(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 4 January 2007 (04.01.2007)

(10) International Publication Number: WO 2007/001394 A2

(51) International Patent Classification: G06Q 99/00 (2006.01)

(21) International Application Number: PCT/US2005/035532

(22) International Filing Date: 29 September 2005 (29.09.2005)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 60/694,768, 27 June 2005 (27.06.2005), US

(63) Related by continuation (CON) or continuation-in-part (CIP) to earlier application: US 10/791,439 (CIP), filed on 2 March 2004 (02.03.2004)

(71) Applicant (for all designated States except US): THE 41st PARAMETER, INC. [US/US]; 14301 North 87th Street, Suite 211, Scottsdale, AZ 85260 (US).

(72) Inventor; and
(75) Inventor/Applicant (for US only): EISEN, Ori [OiUS); 6214 East Hillery Drive, Scottsdale, AZ 85254-2568 (US).

(74) Agents: ENG, U., P., Peter et al.; Wilson Sonsini Goodrich & Rosati, 650 Page Mill Road, Palo Alto, CA 94304-1050 (US).

(81) Designated States (unless otherwise indicated, for every kind of national protection available): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BW, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, EG, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KM, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, LY, MA, MD, MG, MK, MN, MW, MX, MZ, NA, NG, NI, NO, NZ, OM, PG, PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, SM, SY, TJ, TM, TN, TR, TT, TZ, UA, UG, US (patent), UZ, VC, VN, YU, ZA, ZM, ZW.

(84) Designated States (unless otherwise indicated, for every kind of regional protection available): ARIPO (BW, GH, GM, KE, LS, MW, MZ, NA, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, FR, GB, GR, HU, IE, IS, IT, LT, LU, LV, MC, NL, PL, PT, RO, SE, SI, SK, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

Published:
- without international search report and to be republished upon receipt of that report

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

(54) Title: METHOD AND SYSTEM FOR IDENTIFYING USERS AND DETECTING FRAUD BY USE OF THE INTERNET

(57) Abstract: A method and system for detecting and preventing Internet fraud in online transactions by utilizing and analyzing a number of parameters to uniquely identify a computer user and potential fraudulent transaction through predictive modeling. The method and system uses a delta of time between the clock of the computer used by the actual fraudulent use and the potentially fraudulent user and the clock of the server computer in conjunction with personal information and/or non-personal information, preferably the Browser ID.

APPLE EXHIBIT 1005
Page 1 of 39

WO 2007/001394    PCT/US2005/035532

METHOD AND SYSTEM FOR IDENTIFYING USERS AND DETECTING FRAUD BY USE OF THE INTERNET

CROSS-REFERENCE
[0001] This application is a continuation-in-part application of U.S. Patent Application Serial No. 10/791,439 filed on March 2, 2004, and this application also claims the benefit of priority to U.S. Provisional Patent Application Serial No. 60/694,768 filed June 27, 2005, which are incorporated herein by reference in their entirety.

BACKGROUND OF THE INVENTION
[0002] The invention relates to Internet purchasing or e-tail transactions and specifically to detecting fraud in such transactions when ordering products, services, or downloading information over the Internet.
[0003] There is a continuing need to develop techniques, devices, and programs to detect and prevent Internet fraud. The invention provides a method and a system for detecting and preventing Internet fraud by utilizing and analyzing a number of parameters to uniquely identify a customer and a potential fraudulent Internet-based transaction.

DESCRIPTION OF THE PRIOR ART
[0004] Many methods and systems have been developed over the years to prevent or detect Internet fraud. Today, to gain consumer confidence and prevent revenue loss, a website operator or merchant desires an accurate and trustworthy way of detecting possible Internet fraud. Merely asking for the user name, address, phone number, and e-mail address will not suffice to detect and determine a probable fraudulent transaction because such information can be altered, manipulated, fraudulently obtained, or simply false.
[0005] Typically, an Internet user who accesses a website for obtaining a service, product, or information, not only enters personal information as mentioned above, but is also requested to provide a credit card account number, expiration date, and billing address. An online criminal seeking to obtain goods, services, or access to information (text and/or visuals over the Internet) commonly uses someone else's credit card information to obtain the services or products during the transaction. To prevent such occurrences, websites, via credit card companies and banks, often check to see if the address on the order corresponds or matches the address for the credit card owner. Although billing and shipping addresses can differ, such as when someone purchases a gift for another, it is a factor to consider in the verification process. Additionally, merchants utilize phone number matching between that of the Internet order and the credit card company database. Another commonly used technique for order verification is e-mail address verification where the website operator sends a message to the user e-mail address asking the customer to confirm the order prior to executing the same. Yet, online thieves frequently use email addresses from large portal sites that offer free e-mail accounts. These e-mail addresses are easily disposable and make it harder for the website operator to identify the fraudulent customer before executing the transaction.
[0006] More sophisticated websites now capture a variety of parameters from the user known as Common Gateway Interface parameters (CGI parameters). These parameters commonly include non-personal information such as a user Internet Protocol Address (IP Address). Every computer connected to the Internet is assigned a unique number known as its Internet Protocol (IP) Address. Much like a phone number in a home or office, an IP address can be used to identify the specific user or at least the particular computer used for an Internet transaction. In addition, since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connected to the Internet. Yet, IP addresses can change regularly if a user connects to the Internet via a dial-up connection or reboots their computer. Online thieves also have ways of scrambling their IP addresses or adopting another IP address to make it nearly impossible for the website operator to identify the true user. Thus, websites typically use an IP address plus a further non-personal identifier such as a Browser ID (or user agent), a cookie, and/or a registration ID to try to identify a unique user and to prevent fraud in a second transaction.
[0007] A Browser ID provides the website operator with a wealth of information about the user such as the software being used to browse or surf the Internet. Additionally, the Browser ID includes information about the user computer operating system, its current version, its Internet browser and the language. Thus, the Browser ID has valuable information for identifying a unique user. The Browser ID may also have more detailed information such as the type of content the user can receive; for example, this lets the website operator know if the user can run applications in FLASH-animation, open a PDF-file, or access a Microsoft Excel document. Yet, Browser IDs from different computers can be similar, as there are so many Internet users and thus many have similar computers with the same capabilities, programs, web browsers, operating systems, and other information. A cookie refers to a piece of information sent from the web server to the user web browser which is saved on the resident browser software. Cookies might contain specific information such as login or registration information, online 'shopping cart' information, user preferences, etc. But cookies can easily be deleted by the computer user, by the browser, or turned off completely so that the server cannot save information on the browser software. Thus, cookies alone cannot serve as a unique identifier to thwart an Internet thief.
[0008] Accordingly, what is needed is a method and system that overcomes the problems associated with a typical verification and fraud prevention system for Internet transactions particularly in the purchasing of services, products, or information by uniquely identifying each consumer. Then, when that consumer seeks a second fraudulent purchase, the website operator will detect the same and block the order or, at least, obtain more information to ensure the order is legitimate. The system should be easily implemented within the existing environment and should be adaptable and compatible with existing technology.

SUMMARY OF THE INVENTION
[0009] In accordance with the invention, a method and system is provided for detecting potentially fraudulent transactions over the Internet. The method and system comprises obtaining information relating to the transaction from the consumer and combining this information with a unit corresponding to the change of time, a delta of time parameter, to create a unique computer identifier. If a future transaction involves an identical computer identifier, as described below, which was previously engaged in a fraudulent transaction, the website operator can choose to cancel the transaction, pursue legal action, seek further verification, or the like. By using information relating to the first transaction, such as the IP address and/or Browser ID, and combining it with the delta of time parameter, as detailed herein, the website host can more accurately preventively track fraudulent users online by comparing computer identifiers to each other. In so doing, an integrated fraud prevention system is provided which allows the website host, merchant, or the like, to accurately and efficiently determine the validity or fraudulent quality of a transaction sought to be transacted over the Internet.
[0010] Accordingly, the invention provides a method and system for improving fraud detection in connection with Internet transactions. Various embodiments of the invention utilize existing technological capabilities to prevent online thieves from making second fraudulent transactions.
[0011] Another aspect of the invention provides methods and systems for detecting and preventing Internet fraud committed as a result of "scams" or deceptive practices developed to acquire personal, confidential and/or financial information. The concepts of the invention described above may be characterized as "fingerprinting" techniques and methods to identify and/or prevent fraud involving information obtained through Internet scams. These unlawful practices will likely continue as new techniques are developed in addition to schemes already known to those in the field today such as phishing, pharming, spoofing, session cloning and other deceptive practices. It shall be understood that the clock based or delta of time parameters provided herein can be used within the scope of the invention either alone or together with other known or future developed fraud parameters in the fight against online fraud and Internet scams. The various methods and systems provided in accordance with the invention offer improved and enhanced fraud detection and/or prevention solutions for e-commerce and Internet based transactions. These solutions provide a degree of invisibility to users and fraudsters alike and do not require any or all of the following: user interaction (less likelihood for mistakes or carelessness), opt-in (no adoption issues and full coverage of anti-fraud measures can be provided), change in customer behavior (no confusion as to what actions need be taken or avoided), downloads or cookies (no compatibility issues with user computers or browsers). Moreover, these Internet based solutions generate low false-positives and false negatives so as to minimize loss of business for mistakenly turning down legitimate transactions and successfully rejecting transactions that are fraudulent. The invention can incorporate a type of link analysis on user information from compromised accounts to identify a fraudster and/or the computer used to conduct fraudulent transactions online.
[0012] The features and advantages to various aspects of the invention are readily apparent from the following detailed description of the best mode for carrying out the invention when taken in connection with the accompanying chart and other portions of the specification and figures herein.

INCORPORATION BY REFERENCE
[0013] All publications and patent applications mentioned in this specification are herein incorporated by reference to the same extent as if each individual publication or patent application was specifically and individually indicated to be incorporated by reference.

BRIEF DESCRIPTION OF THE DRAWINGS
[0014] FIG. 1 is a chart that illustrates the versatility and accuracy of the invention in weeding out possible fraudulent online transactions.
[0015] FIG. 2 describes a connection between a customer computer and a merchant website server whereby each device maintains respective times according to a resident clock.
[0016] FIG. 3 is an index of different Time Zones around the world.
[0017] FIG. 4 is a flowchart describing an embodiment of the invention that provides a customer computer identifier.
[0018] FIG. 5 describes components of a customer computer identifier provided in accordance with the invention.
[0019] FIG. 6 illustrates a comparison of computer identifiers that provides a matching parameter for consideration by an online merchant.
[0020] FIG. 7 shows various components and parameters that may comprise a user computer identifier in accordance with an embodiment of the invention.
[0021] FIG. 8 depicts the comparison between multiple computer identifiers to provide a matching parameter that can be compared against a preselected matching value.

DETAILED DESCRIPTION OF THE INVENTION
[0022] The present invention relates to a method and system for detecting potentially fraudulent transactions over the Internet. Various modifications to the preferred embodiment will be readily apparent to those skilled in the art and the general principles herein may be applied to other embodiments. The present invention is not intended to be limited to the embodiment shown but is to be accorded the widest scope consistent with the principles and features described herein. It is to be understood that the website, its host, or operator does not have to be a merchant of goods.
[0023] The present invention provides a fraud prevention system for online transactions by uniquely identifying a customer based on a number of parameters at least one of which is a delta of time parameter and another of which is another Internet related parameter, preferably the Browser ID of a computer.
[0024] Referring to the chart shown in FIG. 1, what is shown is a series of typical transactions on the Internet between a merchant and several customers. Each customer establishes a connection between his computer and the merchant's website. Upon making this connection, the merchant's website receives some non-personal identification information from the customer. This non-personal information typically includes Common Gateway Interface (CGI) parameters such as the customer's Internet Protocol (IP) Address and the computer's Browser ID. While "hackers" can change, disguise, and/or emulate the IP address to mask a fraudulent transaction, most do not now have the capability nor the idea to do the same for the Browser ID. While some "hackers" can change the Browser ID, it is not a trivial tool and if one needs to change it all the time it is not allowing those thieves to easily steal, hence, they are likely to go to a site that does not check Browser IDs. In a typical embodiment, when the customer decides to purchase services, goods, or information from the website, the customer must input additional and more personal information. This personal identification information may commonly include the customer's name, address, billing and shipping information, phone number, and/or e-mail address. A key feature of the present invention is that the website server also captures the local time of the customer's computer, typically through a program such as Javascript, as well as the local time of the server's computer. The server then calculates the time difference (or delta of time) between the customer's computer clock and the server's computer clock. This can be recorded in any desired format such as hours, minutes, seconds, or the like, but corresponds to a delta of time parameter. The delta of time parameter, the non-personal information, including but not limited to the preferred usage of the Browser ID, and/or the personal information are stored by the merchant and used to uniquely identify the customer.
[0025] As shown in FIG. 2, a connection may be established between a customer computer 12 and a merchant website server 14. Upon making the online connection, various information is transmitted by the customer computer 12 that may operate as a unique user and/or computer identifier. This information may include personal information specific to the customer, non-personal information corresponding to the customer computer, and the local time according to the customer computer. The merchant website can receive non-personal customer information including CGI parameters such as the customer's IP address and computer Browser ID. The customer can further input personal information when making a purchase from the website including a customer name, address, billing and shipping information, phone number, and/or e-mail address(es). In accordance with this embodiment of the invention, the relative customer computer local time according to its resident clock may be captured, typically through a program such as Javascript or any other time indicator employed by telecommunications and networking systems such as timestamps within transmitted data packets (e.g., TCP timestamps in packets within a data stream wherein each packet includes a header portion containing a 32-bit timestamp generated by an originating computer according to local resident time). The local time of a customer computer or client may be captured during any selected moment of action such as when the customer visits or is logging into a merchant site, at the time of a purchase or at times during an exchange of information that can be reflected in timestamp to data packets transmitted across a selected network or the Internet. At the same time, the merchant web server also maintains and measures a relative website server local time according to a resident clock. The time difference or delta of time as between the customer computer clock and the server's computer clock can be therefore calculated. This approach in determining when to measure a time of action or event may be characterized as opportunistic in that measurements are taken at selected moments in time. The delta of time can be measured, calculated and recorded by the merchant web server or any other computer operating with or connected to the merchant online system. The delta of time may be measured in any desired format or increments of time such as hours, minutes, seconds, milliseconds (microseconds) or the like. Over different periods of time, the delta of time parameters are generally persistent with relatively high degree of accuracy. Accordingly, the measured time difference between these computer clocks provides a fraud parameter in accordance with this aspect of the invention that may link or associate a particular customer computer with transactions that may involve fraud.
[0026] The delta of time (Time Diff) parameter provided in accordance with this aspect of the invention may function alone or combined with other parameters to provide what may be characterized as a "PC fingerprint." Such devices include personal computers or any other type of computing devices or computers including those from Apple Computer, Inc. (hereinafter collectively PC). Each PC connected to the Internet may be configured slightly different and may possess identifiable characteristics distinguishing it from other devices which can be exploited by the invention. A more accurate PC fingerprint may be generally developed by considering a greater number of available computer related parameters. The Time Diff parameter may serve as part of a PC fingerprint for identifying a device which serves as a distinctive mark or characteristic about a particular user device. In addition to a Time Diff parameter, the flow of information exchanged during an Internet session may be captured and provide significant information about the user device on the other end. This type of information exchange considered by the invention is preferably invisible and transparent to users, and does not rely on user action or modification of online behavior. The Time Diff parameter may thus link incidents involving fraud, hacking, phishing etc. by automatically correlating information such as login data, computer data and customer data. For example, by analyzing data sent from the user device, information about the device and browser used by an individual may be obtained such as a Browser ID, the Browser/device IP address and the particular Browser language. By formulating a more accurate PC fingerprint, there is less likelihood of mistakenly associating a user with a fraudulent transaction (false positive) during e-commerce transactions, or failing to detect a fraudster. Other applications of the invention include national security and law enforcement whereby a computer can be uniquely identified in a manner similar to the way thieves can be identified by a physical fingerprint. Accordingly, a PC fingerprint provided by the invention enables the ability to link and connect different online accounts and activity to a same device.
[0027] The Time Diff parameter provided in accordance with the invention may be captured or measured during various selected moments of action during an Internet session such as the login step or procedure. Today it is estimated that medium to large e-commerce merchants and financial institutions receive over 5,000 orders per day for digital and shipped goods, and over 100,000 logins per day. Many Internet Service Providers (ISPs) also manage accounts and user logins on an enormous scale also. This aspect of the invention can be applied to broader applications online to authenticate a user or uniquely identify a computer on the Internet in addition to e-commerce transactions and fighting fraud or identity theft. For example, the invention may be applied where a merchant or financial institution (FI) server resides in California, USA and a valid customer (Customer) who also normally resides in California, USA. It shall be understood that the following examples below describe login procedures which could be modified according to the invention for any other selected moment of action during an Internet session such as logout procedures, when a user clicks a "submit" button within a user interface, or transmission of any other information between users online.
[0028] During a "valid" login procedure, the Customer may initiate a login procedure from a web browser on a computer that registers a time according to its clock as follows: Time = 11:00 am / Time Zone: GMT -8 and an IP address from the California region. Meanwhile, from the perspective of the FI, the recorded time at the FI server according to its respective clock may be: Time = 11:01 am / Time Zone: GMT -8 and an IP address from the California region. It shall be understood that the invention may incorporate IP address locator tools which determine an identifier for an online device and its location based on geographic regions within a country or around the world. Upon analysis of this information from the Customer that may be reflected on a conceptual or actual Score Card, which can be calculated and stored in memory within the server of the FI or any of its other network computers, the FI can determine whether there is a match indicating a valid user login. Accordingly, the exchange of information in the above described example may be reflected as a match on or as a Score Card that measures the validity of the customer: Time Diff = Match / Time Zone = Match / IP = Match.
[0029] During a "suspect" login procedure, a Customer may initiate a login procedure from a web browser on a computer that registers a time according to its clock as follows: Time = 10:02 pm / Time Zone: GMT +3 and an IP address from a region in Russia. Meanwhile, from the perspective of an FI, the recorded time at the FI server according to its respective clock may be: Time = 11:01 am / Time Zone: GMT -8 and an IP address again from its California region. Upon analysis of this information from the Customer in accordance with the invention, the Time Diff and Time Zone measurements as between the Customer and the FI are different from prior valid logins and therefore not a match. Furthermore, the IP address received by the FI indicating a device outside of the California region would not be a match and further suggest an invalid login attempt by a fraudster or other unauthorized individual. The Score Card for this login example measuring the validity of the customer can thus show: Time Diff = No Match / Time Zone = No Match / IP = No Match. The FI would be thus alerted that the alleged Customer attempting to login was likely invalid.
[0030] During a "valid" login procedure from a Customer traveling with a computer and browser in London, the Customer may initiate a login procedure at a registered time according to its clock as follows: Time = 11:00 pm / Time Zone: GMT -8 and an IP address from a region around London. Meanwhile, from the perspective of an FI, the recorded time at the FI server according to its respective clock may be: Time = 11:01 am / Time Zone: GMT -8 and an IP address again from its California region. Upon analysis of this information from the Customer, the Time Diff and Time Zone measurements as between the Customer and the FI are the same as prior valid logins and therefore a match. While the IP address received by the FI indicating a device outside of the California region would not be a match and suggest an invalid login attempt, the comparison of the Time Diff and the Time Zone measurements would be a match. Because the Time Diff parameter provided in accordance with the invention can be used in combination with other fraud parameters for authentication and identification, a Score Card for this login example measuring the validity of the customer could still show a match nevertheless: Time Diff = Match / Time Zone = Match / IP = No Match.
[0031] The Time Diff parameter provides fraud detection tools for online merchants, financial institutions and other parties conducting commerce on the Web. These tools can be applied to combat well recognized problems such as reducing the number of false positives which reduce possible revenue from mistakenly identified valid users. In addition, Time Diff based tools provide an effective solution to identifying and preventing fraud during the course of international and overseas transactions where there are significantly increased risks of fraudulent activity. Accordingly, the Time Diff parameters herein allow the creation of a more accurate and relevant geo-location or PC fingerprint for many different types of online transactions around the world.
[0032] It shall be understood that the Time Diff parameters provided in accordance with this aspect of the invention may be defined as the difference in the registered computer times as measured in any unit of time (e.g., hours, minutes, seconds, milliseconds, microseconds) between any selected computers either alone, or in combination with the Time Zone herein or any other temporal characteristics. Furthermore, as with other embodiments described herein, the concepts of the invention can be preferably applied to e-commerce transactions to deter or identify fraud but is not limited thereto and are equally applicable to any other online application to uniquely identify and link a computer device on the Internet according to a Time Diff parameter. While consideration of Time Diff parameters alone may not be completely effective as with any solution against fraud, phishing etc., the PC fingerprinting methods and techniques provided herein enables effective link analysis between computer devices and compromised accounts or any other transaction having or associated with a fraudulent past or history. By following and learning from historical incidents of security breaches and fraud, the invention can quickly pinpoint repeat offenders and build a stronger defense against different criminal behavior or schemes now known and those that will be developed in the future.
[0033] Another embodiment of the invention provides a delta of time (Delta Time) parameter that can be calculated based on the local time as indicated through the browser of a client computer (Browser Time) and the local time as determined at a server (Server Time) - also applicable in FIG. 2. The Delta Time may operate as a fingerprint for a particular client computer or computer and assists in uniquely identifying it from other computers on the Internet or selected network. Each local time for any client or server connected to the Internet or other network system can be measured according to the clock for that particular device. The measured Delta Time parameter for any selected moment of action in accordance with the invention may be perceived as having two temporal components: an actual time and a time zone. For example, the measured local time at a client site may include a Browser Time of February 1, 2005 14:00:00 PM, and a Browser Time Zone of GMT -8. The measured local time at a server site may include a Server Time of February 1, 2005 17:01:13 PM, and a Server Time Zone of GMT -5. The Delta Time as between the Browser Time and the Server Time, and the Browser Time Zone in comparison to the Server Time Zone, can be therefore calculated in accordance with the invention.
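
The Delta Time calculation in [0033] and the Score Card comparisons in [0028] to [0030], worked through in JavaScript as an added example (not code from the patent or the applicant). The function names, the 30-second tolerance, the calendar dates, the travelling login and the accept/review policy are assumptions made for the illustration.

```javascript
// Added example, not from the patent. Clock readings are modelled as a naive
// local wall-clock string plus a GMT offset in hours: the "actual time" and
// "time zone" components that [0033] names.

// Parse "YYYY-MM-DD HH:MM:SS" into seconds. Date.UTC is used purely for
// calendar arithmetic; no time zone is applied to the reading.
function wallClockSeconds(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(text);
  if (!m) throw new Error("unparseable clock reading: " + text);
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s) / 1000;
}

// Delta Time between the client (Browser Time) and the server (Server Time).
function deltaTime(client, server) {
  const wall = wallClockSeconds(client.time) - wallClockSeconds(server.time);
  const zone = (client.gmtOffset - server.gmtOffset) * 3600;
  return {
    wallDeltaSeconds: wall,   // difference between the two displayed clocks
    zoneDeltaSeconds: zone,   // part explained by the two time zones
    skewSeconds: wall - zone, // what remains: drift of the client clock
  };
}

// Score Card for one login against the values kept from prior valid logins.
// toleranceSeconds is an assumption of this example; the patent gives no value.
function scoreCard(baseline, login, toleranceSeconds = 30) {
  const d = deltaTime(login.client, login.server);
  const label = (ok) => (ok ? "Match" : "No Match");
  const drift = Math.abs(d.wallDeltaSeconds - baseline.timeDiffSeconds);
  return {
    timeDiff: label(drift <= toleranceSeconds),
    timeZone: label(login.client.gmtOffset === baseline.gmtOffset),
    ip: label(login.ipRegion === baseline.ipRegion),
  };
}

// Policy assumed for this example: both clock parameters must match; an IP
// mismatch alone does not reject the login but is reported for review.
function assess(card) {
  const clocksMatch = card.timeDiff === "Match" && card.timeZone === "Match";
  if (!clocksMatch) return "suspect";
  return card.ip === "Match" ? "valid" : "valid, new location";
}

// Values from [0033].
const PARA_0033 = deltaTime(
  { time: "2005-02-01 14:00:00", gmtOffset: -8 },
  { time: "2005-02-01 17:01:13", gmtOffset: -5 }
);

// Baseline as it would be stored after the valid login in [0028]:
// customer clock one minute behind the FI server, GMT -8, California.
const BASELINE = { timeDiffSeconds: -60, gmtOffset: -8, ipRegion: "California" };

// The calendar dates are constructed; the patent gives only times of day.
const FI_SERVER = { time: "2005-02-01 11:01:00", gmtOffset: -8 };
const LOGINS = {
  valid: { // [0028]
    client: { time: "2005-02-01 11:00:00", gmtOffset: -8 },
    server: FI_SERVER,
    ipRegion: "California",
  },
  suspect: { // [0029]
    client: { time: "2005-02-01 22:02:00", gmtOffset: 3 },
    server: FI_SERVER,
    ipRegion: "Russia",
  },
  travelling: { // constructed: same laptop, clock settings untouched, used abroad
    client: { time: "2005-02-03 09:14:00", gmtOffset: -8 },
    server: { time: "2005-02-03 09:15:00", gmtOffset: -8 },
    ipRegion: "London",
  },
};

// Score every sample login and attach the verdict.
function runAll() {
  const out = {};
  for (const [name, login] of Object.entries(LOGINS)) {
    const card = scoreCard(BASELINE, login);
    out[name] = { ...card, verdict: assess(card) };
  }
  return out;
}

console.log(PARA_0033);
console.log(runAll());
```

The Score Card compares the wall-clock difference, while `skewSeconds` shows what is left of the [0033] reading once the three-hour zone difference is removed. The client time and time zone are reported by the client itself, so a match is one parameter to combine with others, as [0032] notes.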
[0034] A preferable embodiment of the invention provides a Delta Time or time differential which takes into consideration daylight saving time (DST) in selected time zones and countries around the world such as those identified in FIG. 3. In addition to collecting respective local times and time zones from clients or customer computers and website servers at a current selected date or moment of action, a website server or any other network computer can also capture information relating to particular time and time zones for selected (future or even past) dates. A selected Delta Time during DST (DST Delta Time) can be determined for a particular customer or client computer when the registered time for such other date is different than the current selected date. For example, the Delta Time value for such other date(s) can be +/- one hour
