Using mock tokens to protect against malicious activity

US 9,516,059 B1
Filed: 06/28/2011
Issued: 12/06/2016
Est. Priority Date: 06/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method of fraud protection, the method comprising:

providing a first mock token to first suspected fraudster equipment in response to a first phishing attempt, the mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate token is provided to the first suspected fraudster equipment in response to the first phishing attempt, and storing the first mock token in a first database entry associated with the legitimate user and the first suspected fraudster;

providing a second mock token to a second suspected fraudster equipment in response to a second phishing attempt, the mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate token is provided to the second suspected fraudster equipment in response to the second phishing attempt, and storing the second mock token in a second database entry associated with the legitimate user and the second suspected fraudster;

subsequent to providing the first and second mock tokens, receiving, from suspected fraudster equipment, an authentication request which includes one of the first and second mock tokens stored in the database, thereby identifying the suspected fraudster equipment as a true fraudster; and

in response to receiving the authentication request which uses the mock token from the true fraudster, performing a set of authentication server operations to protect against future activity by the true fraudster;

wherein each legitimate token is derived from a secret seed uniquely associated with a corresponding legitimate user account;

wherein providing the first mock token to the first suspected fraudster equipment in response to the first phishing attempt includes providing log-in information falsely appearing to allow access to a legitimate user account; and

wherein the method further includes performing an authentication operation which detects an attempt to use of one of the first and second mock tokens to prove authorization to access the legitimate user account; and

wherein performing the set of authentication server operations further includes performing a remedial operation in response to detected use of the mock token,wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes;

outputting a message to a set of authentication servers, the message identifying the fraudster equipment as a source of malicious activity,wherein the set of authentication servers includes a plurality of authentication servers which each control access to protected resources.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique provides protection against malicious activity. The technique involves providing a mock token to fraudster equipment. The mock token appears to be a legitimate user token that identifies a legitimate user (e.g., an actual user token, a token seed, etc.). The technique further involves receiving, from the fraudster equipment, an authentication request which uses the mock token and, in response to receiving the authentication request which uses the mock token from the fraudster equipment, performing a set of authentication server operations to protect against future activity by the fraudster equipment (e.g., deny access to the fraudster equipment, acquire specific information about the fraudster equipment, output a message to subscribers of an eFraud network, and so on).

37 Citations

View as Search Results

15 Claims

1. A method of fraud protection, the method comprising:
- providing a first mock token to first suspected fraudster equipment in response to a first phishing attempt, the mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate token is provided to the first suspected fraudster equipment in response to the first phishing attempt, and storing the first mock token in a first database entry associated with the legitimate user and the first suspected fraudster;
  
  providing a second mock token to a second suspected fraudster equipment in response to a second phishing attempt, the mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate token is provided to the second suspected fraudster equipment in response to the second phishing attempt, and storing the second mock token in a second database entry associated with the legitimate user and the second suspected fraudster;
  
  subsequent to providing the first and second mock tokens, receiving, from suspected fraudster equipment, an authentication request which includes one of the first and second mock tokens stored in the database, thereby identifying the suspected fraudster equipment as a true fraudster; and
  
  in response to receiving the authentication request which uses the mock token from the true fraudster, performing a set of authentication server operations to protect against future activity by the true fraudster;
  
  wherein each legitimate token is derived from a secret seed uniquely associated with a corresponding legitimate user account;
  
  wherein providing the first mock token to the first suspected fraudster equipment in response to the first phishing attempt includes providing log-in information falsely appearing to allow access to a legitimate user account; and
  
  wherein the method further includes performing an authentication operation which detects an attempt to use of one of the first and second mock tokens to prove authorization to access the legitimate user account; and
  
  wherein performing the set of authentication server operations further includes performing a remedial operation in response to detected use of the mock token,wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes;
  
  outputting a message to a set of authentication servers, the message identifying the fraudster equipment as a source of malicious activity,wherein the set of authentication servers includes a plurality of authentication servers which each control access to protected resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15)
- - 2. A method as in claim 1 wherein a mock token list includes a set of mock token entries corresponding to a set of mock tokens;
    - and wherein performing the authentication operation which detects use of one of the first and second mock tokens includes;
      
      during the authentication operation, matching the mock token to a particular mock token entry of the mock token list.
  - 3. A method as in claim 1 wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes:
    - preventing the fraudster equipment from accessing a protected resource.
  - 4. A method as in claim 1 wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes:
    - communicating with the fraudster to obtain device-specific information.
  - 5. A method as in claim 1 wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes:
    - preventing the fraudster equipment from accessing a protected resource; and
      
      communicating with the fraudster equipment to obtain device-specific information.
  - 6. A method as in claim 1 wherein providing the mock token to the fraudster equipment includes placing the mock token in a database that is accessible by the fraudster equipment in an unauthorized manner prior to receiving an attack.
  - 7. A method as in claim 1 wherein:
    - providing the first mock token includes generating the first mock token to be fake and detectable, and distributing the first mock token at locations that are susceptible to theft of sensitive data; and
      
      wherein the first mock token provides the fraudster equipment with a code that appears to allow access via a login operation to a protected resource, the code, in actuality, not providing access to the protected resource.
  - 8. A method as in claim 1 wherein providing the first mock token to fraudster equipment includes using the first mock token in a login attempt on the first suspected phishing fraudster equipment prior to receiving an attack.
  - 9. A method as in claim 1 wherein providing the first mock token to suspected fraudster equipment includes attempting to log onto the first suspected fraudster equipment in response to receiving a phishing attempt message including a link to the first suspected fraudster equipment.
  - 10. A method as in claim 1 wherein in response to receiving the authentication request which uses the mock token from the true fraudster, the method further includes performing adaptive risk-based authentication.
  - 11. A method as in claim 1 wherein:
    - the authentication servers of the set of authentication servers are eFraud network (EFN) subscriber authentication servers, each EFN subscriber authentication server being remote from its respective protected resources; and
      
      outputting the message includes sending the message from an EFN controller over a network connection to the EFN subscriber authentication servers of the set of authentication servers.
  - 15. A method as in claim 10 wherein performing adaptive risk-based authentication includes utilizing at least one of client IP address, client geographical location, and client browser capability.

12. A computer program product having a non-transitory computer readable medium which stores a set of instructions that, when performed by a computerized device, cause the computerized device to:
- provide a first mock token to a first suspected fraudster equipment in response to a first phishing attempt, the first mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate user token is provided to the first suspected fraudster equipment in response to a first phishing attempt, and storing the first mock token in a first database entry associated with the legitimate user and the first suspected fraudster;
  
  provide a second mock token to a second suspected fraudster equipment in response to a second phishing attempt, the mock token appearing to be a legitimate user token that identifies a legitimate user, wherein no legitimate token is provided to the second suspected fraudster equipment in response to a second phishing attempt, and store the second mock token in a second database entry associated with the legitimate user and the second suspected fraudster;
  
  subsequent to providing the first and second mock tokens, receive, from suspected fraudster equipment, an authentication request which includes the first mock token stored in the database, thereby identifying the suspected fraudster equipment as a true fraudster; and
  
  in response to receiving the authentication request which uses the mock token from the true fraudster, perform a set of authentication server operations to protect against future activity by the true fraudster;
  
  wherein each legitimate token is derived from a secret seed uniquely associated with a corresponding legitimate user account;
  
  wherein the first mock token includes log-in information falsely appearing to provide access to a legitimate user account;
  
  wherein performing the set of authentication server operations includes;
  
  performing an authentication operation which detects an attempt to use of one of the first and second mock tokens to prove authorization to access the legitimate user account; and
  
  performing a remedial operation in response to detected use of the mock token, wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes outputting a message to a set of authentication servers, the message identifying the fraudster equipment as a source of malicious activity, wherein the set of authentication servers includes a plurality of authentication servers which each control access to protected resources.
- View Dependent Claims (13, 14)
- - 13. A computer program product as in claim 12 wherein a mock token list includes a set of mock token entries corresponding to a set of mock tokens;
    - and wherein performing the authentication operation which detects use of one of the first and second mock tokens includes;
      
      during the authentication operation, matching the mock token to a particular mock token entry of the mock token list.
  - 14. A computer program product as in claim 12 wherein performing the remedial operation in response to detected use of one of the first and second mock tokens includes:
    - preventing the fraudster equipment from accessing a protected resource; and
      
      communicating with the fraudster equipment to obtain device-specific information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Monovich, Amit, Dotan, Yedidya, Friedman, Lawrence N., Volanis, Alexander
Primary Examiner(s)
Parsons, Theodore C

Application Number

US13/170,732
Time in Patent Office

1,988 Days
Field of Search

726/6, 726/23, 726/22
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Using mock tokens to protect against malicious activity

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Using mock tokens to protect against malicious activity

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others