Abstract: A method performed by an eCommerce risk assessment system includes receiving eCommerce transaction reports, each containing transaction metrics and transaction attributes having values. A statistic is separately generated for each different type of the transaction metrics based on the values of the transaction attributes. One type of the transaction metrics is selected for analysis. For each combination of a different type of the transaction attributes and a different value among the values occurring for the type of the transaction attribute, a transaction metric statistic is generated for the selected type of the transaction metrics having the combination of the type of the transaction attribute and the value. An analytical model of the eCommerce transactions is trained based on the values of the transaction attributes for the transaction metric statistics. Risk scores are output from the analytical model based on content of eCommerce transactions input to the analytical model.

Abstract: An application analysis computer obtains reports from user terminals identifying operational states of instances of an application being processed by the user terminals. Sequences of the operational states that the instances of the application have transitioned through while being processed by the user terminals are identified. Common operational states that occur in a plurality of the sequences are identified. For each of the common operational states, a frequency of occurrence of the common operational state is determined. For each state transition between the common operational states in the sequences, a frequency of occurrence of the state transition is determined. State predictive metrics are generated based on the frequencies of occurrence of the common operational states and the frequencies of occurrence of the state transitions. The state predictive metrics are communicated, such as to an application server to control access to the application by user terminals.

Abstract: Data is received that corresponds to an image presented at a location of a transaction involving a user device and a terminal device. It is determined that the user device and the terminal device are engaged in the transaction based at least in part on the data and local interactions of a payment device with the terminal device are virtualized based on authenticating the transaction. Virtualizing the interactions can include exchanging messages with the terminal device over a network according to a protocol corresponding to the payment device and the terminal device.

Abstract: An application analysis computer obtains reports from user terminals containing application performance metrics and dimensions having values characterizing the applications and the user terminals. Statistics for each different type of the performance metrics across the reports are generated. One of the statistics, for one type of the performance metrics, that has changed at least a threshold amount between two time intervals is identified, and that performance metric is selected for analysis. For each combination of a different type of the characteristic dimensions and a different value among the values occurring for the type of the characteristic dimension, a statistic is generated for the selected type of the performance metrics from the reports. Information is communicated based on an active warning ID that was selected based on being associated with a combination of the type of the characteristic dimension and one of the statistics that changed at least a threshold amount.

Abstract: Security and convenience are provided by a system, apparatus, method, and computer program product that stores two or more encryption keys that correspond to two or more levels of authentication. The encryption keys may be encrypted and decrypted utilizing an endorsement key and trusted computing techniques. Or the encryption keys may be stored in a secure manner utilizing key protection techniques, such as cryptographic camouflaging. A first encryption key is recovered automatically for the first level of authentication. And input is requested to recover the second encryption key for the second level of authentication.

Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.

Abstract: A method is provided for generating a human readable passcode to an authorized user including providing a control access datum and a PIN, and generating a unique machine identifier for the user machine. The method further includes modifying the controlled access datum, encrypting the controlled access datum using the PIN and/or a unique machine identifier to camouflage the datum, and generating a passcode using the camouflaged datum and the PIN and/or the unique machine identifier. A mobile user device may be used to execute the method in one embodiment. The passcode may be used to obtain transaction authorization and/or access to a secured system or secured data. The unique machine identifier may be defined by a machine effective speed calibration derived from information collected from and unique to the user machine.

Abstract: A technique for mapping a biometric credential of a user to a data value such as a key or password. A database stores multiple entries of biometric templates and associated data values for different users. One of the entries is a match for a particular user, and the remaining entries are randomly selected. The number of entries is reasonably large to provide a desired degree of randomness for a given entry, but smaller than a key space of the data values. Based on an input of a biometric sample of the user, a best match is selected from the entries of biometric templates, and the associated data value is used to authenticate the user. Two- or three-factor authentication can be provided. Additional factors can include a password provided by the user and a key which is encrypted by the data value of the matching entry.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: Systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions are disclosed. Embodiments of the present disclosure read an image displayed on a display of an external device using a mobile device associated with a user authorized to access a secure resource, decode transaction information encoded in the image, transmit the transaction information and an identifier of the mobile device from the mobile device to an authentication system, and grant access to the secure resource if the transaction information and the identifier satisfy an authentication test performed at the authentication system.

Abstract: A method and system is provided for generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider. The DCV may be configured for use as a card verification value (CVV), also known as a card security code (CSC), a primary account number (PAN), or a portion of a PAN. The DCV may be generated using a DCV generator which may include an algorithm and a DCV generation key. The DCV generation key may be camouflaged. Obtaining a DCV from the user device may require inputting a PIN, a device identifier, a challenge or transaction information. The DCV may be used for any transaction requiring the input of a user identification number and a verification value, including, credit card transactions, debit card transactions, online or telephonic transactions.

Abstract: Systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions are disclosed. Embodiments of the present disclosure read an image displayed on a display of an external device using a mobile device associated with a user authorized to access a secure resource, decode transaction information encoded in the image, transmit the transaction information and an identifier of the mobile device from the mobile device to an authentication system, and grant access to the secure resource if the transaction information and the identifier satisfy an authentication test performed at the authentication system.

Abstract: A system and method is provided for generating a one-time passcode (OTP) from a user device. The method includes providing a passcode application and a cardstring defined by a provider account to the user device. The passcode application is configured to generate a passcode configured as a user OTP for the provider account, using the cardstring. The cardstring is defined by at least one key camouflaged with a personal identification number (PIN). The key may be camouflaged by modifying and encrypting the modified key under the PIN. The key may be configured as a symmetric key, a secret, a seed, and a controlled datum. The cardstring may be an EMV cardstring; and the key may be a UDKA or UDKB. The cardstring may be an OTP cardstring, and the key may be a secret configurable to generate one of a HOTP, a TOTP, and a counter-based OTP.

Abstract: A method and system is provided for generating a one-time passcode (OTP) configured for use as a personal identification number (PIN) for a user account from a user device. The OTP may be generated using an OTP generator which may include an algorithm an user account-specific OTP key. The OTP key may be camouflaged by encryption, obfuscation or cryptographic camouflaging using a PIN or a unique machine identifier defined by the user device. Obtaining an OTP from the user device may require inputting a data element which may be one of a PIN, a character string, an image, a biometric parameter, a user device identifier such as an machine effective speed calibration (MESC), or other datum. The OTP may be used for any transaction requiring a user PIN input, including ATM and debit card transactions, secure access and online transactions.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: A technique for mapping a biometric credential of a user to a data value such as a key or password. A database stores multiple entries of biometric templates and associated data values for different users. One of the entries is a match for a particular user, and the remaining entries are randomly selected. The number of entries is reasonably large to provide a desired degree of randomness for a given entry, but smaller than a key space of the data values. Based on an input of a biometric sample of the user, a best match is selected from the entries of biometric templates, and the associated data value is used to authenticate the user. Two- or three-factor authentication can be provided. Additional factors can include a password provided by the user and a key which is encrypted by the data value of the matching entry.

Abstract: A method and system for identifying a machine used for an online session with an online provider includes executing a lightweight fingerprint code from a provider interface during an online session to collect and transmit machine and session information; generating and storing a machine signature or identity including a machine effective speed calibration (MESC) which may be used to identify the machine when the machine is used in a subsequent online session by a method of matching the machine signature and MESC to a database of machine identities, analyzing a history of the machine's online sessions to identify one or more response indicators, such as fraud indicators, and executing one or more responses to the response indicators, such as disabling a password or denying an online transaction, where the response and response indicator may be provider-designated.

Abstract: A method and system is provided for generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider. The DCV may be configured for use as a card verification value (CVV), also known as a card security code (CSC), a primary account number (PAN), or a portion of a PAN. The DCV may be generated using a DCV generator which may include an algorithm and a DCV generation key. The DCV generation key may be camouflaged. Obtaining a DCV from the user device may require inputting a PIN, a device identifier, a challenge or transaction information. The DCV may be used for any transaction requiring the input of a user identification number and a verification value, including, credit card transactions, debit card transactions, online or telephonic transactions.

Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.

Abstract: Security and convenience are provided by a system, apparatus, method, and computer program product that stores two or more encryption keys that correspond to two or more levels of authentication. The encryption keys may be encrypted and decrypted utilizing an endorsement key and trusted computing techniques. Or the encryption keys may be stored in a secure manner utilizing key protection techniques, such as cryptographic camouflaging. A first encryption key is recovered automatically for the first level of authentication. And input is requested to recover the second encryption key for the second level of authentication.