Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the Amendment filed on 11/16/2022.
In the instant Amendment, claims 21-28 have been added; claims 1 and 21 are independent claims.  Claims 1-6 and 16-29 have been examined and are pending; claims 7-15 are cancelled. This Action is made Non-FINAL.
Election/Restrictions
Applicant elects, without traverse, Group 1, comprising claims 1-6 and 16-20, for prosecution of this patent application in the reply filed on 11/16/2022 is acknowledged.
Priority
This application is a divisional of and claims priority under 35 U.S.C. § 120 to U.S. Patent Application Serial No. 17/081,813, filed on October 27, 2020. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C.
102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6 and 16-29 are rejected under 35 U.S.C. 103 as being unpatentable over Larkin (WO 2016/050990) (Provided in the IDS) and in view of Ben Ayed (US 8,467,770) hereinafter Ben.
Regarding claim 1, Larkin discloses a method for computer authentication of a user request for a Subscriber Identity Module (SIM) card transfer by a biometric signature from a UE (Larkin page 58; lines 30-36; The invention can also check if there has been any SIM Card changes recently for this mobile device. Using this information, the Invention Security Manager can calculate a risk score. The Risk score can be based on various checks, such as but not limited to, SIM card Swap, if the user is accessing the service from a known or registered mobile device or MSISDIN, location of mobile device (more on this later), etc.), comprising: 
assigning a risk score, by a mobile service provider, to a user account based on user activity in the user account, wherein the user activity includes a SIM card transfer authorization (Larkin page 58; lines 34-36; Security Manager can calculate a risk score. The Risk score can be based on various checks, such as but not limited to, SIM card Swap, if the user is accessing the service from a known or registered mobile device or MSISDIN, location of mobile device (more on this later), etc.); 
capturing a biometric signature, by the authentication application, on the UE (Larkin page 39; lines 16-20; Any suitable bio-metric factors can be employed including for example fingerprinting (if the device had a fingerprint reader), or facial recognition (for example the security agent on the device could take a photograph of the user), or iris scan, with such features, or the results of analysis of such features being provided as input to the security agent of the invention on the device, and/or to network elements (which can perform biometric analysis), and/or to the RMM which can then be used to influence the risk score);
modifying the risk score, by the mobile service provider, based on comparison of the biometric signature to the authorized signature (Larkin page 58; lines 34-42 ; The invention can also check if there has been any SIM Card changes recently for this mobile device. Using this information, the Invention Security Manager can calculate a risk score. The Risk score can be based on various checks, such as but not limited to, SIM card Swap, if the user is accessing the service from a known or registered mobile device or MSISDIN, location of mobile device (more on this later), etc. The Risk Score can be scored, but is not limited to, as a number between 0 and 1000. Once a Risk Score is calculated for this current session ID, the Risk Score along with a Reason Code. As described previously, the reason code can encode the characteristic that influences the risk score the most, or alternatively multiple reason codes can be included where each reason code encodes a different characteristic that is contributing to the risk score, or alternatively a reason code can encode multiple characteristics reflecting the one or more characteristics that influence the risk score most. See also claim 40). 
Larkin teaches, encodes the characteristic that influences the risk score most, allowing the RMM to indicate that this is the dominant cause of the risk score associated for example with the subscriber. However, Larkin does not explicitly disclose requesting a biometric signature, by the mobile service provider, from an authentication application executing in memory on the UE; encrypting, by the authentication application, the biometric signature; sending an encrypted biometric signature, by the authentication application, to the mobile service provider, with a wireless communication protocol; comparing, by the mobile service provider, the biometric signature to an authorized signature.
However, in an analogous art, Ben teaches wherein requesting a biometric signature, by the mobile service provider, from an authentication application executing in memory on the UE (Ben col.2; lines 32-45; Upon performing an operation onboard the mobile terminal selected from the group comprised of: launch an application, access an application, push a button, run a function, request information, access a data record, if said first device or said second smart phone is connected to the mobile terminal using a short wireless connection, a program onboard the mobile terminal requests information from the connected device, wherein the requested information is selected from the group comprised of: password, One-time-password, certificate, response to a challenge question, challenge authentication results, biometric reading, biometric authentication results,);
encrypting, by the authentication application, the biometric signature (Ben col. 4; lines 34-36 and col. 8; lines 21-28; Short wireless token 11 can be programmed with operation rules such us: turn LED on and off, checking a private key matches a public key, encrypting, obfuscating, returning XML string, storing function codes, responding to messages, encrypting and decrypting voice, scan for other compatible devices, send marketing files, store counters, provide any function. The update application can also program short wireless token 11 to: store keys, store different keys for different interfaces, store different protocols and authentication methods corresponding to different interfaces. The update application can program short wireless token 11 to: upon receiving request from an interface, provide one or more keys or data corresponding to the interface. The update application can program short wireless token 11 to store one or more encryption or obfuscation functions identified by one or more function codes, and upon receipt of a message identifying function code x and a number of operands, and/or a random number, execute encryption function x); 
sending an encrypted biometric signature, by the authentication application, to the mobile service provider, with a wireless communication protocol (Ben col. 4; lines 34-50; The short wireless token 11 stores a user biometric identification signature (or an encrypted user biometric identification signature). The biometric identification signature can be a sample or a pre-processed sample of the user's signature, voice, finger print, iris scan or distinguishing biometric identification. The identification signature can also include variations that correspond to different user conditions, tones, states, moods, etc. Upon receipt of an event or a message to authenticate the user or upon detection of an event--such as wrong PIN code, change of driver, reset, detection of unknown conditions, a predetermined period of time elapses, the short wireless token 11 requests the user to provide biometric information. Upon reading new user biometric information, the short wireless token 11 sends the new user biometric information to the server for comparison with the stored user biometric identification signature); 
comparing, by the mobile service provider, the biometric signature to an authorized signature (Ben col. 4; lines 47-50; Upon reading new user biometric information, the short wireless token 11 sends the new user biometric information to the server for comparison with the stored user biometric identification signature). 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Ben with the method and system of Larkin, wherein sending an encrypted biometric signature and comparing to provide users with a means for securing user data on a mobile device  (Ben abstract).
 Regarding claim 2, Larkin and Ben disclose the method of claim 1,
Larkin further discloses wherein the biometric signature comprises one of a selfie, a face, fingerprint, a hand, or a portion of the face (Larkin page 39; lines 16-20; Any suitable bio-metric factors can be employed including for example fingerprinting (if the device had a fingerprint reader), or facial recognition (for example the security agent on the device could take a photograph of the user), or iris scan, with such features, or the results of analysis of such features being provided as input to the security agent of the invention on the device, and/or to network elements (which can perform biometric analysis), and/or to the RMM which can then be used to influence the risk score). 
Regarding claim 3, Larkin and Ben disclose the method of claim 1,
Larkin further discloses further comprising: providing, by the mobile service provider, an application programming interface (API) to a third party, wherein the API enables the third party to access the risk score of the user account (Larkin page 34; lines 29-37; The date of the transaction, the amount of the transaction, the date of last transaction, the date of last payment, session ID (between app and ASP), ASP ID identifying the application service provider, risk settings to indicate if device was compromised during the gambling period, such as SIM swap status, multi-party call status, call divert unconditional status, etc. Such information can act as independent third party information (with the independent third party being the mobile network operator(s) which has the invention integrated), and can be used and required for non-repudiation of transactions for example for dispute resolution, court proceedings etc.).  
Regarding claim 4, Larkin and Ben disclose the method of claim 3,
Larkin further discloses wherein the risk score is a high risk score when the biometric signature does not match the authorized signature, and wherein the third party denies the user access to a user account associated with the third party based at least in part on the high risk score assigned to the user (Larkin pages 58-59; lines 49-52 and 1-2; The ASP backend application receives the information and based on the Risk Score and/or Reason Code determines if the user should be allowed to gain access to the service or not. If the user should be allowed to gain access, the ASP sends an OK to the access request from the mobile application. If the ASP deems the Risk Score and/or Reason code to be too high (meaning potential fraud or risk for compromise) the ASP sends and Access Denied to the user's mobile application).
Regarding claim 5, Larkin and Ben disclose the method of claim 1,
Larkin further discloses wherein the UE is one of a smartphone, a mobile phone, a laptop computer, a tablet computer, a wireless handset, a personal digital assistant (PDA), a gaming device, a pager, a media player, or a computer (Larkin page 3; lines 6-10; The invention provides means for secure authentication for a user of an application running on an endpoint device (such as a mobile phone) by utilising Unstructured Supplementary Service Data (USSD) as a separate communication channel to achieve device separation in a multi-factor authentication scenario).  
Regarding claim 6, Larkin and Ben disclose the method of claim 1,
Larkin further discloses wherein the user activity further comprises at least one of a password change, a financial transaction, or a money transfer (Larkin page 25; lines 43-46; Although accessing these services via an end-point device such as mobile device, makes it convenient and easy for the end user to perform such services, services such as mobile banking services require added security measures to prevent fraudulent behaviour and to protect the actors involved (including but not limited to), financial institutions such as a bank, and the bank's customers against fraud).
Regarding claim 16, Larkin and Ben disclose the method of claim 3,
Larkin further discloses wherein the third party is one of a financial institution, an insurance company, or an investment company (Larkin page 25; lines 43-46; Although accessing these services via an end-point device such as mobile device, makes it convenient and easy for the end user to perform such services, services such as mobile banking services require added security measures to prevent fraudulent behaviour and to protect the actors involved (including but not limited to), financial institutions such as a bank, and the bank's customers against fraud).
Regarding claim 17, Larkin and Ben disclose the method of claim 3,
Larkin further discloses further comprising: establishing, by the authentication application, a connection to the API by exchanging passwords (Larkin page 5; lines 29-30; The invention can be used 111 conjunction with other authentication mechanisms, e.g. PIN Code, password, etc.)
Regarding claim 18, Larkin and Ben disclose the method of claim 1,
Larkin further discloses further comprising: transmitting, by the authentication application, location data of the UE to the mobile service provider; comparing, by the mobile service provider, the location data to stored location data, wherein the risk score is modified based on comparison of the location data to the stored location data (Larkin page 58; lines 34-42 ; The invention can also check if there has been any SIM Card changes recently for this mobile device. Using this information, the Invention Security Manager can calculate a risk score. The Risk score can be based on various checks, such as but not limited to, SIM card Swap, if the user is accessing the service from a known or registered mobile device or MSISDIN, location of mobile device (more on this later), etc. The Risk Score can be scored, but is not limited to, as a number between 0 and 1000. Once a Risk Score is calculated for this current session ID, the Risk Score along with a Reason Code. As described previously, the reason code can encode the characteristic that influences the risk score the most, or alternatively multiple reason codes can be included where each reason code encodes a different characteristic that is contributing to the risk score, or alternatively a reason code can encode multiple characteristics reflecting the one or more characteristics that influence the risk score most. See also claim 40).  
Regarding claim 19, Larkin and Ben disclose the method of claim 18,
Larkin further discloses wherein the risk score is a high risk score when the location data does not match the stored location data (Larkin page 21; lines 25-31; Even if malware could manipulate the session ID or ASP ID the result is that either the network security service cannot pass the risk information lo the bank (i.e. if ASP ID manipulated) or if the network security service does pass it to the bank and the session ID is incorrect the bank will be unable to correlate to the real customer's active service session. Either of these situations will result in the ASP (in this example the 30 banks backend server) assuming a high risk and minimizing the customer end user device access rights within the service).  
Regarding claim 20, Larkin and Ben disclose the method of claim 19,
Larkin further disclose further comprising: sending, by the mobile service provider, the risk score to a third party, wherein the third party denies the user access to a user account associated with the third party based at least in part on the high risk score assigned to the user (Larkin pages 58-59; lines 49-52 and 1-2; The ASP backend application receives the information and based on the Risk Score and/or Reason Code determines if the user should be allowed to gain access to the service or not. If the user should be allowed to gain access, the ASP sends an OK to the access request from the mobile application. If the ASP deems the Risk Score and/or Reason code to be too high (meaning potential fraud or risk for compromise) the ASP sends and Access Denied to the user's mobile application) .
Regarding claims 21-29; claims 21-29 are directed to a system associated with the method claimed in claims 1-4, 16-17, 6 and 18-19 respectively. Claims 21-29 are similar in scope to claims 1-4, 16-17, 6 and 18-19 respectively, and are therefore rejected under similar rationale respectively.  
Conclusion 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907. The examiner can normally be reached M-F 8:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, FARID HOMAYOUNMEHR can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SANCHIT K SARKER/Primary Examiner, Art Unit 2495