AU2011265479B2

AU2011265479B2 - Fraud risk advisor

Info

Publication number: AU2011265479B2
Application number: AU2011265479A
Authority: AU
Inventors: David Helsper; Dennis Maicon
Original assignee: Digital Envoy Inc
Current assignee: Digital Envoy Inc
Priority date: 2004-09-17
Filing date: 2011-12-22
Publication date: 2013-05-30
Anticipated expiration: 2025-09-19
Also published as: AU2011265479A1

Abstract

Abstract There is provided a method comprising: determining, by a processor, a first access location based on a first internet (IP) address of a first client computer; 5 determining, by the processor, a first access time; determining, by the processor, a second access location based on a second IP address of a second client computer; determining, by the processor, a second access time; and calculating, by the processor, a travel velocity between the first access location and the second access location as a function of the first access location and the first access time and the io second access location and the second access time; and determining if an online transaction executed from one of the first IP address or the second IP address is fraudulent based on the travel velocity between the first access location and the second access location, the online transaction comprising one or more of banking account access, a credit card transaction, an online bill payment, a wire transfer, a is stock trade, or a transaction utilizing personal information. 22/12/11 3042991_1 (GHMaters) P71720AU.1 Online Fraud Mitigation Engine 110 input Parameters 105 Determine Correct Risk Score Model and Load 112 Evaluate Standard Rules and Determine Risk Value 114 User Supplied Evaluate Custom Rules and Determine Risk Value 116 External Function Execute Dynamic Risk Score Algorithm 118 Risk Score Exceeds Threshold Risk Score OK Generate Reason Return Code Passed Codes Return Code Failed 130 Output Data ONLINE FRAUD MITIGATION ENGINE

Description

AUSTRALIA Patents Act 1990 COMPLETE SPECIFICATION Standard Patent Applicant(s): Digital Envoy, Inc. Invention Title: Fraud risk advisor The following statement is a full description of this invention, including the best method for performing it known to me/us: - 2 FRAUD RISK ADVISOR Related Application This application is a divisional application of Australian Application No. 5 2005286866 the disclosure of which is incorporated herein by reference. Most of the disclosure of that application is also included herein, but reference may be made to the specification of Australian Application No. 2005286866 to gain further understanding of the invention claimed herein. 10 Background of the Invention 1. Field of the Invention The present invention relates to techniques for detecting fraudulent online transactions. The present invention provides methods, systems, and computer program products for operating a fraud engine that is capable of accepting an IP is address and a number of factors relating to an end user in order to determine whether a transaction is fraudulent. The present invention also relates to methods, systems, and computer program products for calculating a travel velocity between two access locations, determining if a transaction is fraudulent based on a user's travel velocity between two access 20 locations, and determining if a transaction is fraudulent based on a transaction frequency. 2. Description of the Related Art The ease of hiding an identity on the Internet makes it difficult for financial 25 services organizations to carry the "know your customer" mantra to the online world. la 2003 alone, Internet-related fraud accounted for 55% of all fraud reports according to the Federal Trade Commission, up nearly 45% from the previous year. In order for financial services organizations to continue successfully serving more of their customers online, creating a safe and secure environment is a top priority. Accordingly, 30 there is a need and desire for a methods, systems, and computer program products for detecting and preventing fraudulent online transactions utilizing the IP address of a user. Summary of the Invention In a first aspect, the present invention provides a method comprising: 35 determining, by a processor, a first access location based on a first internet (IP) address of a first client computer; determining, by the processor, a first access time; 22/12111 304291_1 (GHMatter) P71720.AU.1 -3 determining, by the processor, a second access location based on a second IP address of a second client computer; determining, by the processor, a second access time; and calculating, by the processor, a travel velocity between the first access location 5 and the second access location as a function of the first access location and the first access time and the second access location and the second access time; and determining if an online transaction executed from one of the first IP address or the second IP address is fraudulent based on the travel velocity between the first access location and the second access location, the online transaction comprising one io or more of banking account access, a credit card transaction, an online bill payment, a wire transfer, a stock trade, or a transaction utilizing personal information. In a second aspect, the present invention provides a method comprising: determining, by a processor, for a user, a first access location associated with a first client computer, and a first access time; 15 determining, by the processor, for the user, a second access location associated with a second client computer based on an IP address of the second client computer; determining, by the processor, for the user a second access time; and calculating, by the processor, the travel velocity of the user as a function of the first access location and the first access time and the second access location and the 20 second access time; and determining if an online transaction executed from one of the first I P address or the second IP address is fraudulent based on the travel velocity. In a third aspect, the present invention provides a method comprising: computing, by a processor, one or more factors based on an IP address of a 25 computer associated with a user, wherein at least one factor is a travel velocity of the user between a first access location and a second access location, one of the first access location or the second access location being associated with the IP address of the computer; and determining, by the processor, whether an online transaction executed from the 30 IP address of the computer is fraudulent based on the one or more factors. Brief Description of the Drawings The foregoing and other advantages and features of the invention will become more apparent from the detailed description of exemplary embodiments of the 35 invention given below with reference to the accompanying drawings. FIG. 1 is a flow chart illustrating one embodiment of the present invention for determining whether an online transaction is fraudulent using an Online Fraud 22112/11 304291.1 (GHMattes) P71720AU.1 -4 Mitigation Engine. FIG. 2 is a block diagram of a computer system for implementing embodiments of the present invention. FIG. 3 illustrates one embodiment of the present invention useful for calculating a 5 travel velocity. FIG. 4 illustrates another embodiment of the present invention useful for calculating a travel velocity. FIG. 5 illustrates one embodiment of the present invention useful for calculating a user's travel velocity. 10 FIG. 6 illustrates one embodiment of the present invention useful for determining a fraudulent transaction using a travel velocity. FIG. 7 illustrates one embodiment of the present invention useful for determining a fraudulent transaction using a transaction frequency. FIG. 8 shows a logical overview of a computer system which may be used to 15 carry out the various embodiments of the present invention. FIG. 9 illustrates logically the arrangement of computers connected to the Internet in one embodiment of the present invention. In the following detailed description, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration of 20 specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized, and that structural, logical and programming changes may be made without departing from the spirit and scope of the present invention. 25 Detailed Description of the Invention The present invention provides methods, systems, and computer program products (hereinafter "method" or "methods" for convenience) for determining fraudulent online transactions. In one embodiment, an end user inputs parameters and 3 o rules concerning a particular transaction into the system. Based on the parameters, rules, and other information concerning a particular transaction, the system computes a score associated with the likelihood that the transaction is fraudulent. The score is then compared with various thresholds which may be set by the end user. If the score exceeds the thresholds, then the transaction is determined to be fraudulent. Data 35 regarding the transaction may also be output to the end user. Upon review, the end user may change the fraud status of a given transaction. Another embodiment of the present invention provides methods for calculating a 22/12/11 3042991_1 (GHMatters) P71720.AU.1 - 5 travel velocity between a first and second access location, utilizing a travel velocity to determine if a transaction is fraudulent, as well as determining if a transaction is fraudulent based upon a computed transaction frequency. It will be apparent to those skilled in the art that various devices maybe used to s carry out the systems, methods, or computer program products of the present invention, including cell phones, personal digital assistants, wireless communication devices, personal computers, or dedicated hardware devices designed specifically to carry out embodiments of the present invention. Unless otherwise expressly stated, it is in no way intended that any method or 10 embodiment set forth herein be construed as requiring that its steps be performed in a specific order. Accordingly, where a method, system, or computer program product claim.does not specifically state in the claims or descriptions that the steps are to be limited to a specific order, it is no way intended that an order be inferred, in any respect. This holds for any possible non-express basis for interpretation, including 15 matters of logic with respect to arrangement of steps or operational flow, plain meaning derived from grammatical organization or punctuation, or the number or type of embodiments described in the specification. Before the present methods, systems, and computer program products are disclosed and described, it is to be understood that this invention is not limited to 20 specific methods, specific components, or to particular compositions, as such may, of course, vary. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used in the specification and the appended claims, the singular forms "a," "an" and "the" include plural referents unless the context clearly dictates otherwise. 25 Thus, for example, reference to "an encoder" includes mixtures of encoders, reference to "an encoder" includes mixtures of two or more such encoders, and the like. The term "risk factor" includes any factor used in a transaction that has some level of risk associated with it. The term "static risk factor" includes any factor that does not change at run time. 30 The term "dynamic risk factor" includes any factor that has its value calculated at mn time. The term "risk value" includes any number associated with a factor. The term "risk weight" includes any number that determines how much influence a factor's risk value is to the outcome of a risk score. 35 The term "rule" includes any conditional statement that applies Boolean logic to risk values. The term "risk score" includes any aggregation of risk values based on a 22/12111 3042991_1 (GHMattIeC) P71720.AU.1 -6 computation of risk values and risk weights or a rule setting the risk score directly. The term "online fraud mitigation engine" (OFME) includes any component of the present invention that accepts an EP address along with a number of factors to thereby create a risk score for a given transaction which can be used to determine if the 5 transaction is fraudulent. The term "transaction" includes any type of online activity, such as online banking account access, credit card transactions, online bill pay, wire transfers, stock trades, transactions utilizing personal information, and the like. The term "transaction identifier" includes any unique system generated number 10 that identifies a particular risk score model. The term "risk score model" includes any set of logical rules, applicable static and dynamic factors, risk weights for the factors, a frau-score algorithm, a risk score threshold, and reason codes used to identify a fraudulent transaction. The term "user" or "client" includes one or more persons, entities, or computers. is The terms "method(s)," "system(s)," and "computer program product(s)" may be used interchangeably within various embodiments of the present invention. The methods of the present invention can be carried out using a processor programmed to carry out the various embodiments of the present invention. FIG. 8 is a block diagram illustrating an exemplary operating environment for performing the 20 various embodiments. This exemplary operating environment is only an example of an operating environment and is not intended to suggest any limitation as to the scope of use or functionality of operating environment architecture. Neither should the operating environment be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment. 25 The method can be operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the method include, but are not limited to, personal computers, server computers, laptop devices, and multiprocessor systems. Additional examples include set top 30 boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The method may be described in the general context of computer instructions, such as program modules, being executed by a computer. Generally, program 35 modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The method may also be practiced in distributed computing environments where tasks are performed by 22/12/11 30429911 (GHManers) P71720AU.A -7 remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices. The method disclosed herein can be implemented via a general-purpose 5 computing device in the form of a computer 801. The components of the computer 801 can include, but are not limited to, one or more processors or processing units 803, a system memory 812, and a system bus 813 that couples various system components including the processor 803 to the system memory 812. The processor 803 in Fig. 8 can be an x-86 compatible processor, including a 10 PENTIUM IV, manufactured by Intel Corporation, or an ATHLON 64 processor, manufactured by Advanced Micro Devices Corporation. Processors utilizing other instruction sets may also be used, including those manufactured by Apple, IBM, or *NEC. The system bus 813 represents one or more of several possible types of bus 15 structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures can include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a 20 Peripheral Component Interconnects (PCI) bus also known as a Mezzanine bus. This bus, and all buses specified in this description can also be implemented over a wired or wireless network connection. The bus 813, and all buses specified in this description can also be implemented over a wired or wireless network connection and each of the subsystems, including the processor 803, a mass storage device 804, an operating 25 system 805, application software 806, data 807, a network adapter 808, system memory 812, an Input/Output Interface 810, a display adapter 809, a display device 811, and a human machine interface 802, can be contained within one or more remote computing devices 814a,b,c at physically separate locations, connected through buses of this form, in effect implementing a fully distributed system. 30 The operating system 805 in Fig. 8 includes operating systems such as MICROSOFT WINDOWS XP, WINDOWS 2000, WINDOWS NT, or WINDOWS 98, and REDHAT LINUX, FREE BSD, or SUN MICROSYSTEMS SOLARIS. Additionally, the application software 806 may include web browsing software, such as MICROSOFT INTERNET EXPLORER or MOZILLA FIREFOX, enabling a user to view 35 HTML, SGML, XML, or any other suitably constructed document language on the display device 811. The computer 801 typically includes a variety of computer readable media. Such 22/12/11 30429911 (GHMafters) P71720.AIJ.1 - 8 media can be any available media that is accessible by the computer 801 and includes both volatile and non-volatile media, removable and non-removable media. The system memory 812 includes computer readable media in the form of volatile memory, such as random access memory (RAM), and/or non-volatile memory, such as read only 5 memory (ROM). The system memory 812 typically contains data such as data 807 and and/or program modules such as operating system 805 and application software 806 that are immediately accessible to and/or are presently operated on by the processing unit 803. The computer 801 may also include other removable/non-removable, io volatile/non-volatile computer storage media. By way of example, FIG. 8 illustrates a mass storage device 804 which can provide non- volatile storage of computer code, computer readable instructions, data structures, program modules, and other data for the computer 801. For example, a mass storage device 804 can be a hard disk, a removable magnetic disk, a removable optical disk, magnetic cassettes or other 15 magnetic storage devices, flash memory cards, CD-ROM, digital versatile disks (DVD) or other optical storage, random access memories (RAM), read only memories (ROM), electrically erasable programmable read-only memory (EEPROM), and the like. Any number of program modules can be stored on the mass storage device 804, including by way of example, an operating system 805 and application software 806. 20 Each of the operating system 805 and application software 806 (or some combination thereof) may include elements of the programming and the application software 806. Data 807 can also be stored on the mass storage device 804. Data 804 can be stored in any of one or more databases known in the art. Examples of such databases include, DB2*, Microsoft* Access, Microsoft* SQL Server, Oracle*, mySQL, 25 PostgreSQL, and the like. The databases can be centralized or distributed across multiple systems. A user can enter commands and information into the computer 801 via an input device (not shown). Examples of such input devices include, but are not limited to, a keyboard, pointing device (e.g., a "mouse"), a microphone, a joystick, a serial port, a 30 scanner, and the like. These and other input devices can be connected to the processing unit 803 via a human machine interface 802 that is coupled to the system bus 813, but may be connected by other interface and bus structures, such as a parallel port, serial port, game port, or a universal serial bus (USB). A display device 811 can also be connected to the system bus 813 via an 35 interface, such as a display adapter 809. For example, a display device can be a cathode ray tube (CRT) monitor or a Liquid Crystal Display (LCD). In addition to the display device 811, other output peripheral devices can include components such as 22/12/11 3042991_1 (GHMaters) P71720AU.1 - 9 speakers (not shown) and a printer (not shown) which can be connected to the computer 801 via Input/Output Interface 810. The computer 801 can operate in a networked environment using logical connections to one or more remote computing devices 814a, b, c. By way of example, 5 a remote computing device can be a personal computer, portable computer, a server, a router, a network computer, a peer device or other common network node, and so on. Logical connections between the computer 801 and a remote computing device 814a, b, c can be made via a local area network (LAN) and a general wide area network (WAN). Such network connections can be through a network adapter 808. A 10 network adapter 808 can be implemented in both wired and wireless environments. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet 815. For purposes of illustration, application programs and other executable program components such as the operating system 805 are illustrated herein as discrete blocks, is although it is recognized that such programs and components reside at various times in different storage components of the computing device 801, and are executed by the data processor(s) of the computer. An implementation of application software 806 maybe stored on or transmitted across some form of computer readable media. An implementation of the disclosed method may also be stored on or transmitted across 20 some form of computer readable media. Computer readable media can be any available media that can be accessed by a computer. By way of example, and not limitation, computer readable media may comprise "computer storage media" and "communications media." "Computer storage media" include volatile and non- volatile, removable and non-removable media implemented in any method or technology for 25 storage of information such as computer readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which 30 can be used to store the desired information and which can be accessed by a computer. Fig. 9 illustrates a logical overview of the Internet 815 of one embodiment of the present invention. One or more client computers 801, for example, such as the remote computing devices 814a, b, c depicted in Fig. 8, maybe connected to the Internet 815 35 as depicted at 901-1, 901-2, and 901-3. Additionally, one or more computers 902-1, 902-2, and 902-3 of the type depicted at 801 may act as servers, providing web pages via HTTP request, database access, remote terminal services, digital file download or 22/12/11 3042991.1 (GHMatters) P71720.AU.1 - 10 upload, or any other desired service. Furthermore, one or more client computers, such as 901-1, may act as an Internet accessible server computer 902-1, and vice versa. Online Fraud Mitigation Engine 5 FIG. 1 is a flow chart illustrating steps for performing an online fraudulent transaction determination in accordance with the present invention. At step 105, input parameters are input into the OFME by an end user, for example, a banking institution. The OFME provides a run-time environment for the selected risk score model. The OFME provides a rules based engine for receiving input parameters; for example, a io transaction identifier, an IP address, a date/time stamp, a unique identifier and a number of static factors for processing. The OFME subsequently retrieves relevant information regarding an Internet users IP address; for example, the Internet user's location from a NetAcuity server. The operation of the NetAcuity server is discussed in U.S. Patent Application No. 09/832,959, which is commonly assigned to the assignee 15 of the present application, which is herein incorporated by reference in its entirety. A transaction identifier, which is unique, associated with a given Internet based transaction is used by OFME to determine which risk score model should be utilized for a given transaction. The Fraud Risk Advisor uses the unique identifier for tracking purposes. The results are then stored in a database. 20 Additional input parameters may be input into the OFME through end user supplied data. For example, the end user may utilize a hot file, suspect IP list, etc., which would be used by the OFME in the determination process. Once the OFME receives the specified input parameters, the Fraud Risk Advisor proceeds to step 112. In step 112, the end user will select from a set of standard risk score models or end 25 user defined risk score models to be used for a particular determination. After the OFME loads the appropriate risk score model, the present invention proceeds to step 114 in which the OFME evaluates a given set of factors and determines a risk value for each given factor. Once the risk value has been determined for each factor associated with the OFME, the present invention proceeds to step 116 30 in which the OFME evaluates a given set of rules and determines a risk score. When the risk score has been determined by a rule match, the present invention proceeds to step 118 in which the OFME executes a risk score algorithm to determine an aggregate risk score. The OFME uses the standard risk value from the rules evaluation, as well as-an optional static risk score to determine an aggregate risk 35 score. For example, the rules based risk score could be assigned a value between 0 to 1,000. A risk score of 0 would be assigned to a transaction perceived to be highly fraudulent, while a risk score of 1,000 would be assigned to scores perceived to have a 22112/11 30429911 (GHMatlers) P71720AU.I - 11 low risk of fraud. Dependent on the risk score calculated in step 118 and threshold limits defined by an end user, the OFME determines whether the transaction proceeds to step 120 or step 122. If the score exceeds the predetermined threshold level, the OFME proceeds 5 to step 120 because the transaction is determined to be fraudulent. Accordingly, the transaction is flagged and forwarded to the end user for further review along with each factor value and a reason code for each factor value. If the score is within predetermined threshold limits, the OFME proceeds to step 122 because the transaction is determined to be valid. 10 At step 130, the end user receives output from the OFME for the pending transaction. If the transaction is determined to be fraudulent by the OFME, the end user receives the results from the OFME including factor values and reason codes for the transaction. In addition, the OFME will update the present invention's real-time statistics and store all relevant data, for example, the IP address, regarding the 15 transaction in a database, even if the transaction is deemed valid. The stored data is used for both reporting purposes as well as analysis purposes for updating the risk score model's risk weights or removing certain factors or rules. The end user has the ability to override the results of the OFME and may flag a transaction determined to be valid as suspicious or deem a suspicious transaction valid. 20 FIG. 2 illustrates is an exemplary processing system 200 with which the invention may be used. System 200 includes a user interface 220 in which an end user may input parameters, rules, and user defined functions to the OFME 202. User interface 220 may comprise multiple user interfaces. The user interface 220 also receives output data from the OFME 202 regarding a certain transaction. The user interface 220 may 25 be graphical or web based, or may use any other suitable input mechanism. Once the OFME 202 receives data from the user interface 220, the OFME 202 acquires information associated with this data from, for example, a NetAcuity server 206, a validation server 204 and a behaviour-tracking database 208. Validation server 204 validates email addresses and area codes supplied by the end user for a given 30 transaction. Behaviour tracking database 208 uses a unique identifier supplied by the end user associated with a given Internet user to determine whether a current Internet based transaction is in congruence with the normal behaviour of the Internet user. This unique identifier is stored in the searchable behaviour-tracking database 208. When 35 the Internet user performs an Internet based transaction, the behaviour-tracking database 208 is searched and geographic data along with an ISP and domain, which may also be stored with the unique identifier, is retrieved, if available. This information 22/12/11 3042991.1 (GHMaters) P71720.AU.1 - 12 is then compared to the geographic data, ISP, and domain information associated with a current IP address for the current pending Internet based transaction. The result of the comparison, an access behaviour factor, is used to determine whether the current pending Internet based transaction is fraudulent. If an access behaviour violation is 5 determined, an automated challenge/response could be used to validate the Internet user accessing an account in real time. If there is no history for the current - address available in the behaviour-tracking database 208 for the Internet user, the current geographic data, ISP and domain information associated with the current IP address is added to the behaviour-tracking database 208. Accordingly, when an Internet user is io creating an account, access behaviour would not be used as a factor for fraud detection. The unique identifier assigned to the Internet user may store multiple access, behaviours. In addition, because an Internet user may change their access behaviour due to, for example, extended travel, change of residence, etc., the end user may is override an access behaviour violation returned by the OFME 202. The OFME 202 uses the information supplied by the user interface 220, NetAcuity server 206, validation server 204 and behaviour-tracking database 208 to determine a risk score associated with a given transaction. Once the OFME 202 computes the risk score, the risk score is sent along with any relevant information 20 concerning the transaction to behaviour tracking database 208, real time statistics database 212, user interface 220, and OFME data storage database 210. In one embodiment, OFME data storage database 210 may transfer data received from OFME 202 to OFME output warehouse storage 218 for long-term storage. In addition, OFME data storage database 210 may transfer data received from 25 OFME 202 to both a Reporting subsystem 214 and a Forensics subsystem 216 for processing and output to the user interface 220. Forensics subsystem 216 provides the end user the ability to look-up information generated by running a risk score model. Thus, the end user can determine why a transaction is deemed suspicious or why a transaction was not deemed suspicious. 30 Reporting subsystem 214 provides various reports to the end user, for example, the number of transaction flagged as being suspicious. Calculating Travel Velocity In one embodiment of the present invention, a method is provided for calculating 35 a travel velocity between a first access point and a second access point using a first and second IP address. Calculating a travel velocity has several practical uses, including determining a fraudulent transaction, network analysis, user profiling, user 22/12/11 3042991_1 (GHMaIers) P71720.AU.1 - 13 account verification and tracking, network access provider analysis, and advertising. Travel velocity may also be a factor utilized by the OFME 202 to determine a fraudulent transaction. FIG. 3 illustrates one embodiment of the present invention useful for calculating s travel velocity. First, a first access location is determined based on a first Internet Protocol ("IP") address 301. Second, a first access time is determined 302. Third, a second access location is determined based on a second address 303. Fourth, a second access time is determined 304. Finally, the travel velocity between the first access location and the second access location is calculated 305 as a function of the io first access location 301 and the first access time 302, and the second access location 303 and the second access time 304. A further embodiment of the present invention useful for calculating a travel velocity is logically illustrated in FIG. 4. While the embodiment of FIG. 4 continues from step 305 of FIG. 3, no particular order of steps is expressly or implicitly required. In this 15 embodiment, a distance between the first access location 301 and the second access location 303 is computed 401. Second, a time difference is computed 402 between the first access time 302 and a second access time 304. Third, the travel velocity is calculated 403 between the first access location 301 and the second access location 303 by dividing the computed distance 401 by the computed time difference 402. 20 For illustration purposes only, according to the embodiment of FIG. 4, suppose that the first IP address is 24.131.36.54, and the first access time 302 is 1:00 PM EST. Methods for determining the location corresponding to an IP address, such as those provided by a NetAcuity server, are used to determine that the first IP address corresponds to the first location 301 of Atlanta, Georgia, USA. Next, a second IP 25 address of 144.214.5.246 is provided, and the second access time 304 is 1:05 PM EST. Again, methods are used to determine that 144.214.5.246 corresponds to a second access location 303 of Hong Kong, China. Next, the distance between the first access location 301 of Atlanta, and the second access location 303 of Hong Kong, is computed 401 to be approximately 8405 30 miles. The computed time difference 402 between the first access time 302 of 1:00 PM EST and the second access time 304 of 1:05 PM EST is 5 minutes. Then, the computed distance 401 of 8405 miles is divided by the time difference 402 of 5 minutes, to calculate a travel velocity 403 of 8405 miles / 5 minutes, or 100,860 miles per hour, which is suspiciously high. 35 Calculating a User's Travel Velocity In one embodiment of the present invention, a method is provided for calculating 29/04/13 42830782 (GHMattes) P71720.AU.I - 14 a user's travel velocity between a first access location and a second access location using a first and second IP address. Calculating a user's travel velocity has several practical uses, including determining a fraudulent transaction, network analysis, user profiling, user account verification and tracking, network access provider analysis, and s advertising. A user's travel velocity may also be a factor utilized by the OFME 202 to determine a fraudulent transaction. FIG. 5 illustrates one embodiment of the present invention useful for calculating a user's travel velocity. First, a first access location 501 is determined for a user. The first access location 501 may be determined in a variety of ways, such as using the user's 10 IP address to determine the first access location 501, retrieving the first access location 501 from the user's behaviour profile, or by using a user supplied first access location 501. Second, a first access time 502 is determined for the user. A second access location is then determined for the user 503 based on the IP address of the user. 15 Fourth, a second access time is determined for the user 504. Then, the method of the present embodiment calculates the travel velocity 505 of the user between the first access location 501 and the second access location 503. The user's travel velocity maybe calculated using a variety of methods, including the method embodied in FIG. 4. 20 In a further embodiment based on FIG. 5, the first access location 501 and the first access time 502 are determined from a behaviour profile associated with the user. In other embodiments, the first access location 501 can be determined based on the user's last valid access location, hi another embodiment, the second access location 503 and the second access time 504 are the user's current access location and current 25 access time. Determining a Fraudulent Transaction In one embodiment of the present invention, a method is provided for determining if a transaction is fraudulent by using a user's travel velocity as a fraud 30 factor. Determining if a transaction is fraudulent based upon a user's travel velocity has several practical uses, such as stopping and deterring the theft and use of personal information online, which may result from identify theft, phishing emails, hacking, spy ware, Trojans, and the like. Likewise, the same method may be used to determine if a transaction is legitimate. 35 One embodiment of a method for determining if a transaction is fraudulent based upon a user's travel velocity is illustrated in FIG. 6. First, the travel velocity of a user is computed 601 between a first access location and a second access location. One 29/04/13 42830782 (GHMalters) P71720.AU.I - 15 embodiment for calculating a user's travel velocity is provided in FIG. 5 in steps 501 through 505. Other methods for computing a travel velocity may also be employed in the embodiment of FIG. 6. The various embodiments included herein for determine a fraudulent transaction may utilize the OFME 202. 5 Behaviour profiles may be utilized in the embodiment of FIG. 6 and in other embodiments to determine if a transaction is fraudulent. For example, access locations, access times, IP addresses, geographical locations, area codes, telephone numbers, email addresses, transaction frequencies, and other factors may be stored in a behaviour profile. Behaviour profiles are useful because they allow one or more 10 variables corresponding to one or more, factors to be persistently stored, enabling embodiments to determine not only the travel velocity or likelihood of fraud between a first access location and a second access location, but to determine a pattern of fraudulent activity over a plurality of access locations, times, IP addresses, and the like. The behaviour profile may be stored in a database such as the behaviour tracking 15 database 208 of the embodiment of FIG. 2. Second, the method of FIG. 6 determines if one or more additional factors based upon the user's IP address will be computed. While only the users travel velocity need be computed at 601, additional factors, including factors based upon the users IP address may be used in various embodiments. The types and number of additional 20 factors computed 603 may vary among the different embodiments to optimize the determination of a fraudulent transaction. If an additional factor is determined to be remaining 602, then that additional factor is computed 603. Next, the method of FIG. 6 then determines 602 and computes 603 remaining additional factors until no factors remain to be computed, causing the 25 method of FIG. 6 to proceed to step 604. In one embodiment based on the embodiment of FIG. 6, an additional factor computed 603 comprises a country, region, or city associated with the IP address of the user. In another embodiment extending the embodiment of FIG. 6, a factor computed 603 maybe a proximity of the user in comparison to a purported location of 30 the user associated with the IP address. A factor computed 603 also may comprise the connection type of the user, such as dial-up, Integrated Services Digital Network (ISDN), cable modem, Digital Subscriber Line (DSL), Digital Signal 1 (TI), or Optical Carrier 3 (OC3). The factor 603 may also comprise a host type, such as personal network end point, corporate network end point, personal or corporate proxy, personal 35 or corporate firewall, and the like. Additional embodiments extending the embodiment of FIG. 6 may utilize factors supplied by the user, including an address supplied by a client for comparison with an 22/12/11 30429911 (GHMals) P71720AU.I - 16 address associated with the IP address, an area code and telephone number supplied by the client for comparison with an area code and telephone number stored in a database associated with the client, or an email address supplied by the client. User supplied factors are useful to various embodiments of the present invention where the 5 embodiments may assume that the user supplied factors are accurate as they are supplied directly by the user. Further factors may be utilized by the embodiment of FIG. 6, such as where a factor is an access behaviour associated with the user based on transaction habits stored in a database that are compared with a current transaction. A factor may also 10 comprise a frequency with which the transaction is attempted or executed within a predetermined amount of time, or a velocity with which a single IP address accesses or uses multiple unique identifiers within a specified period of time. In further embodiments of FIG. 6, a client may participate in the determination of factors to be computed at 603. For example, in one embodiment, a client may assign a 15 threshold level for one or more of the factors. The client may also create one or more user defined factors, and the client may also define constraint rules for one or more factors. Allowing the user to determine factors, assign threshold levels for factors, and constraint rules for factors allows the method of FIG. 6 to optimally determine if a 20 transaction is fraudulent in a method tailored to the user. Next, in the embodiment of FIG. 6, the method determines if the transaction is fraudulent based upon the user's travel velocity and zero or more additional factors, such as those described above. The determination 604 that a transaction is fraudulent or legitimate may occur in real time, near real time, or non-real time, based upon the 25 particular implementation of the method of FIG. 6. The user's travel velocity may be a factor utilized by the OFME 202 to determine a fraudulent transaction, and may be stored in a behaviour profile residing in a behaviour tracking database 208. Transaction Frequency 30 In one embodiment of the present invention, a method is provided for determining if a transaction is fraudulent by using a computed transaction frequency. A high transaction frequency may be useful, for example, where a user's personal information has been stolen and distributed to one or more individuals who intend to make multiple fraudulent online purchases with the personal information of the user. A 35 high transaction frequency may indicate a fraudulent transaction where a particular transaction is attempted repeatedly from the same IP address within a predetermined period of time. 22/12/11 3042991_1 (GHMaters) P71720AU.1 - 17 Likewise, a transaction may be fraudulent where the same or a similar transaction is attempted or executed multiple times and received by or at a single IP address. For example, suppose a person's credit card information is stolen and distributed among a group of persons who intend to use that information to make 5 fraudulent purchases at a particular online retailer who operates an e-commerce server at a particular IP address. According to one embodiment of the present invention, the frequency with which multiple IP addresses attempt or execute a transaction received at a single IP address, such as the address of an e-commerce server, may indicate that a transaction is fraudulent. In further embodiments, the factors discussed above 10 may be incorporated to determine a fraudulent transaction, such as travel velocity or access behaviours retrieved from user profiles. Determining if a transaction is fraudulent based transaction frequency has several practical uses, such as stopping and deterring the theft and use of personal information online, which may result from identify theft, phishing emails, hacking, spy 15 ware, Trojans, and the like. Likewise, the same methods may be used to determine if a transaction is legitimate. The embodiment illustrated in FIG. 7 provides one method for utilizing a transaction frequency to determine a fraudulent transaction. First, in the embodiment of FIG. 7, a frequency is computed with which a transaction is attempted from a first IP address within a predetermined period of time. 20 For example, if an online purchase transaction originating from a first IP address is attempted or executed a hundred times within an hour, then the embodiment of FIG. 7 may determine that the transaction is fraudulent 702 based upon the computed transaction frequency 701. The transaction frequency 701 may be computed in various ways, including by 25 dividing the number of times a transaction is attempted or executed over the time period in which those transaction were attempted or executed. The transaction frequency may also be a factor utilized by the OFME 202 of the embodiment of FIG. 2, and stored in a behaviour profile residing in a behaviour tracking database 208, also of FIG. 2. 30 Transaction frequency in another embodiment may be combined with the host type of the IP address or other factors to enhance the accuracy of the fraud determination. For example, extending the embodiment of Fig. 7, suppose that one or more transactions have been attempted from an IP address one hundred times within an hour. Without other information, a transaction frequency of 100 attempts per hour 35 from an IP address may indicate a fraudulent transaction. However, if that IP address represents a network proxy or firewall which provides Internet access to multiple users, then a transaction frequency of 100 attempts per hour may in fact not indicate a likely 22/12/11 3042991_1 (GHMatter) P71720AU.1 - 18 fraudulent transaction. Therefore, comparing the transaction frequency to the host type of the IP address can optimize the fraud determination by decreasing false positives when the IP address represents a proxy, firewall, or other Internet gateway which provides access for multiple users, several of whom may be conducting one or more 5 legitimate transactions. Other factors such as connection type, travel velocity, information retrieved from a behaviour profile, geographic location, user supplied factors, and the like, may also be combined with transaction frequency to enhance the accuracy of the fraud determination. While the invention has been described in detail in connection with exemplary 10 embodiments, it should be understood that the invention is not limited to the above disclosed embodiments. Rather, the invention can be modified to incorporate any number of variations; alternations, substitutions, or equivalent arrangements not heretofore described, but which are commensurate with the spirit and scope of the invention. In particular, the specific embodiments of the Fraud Risk Advisor described 15 should be taken as exemplary and not limiting. For example, the present invention may be used in a web-based application. Accordingly, the invention is not limited by the foregoing description or drawings, but is only limited by the scope of the appended claims. In the claims which follow and in the preceding description of the invention, 20 except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention. 25 22/12/11 30429911 (GHMatters) P71720AU.1

Claims

1. A method comprising: determining, by a processor, a first access location based on a first internet (IP) 5 address of a first client computer; determining, by the processor, a first access time; determining, by the processor, a second access location based on a second IP address of a second client computer; determining, by the processor, a second access time; and io calculating, by the processor, a travel velocity between the first access location and the second access location as a function of the first access location and the first access time and the second access location and the second access time; and determining if an online transaction executed from one of the first IP address or the second IP address is fraudulent based on the travel velocity between the first 15 access location and the second access location, the online transaction comprising one or more of banking account access, a credit card transaction, an online bill payment, a wire transfer, a stock trade, or a transaction utilizing personal information.

2. The method of claim 1, wherein the calculating step comprises the steps of: 20 computing a distance between the first access location and the second access location; computing a time difference between the first access time and the second access time; and calculating the travel velocity between the first access location and the second 25 access location by dividing the computed distance by the computed time difference.

3. A method comprising: determining, by a processor, for a user, a first access location associated with a first client computer, and a first access time; 30 determining, by the processor, for the user, a second access location associated with a second client computer based on an IP address of the second client computer; determining, by the processor, for the user a second access time; and calculating, by the processor, the travel velocity of the user as a function of the first access location and the first access time and the second access location and the 35 second access time; and determining if an online transaction executed from one of the first IP address or the second IP address is fraudulent based on the travel velocity. 22/12/11 3042991 1 (GHMatters) P71720.AU.1 - 20

4. The method of claim 3, wherein the first access location and the first access time are determined from a behavior profile associated with the user.

5 5. The method of claim 3, wherein the first access location is determined as a function of the user's IP address at the first access location.

6. The method of claim 3, further comprising storing the second access location in the behavior profile associated with the user, the behavior profile being stored in the io database coupled to the processor.

7. The method of claim 3, wherein the first access location is based on the user's last valid access location. is

8. The method of claim 3, wherein the second access location and the second access time are the user's current access location and current access time.

9. A method comprising: computing, by a processor, one or more factors based on an IP address of a 20 computer associated with a user, wherein at least one factor is a travel velocity of the user between a first access location and a second access location, one of the first access location or the second access location being associated with the IP address of the computer; and determining, by the processor, whether an online transaction executed from the 25 IP address of the computer is fraudulent based on the one or more factors.

10. The method of claim 9, wherein the determining step comprises determining whether the online transaction is fraudulent by applying one or more rules to at least one factor of the one or more factors. 30

11. The method of claim 9, wherein the user's travel velocity is determined according to the steps of: determining for the user, by the processor, the first access location based on a first IP address of a first client computer; 35 determining for the user, by the processor, a first access time; determining for the user, by the processor, the second access location based on a second IP address of a second client computer; 22/12/11 3042991_1 (GHMaters) P71720 AU.A - 21 determining for the user, by the processor, a second access time; and calculating, by the processor, the user's travel velocity between the first access location and the second access location as a function of the first access location and the first access time and the second access location and the second access time. 5

12. The method of claim 11, wherein the calculating the user's travel velocity step comprises the steps of: computing a distance between the first access location and the second access location; 1o computing a time difference between the first access time and the second access time; and calculating the travel velocity between the first access location and the second access location by dividing the computed distance by the computed time difference. 15

13. The method of claim 9, further comprising forwarding, by the processor, the determination to a client for further processing by the client.

14. The method of claim 9, further comprising generating, by the processor, a report based on the determination. 20

15. The method of claim 9, further comprising generating, by the processor, a risk score associated with the online transaction, the risk score comprising an aggregation of risk values based on one or more of a computation of risk values and risk weights or a computation of a rule setting the risk score. 25

16. The method of claim 15, further comprising storing, at a database functionally coupled to the processor, the risk score in a database.

17. The method of claim 15, wherein a client assigns a threshold level for 30 comparison with the risk score.

18. The method of claim 17, wherein the online transaction is determined to be fraudulent when the risk score exceeds the threshold level. 35

19. The method of claim 15, wherein the risk score is generated in real time.

20. The method of claim 9, further comprising accessing a result of the determining 22/12/11 30429911 (GHMae) P71720AU.1 - 22 step by a client.

21. The method of claim 9, wherein the client may designate whether or not the online transaction is fraudulent. 5

22. The method of claim 9, wherein at least one of the one or more factors is static or dynamic.

23. The method of claim 9, wherein a factor comprises a country, region or city io associated with the IP address.

24. The method of claim 9, wherein a factor is an address supplied by a client for comparison with an address associated with the IP address. 15

25. The method of claim 9, wherein a factor is an area code and a telephone number supplied by a client for comparison with an area code and a telephone number stored in a database that is associated with the client.

26. The method of claim 9, wherein a factor is an email address supplied by a client 20 for validation.

27. The method of claim 9, wherein a factor is an access behavior associated with the user based on transaction habits stored in a database functionally coupled to the processor that are compared with a current transaction. 25

28. The method of claim 9, wherein a factor is a frequency in which the online transaction is attempted within a predetermined period of time.

29. The method of claim 9, wherein a factor is a velocity with which a single IP 30 address accesses or uses multiple unique identifiers within a specified period of time.

30. The method of claim 9, wherein a client is configured to assign a threshold level for at least one of the one or more factors. 35

31. The method of claim 9, wherein a client is configured to create one or more user defined factors. 22/1211 30429911 (GHMatters) P71720AU.1 - 23

32. The method of claim 9, wherein a client is configured to define constraint rules for at least one of the one or more factors.

33. The method of claim 9, wherein the first access location is determined, by the s processor, from a behavior profile associated with the user.

34. The method of claim 9, wherein the first access location is based on the user's last valid access location. io

35. The method of claim 1, wherein the second access location and the second access time are the user's current access location and current access time.

36. The method of claim 9, wherein information about the second access location is stored in a database coupled to the processor in a behavior profile associated with the is user.

37. The method of claim 9, wherein information about the first access location and the second access location is stored in a database coupled to the processor. 20

38. The method of claim 9, wherein a factor comprises a connection type associated with the IP address, where connection type includes dial-up, Integrated Services Digital Network (ISDN), cable modem, Digital Subscriber Line (DSL), Digital Signal 1 (T1), or Optical Carrier 3 (OC3). 25

39. The method of claim 9, wherein a factor comprises a connection type stored in a behavior profile associated with the user, where connection type includes dial-up, Integrated Services Digital Network (ISDN), cable modem, Digital Subscriber Line (DSL), Digital Signal 1 (T1), or Optical Carrier 3 (OC3). 30

40. The method of claim 9, wherein a factor comprises a host type associated with the IP address of the user, and wherein the host type includes network end point, network proxy, or network firewall.

41. The method of claim 9, wherein a factor comprises a domain name stored in a 35 database coupled to the processor in a behavior profile associated with the user. 22/12/11 30429911 (GHMat1ers) P71720.AU.1