Security systems for protecting assets are described, including password-based security systems that can provide different levels of access responsive to entry of a primary or secondary password. In some versions, user-configurable security rules can provide customized responses to entry of primary or secondary passwords, including feigned or limited access, security alerts, etc. Passwords comprising overt and covert components can be used to provide enhanced security and improved user control over system response. Improved security systems involving transactions between multiple parties are also considered, with options for user-customized security rules including primary and secondary passwords, and reverse challenge and response methods. Systems for Limited Use Credentials are also disclosed to reduce the risk of identity theft.
This application claims priority to U.S. Patent Appl. Ser. No. 60/745,461, filed Apr. 24, 2006, and U.S. Patent Appl. Ser. No. 60/889,540, filed Feb. 13, 2007, both of which are hereby incorporated by reference in their entireties for all purposes.
BACKGROUND
1. Field of the Invention
This invention pertains to security systems that restrict access to an account or other asset. The invention also pertains to computerized systems and user interfaces for configuring access criteria and security rules responsive to primary and secondary passwords. The invention also relates to improved means for reducing the risk of theft or misuse of assets, and for protecting related accounts, including measures to reduce identity theft and other forms of fraud.
2. Description of the Related Art
Passwords have been described as the weak link in modern computer security. In many cases, all that stands between would-be thieves and a bank account, email account, corporate records, or even control of many aspects of a business is a string of several characters. The growing problem of identity theft is exacerbated by inadequate password security. Guidelines for “strong passwords” have been promulgated to make it more difficult for others to guess passwords. Unfortunately, even complex, hard-to-guess passwords can be stolen or discovered in many ways, such as by spyware that monitors keystrokes on a computer, by keystroke logging devices attached to a computer, by guessing or brute-force techniques that discover simple passwords, by careless actions of the password owner who may write a password down and leave it where others can see it, by an observer simply watching to see what password is typed, and so forth.
Further, even security-conscious users may sometimes face situations in which they feel they must use their passwords in insecure settings where the password may be exposed to others. In addition to these threats, there is also the risk of criminal intimidation to force a person to reveal a password, PIN, or other security code in order for the thief to gain access to an account, a safe, a secured vehicle, or other secured item. In other situations, an account owner may face a need to voluntarily share a password or other credential with another party, with the risk that it may be obtained by others and misused. In all these cases, there is a need to add new levels of security to password-protected assets or to security-related information to prevent problems such as account hijacking and identity theft, or to reduce the risks of misusing an account or information from an account.
Identity theft is a growing problem that requires increased security means on many fronts. Protection of passwords and other personal information is a vital concern, and previous attempts to improve security associated with a user's assets and identity have a variety of shortcomings, often failing to provide users with the flexibility they need to control access and establish rules for protecting their assets while allowing access under various circumstances.
One aspect of identity theft involves the abuse of basic account information such as a Social Security number (SSN), which can in turn be used to access still other information to gain access to accounts or commit other acts of fraud against a person. Indeed, thieves can use Social Security numbers in a variety of ways to commit identity theft. For example, the customer service operators of some companies associated with user assets (e.g., banks, online brokerages, credit card companies, etc.) treat SSNs as if they were passwords or shared secrets to authenticate the identity of a user, often allowing a person armed with an SSN and perhaps a few easily obtained facts (address, zip code, full name, birthdate, etc.) to be authenticated as the account owner, and thus be allowed to make major transactions, for example. SSNs are requested and stored by employers, banks, insurers, universities, various non-profit organizations, etc., and may appear printed on insurance cards and numerous mailings from employers or other institutions, making them easy to steal from a person's trash. Numerous people may see and handle such information, providing many routes for theft. U.S. Pat. No. RE38572, “System and Method for Enhanced Fraud Detection in Automated Electronic Credit Card Processing,” issued Aug. 31, 2004 to Tetro et al., as well as U.S. Pat. No. 6,715,672 of the same name, issued Apr. 6, 2004 to Tetro, discuss separation of an SSN database from a credit card user database to reduce the risks, but the very practice of giving SSNs, or even partial SSNs, over a telephone in such systems poses risk. There is a need for improved means for users to protect account information, including information related to SSNs or other personal identifying information, to reduce the threat of identity theft.
One step toward improved security involves the use of hardware-based authentication for gaining access to an account, typically in the form of two-part authentication (hardware authentication plus a user-provided password) as opposed to single-factor authentication. Such approaches can include the use of smart cards, which have an embedded chip that can hold a digital certificate allowing authentication to be accomplished through a public key infrastructure (PKI). In addition to entering the user's password or PIN, the user's smart card must be read by a smart-card reader. Reading of the chip can be achieved using a variety of devices that can communicate with a network or computer, including USB devices, such as the Gem e-Seal® of GemPlus International SA (Luxemburg), a USB token with an embedded smart card. Biometric authentication is another approach, requiring hardware and software for scanning and analyzing a unique physiological characteristic. While biometric authentication is often proposed as a one-part authentication scheme, it can be a hardware-based component of a two-part authentication scheme in combination with a user-supplied password or PIN.
Another hardware-related solution involves password synchronization, in which a hardware “token” meant to be in the possession of an authorized user generates an alphanumeric string that changes periodically (e.g., every 15 seconds, 30 seconds, or 60 seconds) according to a secret algorithm. Typically, the current time is combined with a secret key held in the token (and known to the server) to generate the seemingly random string. To gain access the user must enter the currently displayed string and, typically though not in all systems, also enter a fixed or static password or PIN. A central server can then determine whether the temporary string is correct and also verify that the correct static password was entered. In this manner, even if the entered string is observed or intercepted, it will no longer be valid after a brief interval of time, resulting in a two-part authentication scheme that provides a one-time password (OTP). One example of password synchronization to provide an OTP is the RSA SecurID® system of RSA Security Inc. (Bedford, Mass.). Another example is the VeriSign® One-Time Password Token of VeriSign (Mountain View, Calif.) and related payment gateway systems, such as the system being used by PayPal and eBay in partnership with VeriSign.
Password synchronization (also known as time-synchronous OTP) is not the only OTP method. Event-synchronous and challenge-response schemes are among the other approaches to consider. In each approach, an algorithm is applied to the credentials of the user (e.g., a unique key) to generate a string that can serve as an OTP (or be coupled with a PIN to form the OTP). In event-synchronous schemes, an OTP is generated in response to an event such as inserting a USB device, pressing a button, entering a keystroke, or clicking a button on a graphical user interface. In challenge-response schemes, a challenge is entered or sent to the token, and an OTP is generated in response based on a combination of the challenge with the user credential according to an algorithm. Various hybrid approaches are also known based on combinations of these schemes. General principles for OTP systems are described in the white paper from RSA Security, “Open Specifications Integrate One-Time Passwords with Enterprise Applications,” available at http://www.rsa.com/rsalabs/otps/datasheets/OTP_WP_0205.pdf, as viewed Feb. 6, 2007. Also see the “Extensible Authentication Protocol (EAP)” described by B. Aboba et al., available at http://www.ietf.org/rfc/rfc3748.txt, as viewed Apr. 23, 2006. Further information is provided in United States Application 20050166263, “System and Method Providing Disconnected Authentication,” published Jul. 28, 2005 by Nanopoulos et al., parts of which are herein incorporated by reference to the extent that they are noncontradictory herewith, said parts being the description found in paragraphs 21 to 35 of one-time password verification systems, with associated figures. (In general, incorporation by reference of other documents, as practiced herein, is intended to provide useful background information for implementing technical aspects of methods and systems described herein, and is not meant to limit any definitions or descriptions given herein.)
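As an added illustration (not part of this application or of any of the cited products), the three OTP styles named above share one core: a keyed MAC of the token's secret over a "moving factor," truncated to a short decimal string. The Python below implements that core in the manner of RFC 4226 (HMAC-SHA1 with dynamic truncation), the three choices of moving factor (time step, event counter, server challenge), and the server-side checks a verifier needs so that an observed string cannot be replayed: a clock-drift window that burns every step up to the accepted one, a counter look-ahead that advances past each accepted code, and single-use challenges. The step size, window, look-ahead, and digit count are assumed values.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumed: length of the string the token displays


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Dynamic truncation (RFC 4226 sec. 5.3): take 4 bytes at the offset given
    by the MAC's last nibble, clear the sign bit, reduce modulo 10**digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp(secret: bytes, message: bytes) -> str:
    """Core shared by all three styles: HMAC-SHA1(secret, moving factor), truncated."""
    return _truncate(hmac.new(secret, message, hashlib.sha1).digest())


def time_otp(secret: bytes, now: float, step: int = 30) -> str:
    """Time-synchronous: the moving factor is the count of `step`-second intervals."""
    return otp(secret, struct.pack(">Q", int(now // step)))


def event_otp(secret: bytes, counter: int) -> str:
    """Event-synchronous: the moving factor is a counter bumped by each button press."""
    return otp(secret, struct.pack(">Q", counter))


def challenge_otp(secret: bytes, challenge: bytes) -> str:
    """Challenge-response: the moving factor is the challenge the server sent."""
    return otp(secret, challenge)


class OtpServer:
    """Verifier state for one token. Every accepted code is consumed, so a code
    that was observed or intercepted cannot be presented a second time."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, lookahead: int = 5):
        self.secret = secret
        self.step = step            # seconds per time step
        self.window = window        # steps of clock drift tolerated either side
        self.lookahead = lookahead  # event counters the token may run ahead
        self.last_time_step = -1    # highest time step already spent
        self.counter = 0            # next expected event counter
        self.open_challenges = set()

    def verify_time(self, code: str, now: float) -> bool:
        step = int(now // self.step)
        for s in range(max(0, step - self.window), step + self.window + 1):
            if s <= self.last_time_step:
                continue  # already spent, or older than a step that was accepted
            if hmac.compare_digest(time_otp(self.secret, s * self.step, self.step), code):
                self.last_time_step = s
                return True
        return False

    def verify_event(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.lookahead + 1):
            if hmac.compare_digest(event_otp(self.secret, c), code):
                self.counter = c + 1  # resynchronise and burn every earlier counter
                return True
        return False

    def issue_challenge(self, nonce: bytes) -> bytes:
        self.open_challenges.add(nonce)  # in practice nonce = os.urandom(16)
        return nonce

    def verify_challenge(self, nonce: bytes, code: str) -> bool:
        if nonce not in self.open_challenges:
            return False
        self.open_challenges.discard(nonce)  # a challenge is answered exactly once
        return hmac.compare_digest(challenge_otp(self.secret, nonce), code)
```

With the RFC 4226 Appendix D test key (ASCII "12345678901234567890") the event codes for counters 0 and 1 are 755224 and 287082, which is a quick way to confirm a fresh implementation of the core before trusting the server logic around it. Note that in `verify_time` the window is bounded below by the last accepted step rather than by the current one: accepting a code for an earlier step after a later one has been spent would let an attacker replay a just-observed value during the drift window.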
The variable or machine-generated component of a two-part authentication scheme can be provided by a dedicated physical device holding the user's credentials, such as a key fob, card, PIN pad, USB-connected device, and the like. Alternatively, a multifunctional tool can be provided with software to also provide the changing machine-generated component. In this case, the hardware-generated component of the two-part authentication scheme is actually provided through proprietary software installed on an electronic device such as another computer, a Pocket PC, personal digital assistants (PDAs) such as Palm Powered® handhelds (Palm, Sunnyvale, Calif.), BlackBerry® (Research in Motion, Charlotte, N.C.) handhelds, and wireless phones marketed by Ericsson (Stockholm, Sweden), Nokia (Helsinki, Finland), and others.
A related tool is the Aladdin eToken Pro system of Aladdin Knowledge Systems Ltd. (Kiryat Arye, Petach Tikva, Israel), and the related eToken NG-OTP, a hybrid USB and One-Time Password (OTP) token that can be used to provide access when the USB device is connected to a computer or in detached mode can display one component of a two-component OTP.
Even with hardware-assisted two-part authentication schemes, there is the risk of theft and account hijacking. For example, a thief may use physical intimidation to compel a user to hand over a hardware token and provide the PIN and instructions for use, or in an insecure environment a thief may observe how the hardware component is used, observe or detect the PIN, and then physically steal the hardware component to gain access to an account.
In the art for automated teller machines (ATM), one security system is that of R. K. Russikoff in U.S. Pat. No. 6,871,288, “Computerized Password Verification System and Method for ATM Transactions,” issued Mar. 22, 2005, FIGS. 1 through 3 thereof and columns 3-5 thereof being herein incorporated by reference in a manner that is noncontradictory herewith. In the ATM system of Russikoff, after reading the personal access card (ATM card) and verifying the personal identification number of the customer, the system then generates and displays a plurality of transaction acceptance passwords in the central computer, wherein one of the passwords has been pre-assigned to the customer. If a password other than the pre-assigned password is selected, the requested cash is still dispensed, but the authorities are alerted to indicate that the customer request for cash withdrawal is being made under duress. A related system is that of Brown et al. in U.S. Pat. No. 6,679,422, “Automatic Teller System and Method of Marking Illegally Obtained Cash,” issued Jan. 20, 2004. See also U.S. Pat. No. 5,354,974, “Automatic Teller System and Method of Operating Same,” issued Oct. 11, 1994 to Eisenberg, which describes an automatic teller system that can receive a personalized normal PIN number and emergency PIN number from a user. Also see U.S. Pat. No. 5,731,575, “Computerized System for Discreet Identification of Duress Transaction and/or Duress Access,” issued Mar. 24, 1998 to Zingher and Zingher, from which FIGS. 2, 3, 4, and 6 and the associated description of said figures are herein incorporated by reference for the purpose of describing examples of duress PIN implementation for ATM machines that can be adapted for use according to present invention, to the extent that such description is noncontradictory herewith. The Zingher and Zingher patent describes a system and method for the discrete identification of a duress transaction at an ATM banking machine.
For both one-part and multi-part authentication schemes, there is a need to provide improved security to reduce the potential for harm when a password is stolen. In particular, there is a need to provide password authentication schemes that can help a user in an emergency or provide added security features in an insecure setting, without the risk of losing highly valuable assets. Further, there is a need to allow users to have new levels of security, such that at least some security measures can be in place should another party obtain the user's password.
Regarding credit card security, an authorization system in which a duress signal can be sent by a vendor to authorities when the vendor suspects that a crime is in progress is described in U.S. Pat. No. 6,685,087, “Security System for Validation of Credit Card Transactions,” issued Feb. 3, 2004 to Brown et al., the portions dealing with an Interactive Voice Response System (IVRS) and other methods for conveying information to authorities being herein incorporated by reference to the extent that they are noncontradictory herewith.
In spite of the many efforts made to increase the security of password-accessible systems, there remains a need to provide more flexible, convenient systems in which users can configure security rules for access to secured assets. Further, for many users there is a need to provide customizable means to provide primary and secondary password schemes with associated security rules. Further, there is a need for some users to be able to protect their assets with security systems having primary and secondary passwords with varying security-related rules and actions associated therewith, including options for the primary and secondary passwords to be differentiated via a variety of means, including schemes with both overt and covert components (e.g., hidden secret actions coupled with the entry of conventional passwords). In some security-related situations, there is also a need to provide a user improved security means to placate a thief or appear to provide access to an asset, without actually jeopardizing the asset or selected components of the asset. One or more of these needs may be addressed in the various aspects of the invention described below, but it should be recognized that particular aspects of the invention as defined by the claims may provide utility in a variety of other areas and need not specifically address any of the needs previously set forth or any objectives or advantages explicitly or implicitly found elsewhere in the specification.
SUMMARY
The present invention is directed toward improving the security of protected assets, particularly assets protected with a password system, including personal identification numbers. In one aspect of the invention, users are provided with primary and secondary passwords for controlling access to an asset, with the primary password providing more complete access (e.g., privileges regarding the asset or use of the asset or its components) relative to the more limited access provided when a secondary password is used. In some cases, the secondary password can be a duress password, used when the user is under duress or in an emergency (e.g., a thief forcing the user to reveal or enter a security code to gain access to an account, a safe, etc.) or in other insecure situations (e.g., using a public computer where entered passwords may be monitored). The secondary password may provide temporary access, limited access, or feigned (simulated) access to the asset, while optionally also triggering other security measures. Through preconfigured systems for limited or simulated access, a would-be thief can be placated by the appearance that full access has been provided, while key assets still remain secure.
Thus, in one aspect, a security system is provided for controlling access to an asset, the system comprising a password-protected access interface and asset access means, the access interface comprising means for receiving user credentials comprising a password, wherein the access interface accepts user credentials in which the password is one of a recognized primary password and one or more recognized secondary passwords, the asset access means being operably associated with the access interface such that when the accepted user credentials comprise the primary password, the asset access means provides access to the asset, and when the accepted user credentials comprise one of the one or more secondary passwords, the asset access means provides relatively limited or feigned access to the asset, and when the user credentials do not comprise one of the primary password and the one or more secondary passwords, the asset access means denies access to the asset. In stating that the system accepts user credentials comprising a password that is a primary password or a secondary password, it is to be understood that the user credentials may also include a user ID or other information such as an account number, and that in such cases the password must be a recognized or valid password associated with that specific user ID or other information, as stored in a database or other memory associated with the security system. 
In accepting credentials, the system from a user's perspective behaves at least in appearance as if valid credentials have been entered, and indeed, the primary and secondary passwords (or in other words, the valid passwords for that user) are recognized as credentials properly associated with the asset, but the degree of access provided may range from full access to merely feigned access, in contrast to unrecognized user credentials that may, for example, result in denied access indicated by an error message, a readily recognized denial of service (e.g., being logged off by a system, the inability to operate a device, the inability to open a door or container, etc.), a request to re-enter credentials, an alarm signal, etc. The asset access means may be customizable by the user (e.g., the asset owner), either directly or indirectly by an administrator on behalf of the user, via an administrative interface for establishing preconfigured security rules, wherein said access interface is operably associated with asset access means responsive to said preconfigured security rules, wherein said security rules may also include means for specifying a security alert or invoking other security-related actions to be executed in response to subsequent entry of one or more secondary passwords.
In another aspect of the invention, a tangible asset is protected by a password-based security system governing access to the asset, the security system comprising password input means in communication with stored password information, such that the system recognizes input of a password matching stored password information, the password being selected from a primary password and at least one secondary password, the security system also comprising asset access means that provides full access to the asset in response to input of a primary password and one of limited and feigned access in response to input of one of the at least one secondary passwords, and, in response to input of an unrecognized password, the access means denying access to the asset, wherein at least one of the primary password and the at least one secondary password is a complex password comprising an overt password component and a covert password component. In one embodiment of this aspect, full access to the asset requires human passage through a door or other entryway that is closed to unauthorized users. In another embodiment, full access results in an electronic signal that releases a lock. Alternatively, full access can result in the ability to operate a mechanical or electronic device, or a vehicle.
In another aspect of the invention, an administrative security system is provided to allow a user to configure security rules governing the behavior of the security system for an asset, such that customized rules can be established to configure the system's response to either a primary password or one or more secondary passwords. The means for custom configuration of the security system may comprise a graphical user interface, verbal interface, or other interface to receive user commands to configure the security system that protects an asset. In some embodiments, a Web-based system is provided with a graphical user interface that allows a user to configure one or more systems with primary and secondary passwords and rules governing system response to each, including options for security alerts in response to one or more secondary passwords.
Another aspect of the invention pertains to a security management system for providing controlled access to a secure electronic account accessible via an electronic account access interface in communication with an account server, the security management system comprising an administrative interface for defining security rules for governing account access via the account access interface, the security rules being stored on the account server or on a machine readable medium in electronic communication with the account server, wherein said administrative interface allows an authorized user to customize the security rules to provide different levels of account access responsive to entry via the electronic account access interface of user credentials comprising either a primary password or a secondary password. In a related embodiment, the security rules further define conditions for issuing a security alert in response to specific actions taken with the account access interface, and wherein the account access interface is in electronic communication with a security alert generation tool capable of issuing a security alert according to the defined conditions. The administrative interface may be, for example, a Web-based interface for communication between an electronic input device and an administrative server, the administrative server being in electronic communication with an account server managing the secure electronic account, wherein selection of security rules via the administrative interface results in a signal sent to the account server providing information about the security rules.
In some embodiments, the administrative interface can be used to configure security rules associated with one-time password devices, such as password synchronization devices for two-part or multi-part authentication, wherein the synchronization device displays a one-time password (OTP) that changes periodically. The customized security rules may be used to override system defaults and allow the user to define a primary password that comprises a modified form of the OTP, such as the currently displayed OTP wherein one or more of the characters displayed are incremented, transposed, duplicated or otherwise replicated, deleted, shifted, augmented with another string, etc., according to rules selected by the user. Thus, one aspect of the invention is the aforementioned administrative interface, wherein the account access means comprises a password synchronization system adapted to generate one-time password components for comparison with a component of passwords entered into the account access interface, and wherein the primary password is a multi-part password comprising the one-time password component and at least one other component, the one-time password component being different from but having a relationship to a one-time password root generated by a password synchronization device associated with the electronic account, the relationship being defined by an algorithm that modifies the one-time password root to yield the one-time password component, and wherein the account access means is adapted to recognize entry of a password comprising the one-time password root as a possible attempt at unauthorized access to the asset. The algorithm may be a simple one that can be readily executed by an adult human user of average intelligence, such as transposing the first two digits, deleting or adding a digit, subtracting one from the first digit that is not zero, etc.
For example, a user may configure rules in the administrative interface for a password synchronization device used with a PayPal or other payment account such that use of the displayed string (e.g., a six-digit string) will not be accepted as a primary password, specifying instead that the proper OTP to enter into an account access interface should be a modified form of the displayed OTP in which the second and third digits are transposed, or in which the first digit is replaced with the corresponding letter of the alphabet (1=“A”, 2=“B”, etc.), etc. In such cases, the user may wish to specify that use of the unmodified OTP as a component of a password will be recognized, either with or without the proper second component of the primary password, as a secondary password with specified limitations on the account and/or automatically invoked security measures, such as alerting authorities, freezing the account, or resetting the one-time password component to be unrelated to the one-time password root displayed by the password synchronization device. Since use of the unmodified OTP may be indicative of theft or attempted fraud, wherein someone has gained unauthorized access to the user's synchronization device or its principles of operation, specification of security-related actions in response to entry of the unmodified OTP can be helpful in some circumstances. The user may also wish to identify a class of secondary passwords comprising any entered password string that contains the unmodified current OTP in either the leading or trailing portion of the password string (e.g., the first six characters or last six characters of the string, for the case of an OTP having a length of six), since entry of such a password may indicate that someone has access to the synchronization device but does not know the static password component (PIN) that typically should be entered in combination with the OTP string.
In some cases, more complex OTP rules can be created, such as rules requiring that two consecutively displayed OTPs be concatenated, added, have the digits intermeshed, or otherwise combined (e.g., commingled, compounded, or convolved) to yield a new OTP based on an algorithmic treatment of two or more displayed OTPs from different time periods.
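The user-selected modification rules described in the preceding two paragraphs, as an added worked example that is not part of this application: the string currently shown on the token (the "root") is taken as given, the PIN is assumed to precede the modified OTP, and the set of transformations, the action lists, and the two-OTP interleaving rule are assumptions chosen to match the examples in the text. The classifier returns the access class (primary, secondary, or denied) together with the actions the user's rules record attaches to that class; the unmodified root appearing as the leading or trailing characters of the entered string is what marks an attempt as a secondary password.

```python
import hmac

OTP_LEN = 6  # assumed length of the string the token displays


# Transformations a user could select in the administrative interface (assumed set).
def transpose_2_3(root: str) -> str:
    """Swap the second and third displayed characters."""
    return root[0] + root[2] + root[1] + root[3:]


def first_digit_to_letter(root: str) -> str:
    """Replace the first digit with its letter (1=A, 2=B, ... 9=I); a 0 is kept."""
    d = int(root[0])
    return (chr(ord("A") + d - 1) if d else "0") + root[1:]


def interleave_two(roots: tuple) -> str:
    """Mesh two consecutively displayed OTPs digit by digit: a1 b1 a2 b2 ..."""
    a, b = roots
    return "".join(x + y for x, y in zip(a, b))


RULES = {
    "transpose_2_3": transpose_2_3,
    "first_digit_to_letter": first_digit_to_letter,
    "interleave_two": interleave_two,
}

# Actions the user's rules record attaches to each class (assumed values).
ACTIONS = {
    "primary": ["full access"],
    "secondary": ["limited access", "alert owner", "freeze large transfers", "rotate OTP rule"],
    "denied": ["deny", "count failed attempt"],
}


def classify(entered: str, root, pin: str, rule: str) -> tuple:
    """Classify one login attempt. `root` is the string currently shown on the
    token, or a tuple of two consecutive strings for the two-OTP rules.
    primary  : PIN followed by the correctly transformed OTP.
    secondary: the UNMODIFIED root appears as the leading or trailing OTP_LEN
               characters, with or without the PIN, i.e. someone has the token
               (or saw its display) but does not know the private rule.
    denied   : anything else."""
    expected = pin + RULES[rule](root)
    if hmac.compare_digest(entered, expected):
        return "primary", ACTIONS["primary"]
    roots = root if isinstance(root, tuple) else (root,)
    head, tail = entered[:OTP_LEN], entered[-OTP_LEN:]
    for r in roots:
        if hmac.compare_digest(head, r) or hmac.compare_digest(tail, r):
            return "secondary", ACTIONS["secondary"]
    return "denied", ACTIONS["denied"]
```

The primary comparison runs first and in constant time, so the secondary check never shortcuts a correct entry. One operational caveat the rules should cover: once a secondary classification fires because the raw root was used, the "rotate OTP rule" action matters, because an attacker who sees the account still respond will try simple variants of the root next.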
In another aspect of the invention, a computerized password security system is provided for protecting access to an asset pertaining to a user, comprising: (a) a database on a server comprising account information for the user, said account information comprising a user ID, a primary password, at least one secondary password, and a rules record specifying actions to be taken if one of the at least one secondary passwords is entered, said actions comprising the level of access to the asset to be granted, the at least one secondary password being other than a guest password or default password; (b) input means for a user to enter the user ID and a password into the security system; (c) account access means wherein the entered user ID and entered password are compared to the information in the database to determine the level of account access granted to the user according to the rules record based on the entry of a primary password or the at least one secondary password; and (d) security system administration means which allow the user to customize the rules record, including the option to specify that in response to entry of the at least one secondary password, the account access means will provide the user's choice of either partial account access or feigned account access.
In another aspect of the invention, a method is provided for securing sensitive information within a password-protected account controlled by a computer system, the account containing sensitive and less sensitive information, the method employing: (a) a database on a server comprising account access information for a user's account, said account information comprising a user ID, a primary password, at least one secondary password, and configuration information for distinguishing sensitive and less sensitive information, and optionally wherein the primary password comprises an overt component and a covert component; (b) a configuration interface for identifying sensitive information (e.g., by manual selection of sensitive items, creation of heuristics to define sensitive items, or automatic selection of sensitive items based on criteria entered by the user or an agent of the user), said identified information being stored as configuration information in the database; and (c) an account access interface in which a party can gain access to the account by entering a password, wherein use of the primary password provides full account access to both sensitive and less sensitive information, and wherein use of a secondary password provides limited account access only to less sensitive information according to the configuration information, and wherein the interface for the limited account access simulates full account access, with no obvious indication to parties unfamiliar with details of the user's account that sensitive information has been concealed (e.g., there may be no apparent indication that folders are hidden, or that emails are hidden, etc.).
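As an added worked example of the database, rules record, and limited-versus-feigned access described in the preceding two aspects (example code, not the application's own): both passwords are stored as salted PBKDF2 hashes in the account record, enrollment rejects a secondary password that is a guest or default password, the rules record states what a secondary login receives and whether an alert is raised, sensitive items are identified by manual selection or by a keyword heuristic, and the limited view simply omits them with no marker that anything was hidden. The mailbox items, decoy items, blocklist, and rule values are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                      # PBKDF2 work factor (assumed)
DEFAULT_PASSWORDS = {"guest", "password", "1234"}  # assumed blocklist

# Constructed sample mailbox: m2 is sensitive by keyword, m3 by manual selection.
ITEMS = [
    {"id": "m1", "subject": "Lunch Thursday?", "body": "Usual place at noon."},
    {"id": "m2", "subject": "Re: invoice", "body": "Wire transfer details attached."},
    {"id": "m3", "subject": "Scan of passport", "body": "As requested."},
    {"id": "m4", "subject": "Newsletter", "body": "This month's highlights."},
]
# Constructed decoy mailbox presented under feigned access.
DECOYS = [
    {"id": "d1", "subject": "Welcome", "body": "Thanks for signing up."},
    {"id": "d2", "subject": "Your statement", "body": "Balance: $41.17"},
]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(db: dict, user_id: str, primary: str, secondary: str, rules: dict, sensitive_cfg: dict) -> None:
    """Store the account record: hashed primary and secondary passwords, the rules
    record applied to secondary logins, and the configuration marking sensitive items."""
    if secondary in DEFAULT_PASSWORDS or secondary == primary:
        raise ValueError("secondary password must not be a guest/default password or the primary")
    salt = os.urandom(16)
    db[user_id] = {
        "salt": salt,
        "primary": _hash(primary, salt),
        "secondary": _hash(secondary, salt),
        "rules": rules,              # e.g. {"access": "limited" | "feigned", "alert": True}
        "sensitive": sensitive_cfg,  # {"manual_ids": {...}, "keywords": [...]}
    }


def is_sensitive(item: dict, cfg: dict) -> bool:
    """Manual selection wins; otherwise a keyword heuristic over subject and body."""
    if item["id"] in cfg["manual_ids"]:
        return True
    text = (item["subject"] + " " + item["body"]).lower()
    return any(k in text for k in cfg["keywords"])


def limited_view(items: list, cfg: dict) -> list:
    """Sensitive items vanish; the view carries no marker that anything was removed."""
    return [i for i in items if not is_sensitive(i, cfg)]


def login(db: dict, user_id: str, password: str, items: list = ITEMS, decoys: list = DECOYS) -> dict:
    """Return the access level, the view the caller is shown, and any alerts raised."""
    rec = db.get(user_id)
    if rec is None:
        _hash(password, bytes(16))  # same work for unknown IDs so timing reveals nothing
        return {"level": "denied", "view": [], "alerts": []}
    h = _hash(password, rec["salt"])
    if hmac.compare_digest(h, rec["primary"]):
        return {"level": "full", "view": list(items), "alerts": []}
    if hmac.compare_digest(h, rec["secondary"]):
        rules = rec["rules"]
        alerts = [f"secondary password used on account {user_id}"] if rules.get("alert") else []
        if rules.get("access") == "feigned":
            return {"level": "feigned", "view": list(decoys), "alerts": alerts}
        return {"level": "limited", "view": limited_view(items, rec["sensitive"]), "alerts": alerts}
    return {"level": "denied", "view": [], "alerts": []}
```

Two details are easy to get wrong in a real deployment. The alert must be raised out of band (to the owner or an operator) and never surface in the session itself, or the feigned access is exposed. And the limited view must be consistent across every interface to the account (web, mobile, search, counts, exports), since an item that is hidden in the inbox but still appears in a search result or an unread count is exactly the "obvious indication" the method is meant to avoid.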
In another aspect of the invention, a security object is provided for use in a password-based security system for protecting an asset, the security system being adapted to recognize primary and secondary passwords for providing different levels of access to the asset, wherein the security object comprises a password revelation device for providing a one-time password, said security object being responsive to an external factor controllable by a user of the security object, such that the one-time password provided is either a primary password for providing full access to the account, or a secondary password for providing limited access to the account. In various versions of this aspect of the invention, the external factor may be based on a hidden action that can be executed by a user of the object (e.g., a card) at will. Alternatively or in addition, the external factor may be selected from one of object orientation, mechanical pressure applied to a portion of the object, a physical motion made with the object, and the presence of light on one or more portions of the object. The object may be a device weighing between 5 and 300 grams, with a length of between about 1 cm and 20 cm, a width between about 1 cm and 15 cm, and a thickness less than 1 cm. In some versions, the password may be provided graphically or as a wireless signal.
In other aspects of the invention, any of the methods described herein can be implemented as a computer-readable medium having embodied thereon a computer program executable on a computer for implementing the selected method. Alternatively, the selected method can be embodied in a computer program resident in physical signals transmitted over a transmission medium, said computer program being executable on a computer for use in a security system, comprising any or all of the steps of the selected method or compatible combinations or subcombinations of the steps in two or more aspects of the invention described herein.
In some embodiments of the invention, the security system is adapted to distinguish primary and secondary passwords that may be configured to have overt and/or covert components. In such systems, entry of the overt component can be recognized by an observer as entry of a password, whereas entry of the covert component is ordinarily difficult for an observer to recognize as an entry of security-related information. For example, in a computer login screen to access an account, the overt component may be entry of a password in a field clearly labeled as a password field, whereas the covert component may comprise a detail of timing in entering keystrokes or clicking a mouse, an action of a stylus, a specific form of contact with a touch-sensitive screen or other contact-sensitive device, or a detail of precisely where on a button the user clicks, or some other “hidden action” during, before, or after entry of the overt component of the password. In this manner, an observer such as a bystander looking over the shoulder of a user at a computer monitor or a hidden observer such as a hacker monitoring keystroke activity with a keylogger would be unlikely to readily recognize that security-related information was being entered, and might believe that the “normal” (primary) password of the user had been entered when, in fact, the hidden action or lack thereof conveys a signal to the security system that the entered password (with recognition of overt and covert components) is a secondary password that invokes application of the preconfigured security rules responsive to the secondary password, wherein the rules can include directions for providing limited or feigned access to the account, and may call for alerting authorities or providing other security alerts.
For example, the access interface of a brokerage or bank account may be configured to recognize a secondary password (e.g., a PIN) that appears to provide access to the user's account. Use of the secondary password, however, may be preconfigured to provide only limited access to a portion of the user's account (e.g., showing less than $1,000 available funds) or can provide access to a sham account (feigned access), wherein the amounts shown and any transactions apparently completed have no effect on the user's account. Alternatively, access to the user's account is provided, but all transactions or changes are purely simulated or, when possible, completed but then rescinded shortly thereafter before actual loss (beyond a predetermined threshold, if desired) can occur. Thus, a thief may be able to transfer up to $1000, for example, from the user's account to another account, but greater amounts may be simulated or rescinded after the apparent transfer command has been issued, while the account access interface (a graphical or other interface for account access) appears to confirm that the transaction has been completed. The user may be provided with several options as to what kind of access is provided and how transactions will be treated, depending on how the account is configured and optionally depending on details pertaining to the secondary password (e.g., a secondary password root of 4459 can be entered as 44590 to mean zero access, resulting in a purely simulated account, while 44591 may be a signal calling for access to the real account but with simulated or rescinded transactions only, and so forth).
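The dispatch described in the two preceding paragraphs (an overt primary password that is only honoured together with its covert "hidden action", a secondary root such as 4459 whose trailing digit selects sham or limited access, and a transfer threshold above which transactions are simulated or rescinded) can be written as a small access-policy module. The following is an added illustration, not code from the application; the root "4459", the $1,000 threshold and the meaning of the suffix digits 0 and 1 are taken from the text, while the sham balance of $950, the salt, the PBKDF2 key derivation and all function and class names are assumptions of this example. The covert component is modelled simply as a boolean the login front end has already detected.

```python
"""Primary/secondary password dispatch for an account access interface (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class AccessMode(Enum):
    FULL = "full"        # primary password entered together with its covert component
    LIMITED = "limited"  # real account, but transfers above the threshold are only simulated/rescinded
    FEIGNED = "feigned"  # sham account: nothing touches the real balance
    DENIED = "denied"


def _derive(secret: str, salt: bytes) -> bytes:
    # Only derived keys are stored, so a database leak does not expose the roots themselves.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class AccountConfig:
    salt: bytes
    primary_key: bytes             # derived from the overt primary password
    secondary_root_key: bytes      # derived from the secondary root ("4459" on the page)
    covert_required: bool = True   # primary is accepted only with the hidden action present
    threshold: float = 1000.0      # loss tolerated under LIMITED access before simulating/rescinding
    # Trailing digit after the root selects the response: 44590 -> sham account, 44591 -> real
    # account with simulated or rescinded transactions (the page's example assignment).
    suffix_modes: dict = field(default_factory=lambda: {"0": AccessMode.FEIGNED, "1": AccessMode.LIMITED})


def make_config(primary: str, secondary_root: str, salt: bytes = b"constructed-salt") -> AccountConfig:
    return AccountConfig(salt, _derive(primary, salt), _derive(secondary_root, salt))


def classify(cfg: AccountConfig, entered: str, covert_signal: bool) -> AccessMode:
    """Map an entered password plus the presence/absence of the hidden action to an access mode."""
    if hmac.compare_digest(_derive(entered, cfg.salt), cfg.primary_key):
        # The overt component without the covert one is itself the duress signal.
        return AccessMode.FULL if (covert_signal or not cfg.covert_required) else AccessMode.LIMITED
    root, suffix = entered[:-1], entered[-1:]
    if suffix in cfg.suffix_modes and hmac.compare_digest(_derive(root, cfg.salt), cfg.secondary_root_key):
        return cfg.suffix_modes[suffix]
    return AccessMode.DENIED


@dataclass
class Session:
    cfg: AccountConfig
    mode: AccessMode
    real_balance: float
    loss_allowance: float = 0.0                       # remaining amount a LIMITED session may really move
    alerts: list = field(default_factory=list)        # security alerts raised for the account owner/bank
    rescind_queue: list = field(default_factory=list)  # apparently completed transfers to be reversed

    def displayed_balance(self) -> float:
        if self.mode is AccessMode.FEIGNED:
            return 950.0                              # constructed sham figure, "less than $1,000"
        if self.mode is AccessMode.LIMITED:
            return min(self.real_balance, self.cfg.threshold)
        return self.real_balance

    def transfer(self, amount: float) -> str:
        """Return the confirmation text the interface shows; the real effect depends on the mode."""
        if self.mode is AccessMode.DENIED:
            return "access denied"
        if self.mode is AccessMode.FULL:
            self.real_balance -= amount
        elif self.mode is AccessMode.LIMITED:
            self.alerts.append(f"secondary password in use; transfer of {amount:.2f} requested")
            if amount <= self.loss_allowance:
                self.loss_allowance -= amount
                self.real_balance -= amount           # small loss tolerated so the session looks genuine
            else:
                self.rescind_queue.append(amount)     # confirmed on screen, rescinded before settlement
        else:  # FEIGNED: the sham account absorbs everything
            self.alerts.append(f"sham account in use; transfer of {amount:.2f} simulated")
        return f"transfer of {amount:.2f} confirmed"   # identical wording in every non-denied mode


def open_session(cfg: AccountConfig, entered: str, covert_signal: bool, real_balance: float) -> Session:
    mode = classify(cfg, entered, covert_signal)
    return Session(cfg, mode, real_balance, loss_allowance=cfg.threshold)
```

The confirmation string is deliberately identical across modes, since the page's point is that the interface gives no visible hint that access is limited or feigned; the distinguishing state lives only in the alerts and the rescission queue on the server side.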
The establishment of such secondary passwords, or means for distinguishing primary and secondary passwords, and rules to be implemented in response to entry of a secondary password using the security system protecting an asset, can be preconfigured by a user or asset administrator using the previously mentioned administrative system to allow customization of a security system.
For access to a VPN (virtual private network) or other computer system, a secondary password can limit access to only “relatively safe” portions of the directories thereon, or can provide a simulated environment where little or no harm can be done, resulting in a “Potemkin village” desktop or LAN. For example, users or system administrators may preconfigure a set of directories and files free of sensitive information that can be accessed using a secondary password, or the system can show the presence of actual files (optionally with modified or nonsense file names), and simulate copying the files to media, if so directed, while only writing harmless information. In one embodiment, access to a user's computer can be complete except for pre-selected directories and files which remain invisible and inaccessible when the secondary password is used to gain entry. In related embodiments, use of the secondary password may automatically result in complete deletion of sensitive files, in addition to issuance of an alarm signal. In another embodiment, use of a secondary password not only prevents access to sensitive files, directories, or devices, while simulating full access, it also initiates a program that will, after a period of time, automatically destroy all files or even the entire hard disk or other components of the computer that has been stolen or accessed under duress, optionally simulating a “normal” disk error or hardware problem. One such hardware problem can be apparent failure of the power supply or battery, optionally occurring at the time of file erasure, making further access impossible until a hardware setting has been reset or a component replaced. Fuses, relays, and other electrical components can be used to achieve controlled failure of the computer in response to entry of a secondary PIN after a predetermined period of time.
For assets such as safes, use of a secondary password (combination) results in opening of the safe while also signaling an alarm, and in one embodiment can result in one portion of the safe remaining inaccessible, such as a false bottom or false back of the safe. Thus, the thief may think that access to the contents has been gained, but key documents or assets may remain hidden in response to using the secondary password.
For password-based access to a motorized vehicle or other mechanized device or vehicle, use of a secondary password may cause limitations in the performance of the device to reduce the harm that may be done. For example, use of a secondary password to gain access to an automobile may result in a simulated mechanical failure of the vehicle after a short distance, or cause the gas tank gauge to display a near-empty condition to be followed by a simulated out-of-gas event after a short distance has been traveled.
For access to PIN-protected billing features associated with cell phones, PDAs, smart cards, and other devices, a secondary password (PIN) can be provided that can create alarms when used, limit or cancel transactions, and so forth, optionally according to predetermined rules and selections from the user entered through a graphical user interface on the device itself or on a separate application such as a Web site in communication with a central computer operated by the service provider.
A secondary password may be preconfigured to be a one-time password, such that attempts to use it a second time fail. Alternatively, it may be a limited-use password, such that it can be used repeatedly during a fixed period of time such as 5 minutes, 10 minutes, or 30 minutes, allowing a thief to verify that it is not a one-time password. In another version of the invention, the password may be reused any number of times until the user changes the password scheme for the account, but with an unlimited-use password, access to the account or other assets may be restricted, limited, or simulated.
In another version, the secondary password is used in a single-factor authentication system and is a predetermined static password that will provide only one-time use or limited-time use. This allows the user to access a bank account, email account, or other secure account from a public computer that may have compromised security, without risk that a keylogger, password snooper or third party observing the entered password will be able to gain access to the system. This form of secondary password may provide full access to the account, or limited access. Limited access may include limitations on what data is displayed, on what size transactions can be made, what directories can be accessed, etc. The limitation may also be temporal, providing only, for example, 5 minutes of full access to the account. Such secondary passwords are intended for actual authorized account use but in insecure settings. Thus, they can be considered as static, memorizable, pre-approved OTPs.
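The three use-limit variants in the two preceding paragraphs (one-time, reusable within a fixed window such as 5 minutes, and unlimited until the user changes the scheme) are a small state machine on the server side. The following added example is not from the application; the class and method names, the default 300-second window and the explicit `now` timestamp (passed in rather than read from the clock, so the logic is testable) are assumptions of this illustration.

```python
"""Use-limit policy for a static, memorizable secondary password (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class UsePolicy(Enum):
    ONE_TIME = "one_time"          # second presentation fails
    TIME_WINDOW = "time_window"    # reusable for a fixed period after first use (5, 10, 30 minutes ...)
    UNLIMITED = "unlimited"        # reusable until the user changes the password scheme


@dataclass
class SecondaryPasswordState:
    policy: UsePolicy
    window_seconds: int = 300                 # 5 minutes; a constructed default
    first_used_at: Optional[float] = None     # epoch seconds of the first accepted use
    use_count: int = 0
    revoked: bool = False                     # set when the user changes the scheme

    def accept(self, now: float) -> bool:
        """Decide whether this presentation of the secondary password is still honoured.

        A True result means the caller should go on to apply the configured limited
        or feigned access; a False result is treated exactly like a wrong password.
        """
        if self.revoked:
            return False
        if self.policy is UsePolicy.ONE_TIME and self.use_count >= 1:
            return False
        if (self.policy is UsePolicy.TIME_WINDOW
                and self.first_used_at is not None
                and now - self.first_used_at > self.window_seconds):
            return False
        # UNLIMITED never expires on its own; the other policies fall through on their first use.
        if self.first_used_at is None:
            self.first_used_at = now
        self.use_count += 1
        return True

    def revoke(self) -> None:
        """Called when the account owner changes the password scheme."""
        self.revoked = True

    def seconds_remaining(self, now: float) -> Optional[float]:
        """Time left in the window, or None when the policy has no window or is unused."""
        if self.policy is not UsePolicy.TIME_WINDOW or self.first_used_at is None:
            return None
        return max(0.0, self.window_seconds - (now - self.first_used_at))
```

Note that the window opens at the first accepted use, not at configuration time, which matches the page's description of a password that "can be used repeatedly during a fixed period" once the user starts using it from an untrusted terminal.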
In one version, a security system can comprise use of a text-based password coupled with a non-text-based authentication component such as biometrics or related means for identification of the user. An alarm signal can be sent by use of a secondary password or by a predetermined modification to the way the non-password authentication component is used. For example, a smart card or access portal with a finger pad for identifying the user through fingerprints or other biometric means can have a predetermined protocol to signify that the user is in a state of duress. For example, the finger pad may be set to authenticate the user based on contact with the right index finger, but may be configured to also recognize another finger such as the left index finger, right middle finger, etc., as an indication of duress. Systems that can be adapted for this version of the invention include the finger scanners of Nanoident Technologies (Linz, Austria), which detect patterns and blood content in the tissue within the finger, as described at http://www.technologyreview.com/read_article.aspx?id=17040&ch=biztech as viewed Jun. 27, 2006.
The security methods of the present invention can be adapted to any suitable combinations of hardware and software. For example, payment transaction systems of numerous kinds can be adapted to have any of the enhanced security features of the present invention. Such transaction systems may include, for example, dedicated wireless terminals, dedicated cell phone terminals, customer-owned cell phone and PDA systems, etc. Dedicated wireless terminals typically have a MagStripe reader and printer built into them, as well as a display and (optionally) a keyboard or other data entry means such as a touch-screen. Cell-phone terminals use cell phones for the required computing power and data entry and display. They may have MagStripe readers and PIN pads for PIN-debit transactions. They may have integrated printers or may communicate with a printer via infrared or RF technology. An example of a system for user-owned cell phones and PDAs is the ePNMobile system of eProcessing Network, LLC (Houston, Tex.) for use with the eProcessingNetwork Merchant Support Center, which requires Java® ME (J2ME) compatible cell phones and/or PDAs, as described at http://www.eprocessingnetwork.com/mobile.html as viewed Jan. 20, 2007.
Other systems involving PINs or other passwords, whose security features can be adapted according to aspects of the present invention, include security systems for automobiles (e.g., PINs for entry or starting of the vehicle), safes (including bank vaults, safety deposit boxes, home safes, lockboxes, etc.), gated entry systems, home security systems (PINs to gain entry, activate or deactivate features, etc.), gun cases, safety features on weapons and weapon systems, security portals in public or private buildings, airport security systems and aircraft access, computer-controlled systems of all kinds, document security systems, wireless locks such as the wireless locks of Schlage Lock (Colorado Springs, Colo.), and the like.
For embodiments in which login or access to an asset can be achieved through a single interface without the use of peripheral electronic or security devices such as additional OTP cards or tokens, the use of primary and secondary passwords can be considered a two-part or multi-part authentication system using a single hardware system (e.g., the system used for logging in or gaining access to the asset), or, in other words, a “single device” multi-part authentication system.
In some other aspects of the present invention, relatively non-secure information such as a Social Security number is modified to serve as a limited-use password that can be configured by a user via a security administration system. In one approach, for example, a relationship between a government agency and a security administration system allows a new pseudo-Social Security number or pseudo-user credentials for limited use with third parties to be associated with the actual Social Security number or other user credential information required by the government agency, with substantially reduced risk that a hostile party gaining access to the pseudo-Social Security number or pseudo-user credentials could perpetrate fraud with such information, since it is not valid identity information per se and can only be recognized as valid according to rules and restrictions crafted by the user using, for example, an administrative security system of the present invention.
Thus, as an extension of the password protection aspects of the present invention, another aspect of the present invention includes a system for providing a user with a Limited Use Credential (e.g., a pseudo-Social Security number or Limited User Social Security number) from an authorizing agency (e.g., the IRS) to share with a third party in place of a permanent unique credential from the authorizing agency (e.g., to be used when accessing the account or associated services such as technical support or consumer services), comprising: (a) a security service server; (b) a user interface for accessing the security service server adapted to receive and transmit to the security service server personal user information and one or more specified third parties for whom a Limited Use Credential is requested; (c) an authorizing agency server in communication with the security service server, the server adapted to operate a Limited Use Credential generator for assigning a Limited Use Credential to a user for use only with the one or more specified third parties; and (d) an authorizing agency database in communication with the authorizing agency server for linking user information with the Limited Use Credential and the one or more specified third parties, wherein the user information comprises the permanent unique credential from the authorizing agency.
The system may further comprise fraud detection means wherein attempted transactions or reported information associated with the Limited Use Credential but not reported by one of the one or more specified third parties is flagged for investigation as a potentially fraudulent matter.
Also within the scope of the present invention is a method for providing a user with a Limited Use Credential from an authorizing agency to share with a third party in place of a permanent unique credential from the authorizing agency, comprising: providing a user with a permanent credential from the authorizing agency; receiving from the user a request to provide a Limited Use Credential for use with one or more specified third parties; generating a unique Limited Use Credential; storing the Limited Use Credential in an authorizing agency database, wherein the Limited Use Credential is also associated with user information, the permanent credential, and the one or more specified third parties; and providing the user with the Limited Use Credential for use with the specified third parties.
The method may further comprise providing a fraud detection filter to identify attempted use of the Limited Use Credential with respect to a party other than one of the one or more specified third parties as a potential fraud. Thus, if the Limited Use Credential uniquely associated with, say, an employer of the user is stolen by someone within the company or by a thief gaining access to company records, and the thief attempts to use it to gain access to a bank account or other assets of the user, the entry of the Limited Use Credential into a banking system or other asset protection system can be recognized as an invalid Limited Use Credential possibly associated with fraudulent activities.
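The Limited Use Credential workflow of the preceding four paragraphs (issue a credential bound to named third parties, store it with the permanent credential in the authorizing agency's database, and flag any presentation by an unlisted party) is shown below as an added example; it is not code from the application. The `LUC-` prefix with random hex digits is a constructed placeholder format rather than a pseudo-Social Security number layout, the permanent credential value is a constructed placeholder, and all class, method and party names are assumptions of this illustration.

```python
"""Limited Use Credential registry with the page's fraud-detection filter (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LucRecord:
    user_id: str
    permanent_credential: str     # the real credential, held only by the authorizing agency
    allowed_parties: frozenset    # the specified third parties this credential is valid for


class AuthorizingAgencyRegistry:
    """Models the authorizing agency server plus its database from the page's system description."""

    def __init__(self) -> None:
        self._by_luc: Dict[str, LucRecord] = {}
        # (credential, presenting party) pairs queued for investigation as potential fraud
        self.flagged: List[Tuple[str, str]] = []

    def issue(self, user_id: str, permanent_credential: str, parties: Iterable[str]) -> str:
        """Generate a unique Limited Use Credential and link it to the user and the named parties."""
        allowed = frozenset(parties)
        if not allowed:
            raise ValueError("a Limited Use Credential must name at least one third party")
        while True:
            luc = "LUC-" + secrets.token_hex(4).upper()   # constructed placeholder format
            if luc not in self._by_luc:
                break
        self._by_luc[luc] = LucRecord(user_id, permanent_credential, allowed)
        return luc

    def verify(self, luc: str, presenting_party: str) -> str:
        """Return 'valid', 'flagged' (known credential, unlisted party) or 'unknown'."""
        rec = self._by_luc.get(luc)
        if rec is None:
            return "unknown"
        if presenting_party in rec.allowed_parties:
            return "valid"
        # The page's fraud filter: a real credential presented by someone it was never issued for.
        self.flagged.append((luc, presenting_party))
        return "flagged"

    def resolve(self, luc: str, presenting_party: str) -> Optional[str]:
        """Map a credential back to the permanent one, but only for a listed party."""
        if self.verify(luc, presenting_party) != "valid":
            return None
        return self._by_luc[luc].permanent_credential

    def revoke(self, luc: str) -> bool:
        """Remove a credential (e.g. after a flagged use); later presentations become 'unknown'."""
        return self._by_luc.pop(luc, None) is not None
```

The key property is that the credential carries no value outside the registry: a bank receiving it from an unlisted presenter learns nothing about the permanent credential, and the attempt itself becomes an investigation record rather than a successful lookup.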
Another aspect of the systems and methods of the present invention pertains to means for improved credit card security involving the use of verification codes. In placing orders with credit cards, the user typically must provide the merchant with the user's name as displayed on the card, the account number, the expiration date, and optionally a non-embossed verification code (or verification number) on the back of the card known variously as the CVV2 (Visa), CVC2 (MasterCard), or CID (American Express) code, which may be a three- or four-digit number. The verification code is increasingly being used to provide added security for online transactions and telephone transactions, as well as some transactions at a retail establishment or other facility. Because credit card companies do not allow the verification code to be stored with other credit card information, it is much more difficult for thieves to obtain this number. Nevertheless, there is the possibility that a thief may obtain the code by stealing a card, observing a card, overhearing a telephone conversation, observing computer actions with spyware, or by conducting scams in which a cardholder is asked to give a purported credit card representative or government agent the verification code. To increase the level of security provided by the verification code, methods of the present invention may be applied.
In one version, the verification code as printed on the rear of the credit card actually serves as a secondary password to indicate that predetermined security measures may be needed, such as limiting the amount that can be spent, sending a security alert, or even inactivating the card immediately or after a period of time, or to provide feigned access in the sense that an apparently authorized transaction (from the perspective of a user) is not actually authorized. The primary password for full access by the card may require a hidden action in addition to entry of the verification code, or may comprise a covert password component not displayed or not readily recognizable on the card. The covert password may be used instead of, in addition to, or in conjunction with the printed verification code to create a primary password for full access. Further examples of the use of modified verification codes and related tools are described hereafter.
In other embodiments of the present invention, an administrative graphical user interface is provided by a central service for administering an electronic security system that provides an asset access graphical user interface controlling access to a protected asset through the use of a primary password, the administrative graphical user interface comprising: a) user authentication means for entry of administrator credentials, wherein entry of valid administrator credentials identifies an authorized administrator of the security system; b) a security rule editing function accessible after entry of valid user credentials by the user authentication means, wherein the security rule editing function provides a display of security rules governing the response of the security system to attempted user access via the asset access graphical user interface and provides means for customizing the security rules, wherein the security rules can be edited to define a response of the security system to an entry in the asset access graphical user interface of one or more of a covert password component required for acceptance of a primary password, the absence of a covert password component required for acceptance of the primary password, and at least one predetermined secondary password other than the primary password.
The aforementioned administrative graphical user interface may, for example, be used in managing security for a credit account, wherein the asset access interface is associated with a Web-based payment processing system, and wherein one or more of the primary password and the at least one predetermined secondary password comprises a covert password component. The aforementioned administrative graphical user interface may also be operably associated with a Limited Use Credential generation service, wherein the user credentials required by one or more of the asset protection services may contain sensitive information that must be shared with an external agency. In one embodiment, the administrative graphical interface is provided by a first party and the electronic security system is provided by a second party, the first party and the second party each having an independent relationship (which may be contractual, based on a legal requirement, or a collaborative agreement, etc.) with an external agency, and wherein the user credentials comprise a Limited Use Credential used in place of a sensitive information item that is normally shared by the second party with an external agency, wherein the Limited Use Credential is agreed upon between the first party and the external agency as an acceptable substitute in place of the sensitive information item if provided by the second party or other agreed-upon party, but wherein the Limited Use Credential is not accepted as a valid substitute in place of the sensitive information item if provided by a third party outside the scope of the agreement between the first party and the external agency.
BRIEF DESCRIPTION OF THE DRAWINGS
As used herein, “password” refers to credential information comprising a shared secret that allows authentication of a user's security privileges regarding an asset by conveying the shared secret or related information to a security system. A password can be or can include a PIN (personal identification number). Passwords are commonly entered as a string of alphanumeric characters, but can also include other means of authenticating a user or providing secure access. For example, for the purposes of this invention, the combination used to access a safe or other lock system with numerical or alphanumeric input can be considered a password. Passwords can also be in the form of identifying sounds (e.g., spoken words or a predetermined tone or series of tones), identifying motions (e.g., hand gestures or facial expressions to be read by a machine vision system), or particular taps or motions of a stylus, such as the Picture Password security software of SoftAva (Novosibirsk, Russia) for PDAs, which allows a user to tap certain points of a picture to create a unique input that can serve as a password rather than alphanumeric strings. Passwords can include two or more components, such as a static user password plus a machine-generated password to form a single two-part string. Alternatively, the two parts can be entered separately or can even comprise different input types, such as a machine-generated digital string and a speech-based password, or a machine-generated string plus a motion-based password or picture-based password (e.g., one that is tapped by a user on key parts of a picture). In one embodiment, however, passwords or any of the overt or covert components of a password may be restricted to alphanumeric strings.
As used herein, a “primary password” is a password that, for a given user ID, can provide full or a relatively high level of access to the user's asset (e.g., the user's account, etc.). Generally, a primary password provides the highest level of access normally available to the user for a particular mode of access (e.g., Internet access, live on-site access, telephone access, etc.). In many cases, the primary password is the password that the user would normally use when there is no security risk during access of the asset. “Access” in this context refers to the privileges granted relative to the asset, such as the ability to execute transactions including selling all or part of the asset, transferring it, transferring ownership, using it, entering it (where applicable), changing its location, viewing sensitive information, etc.
As used herein, a “secondary password” is a password that, for a given user ID, provides less than full access to the user's asset, and typically provides substantially limited access or may provide feigned access (simulated access).
As used herein, a “hidden action” refers to an action taken during login, account access, account use, or some other phase of accessing or attempting to access an asset, which covertly conveys information relative to user credentials or the security status of a user, such that an observer is unlikely to recognize that such information has been conveyed. The hidden action may be or may comprise part of a covert component of a primary password or secondary password. In some cases, the hidden action involves a detail in the use of a graphical user interface, such as precisely where a cursor is with respect to a button when the mouse is clicked, or details of the time when the mouse is clicked (e.g., when the displayed seconds of an on-screen clock ends with the number “5”), or how the cursor is moved on the screen (e.g., making a loop around a graphical element before or after logging in), or how an error is made and corrected (or deliberately made and not corrected) in a challenge and response system, etc. For example, the hidden action may involve a response to an alert box that arises after login having “OK” and cancel buttons. The hidden action may require clic