Systems and methods for detection of session tampering and fraud prevention
First Claim
1. A method for detecting a potential session hijacking of an online session, the method comprising:
establishing an online session regarding a transaction between a computer and a user device over a network, the online session comprising a session identifier (ID) generated at least partly based on information received about the user device;
initiating a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;
receiving the set of device fingerprints over the network in response to the request;
analyzing the set of device fingerprints for indications of non-matched data;
extracting device information associated with the set of device fingerprints;
determining that the extracted device information and the received information about the user device indicate that more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
detecting session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
in response to detecting the session hijacking, providing session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking.
Abstract
The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser, at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only once or at log-in, a comparison between the fingerprints associated with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks.
20 Claims
1. (Independent claim; set out in full above under First Claim.) Dependent claims: 2 to 7.
8. A computer system for detecting online session tampering, the computer system comprising:
a network interface which establishes a connection with a user device over a network;
a processor configured to execute software instructions to cause the computer system to:
establish an online session regarding a transaction with the user device over a network, the online session comprising a session identifier (ID) generated at least partly based on information received about the user device;
initiate a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;
receive the set of device fingerprints over the network in response to the request;
analyze the set of device fingerprints for indications of non-matched data;
extract device information associated with the set of device fingerprints;
determine that the extracted device information and the received information about the user device indicate that more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
detect session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
in response to detecting the session hijacking, provide session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking; and
a non-transitory data storage configured to:
communicate with the processor; and
store information comprising at least one of the following: the session ID, information received about the user device, or the set of device fingerprints.
Dependent claims: 9 to 14.
15. Non-transitory computer storage having stored thereon a computer program, the computer program including executable instructions that instruct a computer system to at least:
establish an online session regarding a transaction between a computer and a user device over a network, the online session comprising a session identifier (ID) generated at least partly based on information received about the user device;
initiate a request to collect at the user device a set of device fingerprints associated with the session ID during the online session, the set of device fingerprints comprising a first device fingerprint collected when the user device interacts with a first location of the website and a second device fingerprint collected when the user device interacts with a second location of the website;
receive the set of device fingerprints over the network in response to the request;
analyze the set of device fingerprints for indications of non-matched data;
extract device information associated with the set of device fingerprints;
determine that the extracted device information and the received information about the user device indicate that more than one user device is associated with the session ID and that an unauthorized device has likely gained access to the online session;
detect session hijacking in response to a determination that the extracted device information and the received information about the user device indicates more than one user device is associated with the session ID; and
in response to detecting the session hijacking, provide session hijacking alert data comprising information that the online session is hijacked, the session hijacking alert data being used to flag the online session as an instance of the session hijacking or to flag the transaction based on the session hijacking.
Dependent claims: 16 to 20.
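The detection step shared by claims 1, 8 and 15 (a session ID derived partly from device information, fingerprints collected at several page locations, a comparison for non-matched data, and alert data when more than one device is seen) can be implemented server-side as below. This is an added illustration written for this page, not code from the patent or its assignee. The attribute names, the list of attributes treated as volatile, the random-token-plus-device-digest form of the session ID, and the sample reports are all assumptions of the example; the patent specifies none of them.

```python
"""Server-side detection of more than one device behind a single session ID.

Added example, not the patent's code. Attribute names, the volatile-attribute
list, the session-ID construction and the sample reports are assumptions.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Attributes that legitimately change while one user browses (window resizing,
# the collection clock) and are excluded from the device comparison so they do
# not raise false alerts. Assumption: the patent does not enumerate these.
VOLATILE_ATTRIBUTES = {"viewport", "collected_at"}


@dataclass(frozen=True)
class FingerprintReport:
    """One fingerprint the page script posts back: the session it belongs to,
    the page location where it was collected, and the device attributes."""
    session_id: str
    location: str
    attributes: Dict[str, str]


@dataclass
class SessionHijackingAlert:
    """Alert data: the session, the attributes that disagree, how many distinct
    devices were seen, and the page locations where a foreign device appeared."""
    session_id: str
    mismatched_attributes: Dict[str, List[str]]
    devices_seen: int
    flagged_locations: List[str]


def stable_attributes(attrs: Dict[str, str]) -> Dict[str, str]:
    """Drop the attributes that are allowed to vary within one session."""
    return {k: v for k, v in attrs.items() if k not in VOLATILE_ATTRIBUTES}


def device_digest(attrs: Dict[str, str]) -> str:
    """Canonical hash of the stable attributes; equal digests mean same device."""
    canonical = json.dumps(stable_attributes(attrs), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def make_session_id(device_info: Dict[str, str]) -> str:
    """Session ID generated partly from the device information received when the
    session is established: an unguessable random token plus a truncated device
    digest, so later reports can be checked against the establishing device."""
    return f"{secrets.token_hex(16)}.{device_digest(device_info)[:16]}"


def session_bound_to(session_id: str, attrs: Dict[str, str]) -> bool:
    """True if the device part of the session ID matches these attributes."""
    return session_id.rsplit(".", 1)[-1] == device_digest(attrs)[:16]


def analyze_session(session_id: str, establishment_info: Dict[str, str],
                    reports: List[FingerprintReport]) -> Optional[SessionHijackingAlert]:
    """Compare every fingerprint collected under one session ID, plus the device
    information received at establishment, and return alert data if more than
    one distinct device is associated with the session; None otherwise."""
    observations = [("session-establishment", stable_attributes(establishment_info))]
    observations += [(r.location, stable_attributes(r.attributes))
                     for r in reports if r.session_id == session_id]
    # Non-matched data: any stable attribute that took more than one value.
    seen: Dict[str, Set[str]] = {}
    for _, attrs in observations:
        for key, value in attrs.items():
            seen.setdefault(key, set()).add(value)
    mismatched = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    if not mismatched:
        return None  # one device throughout the session; nothing to flag
    devices = {device_digest(a) for _, a in observations}
    baseline = device_digest(establishment_info)
    flagged = [loc for loc, a in observations if device_digest(a) != baseline]
    return SessionHijackingAlert(session_id, mismatched, len(devices), flagged)


# Constructed sample data (not from the patent): a desktop user establishes a
# session and browses two pages; a third fingerprint then arrives from another
# machine that is reusing the same session ID.
DESKTOP = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
           "platform": "Win32", "screen": "1920x1080",
           "timezone": "America/New_York", "language": "en-US"}
INTRUDER = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
            "platform": "Linux x86_64", "screen": "1366x768",
            "timezone": "Europe/Amsterdam", "language": "en-US"}
SESSION_ID = make_session_id(DESKTOP)
REPORTS = [
    FingerprintReport(SESSION_ID, "/account", {**DESKTOP, "viewport": "1600x900"}),
    FingerprintReport(SESSION_ID, "/cart", {**DESKTOP, "viewport": "1900x1000"}),
    FingerprintReport(SESSION_ID, "/checkout", {**INTRUDER, "viewport": "1366x700"}),
    FingerprintReport("unrelated-session", "/cart", INTRUDER),  # other session, ignored
]

if __name__ == "__main__":
    print(analyze_session(SESSION_ID, DESKTOP, REPORTS))
```

Two practical points follow from the structure of the check. First, the comparison only excludes attributes that are expected to drift; anything else that differs between two locations of the same session is reported, so the volatile list has to be tuned to the site's own collection script or ordinary users will be flagged. Second, an attacker who has copied the session cookie and can also replay the victim's fingerprint will not be caught by this comparison alone, so the alert data is best treated as one input to the transaction's risk decision rather than as a verdict.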