Abstract: Techniques of performing impersonation detection involve using encrypted access request data. Along these lines, an impersonation detection server stores historical access request data only in encrypted form and has no way to decrypt such data. When a new access request is received by a client, the client sends the username associated with the request to the server, which in turns sends the client the encrypted historical access request data. In addition, the server sends the client instructions to perform impersonation detection. The client then carries out the instructions based on the encrypted historical access request data and data contained in the new access request.

Abstract: A system, method, and server computer configured to authenticate a consumer device. The consumer device is authenticated via a mobile gateway using challenge-response authentication. If the consumer device is successfully authenticated, a secure channel is established between the consumer device and a first entity. The secure channel allows for secure communication between the consumer device and the first entity.

Abstract: Various embodiments include one or more of systems, methods, software, and data structures for validating a digital signature, wherein common information in a certification chain is maintained in one entry of a Document Secure Store (DSS). The DSS separates the Long Term Validation (LTV) information from the digital signature, allowing amendment of and addition to the LTV information in the DSS after a digital signature is applied to a document.

Abstract: Fraud and identity theft are enabled by two faulty assumptions about the way that the identity of a person is verified in our society. The first is that someone who demonstrates knowledge of certain items of personal or financial information about a particular person is presumed to be that person. The second assumption, which gives rise to the first assumption, is that these items of information can be kept confidential. Because fraudsters and identity thieves often seek to use their victim's personal and financial information, this invention proposes a direct authentication system and method that does not depend on these assumptions. The proposed method enables businesses to determine whether the customer is truly the person who he says he is by adopting a new “two-factor” authentication technique and authenticating customer's identity utilizing customer's trusted authenticator.

Abstract: Disclosed is a technique for establishing a secure communication session between a mobile device and a card reader. The technique can involve using a trusted, remote validation server to validate security information of both the card reader and a POS module in the mobile device prior to, and as a precondition of, the card reader and the POS module establishing a secure communication session with each other. In certain embodiments the POS module sends the security information of both the card reader and the POS module to the validation server. The security information can include cryptographic keys of the POS module and the card reader and additional security information related to the POS module and its software environment.

Abstract: In the approaches described herein, a data file storage service may control access to file system objects using corresponding “personal” or organization-related “work” identity information which may include encryption keys or passwords. To assist the user with identifying respective file system objects, the user is presented with a corresponding graphical user interface (GUI) which displays a corresponding personal or work identity icon next to a visual rendering of the file system objects. Keys that control access to work identity files and folders are purged from a local key store as soon as user authorization changes are detected. In this way, even a user who originated a data file will not be able to decrypt files stored in a folder shared using a work identity once that identity is canceled by the organization, while at the same time, the user's access to their personal files may continue.

Abstract: Systems and methods are provided for notifying a user regarding early consumption of a popular content item. In one or more aspects, a system includes an identification component configured to identify a user that was among a first X percentage of users to access a content item that is ranked as a popular content item based in part on total number of times the content item was previously accessed, a notification generation component configured to generate a notification identifying the user as being among the first X percentage of users to access the popular content item, and a notification posting component configured to send the notification to a device or an account of the user.

Abstract: A method transmits a signal using a unidirectional communications link, which is protected by an asymmetric cryptography method. A counter value is incremented by a transmitter during a transmission operation. Subsequently, a challenge is determined by the transmitter on the basis of the counter value and a control command that can be executed by a receiver and, on the basis of the challenge that is determined a response is in turn determined. The challenge and the response are transmitted from the transmitter to the receiver. The challenge received is then checked by the receiver to see whether the counter value used in the challenge is greater than a counter value previously stored by the transmitting transmitter. The response received is checked on the basis of the challenge. Following successful checking of the challenge and response, the control command transmitted in the challenge is executed.

Abstract: Establishing trust according to historical usage of selected hardware involves providing a usage history for a selected client device; and extending trust to a selected user based on the user's usage history of the client device. The usage history is embodied as signed statements issued by a third party or an authentication server. The issued statement is stored either on the client device, or on an authentication server. The usage history is updated every time a user is authenticated from the selected client device. By combining the usage history with conventional user authentication, an enhanced trust level is readily established. The enhanced, hardware-based trust provided by logging on from a trusted client may eliminate the necessity of requiring secondary authentication for e-commerce and financial services transactions, and may also be used to facilitate password recovery and conflict resolution in the case of stolen passwords.

Abstract: A method of managing access to enterprise resources is provided. An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.

Abstract: Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.

Abstract: According to an embodiment, a computer program product includes a computer-readable medium including program, when executed by a computer, to have a plurality of modules run by the computer. The computer includes a memory having a shared area, which is an area accessible to only those modules which run cooperatively and storing therein execution module identifiers. Each of the modules includes a first operation configured to store, just prior to a switchover of operations to an other module that runs cooperatively, an identifier of the other module as the execution module identifier in the shared area; and a second operation configured to execute, when the execution module identifier stored in the shared area matches with an identifier of own module immediately after a switchover of operations from the other module, a function inside the own module.

Abstract: Embodiments of the invention can provide systems and methods for device provisioning. According to one example embodiment of the invention, a method can be provided. The method can include identifying, from a computer-readable memory, provisioning information associated with a device; attaching the provisioning information to an item; and preparing the item to be sent to a location of the associated device, wherein the device is provisioned based at least in part on the item. In certain embodiments, one or more operations can be performed by one or more computers associated with a service provider.

Abstract: One of the objects of the present invention is to provide a communication system in which biometrics can be utilized without leaking to a third person so that a strict personal authentication can be conducted. The communication system includes, storing a correspondence table in a card, storing a reference password which is formed by converting a part of biometrics of an authorized user in the card by using the correspondence table, reading a part of biometrics of a user by the card, converting a part of the biometrics of the user into a password by the card using the correspondence table, and checking the password against the reference password by the card, wherein the card and the user are authenticated if a the password and the reference password match in the step of checking.

Abstract: An embodiment relates generally to a method of binding a token to a user. The method includes receiving a token embedded with an address and inserting the token into a computer. The method also includes connecting to the address stored on the token and binding a user to the token based on information from the address.

Abstract: Described is a mobile terminal. The mobile terminal includes: a SIM card identity registration module, configured to acquire registration information of a user; a security management module, configured to encrypt the registration information to acquire encrypted registration information; and a NFC authentication module, configured to acquire and transmit information about an intelligent card to the security management module which is also configured to decrypt the encrypted registration information to acquire the decrypted information, match the information about the intelligent card with the decrypted information, and if the matching is successful, output a balance and/or transaction information stored in the intelligent card. Described also is a method and a system for inquiring information stored in an intelligent card by using a mobile terminal.

Abstract: A method for crediting a customer account maintained by a vendor of services in response to payment received from a customer is disclosed herein. The method includes issuing, to the customer, a membership account number associated with at least the customer account. A membership account number and a payment corresponding to a requested amount of a service offered by the vendor are received from the customer at a point-of-sale. The method further includes generating, at the point-of-sale, an authorization message including at least the membership account number and embedded transaction information identifying the service offered by the vendor and the requested amount. The embedded transaction information is then communicated from the point-of-sale to a database server. The customer account is credited, in response to the embedded transaction information, based upon an amount of the payment.

Abstract: Establishing trust according to historical usage of selected hardware involves providing a usage history for a selected client device; and extending trust to a selected user based on the user's usage history of the client device. The usage history is embodied as signed statements issued by a third party or an authentication server. The issued statement is stored either on the client device, or on an authentication server. The usage history is updated every time a user is authenticated from the selected client device. By combining the usage history with conventional user authentication, an enhanced trust level is readily established. The enhanced, hardware-based trust provided by logging on from a trusted client may eliminate the necessity of requiring secondary authentication for e-commerce and financial services transactions, and may also be used to facilitate password recovery and conflict resolution in the case of stolen passwords.

Abstract: A smart card transaction allows a consumer to load value onto a smart card and to make purchases using a smart card with a mobile telephone handset over the telecommunications network. For loading, the system includes: a mobile telephone handset including a card reader; a gateway computer; a funds issuer computer; and an authentication computer. The mobile telephone handset receives a request from a user to load a value onto the smart card. The handset generates a funds request message which includes the value and sends the funds request message to a funds issuer computer. The funds issuer computer debits an account associated with the user. Next, the handset generates a load request message with a cryptographic signature and sends the load request message to an authentication computer which authenticates the smart card. The handset receives a response message which includes a cryptographic signature and an approval to load.

Abstract: A system and method for generating an authentication token which is used by an issuer associated with a integrated circuit card to authenticate a transaction. A personal card reader receives data, including an authentication cryptogram, from the integrated circuit card. The personal card reader uses the data received from the integrated circuit card to select one of at least two default bitmaps stored in a memory portion of the personal card reader. The personal card reader uses the selected default bitmap and the authentication cryptogram to build the authentication token.

Abstract: A method and a system is provided for establishing a communications path over a communications network between a personal security device (PSD) and a remote computer system without requiring the converting of high-level messages such as API-level messages to PSD-formatted messages such as APDU-formatted messages (and inversely) to be installed on a local client device in which the PSD is connected.

Abstract: Methods of and systems for securely monitoring a balance of a payment account include storing, in a first database, ledger data and storing, in a second database, wallet data. Wallet data includes a wallet balance value for the payment account. When a transaction is initiated using the payment account, an access operation is performed on the wallet table. Illicit or improper modifications can be detected by deriving a ledger comparison value from the ledger data and comparing the derived ledger comparison value to a wallet comparison value from the wallet data.

Abstract: A method for generating tokens for use in an email-based e-commerce transaction between third party vendor and a customer that is facilitated by a payment server is disclosed. The method may comprise generating a token for use with an email checkout, wherein the token comprises a customer name, and customer email address. The processor may generate an email message for at least one recipient, the email message including a mailto hyperlink including the token, wherein the mailto hyperlink generates an email response message addressed to the payment server including the token. The method may comprise receiving a notification from the payment server indicating that the at least one recipient that the email response message was successfully received by the payment server and the email-based e-commerce transaction is successful.

Abstract: In some example embodiments, a system and method is shown that includes receiving a purchase request through an Electronic Payment Financial Network (EPFN), the purchase request including a token to identify a merchant server. The system and method further includes comparing the token against a merchant identifier value to determine that that token is assigned to the merchant server. Additionally, the system and method includes transmitting a purchase request authorization authorizing an online transaction, where the token and merchant identifier value are equivalent.

Abstract: A data security system includes providing a unique identification from a first system to a second system; copying the unique identification in the second system by the first system; and unlocking a memory in the first system or the second system only when the unique identifications in the first system and the second system are the same.

Abstract: The invention provides systems and methods of authenticating a customer device, in conjunction with a requested interaction, the customer device associated with a customer, the method performed by an authentication entity processing portion in the form of a tangibly embodied computer.

Abstract: In some embodiments, a method comprises receiving a request from a customer to temporarily associate a token issued to the customer with a payment account associated with the customer, and temporarily associating the token with the payment account in response at least in part to the request. In some embodiments, a method comprises issuing a token to a customer before the token is associated with a payment account; and arranging for the customer to have an ability to request that the token be associated with a payment account and usable as a payment token. In some embodiments, a method comprises receiving a mapping associating an identifier of a token with a payment account; receiving the identifier from a point of sale system; and determining the payment account based at least in part on the mapping and the identifier received from the point of sale system.

Abstract: A smart card transaction allows a consumer to load value onto a smart card and to make purchases using a smart card with a mobile telephone handset over the telecommunications network. For loading, the system includes: a mobile telephone handset including a card reader; a gateway computer; a funds issuer computer; and an authentication computer. The mobile telephone handset receives a request from a user to load a value onto the smart card. The handset generates a funds request message which includes the value and sends the funds request message to a funds issuer computer. The funds issuer computer debits an account associated with the user. Next, the handset generates a load request message with a cryptographic signature and sends the load request message to an authentication computer which authenticates the smart card. The handset receives a response message which includes a cryptographic signature and an approval to load.

Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.

Abstract: Embodiments of the present disclosure provide a method and system for guided implicit authentication. The system first receives a request to access the controlled resource from a user. The system then determines whether the user request is inconsistent with regular user behavior by calculating a user behavior measure derived from historical contextual data of past user events. Next, the system allows the user to provide information associated with regular user behavior and/or current contextual data. The system further updates the user behavior measure based on current contextual data.

Abstract: The present application relates to a system and method for managing a plurality of accounts. A plurality of accounts is provided, with each account being associated with a customer. Account activity information associated with at least one action regarding one of the plurality of accounts is received at a first predetermined frequency. The received account activity information is analyzed, and at least one term of another account amongst the plurality of accounts is modified based upon a result of the analysis at a second predetermined frequency.

Abstract: A transponder-initiated transaction system is electromagnetically coupled to an account transponder device at the point of sale. The account transponder device may be embedded within a watch, key chain or other personal article for convenience or affinity. The transponder device may communicate account information to an RF-enabled point of sale device, enabling transactions to take place without resort to remote data processing facilities. In other embodiments partial or complete account information may be accessed or stored at co-located or remote sources. New account registrants may access a Web site to enter a transponder ID and activate a new account, which may be a credit account, debit account, cash account, special purpose vending account, or other types of accounts.

Abstract: A method of transferring money from a first user to another user through a cellular network is disclosed. The method includes a the first user buying a voucher of a specified money from market and sending a USSD string to a cellular network, the cellular network authorizing details provided by the first user, sending a notification to the first user confirming transfer of the money to the second user, sending the second user a notification informing receipt of the money from the first user, sending the second user a secret code, a vendor confirming details provided by second user by contacting the cellular network, the cellular network further confirming the second user, authorizing the vendor to pay the specified money to the second user, crediting the money to the vendor account, and sending a confirmation to the first user notifying the second user has received the cash.

Abstract: A Universal Positive Pay Database (UPPD) method, system and/or computer useable medium to reduce financial transaction fraud. A UPPD database is configured to store thereon transaction records associated with financial transactions corresponding to customers of the UPPD database. A particular financial transaction is initiated between a payer and a payee by providing parameters associated with the financial transaction to the UPPD database. An issue File is provided to the UPPD database that includes parameters associated with the particular financial transaction. A correspondence determination is made between the financial transaction parameters from the Issue File and the financial transaction parameters provided to the UPPD database at every point along the financial transaction clearing process.

Abstract: A method for providing fast and secure access to MIFARE applications installed in a MIFARE memory being configured as a MIFARE Classic card or an emulated MIFARE Classic memory, comprises: keeping a repository of MIFARE memories and user identifications assigned to said MIFARE memories as well as of all MIFARE applications installed in the MIFARE memories, wherein, when a new MIFARE application is to be installed in a MIFARE memory identified by a user identification the present memory allocation of said MIFARE memory is retrieved, an appropriate sector of said MIFARE memory is calculated, a key is calculated for said MIFARE application and the MIFARE application together with the assigned sector and key are linked to the user identification and are stored in the repository.

Abstract: A payment processing system for accepting manually-entered payment-card numbers. Rather than entering a payment-card account number into an application module, the card number is instead captured and stored within a tokenizer prior to being sent to the application module. The tokenizer then returns a random token to the calling application as a pointer to the original payment-card number. The token has no algorithmic relationship with the original payment-card number, so that the payment-card number cannot be derived based on the token itself. Since the token is not considered cardholder data, the token may be used in an application module without the module or its connected hardware from being subject to regulatory standards compliance. Some embodiments involve browser-based schemes, and some embodiments involve PIN-entry device-based schemes.

Abstract: Various embodiments are directed to methods for generating proxy account data for a financial account and authorizing payment from an account of a customer based on proxy account data. Example methods may comprise selecting a serial number for a first customer and storing an association between the serial number and an account of the first customer. The methods may further comprise encrypting the serial number and consolidating the encrypted serial number with checkable data. An association between the encrypted serial number and the checkable data may be stored and the consolidated encrypted serial number and checkable data may be encrypted to generate proxy account data.

Abstract: A purchase card system configured in accordance with the invention offers purchase card products that facilitate online purchases of life sciences research products and/or services via an e-commerce application. The acquisition and use of such purchase card products complies with mandated procurement, spending, and appropriations rules, regulations, and laws, such as the Federal Acquisition Regulation, the Anti-Deficiency Act, and the Department of Defense “bona fide needs” rule.

Abstract: Systems, methods, and devices are disclosed which allow a mobile device user to complete financial transactions even when the mobile device is not connected to a wireless network. The systems, methods, and devices of the present disclosure may utilizing a combination of an encrypted lockbox containing out of network payment codes on the mobile device and a matching set of out of network payment codes stored on a server of a payment authority.

Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.

Abstract: A method of conveying monetary value between at least two parties, may utilize a computer system or a vending machine. A first party requests an amount of monetary value to be in one or more desired incremental monetary amounts, and provides a payment. A system administrator requests a personal identification number (PIN), which is associated, within an administrator database, with a Globally Unique Identifier (GUID) that is located on one or more QwikCash tickets, which are thereby activated, and thereafter issued to the first party. The GUID is machine scannable, and each QwikCash ticket may comprise a textual reference denoting its incremental monetary amount, and a textual reference identifying issuance of the PIN. The first party may use the PIN and remit the QwikCash ticket: to a second party, as a person-to-person monetary transfer; to a merchant for making a purchase; or to a bank ATM in exchange for cash.

Abstract: Methods, systems, and computer-readable media are disclosed for access control. A particular method receives a resource access identifier associated with a shared computing resource and embeds the resource access identifier into a link to the shared resource. The link to the shared resource is inserted into an information element. An access control scheme is associated with the information element to generate a protected information element, and the protected information element is sent to a destination computing device.

Abstract: A method includes: establishing a first connection between a first ID token and a first computer system via a second computer system for reading at least one first attribute from the first ID token, establishing a second connection between a second ID token and the first computer system via the second computer system for reading at least one second attribute from the second ID token, sending the first and second attributes from the first computer system to a third computer system, receiving the data from the third computer system by the first computer system, writing the data into the second ID token via the second connection by the first computer system thereby storing the data in the second ID token, where the first connection still exists, wherein the first and the second connection are respectively connection with end-to-end encryption and a connection oriented protocol.

Abstract: In a value transfer scheme, users are provided with programmable devices, for example, smart cards, capable of carrying data representing at least one available commodity value. Data representing user accounts is held at a remote processing station. Transactions between users are effected by the off-line exchange of data between users'respective smartcards, the exchanged data containing a record of each transaction entered into. The user account data for each user's account held at the remote processing station is updated only subsequently when the user's smartcard is on-line to the remote processing station and data therefrom is uploaded to the remote processing station. The scheme of the invention can, conveniently, be based around the ITSO scheme which is used to govern the secure transfer of data. The scheme is capable of providing a secure multi-commodity value transfer system.

Abstract: An authentication token using a smart card that an organization would issue to its customer, the smart card having a processor for executing a software application that is responsive to a user input to generate a one-time password as an output. The smart card co-operates with an interface device for inputting the user input and displaying the one-time password. The authentication token may be used in combination with a remote authentication server for validation of the password and hence authentication of the user.

Abstract: A method of diagnosing a mobile device is provided. The method comprises obtaining an access key from a key store based on an identity of the mobile device and based on an identity associated with an issuer of a confidential information, wherein the access key is associated with a secure element of the mobile device storing the confidential information. The method also comprises wirelessly transmitting a message from a station associated with the issuer to the mobile device to initiate diagnostics of at least the secure element of the mobile device, the message comprising the access key, wherein the diagnostics are performed by diagnostic instructions stored on the mobile device. The method also comprises displaying the result of the diagnostics.

Abstract: A system may include a point-of-sale system that gathers payment card track data from a payment card and a payment card gateway that processes the track data to authorize purchase transactions. The point-of-sale system may remove sensitive data such as a portion of a primary account number from the track data and may compress the removed data. The compressed version of the data may be appended to a discretionary field in the track data. The discretionary field may be encrypted following insertion of the compressed data. Track data that has been modified in this way may be conveyed to the payment gateway for processing.

Abstract: A method for operating a signal receiver which authorizes controlled access, comprising providing an authentication token device having a predetermined usage limit stored therein, providing a reading device for reading the authentication token device, and for implementing the predetermined usage limit while deauthorizing the authentication token device for use with other reading devices, comprising a signal generator for communicating with a signal receiver through a wireless transmission, receiving the wireless transmission at the signal receiver, to permit access based on the received transmission, and upon exceeding the predetermined usage limit, deauthorizing further access.

Abstract: A personal digital key (e.g., which can be carried by a human) contains a memory having different service blocks. Each service block is accessible by a corresponding service block access key. As the personal digital key (PDK) moves around, it is detected by sensors. The sensors report position data, thus enabling location tracking of the PDK. The sensors also provide a data path to various applications. An application that has access to a service block access key can therefore access the corresponding service block on the PDK. The sensors themselves may also contain service block access keys.

Abstract: Facilitating transactions using non-traditional devices and biometric data to activate a transaction device is disclosed. A transaction request is formed at a non-traditional device, and communicated to a reader, wherein the non-traditional device may be configured with an RFID device. The RFID device is not operable until a biometric voice analysis has been executed to verify that the carrier of the RFID equipped non-traditional device is the true owner of account information stored thereon. The non-traditional device provides a conduit between a user and a verification system to perform biometric voice analysis of the user. When the verification system has determined that the user is the true owner of one or more accounts stored at the verification system, a purchase transaction is facilitated between the verification system. Transactions may further be carried out through a non-RF device such as a cellular telephone in direct communication with an acquirer/issuer or payment processor.