Acknowledgements
This communication is in response to applicant’s response filed on 12/29/2021.
Claims 1-3, 6-10, 12, 14-17, and 19-20 have been amended. 
Claims 1-20 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/29/2021 has been entered.

Response to Arguments
Regarding applicant’s arguments:
Regarding applicant’s argument under Claim Rejections - 35 USC § 103, that Landrok (US 20170364911) in view of Sawant (US 20180108007) does not explicitly teach “the transaction is based on transaction-specific information sent by the user device to the application server," "a first hash that is created by the user 
Applicant argues dependent claims are patentable because of their dependency on independent claims 1, 8, and 15. Examiner respectfully argues applicant’s arguments are moot in light of the new grounds of rejection for claims 1, 8, and 15. 

Claim Rejections - 35 USC § 102(a)(1)
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6-8, 12, 14-15, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Andersen (US 9,165,291 B1).

Regarding Claims 1, 8, and 15, Andersen teaches receiving, via a first communication channel and from an application server, a request to validate a transaction that was requested by a user device that communicates with the application server, wherein the transaction is performed by an application on the application server and wherein the transaction is based on transaction-specific information sent by the user device to the application server (Col. 6, lines 64-67 and Col. 7, lines 1-6, Col. 8, lines 62-67 and Col. 9, lines 1-11, and Col. 12, lines 40-45 teach a user can enter an amount of payment on either the mobile application or in the “SUBJECT” field of a native e-mail application; a token generation module in the user device can be used to generate a unique token that can be included in the body of an email; the security token can be embedded in the e-mail being drafted that can be encrypted and can include sender e-mail address, device characteristic(s) and/or identifier of the payment sender device, and/or financial account information of the sender user (e.g., debit card account information or credit card account information); the token may be embedded and/or hidden within the body to that the user cannot easily identify the token; a communications module in the user device can send the e-mail to an authentication engine in response to a user indication to send in transmission operation; a payment processing system, such as the payment processing system, can receive the payment e-mail), wherein the request to validate the transaction is obtained with a first hash that is created by the user device, and wherein the first hash comprises a hash of the transaction-specific information that is hashed by the user device using data stored on the user device (Col. 2, lines 58-67 and Col. 3, lines 1-19 and Col. 11, lines 45-67 and Col. 12, lines 1-16 teach the user submits to the application a payment amount to be transferred, and in response to the user's transfer request, the application generates a first unique token and a second unique token; the second unique token may be a message token that includes a specially constructed keyed-hash message authentication code (HMAC); the HMAC may include the app token (i.e., first unique token) along with a sender e-mail address, a device identification of the electronic device, financial account information of the sender user, or any combination thereof; an e-mail operation generates the payment e-mail with one or more pre-populated fields and an embedded security token on an electronic device; if the sender user has previously indicated a payment amount, the pre-populated fields can also include a subject line including the payment amount (e.g., dollar amount or other currency amount); the application calls the native e-mail application on the computing device, and generates an e-mail that includes the second unique token (i.e., the message token) and sends a secure message to the authentication engine), obtaining, from the user device and via a second communication channel, a second hash that is created by the user device, wherein the second hash comprises a second hash of the transaction-specific information, wherein the second hash is hashed by the user device using the data stored on the user device (Col. 3, lines 20-24 and Col. 10, lines 11-13 teach after sending the e-mail, the computing device can then make a separate secure connection to the authentication engine and supplies both the message determining, based on the first hash and the second hash, whether the transaction should be allowed or blocked, wherein the transaction is allowed if the first hash matches the second hash, and wherein the transaction is blocked if the first hash does not match the second hash (Col. 3, lines 24-31 and Col. 10 lines 1-14 teach the authentication engine can verify that the email was sent by the user (i.e., from the computing device); the token verification module validates the token by comparing the token against a second token sent through an alternate channel; validation of a token received embedded in an e-mail can verify that the user sent the e-mail, or that the e-mail was sent by the payment facilitation application, the electronic device, and/or the payment facilitation application while running on the electronic device; in such example, the token embedded in the email can be compared against a second token sent through, for example, the payment facilitation application (i.e., alternative channel), to perform the verification), and instructing the application server to allow or block the transaction based on the determining (Col. 10, lines 35-46 and Col. 3, lines 31-36 teach an authentication module can use the information from token verification module and e-mail verification module along with other information in making an authentication decision; the decision generated by authentication module is used by access module in granting or denying access to a user account held at the service provider; the decision generated by authentication module is used in granting or 
Regarding Claim 1, Andersen teaches a system comprising: a processor; and a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations (Col. 9, lines 22-40 teaches a set of components within authentication engine can include memory, one or more processors, message receiving module, token verification module, e-mail verification module, authentication module, access module, accounting module, registration module, and graphical user interface (GUI) generation module; in one embodiment, token verification module, e-mail verification module, and authentication module can be combined into a single module for authenticating the user).
Regarding Claim 8, Andersen teaches a method (Col. 11, lines 43-45 teaches FIG. 5 is a flowchart illustrating a set of operations for sending a cash payment over e-mail in accordance with various embodiments of the disclosed technology).
Regarding Claim 15, a computer storage medium having computer-executable instructions stored thereon that, when executed by a processor, cause the processor to perform operations (Col. 14, lines 12-18 and Col. 15, lines 49-61 teach a variety of these steps and operations may be performed by hardware components or may be embodied in computer-executable instructions, which may be used to cause a general-purpose or special-purpose 

	Regarding Claims 6, 12, and 19, Andersen teaches all the limitations of 1, 8, and 15 above; and Andersen further teaches wherein the transaction comprises requesting sending of an email message via an email service, and wherein the transaction-specific information comprises an email address of a recipient of the email message (Col. 3, lines 65-67 and Col. 4, lines 1-8 teaches to send a payment, the user needs to only specify a receiver e-mail address in an e-mail; the e-mail can also carbon copy (Cc), blind carbon copy (Bcc), or add as a recipient (To) a payment processing e-mail address; when the e-mail is sent, a payment processing system can receive the payment e-mail (e.g., by receiving the payment e-mail through the payment processing e-mail address) and generate a payment receipt interface for the receiver of the e-mail).

Regarding Claims 7, 14, and 20, Andersen teaches all the limitations of 1, 8, and 15 above; and Andersen further teaches wherein the transaction comprises requesting a transfer or payment via a banking service, and wherein the transaction-specific information comprises an amount associated with the transfer or payment (Col. 2, lines 37-42 and Col. 11, lines 9-15 and 51-54 teach the email message can include a payment amount to be .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3, 9-10, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Andersen (US 9,165,291 B1) in view of Lakshmanan (US 20150310431).

Regarding Claims 2, 9, and 16, Andersen teaches all the limitations of 1, 8, and 15 above; however, Andersen does not explicitly teach wherein the data stored on the user device comprises a private key that is stored in a subscriber identity module of the user device.
Lakshmanan from the same or similar field of endeavor teaches wherein the data stored on the user device comprises a private key that is stored in a subscriber identity module of the user device (Paragraphs 0044 and 0048-0049 teach the customer device comprises an encryption/decryption module and a digital signature module; the encryption/decryption module is used to encrypt or decrypt data using encryption keys; the digital signature module is used to cryptographically sign a message by using a hashing algorithm and an encryption algorithm to create a signature, and may use the hash module and encryption/decryption module for these respective purposes; the digital signature module signs a message with a private key; the transaction authorization message is hashed to produce a hash; the hash is then encrypted with the private key, KS; the encrypted hash is the signature and is appended to the transaction authorization message, which is then considered signed).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Andersen to incorporate the teachings of Lakshmanan for the data stored on the user device to comprise a private key that is stored in a subscriber identity module of the user device.
There is motivation to combine Lakshmanan into Andersen because a private key cannot be derived from the public key. The private key KS is encrypted with the a to produce the encrypted private key E. The encrypted private key E is stored on the customer device. In this way, the authenticating input is used to generate a symmetric key that may be used to store and subsequently retrieve the private key. As described further below, when making a purchase, the user may enter the authenticating input, which is used to re-generate the symmetric key and decrypt the private key. In this way, the private key may only be decrypted and used to sign a purchase when the user provides the proper authenticating input (Lakshmanan Paragraph 0024).

Regarding Claims 3, 10, and 17, Andersen teaches all the limitations of 
1, 8, and 15 above; however, Andersen does not explicitly teach wherein the data stored on the user device comprises a hash algorithm that is stored in a subscriber identity module of the user device.
Lakshmanan from the same or similar field of endeavor teaches wherein the data stored on the user device comprises a hash algorithm that is stored in a subscriber identity module of the user device (Paragraphs 0044 and 0047 teach the customer device comprises a hash module; the hash module is capable of mapping inputs to an output of a fixed bit-length, called a hash by employing a one-way, cryptographically secure hashing function to map inputs to hashes; in some embodiments, a hash function takes in two inputs: a value and a seed; the hash module can employ a single hash function or multiple hash functions).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Andersen to incorporate the teachings of Lakshmanan for the data stored on the user device 
There is motivation to combine Lakshmanan into Andersen because by substituting a hash value for the identifier used in the Feng, the base invention is improved because one-way hash functions area useful tool to store sensitive customer data such as credit card data in a blind manner that reduces your risk. The provided input will always result in the same fixed length set of characters but it is impossible to determine the original input. This is a powerful protection because if a hacker was to gain access to the database and steal the stored customer data they will only see the hash codes that were stored and would not be able to decipher what the original credit card data was.

Claims 4-5, 11, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Andersen (US 9,165,291 B1) in view of Guertler (US 20170208464).

Regarding Claims 4 and 11, Andersen teaches all the limitations of 1 and 8 above; however, Andersen does not explicitly teach wherein obtaining the second hash comprises requesting the second hash from the user device in response to receiving an indication that the transaction has been approved, and wherein the user device requires a successful biometric authentication at the user device before creating the second hash.
Guertler from same or similar field of endeavor teaches wherein obtaining the second hash comprises requesting the second hash from the user device in response to receiving an indication that the transaction has been approved, and wherein the user device requires a successful biometric authentication at the user device before creating the second hash (Paragraph 0028 teaches the mobile terminal comprises a reading device for a biometric security feature, in particular a fingerprint reader; the access to the private key in the memory of the mobile terminal, is protected by a biometric security feature of the user (i.e. the access to the private key will only by granted by and after the input of an authorized biometric security feature at the reading device); when the mobile terminal receives the request from the authentication service, it performs an enquiry for input of a biometric security feature; as soon as the user complies with the enquiry and enters an authorized biometric security feature, first the access to the private key will be granted locally, as already explained; using the now accessible private key, the transaction identifier received from the authentication service will be signed in the mobile terminal, wherein the transaction identifier is a hash of the transaction identifier; the signed transaction identifier will then be transmitted back to the authentication service).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Andersen to incorporate the teachings of Guertler for obtaining the second hash to comprise requesting the second hash from the user device in response to receiving an indication that the transaction has been approved, and wherein the user device requires a successful biometric authentication at the user device before creating the second hash.


Regarding Claims 5, 13, 18, Andersen teaches all the limitations of 1, 8, and 15 above; however, Andersen does not explicitly teach receiving, from the user device, an indication that the transaction has been approved, wherein receiving the indication comprises sending, to the user device and via the second communication channel, a validation request comprising a request that the user device validate the transaction, and receiving, from the user device and via the second communication channel, a validation response comprising the indication that the transaction has been approved.
receiving, from the user device, an indication that the transaction has been approved, wherein receiving the indication comprises sending, to the user device and via the second communication channel, a validation request comprising a request that the user device validate the transaction (Paragraphs 0011 and 0028 teach the authentication service determines the address of a mobile terminal linked to the user on the basis of the identification data and transmits a request comprising a transaction identifier to the mobile terminal, the mobile terminal (or an authentication application installed in the mobile terminal) performs an enquiry for input of a biometric security feature; the processing stages explained above, which are carried out on the mobile terminal, can be implemented by an authentication application installed in the mobile terminal so that a mobile terminal can also be equipped subsequently by retrofitting (e.g. downloading) the authentication application for the present method (i.e., the authentication application is separate from the initial Internet application, thus the authentication application is a second channel); if at least one address of a mobile terminal is found, the authentication service establishes a data connection with the mobile terminal via a second channel and transmits a request comprising the previously generated transaction identifier via said data connection to the mobile terminal; the mobile terminal comprises a memory in which a private key is stored; furthermore, the mobile terminal comprises a reading device for a biometric security feature, in particular a fingerprint reader), and receiving, from the user device and via the second communication channel, a validation response comprising the indication that the transaction has been approved (Paragraph 0028 teaches 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Andersen to incorporate the teachings of Guertler to receive, from the user device, an indication that the transaction has been approved, wherein receiving the indication comprises sending, to the user device and via the second communication channel, a validation request comprising a request that the user device validate the transaction, and receive, from the user device and via the second communication channel, a validation response comprising the indication that the transaction has been approved.
There is motivation to combine Guertler into Andersen because of the same reasons listed above for claims 4 and 11
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Narayan et al. (US 20200273031) teaches systems and methods for providing secure end-to-end transactions between consumers, merchants, and banks. A unique identifier is generated based on information specific to the device and information specific to the user and stored in a secure area of a device. A programming module executing on the device may initiate a transaction and interact with a merchant system to complete the transaction. Information provided by the programming module may enable the merchant system to negotiate with a banking system to complete the transaction. Profile information of a user may be collected by a programming module according to user selected preferences. An interface system may provide visual content to a merchant system and a banking system to verify consumer identity.
Rangaraj (US 20200005294) teaches a method is provided that includes assigning one or more first records of a first table and one or more second records of a second table to corresponding range groups of a plurality of range groups. The method further includes comparing at least one record of the first table with at least one record of the second table, where the at least one record of the first table and the at least one record of the second table are assigned to a first range group of the plurality of range groups. The method also includes, based on the comparing, identifying a parent record and a child record and segmenting the parent record 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/COURTNEY P JONES/Examiner, Art Unit 3685