System and method for blocking unauthorized network log in using stolen password
Abstract
The authenticity of a website is determined using a unique string of characters known only to the user and the website on each page of the website that is displayed to the user, with a false site being incapable of displaying this unique string of characters, thereby putting the user on notice that the current site is not the authentic one the user desires to access. Voice methods for conveying one-time pass codes to users and for permitting customer institutions to select authentication rules are also disclosed.
38 Claims
1. A method for selectively granting a user access to data, comprising:
at a Web server, receiving a user name and password from a user computer;
only if a cookie previously deposited on the user computer by the server, the user name, and the password are valid, granting access to the data to the user computer; and
displaying a user-approved secret on at least one page for presentation thereof to the user so that the user can view the secret for anti-phishing confirmation.
Dependent claims: 2, 3, 4, 5
6. A system for impeding a thief possessing a password of a user from accessing information intended to be accessed by the user from a user computer, comprising:
a server computer controlling access to the information, the server computer granting access to the information only upon receipt of a valid password and determination that a valid verification string resides on the user computer, the server computer also presenting, on plural web pages presented to the user, a secret previously approved by the user and correlated to a user identification.
Dependent claims: 7, 8, 9, 10, 11
12. A method for selectively granting a user access to data, comprising:
at a server, receiving a user name and password from a user computer;
at a server, determining whether a cookie previously deposited on the user computer includes a machine ID matching a machine ID stored in a database and a login key matching a login key stored in a database, and if so, granting the user computer access to the data, and refreshing the login key; and
retrieving a secret associated with an identification of the user and presenting the secret on at least one web page presented to the user.
Dependent claims: 13, 14, 15, 16, 17, 18
19. A method for selectively granting a user access to data, comprising:
at a Web server, receiving a user name and password from a user computer;
selectively providing a one-time pass code to the user over a phone link; and
only if the user name, the password, and when provided to the user the one-time pass code are valid, granting access to the data to the user computer.
Dependent claims: 20, 21, 22, 23, 24, 25
26. A system for impeding a thief possessing a password of a user from accessing information intended to be accessed by the user from a user computer, comprising:
a server computer controlling access to the information, the server computer granting access to the information only upon receipt of a valid password and determination that a valid verification string resides on the user computer and further upon reception of a valid one-time pass code, the pass code being selectively provided to the user over a phone link.
Dependent claims: 27, 28, 29, 30, 31
32. A method for selectively granting a user access to data, comprising:
at a server, receiving a user name and password from a user computer;
at a server, determining whether a cookie previously deposited on the user computer includes a machine ID matching a machine ID stored in a database and a login key matching a login key stored in a database, and if so, granting the user computer access to the data, and refreshing the login key;
if the machine ID does not match the machine ID stored in a database, sending a pass code to a telephone associated with the user, and granting access only if the pass code is received from the user computer.
Dependent claims: 33, 34, 35, 36
37. A service for permitting a customer institution to establish authentication rules for end users to access information at a server operated by the institution, comprising:
permitting the customer institution to access at least one authentication web page listing plural authentication factors selected from the group consisting of:
security questions being properly answered, one-time pass code being correctly input, pass code delivery to user via email, pass code delivery to user via short message service (SMS), pass code delivery to user via interactive voice response (IVR), pass code delivery to user using voice biometrics, proper cookie on user machine seeking access, authentication based on satisfactory geographic location of user machine seeking access, authentication based on proper browser version of machine seeking access, authentication based on acceptable internet service provider of machine seeking access; and
permitting the customer institution to select one or more factors on the list for implementation thereof in allowing end users to access information at the server operated by the institution.
Dependent claims: 38
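The login flow recited in claims 12 and 32 (password check, cookie carrying a machine ID and a login key, key refresh on each grant, pass code sent to the user's telephone when the machine ID does not match) can be sketched as follows. This is an added illustration, not code from the patent: `AuthServer`, its in-memory database and phone list, the single registered machine per user, and the refusal of a known machine ID presenting a stale login key are all assumptions.

```python
import hashlib
import hmac
import secrets

def _eq(a, b):
    # Constant-time comparison of two string values.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def _pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:  # hypothetical name; stands in for the claimed server
    def __init__(self):
        self.db = {}     # user name -> record (stand-in for the database)
        self.phone = []  # (number, code) pairs "sent" over the phone link

    def enroll(self, user, password, number):
        salt = secrets.token_bytes(16)
        self.db[user] = {"salt": salt, "pw": _pw(password, salt),
                         "number": number, "code": None, "login_key": None,
                         "machine_id": secrets.token_hex(16)}
        return self._refresh(self.db[user])  # cookie deposited on the machine

    def _refresh(self, rec):
        # Rotate the login key on every grant so a copied cookie goes stale.
        rec["login_key"] = secrets.token_hex(16)
        return {"machine_id": rec["machine_id"], "login_key": rec["login_key"]}

    def login(self, user, password, cookie=None, pass_code=None):
        rec = self.db.get(user)
        if rec is None or not hmac.compare_digest(
                rec["pw"], _pw(password, rec["salt"])):
            return "deny", None
        cookie = cookie or {}
        if _eq(cookie.get("machine_id", ""), rec["machine_id"]):
            if _eq(cookie.get("login_key", ""), rec["login_key"]):
                return "grant", self._refresh(rec)
            # Assumption: a known machine ID with a stale key is refused.
            return "deny", None
        # Machine ID does not match: require the pass code from the phone.
        if pass_code is not None and rec["code"] and _eq(pass_code, rec["code"]):
            rec["code"] = None  # one-time use
            return "grant", self._refresh(rec)
        rec["code"] = f"{secrets.randbelow(10**6):06d}"
        self.phone.append((rec["number"], rec["code"]))
        return "challenge", None
```

Because the login key is refreshed on every grant, a cookie copied from the user's machine stops working as soon as the legitimate browser logs in again, and a stolen password alone only triggers the telephone challenge.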
Specification