GB2402792A - Verifying identity and authorising transactions - Google Patents

Verifying identity and authorising transactions Download PDF

Info

Publication number
GB2402792A
GB2402792A GB0313490A GB0313490A GB2402792A GB 2402792 A GB2402792 A GB 2402792A GB 0313490 A GB0313490 A GB 0313490A GB 0313490 A GB0313490 A GB 0313490A GB 2402792 A GB2402792 A GB 2402792A
Authority
GB
United Kingdom
Prior art keywords
request
person
location
transaction
action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0313490A
Other versions
GB0313490D0 (en
Inventor
Sanjay Hora
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB0313490A priority Critical patent/GB2402792A/en
Publication of GB0313490D0 publication Critical patent/GB0313490D0/en
Publication of GB2402792A publication Critical patent/GB2402792A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/20Individual registration on entry or exit involving the use of a pass
    • G07C9/22Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2111Location-sensitive, e.g. geographical location, GPS
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129Authenticate client device independently of the user

Abstract

A notification is received of a location where a request for action has been made. This location is compared with the location of the person's portable communication device and the request is verified as being from the person if the locations are the same. Contact details of a person's portable communication device may be recorded and a message sent to the portable communication device advising that a request has been made; any response received is analysed.

Description

Method of VerifvinE Identity and AuthorisinE Transactions This invention
relates to a method of verifying identity and authorising transactions.
There are many situations in which it is desirable to verify the identity of a person or confirm that a transaction which purports to have been authorised by a person is so authorised. Most commonly this requirement to verify identity or authorisation arises in financial transactions where goods and services are to be provided or financial operations carried out on behalf of a person. For example that person could attempt to make a purchase by credit card or request that a bank account should be opened. However, this usage is not limited to financial transactions only. The identity verification method can also be used to control access and to provide enhanced internal security in situations and industries where a high level of control or security is required and a user may need another level of checks to establish their credentials and so on.
It is well known in order to prevent fraud it is desirable to confirm the identity of the person attempting to carry out the transaction andlor that instructions to carry out the transaction have come from the person from which they should have come from.
Many methods of carrying out such identity verification and authorisation have been proposed or used, particularly in the financial field to prevent credit card fraud and fraud of the type generally referred to as "Identity Theft".
However, the problem with most known methods of verifying identity and transaction authorisation is that they rely either on method specific enhancements to the underlying card technology or on the vigilance of the staff processing the transaction to confirm the person's identity or check authorization, for example by comparing the signature or photograph on a credit card with the person presenting it or the signature they provide. The reliance on method specific technical enhancements has the problem that only cards having the enhancements can be used. This requires an expensive and slow process of issuing new cards in large numbers before a new approach can be used and raises problems of compatability between different card issuers. Further, the staffprocessing the transaction are commonly low skilled or have little motivation so that such verification is often not carried out or is based on only very cursory comparisons and checks. Further, the reliance on verification by the staffprocessing the transaction is completely unable to prevent fraud involving the staff. Finally, the approaches proposed in the past have resulted in solutions which work either in card physically present scenarios or card not present scenarios. These previous attempts have failed to provide a solution that is independent of card technology and can work in both Card Present as well as Card not Present scenarios with mimimal human decision making involved.
Accordingly, it is the object of the present invention to provide a method of verifying identity and authorizing transactions, which is independent of card technologies and can work in both Card present and card not present situations in a similar fashion plus other scenarios where card may not be a way of identifying a person, having an improved resistance to fraud.
In a first aspect, this invention provides, a method of identity verification comprising the steps of: recording contact details of a person's portable communication device; receiving notification that a request for action purporting to be on behalf of the person has been made and a location where the request was made; attempting to determine a location of the portable communication device; comparing the location where the request was made and the location of the portable communication device, if this can be determined; and verifying that the request is from the person if the locations are the same and not verifying that the request is from the person if the locations are not the same or the location of the portable communication device cannot be determined.
In a second aspect, this invention provides a method of authorising transactions, comprising the steps of: recording contact details of a person's portable communication device; receiving notification that a request for action purporting to be on behalf of the person has been made; sending a message to the portable communication device advising that the request has been made; analysing any response received and determining whether the request for action was on behalf of the person based on the analysis; and determining that the request was not on behalf of the person if no response is received.
The present invention is based upon the use of portable wireless communication devices.
At present the most common and readily available such device would be a mobile telephone and accordingly the use of the invention with a mobile phone will be discussed in the examples below. However, the invention can be used with other forms of portable wireless communication device such as pagers, personal digital assistants and similar devices. The main functionality required in order to be able to carry out the invention is that the device is portable and able to receive and preferably send messages. This is all that is required to carry out the basic invention, although further functionality may be required in some specific applications.
Preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying diagrammatic figures, in which: Figure 1 shows examples of operation of a first embodiment of the invention and; Figure 2 shows an example of a second embodiment of the invention.
A first embodiment of the invention will now be discussed in detail when applied to verifying the identity of a person attempting to carry out a credit card purchase.
In order for the invention to be used, the authorised credit card holder must have registered their mobile phone number with the credit card issuing bank, or the bank or other financial institution responsible for authorising the processing of transactions, such as purchases, using the card, when is not the same as the issuing bank.
As is conventional, in a situation where a credit card is used with the card present at the point of sale, when the credit card is presented for payment as part of a transaction the staff carrying out the transaction pass the credit card through an on line transaction terminal incorporating a card reader. The transaction terminal then reads data from the card and sends a transaction authorization request to the payment authorising financial institution.
This request includes data obtained or derived from the card which identifies the card and also includes any required details of the transaction such as the amount of the transaction and the account or entity to which payment is to be made. It should be understood that the authorization request must include information identifying the requesting transaction terminal in order for the required response authorising or refusing the transaction to be returned to the terminal from the payment authorising financial institution.
In this first embodiment using the method according to the invention, when the authorization request is received the authorising financial institution contacts the mobile telephone network services provider responsible for providing a service to the registered mobile telephone and requests location information identifying the current location of the mobile phone. When this location information is received from the mobile phone service provider the authorising institution compares the currently physical location of the mobile phone with the known physical location of the terminal requesting authorization.
The two locations are compared and depending upon whether they agree or the amount by which they disagree it can be assessed whether the authorised card user is physically present at the transaction terminal location. Preferably, this assessment is made as a probability that the authorised card user is physically present at the transaction terminal location. The authorising financial institution then sends a response to the transaction terminal authorising or not authorising the transaction based at least in part upon this measure of probability.
The decision to authorise or not authorise the transaction does not have need to be made solely based upon the assessment of the probability that the authorised card user is physically present at the same location as the transaction terminal. Other reasons for authorising or not authorising a transaction can also be taken into account, similarly to known fraud prevention measures.
It should be understood that this first embodiment of the invention is useful to authorise both type of transactions; that is, transactions of the type disclosed above where the card and a person claiming to be the authorised card user is present at the transaction location and also transactions where the person is not present and instead is transacting through internet by entering his/her card details on a web-based shopping cart (or a similar system) Accordingly, in order for the invention to be effective the authorised card user must accept that in order to reliably use their credit card they will need to have their mobile phone with them and switched on whenever they attempt to make a transaction. Since the great majority of authorised credit card holders will already own a mobile phone this should not be an obstacle to carrying out the invention. Further, in practice it is expected that most credit card holders will accept this limitation in order to protect themselves from possible fraud.
In order to carry out the first embodiment of the invention, where the card holder is physically present at the transaction terminal, the authorising institution must maintain a database of the location of all transaction terminals. This database can easily be produced and maintained because in order for on-line authorization of credit card transactions to take place it is already necessary that the authorization request messages uniquely identify the transaction terminal requesting the authorization and that the authorising institution has access to a database or listing of all possible transaction terminals.
In the same way, when a card is not physically present at the place of the transaction and instead the card details are entered through a shopping cart (or another similar system) in a web based purchasing system, the system will capture the IP address of the terminal from which the transaction has been initiated. This IP address can then be converted into a physical address or location in terms of latitude and longitude, or some other location defining system The physical location of the mobile phone can be obtained by the mobile phone service provider in a number of ways.
Firstly, in order for the mobile phone system to function the system controller must know the location of the mobile phone in order to allow the mobile phone to be contacted. Most mobile phone systems employ a network of base stations, each of which is able to communicate with mobile phones within a defined region, usually called a cell, around the base station. Accordingly, the mobile phone service provider will know the approximate location of the mobile phone, at least to the level of accuracy of which cell the mobile phone is in.
Secondly, it is possible for the location of the mobile phone within a cell to be determined to a greater level of accuracy by measuring parameters of radio signals passing between the mobile phone and one or more base stations such as signal strength, delay time and the like.
Thirdly, if the mobile phone has a GPS or similar on board system for determining its own position the location information can be obtained by enquiry from the mobile phone itself.
The present invention can be used with all of these methods of obtaining the location of mobile phones. However, the invention is not limited to the listed methods and can be used with any other methods which are known or developed in the future. All of these methods of determining the location of the mobile phone are subject to some error and uncertainty.
Further, the precise location of the transaction terminal may also be subject to some error, uncertainty or variation. Finally, the location of the hardware corresponding to IP addresses may also be subject to some error, uncertainty or variation. For instance, although the address or building in which the transaction terminal, which may be the in-store terminal or the user transaction terminal located at an IP address is located may be known, the precise location of the terminal within the building may be unknown or subject to change without notice. This is of course particularly the case where the transaction terminal itself is portable and carried about the premises by staff. In order to allow for this the location information held on the transaction terminal may include information regarding the expected error or variability in location in order to improve the efficiency of the invention.
This information may identify portable transaction terminals and/or the size of the building or business premises where the terminal is located. However, this is not essential.
The invention is based on the basic concept that location information is assessed to verify the alleged card users identity on the basis that if the authorised card user's mobile phone is physically present at the same location as the transaction terminal this verifies the identity of the person presenting the card as the authorised card user and the transaction should be authorised. Alternatively, if the authorised user's mobile phone is not physically present at the transaction terminal location the users identity is not verified and the transaction should not be authorised. Of course, even if the authorised user's mobile phone is judged to be present at the transaction location the transaction may still not be authorised if other criteria for transaction authorization are not met.
Further, action may optionally be taken against the person presenting the card and purporting to be the authorised card user when the authorised card user's mobile phone is not present at the transaction location. The action taken may vary, but may include seizure of the credit card. If action is to be taken, it is preferable to distinguish between failure to obtain a current location for the authorised card user's mobile phone and the location and time of the most recently detected past location, the "stale" location is compatible with the user currently being at the transaction location, in which case the transaction will not be authorised but no further action taken, and identifying the current or stale location of the authorised card user's mobile phone at a location different to or not compatible with the transaction location, in which case the transaction is not authorised and the attempted transaction is treated as a fraud attempt. Any appropriate action can then be taken similarly to any other detected fraud such as blocking further use of the card, notifying the police and seizing the card.
Preferably the action taken is based upon the calculated probability of the authorised card users mobile phone being present at the transaction location. As suggested above, where no location information regarding the authorised users mobile phone can be obtained, as ^8 will be the case if the mobile phone is switched offor not working, the most recently detected location and the time since this was detected are used to calculate the probability.
Alternatively, in a more secure system, if no current location of the authorised users mobile phone can be obtained the transaction is not authorised, but no further action is taken.
Where a current or stale location of the authorised card users mobile phone is obtained the action taken can be based upon the probability of this location being the transaction location. For example, the range of probabilities can be divided into high probability, medium probability and low probability and these cases can be responded to differently.
Where there is a high probability the transaction can be authorised, subject to the possibility that authorization may be refused on other grounds. Where the probability is medium the transaction will not be authorised but no further action is taken. Where the probability is low the transaction is not authorised and is treated as an attempted fraudulent transaction and further action such as blocking or seizure and retention of the card will be taken. The probability levels or probability related values corresponding to high, medium and low classification can be varied as required in any particular application.
Advantageously, the value of the transaction may be taken into account in setting the levels or values triggering different actions so that more valuable transactions require a higher probability to be authorised, or use the alternative suggestion above of The invention is primarily directed to immediate authorization or refusal of individual transactions. The record of attempted and authorised or non-authorised transactions and the corresponding location information may be retained over time to allow historical analysis to identify patterns of behaviour which may indicate fraud, if desired.
The first embodiment is described above in terms of the card issuer or the financial institution responsible for authorising transactions carrying out the entire method of the invention itself for clarity. It should be understood that this is not essential and it is expected that in practice it will be more convenient for the process to be carried out by a dedicated identity verification service provider on behalf of the bank, financial institution or any other institute which may need to verify a user's identity. This identity verification service provider can act as an interface between multiple banks and financial institutions and other type of institutes or government agencies, which may require identity verification and multiple mobile phone service providers or networks.
There are a number of ways for such a service to be carried out and some of them will now be described in more detail with reference to Figure 1.
In Figure 1 an identification verification service provider (IVSP) 1 provides identity verification services to a number of users to a 2B to 2C. In this example the identity verification is being carried out to prevent credit card fraud and the users 2A to 2C will be banks or other financial institutions.
In a first arrangement the first user 2A provides the IVSP1 with a mobile phone number only. The IVSP1 identifies the relevant mobile phone service provider 3 from the range of possible mobile phone service providers 3A to 3D and contacts the mobile phone service provider 3 requesting location information for the mobile phone. The mobile phone service provider then provides a response which identifies the current physical location of the mobile phone, or if no current location can be obtained, stale information identifying the last known position of the mobile phone and the time at which, or the length of time since is also provided. The IVSP1 then passes the location information to the first user 2A.
The location information could take any convenient form as required. Typically the location will be a specific location, for example latitude and longitude or national grid reference or an identification of a cell area within which the phone is located.
Identification of the cell area could take any convenient form such as the actual boundaries of the cell or a central location of the cell and its approximate shape and diameter. The means by which the location information was obtained may optionally be identified, for example, by interrogation of GPS data on the mobile phone or by current cell location.
Further the expected possible error in the position may be identified. Depending upon the degree of complexity or sophistication required each location information could have a specific possible error value attached. Alternatively, the user could treat all location information as having the same possible error or treat all location information obtained by a particular method as having the same possible error. In these cases the possible error may be regarded as implicit in the processing and not be explicitly stated.
In this case the first user 2A is provided with the location of the mobile phone, which may be the current position or a stale position, if found, with the transaction terminal location is carried out by the user 2A.
The second approach used by the second user 2B provides the IVSP 1 with the transaction terminal location information and the mobile phone number. The IVSP1 obtains the location information from the relevant mobile phone service provider 3 as before, compares this to the transaction terminal location information and, based on this comparison, sends the second user 2B information regarding the distance between the two locations, and if relevant, the time at which, or time since, any stale location was measured.
Or a probability, or other calculated score indicating the probability, that the mobile phone is at the transaction terminal location.
The calculated probability or score should take into account the time which has elapsed since any stale location was measured.
The second user 2B can then take action based on this distance, time or probability as discussed above.
Alternatively, the second user 2B could be supplied with a response indicating that the transaction should be authorized, (unless there is another reason for refusing authorization) should not be authorised, or possibly should be treated as fraud and further action taken.
It should be understood that the method being carried out is the same for both users 2A and 2B as in the earlier description, all that has been changed is the entity carrying out the different parts of the method. - 1 1
The transaction terminal location information may be in any convenient form such as a physical location defined by latitude and longitude or a grid reference or an address. The transaction terminal location information may also include information regarding the likely error in the location or any relevant information such as the size of the building or business premises and whether the transaction terminal is mobile.
In the second embodiment of the invention identify verification by transaction authorization is carried out by sending a message to the person whose identity is to be verified or whose authorization is required, having the person make a response and taking into account the response when deciding whether the persons identify is verified or a transaction is authorised.
When the second embodiment of the invention is to be used to verify the persons identify they must provide their mobile phone number to the verifying authority as part of the registration process. When a transaction of any kind is requested which requires the identity of the requester to be verified a message is sent to the persons mobile phone. If the person then sends a response to the message the decision as to whether the persons identity is verified is made based upon the return message.
There are a number of alternative ways in which this method can be carried out and so that the examples can be clearly understood they will be discussed as applied to preventing credit card fraud.
The first option is to send a message informing the authorised card user that a transaction has been requested and identifying the transaction in as much detail as is necessary. If no reply is received from the authorised user or a reply is received from the authorised user indicating that they are not aware of the transaction the transaction will not be authorised.
Alternatively if a reply is received from the authorised user indicating that they are aware that the transaction is taking place the transaction may be authorised. Of course, the transaction may still not be authorised for other reasons.
In this case the response could be as simple as yes or no. If the response is text this could merely be represented by the letters Y or N. or some other alphanumeric combination.
The messages to and from the mobile phone could be an automated voice message and a verbal response processed by voice recognition means or text messages. Generally, the use of text messages is preferred because these can be more reliably automatically processed and are currently cheaper to send.
The first embodiment of the invention and the first option to carry out the second embodiment described above are not infallible, but nor is any other method of identity verification. The embodiments described above will detect and prevent credit card fraud, even in cases where the fraud is carried out by staff generating duplicate transactions. The embodiments described above will not prevent fraud by a thief who has stolen both the credit card and the matching mobile phone. however, you requirement to have a mobile phone as well as a credit card presents a significant obstacle to fraud. Further, a theft victim is likely to notice theft of their mobile phone much more quickly than they will notice the theft of a credit card so that the theft will be noticed and notified more quickly, reducing the time window available for fraudsters to use a credit card before it is registered as stolen and its use blocked. Further, frauds carried out by use of cloned credit cards carrying identical information to legitimate credit cards or fraud by or with the connivance of the staffprocessing duplicate transactions or carry out ficticious transactions using the details of credit cards which have earlier been presented for legitimate transactions can be entirely prevented. This type of fraud has proved extremely hard to detect and prevent in the past because there is no requirement for any physical theft of the legitimate credit card from the authorised user so that fraudulent transactions are usually only identified long after the event when the authorised user notices unrecognized transactions on their credit
card statements.
Further options for carrying out the second embodiment of the invention can be used to prevent credit card fraud even by a thief who has the credit card and the corresponding mobile phone.
In the second option the message sent to the authorised credit card users through their mobile phone requires a prearranged specific response which must match a response expected by the transaction authorising institution. This required response may be a secret code such as a PIN number or password or may be information which although not strictly secret is unlikely to be known by a random thief such as the authorised card users mothers maiden name or the users date of birth.
If no reply is received or an incorrect reply is received the transaction will not be authorised.
Similarly to the first embodiment, in methods according to the second embodiment further action additional to not authorising the transaction may optionally be taken when an incorrect response is made. In both embodiments such further actions could include seisure of the credit card or identifying the card as stolen or potentially fraudulent and blocking all future transaction until the authorised user takes steps to rectify the situation.
The first and second embodiments of the invention can be both used together if desired.
In figure 1 the IVSP 1 is be able to support both embodiments of the invention. The third user 2C wishes to use the second invention. Accordingly the third user 2C sends the IVSP 1 a mobile phone number together with a message to be sent. The IVSP 1 sends the message to the mobile phone number through the appropriate mobile phones service provider 3A to 3C. The IVSP 1 then waits for a response and if a reponse is receivedthe IVSP 1 sends the received response to the third user 2C. The third user 2C may provide the IVSP 1 with the full message to be sent
or they may simply identify which of a number of prerecorded messages is to be sent. The IVSP1 may return to the third user 2C the actual response received, (if any) or may just reply as appropriate that no response was received. Alternatively, the IVSP1 may compare the response itself and provide the third user 2C only with the information as to whether the transaction was authorised.
Another use of the second embodiment of the invention is to prevent fraud based on "Identity Theft". And in particular a variant of identity theft commonly called "account takeover". This growing problem is currently the fastest growing type of fraud and is expected to become the dominant type of fraud in the future as many more common types of fraud are made effectively impossible by improvements in technology.
In account take over fraud the fraudster requires personal information about a person and uses the information to open new bank accounts or apply for loans, mortgages and similar financial benefits by pretending to be that person. The person who's identity is being misused may not come to know about the fraud for a considerable length of time, allowing the fraudster to potentially run up very large debts before any risk or suspicion arises.
Some financial services today allow persons who believe that may be at risk of or suffering from identity theft to register their address with a central authority which then relays a warning with Credit Rating Agencies. When the costumers or members of the Credit Rating Agencies such as Financial Institutions, mobile phone service providers, insurance companies, banks etc use the Credit Rating Agencies to authorising opening new accounts, loans or the like they will get a warning that requests for transactions on behalf of that person or address need special processing and verification.
This approach requires a person to take deliberate steps to register themselves as being at danger from Identity Theft but unfortunately it is very rare for anyone to know that they are at risk until after at least some fraudulent activity has occurred. Further, this general approach for requiring special action for verification in cases where identity theft is perceived as a particular risk cannot be used to protect people in general because it would be impractical to apply the special degree of verification in all instances.
This use of the second embodiment of the invention is shown in figure 2.
Using the second embodiment of the invention, the person 4 wishing to be protected provides their mobile phone number to a trusted institution 5, such as bank, which becomes their "Identity Protector".
The identity protector institution 5 then informs the credit rating agencies 6 that they are the identity protector for the person 4.
When any attempt is made to carry out a financial operation and purporting to be by the person 1, such as opening a new account or applying for a loan or credit card at a bank 7, or other organization, the bank 7 or other organization will contact the credit rating agency 6 to check the credit history of the person 4.
The credit rating agency 6, in real time, will then contact the identity protector institution 5 and inform them that the attempt has been made. In response the identity protector institution 5 will instruct the IVSP 1, again in real time, to send a message to the registered mobile phone advising that the attempt has been made and asking the person 4 to confirm that this is desired by them.
The IVSP 1 will then advise the identity protector institution 5 of any response, or of failure to receive a response. The identity protector institution 5 will assess whether any response received is acceptable and decide whether the requested transaction is on behalf of the person 4 and advise the credit rating agency of their decision. The response may be a simple yes or no. Alternatively, the response may require a PIN or other secret element which can be checked against an expected response by the identity protector institution 5.
This decision will then be used by the credit rating agency as the basis for their reply to the bank 7 as to whether the transaction should be allowed or whether fraud is being attempted.
This whole process of verifying a user's identity can be carried out in real time while the system is waiting for the verification results.
It should be noted that the invention does not require any sensitive financial information to be given to the IVSP 1. The IVSP 1 only needs to be given the mobile phone number of the relevant mobile phone and does not need to know the persons name. Further in applications using coded responses or PIN numbers the IVSP 1 does not need to know whether the reply is correct, the IVSP 1 just passes the responses to the user 3 or identity protector institution 5, which checks whether they are correct.
In the above example only a single credit rating agency is referred to for clarity. In practice there will be multiple credit rating agencies and the identity protector institution may contact one, some or all of them as necessary.
The examples described above relate to financial transactions and particularly to credit card transactions. This invention can be applied to other situations, for example to control access to a site or building.
The invention is described above as using mobile telephones. As stated above, these could be replaced with any suitable portable communication device. -1 '

Claims (13)

  1. Claims 1. A method of identity verification comprising the steps of:
    recording contact details of a person's portable communication device; receiving notification that a request for action purporting to be on behalf of the person has been made and a location where the request was made; attempting to determine a location of the portable communication device; comparing the location where the request was made and the location of the portable communication device, if this can be determined; and verifying that the request is from the person if the locations are the same and not verifying that the request is from the person if the locations are not the same or the location of the portable communication device cannot be determined.
  2. 2. A method according to claim 1 in which the probability that the locations are the same is assessed and the locations are regarded as being the same or not based upon this probability.
  3. 3. A method according to claim 1 or claim 2 in which the request for action is authorised to be carried out if the request is from the person and the request for action is not authorised to be carried out if the request is not from the person.
  4. 4. A method according to claim 3 in which the authorization to carry out the request for action is provisional and may be rescinded based on other criteria.
  5. 5. A method according to any preceding claim in which the portable communication device is a mobile telephone.
  6. 6. A method according to claim 5 in which the location of the mobile telephone is determined by the mobile telephone.
  7. 7. A method according to claims in which the location of the mobile telephone is given in the form of a network cell.
  8. 8. A method according to any preceding claim in which the requested action is a card transaction or a user identity presentation
  9. 9. A method of authorising transactions, comprising the steps of: i recording contact details of a person's portable communication device; receiving notification that a request for action purporting to be on behalf of the person has been made; sending a message to the portable communication device advising that the request has been I made; analysing any response received and determining whether the request for action was on behalf of the person based on the analysis; and determining that the request was not on behalf of the person if no response is received.
  10. 10. A method according to claim 9 and including the further step of recording validating information, in which the step of analysing any response includes comparing the response to the recorded validating information and determining that the request was on behalf of the person if the response agrees with the recorded validating information.
  11. 11. A method according to claim 9 or claim 10 in which the request for action is I authorised to be carried out if the request is on behalf of the person and the request for action is not authorised to be carried out if the request is not on behalf of the person.
  12. 12. A method according to claim 11 in which the authorization to carry out the request for action is provisional and may be rescinded based on other criteria.
  13. 13. A method according to any preceding claim in which the portable communication device is a mobile telephone.
GB0313490A 2003-06-11 2003-06-11 Verifying identity and authorising transactions Withdrawn GB2402792A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0313490A GB2402792A (en) 2003-06-11 2003-06-11 Verifying identity and authorising transactions

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0313490A GB2402792A (en) 2003-06-11 2003-06-11 Verifying identity and authorising transactions

Publications (2)

Publication Number Publication Date
GB0313490D0 GB0313490D0 (en) 2003-07-16
GB2402792A true GB2402792A (en) 2004-12-15

Family

ID=27589891

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0313490A Withdrawn GB2402792A (en) 2003-06-11 2003-06-11 Verifying identity and authorising transactions

Country Status (1)

Country Link
GB (1) GB2402792A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006096907A1 (en) * 2005-03-14 2006-09-21 Ian Charles Ogilvy A system and method for facilitating a transaction
EP1962238A1 (en) * 2007-02-26 2008-08-27 BIGG International Inc. A method for restricting a use of a credit or debit card
WO2012134330A1 (en) 2011-03-25 2012-10-04 Общество С Ограниченной Ответственностью "Аилайн Кэмьюникейшнс Снг" Method for presenting information when conducting distributed transactions and structure for implementing same
GB2490099A (en) * 2011-04-11 2012-10-24 Steven Mark Wright Multi-factor authentication through mobile device location based service
US11308477B2 (en) 2005-04-26 2022-04-19 Spriv Llc Method of reducing fraud in on-line transactions
US11354667B2 (en) 2007-05-29 2022-06-07 Spriv Llc Method for internet user authentication
US11792314B2 (en) 2010-03-28 2023-10-17 Spriv Llc Methods for acquiring an internet user's consent to be located and for authenticating the location information
US11818287B2 (en) 2017-10-19 2023-11-14 Spriv Llc Method and system for monitoring and validating electronic transactions

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000062262A1 (en) * 1999-04-12 2000-10-19 Sarl Smart Design Method and device for securing the use of cards comprising means of identification and/or authentication
GB2372860A (en) * 2000-10-04 2002-09-04 Nec Corp Authentication system using position information
WO2003036576A2 (en) * 2001-10-20 2003-05-01 Wojciech Wojciechowski Method and system of additional securing of payment card payments

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000062262A1 (en) * 1999-04-12 2000-10-19 Sarl Smart Design Method and device for securing the use of cards comprising means of identification and/or authentication
GB2372860A (en) * 2000-10-04 2002-09-04 Nec Corp Authentication system using position information
WO2003036576A2 (en) * 2001-10-20 2003-05-01 Wojciech Wojciechowski Method and system of additional securing of payment card payments

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006096907A1 (en) * 2005-03-14 2006-09-21 Ian Charles Ogilvy A system and method for facilitating a transaction
US11308477B2 (en) 2005-04-26 2022-04-19 Spriv Llc Method of reducing fraud in on-line transactions
EP1962238A1 (en) * 2007-02-26 2008-08-27 BIGG International Inc. A method for restricting a use of a credit or debit card
US11354667B2 (en) 2007-05-29 2022-06-07 Spriv Llc Method for internet user authentication
US11556932B2 (en) 2007-05-29 2023-01-17 Spriv Llc System for user authentication
US11792314B2 (en) 2010-03-28 2023-10-17 Spriv Llc Methods for acquiring an internet user's consent to be located and for authenticating the location information
WO2012134330A1 (en) 2011-03-25 2012-10-04 Общество С Ограниченной Ответственностью "Аилайн Кэмьюникейшнс Снг" Method for presenting information when conducting distributed transactions and structure for implementing same
US9226154B2 (en) 2011-03-25 2015-12-29 Eyeline Communications Cis, Llc. Method for presenting information when conducting distributed transactions and structure for implementing same
GB2490099A (en) * 2011-04-11 2012-10-24 Steven Mark Wright Multi-factor authentication through mobile device location based service
US11818287B2 (en) 2017-10-19 2023-11-14 Spriv Llc Method and system for monitoring and validating electronic transactions
US11936803B2 (en) 2019-12-22 2024-03-19 Spriv Llc Authenticating the location of an internet user

Also Published As

Publication number Publication date
GB0313490D0 (en) 2003-07-16

Similar Documents

Publication Publication Date Title
US11288676B2 (en) Private confirmation system
US7383988B2 (en) System and method for locking and unlocking a financial account card
US20170132631A1 (en) System and method for user identity validation for online transactions
US8745698B1 (en) Dynamic authentication engine
EP1469368B1 (en) Security method and system with cross-checking based on geographic location data
US7983979B2 (en) Method and system for managing account information
US8116731B2 (en) System and method for mobile identity protection of a user of multiple computer applications, networks or devices
US20070033139A1 (en) Credit applicant and user authentication solution
US20070198410A1 (en) Credit fraud prevention systems and methods
US20080162383A1 (en) Methods, systems, and apparatus for lowering the incidence of identity theft in consumer credit transactions
US20030195859A1 (en) System and methods for authenticating and monitoring transactions
US20080184351A1 (en) System and method for authenticating a person's identity using a trusted entity
US20040215574A1 (en) Systems and methods for verifying identities in transactions
WO2004079499A2 (en) System and method for verifying user identity
WO2014145566A1 (en) Financial account protection method utilizing a variable assigning request string generator and receiver algorithm
US10373246B1 (en) Method and apparatus of providing enhanced authentication and security for financial institution transactions
GB2402792A (en) Verifying identity and authorising transactions
US20210185036A1 (en) Secure authentication system
US20140337224A1 (en) Cardholder Changeable CVV2
WO2001054003A1 (en) Secure internet payment method
KR20030043866A (en) A password system
GB2469029A (en) Internet payment card verification using mobile location
KR20030090176A (en) Method of authenticating user's action by nomal or abnomal registration information

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)