One common avenue for fraudsters to steal private information of other individuals is through a so called “evil twin” network. In such a scheme, the fraudster establishes a network access point (e.g., a mobile hotspot) in a location associated with a legitimate network (e.g., a network associated with a merchant). The fraudster configures the access point to mimic the legitimate network (e.g., in name and appearance). Individuals connect to the fraudulent network and communicate private information (e.g., payment credentials) with various other entities. The fraudster intercepts these communications and gains access to the private information. Thus, it would be beneficial to provide a system that diminishes the efficacy of such schemes.
An embodiment relates to a computer-implemented method. The method includes receiving, by a computing system, information indicative of a first purchase by a customer. The method also includes establishing, by the computing system, an aspect of the first purchase as a network authentication credential for the customer. The method also includes receiving, by the computing system, a first request to connect to a network from a customer device associated with the customer after completion of the first purchase. The method also includes transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding the aspect of the first purchase. The method also includes receiving, by the computing system, a customer-input response to the first query. The method also includes authenticating, by the computing system, the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase. The method also includes authorizing, by the computing system, connection of the customer device to the network based at least in part on the first request being authenticated.
Another embodiment relates to a computing system. The computing system includes a network interface enabling the computing system to exchange information over a network. The computing system also includes a customer database configured to store information pertaining to a plurality of customer purchases of a plurality of customers. The computing system also includes a processing circuit. The processing circuit is configured to receive information indicative of a first purchase by a customer. The processing circuit is also configured to establish an aspect of the first purchase as a network authentication credential for the customer. The processing circuit is also configured to receive, by the network interface, a first request to connect to the network from a customer device associated with the customer after completion of the first purchase. The processing circuit is also configured to transmit, by the network interface, a first query to the customer device prompting the customer to input information regarding the aspect of the first purchase. The processing circuit is also configured to receive, by the network interface, a customer-input response to the first query. The processing circuit is also configured to authenticate the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase. The processing circuit is also configured to authorize connection of the customer device to the network based at least in part on the first request being authenticated.
Another embodiment relates to a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by a computing system, causes the computing system to perform operations to authorize a request to connect to a network. The operations include receiving information indicative of a first purchase by a customer. The operations also include establishing an aspect of the first purchase as a network authentication credential for the customer. The operations also include receiving a first request to connect to a network from a customer device associated with the customer after completion of the first purchase. The operations also include transmitting a first query to the customer device prompting the customer to input information regarding the aspect of the first purchase. The operations also include receiving a customer-input response to the first query. The operations also include authenticating the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase. The operations also include authorizing connection of the customer device to the network based at least in part on the first request being authenticated.
The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the disclosure will become apparent from the description, the drawings, and the claims.
Before turning to the figures, which illustrate example embodiments, it should be understood that the application is not limited to the details or methodology set forth in the following description or illustrated in the figures. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.
Referring generally to the figures, systems and methods for authenticating a customer request to connect to a network are shown, according to various example embodiments. In particular, the figures include a merchant computing system associated with a merchant. A customer may engage in a transaction at the merchant and also seek to connect to a network (e.g., a local network established via a Wi-Fi™ connection) provided by the merchant. Such a pattern of interactions between the customer and the merchant creates an opportunity to enhance the security of the customer's private information. More specifically, the merchant computing system enables the customer to establish a shared secret as a network authentication credential. The shared secret may be generated based on the relationship (e.g., past financial or non-financial transactions) between the customer and the merchant. This way, if the customer seeks to connect to a network at the merchant and is not asked for the shared secret, the customer is aware of a potentially fraudulent scheme. Therefore, systems and methods disclosed herein enable mutual (two-way) authentication between the customer and the merchant. As such, the systems and methods disclosed herein facilitate enhanced security of private customer information.
The embodiments and implementations of the systems and methods disclosed herein improve current network authentication systems by enabling customers to establish dynamic authentication credentials for networks at specific locations. For example, on an airline, the customer's seat number may be established as a network authentication credential. Such credentials make it much more difficult for fraudsters to emulate networks provided at various merchants. If the customer is not asked for the credential when attempting to access the network, then the customer is made aware of the potential for fraud.
Additionally, the systems and methods disclosed herein provide a unique solution to the problem of establishing a shared secret credential between a customer and a merchant. Specifically, the systems and methods disclosed herein utilize information regarding a first service provided by the merchant to a customer (e.g., the sale of a product) to authenticate the customer with respect to a second service (e.g., connection to a local network) provided by the merchant to the customer. Use of such information provides benefits over current authentication systems. Because information regarding the first service provided to the customer is readily and uniquely available to the merchant (e.g., information regarding customer purchases may be stored at a computing system associated with a merchant), the merchant may pre-emptively establish information regarding the first service to authenticate the customer with respect to the second service. Thus, when the customer seeks to utilize the second service, a shared secret credential including information known or readily available may be available for use in authenticating the customer. This is a benefit over current systems, which may require the customer to obtain information (e.g., read a unique code) prior to a shared-secret credential being established. As such, the systems and methods disclosed herein provide efficiency and security benefits and a more convenient customer experience over current systems.
Additionally, because the first service provided by the merchant to the customer is not necessarily tied to the second service, the systems and methods disclosed herein provide for greater flexibility in terms of customer authentication processes than provided by current systems. In an example, for a first customer utilization of the second service, the merchant may select data regarding a first customer transaction as a shared secret credential. For a second customer utilization of the second service, the merchant may select data regarding a second customer transaction. In this example, the first and second customer transactions may occur in any order (e.g., the second customer transaction may occur prior to the first customer transaction). Due to this flexibility, the merchant may regularly update the customer's shared secret credential, even if no additional information regarding the customer becomes available between customer utilizations of the second service. Such updating further enhances the security of customer information. Thus, the systems, methods, and computer implementations disclosed improve current network security methods by providing functionalities that are novel and non-obvious over current systems.
Referring now to
The merchant network agent 110 is a device associated with the merchant and configured to generate the merchant local network 105 through being communicatively coupled to the network 150. In various embodiments, the merchant may be any entity that provides any sort of product or service to customers. For example, the merchant may be a financial institution, a brick-and-mortar merchant (e.g., a restaurant or a coffee shop), an airport, or any other entity. Merchant network agent 110 may include any device capable of establishing a connection and communicating data with an external device. In some arrangements, the merchant network agent 110 includes a wireless router configured to communicate information over the network 150 and generate wireless signals that are broadcasted to create the merchant local network 105.
The merchant network agent 110 is shown to include a wide area network interface 112 which enables the network agent 110 to exchange data over the network 150, a network control circuit 114, and an access point 116. The access point 116 is configured to broadcast a wireless network signal capable of being received by external computing devices (e.g., the merchant computing system 120, the customer computing device 140, etc.) to facilitate the connection of the external computing devices to create the merchant local network 105. In some arrangements, the wireless network signal broadcasted by the access point 116 may generate a wireless personal area network (WPAN), and include, for example, a Bluetooth® radio signal or infrared signal. In some arrangements, the wireless network includes a Wi-Fi™ signal, a WiMAX signal, wireless WAN signal, or the like.
The wireless network signal broadcasted by the merchant network agent 110 is received by other computing devices, such as the customer computing device 140 and merchant computing system 120. Upon receiving the wireless network signal from the network agent 110, the other devices may be authenticated by the methods disclosed herein to gain complete access to the merchant local network 105. For example, upon authenticating a customer via the customer computing device 140, encryption keys may be exchanged between the customer computing device 140 and the merchant network agent 110 enabling the customer computing device 140 to exchange information with additional computing systems. In some embodiments, the merchant network agent 110 provides external devices with access to an external network (e.g., the network 150).
In various embodiments, the wireless network signal broadcasted by the access point 116 includes a unique identifier associated with the merchant local network 105. In an example embodiment, the unique identifier includes a name of the merchant local network 105, which may be associated with the name of the merchant. As such, upon external devices, such as the customer computing device 140, receiving the signal from the access point 116, the customer computing device 140 may display the name of the merchant local network 105 to the customer and enable the customer to request to establish a connection with the merchant local network 105. Such an arrangement creates an opportunity for fraudsters to steal private information, as fraudsters may create networks having a unique identifier that mimics the unique identifier associated with the merchant local network 105.
The network control circuit 114 is configured to manage connections between the merchant network agent 110 and various other external devices. In this regard, the network control circuit 114 may include an authentication circuit (not shown) configured to authenticate requests to connect to the merchant local network 105 received from external devices. In an example embodiment, in response to the merchant network agent 110 receiving a request to connect to the merchant local network 105 from a requestor, the merchant network agent 110 transmits an authentication packet to the customer computing device 140 via the network control circuit 114. The authentication packet requests at least one authentication credential (e.g., a password) from the requestor. Upon receiving a requestor-input response to the authentication packet, the network control circuit 114 may compare the requestor-input response to a stored value and authenticate the request if a match is found. According to the systems and methods disclosed herein, the password may be a shared secret credential established for the customer based on a pre-existing relationship between the customer and merchant (e.g., a customer account). In some embodiments, the password may be based on a credential associated with a payments platform utilized by the customer to pay the merchant. For example, the network control circuit 114 may request mobile wallet credentials associated with a mobile wallet of the customer, and the network control circuit 114 may initiate communications with a mobile wallet computing system associated with the provider of the customer's mobile wallet to verify that customer-input mobile wallet credentials match credentials stored at the mobile wallet computing system (e.g., the mobile wallet computing system may verify the customer-input credentials and notify the merchant network agent 110 of the verification).
In some embodiments, the network control circuit 114 is configured monitor the various devices that are connected to the merchant local network 105. For example, when the customer computing device 140 first establishes a connection with the merchant network agent 110, the merchant network agent 110 may assign an IP address to the customer computing device 140 via the Dynamic Host Configuration Protocol (DHCP). Under such a protocol, the merchant network agent 110 may select an IP address from a pool of IP addresses stored at the merchant network agent 110 for customer computing devices 140 and temporarily or permanently assign the selected IP address to the customer computing device 140. In some arrangements, a network interface (e.g., the network interface 142) of the customer computing device 140 has a unique identifier (e.g., a MAC address) associated therewith. Communications between the customer computing device 140 and the merchant network agent 110 may include the unique identifier. As such, the network control circuit 114 may maintain a log of the various IP addresses assigned based on such unique identifiers. This way, based on the IP addresses currently assigned by the merchant network agent 110, the merchant network agent 110 may identify the specific external devices (and the identities of the customers associated therewith) connected to the merchant local network 105.
In some embodiments, the network control circuit 114 is configured to operate in concert with the merchant computing system 120 to authenticate requests to connect to the merchant local network 105. For example, in some embodiments, the network control circuit 114 receives data indicative of interactions (e.g., transactions) between the customer and the merchant, and establishes the received data as a network authentication credential for the customer. In some embodiments, the network control circuit 114 maintains an authentication credential directory. Such a directory may include a number of entries associated with various devices that have connected to the merchant local network 105. In an example, each entry is associated with a MAC address of an external device. The entries may include information regarding a plurality of transactions engaged in by the customer associated with the device. Using this stored information, the network control circuit 114 may generate a temporary network authentication credential used to authenticate the customer computing device 140 prior to authorizing connection of the external device to the merchant local network 105.
In an example, the customer purchases a product (e.g., a cup of coffee) at a merchant. In making such a purchase, the customer may provide payment information to the merchant (e.g., via the merchant computing system 120). Such payment information may include, for example a customer account number at a financial institution. The merchant computing system 120 may provide the received payment information to the merchant network agent 110. Alternatively or additionally, the merchant computing system 120 may transmit additional information (e.g., an identity of the purchased product, the amount of the purchase, the timing of the transaction, etc.) to the merchant network agent 110.
Upon receipt of such information regarding the customer purchase, the network control circuit 114 may establish an aspect of the data received from the merchant computing system 120 as a network authentication credential for the customer. To do this, the network control circuit 114 may first associate the received information regarding the purchase with an entry in the directory of network authentication credentials discussed above. For example, the directory may include a lookup table that matches portions of customer payment information (or information associated with an account of the customer at the merchant) to a particular external device (e.g., the customer computing device 140). As such, upon receipt of the customer payment information from the merchant computing system 120, the merchant network agent 110 may associate the information regarding the customer purchase with the customer computing device 140. After the association, the network control circuit 114 may select an aspect of the purchase information (e.g., a transaction amount, a product identity, etc.) to establish as a network authentication credential for the customer.
In some embodiments, the network control circuit 114 selects an aspect of the purchase data as an authentication credential upon receipt of a request to connect to the merchant local network 105 from the customer computer device 140. For example, based on a MAC address received from the customer computing device 140, the network control circuit 114 selects an aspect of the purchase data stored in the network authentication credential directory. In some embodiments, the network control circuit 114 establishes an aspect of the purchase data as an authentication credential prior to receiving a connection request from the customer computer device 140. This way, upon receipt of a connection request from the customer computer device 140, the merchant network agent 110 retrieves the established credential and compares it to any responses provided by the customer. In some embodiments, the merchant network agent 110 updates the authentication credential associated with the customer computing device 140 each time a connection request is received from the customer computing device 140. In some embodiments, the network control circuit 114 periodically (e.g., weekly) updates the authentication credential associated with the customer computing device 140.
In some embodiments, rather than receiving information regarding customer transactions from the merchant computing system 120, the network control circuit 114 is configured to transmit a notification signal to the merchant computing system 120 upon receipt of a connection request from the customer computing device 140. In such embodiments, the merchant computing system 120 may authenticate the connection request or provide an authentication credential to the merchant network agent 110.
In some embodiments, the network control circuit 114 is configured to establish accounts for customers who connect to the merchant local network but do not yet have accounts with the merchant. For example, the network control circuit 114 may determine if a particular customer has an account with a merchant based on communications with the customer computing device 140. For example, if the directory maintained in the merchant network agent 110 does not contain a MAC address associated with the customer computing device 140, the network control circuit 114 may determine that the customer does not have an account (or at least that the customer computing device 140 is not associated with the customer's account). In such cases, the merchant network agent 110 may transmit a registration packet to the customer computing device 140. The registration packet may prompt the customer to indicate a preference to establish a shared secret authentication credential for accessing the merchant local network 105.
In some embodiments, in response to the customer indicating a preference to establish a shared secret credential, the merchant network agent 110 (or the merchant computing system 120 or an external server) may transmit an application (e.g., the merchant client application 144 described below) to the customer computing device 140. The application may enable the customer to register payment accounts with the merchant computing system 120. As such, when the customer uses the registered payment accounts to engage in a transaction at the merchant, the merchant computing system 120 is able to tie the transactions to a particular customer account and render information regarding the transactions usable as an authentication credential for the merchant local network 105. Additionally, the application may enable the customer to view information regarding previous transaction at the merchant, thus facilitating the use of such information as a network authentication credential.
Still referring to
An output aspect of the merchant I/O device 130 allows users to receive information from the merchant computing system 120 and may include, for example, a digital display, a speaker, illuminating icons, LEDs, and so on. In some embodiments, the merchant I/O device 130 includes radio frequency transceivers (e.g., RF or NFC-based transceivers) and other short range wireless transceivers (e.g., Bluetooth™, laser-based data transmitters, etc.) configured to communicate data with external devices such as the customer computing device 120. For example, via such transceivers, the customer may make a payment for a purchase via a mobile wallet.
In some embodiments, merchant I/O device 130 includes a barcode or QR code scanner configured to gather information from various codes presented to the merchant computing system 120 by the customer. For example, at the time of a customer purchase, the customer may present a product having to be purchased to an attendant at the merchant computing system 120. In response, the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130.
In some embodiments, such a scanner enables the customer to make payments for purchases at the merchant. For example, the customer may have an account with the merchant, and have installed an application (e.g., the merchant client application 144) on the customer computing device 140, enabling the customer to fund the account. The application may enable the customer computing device 140 to generate a QR code to make a payment for a purchase. In response to scanning the QR code, the merchant computing system 120 may deduct the purchase amount from the customer's account.
The customer database 124 is configured to store information regarding accounts associated with a number of customers of the merchant. Customer account information may include, for example, customer identifying information, customer login information (e.g., usernames, passwords, and the like), payment information (e.g., credit or debit card numbers, bank account numbers, mobile wallet account numbers or addresses, etc.), customer account preferences (e.g., addresses, payment methods), and customer history information (e.g., transaction histories). Additionally, customer account information stored at the customer database 124 may also include information regarding the customer computing device 140. For example, the customer database 124 may include information regarding IP addresses assigned to the customer computing device 140 by the merchant network agent 110. Additionally, the customer database 124 may store network authentication credentials established for the customer.
The account management circuit 128 is configured to manage customer accounts at the merchant. In this regard, in some embodiments, the account management circuit 128 is configured to assign data regarding various transactions via the merchant computing system 120 to customer accounts. In this regard, upon the customer providing payment information (e.g., a primary account number associated with a customer payment account at a financial institution) to the merchant computing system 120, the account management circuit 128 may query the customer database 124 to determine if the customer input account information has been previously associated with an account established by the customer. If so, the account management circuit 128 may store data regarding the transaction (e.g., product purchased, transaction amount, transaction timing, location, etc.) in a transaction entry associated with an identified account. In some embodiments, in the event that a customer makes a payment using funds of an account held by the customer at the merchant (e.g., via the QR code discussed above), the account management circuit 128 may update the customer's account funding balance to reflect the payment.
In some embodiments, the account management circuit 128 is configured to transmit customer transaction data to an external server that provides an application (e.g., the merchant client application 144) to the customer computing device 140. For example, upon identifying that a particular transaction is associated with the customer's account, the account management circuit 128 may formulate an information packet identifying the customer's account, including the transaction information for transmittal to the external computing system over the network 150. After this information is transmitted to the external system, the customer may view the transaction by accessing the merchant client application 144. As such, if an aspect of the transaction is later used (e.g., by the merchant network agent 110) as a network authentication credential but the customer forgets the transaction, then the customer is able to view the transaction in the merchant client application 144 prior to entering the credential.
In some embodiments, the account management circuit 128 is configured to manage customer network authentication credentials. In this regard, the account management circuit 128 may be configured to transmit data stored in association with a customer account to the merchant network agent 110, which may establish a subset of the data as a user network authentication credential via the methods discussed above.
In some embodiments, the account management circuit 128 is configured to establish customer network authentication credentials. In this regard, the account management circuit 128 may select a subset of transaction information stored in association with a customer's account in the customer database 124 to establish as a customer network authentication credential. In some embodiments, the selection is based in part on previous customer network authentication credentials. For example, the account management circuit 128 may maintain a log of customer network authentication credentials used at various times and update the customer's authentication credential (e.g., to correspond to a different transaction of the customer or a different aspect of a transaction). If the customer's current network authentication credential has been used for more than a predetermined period, for example, the account management circuit 128 may select a subset of data among data describing the customer's most recent transactions at the merchant for establishment as a network authentication credential.
To establish the selected data as a customer network authentication credential, the account management circuit 128 may cause the merchant computing system 120 to transmit the credential to the merchant network agent 110. The merchant network agent 110 may store the credential in association with the customer computing device 140 (e.g., based on a MAC address) such that, when the next request to connect to the merchant local network 105 is received from the customer computing device 140, the customer is required to input information regarding a previous transaction to access the merchant local network 105. It should be understood that, according to various embodiments, the shared secret can be used for authentication using any of various methods such as challenge-response or it can be used as an input to a key derivation function to produce one or more keys to use for encrypting and/or MACing messages.
The transaction circuit 126 is configured to formulate transaction requests associated with various purchases of the customer. As such, the transaction circuit 126 is communicably coupled to the merchant I/O device 130, customer database 124, and network interface 122. For example, upon receiving customer payment information regarding a customer purchase, the transaction circuit 126 determines a total transaction amount (e.g., based on the identity of the product being purchased), bundles the total with the customer payment information to make a transaction request, and transmits the transaction request to a financial institution (e.g., associated with a customer payment card or mobile wallet) over the network 150. The financial institution may authorize the transaction and provide an indication of the authorization to the merchant computing system 120 over the network 150.
Still referring to
In the example shown, the customer computing device 140 includes a customer network interface 142 enabling the customer computing device 140 to exchange data over the network 150, a merchant client application 144, and a customer I/O device 146. The customer I/O device 146 includes hardware and associated logics configured to enable the customer computing device 140 to exchange information with a customer (e.g., via hardware and associated logics similar to that discussed above with respect to the merchant I/O device 130).
The merchant client application 144 is structured to provide various displays on the customer computing device 140 that enable the customer to view information regarding various transactions engaged in by the customer at the merchant. Additionally, the displays may also enable the customer to register payment cards (e.g., debit cards, credit cards, and the like) with the merchant, and to fund a customer account at the merchant so as to enable the customer to engage in transactions at the merchant via the merchant client application 144 (e.g., via a QR code or the like).
In this regard, the merchant client application 144 may be communicably coupled to the merchant computing system 120 (or another external computing system configured to provide the merchant client application 144 to the customer computing device 140). In some embodiments, the merchant client application 144 is a separate software application implemented on the customer computing device 140. The merchant client application 144 may be downloaded by the customer computing device 140, be hard coded into the memory of the customer computing device 140, or be a web-based interface application such that the merchant client application 144 may provide a web browser to the application, which may be executed remotely from the customer computing device 140. In the latter instance, the customer may have to log onto or access the web-based interface before usage of the application. Further, and in this regard, the merchant client application 144 may be supported by a separate computing system including one or more servers, processors, network circuits, and so on that transmit applications for use to the customer computing device 140. In certain embodiments, the merchant client application 144 includes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications with the merchant client application 144.
Referring now to
At 202, a request to connect to the merchant local network 105 is received. For example, the customer may bring a customer computer device 140 within the range of the wireless signal broadcasted by the merchant network agent 110 such that the name of the merchant local network 105 shows up on the customer computing device 140 (e.g., as wireless network option to connect to). The customer may select the name, thereby causing a connection request to be transmitted by the customer computing device 140 to the merchant network agent 110.
At 204, the customer is presented with a network security preference interface. In some embodiments, the merchant network agent 110 determines if the customer has already established a shared secret network authentication credential based on the connection request received at 202. For example, the network control circuit 114 may query a database with a unique identifier (e.g., MAC address) included in the connection request. If the identifier is not in the database, the network control circuit 114 may determine that the customer has not established a shared secret network authentication credential and transmit a registration packet to the customer computing device 140. The registration packet may cause the customer computing device 140 (e.g., via a web browser) to present the customer with an interface enabling the customer to indicate a preference to establish the shared secret credential.
Referring now to
The interface 300 includes a username entry field 302, a password field 304 and a shared secret preference window 304. The username entry field 302 and password entry field 304 are configured to receive a customer-input network credentials. Upon the customer inputting a credential into the credential entry field 302, the customer-input password may be transmitted to the merchant network agent 110, which may compare the customer-input credentials to a pre-established password for the merchant local network 105. The shared secret preference window 304 is configured to receive a customer input to establish a shared secret network credential for the merchant local network 105 via a customer preference selection button 306. In some embodiments, the shared secret preference window prompts the customer to indicate whether the customer has an account (e.g., a loyalty account) at the merchant. In some embodiments, the interface 300 may prompt the customer to input credentials (e.g., a username and password) associated with an account at the merchant.
Referring again to
At 208, upon receiving a customer input to establish a shared secret network credential, the merchant network agent 110 determines if the customer has established an account with the merchant. In some embodiments, the merchant network agent 110 makes this determination based on an input received from the customer. For example, based on information (e.g., authentication credentials) provided by the customer in response to the authorization packet transmitted to the customer computing device 140 at 206, the merchant network agent 110 may access a directory (e.g., the customer database 124) that includes information regarding various customer accounts. If the information input by the customer matches that of an account stored in the directory, then the merchant network agent 110 may determine that the customer has an account with the merchant. In some embodiments, the merchant network agent 110 maintains such a directory. In some embodiments, the merchant network agent 110 communicates with the merchant computing system 120, which maintains the directory, to determine if the customer has an account.
At 210, if the customer has an account with the merchant, customer account information is retrieved. In some embodiments, based on information received from the customer at 206, the merchant network agent 110 requests and receives information regarding a customer account from the merchant computing system 120. The requested information may contain information describing various aspects of the customer's account with the merchant (e.g., information regarding various customer transactions at the merchant). In some embodiments, a database similar to the customer database 124 is maintained at the merchant network agent 110, and the network control circuit 114 retrieves the customer account information based on information received from the customer computing device 140.
At 212, parameters of a prior customer transaction at the merchant are established as an initial shared secret network authentication credential. In this regard, the network control circuit 114 or merchant computing system 120 may perform a multi-step process to select the credential. First, a prior customer transaction (or prior customer interaction) at the merchant is selected. For example, in some embodiments, the network control circuit 114 selects the most recent transaction engaged in by the customer for establishment as a shared secret network authentication credential. In some embodiments, the network control circuit 114 selects from amongst a number of customer transactions that occurred within a predetermined time period of the customer indicating the preference to establish a shared secret network authentication credential. In some embodiments, rather than the network control circuit 114 selecting the customer transaction, such a selection is performed at the merchant computing system 120 (e.g., via the account management circuit 128).
Upon selecting a customer transaction, the network control circuit 114 selects a parameter of the selected transaction to establish as the shared secret. In various embodiments, the network control circuit 114 randomly selects from a number of different parameters such as timing, location, transaction amount, and the identity of the product purchased. To establish the selected parameter as the shared secret, the network control circuit 114 may transmit a second authorization packet to the customer computing device 140. The second authorization packet may cause the customer computing device 140 to present an additional interface to the customer. The additional interface may query the customer regarding the selected parameter for the prior customer transaction at the merchant.
Turning now to
In various embodiments, the customer-input response must meet predetermined criteria prior to the customer being authorized to fully access the merchant local network 105. For example, in some embodiments, the customer-input response must match the selected parameter prior to the customer being authorized to connect to the merchant local network 105. To illustrate, in the example shown in
In some embodiments, upon the customer initially indicating a preference to establish a shared secret authentication credential for the merchant local network 105 (e.g., at 206), the directory at the merchant network agent 110 is updated such that the customer will automatically be prompted to input a shared secret prior to connecting to the merchant local network 105. In some embodiments, the customer's account settings are updated at the merchant computing system 120. For example, the directory information stored at the merchant network agent 110 may also be stored at the merchant computing system 120 or an external server. The directories at various other network agents (e.g., similar to the merchant network agent 110) affiliated with the merchant are also similarly updated. As such, when the customer seeks to access additional local network associated with the merchant (e.g., at a location different from the location of the merchant local network 105), the customer is also prompted to input a shared secret.
Referring back to
In some embodiments, the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing customer to download an application (e.g., the merchant client application 144). Within the application, the customer may establish a set of login credentials for the new account. Additionally, the customer may register a payment account (e.g., a credit account or a debit account) within the application. The registered payment account may be used to fund the customer's account, enabling the customer to engage in transactions at the merchant using the customer account via the application. Additionally, the linking of a customer payment account to the customer's account at the merchant enables the merchant to link future customer purchases with the customer's account. As such, upon the customer engaging in transaction in the future at the merchant using the customer's account at the merchant, information regarding such transactions (e.g., regarding price, location, timing, product purchased, etc.) may be stored at the merchant computing system 120 (e.g., at the customer database 124) in relation to the customer's account.
In some embodiments, upon the customer establishing an account at the merchant, the customer is authorized to fully access the merchant local network 105 (e.g., during a time period after the request to connect to the merchant local network 105 was received at 202). For example, the customer may be prompted to input a password or the like that has been pre-established at the merchant. Alternatively, the customer may be automatically permitted to access the merchant local network 105 upon establishment of the customer's account. In various embodiments, the merchant network agent 110 assigns an IP address to the customer computing device 140 and stores the IP address in relation to a unique identifier (e.g., MAC address) received in previous communications with the customer computing device 140. As such, the same IP address may be assigned to the customer computing device 140 when the customer requests to access the merchant local network in the future.
At 216, data regarding a customer transaction is received. For example, at a later time, the customer may utilize the merchant client application 144 on the customer computing device 140 to engage in a transaction at the merchant. As discussed above the merchant client application 144 may include a mobile payment capability that provides customer payment credentials to the merchant computing system 120. For example, the merchant client application may generate a QR code having information regarding the customer account encoded thereon for presentation to a scanner included in the merchant I/O device 130. Upon scanning the QR code, the merchant computing system 120 (e.g., via the transaction circuit 126) deducts funds from the customer's account and stores information regarding the transaction in association with the customer's account in the customer database 124.
At 218, after the transaction is completed, the account management circuit 128 may establish a parameter of the transaction as a shared secret network authentication credential for the customer. In this regard, the account management circuit 128 may select a parameter of the transaction and transmit the parameter to the merchant network agent 110 for storage in a device directory (e.g., in association with the IP address previously assigned to the customer computing device 140). As such, upon the customer requesting to access the merchant local network 105 via the customer computing device 140 at a later time, the merchant network agent 110 prompts the customer to input information regarding the selected parameter (e.g., via an interface similar to the interface 400 discussed above).
Referring now to
At 502, a request to connect to the merchant local network 105 is received. For example, while the customer computing device 140 is within range of a wireless network signal broadcast by the merchant network agent 110 (e.g., while the customer is at a brick-and-mortar location associated with a particular merchant), the customer may indicate a preference to connect to merchant local network 105. In response to the customer indicating such a preference, the customer computing device 140 may establish a communications channel with the merchant network agent 110 via any established protocol and provide a network connection request to the merchant network agent 110.
At 504, the customer computing device 140 is identified based on the received request. In various embodiments, the request to connect to the merchant local network 105 received by the merchant network agent 110 includes an identifier (e.g., MAC address) associated with the network interface 142 of the customer computing device 140. As discussed above, assuming the customer computing device 140 has connected to the merchant local network 105 prior to the time of receipt of the network connection request at 502, this identifier may be stored in a device directory of the merchant network agent 110. As such, the network control circuit 114 may identify the customer computing device 140 based on the request received at 502 via the directory.
At 506, a shared secret network authentication credential for the customer computing device 140 is determined. In some embodiments, the network control circuit 114 retrieves a pre-established shared secret credential from the memory of the merchant network agent 110. In some embodiments, the merchant computing system 120 performs a process to provide shared secret credentials to the merchant network agent 110. For example, the merchant computing system 120 may periodically retrieve data from the customer database 124 that is associated with customers who have registered for a shared secret credential (e.g., via the method 200 discussed above), select a parameter regarding a recent customer transaction (e.g., a customer transaction within a predetermined time period), and provide information regarding the parameter to the merchant network agent 110 for storage in association with the customer computing device 140 in the device directory.
In some embodiments, each time the customer engages in a transaction with the merchant via a customer account established at the merchant, the merchant computing system 120 undergoes a process to update the customer's shared secret network authentication credential. This way, an aspect of the customer's most recent transaction at the merchant is always used as the shared secret, and the customer is most likely to remember various aspects of the transaction. As such, upon the merchant computing system 120 receiving data regarding a customer transaction (e.g., a payment from the customer via an account with the merchant, the scanning of a customer loyalty card, etc.), the account management circuit 128 selects an aspect of the transaction and transmits data regarding that aspect to the merchant network agent 110 in association with a customer account identifier. In response, the merchant network agent 110 updates an entry in the directory of devices associated with the customer computing device 140. This way, upon receipt of a connection request from the customer computing device 140, the merchant network agent 110 retrieves the shared secret.
In some embodiments, each time the merchant network agent 110 receives a request from the customer computing device 140 to connect to the merchant local network 105, the shared secret credential is updated. Accordingly, the merchant network agent 110 may store information regarding recent transactions of the customer, or the merchant network agent 110 may query the customer database 124 of the merchant computing system 120 in response to receiving the connection request from the customer computing device 140 for information regarding recent transactions of the customer. From the information regarding recent transactions of the customer, the network control circuit 114 may select an aspect of a recent customer transaction to establish as the shared secret credential.
In some embodiments, in response to receiving the connection request, the merchant network agent 110 requests the merchant computing system 120 to formulate a customer shared secret credential. In response the merchant computing system 120 (e.g., via the account management circuit 128) retrieves customer account information from the customer database 124, selects an aspect of a customer transaction to utilize as a shared secret, and transmits the shared secret to the merchant network agent 110.
At 508, the customer is queried regarding the shared secret. In various embodiments, after determining the customer shared secret, the merchant network agent 110 transmits an authorization packet to the customer computing device 140. The authorization packet may cause an interface (e.g., similar to the interface 400 discussed in relation to
At 510, the network control circuit 114 determines if the customer-input response matches the customer shared secret credential for the purpose of authenticating the connection request. In some embodiments, the customer-input response may be within a predetermined threshold of the actual shared secret to authenticate the customer. For example, if the customer shared secret corresponds to an amount of a recent customer transaction, then the network control circuit 114 may compare a customer-input response to an actual amount of a previous customer transaction. If the customer-input response is within a threshold of the actual amount, the customer may be authenticated. In some situations, the customer-input response must exactly match an aspect of a previous customer transaction in order for the customer to be authenticated. For example, if the customer shared secret is the identity of a product, then the customer must input the correct product name in order to be authenticated.
If the customer-input response does not match the shared secret, then the connection request is denied at 512. As a result, the customer is prevented from having full access to the merchant local network 105. However, if the customer-input response matches the shared secret, the connection request is authorized at 514. As such, the customer computing device 140 is able to communicate data over the network 150 via a connection with the merchant local network 105. Additionally, because the shared secret credential involves an actual transaction of the customer at the merchant, the customer is able to ascertain the legitimacy of the merchant local network 105. This way, it is difficult for fraudsters to emulate the authentication processes described herein, as fraudsters will not have access to data regarding customer accounts at the merchant.
The embodiments described herein have been described with reference to drawings. The drawings illustrate certain details of specific embodiments that implement the systems, methods, and programs described herein. However, describing the embodiments with drawings should not be construed as imposing on the disclosure any limitations that may be present in the drawings.
It should be understood that no claim element herein is to be construed under the provisions of 35 U.S.C. § 112(f), unless the element is expressly recited using the phrase “means for.”
As used herein, the term “circuit” may include hardware structured to execute the functions described herein. In some embodiments, each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein. The circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc. In some embodiments, a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.” In this regard, the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein. For example, a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.
The “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices. In this regard, the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors. In some embodiments, the one or more processors may be embodied in various ways. The one or more processors may be constructed in a manner sufficient to perform at least the operations described herein. In some embodiments, the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory). Alternatively or additionally, the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors. In other example embodiments, two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution. Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory. The one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc. In some embodiments, the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
An exemplary system for implementing the overall system or portions of the embodiments might include general purpose computing devices in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc. In some embodiments, the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc. In other embodiments, the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media. In this regard, machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.
It should also be noted that the term “input device,” as described herein, may include any type of input device or input devices including, but not limited to, a keyboard, a keypad, a mouse, joystick, or other input devices capable of performing a similar function. Comparatively, the term “output device,” as described herein, may include any type of output device or output devices including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices capable of performing a similar function.
Any foregoing references to currency or funds are intended to include fiat currencies, non-fiat currencies (e.g., precious metals), and math-based currencies (often referred to as cryptocurrencies). Examples of math-based currencies include Bitcoin, Litecoin, Dogecoin, and the like.
It should be noted that although the diagrams herein may show a specific order and composition of method steps, it is understood that the order of these steps may differ from what is depicted. For example, two or more steps may be performed concurrently or with partial concurrence. Also, some method steps that are performed as discrete steps may be combined, steps being performed as a combined step may be separated into discrete steps, the sequence of certain processes may be reversed or otherwise varied, and the nature or number of discrete processes may be altered or varied. The order or sequence of any element or apparatus may be varied or substituted according to alternative embodiments. Accordingly, all such modifications are intended to be included within the scope of the present disclosure as defined in the appended claims. Such variations will depend on the machine-readable media and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the disclosure. Likewise, software and web implementations of the present disclosure could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various database searching steps, correlation steps, comparison steps, and decision steps.
The foregoing description of embodiments has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from this disclosure. The embodiments were chosen and described to explain the principals of the disclosure and its practical application to enable one skilled in the art to utilize the various embodiments and with various modifications as are suited to the particular use contemplated. Other substitutions, modifications, changes, and omissions may be made in the design, operating conditions, and arrangement of the embodiments without departing from the scope of the present disclosure as expressed in the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
7024557 | Moles et al. | Apr 2006 | B1 |
7240202 | Orman | Jul 2007 | B1 |
7349871 | Labrou et al. | Mar 2008 | B2 |
7577836 | Puranik et al. | Aug 2009 | B2 |
8423476 | Bishop | Apr 2013 | B2 |
8700729 | Dua | Apr 2014 | B2 |
8719573 | Ran et al. | May 2014 | B2 |
8751801 | Harris | Jun 2014 | B2 |
9038196 | Liberman et al. | May 2015 | B2 |
9100175 | Nix | Aug 2015 | B2 |
9298898 | Koch | Mar 2016 | B2 |
20090037269 | Bassemir | Feb 2009 | A1 |
20100242104 | Wankmueller | Sep 2010 | A1 |
20110302607 | Warrick | Dec 2011 | A1 |
20120184274 | Lopresti et al. | Jul 2012 | A1 |
20120192258 | Spencer | Jul 2012 | A1 |
20130124285 | Pravetz et al. | May 2013 | A1 |
20140068723 | Grim | Mar 2014 | A1 |
20140189829 | McLachlan | Jul 2014 | A1 |
20140195380 | Jamtgaard | Jul 2014 | A1 |
20140248852 | Raleigh | Sep 2014 | A1 |
20150026779 | Ilsar et al. | Jan 2015 | A1 |
20150088746 | Hoffman | Mar 2015 | A1 |
20150088756 | Makhotin | Mar 2015 | A1 |
20150120559 | Fisher | Apr 2015 | A1 |
20150195289 | Kalgi | Jul 2015 | A1 |
20150312780 | Wang et al. | Oct 2015 | A1 |
20160088026 | Abdul et al. | Mar 2016 | A1 |
20160191499 | Momchilov et al. | Jun 2016 | A1 |
20160212695 | Lynch et al. | Jul 2016 | A1 |
20170118190 | Livesay | Apr 2017 | A1 |
20180285877 | Bracconeri | Oct 2018 | A1 |
Entry |
---|
Kindberg et al., “Authenticating public wireless networks with physical evidence”, 2009 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, IEEE 2009. 6 pages. |
Kiwan et al., “Advanced Security Methodologies for Spontaneous Networks”, Electric Vehicle Conference (IEVC) 2013 IEEE International. 7 pages. |