|Publication number||US20060083408 A1|
|Application number||US 11/245,662|
|Publication date||Apr 20, 2006|
|Filing date||Oct 7, 2005|
|Priority date||Feb 9, 1998|
|Also published as||US6980670|
|Publication number||11245662, 245662, US 2006/0083408 A1, US 2006/083408 A1, US 20060083408 A1, US 20060083408A1, US 2006083408 A1, US 2006083408A1, US-A1-20060083408, US-A1-2006083408, US2006/0083408A1, US2006/083408A1, US20060083408 A1, US20060083408A1, US2006083408 A1, US2006083408A1|
|Inventors||Ned Hoffman, David Pare, Jonathan Lee, Philip Lapsley|
|Original Assignee||Ned Hoffman, Pare David F Jr, Lee Jonathan A, Lapsley Philip D|
|Export Citation||BiBTeX, EndNote, RefMan|
|Referenced by (8), Classifications (40), Legal Events (1)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This application is a continuation of copending U.S. Ser. No. 09/794,810, filed Feb. 26, 2001, now pending, which is a continuation of U.S. Ser. No. 09/020,363, filed Feb. 9, 1998, now abandoned.
The invention relates generally to electronic rewards computer systems designed to calculate and store incentive rewards, and more specifically to biometric tokenless computer systems which do not require the recipient to use any man-made portable memory devices such as smart cards or magnetic swipe cards.
Consumer-oriented rewards systems have become an integral part of retail point of sale and interriet commerce marketing. Retailers have multiple objectives: to attract consumers to increase the price-point of their purchases; to induce consumers to increase the frequency of their purchases from a particular retailer, and establishing a loyal purchasing pattern by the consumer with that retailer; to increase the number of consumers who purchase from a particular retailer, and to obtain demographic data from consumers about their purchasing. Rewards systems are often customized for each reward provider, hence the recipient must carry a different rewards token for each retailer in order to receive that retailer's consumer incentive rewards. Hence, in addition to their debit and credit cards, consumers are now encumbered with additional cards to carry, all of which can easily be lost, damaged or stolen. After initially signing up with these incentive programs, consumers soon dispense with their incentive cards, therefore, either the consumer incentive program offered by the retailer fails or is not as successful as it was once thought to be.
Such rewards systems may take many forms, such as providing the consumer with immediate discounts on purchased goods, accrued miles on frequent flyer programs offered by airlines, or accrued points towards the purchase of a product.
Additionally, the use of cards by consumers for accessing such rewards systems is costly and disadvantageous. Namely, retailers must absorb the cost of producing such tokens and then distributing them to consumers. Furthermore, as tokens are lost, damaged, or stolen, retailers absorb the cost of replacing the token to the consumer. Further, retailers use these tokens to only identify the consumer's rewards account, rather than being able to identify the consumer directly.
Last, such tokens have additional costs to the retailer in that the desired demographic and purchasing-pattern data can be easily de-linked once the token is separated from the consumer. This occurs because a fraudulent party makes purchases with a token that incorrectly identifies the user's rewards account as the original consumer's, thereby attributing such purchases by the fraudulent party to the original consumer's purchasing profile. At the same time, when the genuine consumer demands their rightful rewards upon making their own purchases without their appropriate rewards token, the retailer must use another, likely generic (e.g., store account), rewards account in order to accommodate that consumer's requirement of benefiting from the incentives rightly due to them based on their purchases. Hence, the retailer's franchise on accurate consumer purchasing patterns can be significantly diluted by such unreliable information, thereby causing the retailer additional losses as their target-marketing campaigns and inventory-efficiency strategies are adversely affected by this inaccurate demographic data.
The use of various biometrics, such as fingerprints, hand prints, voice prints, retinal images, handwriting samples and the like have been suggested for identification of individuals. However, because the biometrics are generally stored in electronic (and thus reproducible) form on a token and because the comparison and verification process is not isolated from the hardware and software directly used by the recipient attempting access, the problem of having to carry cards is not alleviated.
It has also been suggested that smartcards can also be used for tracking the rewards accrued by a consumer. However, smartcard-based system will cost significantly more than the “dumb” card. A smartcard costs in excess of $3, and a biometric smartcard is projected to cost in excess of $5. In addition, each point of sale station would need a smartcard reader. Furthermore, the net result of “smartening” the token is centralization of function. This may look interesting during design, but in actual use results in increased vulnerability for the consumer. Given the number of functions that the smartcard will be performing, the loss or damage of this all-controlling card will be excruciatingly inconvenient for the cardholder. Losing a card fill of accrued rewards will result loss of the accumulated rewards.
There is a need for an electronic rewards transaction system that uses a strong link to the person being identified, as opposed to merely verifying a recipient's possession of any physical objects that can be freely transferred.
A further need in an electronic rewards transaction system is ensuring consumer convenience by providing authorization without forcing the consumer to possess, carry, and present one or more proprietary tokens, such as man-made portable memory devices, in order to accumulate the rewards. Anyone who has lost a card, left it at home, had a card stolen knows well the keenly and immediately-felt inconvenience caused by such problems. Therefore, there is a need for an electronic biometric rewards transaction system that is entirely tokenless.
There is another need in the industry for a transaction system that is sufficiently versatile to accommodate both consumers who desire to use personal identification numbers (PINs) for added security and also consumers who prefer not to use them.
Lastly, such a system must be affordable and flexible enough to be operatively compatible with existing networks having a variety of electronic transaction devices and system configurations.
It is an object of the invention therefore to provide a computer system that eliminates the need for a user to possess and present a man-made memory device, such as a smart card or magnetic swipe card, in order to initiate a system access request.
It is another object of the invention to provide a computer system that is capable of verifying a user's identity, as opposed to verifying possession of propriety objects and information.
It is yet another object of the invention to verify user identity based on one or more unique characteristics physically personal to the user.
Yet another object of the invention is to provide a computer system wherein access is secure, yet designed to be convenient and easy for a consumer to use. Yet another object of the invention is to enable a user to earn incentive rewards which are either immediately provided to the user or are stored for later access by the user.
Yet another object of the invention is to enable retailers to correctly identify a consumer using the computer system so that their purchasing patterns can be linked to their personal demographic data. In this way, the retailer can more efficiently deliver products and services to pre-identified or interested consumers.
A method for processing tokenless electronic consumer rewards is described between a reward provider and a recipient using an electronic identicator comparator and at least one recipient biometric data. The method comprises creating an electronic registry of a reward provider's products or services each having a predetermined rewards value, the rewards being disbursed to recipients based upon the occurrence of predetermined criteria; a recipient registration step, wherein the recipient registers with the electronic identicator comparator at least one registration biometric sample, and recipient specific data; a recipient identification step, wherein the identicator comparator compares a recipient bid biometric sample with previously registered biometric samples for producing either a successful or failed identification of the recipient; and recipient rewards issuance step, wherein the rewards provider issues rewards to the recipient, wherein an electronic consumer rewards transaction is conducted without the recipient using any tokens, such as any plastic card or driver's licenses, or man-made portable memory devices, during the identification step.
The present invention satisfies these needs by providing a significantly improved system and method for processing tokenless electronic consumer rewards between a reward provider and a recipient using an electronic identicator comparator and at least one recipient biometric data, comprising; creating an electronic registry of a reward provider's products or services each having a predetermined rewards value, the rewards being disbursed to recipients based upon the occurrance of predetermined criteria; recipient registration, wherein the recipient registers with the electronic identicator comparator at least one registration biometric sample, and recipient specific data; recipient identification, wherein the identicator comparator compares a recipient bid biometric sample with previously registered biometric samples for producing either a successful or failed identification of the recipient; and recipient rewards issuance, wherein the rewards provider issues rewards to the recipient. The above-mentioned method and system processes an electronic consumer rewards transaction without the recipient using any tokens such as any plastic card or drivers licenses, or man made portable memory devices such as smart cards, or magnetic stripe cards.
According to one embodiment of the invention, there is a system and a method for processing tokenless electronic rewards transactions between a reward provider and a recipient comprising: recipient rewards registry recordation, wherein an electronic record is created of a registry of a reward provider's products and the rewards that accrue to a recipient based upon the recipient's purchase of said products; recipient registration, wherein the recipient registers with the electronic identicator system at least one registration biometric sample; a proposal, wherein the reward provider proposes a commercial transaction to the recipient; recipient identification, wherein the electronic identicator compares a recipient bid biometric sample with previously registered biometric samples for producing either a successful or failed identification of the recipient; electronic rewards calculation, wherein upon the successful identification of the recipient, the recipient's rewards are calculated resultant from the recipient's product purchases pursuant to the reward provider's proposed commercial transaction and pursuant to the recipient purchasing registry; recipient notification, wherein pursuant to the consummation of the commercial transaction, the recipient is notified of the results of the electronic rewards calculation; and, wherein a tokenless electronic rewards transaction is conducted without the recipient using any portable man-made memory devices such as smartcards or magnetic stripe cards.
According to several embodiments of this invention, the recipient rewards registry may take many forms: it may be a registry of immediate cash discounts or rebates provided to recipient during a commercial transaction; it may be the accrual of points which are credited towards the future purchase of a product or service, such as an automobile, frequent flyer miles, or free air time for phone calls. The rewards within said registry may be tied, for example, to certain product purchases, certain purchasing patterns reflecting frequency or loyalty, or certain purchase dollar amounts.
According to another embodiment of this invention, the system and the method may further provide a commercial transaction adjustment step, wherein the reward provider's proposed commercial transaction is adjusted pursuant to the electronic rewards calculation.
In yet another embodiment of the invention, there is a system and method for processing tokenless electronic rewards transactions between a reward provider and a recipient comprising: recipient rewards registry recordation, wherein an electronic record is created of a registry of a reward provider's products and the rewards that accrue to a recipient based upon the recipient's purchasing of said products; recipient registration, wherein the recipient registers with the electronic identicator system at least one registration biometric sample and an electronic rewards account; a proposal, wherein the reward provider proposes a commercial transaction to the recipient; recipient identification, wherein the electronic identicator compares a recipient bid biometric sample with previously registered biometric samples for producing either a successful or failed identification of the recipient; electronic rewards calculation, wherein upon the successful identification of the recipient, the recipient's rewards are calculated resultant from the recipient's product purchases in the reward provider's proposed commercial transaction and pursuant to the recipient purchasing registry; recipient rewards account adjustment, wherein the recipient's rewards account is adjusted pursuant to the electronic rewards calculation; recipient notification, wherein pursuant to the consummation of the commercial transaction, the recipient is notified of the results of the recipient rewards account adjustment; and, wherein a tokenless electronic rewards transaction is conducted without the recipient using any portable man-made memory devices such as smartcards or magnetic stripe cards.
In yet another embodiment of the invention, the accrued rewards resultant from recipient's purchases are stored in the recipient's or user's rewards account, along with the recipient's corresponding demographic data and purchasing patterns.
For some rewards transactions, it is not appropriate to conduct an immediate adjustment of either the commercial transaction or the recipient's rewards account. These cases include transactions where the exact reward to be credited is not known at the time of commercial transaction, or when a recipient's purchasing patterns or demographics need to be analyzed in order to determine the appropriate award. As a result, in an alternate embodiment of the invention, the computer system stores the recipient's purchases, purchasing patterns, and/or demographic data for subsequent analysis, instead of executing an immediate rewards calculation.
In yet another embodiment of the invention, the computer system communicates with one or more external computer systems in order to perform various functions, including determining if the recipient has multiple rewards that are linked to certain purchases.
In another embodiment of the invention, the recipient is co-located with the reward provider, and transaction proposals and other information is transmitted from reward provider to recipient and vice versa using a computer network such as an Intranet. In another embodiment of the invention, the recipient is remote from the reward provider, and transaction proposals and other information is transmitted from reward provider to recipient and vice versa using a computer network such as the Internet.
In most instances, the recipient being identified and the computer system are remote and physically separate from each other. All electronic communications to and from the computer system are encrypted using industry standard encryption technology, preferably the DES (Data Encryption Standard) with 112-bit encryption keys. Each identification station has its own set of encryption keys that are known only to that particular station and the computer system.
In another embodiment of the invention, the rewards transaction computer system further comprises a fraud detector engine further comprising a fraud biometric comparator and fraud biometric data bases containing a subset of the biometric samples stored in the master computer. The biometric samples of individuals who have previously attempted fraud upon the identification computer system are stored within the fraud biometric database. Thereafter, the biometric samples of those who are registering with the system are compared against the biometric samples in the fraud biometric sample database to screen for fraud attempts. This system therefore will eliminate registration of repeat offenders.
In another embodiment of the invention, the recipient uses a PIN as a secondary security means in addition to his biometric. As such, the invention incorporates something the recipient uniquely possesses (his biometric) with something the recipient uniquely knows (his PIN).
In another embodiment of the invention, the recipient may create his own PIN. The computer system then conducts a comparison of the biometric gathered with any biometrics already grouped with the selected PIN. Such a grouping of any biometrics associated with the same PIN is known herein as a PIN basket. In the event the new registrant's biometric is too similar to any of the registered biometrics currently in the selected PIN basket, that PIN is rejected and an alternative PIN is selected by the recipient for another such biometric comparison. Once the computer system is presented with a PIN basket that has no confusingly similar biometrics, the new registrant's biometric is stored in that PIN basket.
In another embodiment of the invention, the recipient may select a PIN from several generated for him by the computer system. This is done by having the computer system automatically conduct comparisons of the new registrant's biometric with any biometries resident in various PIN baskets. Once the computer system has generated several PIN options without a confusingly similar biometric, these PINS are presented to the new registrant from which the recipient may select one PIN.
In another embodiment of the invention, in the unlikely event of the theft of biometric information, the situation can be remedied by simply changing the PIN basket in which the person's biometric samples reside. After this is done, the criminal can no longer use the biometric sample to authorize transaction.
In another embodiment of the invention, the transaction rewards computer system utilizes a method for rapid search of previously stored biometric samples from individuals using at least two biometric baskets, at least one biometric basket containing at least two algorithmically unique biometric samples from different individuals. Each biometric basket is represented by the recipient's PIN and contains less than the total number of samples registered with the system. Therefore, each biometric basket is identified by the recipient's personal identification number, and is known herein as a “biometric basket code” or “BBC”. The method comprises: a storage step further comprising gathering a biometric from an individual; selection of a recipient's personal identification number that indexes a biometric basket, hence creating the BBC; locating the biometric basket identified by the BBC; comparing the biometric sample gathered from said individual with all previously stored biometric samples in the BBC to make sure that the biometric sample gathered from the individual is algorithmically unique from all biometric samples currently stored in said biometric basket, for producing a successful or failed uniqueness result. Upon return of a successful uniqueness result, the gathered biometric sample is stored in the selected biometric basket. There is a bid step further comprising: a) entering a bid personal identification number by a candidate individual, and; b) entering a bid biometric sample by said candidate individual. There is also a comparison step comprising: a) locating the BBC that is entered by said candidate individual, and; b) comparison of the bid biometric sample from said candidate individual with all of the biometric samples stored in the identified BBC for producing either a successful or failed identification result.
In another embodiment of the invention, the transaction rewards computer utilizes a system and method for rapid search of previously stored biometric samples using conversion of an image-enhanced digitized raster biometric sample, such as a fingerprint image, to vector lines in order to generate an identification value for the biometric sample. Any biometric can be used, such as a fingerprint, retina of the eye, iris of the eye, voice print, facial vascular patterns and the like. In the example of fingerprints, the raster image pixels are converted to vector lines along the fingerprint ridges and the vector lines are classified and converted according to type. The line types are then analyzed and a list of identification features corresponding to the vector line types is generated. The identification features between the vector lines types are compared and the image is classified according to fingerprint class. The computer system then generates a numerical encoding to classify the biometric sample's identifying features. This number is known herein as a biometric sorting number, or “BSN”.
The BSN may be a number shared by several registered biometrics which have similar principle biometric characteristics, or it may be a number containing one singular biometric. In the case of fingerprints, the present fingerprint identification system, based on well-known research performed by Sir Edward Richard Henry and further by the United States Federal Bureau of Investigation, uses such main number classifications as arches, loops, and whorls. Therefore, all fingerprints with a similar loop pattern may be located within the same BSN. Subsequent to this initial search, the biometric will then have to be compared to all biometrics in that BSN in order to make a determination that the submitted biometric matches the correlated registration biometric. Alternatively, the computer may directly generate a BSN specifying that unique fingerprint and placing it in a file with no other biometrics. This BSN is generated directly by a more detailed analysis of the biometric sample's characteristics in order to determine that it is distinct from all previously registered biometrics, whether they reside in a BSN or whether they are in their own singular file. Such algorithmically-based biometric characteristic sorting and classification systems, using mathematical algorithms, are known in the art for fingerprints and for other biometrics such as retina of the eye, voice print, and face vascular patterns.
In another embodiment of the invention, the transaction rewards computer system has a use-sensitive tokenless identification means for rapidly determining a frequent user's identity by performing a comparison of the frequent user's biometric with other frequent user biometric stored in a local computer which contains a subset of the total system's biometric samples. This same means can be used for rapidly accessing and amending a recipient's rewards account. This system comprises at least two local computer systems and a master computer system. The master computer has a master computer comparison engine, also referred to as a comparator. The master computer comparator further has a master user biometric database which contains or stores the biometric samples or rewards accounts of all users registered with the rewards transaction computer system. The computer system further comprises at least two local computers which are physically remote from each other. Each local computer further comprises a local user biometric database containing a subset of the biometric samples or rewards accounts contained in the master central database. If upon submission of a bid biometric or a bid rewards account, a local computer returns a failed identification result, the bid biometric or rewards account is transmitted to the master computer for comparison of the entered bid biometric sample or rewards account to the biometric samples or rewards accounts stored in the master comparator for producing either a failed or successful second identification result.
In another embodiment of the invention, the local computers are connected to each other by third interconnecting means such as an ATM network, the Internet, a private intranet, a telephone network, or a cable TV network. If a first local computer. returns a failed identification result, in addition to or independent of the search of the master computer biometric sample or rewards database, the biometric sample or rewards database of a second local computer can also be searched, as the local computers' biometric sample or rewards account databases contain a subset of biometric samples or rewards accounts from the master computer and different sets of biometric samples or rewards accounts from each other.
Another embodiment of the invention utilizes an identification computer system authenticator wherein a private code, distinct from a personal identification number and not used to gain access to the computer system, is previously gathered from the user and recorded in the central computer data bases, and is presented to only the user after an identification attempt, whereby the user is assured that the authentic computer system was used to process the account access because a false computer system would not be able to present the customer's private code.
The present invention is clearly advantageous over the prior art in a number of ways. First, it is extremely easy and efficient for the consumer to use because it eliminates the need to carry and present any tokens in order to access one's rewards accounts. The present invention eliminates all the inconveniences associated with carrying, safeguarding, and locating tokens. Further, because tokens are often specific to a particular computer system that further requires remembering a secret PIN code assigned to the particular token, this invention offers eliminates all such tokens and also offers the option of eliminating the need for memorization and recollection of any PIN. The consumer is now uniquely empowered, by means of this invention, to conveniently conduct his personal and/or professional electronic rewards transactions at any time without dependence upon tokens which may be stolen, lost, damaged, or forgotten.
The invention is clearly advantageous from a convenience standpoint to retailers by making electronic rewards transactions less cumbersome and more spontaneous. The paperwork of electronic rewards transactions is significantly reduced as compared to card purchases wherein separate receipts are generated and must be retained by the reward provider and the consumer.
Because the system of the invention is designed to provide a consumer with simultaneous direct access to all of his rewards accounts, the need for transactions involving cash money, checks, credit drafts and the like will be greatly reduced, thereby reducing the cost of equipment and staff required to collect, account, and process such 30 transactions and their associated paperwork.
Moreover, the invention is markedly advantageous and superior to existing systems in being highly fraud resistant. As discussed above, present authorization systems are inherently unreliable because they base determination of a user's identity on the physical presentation of a manufactured object along with, in some cases, information that the user knows. Unfortunately, both the token and information can be transferred to another, through loss, theft or by voluntary action of the authorized user. Thus, unless the loss or unintended transfer of these items is realized and reported by the authorized user, anyone possessing such items will be recognized by existing authorization systems as the consumer to whom that token and its corresponding rewards accounts are assigned.
The invention further prevents fraud by storing authentication information and carrying out identity verification operations at a location that is operationally isolated from the user requesting authorization, thereby preventing the user from acquiring copies of the authentication information or from tampering with the verification process. Such a system is clearly superior to existing token-based systems wherein the biometric authentication information are stored on and can be recovered from the token, and wherein the actual identity determination is performed at the same location as the user during the authorization process.
These and other advantages of the invention will become more fully apparent when the following detailed description of the invention is read in conjunction with the accompanying drawings.
The invention provides a tokenless method for identifying recipients for the purpose of authorizing an electronic rewards transactions. In a preferred embodiment, consumers conduct these transactions without the use of a personal identification number (“PIN”) or any tokens, such as cards, badges or identification cards including drivers licenses, or telephone numbers.
Turning now to the figures, the overall configuration of an embodiment of the invention and its components are shown in
Alternatively, in other embodiments, no BSN is used and the Gateway machine's comparator compares bid biometric samples to all registered biometric samples in the system.
The biometric scanner can be any one of fingerprint scanner, voice input device (microphone), palm print scanner, retinal scanner or the like, although the fingerprint scanner will be used as an example. The biometric input device is further equipped with computing modules 16, device drivers, and erasable and non-erasable memory modules. The biometric input device communicates with the terminal through preferably a serial port 17. The terminal 2 communicates through a modem 18 with the DPC 1 through messages 19 and responses 20 using one of the interconnecting means in
Biometric Input Apparatus (BIA):
The BIA is a combination of hardware and software whose job is to gather, encode, and encrypt biometric data for use in identification of the users or recipient. Actions of the BIA are directed by an outside controlling entity called a terminal, which issues commands and receives results over the BIA's serial line.
BIA software can be tailored for various BIA hardware such as: personal computer (or “PC”), retail, registration, internal, issuer, and integrated remote. Each software load provides a different, use-specific command set. For instance, the registration software load does not accept requests to form retail transaction messages. Likewise, the retail software command set cannot send recipient registration messages. In a preferred embodiment, to provide another layer of security, the DPC knows what software package is loaded into each BIA; any attempts by a BIA to send a message that it is normally not able to send is rejected by the DPC and the event is treated as a major security violation.
In a preferred embodiment, each BIA has unique encryption codes that are known only to the DPC, and specific BIA embodiments are only allowed to perform operations limited to its designated function. Each biometric input apparatus has a hardware identification code previously registered with the DPC, which makes the biometric input apparatus uniquely identifiable to the DPC in each subsequent transmission from that biometric input apparatus.
Depending on the task at hand, BIA models are either partially or fully integrated with the terminal. Partially integrated devices are physically separate from the terminal, and they include wireless and retail point of sale BIAS. Fully integrated devices are contained within the physical enclosure of the terminal itself, for instance a telephone. It is preferred that the BIA never disclose any secret encryption codes to any external source.
The external interface to the BIA is much like a standard modem; commands are sent to it from a controlling terminal using the external serial line. When a command completes, a response code is sent from the BIA to the terminal. The particulars of the BIA software command interface detailed below illustrate one particular embodiment; other embodiments may mimic popular Key pad interfaces, such as magnetic stripe card readers.
All BIA data fields are preferably in printable ASCII, with fields separated by field separator control characters, and records separated by new lines. Encrypted fields are binary converted to 64-bit ASCII using the base-64 conversion library (all known in the industry).
Terminals interface with BIAS and connect with the DPC via well known mechanisms for digital networking such as modem, X.25 packet network, telephone network, the internet, a private intranet, or even a Cable TV network. In a different embodiment, terminals require different versions of the BIA to perform their tasks. Any electronic device that can issue commands to and receive results from the biometric input device is considered to be a terminal.
Some terminals are application programs that run on a general-purpose microcomputer, while other terminals are combinations of special-purpose hardware and software as show in
While terminals are able to read some parts of BIA messages to validate that the data was processed properly by the BIA, terminals cannot read biometric identification information including the biometric data, encryption keys, or any account index codes.
It is understood that there are many different types of terminals could be employed depending on their location and manner of use; for example cable-TV point of sale terminal, Phone point of sale terminal, retail point of sale terminal and the like; which each is connected to a specific model BIA.
System Description: Data processing Center
The Data Processing Center (DPC), also known as the identicator, handles recipient registration, recipient identification electronic rewards transactions, and in some cases: reward provider identification, and registration of reward providers. Each DPC site is made up of a number of computers and databases connected together over a LAN as illustrated in
DPC components fall into three categories: hardware, software, and databases. A preferred embodiment of the invention contains the following;
FW Firewall Machine: the entry point of the DPC site.
GM Gateway Machine: the system coordinator and message processor.
DPCLAN DPC Local Area Network: connects the DPC sites
IBD Individual Biometric Database: identifies recipients either from their biometric data and a BSN or only from biometric data.
PFD Prior Fraud Database: lists recipients who have defrauded the system and can check if a biometric matches any of these recipients.
VAD Valid Apparatus Database: stores information required to validate and decrypt BIA messages.
AOD Apparatus Owner Database: stores information about the owners of BIA devices. Issuer Database: identifies issuing retailers that participate with the system.
ID Issuer Database: identifies issuing retailers that participate with the system.
AID: Authorized Individual Database: stores the list of people allowed to use personal or issuer BIA devices.
RSD Remote Reward provider Database: stores information necessary to process transactions with telephone and cable television reward providers.
RDD Recipient Demographics Database: Stores information related to specific characteristics of individual users such as gender, age, etc.
RRD Reward Registry Database: Stores information related to rewards that are to be disbursed to users, their amount, and predetermined conditions for disbursement.
RAD Recipient Account Database: Stores information related to the assignment of one or more account numbers to users for accounting accumulation of rewards by a user.
PIN Personal Identification Number: In embodiments which require a user to submit a personal identification number for security reasons only, this database stores information regarding the personal identification numbers of users.
MPM Message Processing Module: handles the processing of each message by coordinating with the other software modules and databases required to perform the message's task.
SNM Sequence Number Module: handles DUKPT sequence number processing.
MACM Message Authentication Code Module: handles MAC validation and generation.
MDM Message Decrypt Module: handles encrypting and decrypting of BIA requests and responses.
BGL IBD Machine List: handles the lookup of the main and backup database machines dedicated to holding IBD records for a given biometric group.
IML IBD Machine List: handles the lookup of the main and backup database machines dedicated to holding IBD records for a given biometric group.
BSN Biometric Sorting Number: The BSN is a number that is derived using several possible methods in order to compartmentalize the registered biometrics of users in algorithmically dissimilar groups.
When describing database storage requirements, the term “expected” means the expected condition of a fully loaded system. Terminals send identification and transaction request messages to a DPC site. The DPC site sends back a response packet containing the status of a successful or failed operation.
The request message contains a BIA message part and a terminal message part:
The BIA message part is constructed by a BIA device. It includes biometrics data, authorization amounts, and the contents of the general resisters which are set by the terminal. The MAC in the BIA message part only applies to the BIA part and not to the terminal part.
A terminal may place additional data for the message in the terminal message part. The BIA provides a message key to allow the terminal to secure the terminal part data. The BIA automatically includes the message key in the packet's encrypted biometric block when necessary. However, the terminal performs the message key encryption itself, however.
The response packet contains a standard header and two optional free-form message parts: one with a MAC and one without:
In a preferred embodiment, the message part of the response packet with a MAC is sent to the BIA so that it may validate that this part of the response has not been tampered with. The message part of the response packet without a MAC is used for transmitting large amounts of data that are not sent to the BIA for MAC validation as the BIA to terminal connection may be of limited bandwidth.
In an embodiment of the invention with multiple DPC sites, a terminal need only send its message to one of the DPC sites, typically the physically closest, because that site automatically handles updating the others by running distributed transactions as necessary.
When one of the DPC's Firewall Machines receives a packet, it forwards it to one of the GM Machines for actual processing. Each GM has a Message Processing Module that handles the coordination between the DPC components required to process the message and sends the response back to the sender.
All packets the DPC receives, with the exception of those not constructed by a BIA, contain a BIA hardware identification code (the BIA Identification of the packet), a sequence number, and a Message Authentication Code (MAC). The GM asks the MAC Module to validate the packet's MAC and then checks the sequence number with the Sequence Number Module. If both check out, the GM passes the packet to the Message Decrypt Module for decryption. If any one of the checks fail, the GM logs a warning, terminates processing for the packet, and returns an error message to the BIA device.
Each packet the DPC receives may contain an optional response key stored in the encrypted biometric block of the packet. Before the DPC replies to a message that includes a response key, it encrypts the response packet with the response key. It also generates a Message Authentication Code and appends it to the packet.
The DPC has several procedures commonly used while processing messages, which includes those shown in
The accrued rewards resultant from recipient's purchases are stored in the recipient's account, along with the recipient's corresponding demographic data and purchasing patterns.
In another embodiment of the invention, the recipient selects a PIN which is used for security purposes such as those commonly used in today's commercial transactions. Alternatively, a PIN is used as a sorting mechanism to identify the biometric group where the user's biometric data resides in.
Alternatively, the rewards computer system searches previously stored biometric samples from individuals using at least two biometric baskets, and at least one biometric basket containing at least two algorithmically unique biometric samples from different individuals. Each biometric basket containing less than the total number of samples registered with the system, and each biometric basket identified by a recipient's personal identification number, also known as a “biometric basket code” (BBC).
The identicator DPC computer retrieves all the IBD records contained in the “basket” identified by the submitted bid personal identification number. The identicator DPC comparator then compares each biometric sample contained in the basket or group of the individual's bid biometric. Preferably, if no biometric has a close enough comparison score, the comparisons are repeated using the secondary biometrics. If none of the secondary biometrics have a close enough comparison score, then the computer comparator returns an “individual not found” error. Otherwise, the IBD machine returns the full IBD record of the individual, from which such fields such as account numbers, titles, and so on are accessed.
In another embodiment of the invention, the rewards computer system searches previously stored biometric samples using conversion of an image-enhanced digitized raster biometric sample, such as a fingerprint image, to vector lines in order to generate an identification value for the biometric sample. Any biometric can be used, such as a fingerprint, retina of the eye, iris of the eye, voice print, facial vascular patterns and the like. In the example of fingerprints, the raster image pixels are converted to vector lines along the fingerprint ridges and the vector lines are classified and converted according to type. The line types are then analyzed and a list of identification features corresponding to the vector line types is generated. The identification features between the vector lines types are compared and the image is classified according to fingerprint class. The computer system then generates a numerical encoding to classify the biometric sample's identifying features. This number is known herein as a biometric sorting number, or “BSN”. The BSN may be a number shared by several registered biometrics which have similar principle biometric characteristics, or it may be a number containing one singular biometric.
In the case of fingerprints, the present fingerprint identification system (“FIS”), based on well-known research performed by Sir Edward Richard Henry and further by the United States Federal Bureau of Investigation, uses such main number classifications as arches, loops, and whorls. Therefore, all fingerprints with a similar loop pattern may be located within the same BSN. Subsequent to this initial search, the biometric will then have to be compared to all biometrics in that BSN in order to make a determination that the submitted biometric matches the correlated registration biometric. Alternatively, the computer may directly generate a BSN specifying that unique fingerprint and placing it in a file with no other biometrics. This BSN is generated directly by a more detailed analysis of the biometric sample's characteristics in order to determine that it is distinct from all previously registered biometrics, whether they reside in a BSN or whether they are in their own singular file. Such algorithmically-based biometric characteristic sorting and classification systems, using mathematical algorithms, are known in the art for fingerprints and for other biometrics such as retina of the eye, voice print, and face vascular patterns.
As shown in
If upon submission of a bid biometric or a bid rewards account, a local computer returns a failed identification result, the bid biometric or rewards account is transmitted to the master computer for comparison of the entered bid biometric sample or rewards account to the biometric samples or rewards accounts stored in the master comparator for producing either a failed or successful second identification result. In another embodiment of the invention, the local computers are connected to each other by third interconnecting means such as an ATM network, the Internet, a private intranet, a telephone network, or a cable TV network. If a first local computer returns a failed identification result, in addition to or independent of the search of the master computer biometric sample or rewards database, the biometric sample or rewards database of a second local computer can also be searched, as the local computers' biometric sample or rewards account databases contain a subset of biometric samples or rewards accounts from the master computer and different sets of biometric samples or rewards accounts from each other.
Any combination of the above-mentioned search embodiments may be used to increase the identification or transaction process time, or decrease the likelihood of a false positive identification result.
For messages that require the DPC to identify a recipient using a BSN, the DPC uses a unique biometric identification value derived from the bid biometric data, to search the IBD Machine List for the main and backup IBD machines responsible for handling identifications for the given BSN code. Next, the DPC sends the identification message to either the main or backup machines depending on which is the least loaded. The IBD machine responds with the IBD record for the recipient or a “recipient not found” error message.
The IBD machine retrieves all the IBD records for the given BSN. The IBD machine then compares each IBD record's primary registered biometric sample with the recipient's bid biometric sample arriving at a comparison score indicating the similarity of the two biometrics. If no biometric has a close enough comparison score, the comparisons are repeated using the registered secondary biometric samples. If none of the secondary biometric have a close enough comparison score, then the IBD machine returns a “recipient not found” error. Otherwise, the IBD machine returns the full IBD record of the recipient, from which such fields such as the private code, recipient reward account numbers, recipient or user demographics data, and so on may be obtained.
The following sections describe each protocol request message/response and the actions the DPC takes to perform them.
The list of protocol packets are:
Electronic rewards Transaction
Issuer Batch List Accounts
Recipient Identification Message
The Recipient Identification message includes a biometric block which the DPC uses with the recipient identification procedure to identify the recipient. If the recipient is identified, then the DPC responds with the recipient's name, biometric identification, and private code. Otherwise, the DPC responds with an “unknown recipient” error.
Electronic Rewards Transaction Message
There are two basic electronic rewards transaction subtypes: retail and remote. There are two basic rewards transaction types: debit and draft. Drafts tabulate purchasing based rewards that are subsequently cashed or used towards purchasing products or services by the recipient. No debit to the proposed commercial transaction occurs immediately. Many current rewards transactions are done via draft. In one embodiment, these steps are accomplished using a pair of ISO 8583 messages: an authorization message followed by a rewards transaction message.
Debit transactions result in immediate debit of money from the reward provider's proposed commercial pursuant to the recipient's rewards account. If the deduction to the reward provider's proposed commercial transaction occurs immediately, the system considers the transaction type to be debit, regardless of the rewards account type used as the source of funds, or which external computer system is used to move the money around.
The DPC identifies the recipient by the biometric block of the message. For instance, if the transaction type is a draft, the DPC constructs a credit authorization draft request and transmits it to the appropriate external computer system (e.g. VISA., Net, MAPP, etc.). The external computer system is responsible, in this embodiment, for performing the resource determination to see if the recipient can pay. If the external computer system approves the transaction, the DPC returns an “OK” response code to the BIA device, while a disapproval results in a “failed” code. The contents of the response message from the external computer system (called an “authorization request response”, see ISO 8583) are added to the response as well along with the recipient's private code.
In an alternate embodiment, the accounts and their balances are stored at the DPC Ned: which database, which performs resource determination, draft generation or credit/debit instead of sending the transaction to an external computer system.
Remote authorization are generated by telephone, mail order, the Internet, or cable television reward providers. The DPC handles remote authorizations the same way it does a retail authorization but with the following modifications:
When the user enters their bid biometric sample into a first local computer, the first local computer comparator compares the bid biometric sample against the subset of the registered biometric samples contained in the first local computer databases to produce either a failed or successful first identification result. If the first local computer returns a failed identification result, the bid biometric sample is transmitted to the master computer for comparison of the entered bid biometric sample to the biometric samples stored in the master computer for producing either a failed or successful second identification result. The result of the first or second identification result is externalized from the identification computer system to the user by at least one display unit.
Upon return of a failed first identification result and return of a successful second identification result, the master computer transmits the biometric sample of the identified user to the first local computer. Therefore, in future bid biometric samples presented by the same individual, only the biometric sample database of the first local computer need be searched.
In another embodiment of the invention the identification computer system further comprises a purge engine for deleting biometric samples and BSNs from the central computer and local computer databases. In order to store only biometric samples from those individuals who use the system more often and prevent the overload of biometric sample databases with biometric samples from individuals who do not use the system often or use the local computers sparsely, the biometric sample of a user is deleted from the local computer biometric databases if there has been no attempt to identify an individual upon expiration of a predetermined time limit.
The local computers further comprise at least one terminal apparatus that is functionally partially or fully integrated with the biometric scanner; at least one key pad; and second interconnecting means for interconnecting the biometric scanner, terminal apparatus and the key pad.
In order to make communications between the master computer and the local computers more safe the identification computer system further comprises encryption and decryption means, wherein communications between the master computer and local computer are encrypted.
Master, Intermediary and Local DPCs
The master DPC which is also referred to as the identicator system, is responsible for storage of the entire set of biometric samples registered with the computer system.
Each master DPC site is preferably made up of a number of computers and databases connected together over a LAN (known in the industry) as illustrated in the master computer overview
It is preferred that the master and intermediary computers have a firewall machine which is the entry point of data and messages into these computers, and a gateway machine which is a system coordinator and message processor.
Comparator For requests that require the master, intermediary, or local DPCs or computer systems to identify an individual, each of the indicated computers searches the individual biometric database using the identicator system comparator.
The computer retrieves all the IBD records for the submitted bid personal identification number. The comparator then compares each biometric sample contained in the individual's bid biometric. Preferably, if no biometric has a close enough comparison score, the comparisons are repeated using the secondary biometrics. If none of the secondary biometrics have a close enough comparison score, then the computer comparator returns an “individual not found” error. Otherwise, the IBD machine returns the full IBD record of the individual, from which such fields such as the private code, account numbers, titles, and so on are accessed.
Master Computer LAN
The master computer Local Area Network (LAN) links the machines of the master computer sites together using a fiber optic token ring. The fiber optic token ring provides both high bandwidth and good physical security.
The network interfaces used by the machines on the DPC LAN include encryption hardware to make tapping or intercepting packets useless without the encryption key. The encryption key is the same for all machines on the LAN and is stored in the encryption hardware.
A properly configured network sniffer acts as an intruder detector as backup for the FW. If an anomalous message is detected, the intruding messages are recorded in their entirety, an operator is alerted, and the FW is physically shut down by the sniffer.
Recipients register with the DPC via a Recipient Registration Terminal (BRT). The BRT sends the DPC a registration packet containing primary and secondary biometrics, along with ancillary data such as the recipient's name, address, a list of rewards accounts, and any the private code. Optionally, the recipient may include a Social Security Number (or “SSN”). In a modification step any previously entered data can be modified or deleted.
At any given moment, only one DPC site acts as the registration site, for implementation simplicity. Registration messages received by non-registration DPC sites are forwarded to the current registration site. The registration DPC site performs the entire registration check, assigning of IBD records to IBD machines, and the distributed transaction required to update all other DPC sites.
The registration DPC site selects the BSN for registration messages, stores the IBD record on the main and backup IBD machines (as specified in the BSN Group List), and checks the BSN and the biometric suitability of the registration packet before running the distributed transaction to update the other DPC sites.
The DPC runs a BSN and biometric sample duplication check step wherein the biometric and BSN from the registration step is checked against all previously registered biometrics currently associated with the identical BSN. The DPC may reject the registration for the following reasons: the biometrics are confusingly similar to another biometric, thereby generating a BSN that is already assigned. Alternatively, the biometrics may be too similar to other biometrics stored under the BIV chosen by the computer system, resulting in an unacceptable false accept rate or false reject rate.
Issuer Batch Message
The Issuer Batch message allows an issuing retailer or other authority to perform routine maintenance on the Individual Biometric Database. The DPC logs a security violation warning if it receives any Issuer Batch messages from non-issuer BIA devices, and it also refuses to process the message.
The DPC identifies the employee submitting the batch message by following the recipient identification procedure. The DPC then checks that the employee is registered in the Authorized Individual Database to use the BIA device embedded in the sending Issuer Terminal.
The DPC also uses the issuer code in the message to look up the apparatus owner Identification in the Issuer Database and compare it against the apparatus owner Identification stored in the Valid Apparatus Database to ensure that the issuer code is not forged.
The DPC then executes the add and delete commands in the message-key encrypted batch list. The batch list is a newline separated list of commands. Valid commands are: add <biometric Id> <rewards account index code> <rewards account>
The add command adds the rewards account to the rewards account list at the specified rewards account index code. If the rewards account currently stored in the rewards account list does not belong to the issuer, the command fails. This feature prevents one retailer from adding or removing rewards accounts from other retailer's customers without the recipient's knowledge or authorization. remove <biometric Id> <rewards account index code> <rewards account>
The remove command clears the recipient's rewards account stored at the specified rewards account index code in the rewards account list. If the rewards account currently stored in the rewards account list does not match the rewards account the issuer is attempting to remove, the command fails.
For each command in the batch that failed to execute correctly, the GM logs a security violation warning and appends an entry to the failed list of the response. The failed entry includes the text for the command and the error code.
List Accounts Message
The list accounts message allows recipients to determine which rewards accounts match particular rewards account index codes. This is useful when recipients forget which rewards accounts and index codes are available.
The GM identifies the recipient by the packet's biometric and retrieves the appropriate information from the recipient's record.
The FW Machines provide a first line of defense against network viruses and computer hackers. All communication links into or out of the DPC site first pass through a secure FW Machine. Preferably, the FW Machine, an Internet-localnet router, only handles messages destined for the GM Machines. BIA-equipped terminals send packets to a single DPC site via modem X.25, or other communication medium. The DPC relies on a third party to supply the modem banks required to handle the volume of calls and feed the data onto the DPC backbone.
For DPC to DPC communication, primarily for distributed transactions and sequence number updates, the FW Machines send out double-length DES encrypted packets. The DPC LAN component handles the encryption and decryption: the FWs do not have the ability to decrypt the packets. A properly configured network sniffer acts as an intruder detector as backup for the FW. If an anomalous message is detected, the intruding messages are recorded in their entirety, an operator is alerted, and the FW is physically shut down by the sniffer.
The FW disallows any transmissions from the internal network to the rest of the Internet. An electronic rewards transaction message requires about 400 bytes and registration packets require about 2 KB. To handle 1000 electronic rewards transactions per second and 1 registration packet per second, the FW Machines are able to process about 400 KB per second .
Gateway Machine The GM Machine (GM), through the FW Machines, link the outside world (BIA-equipped terminals and other DPCs) to the internal components of the DPC. Preferably, the DPC has multiple GMs.
The GM supervises the processing of each BIA message, communicates with the various DPC components as necessary, and sends any encrypted results of the message back to the sender. The software performing this task is called the Message Processing Module. Preferably, the GM logs all messages it receives and any warnings from components it communicates with. For example, the GM logs any silent alarms, sequence number gaps, and invalid packets. Processing a message may require the GM to inform GMs at all other DPCs of a change in the DPC databases. When this happens, the GM runs a distributed transaction to update the remote databases.
Distributed transactions fall into two categories: synchronous and asynchronous. Synchronous distributed transactions require the GM to wait for the distributed transaction to commit before continuing to process the packet. Asynchronous distributed transactions do not require the GM to wait for the commit, and allow it to finish processing the message regardless of whether the distributed transaction commits or not. Asynchronous distributed transactions are only used to update data for which database consistency is not an absolute requirement: sequence numbers and biometric checksum recordings may be performed asynchronously, whereas creating database records, such as Recipient Biometric records, may not.
When executing a synchronous distributed transaction, the requesting GM only considers the entire transaction successful if all sites can successfully commit the transaction locally. Otherwise, the GMs back out the changes locally and reject the request due to a transaction error.
The list of valid DPC sites is normally all of the sites. In the case of an extreme site failure, however, a system administrator may manually remove that site from the valid site list. The most likely cause of distributed transaction failures, however, are temporary network failures that are unrelated to any DPC equipment. Messages that require a synchronous distributed transaction cannot be performed until network connectivity is restored or the site is removed from the valid site list. Before a site can be added back to the valid site list, the system administrator brings the site's databases up to date with those of a currently active site.
Each GM runs the following software components locally for performance reasons:
Message Processing Module
Message Authentication Code Module
Message Decrypt Module
Individual Biometric Database Machine List
The message bandwidth required by the GMs is similar to that required by the FW Machines. A FDDI network interface provides 100 MBits per second and easily covers any bandwidth requirements.
The DPC Local Area Network (LAN) links the machines of the DPC sites together using a fiber optic token ring. The fiber optic token ring provides both high bandwidth and good physical security.
The network interfaces used by the machines on the DPC LAN include encryption hardware to make tapping or intercepting packets useless without the encryption key. The encryption key is the same for all machines on the LAN and is stored in the encryption hardware. The master computer Local Area Network (LAN) links the machines of the master computer sites together using a fiber optic token ring. The fiber optic token ring provides both high bandwidth and good physical security.
The network interfaces used by the machines on the DPC LAN include encryption hardware to make tapping or intercepting packets useless without the encryption key. The encryption key is the same for all machines on the LAN and is stored in the encryption hardware.
A properly configured network sniffer acts as an intruder detector as backup for the FW. If an anomalous message is detected, the intruding messages are recorded in their entirety, an operator is alerted, and the FW is physically shut down by the sniffer.
Message Processing Module
The Message Processing Module (MPM) handles the processing for a message. It communicates with other components of the DPC as necessary to perform its tasks. The presence of an MPM on a machine brands it as a GM.
The MPM maintains a message context for each message it is currently processing. The message context includes the information necessary to maintain the network connection to the terminal making the message, the BIA device information, the response key, and the response packet.
Message Authentication Code Module
The Message Authentication Code Module's (MACM) tasks are to validate the Message Authentication Code on inbound packets and to add a Message Authentication Code to outbound packets.
The MACM maintains an in-memory hash table of 112-bit MAC encryption keys keyed by BIA hardware identification code.
When the MACM receives a request from the GM to validate a packet's MAC, it first looks up the packet's hardware identification code in the hash table. If no entry exists, then the MACM replies to the GM with an “invalid hardware identification code” error.
Otherwise, the MACM performs a MAC check on the BIA message part of the packet using the 112-bit MAC encryption key. If the MAC check fails, then the MACM replies to the GM with an “invalid MAC” error. Otherwise, the MACM replies with a “valid MAC” message.
If the packet contains a reward provider identification code, the MACM also checks the reward provider identification code against the owner identification code in the hash table. If the codes don't match, then the MACM replies with an “invalid owner” error.
When the MACM receives a request from the GM to generate a MAC for a packet, it looks up the MAC encryption key using the packet's hardware identification code. With the MAC encryption key, the MACM generates a MAC and adds it to the packet. If the MACM cannot find the hardware identification code in its hash table, it replies with an invalid hardware identification code error instead.
Message Decrypt Module
The Message Decrypt Module's (MDM) task is to reconstruct the DUKPT transaction key and with it decrypt the biometric block of the packet. It maintains a list of the DUKPT Base Keys that are required to generate the transaction key.
The MDM constructs the DUKPT transaction key using the packet's sequence number as the DUKPT transaction counter, the upper 22 bits of the BIA hardware identification code as the DUKPT tamper resistant security module (or “TRSM”) Identification, and the low 10 bits of the BIA hardware identification code as the DUKPT Key Set Identification.
The DUKPT standard specifies how the transaction key is generated. The Key Set Identification is used to look up a Base Key from the Base Key List. The Base Key is used to transform the TRSM Identification into the initial key via a DES encrypt/decrypt/encrypt cycle. The transaction counter is then applied to the initial key as a series of DES encrypt/decrypt/encrypt cycles to generate the transaction key.
For additional security, two Base Key Lists are maintained, one for low security BIA devices and one for high security devices. The MDM chooses which Base Key List to use depending on the security level of the device.
Biometric Group List
In embodiments employing the BSN or BBC, the Biometric Group List (BGL), in conjunction with the Individual Biometric Database Machine List, defines the configuration of the IBD machines. The BGL stores a list of the BSNs or BBCs in the system which is used to simplify the management of the biometrics. A BGL exists on each GM Machine (GM).
The BGL, when given a BSN, searches through its list of biometric groups for the group containing the BSN. The BGL maintains the list of goups in order and uses a binary search to quickly find the correct group. The initial configuration for the BGL is one single biometric group containing all possible biometrics. After a threshold number of BSNs are assigned, the giant biometric group is split in two. Thereafter, this process is applied to all succeeding biometric groups.
When a biometric group splits, the BGL assigns a new main and backup IBD machine based on available storage on a first-come-first serve basis. The BGL coordinates with the IBD machines to first copy the affected records from the old main and backup machines to the new ones, update the IML record, and last remove the old main and backup copies. Splitting a biometric group is an involved task. The BGL batches split requests to be run when the DPC is lightly loaded.
The system administrator may also change the main and backup IBD machines for a given biometric group if the machines' free storage falls below a level required for handling the expected amount of new registrations.
Individual Biometric Database Machine List
The IBD Machine List (IML), in conjunction with the Biometric Group List, codifies the configuration of the IBD machines. The IML maps a biometric value to the main and backup IBD machines storing IBD records for the biometric. The IML is actually keyed by Biometric Group (a set of consecutive biometric values). An IML exists on each GM Machine (GM).
When a GM processes a message that requires a biometric identification, the GM finds the IML record keyed by the biometric group. The GM then knows the main and backup IBD machines to use for the biometric identification.
Most IBD records will be recipients, who will use the system to purchase products from reward providers at points of sale. The rest of the records will be generally associated with people who perform administrative functions such as registration, or customer support.
Sequence Number Module
The Sequence Number Module's (SNM) primary function is to prevent replay attacks by validating packet sequence numbers. Its secondary task is to minimize the effects of a resubmission attack by informing other SNMS in remote DPC sites of sequence number updates and to periodically update the sequence numbers in the Valid Apparatus Database.
The SNM maintains an in-memory hash table of sequence numbers keyed by BIA hardware identification code codes to allow quick validation of packet sequence numbers. When the SNM receives a validate request from the GM for a given hardware identification code and sequence number, it looks up the hardware identification code in the hash table. If no entry exists, then the SNM replies to the GM with an “invalid hardware identification code” error.
Otherwise, the SNM checks the given sequence number against the sequence number stored in the hash table entry. If the sequence number is less than or equal to the stored sequence number, the SNM replies with an “invalid sequence number” error. Otherwise, the SNM sets the sequence number in the hash table entry to the given sequence number and replies with a “valid sequence number” message.
From time to time, the SNM may observe a sequence number gap. A sequence number gap occurs when the SNM receives a sequence number that is more than one greater than the sequence number stored in the hash table entry. In other words, a sequence number was skipped. When the SNM discovers a sequence number gap, it replies with a “sequence number gap” message to the GM instead of a “valid sequence number” message. The GM treats the packet as valid, but it also logs a “sequence number gap” warning.
Sequence number gaps usually occur when network connectivity is lost: packets are dropped or can't be sent until the network is restored to working order. However, sequence number gaps occur for fraudulent reasons as well: malicious parties could intercept packets preventing them from arriving at the DPC or they could even attempt to counterfeit packets (with a large sequence number so that it isn't immediately rejected).
The SNM's secondary function is to inform other DPCs of the updated sequence numbers. Quickly updating sequence numbers at all DPC sites thwarts resubmission attacks wherein a malicious entity monitors packets destined for one DPC site and immediately sends a copy to a different DPC site in the hope of exploiting the transmission delay of sequence number updates from one DPC site to another resulting in both sites accepting the packet as valid, when only the first site should accept the packet.
The SNMs send update messages to each other whenever they receive a valid sequence number. If an SNM receives an update message for a sequence number that is less than or equal to the sequence number currently stored in its hash table, that SNM logs a sequence number resubmission warning. All resubmission attacks are detected in this manner.
In another embodiment, to thwart resubmission attacks completely, only one SNM validate packets. Under this scheme there is no update transmission delay window to exploit with a resubmission attack. Alternately, multiple SNM's is can be active at the same time provided none of them handle sequence number validation for the same BIA-equipped device.
Sequence Number Maintenance
When the SNM boots up, it loads the sequence number hash table from the sequence numbers for active BIA stored in the VAD.
The VAD is responsible for sending add-entry and remove- entry messages to the SNMs for any BIA-equipped devices that are activated or deactivated to keep the SNM hash table up-to-date.
Apparatus Owner Database
The Apparatus Owner Database (AOD) stores information on recipients or organizations that own one or more BIA-equipped devices. This information is used to double check that the BIA devices are used only by their rightful owners, to provide rewards account information for proposed commercial transactions, and to allow identification of all BIAs owned by a specific recipient or organization.
Most BIA devices will be owned by reward providers, i.e. reward providers engaged in selling to recipients wishing to buy products.
Each AOD record includes a rewards account to credit or debit the owner when the DPC processes a rewards transaction submitted by one of the owner's BIA-equipped devices.
Valid Apparatus Database
The Valid Apparatus Database (VAD) is a collection of records representing all of the BIAs that have been manufactured to date. The VAD record contains the Message Authentication Code encryption key for each BIA, as well as an indication of whether a BIA is active, awaiting shipment, or marked as destroyed. In order for a message from a BIA to be decrypted, the BIA must exist and have an active record in the VAD.
When manufactured, each BIA has a unique public identification code. In addition, each BIA is injected with a unique MAC encryption key, and an initial DUKPT key, all of which are entered into the VAD record prior to BIA deployment.
When a BIA is first constructed, it is given a unique hardware identification code. When a BIA is placed in service, its hardware identification code is registered with the system. First, the owner or responsible party of the BIA is entered into the Apparatus Owner Database (AOD). Then, the VAD record is pointed to the AOD record, and the BIA is then set active. Messages from that BIA are accepted by the DPC.
Each BIA type and model has a device security assessment performed on it during its design and construction. This represents the basic ability of the device to resist attempts to monitor the BIA's internal functioning, the ability of the BIA to keep both past and current encryption keys stored on the BIA secret, and the BIA's ability to resist reprogramming by criminals.
The number of failed messages, recent messages, and the average number of messages performed by a given apparatus are recorded in the VAD record, to assist the security factors module in detecting fraudulent messages. Periodically, the recentReqs and the failedReqs fields are cleared.
Individual Biometric Database Individual Biometric Database (IBD) records store personal information on recipients for both identification as well as authentication. This information may include their primary and secondary biometrics, one or more biometric values, a list of rewards accounts, perhaps a rewards account index code, account index names, private code, address, and phone number. The recipient may optionally include this SSN. This information is necessary for identifying a recipient either by biometric or personal information, for accessing related information, or for providing an address or phone number to remote reward providers for additional verification.
Recipients are added to the system during the recipient enrollment process at registered Recipient Registration Terminals located in retail establishments worldwide, or in local system offices. During enrollment, recipients add rewards accounts to their biometric and biometric sorting number combination.
Recipients may be removed from the database due to fraudulent activity reported by any issuing member. If this occurs, the recipient's record is moved from the IBD to the Prior Fraud Database (PFD) by an authorized internal systems representative. The biometric Ids for records in the PFD may not be used for records in the IBD.
The IBD exists on multiple machines, each of which is responsible for a subset of the IBD records with a copy of each record stored on two different machines, both for redundancy and for load-sharing. The IBD Machine List, stored on the GM, maintains which machines hold which biometric values.
Recipient Demographics Database
Stores information related to specific characteristics of individual users such as gender, age, etc.
Rewards Registry Database
Stores information related to rewards that are to be disbursed to users, their amount, and predetermined conditions for disbursement.
Recipient Account Database
Stores information related to the assignment of one or more account numbers to users for accounting accumulation of rewards by a user.
In embodiments which require a user to submit a personal identification number for security reasons only, this database stores information regarding the personal identification numbers of users.
Authorized Individual Database
For each issuer or personal BIA-equipped device, the Authorized Individual Database (AID) maintains a list of recipients who are authorized, by the owner of the device, to use it.
The AID exists for two reasons. The first is that it provides restricted access to a terminal. For example, the Issuer Terminal can only be used by an authorized retailer representative. The second reason for the AID is to prevent criminals from secretly replacing the BIA in a retail point of sale terminal with that of a personal BIA from a phone Terminal and thus routing all purchases to a remote rewards account set up by the criminals.
Prior Fraud Database
The Prior Fraud Database (PFD) is a collection of records representing recipients who have defrauded member issuers at some point in the past. This database allows the DPC to perform a re-registration check on every new registrant quickly, since only a small number of recipients will be designated as having defrauded member issuers. The PFD also runs background transactions during periods of low system activity to weed out recipients in the IBD who have matching records in the PFD.
The system does not automatically put recipients in the PFD, unless it detects that they are attempting to register again. Placing a recipient in the PFD is a sensitive policy matter which is outside the scope of this document.
Before a new IBD record is marked as active, the recipient's primary and secondary biometrics are checked against each and every biometric in the PFD using the same biometric comparison techniques as those used in the recipient identification procedure. If a match is found for the new IBD record, the IBD record's status is designated with a label of “prior fraud”, and the GM logs a “registering recipient with prior fraud” warning.
It is assumed that the PFD will remain relatively small. The cost to run the PFD is expensive, as it is an involuntary biometric search, so it is important to add only those recipients to the PFD who have imposed a significant cost to the system.
The Issuer Database (ID) stores information on retailers and other institutions that allow their rewards accounts to be accessed through the system. For many rewards accounts, the issuing institutions are the only entities that can add or remove their rewards account numbers to a given recipient's IBD record.
The DPC uses the ID to validate messages from Issuer Terminals by searching the ID for a record containing the Issuer Terminal's issuer code. The owner Identification stored in the record must match up with the owner stored in the Valid Apparatus Database for the BIA stored in the Issuer Terminal.
Remote Reward provider Database
The Remote Reward provider Database (RSD) stores information on reward providers that provide goods or services over telephones, cable television networks, or the Internet. Each order sent by a recipient using a properly-equipped terminal is routed through the reward provider's order terminal to the system.
Once a recipient's remote electronic rewards transaction is received and the MAC validated by the DPC, the reward provider identification code is compared against the reward provider identification code in the RSD. The reward provider identification code, be it phone number, reward provider-product credential, or Internet address, exists in the RSD record under the correct reward provider identification code or the DPC terminates the message and returns an invalid reward provider identification code error to the sending BIA terminal device.
1. MACM checks the MAC (local)
2. SNM checks the sequence number (network message)
3. MDM decrypts the biometric block (local)
4. Find IBD machine (local)
5. Send identify message to the IBD machine (nehvork message)
In IBD machine:
6. Retrieve all IBD records for the Biometric Value (x seeks and x reads, where x is the number of pages required to store the biometric records).
7. For each record, compare against its primary biometric (y/2 ms where y is the number of records retrieved).
8. If no reasonable match, repeat step 9 but compare against the secondary biometric (z*y/2 ms, where y is the number of records retrieved and z is the probability no match is found).
9. Update the best matching IBD record's checksum queue and check for possible replay attacks (1 seek, 1 read, and 1 write).
10. Return the best matching IBD record or an error if the match is not close enough (network message).
11. Authorize message with an external processor (network message)
12. GM encrypts and MACs the response (local).
13. Sends response packet back (network message).
From the foregoing, it will be appreciated how the objects and features of the invention are met. First, the invention provides a computer identification system that eliminates the need for a user to possess and present a physical object, such as a token, in order to authorize a transaction. Second, the invention provides a computer identification system that is capable of verifying a user's identity, as opposed to verifying possession of proprietary objects and information. Third, the invention verifies the user's identity 10 based upon one or more unique characteristics physically personal to the user. Fourth, the invention provides an identification system that is practical, convenient, and easy use. Fifth, the invention provides a system of secured access to a computer system that is highly resistant to fraudulent transaction authorization attempts by non-authorized users.
Although the invention has been described with respect to a particular tokenless identification system and method for its use, it will be appreciated that various modifications of the apparatus and method are possible without departing from the invention, which is defined by the claims set forth below.
Authorized Individual Database: contains the list of individuals authorized to use personal and issuer BIA devices.
Apparatus Owner Database: central repository containing the geographic and contact information on the owner of each BIA.
A person or entity that proposes transactions or rewards to recipients, generally for the purpose of selling goods and services recipients.
Biometric Basket Code: a personal identification number which may accompany the user's bid biometric in order to facilitate a rapid database search of the biometric database. The BBC functions as a basket in which algorithmically distinct biometric samples are stored, such BBC's being some subset of all of the biometrics stored in the master comparator database.
Biometric Group List: a software module in the DPC that is responsible for maintaining the configuration of the IBD machines.
Biometric input apparatus; collects biometric identity information, encodes and encrypts it, and makes it available for authorizations. Comes in different hardware models and software versions.
A measurement taken by the system of some aspect of a recipient's physical person that can be used to repeatedly and uniquely identify an individual, such as a fingerprint, retina of the eye, face vascular patterns, voice prints, iris scan, and the like.
An identifier used-by the system to uniquely identify an individual's biometric record (IRID-Individual Record ID)
a collection of algorithmically dissimilar biometric samples linked to the same biometric sorting number
Recipient Registration Terminal; located at retail outlets, BRTs combine recipient registration information with selected personal information to register recipients with the system.
Biometric Sorting Number: an identification number, which may or may not be unique, which is generated by numerically encoding the classified identification features of the submitted biometric and which thereby sorts the biometrics into subsets.
Cipher Block Chaining: an encryption mode for the DES.
Electronic Commercial Transaction:
A commercial transaction involves a reward provider proposing an electronic transaction to a recipient. If the recipient approves, he appends his biometric to the transaction, and sends it to the DPC for authorization and execution.
A program or subroutine residing in the DPC that performs a specific task, activated by a request message sent from a BIA-equipped terminal.
Cable-TV Point-of-Sale Terminal: combines an onscreen display simulcast digital signal informing TV-top cable box of product information with product video, and a BIA controller remote which performs the biometric validation using the CATV communications network. Order/autho/mailing-address/item-id forwarded to reward provider. Results of authorization are displayed on the TV.
Customer Service Terminals: provide system customer service personnel with varying degrees of access (based on access privilege) the ability to retrieve and modify information on recipients in order to help people with account problems.
An individual user of the system or recipient, who can authorize transactions at a point of sale using nothing more than a biometric.
DATA SEALING STEP:
The conversion of plain text to cipher text (known as “encryption”) in combination with the encrypted checksumming of a message that allows information to remain in plain text while at the same time providing a means for detecting any subsequent modification of the message.
Data Encryption Standard: a standard for the cryptographic protection of digital data. See standard ANSI X3.92-1981
A data processing center, also known as the computer system, which represents the place and the entity where the hardware, software, and personnel are located that support a multigigabyte biometric identity database. A DPC processes electronic messages, most of which involve performing biometric identity checks as a precursor to performing a rewards transaction.
Digital Signal Processor: a class of integrated circuits that specialize in the mathematical operations required by the signal processing applications.
Derived Unique Key Per Transaction: See standard ANSI/ABA X9.24-1992
ELECTRONIC IDENTICATOR SYSTEM:
The computer system or the DPC.
EMERGENCY ACCOUNT INDEX CODE:
The alpha-numeric digit or sequence selected by a recipient which, when accessed, will result in a transaction being labelled by the system as an emergency transaction, potentially causing the display of false screens and/or the notification of authorities that the recipient has been coerced into performing a transmission or transaction.
FAR (False Accept Rate):
The statistical likelihood that one recipient's biometric will be incorrectly identified as the biometric of another recipient.
Fiber Digital Device Interface: a networking device that utilizes a fiber optic token ring.
Firewall Machine: the Internet-local net router that regulates traffic into and out of the DPC.
Gateway Machine: the main processing computers in the DPC; runs most of the software.
Individual Biometric Database: central repository for biometric, rewards account, and other personal information. Queries against the biometric database are used to verify identity for electronic rewards transactions and transmissions.
Issuer Database: central repository containing the institutions that are allowed to add and delete rewards account numbers with the system.
IBD Machine List: a software module in the DPC determines which IBD machines are responsible for which biometric sorting numbers.
Internet Reward Provider:
A party selling services or goods to recipients by means of the Internet electronic network
Internet Point-of-Sale Terminal: retrieves items and reward provider identification code from the Internet, gathers BIA biometric for validation, sends using Internet, autho/order/PO # forwarded to reward provider who in turn forwards to DPC. DPC response forwarded by reward provider to IPT using Internet as well, which displays results on screen.
a rewards account issuer for rewards assests to be registered with the DPC.
A collection of “add” and “delete” instructions complete with biometric IDs, rewards accounts, and account index codes verified and submitted by an issuer to the DPC.
Issuer Terminals; provides a batch connection to the system for issuers to add and remove (their own) rewards account numbers from specific recipient's IBD records.
Message Authentication Code: an encrypted checksum algorithm, the MAC provides assurance that the contents of a message have not been altered subsequent to the MAC calculation. See standard ANSI X9.9-1986
Message Authentication Code Module: a software module in the DPC that handles MAC validation and generation for inbound and outbound packets.
Message Decrypt Module: a software module in the DPC that encrypts and decrypts packets from or destined to a BIA device.
Message Processing Module: a software module in the DPC that performs the processing of request packets.
Personal identification number: an alphabetical, numerical or alpha-numerical code which the recipient may use in combination with his biometric.
Prior Fraud Database: central repository for IBD records which have had prior fraud associated with them. During registration, every new applicant's biometrics are checked to see if a re-registration is occuring against all PFD records with the intent of reducing recidivism.
Random Access Memory
Radio Frequency: generally refers to radio frequency energy emitted during the normal operation of electrical devices.
Memory reserved for a specific purpose, data set aside on chips and stored operands to instructions
Electronic instructions from the BIA to DPC instructing the DPC to identify the recipient and thereby process the recipient's command in the event the identification is successful.
REWARDS ACCOUNT INDEX CODE:
A digit or an alpha-numeric sequence that corresponds to a particular rewards account
Remote Reward provider Database: contains all reward provider identification codes for reward provider telephone and Cable TV order shops; indexed by reward provider ID. Contains per-reward provider system encryption codes as well.
Reward provider Computing Apparatus: In the cache computing embodiment, wherein there is a master comparator biometric database containing the biometric samples of all users registered with the computer system, and at least one local database, physically remote from the master comparator biometric database containing a subset of the biometric samples contained in the master comparator biometric database, the SCA can be either a BIA or the reward provider computer containing the local database.
Secure Computing Apparatus: In the Internet or Intranet computing embodiment, the SECA is a device for: a) recipient data entry, whereby the recipient enters directly into the SECA at least one registration biometric sample and at least one recipient rewards account, together comprising the recipient personal authentication information, and; b) for encryption, whereby all data entered into the secure computing apparatus is encrypted so that the data, when transmitted from the secure computing apparatus, cannot be read or altered by a recipient's personal computer;
Sequence Number Module: a software module in the DPC that handles the DUKPT sequence number processing for inbound request packets. Sequence number processing protects against replayattacks.
A device that uses the BIA to collect biometric samples and form request messages that are subsequently sent to the DPC for authorization and execution. Terminals almost always append ancillary information to request messages, identifying counterparties and the like.
An inanimate object conferring a capability.
An electronic financial, service or product exchange.
Valid Apparatus Database: central repository in which each BIA (with associated unique encryption codes) is identified, along with the owner of the BIA.
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7327859 *||Feb 14, 2007||Feb 5, 2008||Lam Ko Chau||Methods and systems for automated fingerprint recognition|
|US7474773||Nov 16, 2007||Jan 6, 2009||Lam Ko Chau||Methods and systems for automated fingerprint recognition|
|US7698322 *||Sep 14, 2009||Apr 13, 2010||Daon Holdings Limited||Method and system for integrating duplicate checks with existing computer systems|
|US8286242 *||Sep 30, 2010||Oct 9, 2012||At&T Intellectual Property I, L.P.||System and method for providing network security|
|US9038173 *||Sep 6, 2012||May 19, 2015||At&T Intellectual Property I, L.P.||System and method for providing network security|
|US20130014255 *||Sep 6, 2012||Jan 10, 2013||At&T Intellectual Property I, L.P.||System and Method for Providing Network Security|
|WO2008098357A1 *||Feb 12, 2008||Aug 21, 2008||Chau Lam Ko||Methods and systems for automated fingerprint recognition|
|WO2010108084A1 *||Mar 19, 2010||Sep 23, 2010||Mastercard International Inc.||Method and apparatus for mobile offer fulfillment|
|U.S. Classification||382/115, 705/14.27, 705/14.34, 705/14.36|
|International Classification||G06F21/00, G07C9/00, G06Q30/00, G06Q20/00, G06K9/00, G07G1/14|
|Cooperative Classification||G06Q30/0236, G07C9/00158, G06F21/32, G06Q20/18, G06Q20/4014, G06Q20/40, G07C9/00142, G06F21/31, G06Q30/0225, G06Q20/387, G06Q30/0226, G06Q30/0222, G06Q20/02, G06Q30/02, G06Q30/0234|
|European Classification||G06Q30/02, G06F21/32, G06Q30/0236, G06Q20/18, G06Q30/0225, G06Q20/4014, G06Q20/40, G06F21/31, G06Q20/387, G06Q20/02, G06Q30/0222, G06Q30/0234, G06Q30/0226, G07C9/00C2B, G07C9/00C2D|
|Dec 20, 2007||AS||Assignment|
Owner name: THE BANK OF NEW YORK, AS AGENT, AS SECURED PARTY,T
Free format text: GRANT OF PATENT SECURITY INTEREST;ASSIGNOR:INDIVOS CORPORATION;REEL/FRAME:020279/0105
Effective date: 20071219