DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 13, 2021 has been entered.
 
Response to Amendment
Claims 21, 31, and 40 have been amended.  Claims 1-20 have been canceled.  Claims 21-40 are pending and are provided to be examined upon their merits.

Response to Arguments
Applicant's arguments filed May 26, 2021 have been fully considered but they are not persuasive.  A response is provided below in bold where appropriate.
Applicant argues Claim Objections, pg. 7 of Remarks:
CLAIM OBJECTIONS
Applicant acknowledges the Office’s claim objections and will take the Office’s remarks into consideration in future correspondence.

The objection has been modified based on the claim amendments.  Again, please be careful to mark up all changes to the prior claims, if they are made, and Examiner thanks Applicant in advance.  
Applicant argues 35 USC §112, pg. 7 of Remarks:
REJECTIONS UNDER 35 U.S.C. § 112
Claims 17-22, 24-32, and 34-36 were rejected under pre-AiA 35 U.S.C. §112(b), first paragraph, as allegedly failing to comply with the written description/enablement requirement. See Office Action at pg. 9.
Applicant acknowledges the Office’s Section 112(b) rejection, however, Applicant submits that this rejection is rendered moot in view the claim amendments.

The claimed element was not amended and it remains indefinite.  The rejection is respectfully maintained.
	
Applicant argues Double Patenting, pg. 7 of Remarks:
REJECTIONS UNDER DOUBLE PATENTING
Applicant acknowledges the double patenting rejection of claims 21-40 (as allegedly being unpatentable over claims of U.S. Patent No. 10,430,779 (Office Action at pg. 7-9). However, Applicant submits that the Office’s Double Patent Rejection is rendered moot in view of the instant claim amendments. Moreover, Applicant will determine whether the filing of a terminal disclaimer is appropriate at such time when the Office indicates that the claims recite allowable subject matter. Applicant maintains that filing a terminal disclaimer based on non-statutory double patenting does not constitute an admission of the propriety of the rejection. See Quad Environmental Technologies Corp. v. Union Sanitary District, 946 F.2d 870 (Fed. Cir. 1991).

Withdrawn as of now based on the claim amendments and further consideration.  As indicated, the claims are themselves determinate as to this issue.  

Applicant argues 35 USC §101, pg. 8 of Remarks:
REJECTIONS UNDER 35 U.S.C. § 101
Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As amended, independent claims 21, 31, and 40 relate to a mechanism for determining a proper authentication protocol based on capabilities of a mobile device. The independent claims have been amended to recite:


determining, at the server, one or more authentication options associated with the authenticating capabilities of the mobile device; and transmitting, to the mobile device, the one or more authentication options;

Applicant submits that the independent claims as amended include a series of unconventional, technical features for remotely authenticating a mobile device prior to conducting a transaction with an ATM. In contrast, the prior art is silent on the subject matter at issue. Thus, these unconventional, technical features have not been “proven by clear and convincing evidence” as no evidence of these features has been provided and the rejection has not been expressly supported in writing with evidence. Berkheimer Memo at pages 3-4 and 12.

The feature, however, is claimed and taught at a high level of generality.  This could be simply a database of a user device and mapping features of the user’s device to the model (e.g. fingerprint capability).  However, there is no technical explanation taught or claimed as to what this is.  

The rejection is not based on well-understood, routine and conventional.  In any event, Applicant’s own disclosure teaches using a general purpose computer (e.g. para’s [034], [038], [043], and [048].

In conclusion, as the system uses unconventional technical features, the claim is patent eligible under Step 2B of the Alice/Mayo test.

The rejection is respectfully maintained but modified for the claim amendments.

Applicant argues 35 USC §103, starting pg. 8 of Remarks:
REJECTIONS UNDER 35 U.S.C. § 103
U.S. Patent No. 8,818,906 (“Szwalbenest”) and U.S. Pub. No. US 2007/0295805 (“Ramachandran”), whether taken alone or in combination, do not show or render obvious “detecting, at the server based on physical components of the mobile device, authentication capabilities of the mobile device,” as recited by the amended independent claims. Szwalbenest discusses methods for authenticating a user device by analyzing and manipulating device attributes, such as “cookies,” stored on a customer's processing device. See Szwalbenest, at Col. 2, lines 27-29. Thus, device attributes in Szwalbenest are not equivalent to the claimed capabilities of the mobile device. That is, the device attributes (i.e., cookies) of Szwalbenest are not “based on physical components of the mobile device,” as the claims require. Therefore, Szwalbenest does not discuss the subject matter at issue. Ramachandran is cited by the Office Action for 

From Szwalbenest…
Server keeps track of particular device (physical device) and particular attributes of a customer’s (physical) device, where such “device” (physical) attributes are used with authentication…
“The invention may provide processing to address the situation where a customer uses different devices to access the particular server. For example, the server might keep track of the particular device used, and track reissued cookies accordingly. The invention may use the particular attributes of a customer's computer ( device) in others ways, such as looking for particular device attributes in conjunction with authentication. Various other features are provided by the invention.” (col. 3, lines 26-33)

Device attribute based on specific device (physical devcoe) of a user…
“As shown in FIG. 9, the process starts in step 750 and passes to step 752. In step 752, the authentication entity 300 generates a new device attribute. Such generation of the new device attribute might be based on various information in the customer record such as the specific device of the user, if known, the protocol implemented for the particular user, as well as the history. For example, it may be determined that a new cookie should be issued to the user's personal computer, with the cookie based on a counter that is incremented. After step 752 of FIG. 9, the process passes to step 754.” (col. 10, lines 8-17)

Szwalbenest therefore teaches particular attributes of a customer’s device, therefore device attributes are not cookies but physical device attributes.

Accordingly, claims 21, 31, and 40, and their respective dependent claims are patentable over the art of record.

The rejection has been modified but maintained based on the claim amendments.


Claim Objections
Claims 21 and 31 are objected to because of the following informalities:  The claims have added to and deleted from claim elements that should be marked up in the amendments to properly reflect changes from the prior claim set.  
For example, from Claim 21, the following was deleted:
“select” an authentication option from the authentication options

“receive, at the server from the mobile device, a selection of” an authentication option…”
Claim 31 has a similar problem.  
Appropriate correction is required.  In this case, please be careful in the future to mark-up changes and the Examiner thanks the Applicant in advance.  See MPEP 37 CFR 1.121 (c) (2).

	Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Claims 21-40 are either directed to a system, method, or product, which are statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 31 as the claim that represents the claimed invention for analysis and is similar to system Claim 21 and product Claim 40.  Claim 31 recites the limitations of:
A computer-implemented method for authenticating a user at an automated teller machine (ATM), comprising:
receiving, by one or more processors of a server, a transaction request corresponding to the ATM received from a mobile device associated with the user;
identifying a user account based on the transaction request; 
detecting, at the server based on physical components of the mobile device, authenticating capabilities of the mobile device;
determining, at the server, one or more authentication options associated with the authenticating capabilities of the mobile device;
transmitting to the mobile device, the one or more authentication options;
receiving, at the server from the mobile device, a selection of an authentication option from the one or more authentication options;
transmitting a prompt to the mobile device for user input based on the selected authentication option;
receiving authentication data from the mobile device based on the user input; 
requesting user identification data from a database; 
comparing the user identification data received from the database and the authentication data received from the user via the mobile device; and
authenticating the user at the ATM based on the comparison.

These above limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity.  The claim recites elements, highlighted in bold above, which covers performance of the limitation as a fundamental economic practice (mitigating risk by authentication a user at the ATM) and commercial interaction (receiving a transaction request).  If a claim limitation, under its broadest reasonable interpretation, covers performance of the Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. In particular, the claims only recite: automated teller machine (ATM), memory, server, mobile device (Claim 21); ATM, server, mobile device (Claim 31); and computer readable medium, server, ATM, mobile device (Claim 40).  The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer component.  The system comprises a serve, and a mobile device, which are computer or computer components.  The ATM: 1) is claimed at a high level of generality; 2) is used in an insignificant, extra solution manner; and  3) is an “FSP device” (financial service provider) device that may be a computer and use a processor to execute instructions (para. [092]), therefore the ATM appears to perform computer functions.  See paras.[0034] and [038] where the FSP system is a general purpose computer.  Also paras. [047] and [049] where one of ordinary skill in the art would know to include other components and other types of arrangements.  The detecting at the server authenticating capabilities of the mobile device and determining at the server one or more options associated with the authentication capabilities of the mobile are claimed at a high level of generality.  See para. [0113] of the specification where there is no technical description of how FSP device may detect the capabilities of a user device, therefore this is also only taught at a high level of generality (e.g. this could be simply Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computer hardware amounts to no more than mere instructions to apply the exception using a generic computer component.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they  do not impose any meaningful limits on practicing the abstract idea.  Steps such as receiving and transmitting are steps that are considered insignificant extra solution activity and mere instructions to apply the exception using general computer components (see MPEP 2106.05(d), II). Thus claims 21, 31, and 40 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)  


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 21-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 31 has “receiving, by one or more processors of a server, a transaction request corresponding to the ATM received from a mobile device…” where it is Claims 21 and 40 have a similar problem.
Claims 22-30 and 32-39 are further rejected as they dependent on their respective independent claims.

Examiner Request
The Applicant is requested to indicate where in the specification there is support for amendments to claims should Applicant amend.  The purpose of this is to reduce potential 35 U.S.C. §112(a) or §112 1st paragraph issues that can arise when claims are amended without support in the specification.  The Examiner thanks the Applicant in advance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 21-26, 28-36, and 38-40 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No. 8818906 to Szwalbenest in view of Pub. No. US 2007/0295805 to Ramachandran.
Regarding claims 21, 31, and 40
(claim 31) A computer-implemented method for authenticating a user at an automated teller machine (ATM), comprising: 

Szwalbenest teaches:
Banking platform…
“The authentication entity 300 may be in the form of a banking platform maintained by a bank, for example. The authentication entity 300 includes a processing portion 310 and a memory portion 320. The processing portion 310 may be in the form of a general purpose computer, special purpose computer, or some other tangibly embodied processing device. The memory portion 320 may be in the form of a database, for example.” (col. 4, lines 56-63)

	See ATM below.

receiving, by one or more processors of a server, a transaction request corresponding to the ATM received from a mobile device associated with the user; 

Logging into a processing platform (receiving at a server) banking related tasks (transaction requests) associated with a customer device (user)…
“FIG. 1 shows high-level processing steps, in accordance with one embodiment of the invention. In particular, FIG. 1 shows communications between a customer device 100 and an authentication entity 300. As an initial step, as reflected in step (1) of FIG. 1, the customer device 100 sends a request for a session to the authentication entity (AE) 300. The requested session may, for example, include the customer logging in to a bank processing platform to perform banking related tasks, such as checking the customer's account balances, recent debits to their account, and recent deposits, for example.” (col. 3, lines 43-52)

Perform banking tasks (corresponding to banking tasks) such as checking account balances...
“FIG. 1 shows high-level processing steps, in accordance with one embodiment of the invention. In particular, FIG. 1 shows communications between a customer device 100 and an authentication entity 300. As an initial step, as reflected in step (1) of FIG. 1, the customer device 100 sends a request for a session to the authentication entity (AE) 300. The requested session may, for example, include the customer logging in to a bank processing platform to perform banking related tasks, such as checking the customer's account balances, recent debits to their account, and recent deposits, for example.” (col. 3, lines 43-52)

Where the processing is a computer (server)…
“The authentication entity 300 may be in the form of a banking platform maintained by a bank, for example. The authentication entity 300 includes a processing portion 310 and a memory portion 320. The processing portion 310 may be in the form of a general purpose computer, special purpose computer, or some other tangibly embodied processing device. The memory portion 320 may be in the form of a database, for example.” (col. 4, lines 56-63)

Where the customer device is a cellular or smart phone (mobile device)…
“As used herein, "device" and "customer device" are used interchangeably. As used herein, a "device" (i.e., customer device) means a processing machine, as set forth below, such as a cellular telephone, smart, phone, IPAD, TABLET PC, laptop computer, netbook, any other computer, land phone, or PDA (personal digital assistant), for example.” (col. 2, lines 35-40)

	See ATM below.

identifying a user account based on the transaction request; 

Example of checking (identifying) customer (user) account balances…
“FIG. 1 shows high-level processing steps, in accordance with one embodiment of the invention. In particular, FIG. 1 shows communications between a customer  such as checking the customer's account balances, recent debits to their account, and recent deposits, for example.” (col. 3, lines 43-52)


detecting, at the server based on physical components of the mobile device, authenticating capabilities of the mobile device;

Generate (detecting) new device attribute of the user (mobile device) based on customer record such as specific device…
“As shown in FIG. 9, the process starts in step 750 and passes to step 752. In step 752, the authentication entity 300 generates a new device attribute. Such generation of the new device attribute might be based on various information in the customer record such as the specific device of the user, if known, the protocol implemented for the particular user, as well as the history. For example, it may be determined that a new cookie should be issued to the user's personal computer, with the cookie based on a counter that is incremented. After step 752 of FIG. 9, the process passes to step 754.” (col. 10, lines 8-17)


determining, via the server, authentication options associated with one or more authentication capabilities of the mobile device of authenticating the user at the ATM;
[No Patentable Weight is given to non-functional descriptive claim language of “at the ATM” since where the authentication at the ATM does not affect determining the authentication options (i.e. the ATM does not affect the act of determining).]

Looking for (determining) device (mobile device) attributes (authentication capabilities)…
“The invention may provide processing to address the situation where a customer uses different devices to access the particular server. For example, the server might keep track of the particular device used, and track reissued cookies accordingly. The invention may use the particular attributes of a customer's computer (device) in others ways, such as looking for particular device attributes in conjunction with authentication. Various other features are provided by the invention.” (col. 3, lines 26-33)

	See ATM below.

transmitting to the mobile device, the one or more authentication options;
Issue (transmitting) a new cookie (authentication options) to the user’s computer (mobile device)…
“As shown in FIG. 9, the process starts in step 750 and passes to step 752. In step 752, the authentication entity 300 generates a new device attribute. Such generation of the new device attribute might be based on various information in the customer record such as the specific device of the user, if known, the protocol implemented for the particular user, as well as the history. For example, it may be determined that a new cookie should be issued to the user's personal computer, with the cookie based on a counter that is incremented. After step 752 of FIG. 9, the process passes to step 754.” (col. 10, lines 8-17)

Output (transmitting) the new device attribute to the customer (therefor an authentication option)…
“In step 754, the authentication entity 300 proceeds to output the new device attribute to the customer. Accordingly, such output new device attribute is received by the customer device and integrated into the data of the customer device. In a further session at some future time, the new device attribute that was output to the customer will be sent from the customer device to the authentication entity 300 for purposes of authentication, as described above. Accordingly, the "new device attribute," as described in conjunction with step 754 of FIG. 9, will constitute the observed device attribute in such future session.” (col. 10, lines 18-28)


receiving, at the server from the mobile device, a selection of an authentication options from the one or more authentication options;

Sent (receiving) from customer (mobile device) authentication using new (one) authentication options…
“In step 754, the authentication entity 300 proceeds to output the new device attribute to the customer. Accordingly, such output new device attribute is received by the customer device and integrated into the data of the customer device. In a further session at some future time, the new device attribute that was output to the customer will be sent from the customer device to the authentication entity 300 for purposes of authentication, as described above. Accordingly, the "new device attribute," as described in conjunction with step 754 of FIG. 9, will constitute the observed device attribute in such future session.” (col. 10, lines 18-28)

Where authentication entity is a server…
“FIG. 1 is a high-level schematic diagram of a transaction system 10 in accordance with one embodiment of the invention. As shown, the transaction system 10 includes a customer device 100 and an authentication entity 300. The customer device 100 may be in the form of a personal computer such as a laptop, cell phone, PDA (personal digital assistant) or some other personal device, for example. The authentication entity 300 may be in the form of a bank processing platform, such as a server or some other computer processing system.” (col. 3, lines 34-42)

Where the customer device is a phone cell (mobile device)…
“FIG. 1 is a high-level schematic diagram of a transaction system 10 in accordance with one embodiment of the invention. As shown, the transaction system 10 includes a customer device 100 and an authentication entity 300. The customer device 100 may be in the form of a personal computer such as a laptop, cell phone, PDA (personal digital assistant) or some other personal device, for example. The authentication entity 300 may be in the form of a bank processing platform, such as a server or some other computer processing system.” (col. 3, lines 34-42) 

Another example of retrieve (receiving) from customer device particular device attribute (device capabilities) that allows authentication entity to determine what information should be retrieved…
“In step 620, the authentication entity 300 determines what device attribute that the bank is monitoring for the particular device of the customer. That is, based on the information in the customer record, as well as other information that is available to the authentication entity 300, the particular device attribute is determined. For example, the device that the customer is using may be determined to be a personal computer. Further, the customer record may reflect that a cookie is issued every time the customer requests a session with the authentication entity 300. Accordingly, the protocol associated with this particular customer is the issuance of a cookie upon each session. Relatedly, the history information contained in the particular customer's record may include the details of the last cookie that was issued to the customer's device. This information allows the authentication entity 300 to determine specifically determine what information should be retrieved from the customer device 100 (for purposes of authentication of the customer's device).” (col. 7, lines 14-31)

transmitting a prompt to the mobile device for user input based on the selected authentication option;

Phone call (transmitting a prompt) on failure to authenticate (selected authentication option)…
“In embodiments of the invention, a failure to authenticate based on a "device attribute" may result in other authentication processes being performed. Such other authentication processes might include an authentication on another channel, e.g. if the customer's initial transaction request originated from a computer, then authentication on another channel might be a phone call to the customer (advising of the transaction and requesting particular information, such as the customer's personal identification number).” (col. 9, lines 3-11)

receiving authentication data from the mobile device based on the user input;

Requesting (receiving) customer’s personal identification number (authentication data) using a phone (mobile device), where a user’s information be an input…
“In embodiments of the invention, a failure to authenticate based on a "device attribute" may result in other authentication processes being performed. Such other authentication processes might include an authentication on another channel, e.g. if the customer's initial transaction request originated from a computer, then authentication on another channel might be a phone call to the customer (advising of the transaction and requesting particular information, such as the customer's personal identification number).” (col. 9, lines 3-11)   Inherent with phone call and request for particular information is a user input, such as voice response. 

requesting user identification data from a database; 

Attempts to map (requesting) username from a database…
“In step 520, the authentication entity 300 attempts to map the username that was submitted by the customer to a customer record that is stored in the database of the authentication entity 300. After step 520, the process passes to step 530. In step 530, the authentication entity 300 determines whether the mapping to a customer record (based on the username) and the comparison of the password that was found in the customer record (vis-a-vis the password submitted by the customer) was successful. In other words, did the username and password submitted by the customer match with those stored in the authentication entity 300. If NO in step 530, i.e., there was not a match, then the process passes to step 540 of FIG. 5.” (col. 6, lines 12-24)

comparing the user identification data received from the database and the authentication data received from the user via the mobile device; and 

Map (comparing) username of customer (customer identification data) submitted (from customer mobile device) to customer record stored in database…
“In step 520, the authentication entity 300 attempts to map the username that was submitted by the customer to a customer record that is stored in the database of the authentication entity 300. After step 520, the process passes to step 530. In step 530, the authentication entity 300 determines whether the mapping to a customer record (based on the username) and the comparison of the password that was found in the customer record (vis-a-vis the password submitted by the customer) was successful. In other words, did the username and password submitted by the customer match with those stored in the authentication entity 300. If NO in step 530, i.e., there was not a match, then the process passes to step 540 of FIG. 5.” (col. 6, lines 12-24)
42)

Comparison of device attribute (comparing customer 
a device attribute comparison portion 312 and a device attribute generation portion 314. The device attribute comparison portion 312 may perform various processing in conjunction with comparison of device attribute, as described herein. The device attribute generation portion 314 may perform various processing in conjunction with generation of device attributes, as described herein.” (col. 4, lines 64-67 to col. 5, lines 1-5)

authenticating the user at the ATM based on the comparison.

Secure valid username and password (authenticating the user)..
“In step 540, the authentication entity 300 generates and sends a message to the customer that the username and/or password submitted by the customer is not valid. The authentication entity 300 may then further interface with the customer to secure valid username and password information. Accordingly, in step 550, a determination is made of whether a valid username and password (or other credentials) were indeed ultimately received. If YES, then the process passes to step 570. In step 570, the process proceeds to secondary authentication based on device attribute. That is, the process passes to step 580 of FIG. 5 and then returns to step 600 of FIG. 4.” (col. 6, lines 25-36)

Successful mapping (comparison) of the customer…
“Returning to step 530 of FIG. 5, described above, if YES in step 530, i.e., the mapping to the customer record (based on the username and password) was successful, then the processing passes immediately to step 580 of FIG. 5. As described above, in step 580, the process passes back to FIG. 4 and step 600.” (col. 6, lines 60-65)

	See ATM below.

ATM
Szwalbenest teaches authentication of transactions using mobile devices.  He does not teach transaction request corresponding to an ATM.

Ramachandran also in the business of  authentication of transactions using mobile devices teaches:

Hand-held (mobile) device interacting with an automated banking machine (ATM)…
“Finally, there further exists a need for an apparatus and method for carrying out transactions using a hand-held device that enables a user to remotely interact with a transaction terminal device, such as an automated banking machine, electronic cash register, or electronic funds transfer terminal.” [0013]

Phone (mobile device) and cash amount (transaction request) with  (corresponding to) ATM identifier…
“Alternatively, the customer may initially transmit transaction data from the phone to the in-store terminal 630. This data may correspond to just the customer account, signature, and/or PIN. In such a scenario, at this point in the cash purchase process the customer may be requested to provide (via their phone to the network) how much cash they want and the identity of the particular ATM. As previously discussed, the customer can uses their phone to transmit the ATM identifier and the desired amount of cash to the store network. The transmitting may involve a phone line network or the Internet. The phone can be used to transmit the ATM identifier and the cash amount to a network device (or location) remote from the store.” [0200]

Where the network approves the cash withdrawal at the ATM…
“The store network (which may include a secondary financial network) checks the received transaction data to determine 614 whether the requested cash withdrawal should be permitted. With network approval (step 510) of the requested cash withdrawal, the requested cash may then be dispensed via a cash dispenser in the ATM. Responsive to the approval, the store network 610 correlates (e.g., charges, debits, bills, etc.) the customer's account 616 with the cash purchase (step 512), similar to a merchandise purchase. The store network instructs the in-store ATM 620 (i.e., the ATM corresponding to the customer-provided ATM identifier 622) to dispense the requested cash amount. The instruction to the ATM may cause the ATM to immediately dispense the requested cash (step 514). The store may receive a service fee for providing the cash.” [0201]

It would have been obvious to one of ordinary skill in the art at the time of filing to include in the method and system of Szwalbenest the ability to use a mobile device with an ATM and at an ATM location as taught by Ramachandran since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Further motivation is provided by the convenience to customers of using automated teller machines and the references benefit by customers use of ATM’s for performing transactions.
	
Regarding claims 22 and 32
(claim 32) The method of claim 31, further includes receiving a customer identifier from the mobile device.

Szwalbenest teaches:
Username (customer identifier)…
the customer, may include a username and password, which is authenticated by the authentication entity 300, i.e., assuming that the username and password are valid. Upon authentication of the username and password, in accordance with the invention, the authentication entity 300 initiates processing to perform "secondary device attribute authentication" associated with one or more attributes of the customer's device 100, i.e., "device attributes."” (col. 3, lines 43-61)

Regarding claims 23 and 33
(claim 33) The method of claim 31, further comprises performing multi-tiered authentication.

Szwalbenest teaches:
Secondary authentication (multi-tiered)…
“After step 700, the process passes to step 800. In step 800, the authentication based on the device attribute of the customer's device 100 is concluded, i.e., the secondary device attribute authentication is concluded.” (col. 5, lines 32-65)

Regarding claims 24 and 34
(claim 34) The method of claim 33, further comprises determining authentication tier level based on the capabilities of the mobile device.

Szwalbenest teaches:
Authentication based on device attributes (capabilities)…
“After step 700, the process passes to step 800. In step 800, the authentication based on the device attribute of the customer's device 100 is concluded, i.e., the secondary device attribute authentication is concluded.” (col. 5, lines 32-65)

Attribute as a personal computer (type of device)…
“In step 620, the authentication entity 300 determines what device attribute that the bank is monitoring for the particular device of the customer. That is, based on the information in the customer record, as well as other information that is available to the authentication entity 300, the particular device attribute is determined. For example, the device that the customer is using may be determined to be a personal computer.” (col. 7, lines 14-21)

Attribute based on specific device of the user…
“As shown in FIG. 9, the process starts in step 750 and passes to step 752. In step 752, the authentication entity 300 generates a new device attribute. Such generation of the new device attribute might be based on various information in the customer record such as the specific device of the user, if known, the protocol implemented for the particular user, as well as the history. For example, it may be determined that a new cookie should be issued to the user's personal computer, with the cookie based on a counter that is incremented. After step 752 of FIG. 9, the process passes to step 754.” (col. 10, lines 8-17)

Example of tier…
“In accordance with further aspects of the invention, it is appreciated that information that is not "device attribute" information may be used in conjunction with the processing as described herein. That is, other information may be used in conjunction with the device attribute related processing as described herein. For example, date information, time information, merchant information, geographical information, and other information may be used in conjunction with device attribute. As an example, as consistency of geographical location of transactions (of a particular customer) is less, then stricter comparison of device attributes might be demanded by the authentication entity 300, i.e., in that less consistent geographical location may be indicative of fraud. Hereinafter aspects of implementation will be described.” (col. 10, lines 62-67 to col. 11, lines 1-8)

Example of observed (determining) attributes (capabilities) sufficient to authenticate the session and if not may be other information (determining authentication tier level) that legitimized the customer’s interaction…
“In step 736, the authentication entity 300 determines whether other observed attributes of the device are sufficient to authenticate the session. That is, step 736 reflects a situation in which the authentication entity 300 cannot obtain a match between the determined device attribute and the observed device attribute. However, there may be other information that is secured from the customer that legitimizes the customer's requested interaction, e.g. session. In step 736, if it is determined that authentications can still not be granted, then the process passes again to step 737.” (col. 9, lines 52-61)

Regarding claims 25 and 35
(claim 35) The method of claim 34, further comprises iteratively prompting the user for additional authentication data until the required authentication tier level is satisfied.

Szwalbenest teaches:
Example of challenge and request (prompt) multi-factor authentication to confirm (iteratively prompting for more authentication information)…
“The sequential retrieval and issuance of cookies, having identifiably different attributes, provides a very effective deterrent against a fraudster who has somehow secured a particular cookie in the sequence. It may well take a fraudster weeks and likely months to secure and attempt to fraudulently use a stolen cookie. In that time, the particular server will generally have replaced the legitimate customer's cookie multiple times. When the server is presented with an old cookie, the server will challenge the requested access. For example, the server may initiate an MFA (multi-factor authentication) request--to confirm the identity of the customer, and thus thwart the fraudster.” (col. 3, lines 14-25)

Regarding claims 26 and 36


Szwalbenest teaches:
Fraudster (different customer) with different attributes (device) and multi-factor authentication (different tier) for a transaction…
“The sequential retrieval and issuance of cookies, having identifiably different attributes, provides a very effective deterrent against a fraudster who has somehow secured a particular cookie in the sequence. It may well take a fraudster weeks and likely months to secure and attempt to fraudulently use a stolen cookie. In that time, the particular server will generally have replaced the legitimate customer's cookie multiple times. When the server is presented with an old cookie, the server will challenge the requested access. For example, the server may initiate an MFA (multi-factor authentication) request--to confirm the identity of the customer, and thus thwart the fraudster.” (col. 3, lines 14-25)

Regarding claims 28 and 38
(claim 38) The method of claim 34, wherein the authentication tier level is determined by an amount of the transaction.

Szwalbenest teaches:
Enhanced security based on large value (amount of) transaction…
“Yet further, it is appreciated that the authentication entity 300 may use a plurality of device attributes in conjunction with each other. Such processing of device attributes might be performed as a matter of routine, such as when enhanced security is desired, e.g. with a transaction involving a large value. Such processing of device attributes might also be performed when the authentication of one device attribute is questionable.” (col. 9, lines 42-49)

Regarding claims 29 and 39
(claim 39) The method of claim 33, further comprises, providing a notification on a display of the user device reflecting results of the authentication.

Szwalbenest teaches:
Outputting (display) to the customer device approval…
“…outputting approval of the requested interaction and a new device attribute to the customer device, if the authentication test is passed;…” (6)
User interface to convey information to a user…
“As discussed above, a user interface is utilized by the processing machine that performs a set of instructions such that the processing machine processes data for a user. The user interface is typically used by the processing machine for interacting with a user either to convey information or receive information from the user….” (col. 13, line 66-67 to col. 14, lines 1-4)

Regarding claim 30


Szwalbenest teaches:
Authentication using a cookie (transparent to a user)…
“More specifically, in one known use, the cookie is created by the particular server and is sent by the server, over the Internet, to the customer's web browser. The data in the cookie is then stored on the customer's computer, such as on the customer's hard drive. Thereafter, the web browser sends the cookie back to the server at predetermined times, such as when the web browser accesses the particular server. A cookie can be used for various purposes, such as for authentication, other identity processing, to save personal information to avoid the need for re-entry, session tracking, storing customer preferences and patterns, and other purposes. The cookie may include URL information for which that cookie is valid. Accordingly, when the browser encounters a server that matches a URL in a cookie, the browser sends the particular matching cookie to that server.” (col. 2, lines 40-55)


Claims 27 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over the combined references in section (9) above in further view of Pub. No. US 2004/0020984 to Clark.
Regarding claims 27 and 37
(claim 37) The method of claim 31, wherein the authentication data comprises one or more of fingerprint detection, retina scan, iris scan, heartbeat pattern detection, facial recognition, voice recognition, or palm vein scan.

The combined references teach authentication.  They do not teach biometric data such as fingerprint.

Clark also in the business of authentication teaches:
ATM analyzes services offered by the transceiver (cellphone)…
“Device discovery works as follows. When the cellphone 70 enters the ATM's vicinity 76, the cellphone's transceiver 72 detects a device discovery procedure executed by the ATM's wireless module 28. The cellphone's transceiver 72 responds to this device discovery procedure by transmitting parameter information relating to the device 70. On receiving this parameter information from the cellphone's transceiver 72, the ATM's wireless module 28 analyses the types of services offered by the transceiver 72 and determines that the cellphone 70 can be used to enter a transaction, so the ATM's wireless module 28 

Transmit fingerprint to ATM…
“The cellphone 70 receives the request for a fingerprint template, and transmits its stored fingerprint template to the ATM 12 either immediately, or after obtaining permission to transmit from the person carrying the cellphone 70.” [0043]

It would have been obvious to one of ordinary skill in the art at the time of filing to include in the method and system of the combined references the ability to use authentication data such as a fingerprint as taught by Clark since the claimed invention is merely a combination of old elements and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Further motivation is provided by Clark and the added security of using a fingerprint for authentication.  


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENNETH BARTLEY whose telephone number is (571)272-5230.  The examiner can normally be reached on Mon-Fri: 7:30 - 4:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHAHID MERCHANT can be reached on (571) 270-1360.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/KENNETH BARTLEY/Primary Examiner, Art Unit 3693