U.S. patent application number 12/423928 was filed with the patent office on 2010-10-21 for website authentication.
Invention is credited to Jose Bravo, Jeffery L. Crume.
Application Number | 20100269162 12/423928 |
Document ID | / |
Family ID | 42982005 |
Filed Date | 2010-10-21 |
United States Patent
Application |
20100269162 |
Kind Code |
A1 |
Bravo; Jose ; et
al. |
October 21, 2010 |
WEBSITE AUTHENTICATION
Abstract
Embodiments of website authentication including receiving a
request from a user to view a website within a graphical user
interface (GUI); generating a one time password (OTP); storing the
generated OTP in a database; displaying the generated OTP on the
GUI; verifying an identity of the user by receiving an
identification datum from a communication device; receiving an
entered OTP from the user; comparing the entered OTP with the
generated OTP; and communicating whether the website is
authenticated.
Inventors: |
Bravo; Jose; (Mamaroneck,
NY) ; Crume; Jeffery L.; (Raleigh, NC) |
Correspondence
Address: |
HOFFMAN WARNICK LLC
75 STATE ST, 14 FL
ALBANY
NY
12207
US
|
Family ID: |
42982005 |
Appl. No.: |
12/423928 |
Filed: |
April 15, 2009 |
Current U.S.
Class: |
726/6 ;
726/7 |
Current CPC
Class: |
H04L 63/1483 20130101;
H04L 63/0838 20130101; H04L 9/3228 20130101; G06F 21/31 20130101;
G06F 21/83 20130101 |
Class at
Publication: |
726/6 ;
726/7 |
International
Class: |
G06F 7/04 20060101
G06F007/04; G06F 17/30 20060101 G06F017/30; H04L 9/00 20060101
H04L009/00 |
Claims
1. A method for website authentication, using at least one computer
hardware device for performing the steps of: receiving a request
from a user to view a website within a graphical user interface
(GUI); generating a one time password (OTP); storing the generated
OTP in a database; displaying the generated OTP on the GUI;
verifying an identity of the user by receiving an identification
datum from a communication device; receiving an entered OTP from
the user; comparing the entered OTP with the generated OTP; and
communicating whether the website is authenticated.
2. The method of claim 1, wherein the identification datum includes
at least one of an identification datum automatically generated by
the communication device and an identification datum input by the
user.
3. The method of claim 1, wherein the verifying compares the
identification datum with a stored identification datum in the
database.
4. The method of claim 2, wherein the identification datum is at
least one of a caller ID, an account number, a password and a first
geographical location.
5. The method of claim 3, further comprising determining a second
geographical location from the request from the user to view the
website and storing the second geographical location in the
database.
6. The method of claim 1, wherein the communicating includes at
least one of storing a fake website in the database and alerting an
authentic website administrator of the fake website.
7. A website authentication system, including a computer hardware
device comprising: a one time password (OTP) generator system for
generating a OTP; a voice response unit (VRU) system for receiving
at least one identification datum from a communication device; a
user verification system for verifying an identity of the user by
receiving an identification datum from the communication device; a
comparison system for receiving an entered OTP from the user and
comparing the entered OTP with the generated OTP; and a security
alert system for communicating whether the website is
authenticated.
8. The system of claim 7, wherein the OTP generator system receives
a request from the user to view a website within a graphical user
interface (GUI).
9. The system of claim 7, wherein the comparison system
communicates whether the website is authenticated.
10. The system of claim 7, wherein the OTP generator system stores
the generated OTP in a database.
11. The system of claim 7, wherein the identification datum
includes at least one of an identification datum automatically
generated by the communication device and an identification datum
input by the user.
12. The system of claim 7, wherein the verification system compares
the identification datum with a stored identification datum in the
database.
13. The system of claim 11, wherein the identification datum is at
least one of a caller ID, an account number, a password and a first
geographical location.
14. The system of claim 13, wherein the OTP generator system
determines a second geographical location from the request from the
user to view the website and storing the second geographical
location in the database.
15. The system of claim 7, wherein the communicating includes at
least one of storing a fake website in the database and alerting an
authentic website administrator of the fake website.
16. A computer readable medium storing a program product for
website authentication, comprising: program code for receiving a
request from a user to view a website within a graphical user
interface (GUI); program code for generating a one time password
(OTP); program code for storing the generated OTP in a database;
program code for displaying the generated OTP on the GUI; program
code for verifying an identity of the user by receiving an
identification datum from a communication device; program code for
receiving an entered OTP from the user; program code for comparing
the entered OTP with the generated OTP; and program code for
communicating whether the website is authenticated.
17. The program product of claim 16, wherein the identification
datum includes at least one of an identification datum
automatically generated by the communication device and an
identification datum input by the user.
18. The program product of claim 16, wherein the verifying compares
the identification datum with a stored identification datum in the
database.
19. The program product of claim 18, wherein the identification
datum is at least one of a caller ID, an account number, a password
and a first geographical location.
20. The program product of claim 19, further comprising determining
a second geographical location from the request from the user to
view the website.
Description
FIELD OF THE INVENTION
[0001] The present invention relates generally to website
authentication, and more particularly to website authentication
using a one time password and a voice response unit.
BACKGROUND OF THE INVENTION
[0002] Computers and other devices, as well as secure facilities,
services and financial accounts, often contain proprietary,
personal and/or sensitive information, which could be compromised
if accessed by unauthorized individuals. Thus such devices,
facilities, services and accounts (hereinafter "restricted items")
often incorporate security techniques, such as database access
control mechanisms, to prevent unauthorized users from accessing,
obtaining, or altering the proprietary, personal and/or sensitive
information. Authentication techniques allow users to prove their
identity and obtain authorized access to a given restricted
item.
[0003] In a phishing attack, a user is tricked into providing login
credentials and/or sensitive information by an attacker
impersonating an authentic website. The reason the attack succeeds
is that the user is unable to determine whether the website is
authentic or fake. Most existing defenses require the user to
discern an authentic from fake website based upon the overall
appearance of the website, a specially chosen website
authentication image, or verification of the website's digital
certification. Appearances may be imitated by the attacker or
overlooked by the user.
[0004] Website authentication, either in addition to or as an
alternative to appearance based defenses against phishing attacks,
improves security for both users and the entities that utilize
websites in communicating with users.
SUMMARY OF THE INVENTION
[0005] The present invention provides a method, system and program
product to improve website authentication. In particular, the
present invention allows users to authenticate the website that
they are visiting.
[0006] In a first aspect, the invention provides a method for
website authentication, using at least one computer hardware device
for performing the steps of: receiving a request from a user to
view a website within a graphical user interface (GUI); generating
a one time password (OTP); storing the generated OTP in a database;
displaying the generated OTP on the GUI; verifying an identity of
the user by receiving an identification datum from a communication
device; receiving an entered OTP from the user; comparing the
entered OTP with the generated OTP; and communicating whether the
website is authenticated.
[0007] In a second aspect, the invention provides a website
authentication system, including a computer hardware device
comprising: a one time password (OTP) generator system for
generating a OTP; a voice response unit (VRU) system for receiving
at least one identification datum from a communication device; a
user verification system for verifying an identity of the user by
receiving an identification datum from the communication device; a
comparison system for receiving an entered OTP from the user and
comparing the entered OTP with the generated OTP; and a security
alert system for communicating whether the website is
authenticated.
[0008] In a third aspect, the invention provides a computer
readable medium storing a program product for website
authentication, comprising: program code for receiving a request
from a user to view a website within a graphical user interface
(GUI); program code for generating a one time password (OTP);
program code for storing the generated OTP in a database; program
code for displaying the generated OTP on the GUI; program code for
verifying an identity of the user by receiving an identification
datum from a communication device; program code for receiving an
entered OTP from the user; program code for comparing the entered
OTP with the generated OTP; and program code for communicating
whether the website is authenticated.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The above and other objects, features and advantages of the
invention will be better understood by reading the following more
particular description of the invention in conjunction with the
accompanying drawings.
[0010] FIG. 1 depicts one embodiment of a website authentication
system in accordance with this invention.
[0011] FIG. 2 is a flow chart of one embodiment of the main steps
for website authentication in accordance with this invention.
[0012] The drawings are not necessarily to scale. The drawings are
merely schematic representations, not intended to portray specific
parameters of the invention. The drawings are intended to depict
only typical embodiments of the invention, and therefore should not
be considered as limiting the scope of the invention. In the
drawings, like numbering represents like elements.
DETAILED DESCRIPTION OF THE INVENTION
[0013] FIG. 1 shows an illustrative embodiment of the invention in
which a computer system 10 having a web server 40 provides web
pages to a user 16 via a graphical user interface (GUI) 32. In
addition to web server 40, a website authentication system 20 is
also provided to allow user 16 to authenticate content allegedly
being served from web server 40. Website authentication system 20,
as well as web server 40, may be implemented as a software program
product that can be stored in memory 18 and be executed on any type
of computer system 10. A person skilled in the art will recognize
that the invention may be implemented on one or more computer
systems and this disclosure is not intended to limit such potential
embodiments. In this illustrative embodiment, website
authentication system 20 includes a one time password (OTP)
generator system 22; a voice response unit (VRU) system 24; a user
verification system 26; a comparison system 28; and a security
alert system 38.
[0014] In operation, website authentication system 20 receives a
request from the user 16 to view a website on the GUI 32. An
input/output (I/O) system 14 is provided on the computer system 10
for communications with the user 16 via GUI 32 and/or a
communication device 34. Communication device 34 may be implemented
using any type of communication device including, for example, a
telephone, a cell phone, a personal digital assistant (PDA) and a
radio. GUI 32 may be implemented using any type of device or
software that permits website access including, for example, a
browser, a desktop computer, a laptop computer, a PDA, a cell
phone. GUI 32 and communication device 34 may reside on different
devices or the same device.
[0015] OTP generator system 22 generates a one time password (OTP)
when the user 16 attempts to view the website. The generated OTP
may include at least one number, letter, and other symbol. In one
embodiment of the invention, the generated OTP is limited to
numeric digits for easy phone keypad entry. The generated OTP is
stored in a database 30 and displayed on the GUI 32.
[0016] Once displayed, user 16 reads the generated OTP from the GUI
32 which can then be used to authenticate the website via the
communication device 34. As used herein "reads" means accesses the
generated OTP by visual, audio, tactile or any other communication
method between GUI 32 and user 16.
[0017] At some point after the OTP is generated, voice response
unit system (VRU) 24 receives a communication, e.g., a telephone
call, from user 16 by communication device 34. In one embodiment, a
VRU phone number is previously communicated to user 16 through a
communication channel other than the website thereby preventing the
phishing attack from posting a fake VRU phone number. VRU 24 may
receive an identification datum from the communication device 34.
The identification datum may include an identification datum
automatically generated by the communication device or an
identification datum input by the user 16. The identification datum
may include a caller ID, an account number, a password or a first
geographical location. VRU may prompt user 16 to enter
identification datum over the communication device 34, e.g., via a
key pad, by speaking, etc.
[0018] User verification system 26 can verify an identity of the
user 16 in a number of ways. In one approach, user verification
system 26 may verify the user 16 by comparing at least one
identification datum with a previously stored identification datum
in the database. User verification system 26 may determine a second
geographical location by detecting the location of the GUI 32 where
the request from the user to view the website was made and then
store the second geographical location in the database 30. In
another approach, user verification system 26 may verify the user
16 by comparing the first geographical location with the second
geographical location. If user's 16 identity cannot be verified,
user verification system 26 notifies voice response unit 24 to
terminate the communication and notifies the security alert system
38 of a failed user verification attempt.
[0019] If user's 16 identity is verified, user 16 enters the OTP
that user reads from the GUI 32. Comparison system 28 receives the
entered OTP from the user 16. Comparison system 28 compares the
entered OTP with the generated OTP in the database 30.
[0020] If the entered OTP matches the generated OTP, then website
authentication system 20 communicates to the user 16 that the
website being viewed by the user 16 is authentic. If the entered
OTP does not match the generated OTP, then website authentication
system 20 communicates to the user 16 via the communication device
34 that the website being viewed by the user is fake. In one
embodiment, if the entered OTP does not match the generated OTP,
comparison system notifies the security alert system 38 that a fake
website has been detected.
[0021] In one embodiment if a fake website is detected, security
alert system 38 may store the fake website in the database 30.
Storing the fake website may include storing information about the
fake website including the website address of the fake website and
html coding of the fake website. Security alert system 38 may
notify an authentic website administrator of the report of the fake
website.
[0022] Referring now to FIG. 2, one embodiment of the process of
website authentication as defined by the present invention is
described. The process starts at S1 when user 16 clicks on a link
in an email. Email is a common method for disseminating fake
websites for purposes of deceiving users 16 into conveying
proprietary, personal and/or secure information. Clicking a link in
an email is illustrative, the teachings of the invention apply to
any means of a user 16 accessing a website.
[0023] After the website is accessed, at S2 an OTP is generated and
displayed on a GUI 32. Both an authentic website and a fake website
could generate an OTP and display the OTP on a GUI 32. At S3 the
generated OTP is stored in a database 30. If at S4 an OTP is not
displayed on a user's GUI 32 then at S5 a fake website has been
detected by the user 16. If at S4 an OTP is displayed, then at S6
user 16 telephones the VRU 24.
[0024] At S7 VRU 24 receives a first identification datum. First
identification datum may be an identification datum automatically
generated by the communication device 34. At S8, user identity is
verified by comparing the first identification datum with known
information in the database 30. If at S8 the user 16 is identified,
then at S11 the user 16 will enter the OTP displayed on the GUI 32.
If at S8 the user 16 is not identified, then at S9 the user 16 may
be prompted for the second identification datum. Second
identification datum may include, for example, an account number, a
password, a personal identification number, date of birth, Social
Security number or any number of identification data that would be
previously stored in the database 30. If at S10 the second
identification datum matches information in the user database, then
user is identified. If at S10 the second identification datum does
not match information in the user database, then user 16 is not
identified. Second identification datum may include the first
geographical location from where the call is being initiated. The
second geographical location from the GUI 32 where the website was
accessed may be detected and stored in the database 30. If at S10
the first geographical location matches the second geographical
location, then user 16 is identified. If at S10 the first
geographical location does not match the second geographical
location, then user 16 is not identified. A person skilled in the
art will readily recognize that any number of methods for verifying
the identity of the user 16 may be used. A person skilled in the
art will also recognize that the number of steps of verifying user
identity could be added or subtracted depending upon the level of
security desired.
[0025] At S11, after user 16 is identified, user 16 enters the OTP
that is displayed on the website being accessed. The entered OTP is
compared with the generated OTP in the database S12. If the entered
OTP matches the generated OTP then the website is authenticated
S13. If the entered OTP does not match the generated OTP then a
fake website is detected S5.
[0026] Referring again to FIG. 1, a person skilled in the art will
readily recognize that in the event of website authentication any
number of communications could be generated to the user through the
website on the GUI 32 or communication device 34. In the event of a
fake website being detected, any type of communication or warning
could be generated to the user on the communication device 34 (as
the website being viewed by the user 16 would be a fake website).
Once the user 16 received such a communication, the user 16 could
immediately terminate interaction with the website.
[0027] I/O 14 may comprise any system for exchanging information
to/from an external resource. External devices/resources may
comprise any known type of external device, including a
monitor/display, speakers, storage, another computer system, a
hand-held device, keyboard, mouse, voice recognition system, speech
output system, printer, facsimile, pager, etc. Bus 36 provides a
communication link between each of the components in the computer
system 10 and likewise may comprise any known type of transmission
link, including electrical, optical, wireless, etc. Although not
shown, additional components, such as cache memory, communication
systems, system software, etc., may be incorporated into computer
system 10.
[0028] Access to computer system 10 may be provided over a network
such as the Internet, a local area network (LAN), a wide area
network (WAN), a virtual private network (VPN), etc. Communication
could occur via a direct hardwired connection (e.g., serial port),
or via an addressable connection that may utilize any combination
of wireline and/or wireless transmission methods. Moreover,
conventional network connectivity, such as Token Ring, Ethernet,
WiFi or other conventional communications standards could be used.
Still yet, connectivity could be provided by conventional TCP/IP
sockets-based protocol. In this instance, an Internet service
provider could be used to establish interconnectivity. Further, as
indicated above, communication could occur in a client-server or
server-server environment.
[0029] It should be appreciated that the teachings of the present
invention could be offered as a business method on a subscription
or fee basis. For example, a computer system 10 comprising a
website authentication system 20 could be created, maintained
and/or deployed by a service provider that offers the functions
described herein for customers.
[0030] It is understood that in addition to being implemented as a
system and method, the features may be provided as a program
product stored on a computer-readable medium, which when executed,
enables computer system 10 to provide a website authentication
system 20. To this extent, the computer-readable medium may include
program code, which implements the processes and systems described
herein. It is understood that the term "computer-readable medium"
comprises one or more of any type of physical embodiment of the
program code. In particular, the computer-readable medium can
comprise program code embodied on one or more portable storage
articles of manufacture (e.g., a compact disc, a magnetic disk, a
tape, etc.), on one or more data storage portions of a computing
device, such as memory 18 and/or a storage system.
[0031] As used herein, it is understood that the terms "program
code" and "computer program code" are synonymous and mean any
expression, in any language, code or notation, of a set of
instructions that cause a computing device having an information
processing capability to perform a particular function either
directly or after any combination of the following: (a) conversion
to another language, code or notation; (b) reproduction in a
different material form; and/or (c) decompression. To this extent,
program code can be embodied as one or more types of program
products, such as an application/software program, component
software/a library of functions, an operating system, a basic I/O
system/driver for a particular computing and/or I/O device, and the
like. Further, it is understood that terms such as "component" and
"system" are synonymous as used herein and represent any
combination of hardware and/or software capable of performing some
function(s).
[0032] The block diagrams in the figures illustrate the
architecture, functionality, and operation of possible
implementations of systems, methods and computer readable medium
according to various embodiments of the present invention. In this
regard, each block in the block diagrams may represent a module,
segment, or portion of code, which comprises one or more executable
instructions for implementing the specified logical function(s). It
should also be noted that the functions noted in the blocks may
occur out of the order noted in the figures. For example, two
blocks shown in succession may, in fact, be executed substantially
concurrently, or the blocks may sometimes be executed in the
reverse order, depending upon the functionality involved. It will
also be noted that each block of the block diagrams can be
implemented by special purpose hardware-based systems which perform
the specified functions or acts, or combinations of special purpose
hardware and computer instructions.
[0033] As used herein, an element or step recited in the singular
and proceeded with the word "a" or "an" should be understood as not
excluding plural elements or steps, unless such exclusion is
explicitly stated. Furthermore, references to "one embodiment" of
the present invention are not intended to be interpreted as
excluding the existence of additional embodiments that also
incorporate the recited features. Moreover, unless explicitly
stated to the contrary, embodiments "comprising" or "having" an
element or a plurality of elements having a particular property may
include additional such elements not having that property.
[0034] Although specific embodiments have been illustrated and
described herein, those of ordinary skill in the art appreciate
that any arrangement which is calculated to achieve the same
purpose may be substituted for the specific embodiments shown and
that the invention has other applications in other environments.
This application is intended to cover any adaptations or variations
of the present invention. The following claims are in no way
intended to limit the scope of the invention to the specific
embodiments described herein.
* * * * *