Trust is at the heart of all
successful transactions, including online commercial
transactions, as well as other confidential online
transactions.
It is therefore
imperative to the continuing growth and success of
the Internet as a viable marketplace, that all
parties involved in an online transaction can be
irrefutably verified as the lawful participants.
The patented Internet
Address Verification System provides this trust
between online transaction parties by verifying
the lawful physical location from which they
transact business.
The I-AVS implements, to
paraphrase a quote from Ronald Reagan: “Verify
And Trust”.
This system is much
needed in the online world to counter the growing
explosion of online fraud.
The Internet Address
Verification System (I-AVS) is a patented
business service for resolving the escalating
problem of Internet security and fraud.
I-AVS can be expected to have
at least the same market potential as other systems
and tools for addressing the problem, including web
site digital certificate issuers (Verisign, Thawte,
GlobalSign, etc.) and the various credit card
verification services (Visa,
MasterCard,
American Express, etc.). This is because of the
very growth of the Internet, its basic design
features and the explosion of financial and personal
profile data transferred over it.
There is a growing sense of
crisis in the attacks on privacy, fraud, theft of
personal information and criminal misuse of the web.
Rarely a week goes by without TV and press news
items about some identity theft, error by a credit
card processor in releasing confidential
information, or the prosecution of spam and phishing
artists.
I-AVS is a simple and
highly effective vehicle that operates on the
following principles:
- Automatic registration by
a user of an online service for various
confidential services including credit card
purchases and access to restricted web sites.
- The registration data
includes all of the physical locations where
confidential online transactions will be
transacted. These locations will typically
include a consumer’s home PC connection, or
office PC connection.
- Automatic activation of a
real-time authentication check on the validity
of where the user is executing a confidential
online transaction.
- Immediate authorization or
preventive action.
I-AVS will be implemented
as a trusted third party Internet service
provider similar to the services that digital
certificate providers, such as Verisign, offer.
The distinctive
advantage of I-AVS is that even if private data falls
into the hands of unauthorized users, it cannot
be used fraudulently except at the registered
physical locations that a lawful user authorizes
for transacting confidential business on the
Internet.
The Internet is providing
consumers, businesses and governments with a
huge market opportunity.
Unfortunately this
opportunity is accompanied by rising fraud
threats to confidential information.
These threats take a variety of
forms including phishing, computer worms, social
engineering of identity theft, as well as other
threats.
In 2004 alone, according to
the US Federal Trade Commission, identity theft
via phishing and social engineering cost U.S.
businesses and consumers between $50 billion and
$60 billion. Banking activity accounts for 56%
of the reported incidents.
The costs and number of these thefts
are increasing every year, so much so
that U.S. regulators have ordered banks to
develop systems to quickly warn federal
officials and customers of suspected incidents
of identity theft. More
and more Americans are using credit
cards instead of cash.
In 2003, U.S. consumers used credit cards to buy
$2.2 trillion in goods and services – roughly
20% of the U.S. GDP. This is matched by an
increase in the number of consumers
who purchase goods and services on the Internet.
Therefore, it is close to certain that there
will be a comparable increase in the volume of
online fraud in the immediate future.
It is important to note that not only is the credit
card industry at risk here, but so are other
businesses that rely on confidential web sites.
For example, in the managed business travel market, over 30% of all transactions
now occur on the Internet. This is a $30 billion market.
Another reported example of a market at risk from
online Identity Theft is the ATM (Automated Teller
Machine) industry. It is reported that ATM card
information is fraudulently obtained via phishing on the
Internet, and is then used to commit fraud at an
ATM.
“Even as business
models and impressive advances in technology
fuel industry’s vision of the Internet as a
dynamic medium for commerce and
communication, security issues continue to
weaken confidence in online business. One
of the most vexing and serious issues is
related to identity verification. If
users and devices accessing the network are
not properly identified, enterprises risk
exposure to threats like fraud, phishing,
identity theft, IP spoofing, and
denial-of-service attacks.”
(“Verisign Unified
Authentication”, Verisign White Paper)
Various proposals require
the use of an electronic token, e.g. that
attaches to a key ring, to be used in
conjunction with passwords, etc. when entering a
commercial online transaction.
Use of this technology has been around for quite
some time, but it has never been broadly adopted
in the marketplace. Such tools are cumbersome,
easy to lose and incompatible with the basic
principles of online services: convenience,
seamless access and simplicity.
Other services provided to combat online Identity
Fraud include:
- “Verified by Visa” and MasterCard SecureCode
- The Payment Card Industry (PCI) Data
Security Standard
- Internet Address Geo-location verification
- Fraud Protection services by various online
providers such as Verisign.
The problem with the “Verified by Visa” and
MasterCard SecureCode is that these solutions are
vulnerable to (a) phishing and (b) Trojan Horse
malware (malicious software) such as keyboard
loggers that record every keystroke that is entered
on a computer, and then send that data to an
Identity thief.
The PCI Data Security Standard should be
implemented on all web sites, etc. that handle
confidential information. Unfortunately, many
companies and organizations do not implement this
standard, as is revealed in the media almost every
week.
The Geo-location address verification service is
similar to I-AVS, except that it is limited in the
level of its verification. Geo-location can only
verify an Internet address to a city level. But,
there are hundreds, if not thousands of ID thieves,
for example in Manhattan, New York, Los Angeles,
California, etc. Geo-location is insufficient to
stop online ID Fraud.
A number of Internet companies, such as Verisign
and RSA Security, offer a suite of anti-Fraud
services. These suites are generally an amalgamation
of the previously mentioned anti-online fraud
services. Also included as an option in most of
these suites, is a service that looks for patterns
of purchasing behavior, i.e. a software driven
rules-based filtering process. American Express has
long implemented such a service for its cardholders,
even before the Internet took off commercially.
The table below highlights the above features of
today’s existing anti-Identity Fraud services on the
Internet.
| Immunity to ID Fraud | I-AVS | SecureCode, etc. | Site Protection | Anti-Fraud Suite | Geo-location | Electronic Token |
|---|---|---|---|---|---|---|
| Phishing | √ | x 1 | x | √ | √ 1+2 | √ |
| Trojan Horses | √ | x 3 | x 3 | x 2 3 | √ 1+2 | √ |
| Weak Data Protection | √ | x | √ | √ | x | √ |
| Con-Artists | √ | x 1 | x 1 | x | √ 1+2 | √ |
| Bin-Diving | √ | √ | x | x | x 2 | √ |
| Stolen Wallet, etc. | | √ | x | x | x 2 | x |
| Credit Report Misuse | √ | x | x | x | x 2 | √ |
| Lost item, e.g. token, password, etc. | √ | x | x | x | x 2 | x |
| Ease of Use | √ | x | x | x | √ | x |

Table 1 Today's Anti-Identity Fraud Online Measures

Table 1 Notes:
1 Susceptible to being hoaxed into giving confidential data
2 Thief can still use proxies to simulate same city, state and country
3 Key-loggers can capture and criminally share the SecureCode
√ Anti-Identity Fraud protection good
x None, or too little effect

Today, parties involved in
an online commercial transaction usually execute
the transaction from a fixed, physical location.
For example, a consumer would use his bank to
pay his bills online, either from home or from
work. Phishing and other fraud techniques, such
as keyboard logging, steal a user’s online
identity and then execute a fraudulent
transaction at another location. It is extremely
rare that the thief would execute the fraudulent
online transaction at the location where the
party normally transacts online business.
The patented system
outlined in this paper, i.e. the Internet
Address Verification System (I-AVS) greatly
reduces the possibility for thieves to use
stolen identity and credit card information at
other online locations, which are not authorized
by the lawful customer.
The primary principle
behind the Internet Address Verification
System (I-AVS) is similar to the process
that credit card companies use to activate
and verify a consumer’s credit card.
For example, when a
consumer receives a new credit card, she
must activate the card from a pre-registered
telephone number, which is directly
associated with her credit card’s
application. This is usually either the
consumer’s home phone number, or her work
phone number. The credit card company uses a
Touch-Tone®
data entry system, combined with the
telephone company’s caller-id feature, to
verify that the lawful owner of the card is
verifying the credit card.
The consumer’s telephone number’s
caller-id verifies the physical location
from where the consumer is calling. This is
central to the patented I-AVS solution, but
is applied to the online parties using the
Internet.
So, where does the
caller-id feature come from on the Internet?
Every customer connects to the Internet via
an Internet Service Provider (ISP).
Virtually all ISPs use a database system
called RADIUS (Remote Authentication Dial In
User Service) to authenticate, authorize and
provide accounting information on its
customers. Broadband ISPs also use RADIUS.
RADIUS
is an open Internet standard adopted by the
Internet Engineering Task Force (IETF),
which is responsible for the adoption and
dissemination of all other protocols that
currently make the Internet work
universally.
Table 1 lists a
number of the key RADIUS data items that are used
by the I-AVS. As can be seen from the table,
RADIUS maintains information on where
the customer is connecting to the Internet from,
which of the ISP’s physical line numbers was
called to connect to the Internet, as well
as the status of the customer’s online
connection.
| RADIUS Attribute | Description |
|---|---|
| User-Name | The name of the electronic commerce party |
| Called-Station-ID | The phone, or line number that the online party called to connect to the ISP. |
| Calling-Station-ID | The phone, or line number that the call came from. |
| Acct-Status-Type | Indicates whether this accounting request marks the beginning of the online service, or the end. |
| Acct-Terminate-Cause | Indicates how the session was terminated |

Table 1 RADIUS Database Attributes Used in the I-AVS

At
any given moment in time, the ISP’s RADIUS
database knows exactly who is connected to
the Internet using its facilities, as well
as the physical location from where the
customer is electronically connected to its
facilities.
Figure 1
illustrates the sharing of data between
an ISP and the Internet Address
Verification System (I-AVS) Service
Provider.
Whenever a
customer, or merchant connects to the
Internet, the ISP provides the relevant
RADIUS data to the I-AVS.
The I-AVS
maintains its own secure database system
that lists all online parties (e.g. the
customer and online merchant) statuses,
i.e. whether or not they are currently
logged onto the Internet, as well as the
physical location of the various online
parties. Whenever the status of the
online party changes, for example they
log off from the Internet or their
connection is inactive, then this change
is provided by the ISP to the I-AVS
database. Hence at all times, the
precise status of all participating
online parties is tracked in the I-AVS
database.
The sharing of the information between
the ISP and the I-AVS Service Provider
is secure. For example, Digital
Certificates
and SSL link encryption are used. The
Digital Certificates prevent fraudulent
connections to the I-AVS, for example,
by thieves pretending to be an ISP. SSL
is a standard technique used on the
Internet to ensure that only the online
parties have visibility to the data
transmitted between them.
Figure 2 illustrates the situation
in which multiple ISPs participate
in the Internet Address Verification
System.
Before
the I-AVS can be used, users, i.e.
consumers and merchants, need to
initially register themselves in the
system. This can be accomplished in
a number of ways, including direct
registration with the I-AVS Service
Provider, or via another party, for
example the user’s credit card
company.
Let us
consider a consumer registering via
his credit card company, because he
primarily uses his credit card to
purchase goods and services on the
Internet. Figure 3 illustrates an example of
how a consumer and an online
merchant (i.e. customers) register
with the Internet Address
Verification System.
Initially the customer logs onto a
secure web site using SSL. The web
site in this example is the
customer’s credit card issuing bank.
The bank provides a secure online I-AVS
registration form, which is obtained
from the I-AVS Service Provider and
integrated into the bank’s credit
card online customer service. The
customer fills in the web form,
which is verified by the bank, in
real-time against the bank’s
customer database.
Information that is collected by the
bank and stored in its secure,
temporary I-AVS database includes
the customer’s name, Internet
Protocol (IP) address and other
location data, for example contact
telephone number, etc. A device,
which is connected to the Internet,
has an IP address which the
customer’s ISP uniquely assigns. The
IP address is obtained from the
customer’s web browser and is used
to locate the customer’s Internet
Service Provider (ISP). Other
contact information is also
collected to verify the customer, as
well as to be able to contact the
customer in the event of any
questions.
The
bank securely transmits the
customer’s registration information
to the I-AVS Service Provider, which
securely stores the information in
an I-AVS Registration Database.
The I-AVS
Service Provider uses the
registration information to contact
the customer’s ISP online to
establish the necessary relationship
for the new customer. The customer’s
ISP confirms the registration
information for the new customer and
transmits the online status of the
customer to the I-AVS Service
Provider. The I-AVS Service Provider
stores this information in its
real-time Online Database. All
communication between the I-AVS
Service Provider and the ISP is
secure, for example by using Digital
Certificates and an SSL encrypted
link. This completes the
registration process.
If the
customer wishes to use an
additional, alternative location to
transact business on the Internet,
he would reapply, for example in
this application, to the bank, but
from the new location. The new
location could be the customer’s
work place. The registration process
is then repeated. A further level of
customer verification may be
necessary for registering an
alternative location. The added
level of verification could include
a request by the bank for the
customer to confirm the new location
from the initial registration
location, for example, from home. Or
confirmation via telephone, from the
initial I-AVS registration location
could also be accepted.
We now
consider the scenario in which I-AVS
is used during an online
transaction. Referring to Figure 4
below, Customer1 is already
registered in the I-AVS. Whenever
Customer1 logs onto the Internet via
his ISP1, his online status is
automatically logged in the I-AVS
Service Provider’s Online Database.
Customer1
wishes to log onto Online
Merchant2’s web site to purchase
goods. The Online Merchant2 is
already registered in the I-AVS. At
all times that her web site is
connected to the Internet, her ISP2
provides real-time status data to
the I-AVS Service Provider, which
logs this data in its Online
Database.
When the
Customer1 initiates payment for the
goods that he wants to buy from the
Online Merchant2 by using his
appropriate credit card, a number of
checks are executed:
1. The Online Merchant2 verifies
with the I-AVS Service Provider that
Customer1 is the lawfully registered
user of the credit card.
2. The I-AVS Service Provider
simply transmits, over a secure
link, a “yes”
or a “no”
response to the merchant’s query.
3.
If the I-AVS response is “yes”,
then the transaction is executed. On
the other hand, if the response is “no”,
then the merchant can deny the
transaction.
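
The status tracking and the yes/no check described above can be modelled in a few lines. This is an added example, not code from the I-AVS or its patent: the class and function names, the sample records, and the use of the RADIUS Framed-IP-Address attribute to tie a merchant's view of the customer (an IP address) to an ISP session are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IAVS:
    """Toy I-AVS: a Registration Database plus a real-time Online Database."""
    registered: dict = field(default_factory=dict)  # user -> registered line ids
    online: dict = field(default_factory=dict)      # current IP -> (user, line id)

    def register(self, user, line_id):
        self.registered.setdefault(user, set()).add(line_id)

    def on_accounting(self, rec):
        """Apply one RADIUS accounting record forwarded by an ISP."""
        ip = rec["Framed-IP-Address"]  # assumption: the ISP includes the session IP
        session = (rec["User-Name"], rec["Calling-Station-Id"])
        if rec["Acct-Status-Type"] == "Start":
            self.online[ip] = session
        elif rec["Acct-Status-Type"] == "Stop" and self.online.get(ip) == session:
            # Ignore a late Stop for a previous holder of a reassigned IP.
            del self.online[ip]

    def verify(self, claimed_user, source_ip):
        """Answer a merchant query with "yes" or "no", as in steps 1-3."""
        session = self.online.get(source_ip)
        if session is None:
            return "no"  # no live session at that address
        user, line_id = session
        if user != claimed_user:
            return "no"  # address belongs to someone else's session
        if line_id not in self.registered.get(claimed_user, set()):
            return "no"  # lawful user, but unregistered location
        return "yes"


def acct(user, line_id, ip, status):
    """Build a constructed accounting record (sample data, not a capture)."""
    return {"User-Name": user, "Calling-Station-Id": line_id,
            "Framed-IP-Address": ip, "Acct-Status-Type": status}


def demo():
    iavs = IAVS()
    iavs.register("customer1", "line-home-0001")
    iavs.on_accounting(acct("customer1", "line-home-0001", "192.0.2.10", "Start"))
    iavs.on_accounting(acct("someone-else", "line-9999", "198.51.100.7", "Start"))
    results = {
        "home": iavs.verify("customer1", "192.0.2.10"),
        "stolen_details_elsewhere": iavs.verify("customer1", "198.51.100.7"),
        "no_session": iavs.verify("customer1", "203.0.113.5"),
    }
    # Customer1 logs off, then reconnects from an unregistered line.
    iavs.on_accounting(acct("customer1", "line-home-0001", "192.0.2.10", "Stop"))
    iavs.on_accounting(acct("customer1", "line-hotel-0042", "203.0.113.5", "Start"))
    results["after_logoff"] = iavs.verify("customer1", "192.0.2.10")
    results["unregistered_location"] = iavs.verify("customer1", "203.0.113.5")
    return results


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case}: {answer}")
```

Only the first query is answered "yes"; the same lawful customer is refused from the unregistered line until that location has been through the registration process.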
A
second layer of credit card I-AVS
verification can take place. This
layer is activated during the credit
card verification process. This time
it is the Credit Card Verification
Service Provider that checks with
the I-AVS Service Provider that both
the Customer1 and the Online
Merchant2 are who they claim to be.
This requires that the Online
Merchant provides the Credit Card
Verification Service Provider with
the relevant information about the
Customer1. Depending upon the
response from the I-AVS Service
Provider, the Credit Card
Verification Service Provider can
either allow or deny the online
transaction.
It is
also possible to provide an
enhancement to web browsers, i.e. a
web browser “plug-in” application,
that would automatically verify the
Online Merchant’s I-AVS status. This
would assist the customer to
determine if a web site is lawful or
not. As mentioned previously, it is
common practice among Phishers to
use fraudulent, look-alike, web
sites to obtain a customer’s
confidential information, such as
credit card details, online banking
logon credentials, etc.
Note
that if the I-AVS Service Provider’s
response is negative for any I-AVS
request, then the information
provided to it and stored in its
Online Database, can be used by law
enforcement to trace and possibly
prosecute the abusers of the online
transaction.
Trust is
at the heart of all successful
transactions, including online
commercial transactions, as well as
other confidential online
transactions.
It is
therefore imperative to the
continuing growth and success of the
Internet as a viable marketplace,
that all parties involved in an
online transaction can be
irrefutably verified as the lawful
participants.
The
patented Internet Address
Verification System provides this trust between online transaction
parties by verifying the lawful
physical location from which they
transact business.
The
I-AVS implements, to paraphrase a
quote from Ronald Reagan: “Verify
And Trust”.
This
system is much needed
in the online world to counter the
growing explosion of online fraud.