System and method for preventing large-scale account lockout

US 8,302,187 B1
Filed: 09/27/2007
Issued: 10/30/2012
Est. Priority Date: 09/27/2007
Status: Active Grant

First Claim

Patent Images

1. A system for preventing large-scale account lockout, the system comprising:

a processor;

a memory coupled to the processor, wherein the memory comprises program instructions executable by the processor to;

receive one or more access requests for access to a user account associated with a user, wherein each access request includes an authorization code;

provide a count that indicates a number of incorrect account access requests that have been received, wherein each incorrect access request is one of said one or more access requests indicating an incorrect authorization code;

in response to determining that the count has reached a warning threshold that specifies a plurality of incorrect account access requests have been received, the warning threshold being less than a lockout threshold;

contact the user through a registered communication channel to alert the user that the warning threshold has been reached, wherein the registered communication channel is a communication channel specified by the user prior to said receiving one or more access requests; and

to prevent an attacker from locking access to the user account, place the user account in a hold state such that additional correct and incorrect access requests for the user account that are received while the user account is in the hold state are rejected, the hold state being removable responsive to receipt of valid account verification information;

subsequent to contacting the user and while the user account is in the hold state, receive account verification information specified by the user after being alerted;

in response to determining the received account verification information is valid, remove the user account from the hold state; and

in response to determining that the count has reached the lockout threshold, lock access to the user account such that unlocking the user account requires a different set of verification information than is required to remove the user account from the hold state.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of a system and method for preventing large-scale account lockout are described. The system and method for preventing large-scale account lockout may include an account access control component configured to prevent fraudulent individuals from locking access to user accounts. The account access control component may lock access to an account after a lockout threshold is tripped. To prevent an account from being locked by fraudulent individuals, the account access control component may utilize a warning threshold. When the account access control component detects a number of incorrect authorization attempts equal to the warning threshold, the control component may perform various actions to prevent a fraudulent individual from locking an account holder'"'"'s account, including, but not limited to, contacting the account holder through a registered communication channel to inform the user that the warning threshold has been reached or placing the account holder'"'"'s account in a particular hold state.

66 Citations

View as Search Results

21 Claims

1. A system for preventing large-scale account lockout, the system comprising:
- a processor;
  
  a memory coupled to the processor, wherein the memory comprises program instructions executable by the processor to;
  
  receive one or more access requests for access to a user account associated with a user, wherein each access request includes an authorization code;
  
  provide a count that indicates a number of incorrect account access requests that have been received, wherein each incorrect access request is one of said one or more access requests indicating an incorrect authorization code;
  
  in response to determining that the count has reached a warning threshold that specifies a plurality of incorrect account access requests have been received, the warning threshold being less than a lockout threshold;
  
  contact the user through a registered communication channel to alert the user that the warning threshold has been reached, wherein the registered communication channel is a communication channel specified by the user prior to said receiving one or more access requests; and
  
  to prevent an attacker from locking access to the user account, place the user account in a hold state such that additional correct and incorrect access requests for the user account that are received while the user account is in the hold state are rejected, the hold state being removable responsive to receipt of valid account verification information;
  
  subsequent to contacting the user and while the user account is in the hold state, receive account verification information specified by the user after being alerted;
  
  in response to determining the received account verification information is valid, remove the user account from the hold state; and
  
  in response to determining that the count has reached the lockout threshold, lock access to the user account such that unlocking the user account requires a different set of verification information than is required to remove the user account from the hold state.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein, while the account is placed in the hold state, the program instructions are executable to provide the user access to the user account through the registered communication channel.
  - 3. The system of claim 2, wherein to provide the user access to the user account the program instructions are executable to enable the user to complete a transaction through the registered communication channel while the account is placed in the hold state.
  - 4. The system of claim 1, wherein program instructions are configured to receive account verification information from the user through said registered communication channel, wherein said account verification information includes information specified by the user prior to said receiving one or more access requests.
  - 5. The system of claim 1, wherein, subsequent to alerting the user that the warning threshold has been reached, the program instructions are executable to reset the count to prevent the count from reaching the lockout threshold.
  - 6. The system of claim 1, wherein the program instructions are further executable to:
    - in response to determining that the count has reached a session threshold that indicates a number of incorrect account access requests received during a current session between the system and the user, cancel the current session.
  - 7. The system of claim 1, wherein the program instructions are further executable to:
    - in response to determining that the count has reached an initial threshold that indicates a number of incorrect account access requests received during a previously specified time period, temporarily lock access to the user account.

8. A method for preventing large-scale account lockout, the method comprising:
- receiving one or more access requests for access to a user account associated with a user, wherein each access request includes an authorization code;
  
  providing a count that indicates a number of incorrect account access requests that have been received, wherein each incorrect access request is one of said one or more access requests indicating an incorrect authorization code;
  
  in response to determining that the count has reached a warning threshold that specifies a plurality of incorrect account access requests have been received, the warning threshold being less than a lockout threshold;
  
  contacting the user through a registered communication channel to alert the user that the warning threshold has been reached, wherein the registered communication channel is a communication channel specified by the user prior to said receiving one or more access requests; and
  
  to prevent an attacker from locking access to the user account, placing the user account in a hold state such that additional correct and incorrect access requests for the user account that are received while the user account is in the hold state are rejected, the hold state being removable responsive to receipt of valid account verification information;
  
  subsequent to contacting the user and while the user account is in the hold state, receiving account verification information specified by the user after being alerted;
  
  in response to determining the received account verification information is valid, removing the user account from the hold state; and
  
  providing a lock component configured to, in response to determining that the count has reached the lockout threshold, lock access to the user account such that unlocking the user account requires a different set of verification information than is required to remove the user account from the hold state.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising providing the user access to the user account through the registered communication channel while the user account is placed in the hold state.
  - 10. The method of claim 9, further comprising enabling the user to complete a transaction through the registered communication channel while the user account is placed in the hold state.
  - 11. The method of claim 8, further comprising, receiving the account verification information from the user through said registered communication channel, wherein said account verification information includes information specified by the user prior to said receiving one or more access requests.
  - 12. The method of claim 8, further comprising, subsequent to alerting the user that the warning threshold has been reached, resetting the count to prevent the count from reaching the lockout threshold.
  - 13. The method of claim 8, further comprising:
    - in response to determining that the count has reached a session threshold that indicates a number of incorrect account access requests received during a current session between the system and the user, canceling the current session.
  - 14. The method of claim 8, further comprising:
    - in response to determining that the count has reached an initial threshold that indicates a number of incorrect account access requests received during a previously specified time period, temporarily locking access to the user account.

15. A non-transitory computer-readable storage medium, comprising program instructions computer-executable to:
- receive one or more access requests for access to a user account associated with a user, wherein each access request includes an authorization code;
  
  provide a count that indicates a number of incorrect account access requests that have been received, wherein each incorrect access request is one of said one or more access requests indicating an incorrect authorization code;
  
  in response to determining that the count has reached a warning threshold that specifies a plurality of incorrect account access requests have been received, the warning threshold being less than a lockout threshold;
  
  contact the user through a registered communication channel to alert the user that the warning threshold has been reached, wherein the registered communication channel is a communication channel specified by the user prior to said receiving one or more access requests; and
  
  to prevent an attacker from locking access to the user account, place the user account in a hold state such that additional correct and incorrect access requests for the user account that are received while the user account is in the hold state are rejected, the hold state being removable responsive to receipt of valid account verification information;
  
  subsequent to contacting the user and while the user account is in the hold state, receive account verification information specified by the user after being alerted;
  
  in response to determining the received account verification information is valid, remove the user account from the hold state; and
  
  provide a lock component configured to, in response to determining that the count has reached the lockout threshold, lock access to the user account such that unlocking the user account requires a different set of verification information than is required to remove the user account from the hold state.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The medium of claim 15, wherein the program instructions are further executable to provide the user access to the user account through the registered communication channel while the user account is placed in the hold state.
  - 17. The medium of claim 16, wherein the program instructions are further executable to enable the user to complete a transaction through the registered communication channel while the user account is placed in the hold state.
  - 18. The medium of claim 15, wherein the program instruction are further executable to receive account verification information from the user through said registered communication channel, wherein said account verification information includes information specified by the user prior to said receiving one or more access requests.
  - 19. The medium of claim 15, wherein the program instruction are further executable to, subsequent to alerting the user that the warning threshold has been reached, reset the count to prevent the count from reaching the lockout threshold.
  - 20. The medium of claim 15, wherein the program instructions are further executable to:
    - in response to determining that the count has reached a session threshold that indicates a number of incorrect account access requests received during a current session between the system and the user, cancel the current session.
  - 21. The medium of claim 15, wherein the program instructions are further executable to:
    - in response to determining that the count has reached an initial threshold that indicates a number of incorrect account access requests received during a previously specified time period, temporarily lock access to the user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Gupta, Diwakar, Yuen, Philip, Huang, Chih-Jen, Yuen, Gerald
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US11/862,979
Time in Patent Office

1,860 Days
Field of Search

726/3, 726/22, 726/28, 713/182
US Class Current

726/22
CPC Class Codes

H04L 65/1079 of unsolicited session atte...

System and method for preventing large-scale account lockout

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing large-scale account lockout

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links