Method for two-way caller/callee direct authentication and validation

IP.com Disclosure Number: IPCOM000242013D
Publication Date: 2015-Jun-14
Document File: 3 page(s) / 80K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system for an on-the-fly two-way authentication and validation between caller and callee which isn't vulnerable to man-in-the-middle type attacks is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 43% of the total text.

Disclosed is a method and system for an on-the-fly two-way authentication and validation between caller and callee which is not vulnerable to man-in-the-middle type attacks. The system allows both the caller and callee to authenticate themselves to the other party. In addition, the system provides support to validate the other party's identity, in a stateless, on-the-fly manner that is not vulnerable to man-in-the-middle type attacks.

Currently, during a telephone call dealing with secure information (such as financial or personal information), the business's customer service representative may ask the customer to authenticate themselves using security questions (usually pre-defined questions with answers) before proceeding with the conversation. This verification happens regardless of whether the customer called the business or the business called the customer. This is a one-way authentication in that the customer has to prove to the business who they are. Since the business does not prove to the customer who they are, the customer must implicitly trust that the other party is the business and has all the relevant account/security information stored in its database. This opens up the customer to imposters who can simply ask the authentication questions ("What are the last 4 digits of your SSN?" or "Mother's maiden name?"). The imposter may immediately say that the answer is correct, and has now gathered security question information. In fact, the most common scenario is that the customer assumes the other party has the security database; customers rarely test the business by first offering incorrect security answers to see if the business actually has the correct answer stored.

While it is more likely for a customer to be called by an imposter, it is also possible for a customer to accidentally call an imposter. It is common for spam email to pretend to be a business, with copied logos and even links to non-secure pages on the business's website, while the contact phone numbers are incorrect, which would then cause the customer to call the wrong business.

The current customer audio fingerprint method enables customers to determine the authenticity of a business. However, that is still a one-way authentication, as the business still needs to verify that the person on the other end is actually the customer.

Also, since the audio fingerprint needs to be stored in the business's database, a casual imposter will not be able to pose as the business, but a determined imposter who gains access to the business's database may also gain access to the audio fingerprint.

A more secure method is a two-way authentication method, where the callers exchange a direct (i.e., not stored in any database), random (i.e., generated at that moment) authentication token or pass phrase. This method also piggybacks on existing "identity authentication" such as Secure Sockets Layer (SSL) and username/passwords for

...
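The following Python simulation is an added illustration of the two-way, direct, random pass-phrase exchange described above; it is not code from the disclosure, whose text is abbreviated here. It assumes that the customer's existing SSL plus username/password web session is the authenticated channel through which each side's freshly generated phrase is delivered, and that each side then reads its phrase aloud on the call for the other to compare. The word list, the account record, the 300-second phrase lifetime and the class and function names are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed word list (sample data) so phrases are easy to say aloud.
WORDLIST = ["apple", "bridge", "candle", "dolphin", "ember", "falcon",
            "garden", "harbor", "island", "jigsaw", "kettle", "lantern"]
PHRASE_TTL = 300  # seconds a phrase stays valid; assumed value, not from the disclosure


def new_phrase(words: int = 3) -> str:
    """Random pass phrase generated at the moment of the call, never persisted."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


class AuthenticatedSession:
    """Stand-in for the customer's existing SSL + username/password web session.
    The business server and the customer's logged-in device both read and write
    it; a party that only has the phone line holds nothing."""

    def __init__(self, username: str):
        self.username = username
        self._calls: dict = {}  # in-memory only for the life of the call

    def put(self, call_id: str, **fields) -> None:
        self._calls.setdefault(call_id, {}).update(fields)

    def get(self, call_id: str):
        return self._calls.get(call_id)

    def drop(self, call_id: str) -> None:
        self._calls.pop(call_id, None)


def _check(rec, key: str, spoken: str, now: float) -> bool:
    """Constant-time comparison with expiry and single use enforced."""
    if rec is None or rec.get(key) is None:
        return False
    if now > rec["expires"] or rec.get(key + "_used"):
        return False
    rec[key + "_used"] = True
    return hmac.compare_digest(spoken, rec[key])


class Business:
    def __init__(self):
        # Constructed account data; note that no phrase is ever written here.
        self.accounts = {"alice": {"last4_ssn": "1234"}}

    def start_call(self, session: AuthenticatedSession, now: float):
        """Generate a fresh phrase and push it through the authenticated session."""
        call_id = secrets.token_hex(8)
        phrase = new_phrase()
        session.put(call_id, business_says=phrase, expires=now + PHRASE_TTL)
        return call_id, phrase

    def verify_customer(self, session, call_id, spoken, now) -> bool:
        return _check(session.get(call_id), "customer_says", spoken, now)

    def end_call(self, session, call_id) -> None:
        session.drop(call_id)  # stateless: nothing survives the call


class Customer:
    def __init__(self, session: AuthenticatedSession):
        self.session = session

    def answer(self, call_id: str) -> str:
        """Add the customer's own fresh phrase to the same session record."""
        rec = self.session.get(call_id)
        if rec is None:
            raise ValueError("no pending call in my session")
        rec["customer_says"] = new_phrase()
        return rec["customer_says"]

    def verify_caller(self, call_id, spoken, now) -> bool:
        return _check(self.session.get(call_id), "business_says", spoken, now)


def run_genuine_call(now: float = 1_000_000.0):
    """Both sides prove themselves; returns (caller_ok, callee_ok, replay_ok, stored)."""
    business, session = Business(), AuthenticatedSession("alice")
    customer = Customer(session)
    call_id, business_phrase = business.start_call(session, now)
    customer_phrase = customer.answer(call_id)
    caller_ok = customer.verify_caller(call_id, business_phrase, now)
    callee_ok = business.verify_customer(session, call_id, customer_phrase, now)
    replay_ok = customer.verify_caller(call_id, business_phrase, now)  # single use
    business.end_call(session, call_id)
    stored = any("says" in k for rec in business.accounts.values() for k in rec)
    return caller_ok, callee_ok, replay_ok, stored


def run_failed_calls(now: float = 1_000_000.0):
    """Returns (imposter_ok, expired_ok): a caller without the session, and a late phrase."""
    business, session = Business(), AuthenticatedSession("alice")
    customer = Customer(session)
    call_id, business_phrase = business.start_call(session, now)
    imposter_ok = customer.verify_caller(call_id, "wrong wrong wrong", now)
    expired_ok = customer.verify_caller(call_id, business_phrase, now + PHRASE_TTL + 1)
    return imposter_ok, expired_ok


if __name__ == "__main__":
    print(run_genuine_call(), run_failed_calls())
```

The point the simulation makes is the one the text argues: the phrases exist only in memory for the duration of one call, so a copy of the business's database (`Business.accounts`) contains nothing an imposter could reuse, and a caller who holds only the phone line, not the authenticated session, cannot produce the expected phrase.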