AUTHENTICATING ONLINE USERS WITH DISTORTED CHALLENGES BASED ON TRANSACTION HISTORIES
In one embodiment, a system includes one or more processors having memory coupled thereto. The memory stores instructions executable to cause the system to perform a method that includes generating a request based on 1) transaction information that is available to a user and a service provider and relating to one or more transactions by a user, and 2) at least one user-specified preference as to a type of the transaction information upon which the request is based, communicating the request to a device of the user, receiving a response to the request from the user device, and determining the authenticity of the user based on the response. The request can be in visually or audibly form, such as a Captcha.
This application is a continuation of U.S. App. Ser. No. 13/077,535, filed Mar. 31, 2011, now U.S. Pat. No. ______, issued ______.
BACKGROUND1. Field of the Invention
This application relates to e-commerce in general, and more particularly, to methods and apparatus for authenticating users of a service provider over a network using Captcha-like requests that are based on unique past transactions involving both the user and the service provider.
2. Related Art
A “Captcha” is a type of challenge-and-response test used by some web sites as a means to ensure that the response to the challenge is being generated by a human and not by a computer or other automated, “robotic intelligence.” Captchas are therefore sometimes described as “reverse Turing tests” because they are administered by computers to humans, and not vice-versa, and indeed, the term Captcha is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
A typical Captcha requires the user to type letters, words or digits from a distorted image that is displayed to the user on a computer display, which a human can discern relatively easily, but which a computer running automated software, including artificial intelligence (AI) and optical character recognition software (OCR), cannot. For example,
Users of a service provider, such as a financial service provider, e.g., an online bank, such as ING Direct, or a payment/collection service, e.g., PayPal, typically access their accounts and effect financial transactions using a combination of user identity data, such as a unique user name or number, and a password or Personal Identification Number (PIN). While this technique generally provides the user with a relatively secure method of accessing his or her accounts, it does not enable the service provider to determine whether the entity accessing the system is a human or a robot computer. However, while conventional Captchas can supply the latter need, they generally lack the requisite degree of security for the former because they can easily be solved by a human interloper, e.g., one possessing the user's identification data but not the user's password or PIN.
What are needed then, are network-based systems by which a service provider can securely authenticate a user, and at the same time, verify that the web flow is being remotely driven by a human.
SUMMARYIn accordance with the present invention, systems are provided by which a service provider, e.g., a financial service provider, can simultaneously authenticate a user over a network and verify that the user is human by using Captcha-like challenges which are based on past transactions involving and known by both the user and the service provider.
In one embodiment, a system comprises one or more processors having memory coupled thereto. The memory stores instructions executable to cause the system to perform a method that includes generating a request based on 1) transaction information that is available to a user and a service provider and relating to one or more transactions by the user, and 2) at least one userspecified preference as to a type of the transaction information upon which the request is based, communicating the request to a device of the user, receiving a response to the request from the user device, and determining the authenticity of the user based on the response. The request can be in a visually or audibly altered form, such as a Captcha.
In another embodiment, a non-transitory machine-readable medium comprises a plurality of machine-readable instructions which, when executed by one or more processors of a server, are adapted to cause the server to perform a method comprising receiving data identifying a user, generating a request based on 1) transaction information, available to the user and a service provider and relating to one or more transactions by the user, and 2) at least one user-specified preference as to a type of the transaction information upon which the request is based, communicating the request to a device of the user, receiving a response to the request from the user device, and determining whether the user is authentic based on the response.
In yet another embodiment, an apparatus for authenticating a user by a service provider comprises means for receiving user identification data sent by the user to the service provider, means for generating a request based on 1) transaction information, known by the user and the service provider and relating to one or more transactions by the user, and 2) at least one userspecified preference as to a type of the transaction information upon which the request is based, means for communicating the request to a device of the user, means for receiving a response to the request from the user device, and means for determining whether the user is authentic based on the response.
A better understanding of the above and other features and advantages of the novel user authentication systems of the present invention may be obtained from a consideration of the detailed description of some example embodiments thereof presented below, particularly if such consideration is made in conjunction with the several views of the appended drawings, wherein like elements are referred to by like reference numerals throughout.
The Captcha 100 may further include a number of user selectable function icons 108, 110 and 112. These include a “reload” icon that functions to present the user with an alternative word pair challenge 102 to type in, an “audio” icon 110 that functions to present a visually impaired user with an alternate set of challenge words 102 that are audible to the user through speakers or headphones connected to the user's computer, and a “help” icon 112 that functions to present the user with detailed information on how to use the Captcha,
In the particular example Captcha 300 of
It should be noted that the nature of the past transaction queries of the Captchas 300 need not necessarily be just monetary in nature. For example, in some embodiments, the Captcha 300 can take the form of, “Before your last purchase of shoes, what did you purchase with PayPal?” or the like.
In other embodiments, a user “customization/preferences” setting can be used to “bias” the Captchas 300 toward, e.g., specific types of items, colors of items, specific vendor names, or the like, or alternatively, combinations of the foregoing.
Additionally, based on user and/or service provider settings, the Captcha 300 could comprise a collage of iconic (i.e., visual) representations of past purchases with a textual challenge such as, “Of the above items, what did you purchase in Austin at the Domain?” That is to say, the challenge of the Captcha 300 could just as easily have a visual component based on transaction history as well as a textual component.
In some embodiments, at S2, upon receipt of the user identification data, the service provider may retrieve transaction history data of the user with the service provider from, e.g., a user account database, and at S3, may generate, transmit and present to the user a distorted visual or audible challenge based on at least one previous transaction involving and known by both the user and the service provider. The at least one previous transaction may be one exclusively between the user and the service provider, such as the amount of a recent deposit to a particular account, or may involve a third party, such as an online vendor of products or services, and the challenge may take the form of the challenge 302 of the Captcha 300 discussed above in connection with
At S4, the service provider receives the purported user's response or answer to the challenge of the Captcha, and at S5, determines whether the answer is correct, and based thereon, determines whether the purported user is both authentic and human. The user's response may again take different forms and be transmitted via different devices, such as discussed above with respect to step S1. If the user's response to the challenge is correct, then at S6, the service provider may grant the user access to the user's account(s) at, and/or the services of, the service provider.
The process 400 may also be used for other purposes, such as retrieving a lost or forgotten password. Determination of whether the received response is correct may depend on the question being asked. For example, if the user is asked to provide the date of the user's most recent transaction with the service provider or the amount of the most recent purchase, the service provider may deem a response to be correct even if not exactly correct. In this example, if the actual amount was $145.23, and the user responded with $145.22, this may be deemed “close enough” for the service provider to authenticate the user. Similarly, if the user responds with a date that is one day early or late for a transaction that was performed several months ago, that again may be deemed a correct answer. So, the service provider may have different ways of concluding whether a response is “correct” and thereby authenticating the user. Alternatively, if the answer is not correct, then at S7, the service provider may deny the purported user access to the user's account(s) at, and/or the services of, the service provider.
In some embodiments, the service provider may provide the user with more than one opportunity to be authenticated. For example, as illustrated in
By using a distorted challenge based on information known by the user and the service provider, the service provider can determine whether the user is both human and authentic with a single response from the user.
The user's device 502 may comprise, for example, a personal computer, such as a desktop or laptop computer, a portable tablet computer, a smart phone or a personal digital assistant (PDA), each of a well-known type, and may include a modem 508 for connecting the user to the service provider via the network 506, a processor 510, a data storage device 512, such as a hard disk drive or flash memory, an input device 514, such as a key board, a key pad, and/or a microphone (for inputting audible responses), loud speakers or head phones (for hearing audible challenges), and a display 516, such as a liquid crystal display (LCD), for displaying to the user a visual Captcha 300 useful for authenticating the user to the service provider in the manner described above. In some embodiments, the key pad function may be incorporated in the display 516, e.g., such as in a touch-screen display.
As further illustrated in
As discussed above in connection with
As above, the user may then input an answer or response to the challenge of the Captcha 300 using the input device 514 of the user's device 502 and return it to the service provider via the network 506 and, if the response received by the service provider is correct, the service provider may then deem the user to be both authentic and human and grant the user access to the user's accounts and/or the services provided by the service provider.
In some embodiments, the service provider may be a financial service provider, e.g., a online payments/collections intermediary, such as PayPal, which may serve, for example, to effect the financial aspects of online purchases from or sales to selected third parties on behalf the user. In some embodiments, the third party may comprise a vendor or purchaser of goods or services, and as illustrated in
Alternatively, where the vendor's account 526 resides at a bank or other financial institution not affiliated with the service provider, the network 506 of the apparatus 500 may comprise an electronic network component, such as the Automated Clearing House (ACH) or the Electronic Payments Network (EPN) and a clearing house 528, that enable the service provider to effect transfers of funds between the user's accounts 524 and the vendor's accounts 526 electronically via the network 506.
Thus, as those of skill in this art will by now appreciate, although Captchas are conventionally used simply to distinguish humans from machines, in accordance with the present invention, they can also be used to credential a given individual from others, in addition to merely determining whether a subject is a human being and not a script running on a remote computer.
Although the methods and apparatus of the present invention have been described and illustrated herein with reference to certain specific example embodiments thereof, it should be understood that a wide variety of modifications and variations may be made to these without departing from the spirit and scope of the invention, as defined by the claims appended hereafter and their functional equivalents.
Claims
1. A system, comprising:
- one or more processors; and
- memory, coupled to the one or more processors and having stored thereon instructions executable to cause the system to perform a method comprising:
- generating a request based on: 1) transaction information, available to a user and a service provider and relating to one or more transactions by the user; and 2) at least one user-specified preference as to a type of the transaction information upon which the request is based;
- communicating the request to a device of the user;
- receiving a response to the request from the user device, and
- determining the authenticity of the user based on the response.
2. The system of claim 1, wherein the request communicated to the user in a visually or audibly altered form.
3. The system of claim 1, wherein the request is communicated to the user in the form of a Captcha.
4. The system of claim 1, wherein the method further comprises storing and retrieving transaction information of the user at a service provider based on identification data of the user.
5. The system of claim 4, wherein the service provider comprises a financial service provider.
6. The system of claim 4, wherein the identification data of the user comprises a name or a number.
7. The system of claim 1, wherein the method further comprises granting the user access to a user's account at a service provider based on the response.
8. The system of claim 1, wherein the one or more processors are in communication with at least one network, the at least one network comprising the internet, the Automated Clearing House (ACH) or the Electronic Payments Network (EPN).
9. The system of claim 1, wherein the method further comprises effecting a financial transaction with at least one third party on behalf of the user using the one or more processors and based on the determining of the authenticity of the user.
10. The system of claim 9, wherein the financial transaction is exclusively between the user and a service provider or involves a third party.
11. A non-transitory machine-readable medium comprising a plurality of machine-readable instructions which when executed by one or more processors of a server are adapted to cause the server to perform a method comprising:
- receiving data identifying a user;
- generating a request based on: 1) transaction information, available to the user and a service provider and relating to one or more transactions by the user; and 2) at least one user-specified preference as to a type of the transaction information upon which the request is based;
- communicating the request to a device of the user;
- receiving a response to the request from the user device, and
- determining whether the user is authentic based on the response.
12. The medium of claim 1, wherein the request communicated to the user in a visually or audibly altered form.
13. The medium of claim 11, wherein the response comprises text data, voice data or both text data and voice data.
14. The medium of claim 11, wherein the method further comprises retrieving a lost or forgotten password or personal identification number (PIN) and transmitting it to the user's device.
15. An apparatus for authenticating a user to a service provider, the apparatus comprising:
- means for receiving user identification data sent by the user to the service provider;
- means for generating a request based on: 1) transaction information, known by the service provider and the user and relating to one or more transactions by the user; and 2) at least one user-specified preference as to a type of the transaction information upon which the request is based;
- means for communicating the request to a device of the user;
- means for receiving a response to the request from the user device; and,
- means for determining whether the user is authentic based on the response.
16. The apparatus of claim 15, wherein the request is communicated to the user in a visually or audibly altered form.
17. The apparatus of claim 15, wherein at least one of the receiving means, generating means, communicating means and/or determining means comprises a data server, a personal computer, a tablet computer, a smart phone and/or a personal digital assistant.
18. The apparatus of claim 15, wherein the service provider is a financial service provider and further comprising means for effecting financial transactions between the user and the service provider using at least one network.
19. The apparatus of claim 18, further comprising means for effecting a financial transaction with a third party on behalf of the user over the at least one network.
20. The apparatus of claim 19, wherein the at least one network comprises the internet, the Automated Clearing House (ACH) or the Electronic Payments Network (EPN).
Type: Application
Filed: Jul 7, 2014
Publication Date: Oct 23, 2014
Inventor: Kevin M. Raper (Austin, TX)
Application Number: 14/325,085
International Classification: H04L 29/06 (20060101); G06Q 20/40 (20060101);