US007444676B1

(12) United States Patent
Asghari-Kamrani et al.

(10) Patent No.: US 7,444,676 B1
(45) Date of Patent: Oct. 28, 2008

(54) DIRECT AUTHENTICATION AND AUTHORIZATION SYSTEM AND METHOD FOR TRUSTED NETWORK OF FINANCIAL INSTITUTIONS

(76) Inventors: Nader Asghari-Kamrani, 6558 Palisades Dr., Centreville, VA (US) 20121; Kamran Asghari-Kamrani, 6547 Palisades Dr., Centreville, VA (US) 20121

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 11/239,046
(22) Filed: Sep. 30, 2005

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/940,635, filed on Aug. 29, 2001.
(60) Provisional application No. 60/615,603, filed on Oct. 5, 2004.

(51) Int. Cl.
G06F 7/04 (2005.01)
G06F 19/00 (2005.01)
H04L 9/32 (2005.01)
H04L 9/00 (2005.01)
(52) U.S. Cl. 726/21; 726/4; 713/168; 713/170; 705/44; 705/64; 705/67
(58) Field of Classification Search 726/4, 726/21; 713/168, 170; 705/64, 67, 44
See application file for complete search history.

(56) References Cited
U.S. PATENT DOCUMENTS
5,838,812 A * 11/1998 Pare et al. 382/115
5,883,810 A * 3/1999 Franklin et al. 705/39
6,529,885 B1 * 3/2003 Johnson 705/64
6,748,367 B1 * 6/2004 Lee 705/66
2001/0044787 A1 * 11/2001 Shwartz et al. 705/78

OTHER PUBLICATIONS
Federal Financial Institutions Examination Council (Oct. 2005) "Authentication in an Internet Banking Environment", available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
"Will Financial Institutions Really be more Secure with 2-Factor Authentication?", available at http://www.securitypark.co.uk/article.asp?articleid=25011&CategoryID=1.
"Experts Struggle to Fight Online 'Phishing'" (May 4, 2006), available at http://domainsmagazine.com/Domains_14/Domain_2830.shtml.
* cited by examiner

Primary Examiner: Benjamin E. Lanier
Assistant Examiner: Abdulhakim Nobahar

(57) ABSTRACT

A system and method for direct authentication and/or authorization of transactions. The system includes a trusted Digital Identity (DID) Network connecting an Originating Participating Financial Institution (OPFI) and a Receiving Participating Financial Institution (RPFI) through a DID Operator. The DID Operator may further be coupled to a DID System that calculates digital identities for Originators. According to the method, direct authentication of the Originator and/or authorization of the transaction is initiated upon the Originator communicating its digital identity to the Receiver. The Receiver subsequently provides the digital identity to the RPFI. The RPFI is then able to communicate with the OPFI for authentication of the Originator and/or authorization of the transaction through the DID Operator based on the Originator's digital identity. The transaction between the Originator and Receiver can be financial or non-financial and may include, for example, account-to-account transfers, identity authentication or express agreements. In another embodiment, authentication and/or authorization may be performed in real time.

20 Claims, 11 Drawing Sheets
U.S. Patent   Oct. 28, 2008   Sheet 1 of 11   US 7,444,676 B1

[Figure 1: Direct Authentication & Authorization System and Method. Block diagram showing the Originator (customer) 20 and the Receiver (business) 40 connected over a Communication Network, with the Digital Identity passing between them.]
Sheet 2 of 11

[Figure 2: block diagram (reference numerals 25, 35).]
Sheet 3 of 11

[Figure 3: Direct Authentication & Authorization System and Method, showing the Originator 20, the Receiver 40, the Digital Identity System and the Digital Identity Network.]
Sheet 4 of 11

[Figure 4: Funds transfer between the Customer's Bank (OPFI) and the Customer's Bank (RPFI), with the Digital Identity exchanged between them; the Customer is both parties (Originator and Receiver are the same entity). OPFI: Originating Participating Financial Institution. RPFI: Receiving Participating Financial Institution. Legend: Data Communication; Digital Identity flow; Funds transfer flow.]
Sheet 5 of 11

[Figure 5: flowchart, funds transfer to the customer's own account at a second financial institution (continues in Figure 6).]
100  Customer (Originator) authenticates him/herself to the first financial institution (OPFI)
105  Customer desires to transfer funds to his account at second financial institution (RPFI)
110  Customer requests funds transfer from the OPFI over the communication network
115  The OPFI starts the funds transfer process by requesting a new digital identity for that customer from the DID Operator over the Digital Identity Network
120  DID Operator calculates a new digital identity for the customer and forwards it to the OPFI
125  The OPFI records the digital identity along with the transaction information and presents it to the customer over the communication network
130  To finalize the transfer, OPFI requests the customer to provide this digital identity to the RPFI for identification and proof of account ownership and authorization of the funds transfer
     (continues at 140, Figure 6)
Sheet 6 of 11

[Figure 6: flowchart, continuation of Figure 5.]
140  The customer authenticates himself to the RPFI
145  Customer provides his/her digital identity to the RPFI to finalize the funds transfer
150  The RPFI sends a Digital Identity Message containing the customer's digital identity to the DID Operator
155  The DID Operator validates the customer's digital identity and identifies the customer
     No:
157  DID Operator sends a denial identification and authorization message to the RPFI
158  RPFI sends a denial identification and authorization message to the customer
     Yes:
160  The DID Operator sends a Digital Identity Message to the OPFI for processing
     (continues at 180, Figure 7)
Sheet 7 of 11

[Figure 7: flowchart, continuation of Figure 6.]
180  OPFI receives the Digital Identity message and validates the transaction
     No:
     OPFI sends a denial identification and authorization message to the RPFI through the DID Operator
191  RPFI sends a denial identification and authorization message to the customer
     Yes:
     OPFI records the Originator's authorization and sends the customer's account information back to the RPFI
     OPFI sends an approval identification and authorization message back to the RPFI
     RPFI finalizes the funds transfer transaction by transferring the funds using the desired funds transfer network
     RPFI notifies the customer
     OPFI records the Originator's authorization and transfers the funds using the desired funds transfer network, such as the ACH network
Sheet 8 of 11

[Figure 8: Payment between an Individual/corporate customer (Originator) at the Customer's Bank (OPFI) and a Corporate customer (Receiver) at the Customer's Bank (RPFI), with the Digital Identity exchanged between the two banks. OPFI: Originating Participating Financial Institution. RPFI: Receiving Participating Financial Institution. Legend: Data Communication; Digital Identity flow; Funds transfer flow.]
Sheet 9 of 11

[Figure 9: flowchart, payment to a third party (continues in Figure 10).]
200  Customer (Originator) desires to transfer funds to a third party (Receiver such as biller, merchant)
205  Customer authenticates himself to the first financial institution (OPFI) over a communication network
210  Customer requests to send payment to the third party (Receiver) from the OPFI over the communication network
215  The OPFI starts the payment process by requesting a new digital identity specific to that customer and/or transaction from the DID Operator over the Digital Identity Network
220  DID Operator calculates a new digital identity that may be specific to that customer and/or transaction, and forwards the customer's digital identity to the OPFI over the Digital Identity Network
225  OPFI presents the digital identity to the customer (Originator) over the communication network
230  To finalize the payment, OPFI requests the customer to provide this digital identity to the third party (Receiver) for identification and proof of account ownership and authorization of the payment
     (continues at 240, Figure 10)
Sheet 10 of 11

[Figure 10: flowchart, continuation of Figure 9.]
245  The customer provides the digital identity to the third party (Receiver) for authentication and authorization of the payment
250  To process the payment, the third party (Receiver) forwards the customer's digital identity to the RPFI along with the transaction information using any communication network
255  The RPFI may validate the information and may forward a Digital Identity Message containing the customer's digital identity to the DID Operator for authentication and transaction authorization
260  The DID Operator validates the digital identity and identifies and authenticates the customer
     No:
267  DID Operator sends a denial identification and authorization message to the RPFI
268  RPFI sends a denial identification and authorization message to the Receiver
269  Receiver sends a denial identification and authorization message to the customer
     Yes:
     The DID Operator sends a Digital Identity Message to the OPFI for processing
     (continues at 280, Figure 11)
Sheet 11 of 11

[Figure 11: flowchart, continuation of Figure 10.]
285  The OPFI validates the customer's digital identity and/or verifies the transaction
     No:
287  OPFI sends a denial identification and authorization message to the RPFI
288  RPFI sends a denial identification and authorization message to the Receiver
     Yes:
     OPFI records the Originator's authorization and sends the customer's account information back to the RPFI
     OPFI sends an approval identification and authorization message back to the RPFI
     RPFI finalizes the funds transfer transaction by transferring the funds using the desired funds transfer network
     RPFI notifies the Receiver
     OPFI records the Originator's authorization and transfers the funds using the desired funds transfer network, such as the ACH network
DIRECT AUTHENTICATION AND AUTHORIZATION SYSTEM AND METHOD FOR TRUSTED NETWORK OF FINANCIAL INSTITUTIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation in part of and claims priority to U.S. patent application Ser. No. 09/940,635 filed Aug. 29, 2001. This application also claims priority to U.S. provisional patent application Ser. No. 60/615,603 filed Oct. 5, 2004.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to a direct authentication and authorization system and method for a trusted network of financial institutions allowing them to directly authenticate their customers and receive their authorization of financial transactions over a communication network such as the Internet. More specifically, the present invention is based on a new identification and authentication scheme as digital identity that enables financial institutions to directly authenticate their account owners and/or receive their authorization of financial transactions over a communication network such as the Internet.

2. Background of the Invention

With the advent of the Internet, the number of online financial transactions has increased dramatically. With this increase, concerns for the security of the financial transactions, proof of authorization for such transactions, and the need for direct authentication of the parties to these transactions have also risen. Therefore the Internet is more than just a different delivery channel for online financial transactions. There are two unique characteristics of the Internet that require special considerations:
The anonymity of the Internet creates an environment in which parties are not certain with whom they are doing business, which poses unique opportunities for fraud.
The Internet is an open network, which requires special security procedures to be deployed to prevent unauthorized access to consumer financial information.

These unique characteristics of the Internet needed to be addressed by financial institutions in order to maintain their dominance in the payment arena. Today, any authentication over a communication network such as the Internet is an indirect authentication, meaning that customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases. This type of authentication is not sufficient to truly establish the identity of customers and tell whether the customer is the actual account owner. This is why financial institutions have limited their online interbank and intrabank service offerings. For example, today, the financial institutions require their account owners to do their interbank funds transfer at a branch office and send a physical check to the receiver of the funds for payment, both of which are inconvenient and burdensome to corporate and individual customers.

NACHA (National Clearing House Association) operating rules and federal government regulations also require financial institutions to authenticate their customers' identity and receive their authorization for any type of financial transaction such as payment or funds transfer over the Internet. In the physical world, financial transactions are authorized by the account owners in writing and signed or similarly authenticated. In the online world however, financial institutions do not have any solution to meet these requirements. An electronic authorization for an online transaction should be authenticated by a method that 1) identifies the customer (account owner), and 2) manifests the assent of the customer to the authorization. Therefore, financial institutions must use a method that provides the same assurance as a signature in the physical world (a signature both uniquely identifies a person and evidences his assent to an agreement). These objectives should be met by whatever method or process a financial institution employs when obtaining a customer's authorization electronically.
When dealing with customers over any communication network such as the Internet, financial institutions are facing numerous challenges:
Be able to verify the identity of the customers;
Be able to obtain transaction authorization from customers over the Internet;
Be able to confirm that the customer is the account owner and is authorized to use such account.

Financial institutions must meet these challenges in order to expand their online service offerings (interbank and intrabank) and maintain their dominance in the market. But the lack of identification and real-time account verification methods has prevented financial institutions from achieving their goals. Today, there are three different identification and authentication schemes in the market:

Knowledge-based, which involves allowing access according to what a user knows;
Token-based, which involves allowing access according to what a user possesses;
Biometrics-based, which involves allowing access according to what the user is.
Due to various problems the current authentication schemes have, financial institutions have not been able to successfully use these technologies to perform direct authentication and authorization of their customers. Passwords are inexpensive and easy to use, but the static nature of passwords makes them vulnerable to replay attacks. Another drawback of passwords is that an online banking password cannot be used for identification and verification of a financial account at third party web sites. Biometrics can also be useful for user identification, but one problem with these schemes is the difficult tradeoff between imposter pass rate and false alarm rate. In addition, many biometric systems require specialized devices, which may be expensive. Token-based schemes are problematic as well. These are expensive to implement and require users to install special devices and software. Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token.
National Clearing House Association (NACHA) and several financial institutions such as Visa and MasterCard have also attempted to develop authentication systems and methods, such as ISAP (Internet Secure ATM Payments) and SET (Secure Electronic Transaction) using smart card technology, but due to the aforementioned smart card problems they failed to achieve customer acceptance. Therefore, they are now experimenting with new password based programs such as VPAS (Visa Payer Authentication Service) and UCAF (MasterCard Payer Authentication Service) to allow registered cardholders to verify their purchases, a process known as payer authentication, but unfortunately these have the abovementioned password issues and are specific to credit card transactions and do not apply to bank account transactions. It is also very difficult for a customer to manage. Owning N different credit cards requires recalling N different passwords for payment at checkout. According to a survey from Jupiter Media Metrix (epaynews.com, Feb. 21 2002), these systems and methods are also complicating the picture for consumers, who are worried by the mix of identification and authentication schemes.

As for the financial account ownership verification, currently there are several companies that are attempting to bring systems and methods for verifying account ownership, such as Paypal (EBAY) and CashEdge.
Paypal introduces a system that initiates one or more verifying transactions using financial account information given by the customer. Selected details of the transaction(s) are saved, particularly details that may vary from one transaction to another. Such variable details may include the number of transactions performed, the amount of a transaction, the type of transaction (e.g., credit, debit, deposit, withdrawal), the merchant name or account used by the system for the transaction, etc. The customer then retrieves evidence of the transaction(s) from his or her financial institution, which may be accomplished on-line, by telephone, in a monthly statement, etc., and submits the requested details to the Paypal system. The submitted details are compared to the stored details and, if they match, the account ownership is verified and the customer is then allowed to use the financial account. There are many drawbacks associated with Paypal's system, including:
No real-time account verification: It takes 2 to 3 days to verify the customer's financial account.
High cost: Paypal suggests sending two deposits (credits) to the user's financial account, each of which is less than $0.99 in value.
Weak account verification: An unauthorized individual who has access to the details about the verifying transactions would be verified as the account owner.

CashEdge's system requires the customer to provide bank account information along with the username and password of the online banking web site that the customer is using to access his/her bank account. The system then applies the customer's username and password to log in to the online banking system for verification of the account ownership. The drawbacks of the CashEdge system include:
Security and Privacy Concerns: Requesting the customer to provide the online banking username and password to CashEdge raises customers' security and privacy concerns.
Weak account verification: An unauthorized individual who has access to the customer's username and password would be verified as the account owner.
Fraud Risk: Without CashEdge's system, a fraudster who has access to the customer's online banking username and password is not able to transfer funds from the customer's account, but the CashEdge system provides this opportunity to an unauthorized individual to commit fraud.

Financial institutions need a system that eliminates the aforementioned problems and concerns by:
verifying customers' identity
verifying account ownerships in real-time
providing proof of transaction authorization
being secure, inexpensive and easy to use
not requiring financial institutions to change their existing systems and processes
covering bank account as well as credit card transactions

For convenience, the term “customer” is used throughout to represent a financial institution's individual or corporate customer.

The term “financial institution” is used herein to denote any institution such as bank, credit card issuer, brokerage firm, debit card or credit card company such as Visa, MasterCard, and AMEX or any other company that offers financial services.

The term “financial account” is used herein to denote any bank account, brokerage account, debit card and credit card account.

The term “account ownership verification” is used herein to denote the process of verifying that the financial account belongs to the customer and the customer is authorized to use such financial account.

The term “communication network” is used herein to denote any private, wireless or public network such as the Internet.

The term “indirect authentication” is used herein to denote any authentication method that authenticates the customers based on customers' information, meaning that customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases.

The term “direct authentication” is used herein to denote any authentication method that authenticates the customers based on customers' credentials such as biometric data or smart card.

The term “funds transfer network” is used herein to denote any network that financial institutions use to transfer funds, such as ACH, Fedwire, Visa network.

The term “interbank funds transfer” is used herein to denote account-to-account funds transfer between accounts at different financial institutions.

The term “debit pull” is used herein to denote the way electronic payments and funds transfer are authorized and executed, where the receiver of funds is asking the customer's financial institution to debit the customer's account.

The term “credit push” is used herein to denote the way electronic payments and funds transfer are authorized and executed, where the customer instructs his/her financial institution to credit the account of the receiver (e.g. merchant account).

The term “digital identity” is used herein to denote a dynamic, non-predictable and time dependent alphanumeric code, or any other key, which may be given by the customer's financial institution to the customer over a communication network such as the Internet, and may be valid for one-time use. The customer's digital identity is used for identification, authentication and authorization purposes for processing transactions over the communication network. The digital identity is calculated using a proprietary algorithm that may include any other customer and/or transaction specific information to make the digital identity customer and transaction specific.

The term “identity authority” is used herein to denote any entity that offers direct authentication services to other businesses. The identity authority issues and manages the digital identity.

The term “Digital Identity System” is used herein to denote the system that deals with the calculation, transformation and validation of the digital identity using a proprietary algorithm.

The term “Digital Identity Network” is used herein to denote the trusted network between financial institutions using any communication network such as the Internet. The Digital Identity Network enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial transactions.

The term “Digital Identity Message” is used herein to denote the message sent or received over the Digital Identity Network that may include the customer's digital identity and transaction information.

SUMMARY OF THE INVENTION

The present invention provides a solution to the aforementioned problems and the challenges the financial institutions face today. The present invention relates to a direct authentication and authorization system and method for a trusted network of financial institutions allowing them to directly authenticate their customers and receive their authorization of financial or non-financial transactions over a communication network such as the Internet.

To overcome the drawbacks of the known systems and methods discussed above, the present invention is based on a new identification and authentication method as digital identity. The new digital identity-based identification and authentication system and method:
verifies customers' identity
verifies account ownerships in real-time
provides proof of transaction authorization
reduces the risk of fraud and identity theft
is secure, inexpensive and easy to use
does not require financial institutions to change their existing systems and processes
could be utilized for bank account as well as credit card transactions

The digital identity is an alphanumeric code and, unlike a password, biometric or smart card, the digital identity may be valid for one-time use and is dynamic, non-predictable and may be time dependent. It is calculated using a proprietary algorithm that may include other customer-specific information, which makes the digital identity customer specific. Thus, it is impossible to calculate the same digital identity for two different customers, or for two different customers to receive the same digital identity. Therefore, the digital identity offers the benefits of a password, biometric and smart card, without their disadvantages. It is as easy to use as a password and as secure as a biometric or smart card.

This invention comprises a Digital Identity System and a Digital Identity Network. The Digital Identity System deals with the calculation, transformation and validation of the digital identity. The Digital Identity Network is the trusted network between financial institutions that enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial or non-financial transactions. The Digital Identity Message may include the customer's digital identity and transaction information.

The direct authentication and authorization system and method according to the present invention may include the following participants:

Originator: the Originator is the individual or corporate customer of the Participating Financial Institution (PFI). The Originator receives a new digital identity from its Participating Financial Institution (PFI) each time the Originator desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer. The Originator provides the digital identity to the Receiver for identification, authentication and/or authorization of the transaction.

Receiver: the Receiver is the individual or corporate customer of the Participating Financial Institution (PFI) that receives the Originator's digital identity for identification, authentication and/or authorization of the non-financial or financial transaction such as payment or funds transfer.

PFI: the Participating Financial Institution is the financial institution that has an existing relationship with Originators and/or Receivers and offers services to the Originators and/or Receivers. When a PFI serves Originators, the PFI is acting as an Originating Participating Financial Institution (OPFI) and when a PFI serves Receivers the PFI is acting as a Receiving Participating Financial Institution (RPFI). A Participating Financial Institution (PFI) may participate in the Digital Identity Network as an OPFI as well as an RPFI.

DID Operator: the Digital Identity Operator is the digital identity authority that provides digital identity-based authentication and authorization services to the Participating Financial Institutions (PFIs) by maintaining, operating and managing the Digital Identity System and Network. Each time the Originator desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer, its Participating Financial Institution (OPFI) requests the DID Operator to calculate a new digital identity for that Originator.

Financial institutions need to become Digital Identity Network participants to perform identification and authentication of their customers and/or receive their authorization of transactions.
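The roles just listed, together with the definition of “digital identity” above (a dynamic, non-predictable, time-dependent code that may be valid for one-time use and specific to a customer and transaction), can be followed end to end in a small simulation. The Python below is an added example; it is not code from the patent or its inventors. Because the patent describes its calculation only as a proprietary algorithm, the HMAC-over-random-nonce construction, the 300-second validity window, the operator key, the class and method names and the sample payment are all assumptions made for this example. It plays the OPFI, DID Operator and RPFI over the Figure 9 to Figure 11 payment flow and shows the outcomes a validating operator has to produce: approval for a fresh code that matches the authorized transaction, and denial for a replayed code, a tampered transaction, an expired code and a guessed code.

```python
import hashlib
import hmac
import secrets

# Hypothetical validity window and operator key, constructed for this example;
# the patent describes its own code-generation algorithm only as "proprietary".
DID_LIFETIME_SECONDS = 300
OPERATOR_KEY = b"constructed-demo-key-not-for-production"


class DIDOperator:
    """Calculates digital identities for an OPFI and validates the Digital
    Identity Messages an RPFI sends back (Figures 5, 6, 9 and 10)."""

    def __init__(self, key, now=1_700_000_000):
        self.key, self.now, self.issued = key, now, {}  # now: controllable clock

    def calculate_digital_identity(self, opfi, customer_id, transaction):
        nonce = secrets.token_hex(6)
        expires_at = self.now + DID_LIFETIME_SECONDS
        # Random nonce plus a keyed tag over customer, transaction and expiry:
        # non-predictable, time dependent, customer and transaction specific.
        material = f"{nonce}|{opfi}|{customer_id}|{sorted(transaction.items())}|{expires_at}"
        tag = hmac.new(self.key, material.encode(), hashlib.sha256).hexdigest()[:10]
        did = f"{nonce}-{tag}".upper()
        self.issued[did] = {"customer": customer_id, "opfi": opfi,
                            "transaction": dict(transaction),
                            "expires_at": expires_at, "used": False}
        return did

    def validate(self, did):
        """Returns (record, reason); record is None when the identity is rejected."""
        rec = self.issued.get(did)
        if rec is None:
            return None, "unknown digital identity"
        if rec["used"]:
            return None, "digital identity already used"
        if self.now > rec["expires_at"]:
            return None, "digital identity expired"
        rec["used"] = True  # one-time use: consumed before forwarding to the OPFI
        return rec, "customer identified"


class OPFI:
    """Originating PFI: obtains the digital identity for the Originator and later
    verifies the transaction it comes back with (Figures 7 and 11)."""

    def __init__(self, name, operator):
        self.name, self.operator, self.pending, self.approved = name, operator, {}, []

    def start_transaction(self, customer_id, transaction):
        did = self.operator.calculate_digital_identity(self.name, customer_id, transaction)
        self.pending[did] = (customer_id, dict(transaction))
        return did  # presented to the customer over the communication network

    def process_digital_identity_message(self, did, rec, transaction):
        customer_id, authorized = self.pending.pop(did, (None, None))
        if customer_id != rec["customer"] or authorized != transaction:
            return "DENIED: transaction does not match Originator's authorization"
        self.approved.append((customer_id, transaction))
        return "APPROVED"


class RPFI:
    """Receiving PFI: sends the Receiver's Digital Identity Message through the
    DID Operator to the OPFI and relays the decision back."""

    def __init__(self, operator, opfis):
        self.operator, self.opfis = operator, opfis

    def process(self, did, transaction):
        rec, reason = self.operator.validate(did)
        if rec is None:
            return f"DENIED: {reason}"
        return self.opfis[rec["opfi"]].process_digital_identity_message(did, rec, transaction)


def run_scenarios():
    """Constructed end-to-end scenarios; returns the decision relayed by the RPFI."""
    operator = DIDOperator(OPERATOR_KEY)
    opfi = OPFI("CustomerBank", operator)
    rpfi = RPFI(operator, {"CustomerBank": opfi})
    payment = {"amount": "125.00", "payee": "ExampleBiller", "currency": "USD"}
    results = {}
    did = opfi.start_transaction("cust-0001", payment)  # Figure 9, steps 205 to 230
    results["valid"] = rpfi.process(did, payment)       # Figures 10 and 11, approval path
    results["replay"] = rpfi.process(did, payment)      # the same code presented twice
    did2 = opfi.start_transaction("cust-0001", payment)
    results["tampered"] = rpfi.process(did2, {**payment, "amount": "9125.00"})
    did3 = opfi.start_transaction("cust-0001", payment)
    operator.now += DID_LIFETIME_SECONDS + 1            # validity window has passed
    results["expired"] = rpfi.process(did3, payment)
    results["guessed"] = rpfi.process("000000000000-0000000000", payment)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} -> {outcome}")
```

Two design points carry over to any real deployment of such a network. The operator marks the code as used before the message reaches the OPFI, so a second presentation of the same code is refused even if the OPFI is still processing the first; and the OPFI re-checks the transaction details against what the Originator authorized rather than trusting the amount the Receiver forwarded, which is what turns the code from a bare identifier into proof of authorization for one specific transaction.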
This invention enables financial institutions and their business customers to perform identification and authentication of their customers and/or to manifest their assent to the authorization of transactions. The customer's digital identity, which has been provided to that customer by the customer's financial institution, is issued and used at the time when third parties (e.g. merchants, billers) or another Participating Financial Institution needs to authenticate the customer's identity, verify the account ownership and/or receive the customer's authorization for the financial or non-financial transaction.

Participating Financial Institutions issue digital identities to their account holders and validate digital identities issued by other Participating Financial Institutions in real time. Using the Digital Identity System and Network, financial institutions can establish an environment in which parties to a transaction can reliably verify the electronic identities of customers, engage in legally binding agreements, and maintain auditable electronic information trails. The resulting high level of security and trust enables financial institutions to better serve the customers by enhancing their online service offerings.
This invention enables financial institutions to enhance security and reduce fraud by identifying their customers and account holders. This will allow them to provide various services to their customers. As an example, the invention may be used in interbank funds transfer transactions to perform identification and authentication, receive customers' authorization and verify account ownership. As another example, the invention may be used in online payment transactions to perform identification and authentication of customers, receive customers' authorization, obtain payments and receive account ownership verification.

As another example, the invention may be used in identity verification services offered by financial institutions to provide customer identification in e-commerce.
This invention relates to a system and method for verification of customers' identity over a communication network such as the Internet.
Accordingly, it is a principal objective of the invention to perform account ownership verification in real time over a communication network such as the Internet.

It is another objective of the invention to allow all parties involved in a transaction to give and receive transaction authorization over a communication network such as the Internet.

It is another objective of the invention to provide a direct authentication and authorization system and method that is secure, inexpensive, easy to use and offers privacy to the financial institutions' customers.

It is another objective of the invention to provide a direct authentication and authorization system and method that does not require financial institutions to change their existing systems.

It is another objective of the invention to provide a direct authentication and authorization system and method that is independent from any financial institution and applies to various types of financial accounts.

It is another objective of the invention to reduce fraud and identity theft and increase security.

It is another objective of th
