ACCOUNT HIJACKING COUNTER-MEASURES

US 20100199338A1
Filed: 02/04/2009
Published: 08/05/2010
Est. Priority Date: 02/04/2009
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user prior to providing access to the user'"'"'s account, the user'"'"'s account being accessible via a sign-in page upon verifying the user'"'"'s credentials, comprising:

determining that a device is accessing the sign-in page;

obtaining an identifier associated with the device accessing the sign-in page;

determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device;

identifying data contained in the user'"'"'s account;

upon verifying the user'"'"'s credentials, generating at least one security question based on the data randomly selected from the user'"'"'s account; and

providing the at least one security question to the user via a user interface, wherein the user is required to correctly answer the at least one security question in order to access the user'"'"'s account.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing an additional layer of authentication prior to accessing a user'"'"'s account even though the user'"'"'s credentials have previously been verified. User accounts are often accessed via a sign-in page that verifies the user'"'"'s credentials. Upon detecting a device accessing the sign-in page, an identifier associated with the device is obtained. One such type of identifier is the IP address assigned to the device. Based on the identifier, it is determined whether the device is trusted or not. Even thought the user'"'"'s credentials are verified via the sign-in page, if the device is not trusted, a second authentication page is presented to the user prior to proceeding to the account. The second authentication page presents at least one security question. The security question is based on information contained in the user'"'"'s account (e.g., contact information, event information, electronic messages, etc.). The user is required to correctly answer the security question in order to access the account.

108 Citations

View as Search Results

20 Claims

1. A method for authenticating a user prior to providing access to the user'"'"'s account, the user'"'"'s account being accessible via a sign-in page upon verifying the user'"'"'s credentials, comprising:
- determining that a device is accessing the sign-in page;
  
  obtaining an identifier associated with the device accessing the sign-in page;
  
  determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device;
  
  identifying data contained in the user'"'"'s account;
  
  upon verifying the user'"'"'s credentials, generating at least one security question based on the data randomly selected from the user'"'"'s account; and
  
  providing the at least one security question to the user via a user interface, wherein the user is required to correctly answer the at least one security question in order to access the user'"'"'s account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, wherein the step of obtaining an identifier associated with a device comprises:
    - obtaining an internet protocol address associated with the device accessing the sign-in page.
  - 3. The method as recited in claim 1, wherein the step of obtaining an identifier associated with a device comprises the step of:
    - obtaining a device identification associated with the device accessing the sign-in page.
  - 4. The method as recited in claim 1, wherein the step of obtaining an identifier associated with a device comprises the step of:
    - determining a geographical location associated with the device accessing the sign-in page.
  - 5. The method as recited in claim 2, wherein the step of determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device comprises the steps of:
    - accessing a known bot database, wherein the known bot database contains a list of internet protocol addresses that have been associated with a bot;
      
      comparing the internet protocol address associated with the device accessing the sign-in page with the list contained in the know bot database; and
      
      determining that the internet protocol address associated with the device accessing the sign-in page is located on the list.
  - 6. The method as recited in claim 2, wherein the step of determining that the identifier associated with the device accessing the sign-in page is not associated with a trusted device comprises the steps of:
    - accessing a database containing internet protocol addresses associated with devices that have been associated with successfully accessing the user'"'"'s account;
      
      comparing the internet protocol address associated with the device accessing the sign-in page with the internet protocol addresses contained in the database; and
      
      determining that the internet protocol address associated with the device accessing the sign-in page is not located in the trusted device database.
  - 7. The method as recited in claim 1, wherein the data contained in the user'"'"'s account includes at least one of the following:
    - contact information stored in an address book, event information associated with a calendar, electronic messages sent by the user, electronic messages received by the user, group affiliations, and recent account activity.
  - 8. The method as recited in claim 7, wherein the step of generating at least one security question comprises the steps of:
    - accessing the address book;
      
      selecting at least one contact name from the address book;
      
      generating at least one fictitious contact name;
      
      presenting the at least one contact name selected from the address book and the at least one fictitious contact name to the user via an interface; and
      
      requesting the user to select only the at least one contact name selected from the address book.
  - 9. The method as recited in claim 7, wherein the step of generating at least one security question comprises the steps of:
    - accessing the electronic messages received by the user, wherein each electronic message received by the user includes a header containing a sender name and a subject line;
      
      selecting at least one electronic message received by the user;
      
      obtaining the subject line from the header of each of the at least one selected electronic messages;
      
      generating at least one fictitious subject line;
      
      presenting the subject line obtained from the header of each of the selected electronic messages and the subject line from each one of the at least one fictitious subject lines to the user; and
      
      requesting the user to select only the subject lines from electronic message actually received by the user.
  - 10. The method as recited in claim 1, further comprising:
    - if the security question is answered incorrectly, limiting access to the user'"'"'s account.
  - 11. The method as recited in claim 10, wherein the step of limiting the access to the user'"'"'s account comprises the step of granting read-only access to the user.

12. A method for authenticating a user prior to proceeding to a landing page that has access to an account storing the user'"'"'s data, comprising:
- obtaining an identifier associated with a device accessing a sign-in page, the sign-in page requires entry of credentials associated with the user before proceeding to the landing page;
  
  designating the device as not trusted based on the identifier associated with the device accessing the sign-in page;
  
  identifying categories of user data stored in the account;
  
  selecting a first category of user data stored in the account;
  
  generating a first security question using user data from the first category of data;
  
  selecting a second category of user data stored in the account;
  
  generating a second security question using user data from the second category of data; and
  
  after successful authentication of the user by verifying the credentials entered in the sign-in page, providing the first and second security questions to the user via a user interface, wherein the user is required to correctly answer the first and second security questions in order to proceed to the landing page.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method as recited in claim 12, wherein the step of obtaining an identifier associated with a device accessing the sign-in page comprises the step of:
    - obtaining at least one of the following identifiers associated with the device accessing the sign-in page;
      
      Internet Protocol address, device identification, geographical location, subnet, network access identifier, and autonomous system number.
  - 14. The method as recited in claim 13, wherein the step of designating the device as not trusted comprises the steps of:
    - identifying the Internet Protocol address associated with the device accessing the sign-in page;
      
      accessing a database containing Internet Protocol addresses previously associated with the user'"'"'s account;
      
      comparing the Internet Protocol address associated with the device accessing the sign-in page with the Internet Protocol addresses contained in the database; and
      
      determining that the Internet Protocol address associated with the device accessing the sign-in page is not located in the database.
  - 15. The method as recited in claim 12, wherein the data contained in the user'"'"'s account includes at least two of the following categories of data:
    - contact information stored in an address book, event information associated with a calendar, electronic messages sent by the user, electronic messages received by the user, group affiliations, and recent account activity.
  - 16. The method as recited in claim 15, wherein the first category of data is electronic messages sent by the user and the, the step of generating the first security question comprises the steps of:
    - selecting an electronic message sent by the user contained in the user'"'"'s account, wherein the electronic message sent by the user includes a header that includes a recipient address and a subject line;
      
      obtaining the recipient address from the header of the selected electronic message;
      
      generating at least two fictitious recipient addresses;
      
      generating the first security question, the first security questions presents the recipient address obtained from the electronic message sent by the user and the at least two fictitious recipient addresses and requests the user to select the recipient address obtained from the electronic message sent by the user.

17. A method for providing account hijacking countermeasures in an online communications service environment, comprising:
- providing a sign-in page requiring verification of a user'"'"'s credentials prior to proceeding to the user'"'"'s account, wherein the user'"'"'s credentials include a unique user identification and a password;
  
  determining that a device accessing the sign-in page is not a trusted device;
  
  after the user'"'"'s credentials have been verified via the sign-in page, providing an authentication page containing at least two security questions, wherein each security question is based on information obtained from the user'"'"'s account; and
  
  proceeding to the user'"'"'s account if each of the at least two security questions provided in the authentication page are answered correctly.
- View Dependent Claims (18, 19, 20)
- - 18. The method as recited in claim 17, wherein the user'"'"'s account contains data associated with the user'"'"'s unique user identification and includes at least one of the following types of data:
    - contact information stored in an address book, event information associated with a calendar, electronic messages sent by the user, electronic messages received by the user, group affiliations, and account activity.
  - 19. The method as recited in claim 18, wherein the step of providing an authentication page containing at least two security questions comprises the steps of:
    - selecting an electronic message sent by the user, wherein the electronic message sent by the user includes a header having a recipient address and a subject line;
      
      obtaining the recipient address from the header of the selected electronic message;
      
      generating at least two fictitious recipient names;
      
      selecting a contact name from the user'"'"'s address book;
      
      generating at least two fictitious contact names;
      
      generating a first security question that presents the recipient address obtained from the electronic message sent by the user and the at least two fictitious recipient addresses to the user via an interface and requests that the user select the recipient address obtained from the electronic message sent by the user; and
      
      generating a second security question that provides the contact name selected from the address book and the at least two fictitious contact names and requests that the user select the contact name selected from the address book.
  - 20. The method as recited in claim 17, further comprising the step of:
    - Denying access to the user'"'"'s account if each of the at least two security questions are not correctly answered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Craddock, Richard S., Vitaldevara, Krishna C.

Granted Patent

US 8,707,407 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/31   User authentication

G06F 21/40   by quorum, i.e. whereby two...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

ACCOUNT HIJACKING COUNTER-MEASURES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

ACCOUNT HIJACKING COUNTER-MEASURES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others