DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
Claims 1-20 are pending in this application.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/20/24 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claims 1-20 are directed to a system or method, which are/is one of the statutory categories of invention. (Step 1: YES).
The Examiner has identified independent method claim 1 as the claim that represents the claimed invention for analysis and is similar to independent system claim 9 and method claim 17. Claim 1 recites the limitations of determining transaction risk based on distance between user device location, store location, and user’s home.
These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Receiving an account transaction request; determining the risk score based on (two of ANY) distance between user device and user, distance between user device and store, distance between user device and device home location, distance between user device and a dominate device location, distance between dominate device and store; and distance between device home location and store; and based on the risk score being high than a threshold, requiring second authorization to complete the transaction, – specifically, the claim recites:
“receiving a request to perform an account transaction with an account of a wireless device; determining a risk score for the transaction based in part on at least two of the following: a distance between a current location of the wireless device and a location of a person requesting the transaction, a distance between the current location of the wireless device and a physical store location of a wireless provider for the wireless device, a distance between the current location of the wireless device and a home location of the wireless device, a distance between the current location of the wireless device and a dominant location of the wireless device, a distance between the dominant location of the wireless device and the physical store location, a distance between the home location and the physical store location; and in response to the risk score being above a first risk score threshold, requiring secondary authorization to complete the account transaction”, recites a fundamental economic practice, directed to mitigating risk.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic practice, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The “a system”, “a transaction authentication server”, and “at least one electronic processor”, in claim 9, are just applying generic computer components to the recited abstract limitations. The recitation of generic computer components in a claim does not necessarily preclude that claim from reciting an abstract idea. Claims 1 and 17 are also abstract for similar reasons. (Step 2A-Prong 1: YES. The claims recite an abstract idea)
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional elements of: a computer such as a system, a transaction authentication server, and at least one electronic processor. The computer hardware/software is/are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer component.
Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, claims 1, 9, and 17 are directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computer hardware amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. Thus, claims 1, 9, and 17 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Dependent claims further define the abstract idea that is present in their respective independent claims 1, 9, and 17 and thus correspond to Certain Methods of Organizing Human Activity, and hence are abstract for the reasons presented above.
Dependent claim 2 discloses the limitation of wherein the secondary authorization comprises at least one of: store manager approval, approval by a customer care manager, and additional authentication by way of two-factor authentication, which further narrows the abstract idea.
Dependent claim 3 discloses the limitation of in response to the risk score being above a second risk score threshold higher than the first risk score threshold, denying the account transaction, which further narrows the abstract idea.
Dependent claim 4 discloses the limitation of the physical store location is determined by querying a database comprising known store locations for the wireless provider of the wireless device, which further narrows the abstract idea. Note that the technical element “a database” is recited at a high level of generality. It does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
Dependent claim 5 discloses the limitation of the home location of the account of the wireless device comprises a billing location of the account of the wireless device, which further narrows the abstract idea.
Dependent claim 6 discloses the limitation of the location of the person requesting the transaction is determined by using at least one of an IP address of a device accessing a customer service portal of a wireless provider, and a Caller ID of a device calling a customer service phone line of the wireless provider, which further narrows the abstract idea. Note that the technical elements “a customer service portal of a wireless provider” and “a customer service phone line of the wireless provider” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 7 discloses the limitation of wherein the dominant location of the wireless device comprises a location where the wireless device is most often used; and wherein the method further comprises: determining the current location of the wireless device by querying a database comprising location information of wireless devices served by the wireless provider, which further narrows the abstract idea. Note that the technical elements “the wireless device” and “a database” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 8 discloses the limitation of wherein the account transaction comprises at least one of accessing information of the account, changing information of the account, adding a new wireless device to the account, and changing a SIM card for the wireless device, which further narrows the abstract idea. Note that the technical elements “a new wireless device” and “a SIM card” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 10 discloses the limitation of wherein the secondary authorization comprises at least one of: store manager approval, approval by a customer care manager, and additional authentication by way of two-factor authentication, which further narrows the abstract idea.
Dependent claim 11 discloses the limitation of in response to the risk score being above a second risk score threshold higher than the first risk score threshold, denying the account transaction, which further narrows the abstract idea.
Dependent claim 12 discloses the limitation of wherein the physical store location is determined by querying a database of known store locations for the wireless provider of the wireless device, which further narrows the abstract idea. Note that the technical element “a database” is recited at a high level of generality. It does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
Dependent claim 13 discloses the limitation of wherein the home location of the account of the wireless device comprises a billing location of the account of the wireless device, which further narrows the abstract idea.
Dependent claim 14 discloses the limitation of wherein the location of the person requesting the transaction is determined by using at least one of an IP address of a device accessing a customer service portal of a wireless provider, and a Caller ID of a device calling a customer service phone line of the wireless provider, which further narrows the abstract idea. Note that the technical elements “a customer service portal of a wireless provider” and “a customer service phone line of the wireless provider” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 15 discloses the limitation of wherein the dominant location of the wireless device comprises a location where the wireless device is most often used, and wherein the operations further comprise: determining the current location of the wireless device by querying a database comprising location information of wireless devices served by the wireless provider, which further narrows the abstract idea. Note that the technical elements “the wireless device” and “a database” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 16 discloses the limitation of wherein the account transaction comprises at least one of accessing information of the account, changing information of the account, adding a new wireless device to the account, and changing a SIM card for the wireless device, which further narrows the abstract idea. Note that the technical elements “a new wireless device” and “a SIM card” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Dependent claim 18 discloses the limitation of wherein the secondary authorization comprises at least one of: store manager approval, approval by a customer care manager, and additional authentication by way of two-factor authentication, which further narrows the abstract idea.
Dependent claim 19 discloses the limitation of in response to the risk score being above a second risk score threshold higher than the first risk score threshold, denying the account transaction, which further narrows the abstract idea.
Dependent claim 20 discloses the limitation of at least one of accessing information of the account, changing information of the account, adding a new wireless device to the account, and changing a SIM card for the wireless device, which further narrows the abstract idea. Note that the technical elements “a new wireless device” and “a SIM card” are recited at a high level of generality. They do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Thus, the dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the dependent claims are directed to an abstract idea. Thus, the claims 1-20 are not patent-eligible.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Buhrmann (20120144498) in view of Tyler (12438909).
Regarding claim 1, Buhrmann discloses:
a method, the method comprising: receiving a request to perform an account transaction with an account of a wireless device
(“[0046] Once an entity's or individual's Wireless Device ID is registered in the Identity Register, external application events requiring identity authentication may be detected, received, processed, recorded and stored by the Identity Register”).
PNG
media_image1.png
200
400
media_image1.png
Greyscale
determining a risk score for the transaction based in part on at least two of the following:
a distance between a current location of the wireless device and a location of a person requesting the transaction,
a distance between the current location of the wireless device and a physical store location of a wireless provider for the wireless device,
a distance between the current location of the wireless device and a home location of the wireless device,
a distance between the current location of the wireless device and a dominant location of the wireless device,
a distance between the dominant location of the wireless device and the physical store location,
a distance between the home location and the physical store location; and
(The examiner notes that “home location” can include user’s home (see specification paragraph 19), and “dominant location” can include user’s work location (paragraph 20) As such, the claimed elements are disclosed by the following prior art teaching:
“[0083] The Identity Risk Logic Resources use location data obtained about the authentication event for an authentication application engaged in by the entity or individual, the entity's or individual's wireless device location data, location data associated with the Wireless Device ID stored in the exemplary Identity Database, one or more previously calculated Personal Identity Values stored in the exemplary Wireless Device ID Database and weighting factors designating the importance of each of the information elements that may be defined in the Identity Risk Configuration data to generate a current Personal Identity Value for the entity, individual or data subject. The Identity Risk Logic Resources may generate a multiplicity of distance and time variables from the data for the Personal Identity Value calculation such as the distance between the entity's or individual's wireless device location and the individual's home location, the distance between the individual's wireless device location and the individual's work location, the distance between the individual's home location and the individual's work location, the distance between the individual's wireless device location and the Identity Authentication Event location, the distance between the entity's or individual's home location and the Identity Authentication Event location, the distance between the individual's work location and the Identity Authentication Event location, the distance between other frequented locations stored in the Identity Database and the Identity Authentication Event location, the distance between other frequented locations stored in the Identity Database and the individual's wireless device location, etc. Similarly, the time variance between the last known wireless device location and the Identity Authentication Event location as well as other time variances among the data parameters may be used in the identity risk logic calculation”).
( “[0084] Once a Personal Identity Value representing the likelihood that identity theft has occurred, or is occurring, for the particular Identity Authentication Event, it may be passed in an appropriate format to a Results Processing System. The Results Processing system may be external to the Identity Register or internal to the Identity Register. The Results Processing System may reside within, or be the same as, the aforementioned authentication application or some other system that requires the Personal Identity Value results. An exemplary Results Processing System may apply the Personal Identity Value to any type of application regardless of the value of the result or the type of application. These applications may include identity authentication systems, activity fraud management systems, financial fraud detection systems, online website applications or any secure system where identity authentication is required”).
Buhrmann does not disclose, however, Tyler teaches
in response to the risk score being above a first risk score threshold, requiring secondary authorization to complete the account transaction
(“C17, L41-67 (73) For example, one or more embodiments may check a user's IP address first, and then use a logon prompt for a password if the initial IP address check fails. One or more embodiments may use any type of user credentials, including for example, without limitation, passwords, PINs, biometric credentials, security certificates, access requests that result in a one-time PIN being sent to a user's registered email or texted to a user's registered mobile device, responses to challenge questions, single sign-on credentials, or security tokens such as USB keys or smart cards. One or more embodiments may use multi-factor authentication combining credentials in any desired manner”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Buhrmann to include in response to the risk score being above a first risk score threshold, requiring secondary authorization to complete the account transaction as taught by Tyler to provide a second possible authentication attempt when the initial attempt is unsatisfactory – see “C17, L41-67 (73) When user 440a attempts access, the user's IP address 816 is automatically provided to the system, and the system can check it against the expected IP address range for the user. IP address checks may be particularly useful for example to ensure that employees only access resources from authorized computers with known IP addresses…. For example, one or more embodiments may check a user's IP address first, and then use a logon prompt for a password if the initial IP address check fails. One or more embodiments may use any type of user credentials, including for example, without limitation, passwords, PINs, biometric credentials, security certificates, access requests that result in a one-time PIN being sent to a user's registered email or texted to a user's registered mobile device, responses to challenge questions, single sign-on credentials, or security tokens such as USB keys or smart cards. One or more embodiments may use multi-factor authentication combining credentials in any desired manner.
Regarding claim 2, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann does not disclose, however, Tyler further discloses
wherein the secondary authorization comprises at least one of: store manager approval, approval by a customer care manager, and additional authentication by way of two-factor authentication
(“C17, L41-67 (73) For example, one or more embodiments may check a user's IP address first, and then use a logon prompt for a password if the initial IP address check fails. One or more embodiments may use any type of user credentials, including for example, without limitation, passwords, PINs, biometric credentials, security certificates, access requests that result in a one-time PIN being sent to a user's registered email or texted to a user's registered mobile device, responses to challenge questions, single sign-on credentials, or security tokens such as USB keys or smart cards. One or more embodiments may use multi-factor authentication combining credentials in any desired manner”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Buhrmann to include wherein the secondary authorization comprises at least one of: store manager approval, approval by a customer care manager, and additional authentication by way of two-factor authentication as taught by Tyler to provide a second possible authentication attempt when the initial attempt is unsatisfactory – see “C17, L41-67 (73) When user 440a attempts access, the user's IP address 816 is automatically provided to the system, and the system can check it against the expected IP address range for the user. IP address checks may be particularly useful for example to ensure that employees only access resources from authorized computers with known IP addresses…. For example, one or more embodiments may check a user's IP address first, and then use a logon prompt for a password if the initial IP address check fails. One or more embodiments may use any type of user credentials, including for example, without limitation, passwords, PINs, biometric credentials, security certificates, access requests that result in a one-time PIN being sent to a user's registered email or texted to a user's registered mobile device, responses to challenge questions, single sign-on credentials, or security tokens such as USB keys or smart cards. One or more embodiments may use multi-factor authentication combining credentials in any desired manner.
Regarding claim 3, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann further discloses
in response to the risk score being above a second risk score threshold higher than the first risk score threshold, denying the account transaction
(“[0024] Yet another object of the present invention is to provide a system, and its methods of use, for detecting identify theft that employs an analysis to revise and refine a Personal Identity Value used to allow or deny access or operation of a computer application, activity, network, system or device for current or subsequent access or operation of said computer application, activity, network, system or device”).
Regarding claim 4, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann further discloses
the physical store location is determined by querying a database comprising known store locations for the wireless provider of the wireless device
(“[0051] An optional Identity Database enables the storage and use of additional Identity Data that may be obtained via an external system or application associated with the Identity Register. The Identity Database enables the association of a Wireless Device ID and one or more additional identity information elements associated with a unique Wireless Device ID such as an entity's or individual's home address, work address, related locations or addresses frequented by the individual, various telephone numbers associated with an individual and additional Wireless Device IDs related to the present Wireless Device ID. Additional Wireless Device IDs associated with, or otherwise related to, the present Wireless Device ID may be required, such as those that may be associated with family members that may be associated with the same identity authentication application”).
Regarding claim 5, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann further discloses
wherein the home location of the account of the wireless device comprises a billing location of the account of the wireless device
(“[0026] Yet another object of the present invention is to provide a system, and its method of use, for detecting identify theft in response to a Personal Identity Value based on a transaction or activity event data, the location of the transaction or activity event, the entity's home location, the location of the entity's wireless device”).
(“[0028] These and other objects of the present invention are achieved in, a method for detecting identity theft of an individual based on one or more types of Identification Data, Event Data or both including the location of a wireless device associated with an entity obtained from a Wireless Network, the entity's home location, other locations associated with an entity, automated activity data, automated transaction data or automated event detection data”).
Regarding claim 6, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann does not disclose, however, Tyler further discloses
wherein the location of the person requesting the transaction is determined by using at least one of an IP address of a device accessing a customer service portal of a wireless provider, and a Caller ID of a device calling a customer service phone line of the wireless provider
(“C17, L41-67 (73) FIG. 8 illustrates another possible user authorization technique using the user's IP address. The Registered Users table 801 includes an IP address range for each user, stored in columns 805 and 806. When user 440a attempts access, the user's IP address 816 is automatically provided to the system, and the system can check it against the expected IP address range for the user. IP address checks may be particularly useful for example to ensure that employees only access resources from authorized computers with known IP addresses. One or more embodiments may use IP checking as the only or the primary authentication mechanism. One or more embodiments may require additional authentication information in addition to the IP address of the user. One or more embodiments may combine IP address checking with passwords, cookies, or any other scheme for checking user credentials”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Buhrmann to include wherein the location of the person requesting the transaction is determined by using at least one of an IP address of a device accessing a customer service portal of a wireless provider, and a Caller ID of a device calling a customer service phone line of the wireless provider as taught by Tyler to increase security of the authentication process by using IP address that can only be only access resources from authorized computers with known IP addresses – see C17, L41-67 (73) FIG. 8 illustrates another possible user authorization technique using the user's IP address. The Registered Users table 801 includes an IP address range for each user, stored in columns 805 and 806. When user 440a attempts access, the user's IP address 816 is automatically provided to the system, and the system can check it against the expected IP address range for the user. IP address checks may be particularly useful for example to ensure that employees only access resources from authorized computers with known IP addresses. One or more embodiments may use IP checking as the only or the primary authentication mechanism. One or more embodiments may require additional authentication information in addition to the IP address of the user. One or more embodiments may combine IP address checking with passwords, cookies, or any other scheme for checking user credentials.
Regarding claim 7, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann further discloses
wherein the dominant location of the wireless device comprises a location where the wireless device is most often used; and wherein the method further comprises: determining the current location of the wireless device by querying a database comprising location information of wireless devices served by the wireless provider
(“[0083] The Identity Risk Logic Resources use location data obtained about the authentication event for an authentication application engaged in by the entity or individual, the entity's or individual's wireless device location data, location data associated with the Wireless Device ID stored in the exemplary Identity Database, one or more previously calculated Personal Identity Values stored in the exemplary Wireless Device ID Database and weighting factors designating the importance of each of the information elements that may be defined in the Identity Risk Configuration data to generate a current Personal Identity Value for the entity, individual or data subject. The Identity Risk Logic Resources may generate a multiplicity of distance and time variables from the data for the Personal Identity Value calculation such as… the distance between the individual's wireless device location and the individual's work location, the distance between the individual's home location and the individual's work location… the distance between other frequented locations stored in the Identity Database and the individual's wireless device location, etc.… Event location as well as other time variances among the data parameters may be used in the identity risk logic calculation”).
Regarding claim 8, the combination of Buhrmann and Tyler, as shown in the rejection above, discloses the limitations of claim 1.
Buhrmann further discloses
wherein the account transaction comprises at least one of accessing information of the account, changing information of the account, adding a new wireless device to the account, and changing a SIM card for the wireless device
(“[0068] Illustrative examples of the types of activities and transactions that the present invention may provide identity theft protection and utility include financial transactions such as credit card transactions, debit card transactions, electronic fund transfers, deposit transactions and non-financial bank transactions such as change of account data transactions. Other examples include online account activations, online purchases, online banking transactions, online gaming access, online sharing of data, online interactive messaging systems (e.g. sending and receipt of email, instant messages, etc.) online social networking, online communications systems, software-based automated systems and services, hardware-based automated systems and services, computer access (e.g. log-ons, log-offs, etc.), website registrations, activations, deactivations, computer applications, network or device registrations, activations, deactivations and any applications requiring identity authentication”).
Claim 9 is rejected using the same rationale that was used for the rejection of claim 1.
Claim 10 is rejected using the same rationale that was used for the rejection of claim 2.
Claim 11 is rejected using the same rationale that was used for the rejection of claim 3.
Claim 12 is rejected using the same rationale that was used for the rejection of claim 4.
Claim 13 is rejected using the same rationale that was used for the rejection of claim 5.
Claim 14 is rejected using the same rationale that was used for the rejection of claim 6.
Claim 15 is rejected using the same rationale that was used for the rejection of claim 7.
Claim 16 is rejected using the same rationale that was used for the rejection of claim 8.
Claim 17 is rejected using the same rationale that was used for the rejection of claim 1.
Claim 18 is rejected using the same rationale that was used for the rejection of claim 2.
Claim 19 is rejected using the same rationale that was used for the rejection of claim 3.
Claim 20 is rejected using the same rationale that was used for the rejection of claim 8.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Dennis (WO2013181151A2) teaches system and method for automated analysis comparing a wireless device location with another geographic location.
Joa (GB2463573A) teaches wireless number risk scores for use with mobile payments.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARK H GAW whose telephone number is (571)270-0268. The examiner can normally be reached Mon-Fri: 9am -5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mike Anderson can be reached on 571 270-0508. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MARK H GAW/Examiner, Art Unit 3693