Systems and methods for detection of session tampering and fraud prevention

US 9,754,311 B2
Filed: 11/03/2015
Issued: 09/05/2017
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a potential session hijacking of an online session, the method comprising:

establishing an online session regarding a transaction between a computer and a user device over a network, the online session comprising a session identifier generated at least partly based on information received about the user device;

initiating a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;

receiving the set of device fingerprints over the network in response to the request;

analyzing the set of device fingerprints for indications of non-matched data;

extracting device information associated with the set of device fingerprints;

determining that the extracted device information and the received information about the user device indicate that the more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;

detecting session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and

in response to detecting the session hijacking, providing session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the middle attacks.

Citations

20 Claims

1. A method for detecting a potential session hijacking of an online session, the method comprising:
- establishing an online session regarding a transaction between a computer and a user device over a network, the online session comprising a session identifier generated at least partly based on information received about the user device;
  
  initiating a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;
  
  receiving the set of device fingerprints over the network in response to the request;
  
  analyzing the set of device fingerprints for indications of non-matched data;
  
  extracting device information associated with the set of device fingerprints;
  
  determining that the extracted device information and the received information about the user device indicate that the more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
  
  detecting session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
  
  in response to detecting the session hijacking, providing session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - determining a transaction type for the online session; and
      
      determining a level of suspected fraud based at least partly on the transaction type.
  - 3. The method of claim 2, wherein one or more device fingerprints in the set of device fingerprints are collected more frequently when the level of suspected fraud is high.
  - 4. The method of claim 2, wherein the set of device fingerprints comprises more fingerprints when the level of suspected fraud is high.
  - 5. The method of claim 2, wherein one or more device fingerprints in the set of device fingerprints are collected less frequently when the level of suspected fraud is low.
  - 6. The method of claim 1, wherein the information received about the user device is unique to the user device.
  - 7. The method of claim 1, wherein the information received about the user device comprises one or more of the following:
    - IP address of the user device, browser identifier of the user device, a clock skew of the user device, or a time difference between the user device and the computer.

8. A computer system for detecting online session tampering, the computer system comprising:
- a network interface which establishes a connection with a user device over a network;
  
  a processor configured to execute software instructions to cause the computer system to;
  
  establish an online session regarding a transaction with the user device over a network, the online session comprising a session identifier (ID) generated at least partly based on information received about the user device;
  
  initiate a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts a second location of the website;
  
  receive the set of device fingerprints over the network in response to the request;
  
  analyze the set of device fingerprints for indications of non-matched data;
  
  extract device information associated with the set of device fingerprints;
  
  determine that the extracted device information and the received information about the user device indicate that the more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
  
  detect session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
  
  in response to detecting the session hijacking, provide session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking; and
  
  a non-transitory data storage configured to;
  
  communicate with the processor; and
  
  store information comprising at least one of the following;
  
  the session ID, information received about the user device, or the set of device fingerprints.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the processor is further configured to execute software instructions to:
    - determine a transaction type for the online session; and
      
      determine a level of suspected fraud based at least partly on the transaction type.
  - 10. The system of claim 9, wherein the processor configured to execute software instructions to cause device fingerprints to be collected more frequently when the level of suspected fraud is high.
  - 11. The system of claim 9, wherein the processor configured to execute software instructions to cause more device fingerprints for the set of device fingerprints to be collected when the level of suspected fraud is high.
  - 12. The system of claim 9, wherein the processor configured to execute software instructions to cause device fingerprints to be collected less frequently when the level of suspected fraud is low.
  - 13. The system of claim 8, wherein the information received about the user device is unique to the user device.
  - 14. The system of claim 8, wherein the information received about the user device comprises one or more of the following:
    - IP address of the user device, browser identifier of the user device, a clock skew of the user device, or a time difference between the user device and the computer system.

15. Non-transitory computer storage having stored thereon a computer program, the computer program including executable instructions that instruct a computer system to at least:
- establish an online session regarding a transaction between a computer and a user device over a network, the online session comprising a session identifier (ID) generated at least partly based on information received about the user device;
  
  initiate a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;
  
  receive the set of device fingerprints over the network in response to the request;
  
  analyze the set of device fingerprints for indications of non-matched data;
  
  extract device information associated with the set of device fingerprints;
  
  determine that the extracted device information and the received information about the user device indicate that the more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
  
  detect session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
  
  in response to detecting the session hijacking, provide session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer storage of claim 15, wherein the executable instructions further instruct the computer system to:
    - determine a transaction type for the online session; and
      
      determine a level of suspected fraud based at least partly on the transaction type.
  - 17. The non-transitory computer storage of claim 16, wherein one or more device fingerprints in the set of device fingerprints are collected more frequently when the level of suspected fraud is high.
  - 18. The non-transitory computer storage of claim 16, wherein the set of device fingerprints comprises more fingerprints when the level of suspected fraud is high.
  - 19. The non-transitory computer storage of claim 15, wherein the information received about the user device is unique to the user device.
  - 20. The non-transitory computer storage of claim 15, wherein the information received about the user device comprises one or more of the following:
    - IP address of the user device, browser identifier of the user device, a clock skew of the user device, or a time difference between the user device and the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The 41st Parameter, Inc. (Experian plc)
Original Assignee
The 41st Parameter, Inc. (Experian plc)
Inventors
Eisen, Ori
Primary Examiner(s)
LEWIS, LISA C

Application Number

US14/931,799
Publication Number

US 20160203487A1
Time in Patent Office

672 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 20/3825   Use of electronic signatures

G06Q 20/4016   involving fraud or risk lev...

G06Q 30/0635   Processing of requisition o...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

Systems and methods for detection of session tampering and fraud prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detection of session tampering and fraud prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links