Abstract: A person-to-person (P2P) payment system provides payment from a payer to a payee without the payer identifying a payee payment receiving preference, such as the payee account into which funds are to be posted. The payment system includes a setup system for setting up payment between the payer and the payee and a messaging system for handling messages between the payer and the payment system and the payee and the payment system, including communications with the payee by way of a payee phone number or email address provided by the payer. A risk assessment system determines a risk score for the P2P transaction and, based on that score, the bank of the payer provides a guarantee to the bank of the payee.

Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.

Abstract: To validate a user's identity a network validation server receives a smartphone image of a preexisting user credential, including both a user biometric and a unique identifier associated with the credential and stores them in a database. The validation server also receives the unique identifier from a registrar network device seeking to validate the user, and in response transmits a validation code to the user's smartphone for display by the user's smartphone and/or the registrar's network device for display by the registrar's network device. The validation server additionally receives confirmation from the registrar's network device that a validation code displayed on the user's smartphone is the transmitted validation, thereby confirming that the user has been validated by the registrar.

Abstract: A security server receives a request of a user to activate a secure communications channel over the network and, in response, transmits an activation code for delivery to the user via another network. The security server receives an activation code from the user network device via the network, compares the received activation code with the transmitted activation code to validate the received activation code, and activates the secure communications channel based on the validation. The security server next receives a query including a question for the user from an enterprise represented on the network, transmits the received enterprise query to the user network device via the secure communications channel, and receives, from the user network device via the secure communications channel, a user answer to the transmitted enterprise query. The security server then transmits the received user answer to the enterprise to further authenticate the user to the enterprise.

Abstract: To validate a user's identity a network validation server receives a smartphone image of a preexisting user credential, including both a user biometric and a unique identifier associated with the credential and stores them in a database. The validation server also receives the unique identifier from a registrar network device seeking to validate the user, and in response transmits a validation code to the user's smartphone for display by the user's smartphone and/or the registrar's network device for display by the registrar's network device. The validation server additionally receives confirmation from the registrar's network device that a validation code displayed on the user's smartphone is the transmitted validation, thereby confirming that the user has been validated by the registrar.

Abstract: A network server is operated so as to facilitate legal eavesdropping by receiving, from the first user via a network, a session key (SK) encrypted with a second user's public key, kpubU2, and the SK encrypted with an escrow server's (ES) public key, kpubES. The kpubU2 key is the public key of the second user asymmetric private/public key pair kpriU2/kpubU2 The kpubES key is the public key of the ES asymmetric private/public key pair kpriES/kpubES. The received SK encrypted with kpubES is stored. The SK encrypted with kpubU2 is transmitted to the second user via the network. A message encrypted with the SK is received from one of the first and the second users via the network, stored, and transmitted to the other of the first and the second users via the network.

Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site the user is first authenticated by the security server for instance by out of band authentication. Then the security server computes a one time password based on a secret it shares with the web site and sends it to the pop up window.

Abstract: Transaction authentication with techniques and geolocation are combined to provide privacy and security enhanced geolocation. In an example implementation, a user initiates a transaction at a web service which in turns triggers a security server. The security server uses its always on connection with the combined client on user security device to perform geolocation, proximity and transaction authentication. These results may be used by the web service to make a decision on whether to proceed with the transaction.

Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.

Abstract: A network server is operated so as to facilitate legal eavesdropping by receiving, from the first user via a network, a session key (SK) encrypted with a second user's public key, kpubU2, and the SK encrypted with an escrow server's (ES) public key, kpubES. The kpubU2 key is the public key of the second user asymmetric private/public key pair kpriU2/kpubU2 The kpubES key is the public key of the ES asymmetric private/public key pair kpriES/kpubES. The received SK encrypted with kpubES is stored. The SK encrypted with kpubU2 is transmitted to the second user via the network. A message encrypted with the SK is received from one of the first and the second users via the network, stored, and transmitted to the other of the first and the second users via the network.

Abstract: To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.

Abstract: To validate a user's identity a network validation server receives a smartphone image of a preexisting user credential, including both a user biometric and a unique identifier associated with the credential and stores them in a database. The validation server also receives the unique identifier from a registrar network device seeking to validate the user, and in response transmits a validation code to the user's smartphone for display by the user's smartphone and/or the registrar's network device for display by the registrar's network device. The validation server additionally receives confirmation from the registrar's network device that a validation code displayed on the user's smartphone is the transmitted validation, thereby confirming that the user has been validated by the registrar.

Abstract: A network server is operated so as to facilitate legal eavesdropping by receiving, from the first user via a network, a session key (SK) encrypted with a second user's public key, kpubU2, and the SK encrypted with an escrow server's (ES) public key, kpubES. The kpubU2 key is the public key of the second user asymmetric private/public key pair kpriU2/kpubU2. The kpubES key is the public key of the ES asymmetric private/public key pair kpriES/kpubES. The received SK encrypted with kpubES is stored. The SK encrypted with kpubU2 is transmitted to the second user via the network. A message encrypted with the SK is received from one of the first and the second users via the network, stored, and transmitted to the other of the first and the second users via the network.

Abstract: To notify a person of the availability of electronic billing information, billing information associated with bills of a biller for its customers is stored in a first data store, and identify information identifying unregistered persons having billing information stored in the first data store, is stored in a second data store. Registration information identifying a person who is currently unregistered is received via a wide area network. The received registration information is compared with the identity information stored in the second data store. Based on the comparison, it is determined if the received registration information identifies a customer of the biller. If so, a notice of the availability of the stored billing information of the biller is transmitted to the person via the wide area network.

Abstract: Systems and methods for making a payment on behalf of a payer to a payee are provided. A request to make a payment on behalf of a payer to a payee is received at a first payment service provider. The first payment service provider supports a first payment network within a plurality of payment networks that each include a respective plurality of payers and payees. The payer is one of the plurality of payers and payees associated with the first payment network, and the payor is not one of the plurality of payers and payees associated with the first payment network. A second payment network within the plurality of payment networks with which the payee is associated is identified by the first payment service provider. A payment instruction to make the payment to the payee is transmitted by the first payment service provider to a second payment service provider associated with the second payment network.

Abstract: To authenticate a user of a mobile communication device for login or transaction authorization, a first application on the device directs transmission of a request for authentication of the user to a security server. A second application on the device receives the request for authentication from the security server and directs presentation of the received request for authentication to the user by the device. The second application receives a user input to the device indicating that the requested authentication should proceed and in response directs transmission of an indication that the requested authorization should proceed, to the security server. In response to this latter transmission, the second application receives a PIN from the authentication server. The first application directs transmission of the PIN received by the second application to the network site, which validates the transmitted PIN, in order to authenticate the user or the transaction to the network site.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.