Published November 25, 2004 | Version v1
Patent Open

Method for authenticating a website

Authors/Creators

Description

This work is licensed under Attribution-ShareAlike 4.0 International 


FIELD OF THE INVENTION

The present invention relates to the field of Internet authentication techniques. More particularly, the invention relates to a method for authenticating a website.


BACKGROUND OF THE INVENTION

In the world today many business transactions are done through the Internet, whether by shopping on-line at websites offering goods and merchandise or by paying bills through a designated website. Furthermore, many banks allow their customers to perform money transactions through the bank website, which is claimed to be secure. All websites involved in money transactions need some kind of authentication from the customer before approving the transaction, so as to prevent an impostor from posing as a customer. An electronic request issued from one network unit to another for authentication will be referred to hereinafter as a challenge, while the authenticating answer to the request will be referred to hereinafter as a response. Some of the authentication techniques involve using a password known by the user and authenticated by the website, which can be used alone or together with a username. Furthermore, some of the authentication techniques use two passwords together with a username, or a password together with a credit card number or an ID number, or even a key which is installed in a hardware device. The common factor of all the authentication techniques above is the use of input fields supplied by the user (response) on demand of the website (request) for authenticating the user. Therefore many ways have been devised by hackers and Internet thieves to copy and steal these input fields, because these input fields or passwords are the keys for authentication. Once having acquired the means for authentication, a hacker is able to buy or transfer money using the account of the user.

One of the tricks used by computer hackers to copy passwords to bank websites, where the bank is interested in allowing its customers to carry out money transactions, involves impersonation. The computer hacker buys an Internet address similar to the address of a bank, or changes the IP numbers corresponding to a certain address so as to mislead the user into a different website than the one he intended to access, and sets up a faked website similar to the real website of the bank. Once a user of the bank enters the hacker's site, he is led to think that he has entered the correct site of the bank; he is then requested to enter his password and personal details while the system records his input. Furthermore, the hacker might wait for the user to enter the correct website of the bank and then open another website page on the user's computer, hiding the open bank website and requesting the password while recording the input. At the critical moment, for example after entering the password, the user is notified of a failure of the Internet connection, misleading the user to believe that his password is still safe. After acquiring the password and username of a user, the hacker has the confidential details of the user; he can log into the real website of the bank and enter the stolen username and password of the private bank account. Once in a private bank account the hacker can do essentially everything the user is entitled to do in the website, such as transfer money from the account or use the personal information for other purposes.

US publication 2004/0139152 suggests a system in which a user issues a first request to a website and the website issues a challenge to the user. The challenge may be selected from among a number of different types of challenges, and the user has to provide an appropriate response. This publication solves some of the problems concerning the authentication of the user but does not offer a solution to the problem of authenticating the website to the user, i.e. determining that the website is truly what it claims to be.

It is an object of the present invention to provide a system which is capable of authenticating a public website for the user.

It is another object of the present invention to provide a public website authentication system that is easy to use by an average user.

It is still another object of the present invention to provide a public website authentication system that cannot be copied easily and automatically by a computer program.

Other objects and advantages of the invention will become apparent as the description proceeds.


SUMMARY OF THE INVENTION

The present invention relates to a method for authentication of a website, the method comprising:

  1. Establishing an agreement between a user and a website owner whereby the user receives at least one personal client key and the website owner receives at least one personal authenticating website code;
  2. Performing initial access to the website by the user;
  3. Challenging, by the website, the user for his client key;
  4. Submitting, by the user, his client key and sending it to the website;
  5. Verifying, at the website, said client key;
  6. Sending, by the website to the user, the agreed personal authenticating website code associated with that user;
  7. Verifying, by the user, that this is indeed the authentic website code as agreed between him and the website owner.

Preferably the method further comprises:

  8. Further establishing, in said agreement between user and website owner, a second personal client key;
  9. Challenging, by the website, the user for said second client key, after sending said authenticating website code;
  10. Submitting said second client key by the user to the website.
  • Preferably the user's first client key is a username.
  • Preferably the authenticating website code is a picture.
  • Preferably the authenticating website code is a hardware indication.
  • Preferably the authenticating website code is a personal question.
  • Preferably the challenge for a second client key is a request to reply to the authenticating website code.
  • Preferably the request for the second client key is a request for a password.
  • Preferably the second client key is a password.
  • Preferably there is another request for a password after the request to reply to the personal code.
  • Preferably the first client key and/or second client key of the user are submitted automatically by the user side, with or without human intervention.
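The exchange in steps 1 to 10 above, written out as a runnable simulation. This is an added example, not code from the patent or from any product based on it: the class and method names, the user `alice`, the picture identifier `blue-sailboat.png` and the `ImpostorWebsite` class are all constructed for illustration, and the use of PBKDF2 for storing the second client key is an implementation choice of this example, not something the patent specifies. The point the code makes is the one the method relies on: because the user's client checks the agreed website code (step 7) before answering the second challenge, a faked site that never took part in the agreement receives the username but never the password.

```python
import hashlib
import hmac
import os


class Website:
    """Genuine website. Per user it stores the agreed authenticating website
    code (step 1) and a salted verifier for the second client key (step 8)."""

    def __init__(self):
        self._users = {}

    def enroll(self, username, site_code, password):
        # Steps 1 and 8: the agreement between user and website owner.
        salt = os.urandom(16)
        self._users[username] = {
            "site_code": site_code,
            "salt": salt,
            "verifier": self._derive(password, salt),
        }

    @staticmethod
    def _derive(password, salt):
        # PBKDF2 is this example's choice for the stored verifier; the patent
        # does not prescribe how the website stores the second client key.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def site_code_for(self, username):
        # Steps 5 and 6: verify the first client key, then send the code
        # agreed with that particular user. Unknown user: nothing to send.
        record = self._users.get(username)
        return None if record is None else record["site_code"]

    def verify_second_key(self, username, password):
        # Steps 9 and 10: check the password in constant time.
        record = self._users.get(username)
        if record is None:
            return False
        candidate = self._derive(password, record["salt"])
        return hmac.compare_digest(candidate, record["verifier"])


class ImpostorWebsite:
    """Hypothetical faked site of the kind the background describes: it copies
    the login page but never took part in the agreement, so it has no way of
    knowing which code the user expects."""

    def __init__(self):
        self.captured = []  # what a faked site would manage to record

    def site_code_for(self, username):
        return "generic-bank-logo.png"  # a guess, not the user's agreed code

    def verify_second_key(self, username, password):
        self.captured.append((username, password))
        return True


class Client:
    """The user side. It releases the second client key only after step 7."""

    def __init__(self, username, expected_site_code, password):
        self.username = username
        self.expected_site_code = expected_site_code
        self.password = password

    def login(self, site):
        # Steps 2 to 4: initial access and submission of the first client key.
        transcript = [("client->site", "first client key", self.username)]
        code = site.site_code_for(self.username)
        transcript.append(("site->client", "website code", code))
        # Step 7: the user checks the code before answering any further challenge.
        if code is None or not hmac.compare_digest(code, self.expected_site_code):
            transcript.append(("client", "abort", "website code mismatch"))
            return False, transcript
        # Step 10: only now is the second client key sent.
        transcript.append(("client->site", "second client key", "<password>"))
        return site.verify_second_key(self.username, self.password), transcript


def run_demo():
    """Run the exchange once against the genuine site and once against an impostor."""
    genuine = Website()
    genuine.enroll("alice", "blue-sailboat.png", "correct horse battery staple")
    alice = Client("alice", "blue-sailboat.png", "correct horse battery staple")

    ok_genuine, _ = alice.login(genuine)
    fake = ImpostorWebsite()
    ok_fake, fake_transcript = alice.login(fake)
    return {
        "genuine_ok": ok_genuine,
        "fake_ok": ok_fake,
        "fake_captured": fake.captured,
        "fake_transcript": fake_transcript,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running `run_demo()` shows the genuine login succeeding and the impostor's transcript stopping at the abort line, with `fake_captured` empty: the faked site learned the username, which the method treats as a low-value first key, but not the password. The same structure covers the other "preferably" variants; with a personal question as the website code, the client's check at step 7 is the user recognising the question, and the reply to it takes the place of the password.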

Files

US20080028475A1.pdf

Files (1.2 MB)

  • md5:80187463a161c00e9994f8f7eff465a8 (532.0 kB)
  • md5:d8262380808f8cc532350ede9b334cb9 (530.2 kB)
  • md5:aa20219abc2b20d6a26246948e38188b (128.3 kB)

Additional details

Related works

Is published in
Patent: US11/720,247 (Handle)
Patent: IL/165405A0 (Handle)
Patent: IL/16540504A (Handle)
Patent: PCT/IL2005/001254 (Handle)
Patent: PCT/LOS/O1254 (Handle)