Detecting man-in-the-middle attacks in electronic transactions using prompts

US 8,917,826 B2
Filed: 07/31/2012
Issued: 12/23/2014
Est. Priority Date: 07/31/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authenticating an electronic banking transaction, the method comprising:

receiving an electronic banking transaction request from a user, the electronic transaction request originating at a client system;

determining an Internet Protocol (IP) address associated with the client system from which the received electronic banking transaction request originates;

providing the user with a one time password associated with the electronic banking transaction request;

providing the user with a third party verification number associated with the electronic banking transaction request;

receiving a telephonic communication to the third party verification number from a telephonic device associated with the user;

prompting the user, via a voice response unit, to input the password using the telephonic device, the telephonic device having a user number;

authenticating the user based on a comparison of the inputted password and the provided one time password and the user number where the authenticating is performed by a third-party service provider, wherein the third-party provider is not a participant in the electronic banking transaction;

determining a probable location of the user based on the determined IP address of the client system;

communicating to the user, via the voice response unit, the probable location of the user based on the determined IP address associated with the client system; and

prompting the user to confirm the probable location of the user based on the IP address associated with the client system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the invention provide a solution for detecting man-in-the-middle attacks in electronic transactions using prompts. One embodiment includes a method for authenticating an electronic transaction. The method includes: receiving an electronic transaction request from a user, determining an IP address associated with a client system from which the electronic transaction request originates, providing the user with a password associated with the electronic transaction request, receiving a telephonic communication from a telephonic device associated with the user, prompting the user, via a voice response unit, to input the password using the telephonic device, authenticating the user by comparing the inputted password and the provided password, determining a probable location of the user based on the determined IP address of the client system, communicating to the user the probable location of the user based on the determined IP address, and prompting the user to confirm the probable location of the user.

Citations

21 Claims

1. A method of authenticating an electronic banking transaction, the method comprising:
- receiving an electronic banking transaction request from a user, the electronic transaction request originating at a client system;
  
  determining an Internet Protocol (IP) address associated with the client system from which the received electronic banking transaction request originates;
  
  providing the user with a one time password associated with the electronic banking transaction request;
  
  providing the user with a third party verification number associated with the electronic banking transaction request;
  
  receiving a telephonic communication to the third party verification number from a telephonic device associated with the user;
  
  prompting the user, via a voice response unit, to input the password using the telephonic device, the telephonic device having a user number;
  
  authenticating the user based on a comparison of the inputted password and the provided one time password and the user number where the authenticating is performed by a third-party service provider, wherein the third-party provider is not a participant in the electronic banking transaction;
  
  determining a probable location of the user based on the determined IP address of the client system;
  
  communicating to the user, via the voice response unit, the probable location of the user based on the determined IP address associated with the client system; and
  
  prompting the user to confirm the probable location of the user based on the IP address associated with the client system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising processing the electronic banking transaction request for the user in response to the user confirming the probable location of the user based on the determined IP address is substantially similar to an actual location of the user.
  - 3. The method of claim 1, wherein the telephonic device includes at least one of a mobile device or a telephone.
  - 4. The method of claim 1, wherein the user number is pre-registered with the third-party service provider.
  - 5. The method of claim 1, further comprising cancelling the electronic banking transaction request in response to one of:
    - receiving a telephonic communication from a distinct telephonic device that is not associated with the user,determining the inputted one time password differs from the provided one time password, orreceiving a notification from the user indicating the user has cancelled the electronic banking transaction request in response to the probable location of the user differing from an actual location of the user.
  - 6. The method of claim 1, further comprising:
    - determining if the IP address associated with the client system is included on a server proxies list; and
      
      performing one of;
      
      excluding the user from confirming the probable location of the user based on the IP address in response to determining the IP address associated with the client system is included on the server proxies list, orallowing the user to confirm the probable location of the user, independent of an actual location of the user, in response to determining the IP address associated with the client system is included on the server proxies list.
  - 7. The method of claim 1, wherein the determining of the probable location of the user based on the determined IP address associated with the client system is performed by a third party service provider who is not a participant in the electronic banking transaction.

8. A computer system comprising:
- at least one computing device configured to authenticate an electronic banking transaction by performing actions including;
  
  receiving an electronic banking transaction request from a user, the electronic banking transaction request originating at a client system;
  
  determining an Internet Protocol (IP) address associated with the client system from which the received electronic banking transaction request originates;
  
  providing the user with a one time password associated with the electronic banking transaction request;
  
  providing the user with a third party verification number associated with the electronic banking transaction request;
  
  receiving a telephonic communication to the third party verification number from a telephonic device associated with the user;
  
  prompting the user, via a voice response unit, to input the password using the telephonic device, the telephonic device having a user number;
  
  authenticating the user based on a comparison of the inputted password and the provided password and the user number where the authenticating is performed by a third-party service provider, wherein the third-party provider is not a participant in the electronic banking transaction;
  
  determining a probable location of the user based on the determined IP address of the client system;
  
  communicating to the user, via the voice response unit, the probable location of the user based on the determined IP address associated with the client system; and
  
  prompting the user to confirm the probable location of the user based on the IP address associated with the client system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, further comprising:
    - processing the electronic banking transaction request for the user in response to the user confirming the probable location of the user based on the determined IP address is substantially similar to an actual location of the user.
  - 10. The computer system of claim 8, wherein the telephonic device includes at least one of a mobile device or a telephone.
  - 11. The computer system of claim 8, wherein the user number is pre-registered with the third-party service provider.
  - 12. The computer system of claim 8, further comprising:
    - cancelling the electronic banking transaction request in response to one of;
      
      receiving a telephonic communication from a distinct telephonic device that is not associated with the user,determining the inputted one time password differs from the provided one time password, orreceiving a notification from the user indicating the user has cancelled the electronic banking transaction request in response to the probable location of the user differing from an actual location of the user.
  - 13. The computer system of claim 8, further comprising:
    - determining if the IP address associated with the client system is included on a server proxies list; and
      
      performing one of;
      
      excluding the user from confirming the probable location of the user based on the IP address in response to determining the IP address associated with the client system is included on the server proxies list, orallowing the user to confirm the probable location of the user, independent of an actual location of the user, in response to determining the IP address associated with the client system is included on the server proxies list.
  - 14. The computer system of claim 8, wherein the determining of the probable location of the user based on the determined IP address associated with the client system is performed by the third party service provider who is not a participant in the electronic banking transaction.

15. A computer program product for authenticating an electronic banking transaction, the computer program product comprising a non-transitory computer readable medium having program code embodied therewith, the program code executable by at least one computer system to perform a method comprising:
- receiving an electronic banking transaction request from a user, the electronic transaction request originating at a client system;
  
  determining an Internet Protocol (IP) address associated with the client system from which the received electronic banking transaction request originates;
  
  providing the user with a one time password associated with the electronic banking transaction request;
  
  providing the user with a third party verification number associated with the electronic banking transaction request;
  
  receiving a telephonic communication to the third party verification number from a telephonic device associated with the user;
  
  prompting the user, via a voice response unit, to input the password using the telephonic device, the telephonic device having a user number;
  
  authenticating the user based on a comparison of the inputted password and the provided password and the user number where the authenticating is performed by a third-party service provider, wherein the third-party provider is not a participant in the electronic banking transaction;
  
  determining a probable location of the user based on the determined IP address of the client system;
  
  communicating to the user, via the voice response unit, the probable location of the user based on the determined IP address associated with the client system; and
  
  prompting the user to confirm the probable location of the user based on the IP address associated with the client system.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15 further comprises:
    - processing the electronic banking transaction request for the user in response to the user confirming the probable location of the user based on the determined IP address is substantially similar to an actual location of the user.
  - 17. The computer program product of claim 15, wherein the telephonic device includes at least one of a mobile device or a telephone.
  - 18. The computer program product of claim 15, wherein the user number is pre-registered with the third-party service provider.
  - 19. The computer program product of claim 15 further comprises:
    - cancelling the electronic banking transaction request in response to one of;
      
      receiving a telephonic communication from a distinct telephonic device that is not associated with the user,determining the inputted one time password differs from the provided one time password, orreceiving a notification from the user indicating the user has cancelled the electronic banking transaction request in response to the probable location of the user differing from an actual location of the user.
  - 20. The computer program product of claim 15 further comprises:
    - determining if the IP address associated with the client system is included on a server proxies list; and
      
      performing one of;
      
      excluding the user from confirming the probable location of the user based on the IP address in response to determining the IP address associated with the client system is included on the server proxies list, orallowing the user to confirm the probable location of the user, independent of an actual location of the user, in response to determining the IP address associated with the client system is included on the server proxies list.
  - 21. The computer program product of claim 15, wherein the determining of the probable location of the user based on the determined IP address associated with the client system is performed by a third party service provider who is not a participant in the electronic banking transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bravo, Jose F., Crume, Jeffery L.
Primary Examiner(s)
Tsang, Fan
Assistant Examiner(s)
BEZUAYEHU, SOLOMON G

Application Number

US13/562,491
Publication Number

US 20140037074A1
Time in Patent Office

875 Days
Field of Search

379/67.01, 705/64, 705/75, 705/14.51
US Class Current

379/88.01
CPC Class Codes

H04L 2101/65   Telephone numbers

H04L 61/106   across networks, e.g. mappi...

H04L 63/067   using one-time keys cryptog...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/107   wherein the security polici...

H04L 67/52   specially adapted for the l...

H04W 12/068   using credential vaults, e....

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

Detecting man-in-the-middle attacks in electronic transactions using prompts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting man-in-the-middle attacks in electronic transactions using prompts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links