System and method for blocking unauthorized network log in using stolen password

US 20060015742A1
Filed: 07/15/2004
Published: 01/19/2006
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method for selectively granting a user access to data, comprising:

at a Web server, receiving a user name and password from a user computer;

only if a cookie previously deposited on the user computer by the server, the user name, and the password are valid, granting access to the data to the user computer;

otherwise initiating a user validation process at least if the password is valid but the cookie is not.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To limit access to thieves of passwords, at initial registration with a Web server, a user is given a password and user name, and a cookie including a login key and machine ID is downloaded to the user. For subsequent log ins, the user inputs the user name and password and if they are correct, the server checks the cookie on the user computer to determine whether the login key and machine ID matches the record stored in the server before granting access. If access is successful a new login key is sent in a new cookie to be used in the next subsequent login so that the login key changes every login. If the cookie check is unsuccessful, the server refuses access until a user validation process has been completed.

Citations

33 Claims

1. A method for selectively granting a user access to data, comprising:
- at a Web server, receiving a user name and password from a user computer;
  
  only if a cookie previously deposited on the user computer by the server, the user name, and the password are valid, granting access to the data to the user computer;
  
  otherwise initiating a user validation process at least if the password is valid but the cookie is not.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 28, 29)
- - 2. The method of claim 1, wherein the cookie includes at least a login key and a machine ID.
  - 3. The method of claim 2, wherein the login key is a first login key, and wherein, if the cookie, user name, and password are valid and access is granted to the user computer, a new cookie is downloaded to the user computer, the new cookie including the machine ID and a second login key different from the first login key, the new cookie being used in a subsequent login to the Web server.
  - 4. The method of claim 1, wherein the Web server is an online banking server.
  - 5. The method of claim 1, wherein the Web server is a content subscription server.
  - 6. The method of claim 2, wherein the machine ID is a first machine ID and the login key is a first login key, and the method further comprises, prior to initiating a user validation process when a valid cookie is not found on the user computer, determining whether all N≧
    - 1 machines allocated to the user have accessed the server, and if not, downloading to the user computer attempting access a cookie having a second machine ID different from the first machine ID and a second login key different from the first login key.
  - 7. The method of claim 1, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new cookie valid for accessing the data may be obtained.
  - 8. The method of claim 7, wherein access to the Web site at which a new cookie valid for accessing the data may be obtained is disabled after the user clicks on the hyperlink.
  - 9. The method of claim 1, wherein the validation process includes prompting the user to call a telephone number to verify predetermined information.
  - 10. The method of claim 1, wherein the validation process includes prompting the user to call access a Web site to verify predetermined information online.
  - 28. The method of claim 1, wherein the user computer may be used to access the data for only a limited period of time, after which access is denied.
  - 29. The method of claim 28, wherein access is denied by designating the verification string to be expired.

11. A system for impeding a thief possessing a password of a user from accessing information intended to be accessed by the user, comprising:
- at least one user computer associated with the user; and
  
  a server computer controlling-access to the information, the server computer granting access to the information only upon receipt of a valid password and determination that a valid verification string resides on the user computer, the server computer otherwise initiating a validation process at least under the condition of the password being valid and the verification string not being valid.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 30, 31)
- - 12. The system of claim 11, wherein a valid verification string is downloaded to the user computer during a registration process.
  - 13. The system of claim 11, wherein the verification string is a cookie and the cookie includes at least a login key and a machine ID.
  - 14. The system of claim 13, wherein the login key is a first login key, and wherein, if the cookie, user name, and password are valid and access is granted to the user computer, the server downloads a new cookie to the user computer, the new cookie including the machine ID and a second login key different from the first login key.
  - 15. The system of claim 11, wherein the Web server is an online banking server.
  - 16. The system of claim 11, wherein the Web server is a content subscription server.
  - 17. The system of claim 13, wherein the machine ID is a first machine ID and the login key is a first login key, and the server, prior to initiating a user validation process when a valid cookie is not found on the user computer, determines whether all N machines allocated to the user have accessed the server, and if not, the server downloads to the user computer attempting access a cookie having a second machine ID different from the first machine ID and a second login key different from the first login key.
  - 18. The system of claim 11, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new string valid for accessing the data may be obtained.
  - 19. The system of claim 18, wherein access to the Web site at which a new string valid for accessing the data may be obtained is disabled after the user clicks on the hyperlink.
  - 20. The system of claim 11, wherein the validation process includes prompting the user to call a telephone number to verify predetermined information.
  - 21. The system of claim 11, wherein the validation process includes prompting the user to call access a Web site to verify predetermined information online.
  - 30. The system of claim 11, wherein the user computer may be used to access the information for only a limited period of time, after which access is denied.
  - 31. The system of claim 30, wherein access is denied by designating the verification string to be expired.

22. A computer system, comprising:
- a Web server comprising;
  
  means for sending a user name and a password to a user computer;
  
  means for sending a verification string to the user computer, the verification string including a machine ID substantially unique to the user computer and a login key that is refreshed each time the user computer logs in to the Web server;
  
  means for, subsequent to sending the verification string to the user computer and in response to an attempted log in from a login computer that may or may not be the user computer to gain access to information the access to which is controlled by the Web server, determining whether at least a password sent from the login computer is valid, and whether the verification string resides on the login computer;
  
  means for granting access to the user computer if both the password is valid and the verification string resides on the user computer;
  
  means for, if the password is valid but the verification string does not reside on the login computer, refusing access pending successful validation and then undertaking at least one of;
  
  initiating a validation process; and
  
  determining whether all N≧
  
  1 machines associated with the user have accessed the server.
- View Dependent Claims (23, 24, 25, 26, 27, 32, 33)
- - 23. The system of claim 22, wherein if not all N machines have accessed the server, the server downloads to the login computer a verification string having a machine ID different from the machine ID of the user computer and a login key different from the login key of the user computer.
  - 24. The system of claim 22, wherein a valid verification string is downloaded to the user computer during a registration process.
  - 25. The system of claim 22, wherein the Web server is at least one of:
    - an online banking server, and a content subscription server.
  - 26. The system of claim 22, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new verification string valid for accessing the data may be obtained.
  - 27. The system of claim 22, wherein the validation process includes prompting the user to call a telephone number and/or to access a Web address to verify predetermined information.
  - 32. The system of claim 22, wherein the user computer may be used to access the information for only a limited period of time, after which access is denied.
  - 33. The system of claim 32, wherein access is denied by designating the verification string to be expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Anakam, Inc. (Equifax, Inc.)
Original Assignee
Anakam, Inc. (Equifax, Inc.)
Inventors
Robb, Robert, Camaisa, Allan

Granted Patent

US 7,676,834 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/31   User authentication

H04L 63/083   using passwords cryptograph...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

System and method for blocking unauthorized network log in using stolen password

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for blocking unauthorized network log in using stolen password

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links