when security experts disclosed a new vulnerability called the FREAK flaw that affects web encryption as well as Android and Apple devices; approximately 10% of the top 10,000 websites are vulnerable to it.
Once again, the inventors believe that the introduction of the local/mobile computing device as a digital hardware key into the security equation will have a profound effect on cyber security in general.