System and method for blocking unauthorized network log in using stolen password

US 7,676,834 B2
Filed: 07/15/2004
Issued: 03/09/2010
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for selectively granting a user access to data, comprising:

at a Web server, receiving a user name and password from a user computer;

if the password or user name is not valid, refusing validation, and only if both the password and user name are valid, determining whether a cookie was previously deposited on the user computer by the Web server prior to the receiving act and if so, whether the cookie is valid, and only if the cookie, the user name, and the password are valid, granting access to the data to the user computer;

otherwise,always initiating a user validation process if the user computer has been previously validated at least if the password is valid but the cookie is not, wherein the cookie includes a first machine ID and a first login key and is downloaded from the Web server to the user computer without requiring software on the user computer to generate the cookie, wherein, if the cookie, user name, and password are valid and access is granted to the user computer, a new cookie is downloaded to the user computer, the new cookie including the first machine ID and a second login key different from the first login key, the new cookie being used by the Web server to test for validation in a subsequent login to the Web server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To limit access to thieves of passwords, at initial registration with a Web server, a user is given a password and user name, and a cookie including a login key and machine ID is downloaded to the user. For subsequent log ins, the user inputs the user name and password and if they are correct, the server checks the cookie on the user computer to determine whether the login key and machine ID matches the record stored in the server before granting access. If access is successful a new login key is sent in a new cookie to be used in the next subsequent login so that the login key changes every login. If the cookie check is unsuccessful, the server refuses access until a user validation process has been completed.

103 Citations

View as Search Results

29 Claims

1. A computer-implemented method for selectively granting a user access to data, comprising:
- at a Web server, receiving a user name and password from a user computer;
  
  if the password or user name is not valid, refusing validation, and only if both the password and user name are valid, determining whether a cookie was previously deposited on the user computer by the Web server prior to the receiving act and if so, whether the cookie is valid, and only if the cookie, the user name, and the password are valid, granting access to the data to the user computer;
  
  otherwise,always initiating a user validation process if the user computer has been previously validated at least if the password is valid but the cookie is not, wherein the cookie includes a first machine ID and a first login key and is downloaded from the Web server to the user computer without requiring software on the user computer to generate the cookie, wherein, if the cookie, user name, and password are valid and access is granted to the user computer, a new cookie is downloaded to the user computer, the new cookie including the first machine ID and a second login key different from the first login key, the new cookie being used by the Web server to test for validation in a subsequent login to the Web server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 26)
- - 2. The method of claim 1, wherein the Web server is an online banking server.
  - 3. The method of claim 1, wherein the Web server is a content subscription server.
  - 4. The method of claim 1, wherein N≧
    - 1 machines are allocated to the user and the method further comprises, prior to initiating a user validation process when a valid cookie is not found on the user computer, determining whether all N≧
      
      1 machines allocated to the user have accessed the server, and if not, downloading to the user computer attempting access a cookie having a second machine ID different from the first machine and a second login key different from the first login key.
  - 5. The method of claim 1, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new cookie valid for accessing the data may be obtained.
  - 6. The method of claim 5, wherein access to the Web site at which a new cookie valid for accessing the data may be obtained is disabled after the user clicks on the hyperlink.
  - 7. The method of claim 1, wherein the validation process includes prompting the user to call a telephone number to verify predetermined information.
  - 8. The method of claim 1, wherein the validation process includes prompting the user to access a Web site to verify predetermined information online.
  - 9. The method of claim 1, wherein the user computer may be used to access the data for only a limited period of time, after which access is denied.
  - 26. The method of claim 9, wherein access is denied by designating the verification string to be expired.

10. A system for impeding a thief possessing a password of a user from accessing, from a user computer associated with the user, information intended to be accessed by the user, comprising:
- a server computer controlling access to the information, the server computer granting access to the information only upon receipt of a valid password and determination that a valid verification string previously deposited on the user computer resides on the user computer, the server computer otherwise initiating a validation process at least under the condition of the password being valid and the verification string not being valid, wherein the verification string is a cookie and the cookie includes at least a login key and a machine ID, and further wherein the login key is a first login key, and wherein, if the cookie and password are valid and access is granted to the user computer, the server downloads a new cookie to the user computer, the new cookie including the machine ID and a second login key different from the first login key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 20, 27)
- - 11. The system of claim 10, wherein a valid verification string is downloaded to the user computer during a registration process.
  - 12. The system of claim 10, wherein the Web server is an online banking server.
  - 13. The system of claim 10, wherein the Web server is a content subscription server.
  - 14. The system of claim 10, wherein the server, prior to initiating a user validation process when a valid cookie is not found on the user computer, determines whether all N machines allocated to the user have accessed the server, and if not, the server downloads to the user computer attempting access a cookie having a second machine ID different from the first machine ID and a second login key different from the fast login key.
  - 15. The system of claim 10, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new string valid for accessing the data may be obtained.
  - 16. The system of claim 15, wherein access to the Web site at which a new string valid for accessing the data may be obtained is disabled after the user clicks on the hyperlink.
  - 17. The system of claim 10, wherein the validation process includes prompting the user to call a telephone number to verify predetermined information.
  - 18. The system of claim 10, wherein the validation process includes prompting the user to access a Web site to verify predetermined information online.
  - 20. The system of claim 10, wherein the user computer may be used to access the information for only a limited period of time, after which access is denied.
  - 27. The system of claim 20, wherein access is denied by designating the verification string to be expired.

19. A computer system, comprising:
- a Web server computer comprising;
  
  means for sending a verification string to a user computer, the verification string including a machine ID unique to the user computer and a login key that is refreshed each time the user computer logs in to the Web server by a user, wherein N≧
  
  1 machines are associated with the user;
  
  means for, subsequent to sending the verification string to the user computer and in response to an attempted log-in from a login computer that may or may not be the user computer to gain access to information the access to which is controlled by the Web server, determining whether at least a password sent from the login computer is valid, and whether the verification string resides on the login computer;
  
  means for granting access to the user computer if both the password is valid and the verification string resides on the user computer;
  
  means for performing a validation process wherein if the password is valid but the verification string does not reside on the login computer, refusing access pending a successful validation and then determining whether all N≧
  
  1 machines associated with the user have accessed the Web server.
- View Dependent Claims (21, 22, 23, 24, 25, 28, 29)
- - 21. The system of claim 19, wherein if not all N machines have accessed the server, the server downloads to the login computer a verification string having a machine ID different from the machine ID of the user computer and a login key different from the login key of the user computer.
  - 22. The system of claim 19, wherein a valid verification string is downloaded to the user computer during a registration process.
  - 23. The system of claim 19, wherein the Web server is at least one of an online banking server, and a content subscription server.
  - 24. The system of claim 19, wherein the validation process includes sending an email to the user, the email containing at least one hyperlink to a Web site at which a new verification string valid for accessing the data may be obtained.
  - 25. The system of claim 19, wherein the validation process includes prompting the user to call a telephone number and/or to access a Web address to verify predetermined information.
  - 28. The system of claim 19, wherein the user computer may be used to access the information for only a limited period of time, after which access is denied.
  - 29. The system of claim 28, wherein access is denied by designating the verification string to be expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Anakam, Inc. (Equifax, Inc.)
Original Assignee
Anakam, Inc. (Equifax, Inc.)
Inventors
Robb, Robert, Camaisa, Allan
Primary Examiner(s)
Pich; Ponnoreay
Assistant Examiner(s)
Moran; Randal D

Application Number

US10/892,584
Publication Number

US 20060015742A1
Time in Patent Office

2,063 Days
Field of Search

713182-185, 726 2- 9, 705/50, 705/56, 705 64- 67, 705 70- 72, 705 75- 76
US Class Current

726/9
CPC Class Codes

G06F 21/31   User authentication

H04L 63/083   using passwords cryptograph...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

System and method for blocking unauthorized network log in using stolen password

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

System and method for blocking unauthorized network log in using stolen password

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others