Procedure for determining unauthorized access to data.
Patent abstract:
Two user-authenticated sessions are compared between two different servers (110, 120) or users from two different financial institutions. Based on comparisons of adjusted key press times, position- or motion-related inputs and other inputs, it is determined that the sessions were or are being run by the same user. If this user is identified as a fraudulent or malicious actor at a server or a banking institution, this data is shared with another server or the other financial institution via another server (100) without passing on confidential information, so that the second server or the second financial institution can change the data sent to this user, even if the user is not identified, to prevent fraud and unauthorized access to someone else's data.
Publication number: CH715740A2
Application number: CH00046/20
Filing date: 2020-01-14
Publication date: 2020-07-15
Inventors: Deutschmann Ingo; Burstrom Per; Lindblad Philip; Julitz David
Applicant: Bahaviosec Inc
Main IPC class:
Patent description:
AREA OF DISCLOSED TECHNOLOGY
The technology disclosed relates to a method and apparatus for the exchange of sanitized data for the detection of fraud, especially in banking systems.
BACKGROUND TO DISCLOSED TECHNOLOGY
As long as there have been banks, there has been fraud. Banks and other institutions that offer services that require authorized access must protect their customers from fraudulent actors. Since a physical or electronic break-in at a bank is generally more difficult than breaking into the computer of a single user, today's bank robbers often specialize in the "last mile" to the end customer. In general, banking transactions in a digital environment are facilitated by establishing a session between the server and client device using secure and encrypted communication protocols, which requires the user to provide authorization data. This is usually based on a user name and password and / or a second strong authentication, but can also be based on biometric solutions such as a fingerprint scan, an iris scan or techniques with continuous behavior measurement in the background. A "user session" for the purposes of this disclosure is defined as viewing and downloading multiple discrete pieces of information, such as additional packaged data and / or web pages that are loaded based on user input. Examples include a login page, an overview page, action pages, etc. Each page can consist of several parts, such as fields, forms, lists, sliders and buttons to enable user input. To gain access to data and applications provided by a privileged service provider, such as a banking service provider (BSP), a web browser or application running on the customer's device can be used, and many customers or clients do banking over the Internet using bank frontends, mostly on their own devices such as desktop computers, tablets and smartphones.
In some cases, to prevent fraud and comply with general security guidelines, every session is logged and stored in a database on a server. The session is usually described by a large number of descriptors, and some of the relevant descriptors are the user agent (i.e. browser and software information), device type and IP address. In patents prior to this invention, behavioral biometric descriptors with features of user behavior, including timings of how the user typed or swiped the mouse, moved and navigated through the forms and pages, were logged. Despite efforts to make modern internet banking more secure, banking transactions are still vulnerable to the broad threat that modern fraud is, from phishing, hacking, and stolen account information to sophisticated social engineering that has been perfected to attract quite eager and watchful users of modern internet banking. With a social engineering scam, it is often the rightful user of the account who is lured to log in and perform a transaction on a fraudulent front-end system. Overall, fraud detection can be a very hard needle-in-a-haystack problem, with the added difficulty of not knowing what the needle looks like. Attacks are very few in number compared to real user logins and are often only discovered long after the attack is complete. Some aspects of an attacker's session descriptors can be falsified, or multiple devices and automated scripts can be used to confuse fraud prevention systems. Existing methods are often plagued by false alarms, which creates manual work and reduces trust. What is needed is a way to better identify misconduct, fraud and / or the risk that authenticated data sent to a bank user may be compromised by a third party.
SUMMARY OF DISCLOSED TECHNOLOGY A method for a fraud management system (defined as "a combination of devices used to detect fraud and prevent data theft") for identifying fraudulent behavior (defined as "actions that take place across a variety of computer networks Network nodes are running to provide false information or to receive information that is not intended for the receiving party ”) is disclosed here. This includes instructions sent by a server (defined as "a device located at a network node in a packet-switched network and authenticating and / or encrypting data to a client receiving device at another network node in the network that distributes the Should receive data after authentication, which indicates that the client receiving device is authorized to receive the data ”). The server distributes content over a packet switched data network that has been encrypted to a client receiving device (defined as "a device operated by a user who has been authenticated to receive secure / encrypted / authenticated data") on a separate one Network node in the network. The content includes code that must be executed by the client receiving device (so that the instructions in the code are executed) to detect fraudulent behavior on the client receiving device. The results of the detection of fraudulent behavior are transmitted back to the server over the packet switched network based on fraudulent behavior. In one embodiment of the disclosed technology, a method of denying access to sensitive data is performed by receiving a version of data from each of at least a first end user device and a second end user device based on a recorded session with recorded interactions. The “version” of the data is a version that is representative of aspects of the original data, and the parts thereof that are required to implement the method of the disclosed technology are still in a form that can be used. 
The recorded interactions include at least one or more key presses and the chronological sequence of each key press or at least the chronological sequence of some key presses. The recorded interactions can also include the recording of movements. These movements can include one or more key presses (which keys are pressed, when the keys are pressed in time, where a screen is pressed and how it is moved when using a touchscreen, etc.). The version of the received data is first "cleaned up", which is defined as "identifying information of a specific person being removed". This is achieved in the embodiment of the disclosed technology by anonymizing the keystrokes.
Once the above steps are performed, it is determined that a user who creates the interactions on the first end user device is not authorized. This determination can be made by a system or device that directly implements the disclosed technology method, or by receiving an indication (i.e. that the data is a version of a record of fraudulent acts) from another entity, such as the first end user device or an intermediate device that has forwarded the data generated on the first end user device. Then, based on similarities in the data received from the first end user device and the second end user device, it is determined that the user who created the interactions on the first end user device is the same user who created the interactions on the second end user device. Once the above determination is made that the first and second users are the same user, various additional steps are taken in embodiments of the disclosed technology. Changing, or instructing another to change, the further delivery of data to the second end user device can be done, e.g., to prevent further fraudulent activity or the theft of data. A web server (see definition below) can be used to receive or send data from the first end user device, such a web server being operated by a banking institution.
A "banking institution" is an entity that handles financial transactions between other such entities or users, and hereinafter a banking institution is also referred to as an "operator", i.e. as the operator of the method in the disclosed technology. It should be understood that "operator" can also refer to a specific legal entity of the bank, such as an anti-fraud department or an IT department and / or devices that operate, or are under their control, in whole or in part, to implement methods and other limitations of the disclosed technology. The reception from the second end user device can also take place via a web server, this web server differing from the server described above and being operated by a second banking institution. In many countries, every "banking institution" is legally obliged to keep user information confidential before any other banking institution. With this method, by cleaning up the information, fraudulent actors can be discovered without disclosing confidential information. The above-described delivery of data to the second end user, who is identified as a fraudulent actor, can thus be changed in real-time embodiments. A "fraudulent actor" is someone who is believed to be accessing a device that sends / receives data to a disclosed technology method operator who has committed a fraud that has performed an act that suspects Fraud or a security breach or potential security breach, such as a software port, on his device that is not expected to be used. In another embodiment, the step of obtaining a version of data based on the recorded session of the first end user device is performed only after and as a result of a step of determining that a user who creates the interactions on the first end user device is not authorized. The above-mentioned work can be carried out as part of the post-processing and the comparison between the users. 
"Postprocessing" is defined for the purposes of this disclosure as steps that are performed after each first and second user has completed their interactions with the respective web servers and / or financial institutions that are part of a recorded interaction that is related to fraud or potentially fraudulent behavior indicates. The recorded session of the first end user and a plurality of additional recorded sessions, each with anonymous key presses and time measurements of movements of a corresponding movement or touch device, are stored on a server and compared as part of the postprocessing in some of these embodiments. [0014] The determination that a user who creates the interactions on the first end user device is in some embodiments due to the (sub) determination that the recorded session of the first end user device has at least one of the following properties: a) keystrokes or their timing, b) movements of a movement or touch device that are used to carry out a fraudulent financial transaction. The combination of the timing of the keystrokes and the use of the touch device can also be used for determination. In another embodiment, or in combination therewith, the determination that the user device is unauthorized (which is tantamount to determining that the user is a fraudulent actor for the purposes of this disclosure) is made by receiving an indication that a particular one Software port on the first end user device is used during the recorded session of the first end user device. Other ways to determine unauthorized use are to compare a tilt angle of the first end user device to the recorded session, to output an accelerometer, or other output provided by such a device. If such issues match between the first and the second user, it can be said that they come from the same user. 
In a different way, a method for determining that a user of a web server can access a user account without authorization despite an associated user name and password, by recording time and entering at least text and position-related inputs carried out. The text is anonymized and the recording with changed text is sent to and received by a third-party server. The third-party server also receives or generates an indication that the record matches data associated with a user who is identified as fraudulent or likely to have committed fraud (a "fraudulent actor"). The further delivery of data to the user as a result of the specification is changed. The positional inputs can include at least one or two mice, touch sensors, orientation sensors, gyroscopes and accelerometers. The web server is operated by a first financial institution and the fraud or probable fraud was committed at a second banking institution based on interaction with a web server operated by the second banking institution in some embodiments. A "banking institution" is, in some embodiments, differentiated from, or defined as, separate from another such banking institution based on legal requirements that require the institutions not to share user data in any form. In some embodiments of the disclosed technology, the determination that the record matches the data of the user who was identified as the fraudster or who is likely to have committed fraud is made by a third party server that records the web server and the second banking institution had received. In other embodiments, the method is only carried out when the operator of a web server suspects that the user is a fraudulent actor. Such a suspicion can be based on the fact that an executable code is sent from the web server to a device operated by the user in order to scan software ports and to receive a response that indicates that a specific software port is already in use. 
Instead, the suspicion may be based on the fact that the user account was previously used to carry out a financial transaction that could not be completed. The suspicion may also, or instead, be based on an internet protocol address of the web server user that matches that of the user who has stated that he has or has likely committed fraud, or on a device or software description that was collected from the end user device and matches that of the user who has stated that he has committed or is likely to have committed fraud. The "sending" step can be carried out simultaneously with part of the "recording" step. In some embodiments, the “modifying” step is carried out at least partially simultaneously with the “picking up” step and the “sending” step. In other embodiments, the “sending” takes place after the “recording” step has been completed and / or the “modification” step after the user name and password have been provided to the web server for a second time. A "web page" for the purposes of this disclosure is "a discrete / finite amount of code that is received over a packet-switched data connection over a network node and that has data sufficient to render text and graphics that are useful for the display is formatted by a user, ”and may have additional data such as code that is executed to change the display or to perform tasks that are unknown to the viewer. A "browser" for the purposes of this disclosure is "a method or construct that renders a website's code and shows it to a user." In some embodiments, a version of the code is executed when or after the content is downloaded from each of a variety of unique Uniform Resource Locators (URLs). A “URL” is defined as a text string that is used to retrieve and / or identify certain content that is to be sent / received over a data network. A "web server" is defined as a device that sends a "website" or a large number of websites to a "browser". 
Each device, or step of a method, described in this disclosure may comprise or consist of that of which it is a part, or the parts which make up the device or step. The term “and / or” encompasses the elements that it linguistically combines and each element for itself. “Essentially” is defined as “at least 95% of the term described”, and any device or aspect of a device or method described herein can be read as “consisting of” or “consisting”.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows a high-level schematic of devices used to carry out embodiments of the disclosed technology.
Figure 2 shows a high-level table of steps taken to determine if an unauthorized user matches a previous unauthorized user accessing another server in an embodiment of the disclosed technology.
Figure 3 shows a high-level table of steps used to determine whether a user is not authorized to access a user account in embodiments of the disclosed technology.
Figure 4 shows a block diagram of high-level devices used to implement embodiments of the disclosed technology.
DETAILED DESCRIPTION OF EMBODIMENTS OF DISCLOSED TECHNOLOGY
Two user-authenticated sessions are compared between two different servers or users from two different financial institutions. Based on comparisons of adjusted key press times, position- or motion-related inputs and other inputs, it is determined that the sessions were or are being run by the same user. If this user is identified as a fraudulent or malicious actor at a server or banking institution, this data will be shared with the other server or financial institution without disclosing confidential information, so that the second server or financial institution can change the data sent to this user, even if the user is not identified, to prevent fraud and unauthorized access to data that contains private information about another person.
The embodiments of the disclosed technology will become clearer in light of the following description of the figures. Figure 1 shows a high-level schematic of devices used to carry out embodiments of the disclosed technology. Here, servers 110 and 120 send content over a network, such as a distributed wide area network that is not owned by a single person or entity, such as a packet-switched network with a series of hubs, switches and routers that connect the end-user devices. Such a network, in the embodiment of the disclosed technology, is referred to as the “Internet”. The services are connected to network nodes 98 (physical devices that provide an electrical or wireless electrical connection to the wide area network), each at a different such node. In embodiments of the disclosed technology, servers 110 and 120 are operated by separate companies on separate network nodes and are required by law to keep at least some of the data received from the respective end user devices 130 and / or 140, and from other end user devices used to send data to one of the servers 110 or 120, away from each other. End user devices 130 and 140 have secure packetized data network connections to servers 110 and 120, as shown in the figure. It should be understood that each server and end user device can be representative of several such devices and servers. Server 100, in embodiments of the disclosed technology, has a data network connection over a packet-switched data network to servers 110 and 120. In embodiments of the disclosed technology, no data is forwarded from end user devices 130 or 140 to server 100, or from server 100 to any of the end user devices 130 or 140. Each of these devices has the elements shown with reference to Figure 4 and connects to at least one other of the devices via a packet-switched data network.
A malicious, fraudulent, or unauthorized user is someone who attempts to commit a fraudulent act, steal data or information that is not intended for him or has been identified as suspicious behavior that indicates such behavior could. In embodiments of the disclosed technology, information about such a user can be recorded and exchanged between servers 110 and 120 via server 100, overcoming a legal difficulty preventing the exchange of personal information about another by removing or anonymizing that information . If server 110 delivers content to end user device 130, it may be secure content that is intended only for an authenticated user of end user device 130. The end user device 130 executes instructions that, when executed, capture and characterize the behavior of the authenticated user of the end user device 130. Such instructions are included in the content provided by server 110 and represent methods that continuously authenticate the user during the session. The behavioral characteristics are defined as statistical measures for at least one or more key presses, key runtimes, mouse movements, device description, user agent (i.e. operating system, browser type, model and version), screen refresh rate, pressure sensor values and more. Figure 2 shows a high-level table of steps taken to determine if an unauthorized user matches a previous unauthorized user accessing another server in an embodiment of the disclosed technology. Each of servers 110 and 120 independently performs the steps in the left box in embodiments of the disclosed technology. At least one server performs all of the steps, while in some embodiments only one server 110 or 120 performs step 299. The third party server 100 performs the steps in the large right box of Figure 2, interacting with servers 110 and 120. 
It should further be understood that servers 110 and 120 are performing the steps for many users of devices such as devices 130 and 140 simultaneously and / or at different times using data that they previously received from a previous user session with one or both servers 110 and 120. This becomes clearer given the description of the steps shown in Figure 2. If you first discuss the left field, the steps performed by one or both servers 110 and 120, an authenticated session with an end user is opened in step 210. This may be based on receiving a username and password or other authentication mechanism from an end user device including biometric data such as fingerprint or iris scan. After authentication, the data between the server 110 or 120 and the end user device is recorded in steps 220 (recording the input text and the time of the input) and 225 (recording the position-related inputs). The positional inputs are discussed in more detail in step 320 of Figure 3. To return to the discussion of Figure 2, steps 220 and 225 can be performed using a script that resides on the end user device, e.g. Device 130 or 140, which is provided with a website from server 110 or 120 and / or based on data sent from an end user device to one of the servers. However, this data may include sensitive information about the end user's bank account, name, IP address, and other personal information. The movement of positional inputs in embodied technology is free of such personally identifiable data, and the data received from a fraudulent actor is not protected by confidentiality rules in many places. However, even a fraudulent actor could provide data that is representative of a person's personal information, even if it was obtained fraudulently. Therefore, in step 230, the recorded data that could identify, or do, and / or is confidential is changed. 
Text that is received by the end user device and / or server 110 or server 120 is cleaned up, randomized, encrypted or otherwise changed (here each of these methods is referred to as “anonymized”). In some embodiments, step 230 includes deterministic encryption of session information to ensure traceability without disclosing personal information. In such an embodiment, the session information includes an IP address, device hardware information (data that is unique to a particular physical device, such as a MAC address, processor ID, or serial number), and device software information, such as an operating system and web browser version, a banking front end, a user agent and the like. One such method for deterministic encryption of session information is to apply a hash algorithm or encryption method to each substring of the session information text without changing the random seed value (defined as the number used to initialize a pseudo-random number generator in the encryption algorithm) between the devices, so that the same hash symbol is created for a given input character or character set. In an embodiment, the seed differs between servers 110 and 120, such that in the event that they both encounter and encrypt the same original characters or substrings, the resulting encrypted / hashed versions of the session information will have different symbols when they are sent from servers 110 and 120 in step 240 and received by the third-party server 100 in step 260. The patterns of events can be counted and compared between two or more hashed records. This provides some additional match data between received encrypted session information. In another embodiment, servers 110 and 120 use the same seed, which enables a direct comparison between encrypted versions of the session information and makes it more likely that fraud cases are found. Regardless of the method of seed treatment chosen, server 100 is generally unable to decrypt the symbols into the original characters.
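Added example (not part of the patent text): a minimal sketch of the per-substring deterministic hashing described above, assuming HMAC-SHA256 as the keyed hash and using constructed seeds and session values. It shows that a shared seed permits direct symbol comparison at server 100, while separate seeds still leave the seed-independent repetition pattern and the retained keystroke timings comparable.

```python
"""Added illustration of per-substring deterministic hashing of session data."""
import hashlib
import hmac
import re

# Constructed seeds; in the scheme described they stay on servers 110 / 120
# and are never given to the third-party server 100.
SEED_110 = b"constructed-seed-held-by-server-110"
SEED_120 = b"constructed-seed-held-by-server-120"

# Constructed session record; keys are (character, key-down ms, key-up ms).
SESSION = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    "keys": [("n", 0, 95), ("o", 140, 220), ("o", 300, 371), ("n", 455, 530)],
}


def symbol(substring, seed):
    """Deterministic keyed symbol for one substring (assumed: HMAC-SHA256)."""
    digest = hmac.new(seed, substring.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:12]


def anonymize_field(value, seed):
    """Hash every alphanumeric substring of a field separately, in order."""
    return [symbol(s, seed) for s in re.split(r"[^0-9A-Za-z]+", value) if s]


def anonymize_session(session, seed):
    """Replace text with symbols; keystroke timings pass through unchanged."""
    return {
        "ip": anonymize_field(session["ip"], seed),
        "user_agent": anonymize_field(session["user_agent"], seed),
        "keys": [(symbol(ch, seed), down, up) for ch, down, up in session["keys"]],
    }


def direct_overlap(a, b):
    """Jaccard overlap of two symbol lists; needs both sides to share a seed."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 0.0


def repetition_pattern(symbols):
    """Relabel symbols by first appearance: [x, y, y, x] -> (0, 1, 1, 0).

    The result does not depend on the seed, so it can be compared between
    records hashed by servers that use different seeds.
    """
    first_seen = {}
    return tuple(first_seen.setdefault(s, len(first_seen)) for s in symbols)


def compare(rec_a, rec_b):
    """What server 100 can compute from two anonymized records."""
    def timing(rec):
        return [(down, up) for _, down, up in rec["keys"]]

    def key_symbols(rec):
        return [k[0] for k in rec["keys"]]

    return {
        "ip_overlap": direct_overlap(rec_a["ip"], rec_b["ip"]),
        "ua_pattern_equal": repetition_pattern(rec_a["user_agent"])
        == repetition_pattern(rec_b["user_agent"]),
        "key_pattern_equal": repetition_pattern(key_symbols(rec_a))
        == repetition_pattern(key_symbols(rec_b)),
        "timing_equal": timing(rec_a) == timing(rec_b),
    }


if __name__ == "__main__":
    at_110 = anonymize_session(SESSION, SEED_110)
    print("shared seed   :", compare(at_110, anonymize_session(SESSION, SEED_110)))
    print("separate seeds:", compare(at_110, anonymize_session(SESSION, SEED_120)))
```

Because the repetition pattern survives hashing under any seed, it is also what a recipient can learn about the underlying text, which matters when deciding which fields to share.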
In this way, personal information on servers 110 and 120 is securely protected, while the accuracy in determining fraud cases is significantly increased by comparing to server 100, step 270 and step 280 to determine whether the user is the same as one is another user, which will be discussed in more detail below. While the text is anonymized, the times of the entered text are retained in the recording from step 220. The now anonymized data received via the end user and / or the end user device is sent in step 240 to the third party server 100, a device that is operated by another network node in the network and in which, in some embodiments, no communication via the authenticated Session is sent directly between it and an end user device. The third-party server receives the anonymized record in step 260 from multiple servers, such as servers 110 and 120, which are based on separate records of separate user sessions. A "user session" is the set of data that is sent and received between an end user and a server during a time when private data is between these servers based on the authentication of an end user's identity, as described in step 210, may be transmitted. In step 250 or step 270, it is determined whether the user session involves or includes unauthorized or fraudulent acts. This means that this determination can be made either by a server 110/120 or its operator or by the third server 100. In an example where server 110 makes this determination in step 250, it may be the result of determining that a software port is used that indicates that an unauthorized user has access to the data. In another example, after the record, a financial institution operating server 110 may determine that the record contains a fraudulent transaction, such as an illegal transfer or payment. 
The determination that a transfer or payment is unlawful is a determination, in terms of embodied technology, that is made following instructions previously entered, based on actions taken by a user of a banking system and / or a person who makes such a determination , is based on at least one of the following: attempts to transfer funds to a country to which the user has never previously transferred, use account numbers that are blacklisted in the recipient, attempt to complete a transaction cause while data is routed through a VPN (virtual private network) and / or attempt to complete a transaction that fails. In examples where the third-party server detects this, for example, this can be done based on the records that match those of other records that have been identified as fraudulent, e.g. where there are matches, such as typing speed and print / flight characteristics, how it interacted with a touchscreen interface, at what angle the end user devices were held and so on. The determination can also be made on the basis of the anonymized session information, as described above. If no fraud or unauthorized use is detected in step 250 or 270, the method stops with respect to the respective session (but can still record new sessions or receive new data about further user sessions and repeat the steps from Figure 2). If it is determined that a recorded user session and / or authenticated session is fraudulent / unauthorized, then it is determined whether another session in step 280 occurred through its recording with an end user served by the same fraudulent actor. The “fraudulent actor” can be a person, a bot (computer device that executes instructions that should look as if the instructions were executed by a person) or another. For the purposes of this disclosure, "record" refers to storing a version of the same of the data received from an end user and / or end user device during the authenticated session. 
In other words, two different user sessions recorded between two different servers that cannot exchange confidential data under the laws of the country in which they operate interact with a user through the same or two different end-user devices. In at least one of these cases, an embodiment of the disclosed technology determines that a user serving an end-user device or device has been used to conduct a fraudulent transaction, or information about the operation of the device gives rise to concern that a fraudulent activity or confidential data has been compromised. Each of these cases is simply referred to as "fraudulent" or "unauthorized" in the nomenclature for convenience. Based on such a determination, step 290 is performed with respect to the second user, the second user session or the second terminal of the user, which matches that of the fraudulent user or the terminal. As such, a server 110 or 120 is instructed about the possibility that an end user thereof is a fraudulent actor or not authorized, and in step 290 and in step 299 a server modifies the content sent to the end user to restrict access to the data or otherwise modify the content to prevent further fraud. In some embodiments, a server on which the fraud is discovered is different from a server that modifies the content, and each of these servers can be operated by a separate financial institution. Step 299 can be carried out while the end user suspected of fraud is in an authenticated session with a corresponding server, or when a later authenticated session between the user is opened using the authentication information (eg user name and password), regardless of whether it is opened with the same server (including one operated by the same institution) or with another server (e.g. one operated by a third party financial institution). 
Figure 3 shows a higher-level table with steps that are used to determine the unauthorized access authorization of a user to a user account in embodiments of the disclosed technology. This illustration shows steps 250 and 270 of Figure 2 in detail. A fraudulent or unauthorized transaction can be determined based on a transaction rejected in step 310. That is, a transaction that aims in any way to transfer funds from one account to another account, or from one entity to another entity, and that fails for whatever reason may indicate fraudulent activity and is marked as such, which leads to a “yes” or a positive decision for step 250 and / or 270. In addition, a software port that is used on an end user device and that is likely to be available to, or is being used by, a fraudulent actor may trigger such a determination in step 330. The parent case, which is incorporated by reference based on the priority claim, describes this in more detail. Keystroke times that match a known fraudulent user / actor or bot in step 340 may also cause the determination that a recorded session is from a fraudulent user. In such an embodiment, a match with another recorded session can then be made by one of the other comparison mechanisms shown in Figure 3. This three-way comparison (transitive property) between different sessions and actions can be done by combining any of the steps shown in Figure 3, each of which can be done independently of the others. A match between symbols of an encrypted / hashed IP (internet protocol address based on IPv4 or IPv6) or device / software description in step 350 is another such feature that can be used to match user sessions and find fraudulent acts. In addition, the comparison of position-related inputs in step 320 can be a basis for this.
Such inputs may come from an accelerometer 312, a mouse 318, a touch sensor 319, an orientation sensor 314 or a gyroscope 316, each of which provides data about how an end user interacts with an end-user device, including the orientation of the device and how hard and fast the user pulls, moves or shakes it, and the like. Sensor misalignment, floating-point calculation errors in the CPU or GPU, display characteristics, audio fidelity, and other similar discrepancies that help identify a particular device can also be used in embodiments of the disclosed technology. Finally, in step 390 of Figure 3, the content is restricted with respect to a second user, with the comparison of data from two different user sessions being carried out on two different servers.
Figure 4 shows a high-level block diagram of devices used to implement embodiments of the disclosed technology. Device 500 includes a processor 550 that controls the overall operation of the computer by executing the program instructions of the device that define that operation. The program instructions of the device can be stored in a storage device 520 (e.g. magnetic disk, database) and loaded into the memory 530 when execution of the program instructions of the console is desired. The operation of the device is thus defined by the program instructions of the device stored in the memory 530 and/or in the storage device 520, and the console is controlled by the processor 550, which executes the program instructions of the console. A device 500 also includes one or more input network interfaces for communicating with other devices over a network (e.g. the Internet). The device 500 also includes an electrical input interface. A device 500 also includes one or more output network interfaces 510 for communicating with other devices. The device 500 also includes an input/output 540 that represents devices that enable user interaction with a computer (e.g. screen, keyboard, mouse, speaker, buttons, etc.).
One skilled in the art will recognize that an implementation of an actual device includes other components and that Figure 4 is a high-level illustration of some components of such a device for illustration purposes. One skilled in the art should also understand that the method shown in Figures 1 to 3 and the devices can be implemented on a device as shown in Figure 4.
While the disclosed technology has been taught with specific reference to the above embodiments, a person with ordinary skill in the art will recognize that changes in form and detail can be made without departing from the spirit and scope of the disclosed technology. The embodiments described are to be considered in all respects only as illustrative and not restrictive. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope. Combinations of the methods, systems and devices described above are also contemplated and fall within the scope of the technology disclosed.
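The comparison described above for steps 340 and 350 can be sketched as follows. This is an added example, not code from the patent or its applicant: it strips key identities from a recorded session, replaces the IP address and device description with deterministic tokens, and compares two sanitized sessions. The function names, the HMAC-SHA-256 tokens with a shared key, the 15% timing tolerance and the two-of-three rule are all assumptions.

```python
import hashlib
import hmac
from statistics import median

# Assumption: a key shared by the participating institutions so tokens are comparable.
SHARED_KEY = b"constructed-demo-key"

def token(value):
    """Deterministic keyed hash: equal inputs match, the raw value is never shared."""
    return hmac.new(SHARED_KEY, value.encode(), hashlib.sha256).hexdigest()

def sanitize(events, ip, device):
    """events: [(key, press_ms, release_ms)]. Key identities are dropped, timing kept."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return {"dwell": dwell, "flight": flight, "ip": token(ip), "device": token(device)}

def timing_match(a, b, tolerance=0.15):
    """True when median dwell and flight times agree within a relative tolerance."""
    for feature in ("dwell", "flight"):
        if not a[feature] or not b[feature]:
            return False  # too few key presses to compare
        ma, mb = median(a[feature]), median(b[feature])
        if abs(ma - mb) > tolerance * max(abs(ma), abs(mb), 1):
            return False
    return True

def same_user(a, b):
    """Each signal is evaluated independently; the 2-of-3 rule is an assumption."""
    signals = {"ip": a["ip"] == b["ip"], "device": a["device"] == b["device"],
               "timing": timing_match(a, b)}
    return sum(signals.values()) >= 2, signals

def decide(flagged, candidate):
    """What the comparing server tells the second institution's server."""
    return "restrict" if same_user(flagged, candidate)[0] else "allow"

def typed(text, start, dwell, flight):
    """Constructed sample input: a uniform typing rhythm in milliseconds."""
    events, t = [], start
    for ch in text:
        events.append((ch, t, t + dwell))
        t += dwell + flight
    return events

# Constructed sessions recorded by the servers of two different institutions.
flagged_at_bank_a = sanitize(typed("transfer 9000", 0, 95, 140), "203.0.113.7", "UA-x 1920x1080")
seen_at_bank_b = sanitize(typed("pay invoice", 500, 100, 150), "198.51.100.23", "UA-x 1920x1080")
other_customer = sanitize(typed("hello bank", 0, 60, 260), "192.0.2.44", "UA-y 1366x768")
```

Only the sanitized records leave each institution; the typed text and the raw IP address never reach the comparing server.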
Claims (21):
1. A method of denying access to sensitive data, comprising the following steps:
  received by each of at least a first end user device and a second end user device:
    a version of data based on a recorded session that includes recorded interactions, the recorded interactions at least including:
      key presses and times of each key press of said key presses; and
      movements, including at least one of the following: pressing buttons, movement and timing of said buttons and their movement;
    this version of the received data was cleaned up by anonymizing the keystrokes;
  determining that a user who creates these interactions on the first end user device is not authorized;
  determine, based on similarities of the data received from the first end user device and the second end user device, that the user who creates the interactions on the first end user device is the same user who creates the interactions on the second end user device.
2. The method of claim 1, wherein based on the determination that the first user and the second user are the same user, another is modified or instructed to modify the further delivery of data to the second end user device.
3. The method of claim 2, wherein:
  said that reception from this first end user device was through a first web server operated by a first banking institution;
  that the reception from the second end user device took place via a second web server operated by a second banking institution; and
  said the further delivery of data will be modified in real time while the second end user is trying to access secure data from the second web server.
4. The method of claim 1, wherein the step of receiving a version of data based on the recorded session of the first end user device is performed only after and as a result of the step of determining that the user creating the interactions on the first end user device is not authorized.
5. The method of claim 4, wherein the recorded session of the first end user and a plurality of additional recorded sessions, including anonymized keystrokes and timings of movements of a particular movement or touch device, are stored on a server and compared as part of the postprocessing thereof.
6. The method of claim 4, wherein determining that a user who creates the interactions on the first end user device is based on determining that the recorded session of the first end user device is at least one of the keystrokes and movements of a movement or of a touch device used to perform a fraudulent financial transaction.
7. The method of claim 1, wherein determining that a user creating the interactions on the first end-user device is unauthorized is based on determining that a particular software port on the first end-user device during the recorded session of the first end user device is used.
8. The method of claim 4, wherein the determination that the user who creates the interactions on the first end user device is not authorized is based on the determination that an unlawful transmission has occurred.
9. The method of claim 1, wherein an angle of inclination of the first end user device is included in its recorded session and is compared in the step of determining that the second user device is operated by the same user as the first user device.
10. The method of claim 1, wherein deterministically encrypted session information is included by the first end user device in its recorded session and is compared in the step of determining that the second user device is being operated by the same user as the first user device.
11. A method of determining that a user of a web server is not authorized to access a user account despite having a username and password associated with it, the method of:
  time of recording and input of at least text and position-related inputs;
  anonymization of said text;
  sending the record modified by anonymization to a third party server;
  receive an indication that this record is consistent with data related to a user who has been reported to have or is likely to have committed fraud;
  modify the further delivery of data to the named user as a result of the indicated indication.
12. The method of claim 11, wherein the positional inputs include at least two of a mouse, a touch sensor, an orientation sensor, a gyroscope, and an accelerometer.
13. The method of claim 11, wherein the web server is operated by a first financial institution and the fraud or probable fraud was committed at a second banking institution based on the interaction with a web server operated by the second banking institution.
14. The method of claim 13, wherein a determination that the record matches the data associated with the user who was indicated to have or was likely to have committed fraud is made by a third party server who received the recording from the web server and from the second banking institution.
15. The method of claim 11, wherein the step of sending is carried out only when an operator of a web server suspects that the user is a fraudulent actor.
16. The method of claim 15, wherein the suspicion is based on sending executable code from the web server to a user-operated device for scanning software ports and receiving a response indicating that a particular software port already exists is used.
17. The method of claim 15, in which the suspicion is based that the user account was previously used to perform a financial transaction that could not be completed.
18. The method of claim 11, wherein the step of sending is performed concurrently with a portion of the step of recording.
19. The method of claim 18, wherein the modifying step is further performed at least partially concurrently with the recording step and the sending step.
20. The method according to claim 11, wherein the step of sending after the completion of the step of recording and the step of changing is carried out after a second provision of the user name and password to the web server.
21. The method of claim 15, wherein the suspicion is based on deterministically anonymized session information of the user of the web server that matches that of the user who was stated to have or was likely to have committed fraud.
Legal status:
2020-07-31 | PK | Correction | Free format text: CORRECTION OF OWNER
2020-10-30 | PCAR | Change of the address of the representative | Free format text: NEW ADDRESS: C/O DOERIG, UNTERSTUEDTLISTRASSE 26A, 9470 BUCHS SG (CH)
Priority:
Application number | Filing date | Patent title
US16/246,974 | US20190147451A1 | 2018-11-27 | 2019-01-14 | Collaborate Fraud Prevention