ceBerg: Innovative solutions to everyday challenges

Home Our Business Our Marketplace Our Focus Our Products Our Company Contact Us
Google
 
Web www.ceBerg.com

Looking for solutions to the growing wave of Identity Fraud on the Internet? 

 

The Internet Address Verification System patent prevents the use of any stolen identities on the Internet.

 


|Overview|      |White Paper (HTML)|       |White Paper (PDF)|      | Patent Application (HTML) |     | Patent Application (PDF) |       |Brochure (PDF)|

 

Below is the White Paper describing the I-AVS patent in more detail, which can also be downloaded as a PDF file.

 

The Internet Address Verification System (I-AVS) patent is currently available for licensing.

 


Table of Contents:

 


 

Executive Summary

 Trust is at the heart of all successful transactions, including online commercial transactions, as well as other confidential online transactions.

 

It is therefore imperative to the continuing growth and success of the Internet as a viable marketplace, that all parties involved in an online transaction can be irrefutably verified as the lawful participants.

 

 The patented Internet Address Verification System provides this trust between online transaction parties by verifying the lawful physical location from which they transact business.

 

 The I-AVS implements, to paraphrase a quote from Ronald Reagan: “Verify And Trust”.

 

 This system is much needed in the online world to counter the growing explosion of online fraud.

Introduction

The Internet Address Verification System (I-AVS) is a patented business service for resolving the escalating problem of Internet security and fraud.

 

I-AVS can be expected to have at least the same market potential as other systems and tools for addressing the problem, including web site digital certificate issuers (Verisign, Thawte, GlobalSign, etc.) and the various credit card verification services (Visa, MasterCard, American Express, etc.).  This is because of the very growth of the Internet, its basic design features and the explosion of financial and personal profile data transferred over it.

 

 There is a growing sense of crisis in the attacks on privacy, fraud, theft of personal information and criminal misuse of the web. Rarely a week goes by without TV and press news items about some identity theft, error by a credit card processor in releasing confidential information, or the prosecution of spam and phishing artists.

 

 I-AVS is a simple and highly effective vehicle that operates on the following principles:

  1. Automatic registration by a user of an online service for various confidential services including credit card purchases and access to restricted web sites.
     
  2. The registration data includes all of the physical locations where confidential online transactions will be transacted. These locations will typically include a consumer’s home PC connection, or office PC connection.

  3. Automatic activation of a real-time authentication check on the validity of where the user is executing a confidential online transaction.

  4. Immediate authorization or preventive action.

I-AVS will be implemented as a trusted third party Internet service provider similar to the services that digital certificate providers, such as Verisign offers.

 

 The distinctive advantage of I-AVS is even if private data falls into the hands of unauthorized users, it cannot be used fraudulently except at the registered physical locations that a lawful user authorizes for transacting confidential business on the Internet.

Online Confidentiality Challenges

The Internet is providing consumers, businesses and governments with a huge market opportunity.

 

Unfortunately this opportunity is accompanied by rising fraud threats to confidential information. These confidential threats take a variety of forms including phishing, computer worms, social engineering of identity theft, as well as other threats.

 

In 2004 alone according to the US Federal Trade Commission, identity theft via phising and social engineering cost U.S. businesses and consumers between $50 billion and $60 billion. Banking activity accounts for 56% of the reported incidents.

 

These thefts’ costs and incidents are increasing every year, so much so, that U.S regulators have ordered banks to develop systems to quickly warn federal officials and customers of suspected incidents of identity theft.

 More and more Americans are increasingly using credit cards instead of cash. In 2003, U.S consumers used credit cards to buy $2.2 trillion in goods and services – roughly 20% of the U.S GDP. This is matched by an increase of consumers who purchase goods and services on the Internet. Therefore, it is close to certain that there will be a comparable increase in the volume of online fraud in the immediate future.

 

It is important to note that not only is the credit card industry at risk here, but so are other businesses that rely on confidential web sites.

For example, in the managed business travel market, over 30% of all transactions now occurs on the Internet. This is a $30 Billion market .

 

Another reported example of a market at risk by online Identity Theft is the ATM (Automated Teller Machine) industry. It is reported that fraudulent ATM card information is obtained via phising on the Internet, which is then used to commit fraud at an ATM.


The Need for Better Online Authentication

 “Even as business models and impressive advances in technology fuel industry’s vision of the Internet as a dynamic medium for commerce and communication, security issues continue to weaken confidence in online business. One of the most vexing and serious issues is related to identity verification.  If users and devices accessing the network are not properly identified, enterprises risk exposure to threats like fraud, phisihing, identity theft, IP spoofing, and denial-of-service attacks. (“Verisign Unified Authentication”, Verisign White Paper)

 Various proposals require the use of an electronic token, e.g. that attaches to a key ring, to be used in conjunction with passwords, etc. when entering a commercial online transaction. Use of this technology has been around for quite some time, but it has never been broadly adopted in the marketplace. Such tools are cumbersome, easy to lose and incompatible with the basic principles of online services: convenience, seamless access and simplicity.

 

Other services provided to combat online Identity Fraud include;

 

  • “Verified by Visa” and MasterCard SecureCode
  • The Payment Card Industry (PCI) Data Security Standard
  • Internet Address Geo-location verification
  • Fraud Protection services by various online providers such as Verisign.

 

The problem with the “Verified by Visa” and MasterCard SecureCode is that these solutions are vulnerable to (a) phishing and (b) Trojan Horse malware (malicious software) such as keyboard loggers that record every keystroke that is entered on a computer, and which then sends that data to an Identity thief.

 

The PCI Data Security Standard should be implemented on all web sites, etc. that handle confidential information. Unfortunately, many companies and organizations do not implement this standard, as is revealed in the media almost every week.

 

The Geo-location address verification service is similar to I-AVS, except that is it limited in the level of its verification. Geo-location can only verify an Internet address to a city level. But, there are hundreds, if not thousands of ID thieves, for example in Manhattan, New York, Los Angeles, California, etc. Geo-location is insufficient to stop online ID Fraud.

 

A number of Internet companies, such as Verisign and RSA Security, offer a suite of anti-Fraud services. These suites are generally an amalgamation of the previously mentioned anti-online fraud services. Also included as an option in most of these suites, is a service that looks for patterns of purchasing behavior, i.e. a software driven rules-based filtering process. American Express has long implemented such a service for its cardholders, even before the Internet took off commercially.

 

The table below highlights the above features of today’s existing anti-Identity Fraud services on the Internet.

 

Immunity to ID Fraud I-AVS Secure- Code, etc. Site Protection Anti-Fraud Suite Geo-location Electronic Token
Phishing x 1 x 1+2
Trojan Horses x 3 x 3 x 2 3 1+2
Weak Data Protection x x
Con-Artists x 1 x 1 x 1+2
Bin-Diving x x x 2
Stolen Wallet, etc.   x x x 2 x
Credit Report Misuse x x x x 2
Lost item, e.g. token, password, etc. x x x x 2 x
Ease of Use x x x x
Table 1 Today's Anti-Identity Fraud Online Measures

Table 1 Notes:
  1 Susceptible to being hoaxed into giving confidential data
  2 Thief can still use proxies to simulate same city, state and country
  3 Key-loggers can capture and criminally share the SecureCode
  Anti-Identity Fraud protection good
  x None, or too little effect

 

Today, parties involved in an online commercial transaction usually execute the transaction from a fixed, physical location. For example, a consumer would use his bank to pay his bills online, either from home or from work. Phishing and other fraud techniques, such as keyboard logging, steal a user’s online identity and then execute a fraudulent transaction at another location. It is extremely rare that the thief would execute the fraudulent online transaction at the location where the party normally transacts online business.

 

 The patented system outlined in this paper, i.e. the Internet Address Verification System (I-AVS) greatly reduces the possibility for thieves to use stolen identity and credit card information at other online locations, which are not authorized by the lawful customer.

How Does The Patented Address Verification Work On The Internet?

The primary principal behind the Internet Address Verification System (I-AVS) is similar to the process that credit card companies use to activate and verify a consumer’s credit card.

 

 For example, when a consumer receives a new credit card, she must activate the card from a pre-registered telephone number, which is directly associated with her credit card’s application. This is usually either the consumer’s home phone number, or her work phone number. The credit card company uses a Touch-Toneâ data entry system, combined with the telephone company’s caller-id feature to verify, that the lawful owner of the card is verifying the credit card.

 

The consumer’s telephone number’s caller-id verifies the physical location from where the consumer is calling. This is central to the patented I-AVS solution, but is applied to the online parties using the Internet.

The Internet Service Provider’s RADIUS Database

So, where does the caller-id feature come from on the Internet? Every customer connects to the Internet via an Internet Service Provider (ISP). Virtually all ISPs use a database system called RADIUS (Remote Authentication Dial In User Service) to authenticate, authorize and provide accounting information on its customers. Broadband ISPs also use RADIUS.

 

 RADIUS is an open Internet standard adopted by the Internet Engineering Task Force (IETF), which is responsible for the adoption and dissemination of all other protocols that currently make the Internet work universally.

 

 Table 1 illustrates a number of the key RADIUS data that are used by the I-AVS. As can be seen from the Table, RADIUS maintains information of, from where the customer is connecting to the Internet, which of the ISP’s physical line numbers was called to connect to the Internet, as well as the status of the customer’s online connection.

RADIUS Attribute

Description

User-Name

The name of the electronic commerce party

Called-Station-ID

The phone, or line number that the online party called to connect to the ISP.

Calling-Station-ID

The phone, or line number that the call came from.

Acct-Status-Type

Indicates whether this accounting request marks the beginning of the online service, or the end.

Acct-Terminate-Cause

Indicates how the session was terminated

Table 1  RADIUS Database Attributes Used in the I-AVS

 
At any given moment in time, the ISP’s RADIUS database knows exactly who is connected to the Internet using its facilities, as well as the physical location from where the customer is electronically connected to its facilities.

 

The Relationship Between The ISP And The I-AVS Service Provider

 Figure 1 illustrates the sharing of data between an ISP and the Internet Address Verification System (I-AVS) Service Provider.

 

 Whenever a customer, or merchant connects to the Internet, the ISP provides the relevant RADIUS data to the I-AVS.

 

The I-AVS maintains its own secure database system that lists all online parties (e.g. the  customer and online merchant) statuses, i.e. whether or not they are currently logged onto the Internet, as well as the physical location of the various online parties. Whenever the status of the online party changes, for example they log off from the Internet or their connection is inactive, then this change is provided by the ISP to the I-AVS database. Hence at all times, the precise status of all participating online parties is tracked in the I-AVS database.

The sharing of the information between the ISP and the I-AVS Service Provider is secure. For example, use of Digital Certificates and SSL link encryption is used. The Digital Certificates prevent fraudulent connections to the I-AVS, for example, by thieves pretending to be an ISP. SSL is a standard technique used on the Internet to ensure that only the online parties have visibility to the data transmitted between them.


Figure 2 illustrates the situation in which multiple ISPs participate in the Internet Address Verification System.

 

Registration With The Internet Address Verification System Service Provider

Before the I-AVS can be used, users, i.e. consumers and merchants, need to initially register themselves in the system. This can be accomplished in a number of ways, including direct registration with the I-AVS Service Provider, or via another party, for example the user’s credit card company.

 

Let us consider a consumer registering via his credit card company, because he primarily uses his credit card to purchase goods and services on the Internet.

Figure 3 illustrates an example of how a consumer and an online merchant (i.e. customers) register with the Internet Address Verification System.

 

Initially the customer logs onto a secure web site using SSL. The web site in this example is the customer’s credit card issuing bank.

 

The bank provides a secure online I-AVS registration form, which is obtained from the I-AVS Service Provider and integrated into the bank’s credit card online customer service. The customer fills in the web form, which is verified by the bank, in real-time against the bank’s customer database.

 

Information that is collected by the bank and stored in its secure, temporary I-AVS database includes the customer’s name, Internet Protocol (IP) address and other location data, for example contact telephone number, etc. A device, which is connected to the Internet, has an IP address which the customer’s ISP uniquely assigns. The IP address is obtained from the customer’s web browser and is used to locate the customer’s Internet Service Provider (ISP). Other contact information is also collected to verify the customer, as well being able to contact the customer in the event of any questions.

 

 The bank securely transmits the customer’s registration information to the I-AVS Service Provider, which securely stores the information in an I-AVS Registration Database.

 

The I-AVS Service Provider uses the registration information to contact the customer’s ISP online to establish the necessary relationship for the new customer. The customer’s ISP confirms the registration information for the new customer and transmits the online status of the customer to the I-AVS Service Provider. The I-AVS Service Provider stores this information in its real-time Online Database. All communication between the I-AVS Service Provider and the ISP is secure, for example by using Digital Certificates and an SSL encrypted link. This completes the registration process.

Registering Additional, Alternate Locations with the I-AVS

 If the customer wishes to use an additional, alternative location to transact business on the Internet, he would reapply, for example in this application, to the bank, but from the new location. The new location could be the customer’s work place. The registration process is then repeated. A further level of customer verification may be necessary for registering an alternative location. The added level of verification could include a request by the bank for the customer to confirm the new location from the initial registration location, for example, from home. Or confirmation via telephone, from the initial I-AVS registration location could also be accepted.


 Automatic Verification of the Identities of Parties in an Online Transaction

 We now consider the scenario in which I-AVS is used during an online transaction. Referring to Figure 4 below, Customer1 is already registered in the I-AVS. Whenever Customer1 logs onto the Internet via his ISP1, his online status is automatically logged in the I-AVS Service Provider’s Online Database.

 

Customer1 wishes to log onto Online Merchant2’s web site to purchase goods. The Online Merchant2 is already registered in the I-AVS. At all times that her web site is connected to the Internet, her ISP2 provides real-time status data to the I-AVS Service Provider, which logs this data in its Online Database.

 

 When the Customer1 initiates payment for the goods that he wants to buy from the Online Merchant2 by using his appropriate credit card, a number of checks are executed:

1.   The Online Merchant2 verifies with the I-AVS Service Provider that Customer1 is the lawfully registered user of the credit card. 

2.   The I-AVS Service Provider simply transmits, over a secure link, a “yes” or a “no” response to the merchant’s query.

3.   If the I-AVS response is “yes”, then the transaction is executed. On the other hand, if the response is “no”, then the merchant can deny the transaction.

 A second layer of credit card I-AVS verification can take place. This layer is activated during the credit card verification process. This time it is the Credit Card Verification Service Provider that checks with the I-AVS Service Provider that both the Customer1 and the Online Merchant2 are who they claim to be. This requires that the Online Merchant  provides the Credit Card Verification Service Provider with the relevant information about the Customer1. Depending upon the response from the I-AVS Service Provider, the Credit Card Verification Service Provider can either allow or deny the online transaction.

 It is also possible to provide an enhancement to web browsers, i.e. a web browser “plug-in” application, that would automatically verify the Online Merchant’s I-AVS status. This would assist the customer to determine if a web site is lawful or not. As mentioned previously, it is common practice among Phishers to use fraudulent, look-alike, web sites to obtain a customer’s confidential information, such as credit card details, online banking logon credentials, etc.

 

 Note that if the I-AVS Service Provider’s response is negative for any I-AVS request, then the information provided to it and stored in its Online Database, can be used by law enforcement to trace and possibly prosecute the abusers of the online transaction.

Conclusion

 Trust is at the heart of all successful transactions, including online commercial transactions, as well as other confidential online transactions.

 

 It is therefore imperative to the continuing growth and success of the Internet as a viable marketplace, that all parties involved in an online transaction can be irrefutably verified as the lawful participants.

 

 The patented Internet Address Verification System provides this trust between online transaction parties by verifying the lawful physical location from which they transact business.

 

 The I-AVS implements, to paraphrase a quote from Ronald Reagan:  “Verify And Trust”.

 

 This system is much needed in the online world to counter the growing explosion of online fraud.


 

 

Home | Contact Us | Top