Patent Application
20250063055
Payment fraud detection is tasked with determining the origin of a data breach. When fraud is detected on a group of users, an investigator attempts to determine a common point of purchase (e.g., a particular merchant) by all users of the group. Similarly, intrusion detection systems (IDS) are tasked with identifying the origin of an illegitimate entry into a network infrastructure. When an intrusion is detected, the point of compromise is determined, and the controls are reviewed to either determine gaps or failures. Conversely, verification methods securely convey credentials from the entry point to the verification point in an attempt to prevent payment fraud or unauthorized access to networks and resources.
The arrangements disclosed herein relate to systems, apparatus, methods, and non-transitory computer readable media for receiving, by a server from a first device via a quantum channel, first verification information associated with a user of the first device. The server determines that the first verification information fails to verify against second verification information. In response to determining that the first verification information fails to verify against second verification information, the server stores the first verification information. In response to receiving, by the server from a second device, the first verification information and device information of the second device, the server flags the device information of the second device as a potential origin of fraud.
These and other features, together with the organization and manner of operation thereof, will become apparent from the following detailed description when taken in conjunction with the accompanying drawings.
The arrangements disclosed herein relate to systems, apparatuses, methods, and non-transitory computer-readable media for using a quantum channel and Quantum Key Distribution (QKD) to perform a password exchange. Threat detection is performed to detect and alert against eavesdropper attacker using QKD protocol. Out-of-band verification is used for identity verification, e.g., via a banking application of a user device. Utilizing a false password, the systems described herein can target and trap potential fraudulent charges.
In some arrangements, a user device transmits a password to the server via a quantum channel using QKD protocol (e.g., BB84). For example, the intended password message is sent from a user device of a customer or consumer to the server for verification services. In the scenario in which an eavesdropper device intercepts the password, both the eavesdropper device and the server (intended recipient) receives a random message, an altered version of the actual password, instead of the intended password. Accordingly, both the server and the eavesdropper device have the same false password, and the user device is unaware of the false password. In response, the server denies verification of the password, and also denies any operation (e.g., financial transaction or operation) protected the password. The server can perform an out-of-band verification with the user device. The server can notify the user device of the eavesdropping by triggering a notification (e.g., a banner notification, a pop-up window, and so on) on the banking application. On the other hand, in response to the server receiving the correct password via the quantum channel, the server can approve verification of the password and any operation protected by the password.
In addition, the server can generate a flag to protect the user of the user device. Given that the false password received by the server is same as the false password received by the eavesdropper device, the server can monitor whether the false password is used for any subsequent attempts by the eavesdropper (e.g., for a purchase). In response to determining that the false password is used, the server can identify the purchase as one made by the eavesdropper, flag the purchase as fraudulent, notify the merchant and relevant authorities, and collect information about the eavesdropper device that is used for the fraudulent transaction. Given that the eavesdropper is unaware that it has a false password, the eavesdropper may continue to commit fraud with the false password under the assumption the eavesdropper's attack was successful.
The quantum channel 150 refers to a channel by which the verification information 115 (e.g., quantum information) can be transferred or transmitted using quantum bits or qubits. For example, the user device 110 can generate the verification information 115 as a stream of quantum particles such as photons containing information such as a string of binary zeroes and ones. The quantum particles can be entangled or regular photons.
The user device 110 and the server 120 can communicate over a network 160. The network 160 is any suitable Local Area Network (LAN), Wide Area Network (WAN), or a combination thereof. For example, the network 160 can be supported by Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA) (particularly, Evolution-Data Optimized (EVDO)), Universal Mobile Telecommunications Systems (UMTS) (particularly, Time Division Synchronous CDMA (TD-SCDMA or TDS) Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), evolved Multimedia Broadcast Multicast Services (eMBMS), High-Speed Downlink Packet Access (HSDPA), and the like), Universal Terrestrial Radio Access (UTRA), Global System for Mobile Communications (GSM), Code Division Multiple Access 1× Radio Transmission Technology (1×), General Packet Radio Service (GPRS), Personal Communications Service (PCS), 802.11X, ZigBee, Bluetooth, Wi-Fi, any suitable wired network, combination thereof, and/or the like. The network 160 is structured to permit the exchange of data, values, instructions, messages, and the like.
Accordingly, the server 120 reads the quantum particles corresponding to the verification information 125, and the eavesdropper device 130 reads the quantum particles corresponding to the verification information 135. In some arrangements, the interpretation of the quantum particles corresponding to the verification information 125 is the same as the interpretation of the quantum particles corresponding to the verification information 135. That is, by the eavesdropper device 130 intercepting the quantum particles corresponding to the verification information 115, both the server 120 and the eavesdropper device 130 cannot interpret the received quantum particles as the verification information 115, but rather as different verification information 125 and 135, respectively, where the verification information 125 and 135 are the same. The quantum particles corresponding to the verification information 125 and 135 may appear to be random, invalid, cannot be interpreted, or false. Specifically, both the verification information 125 and 135 are the same false password based on which the server 120 denies verification of the user device 110 or a user of the user device 110. The server 120 can request the user device 110 to provide additional verification information or another form of verification over the network 160, referred to as out-of-band verification.
The server 120 can also store the verification information 125 (which is the same as the verification information 135) in a database such that when the server 120 receives the same verification information 125, the server 120 can store associated device information that identifies one or more of the device providing the verification information 125 such as the device identifier (e.g., an International Mobile Equipment Identity (IMEI)), a merchant identifier, a merchant device identifier (e.g., a Point-Of-Sale (POS) identifier), an equipment identifier (e.g., of an Autonomous Teller Machine (ATM) identifier), a network address, a location (e.g., a Global Positioning System (GPS)), and so on that is received along with the verification information 125. The server 120 can receive the verification information 125 from another quantum channel or over another convention network such as the network 160.
In some arrangements, the processing circuit 212 includes a processor 214 and a memory 216. The processor 214 is implemented as a general-purpose processor, an Application Specific Integrated Circuit (ASIC), one or more Field Programmable Gate Arrays (FPGAs), a Digital Signal Processor (DSP), a group of processing components, or other suitable electronic processing components. The memory 216 (e.g., Random Access Memory (RAM), Read-Only Memory (ROM), Non-Volatile RAM (NVRAM), Flash Memory, hard disk storage, etc.) stores data and/or computer code for facilitating the various processes described herein. Moreover, the memory 216 is or includes tangible, non-transient volatile memory or non-volatile memory. Accordingly, the memory 216 includes database components, object code components, script components, or any other type of information structure for supporting the various activities and information structures described herein. The processing circuit 212 can be used to implemented one or more of the circuits 218, 220, 222, and 224.
The network interface circuit 218 is configured for and structured to establish a connection and communicate with the server 120 via the network 160 or another suitable wired, wireless, or physical connection. The network interface circuit 218 is structured for sending and receiving data over a communication network (e.g., the network 160). Accordingly, the network interface circuit 218 includes any of a cellular transceiver (for cellular standards), wireless network transceiver (for 802.11X, ZigBee, Bluetooth, Wi-Fi, or the like), wired network interface, or a combination thereof. For example, the network interface circuit 218 may include wireless or wired network modems, ports, baseband processors, and associated software and firmware.
The application circuit 222 can be used to execute one or more applications or software on the user device 110 for which verification information needs to be send to the server 120, before the server 120 can provide information or data to the application executed on the user device 110. For example, the application circuit 222 can execute one or more applications that generate data to be accessed by the server 120 or that receive data from the server 120. For example, the application circuit 222 can execute a mobile banking application, a browser, a word processing application, a mobile banking application, a mobile wallet, and so on.
The input/output circuit 224 is configured to receive user input from and provide information to the user. In this regard, the input/output circuit 224 is structured to exchange data, communications, instructions, etc. with an input/output component of the user device 110. For example, the input/output circuit 224 can include an input device for receiving the verification information from the user operating the user device 110. Accordingly, in some arrangements, the input/output circuit 224 includes an input/output device such as a display device, touchscreen, keyboard, microphone, biometric sensor, and/or the like. In arrangements in which the user device 110 is a POS device or an ATM, the input/output circuit 205 can include one or more of a payment card reader, a barcode reader, a Bluetooth device, a Near Field Communication (NFC) reader, and the like for receiving information from a customer. In some arrangements, the input/output circuit 205 includes communication circuitry for facilitating the exchange of data, values, messages, and the like between the input/output device and the components of the user device 110. In some arrangements, the input/output circuit 205 includes machine-readable media for facilitating the exchange of information between the input/output device and the components of the user device 110. In still another arrangement, the input/output circuit 205 includes any combination of hardware components (e.g., a touchscreen), communication circuitry, and machine-readable media.
The verification circuit 220 is executed by the processing circuit 212 in some arrangements. The verification circuit 220 can generate at least one of quantum bits, qubits, or quantum particles as a string corresponding to the verification information 115 and send the same to the server 120 via the quantum channel 150. For example, the verification circuit 220 includes a quantum circuit 221. The quantum circuit 221 can generate a stream of quantum particles, such as photons containing information such as a string of binary zeroes and ones of the verification information 115. Although shown to reside in the user device 110, the quantum circuit 211 can also be located on a third-party system.
For example, the quantum circuit 221 can generate and send the stream of quantum particles according to the QKD protocol (e.g., BB84, E91, and so on). For example, the intended password message is sent from the user device 110 of to the server 120. In some examples, the quantum circuit 221 can include a
In some arrangements, the processing circuit 232 has a processor 234 and memory 236. The processor 234 is a processing component such as the processor 214. The memory 236 is a memory device such as the memory 216. The processing circuit 232 can be used to implemented one or more of the circuits 238, 240, and 242.
The network interface circuit 238 is a network device such as the network interface circuit 218. The network interface circuit 238 is configured for and structured to establish a connection and communicate with the user device 110 via the network 160.
The verification circuit 240 can be implemented with the processing circuit 232 or a separate processing circuit similar to the processing circuit 232. The verification circuit 240 can receive at least one of quantum bits, qubits, or quantum particles as a string corresponding to the verification information 115 or 125 via the quantum channel 150 and interpret the same to determine the received verification information. For example, the verification circuit 240 includes a quantum circuit 241. The quantum circuit 241 can receive a stream of quantum particles, such as photons containing information such as a string of binary zeroes and ones of the verification information 115 or 125. The quantum circuit 241 can interpret the quantum mechanics properties of the received stream of quantum particles for interpretation. Although shown to reside in the server 120, the quantum circuit 241 can also be located on a third-party system.
The application circuit 242 can be used to execute one or more applications or software on the server 120 for which verification of the user device 110 is needed to send data or information to the user device 110 or receive from the user device 110 (for the application executed by the application circuit 222). For example, the application circuit 242 can execute one or more applications that use verified the verification information 115 or 125 as input to generate an output or a decision. For example, the application circuit 242 can execute a server application for a mobile banking platform, a browser, a word processing application, a mobile banking platform, a mobile wallet platform, and so on.
At 310, the server 120 (e.g., the quantum circuit 241) receives from a first device (e.g., the user device 110) via the quantum channel 150 first verification information associated with the user of the first device. In some arrangements, receiving the first verification information includes receiving, by the quantum circuit 241 from the first device via the quantum channel 150, at least one of quantum bits, qubits, photons, or quantum particles. The quantum circuit 241 interprets the at least one of quantum bits, qubits, photons, or quantum particles as a string corresponding to the first verification information, to extract the first verification information. The first verification information can be the verification information 115 in the examples in which there is no interception attempt and can be the verification information 125 in the example in which there is an interception attempt.
At 320, the server 120 (e.g., the verification circuit 240) determines whether the first verification information can be verified, for example, against second verification information. In some examples, 320 includes verifying whether the first verification information matches a second verification information. The second verification information refers to the correct verification information that is stored in a database of the server 120 or another database coupled to the server. In some examples, the first verification information includes a hash of a password, which is compared to the stored second verification information (e.g., the stored hash of the password). In some examples, the first verification information includes PIN Verification Value (PVV), which is compared to the stored second verification information (e.g., a stored PVV). The PVV is generated by encrypting a PIN using a PIN Verification Key (PVK). In some examples, the first verification information includes a biometric sample, which is compared to the second verification information (e.g., the stored biometric template). In some examples, the first verification information includes a challenge value is signed by the user device 110 (e.g., the verification circuit 220) using a private key of the user device 110 and verified by the server 120 using a public key of the user device 110.
In response to determining that the first verification information (e.g., the verification information 115) is verified (320: YES), the server 120 (e.g., the verification circuit 240) verifies the user of the first device, at 330. This is the scenario shown in
On the other hand, in response to determining that the first verification information (e.g., the verification information 125) is not verified (320: NO), the server 120 (e.g., the verification circuit 240) performs at least one of 340, 350, and 360 in any suitable order or simultaneously. This is the scenario shown in
For example, at 340, the server 120 sends to the first device (e.g., the user device 110) a notification of potential fraud, notifying the first device that there may be an eavesdropper or attacker attempting to intercept the verification information 115. The notification, when received at the first device, can trigger a forced display (e.g., a pop-up notification) displayed by an output device of the input/output circuit 224. In some examples, the server 120 (e.g., the network interface circuit 238) can send the notification to the user device 110 via the network 160 different from the quantum channel 150.
At 350, the server 120 sends to the first device a request to provide additional verification information. In some examples, the server 120 (e.g., the network interface circuit 238) can send the request to the user device 110 via the network 160. In response, the server 120 can receive the additional verification information from the first device via the network 160 different from the quantum channel 150.
At 360, the server 120 (e.g., the verification circuit 240) stores the first verification information (e.g., the verification information 125) in a database on the server 120 or another suitable database, such as a database of known false passwords.
At 370, the server 120 receives from a second device, the first verification information 125 or 135 and device information of the second device. The second device can be the eavesdropper device 130 or another suitable device (e.g., a POS, an ATM, a smartphone, and so on) where the first verification information 125 or 135 is initially received via manual input or a network, before being sent to the server 120. The device information refers to metadata or associated data that is typically received by the server 120 from the second device in this type of transactions, such as the device identifier (e.g., an IMEI), a merchant identifier, a merchant device identifier (e.g., a POS identifier), an equipment identifier (e.g., of an ATM identifier), a network address, a location (e.g., a GPS), and so on that is received along with the verification information 125.
In response, at 380, the server 120 (e.g., the verification circuit 240) flags this transaction attempt, including the second device information, as a potential origin of fraud. For example, the server 120 (e.g., verification circuit 240) can store the second device information in a database of known potential origins of fraud, where such database can be maintained by the server 120 or another suitable third-party device.
At 410, the first device (e.g., the quantum circuit 221) sends to the server 120 via a quantum channel 150 verification information 115 associated with a user of the first device. The server 120 receives first verification information (e.g., 115 or 125, depending on whether there has been an attempt to intercept the verification information 115) corresponding to the verification information 115 sent by the first device. The server 120 may determine that the first verification information (e.g., 125) fails to verify against second verification information (e.g., 320: NO).
In some arrangements, sending the verification information 115 includes generating, by the first device (e.g., the quantum circuit 221), at least one of quantum bits, qubits, photons, or quantum particles based on a string corresponding to the verification information 115. The Quantum circuit 221 sends the least one of quantum bits, qubits, photons, or quantum particles via the quantum channel 150 to the server 120.
In response, the first device can perform at least one of 420 or 430 in any suitable order or simultaneously. At 420, the first device (e.g., the network interface circuit 218) receives from the server 160 via the network 160 different from the quantum channel 150a notification of potential fraud, notifying the first device that there may be an eavesdropper or attacker attempting to intercept the verification information 115. The notification, when received at the first device, can trigger a forced display (e.g., a pop-up notification) displayed by an output device of the input/output circuit 224.
At 430, the first device receives from the server 120 a request to provide additional verification information. In some examples, the first device (e.g., the network interface circuit 218) can receive the request from the server 120 via the network 160. In response, at 440, the first device (e.g., the network interface circuit 218) can send the additional verification information to the server 120 via the network 160 different from the quantum channel 150.
As noted above, in both the methods 300 and 400, the eavesdropper device 130 measures the verification information 115 transmitted by the first device before the verification information is received by the server 120, altering the quantum mechanics properties of at least one of quantum bits, qubits, photons, or quantum particles corresponding to the verification information 115 transmitted by the first device. As a response to the eavesdropper device 130 measuring verification information transmitted by the first device, the first verification information 125 received by the server 120 and third verification information 135 received by the eavesdropper device 130 are same. This allows the server 120 to record the false verification information 125/135 (e.g., at 360) and monitor its future use (e.g., at 370 and 380) to identify an origin of fraud.
As utilized herein, the terms “approximately,” “substantially,” and similar terms are intended to have a broad meaning in harmony with the common and accepted usage by those of ordinary skill in the art to which the subject matter of this disclosure pertains. It should be understood by those of ordinary skill in the art who review this disclosure that these terms are intended to allow a description of certain features described and claimed without restricting the scope of these features to the precise numerical ranges provided. Accordingly, these terms should be interpreted as indicating that insubstantial or inconsequential modifications or alterations of the subject matter described and claimed are considered to be within the scope of the disclosure as recited in the appended claims.
Although only a few arrangements have been described in detail in this disclosure, those skilled in the art who review this disclosure will readily appreciate that many modifications are possible (e.g., variations in sizes, dimensions, structures, shapes, and proportions of the various elements, values of parameters, mounting arrangements, use of materials, colors, orientations, etc.) without materially departing from the novel teachings and advantages of the subject matter described herein. For example, elements shown as integrally formed may be constructed of multiple components or elements, the position of elements may be reversed or otherwise varied, and the nature or number of discrete elements or positions may be altered or varied. The order or sequence of any method processes may be varied or re-sequenced according to alternative arrangements. Other substitutions, modifications, changes, and omissions may also be made in the design, operating conditions and arrangement of the various exemplary arrangements without departing from the scope of the present disclosure.
The arrangements described herein have been described with reference to drawings. The drawings illustrate certain details of specific arrangements that implement the systems, methods and programs described herein. However, describing the arrangements with drawings should not be construed as imposing on the disclosure any limitations that may be present in the drawings.
It should be understood that no claim element herein is to be construed under the provisions of 35 U.S.C. § 112 (f), unless the element is expressly recited using the phrase “means for.”
As used herein, the term “circuit” may include hardware structured to execute the functions described herein. In some arrangements, each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein. The circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc. In some arrangements, a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.” In this regard, the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein. For example, a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on).
The “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices. In this regard, the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors. In some arrangements, the one or more processors may be embodied in various ways. The one or more processors may be constructed in a manner sufficient to perform at least the operations described herein. In some arrangements, the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example arrangements, may execute instructions stored, or otherwise accessed, via different areas of memory). Alternatively or additionally, the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors. In other example arrangements, two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution. Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory. The one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc. In some arrangements, the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
An exemplary system for implementing the overall system or portions of the arrangements might include a general purpose computing computers in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), a distributed ledger (e.g., a blockchain), etc. In some arrangements, the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc. In other arrangements, the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media. In this regard, machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example arrangements described herein.
It should be noted that although the diagrams herein may show a specific order and composition of method steps, it is understood that the order of these steps may differ from what is depicted. For example, two or more steps may be performed concurrently or with partial concurrence. Also, some method steps that are performed as discrete steps may be combined, steps being performed as a combined step may be separated into discrete steps, the sequence of certain processes may be reversed or otherwise varied, and the nature or number of discrete processes may be altered or varied. The order or sequence of any element or apparatus may be varied or substituted according to alternative arrangements. Accordingly, all such modifications are intended to be included within the scope of the present disclosure as defined in the appended claims. Such variations will depend on the machine-readable media and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the disclosure. Likewise, software and web arrangements of the present disclosure could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various database searching steps, correlation steps, comparison steps and decision steps.
The foregoing description of arrangements has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from this disclosure. The arrangements were chosen and described in order to explain the principals of the disclosure and its practical application to enable one skilled in the art to utilize the various arrangements and with various modifications as are suited to the particular use contemplated. Other substitutions, modifications, changes and omissions may be made in the design, operating conditions and arrangement of the arrangements without departing from the scope of the present disclosure as expressed in the appended claims.
