US20230291550A1 - Systems and methods for network authentication with a shared secret - Google Patents

Systems and methods for network authentication with a shared secret Download PDF

Info

Publication number
US20230291550A1
US20230291550A1 US18/199,722 US202318199722A US2023291550A1 US 20230291550 A1 US20230291550 A1 US 20230291550A1 US 202318199722 A US202318199722 A US 202318199722A US 2023291550 A1 US2023291550 A1 US 2023291550A1
Authority
US
United States
Prior art keywords
customer
purchase
merchant
network
computing system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US18/199,722
Inventor
Christopher P. Clausen
Jeffrey A. Cornman
David J. Dietrich
Jinee K. Ellis
Chirstopher P. Smith
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wells Fargo Bank NA
Original Assignee
Wells Fargo Bank NA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wells Fargo Bank NA filed Critical Wells Fargo Bank NA
Priority to US18/199,722 priority Critical patent/US20230291550A1/en
Publication of US20230291550A1 publication Critical patent/US20230291550A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/622Layer-2 addresses, e.g. medium access control [MAC] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5007Internet protocol [IP] addresses
    • H04L61/5014Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • the fraudster establishes a network access point (e.g., a mobile hotspot) in a location associated with a legitimate network (e.g., a network associated with a merchant).
  • the fraudster configures the access point to mimic the legitimate network (e.g., in name and appearance).
  • Individuals connect to the fraudulent network and communicate private information (e.g., payment credentials) with various other entities.
  • the fraudster intercepts these communications and gains access to the private information.
  • An embodiment relates to a computer-implemented method.
  • the method can include associating, by a computing system, system associated with a merchant, a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving, by the computing system, the first request to connect to the network provided by the merchant from the customer device after completion of the purchase, selecting, by the computing system, the financial transaction based on the predetermined time period and the merchant, transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving, by the computing system, a customer-input response to the first query,
  • the computing system can include a network interface enabling the computing system to exchange information over a network provided by the merchant, a customer database configured to store information pertaining to a plurality of customer purchases of a plurality of customers, wherein the customer purchases are from the merchant, and a processing circuit configured to associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receive, by the network interface, the first request to connect to the network from the customer device after completion of the first purchase, select the financial transaction based on the predetermined time period and the merchant, transmit, by the network interface, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication
  • Another embodiment relates to a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by a computing system, causes the computing system to perform operations to authorize a request to connect to a network.
  • the operations can include associating a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving the first request to connect to a network from the customer device after completion of the first purchase, selecting the financial transaction based on the predetermined time period and the merchant, transmitting a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving a customer-input response to the
  • FIG. 1 is a block diagram of a network security system, according to an example embodiment.
  • FIG. 2 is a flow diagram of a method of establishing a shared secret network authentication credential with a customer, according to an example embodiment.
  • FIG. 3 is a network security user interface, according to an example embodiment.
  • FIG. 4 is another network security user interface, according to an example embodiment.
  • FIG. 5 is a flow diagram of a method of authorizing a network connection request, according to an example embodiment.
  • the figures include a merchant computing system associated with a merchant.
  • a customer may engage in a transaction at the merchant and also seek to connect to a network (e.g., a local network established via a Wi-Fi connection) provided by the merchant.
  • a network e.g., a local network established via a Wi-Fi connection
  • the merchant computing system enables the customer to establish a shared secret as a network authentication credential.
  • the shared secret may be generated based on the relationship (e.g., past financial or non-financial transactions) between the customer and the merchant.
  • systems and methods disclosed herein enable mutual (two-way) authentication between the customer and the merchant. As such, the systems and methods disclosed herein facilitate enhanced security of private customer information.
  • the embodiments and implementations of the systems and methods disclosed herein improve current network authentication systems by enabling customers to establish dynamic authentication credentials for networks at specific locations. For example, on an airline, the customer’s seat number may be established as a network authentication credential. Such credentials make it much more difficult for fraudsters to emulate networks provided at various merchants. If the customer is not asked for the credential when attempting to access the network, then the customer is made aware of the potential for fraud.
  • the systems and methods disclosed herein provide a unique solution to the problem of establishing a shared secret credential between a customer and a merchant.
  • the systems and methods disclosed herein utilize information regarding a first service provided by the merchant to a customer (e.g., the sale of a product) to authenticate the customer with respect to a second service (e.g., connection to a local network) provided by the merchant to the customer.
  • a second service e.g., connection to a local network
  • the merchant may pre-emptively establish information regarding the first service to authenticate the customer with respect to the second service.
  • a shared secret credential including information known or readily available may be available for use in authenticating the customer. This is a benefit over current systems, which may require the customer to obtain information (e.g., read a unique code) prior to a shared-secret credential being established. As such, the systems and methods disclosed herein provide efficiency and security benefits and a more convenient customer experience over current systems.
  • the systems and methods disclosed herein provide for greater flexibility in terms of customer authentication processes than provided by current systems.
  • the merchant may select data regarding a first customer transaction as a shared secret credential.
  • the merchant may select data regarding a second customer transaction.
  • the first and second customer transactions may occur in any order (e.g., the second customer transaction may occur prior to the first customer transaction). Due to this flexibility, the merchant may regularly update the customer’s shared secret credential, even if no additional information regarding the customer becomes available between customer utilizations of the second service. Such updating further enhances the security of customer information.
  • the systems, methods, and computer implementations disclosed improve current network security methods by providing functionalities that are novel and non-obvious over current systems.
  • FIG. 1 a block diagram of a network security system 100 is shown according to an example embodiment.
  • the network security system 100 facilitates enhanced security of a merchant local network 105 by establishing a shared secret between a customer and a merchant as a network authentication credential.
  • the network security system 100 includes a merchant network agent 110 and a merchant computing device 120 , both associated with a merchant, and a customer computing device 140 associated with a customer.
  • Various components of the network security system 100 may be configured to communicate over the network 150 .
  • the network 150 is a data exchange medium, which may include wireless networks (e.g., cellular networks, Bluetooth®, WiFi, Zigbee®, etc.), wired networks (e.g., Ethernet, DSL, cable, fiber-based, etc.), or a combination thereof.
  • the network 150 includes the internet.
  • the merchant network agent 110 is a device associated with the merchant and configured to generate the merchant local network 105 through being communicatively coupled to the network 150 .
  • the merchant may be any entity that provides any sort of product or service to customers.
  • the merchant may be a financial institution, a brick-and-mortar merchant (e.g., a restaurant or a coffee shop), an airport, or any other entity.
  • Merchant network agent 110 may include any device capable of establishing a connection and communicating data with an external device.
  • the merchant network agent 110 includes a wireless router configured to communicate information over the network 150 and generate wireless signals that are broadcasted to create the merchant local network 105 .
  • the merchant network agent 110 is shown to include a wide area network interface 112 which enables the network agent 110 to exchange data over the network 150 , a network control circuit 114 , and an access point 116 .
  • the access point 116 is configured to broadcast a wireless network signal capable of being received by external computing devices (e.g., the merchant computing system 120 , the customer computing device 140 , etc.) to facilitate the connection of the external computing devices to create the merchant local network 105 .
  • the wireless network signal broadcasted by the access point 116 may generate a wireless personal area network (WPAN), and include, for example, a Bluetooth® radio signal or infrared signal.
  • the wireless network includes a WiFi signal, a WiMAX signal, wireless WAN signal, or the like.
  • the wireless network signal broadcasted by the merchant network agent 110 is received by other computing devices, such as the customer computing device 140 and merchant computing system 120 .
  • the other devices may be authenticated by the methods disclosed herein to gain complete access to the merchant local network 105 .
  • encryption keys may be exchanged between the customer computing device 140 and the merchant network agent 110 enabling the customer computing device 140 to exchange information with additional computing systems.
  • the merchant network agent 110 provides external devices with access to an external network (e.g., the network 150 ).
  • the wireless network signal broadcasted by the access point 116 includes a unique identifier associated with the merchant local network 105 .
  • the unique identifier includes a name of the merchant local network 105 , which may be associated with the name of the merchant.
  • the customer computing device 140 may display the name of the merchant local network 105 to the customer and enable the customer to request to establish a connection with the merchant local network 105 .
  • Such an arrangement creates an opportunity for fraudsters to steal private information, as fraudsters may create networks having a unique identifier that mimics the unique identifier associated with the merchant local network 105 .
  • the network control circuit 114 is configured to manage connections between the merchant network agent 110 and various other external devices.
  • the network control circuit 114 may include an authentication circuit (not shown) configured to authenticate requests to connect to the merchant local network 105 received from external devices.
  • the merchant network agent 110 in response to the merchant network agent 110 receiving a request to connect to the merchant local network 105 from a requestor, the merchant network agent 110 transmits an authentication packet to the customer computing device 140 via the network control circuit 114 .
  • the authentication packet requests at least one authentication credential (e.g., a password) from the requestor.
  • the network control circuit 114 may compare the requestor-input response to a stored value and authenticate the request if a match is found.
  • the password may be a shared secret credential established for the customer based on a pre-existing relationship between the customer and merchant (e.g., a customer account).
  • the password may be based on a credential associated with a payments platform utilized by the customer to pay the merchant.
  • the network control circuit 114 may request mobile wallet credentials associated with a mobile wallet of the customer, and the network control circuit 114 may initiate communications with a mobile wallet computing system associated with the provider of the customer’s mobile wallet to verify that customer-input mobile wallet credentials match credentials stored at the mobile wallet computing system (e.g., the mobile wallet computing system may verify the customer-input credentials and notify the merchant network agent 110 of the verification).
  • the network control circuit 114 is configured monitor the various devices that are connected to the merchant local network 105 .
  • the merchant network agent 110 may assign an IP address to the customer computing device 140 via the Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the merchant network agent 110 may select an IP address from a pool of IP addresses stored at the merchant network agent 110 for customer computing devices 140 and temporarily or permanently assign the selected IP address to the customer computing device 140 .
  • a network interface e.g., the network interface 142
  • the customer computing device 140 has a unique identifier (e.g., a MAC address) associated therewith.
  • Communications between the customer computing device 140 and the merchant network agent 110 may include the unique identifier.
  • the network control circuit 114 may maintain a log of the various IP addresses assigned based on such unique identifiers. This way, based on the IP addresses currently assigned by the merchant network agent 110 , the merchant network agent 110 may identify the specific external devices (and the identities of the customers associated therewith) connected to the merchant local network 105 .
  • the network control circuit 114 is configured to operate in concert with the merchant computing system 120 to authenticate requests to connect to the merchant local network 105 .
  • the network control circuit 114 receives data indicative of interactions (e.g., transactions) between the customer and the merchant, and establishes the received data as a network authentication credential for the customer.
  • the network control circuit 114 maintains an authentication credential directory.
  • Such a directory may include a number of entries associated with various devices that have connected to the merchant local network 105 .
  • each entry is associated with a MAC address of an external device.
  • the entries may include information regarding a plurality of transactions engaged in by the customer associated with the device.
  • the network control circuit 114 may generate a temporary network authentication credential used to authenticate the customer computing device 140 prior to authorizing connection of the external device to the merchant local network 105 .
  • the customer purchases a product (e.g., a cup of coffee) at a merchant.
  • the customer may provide payment information to the merchant (e.g., via the merchant computing system 120 ).
  • payment information may include, for example a customer account number at a financial institution.
  • the merchant computing system 120 may provide the received payment information to the merchant network agent 110 .
  • the merchant computing system 120 may transmit additional information (e.g., an identity of the purchased product, the amount of the purchase, the timing of the transaction, etc.) to the merchant network agent 110 .
  • the network control circuit 114 may establish an aspect of the data received from the merchant computing system 120 as a network authentication credential for the customer. To do this, the network control circuit 114 may first associate the received information regarding the purchase with an entry in the directory of network authentication credentials discussed above.
  • the directory may include a lookup table that matches portions of customer payment information (or information associated with an account of the customer at the merchant) to a particular external device (e.g., the customer computing device 140 ).
  • the merchant network agent 110 may associate the information regarding the customer purchase with the customer computing device 140 .
  • the network control circuit 114 may select an aspect of the purchase information (e.g., a transaction amount, a product identity, etc.) to establish as a network authentication credential for the customer.
  • the network control circuit 114 selects an aspect of the purchase data as an authentication credential upon receipt of a request to connect to the merchant local network 105 from the customer computer device 140 . For example, based on a MAC address received from the customer computing device 140 , the network control circuit 114 selects an aspect of the purchase data stored in the network authentication credential directory. In some embodiments, the network control circuit 114 establishes an aspect of the purchase data as an authentication credential prior to receiving a connection request from the customer computer device 140 . This way, upon receipt of a connection request from the customer computer device 140 , the merchant network agent 110 retrieves the established credential and compares it to any responses provided by the customer.
  • the merchant network agent 110 updates the authentication credential associated with the customer computing device 140 each time a connection request is received from the customer computing device 140 .
  • the network control circuit 114 periodically (e.g., weekly) updates the authentication credential associated with the customer computing device 140 .
  • the network control circuit 114 is configured to transmit a notification signal to the merchant computing system 120 upon receipt of a connection request from the customer computing device 140 .
  • the merchant computing system 120 may authenticate the connection request or provide an authentication credential to the merchant network agent 110 .
  • the network control circuit 114 is configured to establish accounts for customers who connect to the merchant local network but do not yet have accounts with the merchant. For example, the network control circuit 114 may determine if a particular customer has an account with a merchant based on communications with the customer computing device 140 . For example, if the directory maintained in the merchant network agent 110 does not contain a MAC address associated with the customer computing device 140 , the network control circuit 114 may determine that the customer does not have an account (or at least that the customer computing device 140 is not associated with the customer’s account). In such cases, the merchant network agent 110 may transmit a registration packet to the customer computing device 140 . The registration packet may prompt the customer to indicate a preference to establish a shared secret authentication credential for accessing the merchant local network 105 .
  • the merchant network agent 110 in response to the customer indicating a preference to establish a shared secret credential, may transmit an application (e.g., the merchant client application 144 described below) to the customer computing device 140 .
  • the application may enable the customer to register payment accounts with the merchant computing system 120 .
  • the merchant computing system 120 is able to tie the transactions to a particular customer account and render information regarding the transactions usable as an authentication credential for the merchant local network 105 .
  • the application may enable the customer to view information regarding previous transaction at the merchant, thus facilitating the use of such information as a network authentication credential.
  • the merchant computing system 120 is a computing system associated with the merchant.
  • the merchant computing system 120 includes a network interface 122 which enables the merchant computing system 120 to communicate data over the merchant local network 105 , a customer database 124 , a transaction circuit 126 , an account management circuit 128 , and a merchant input/output (“I/O”) device 130 .
  • the merchant I/O device 130 includes hardware and associated logics configured to enable the merchant computing system 120 to exchange information with a customer and other merchant personnel.
  • An input aspect of merchant I/O device 130 allows various users to provide information to the merchant computing system 120 and may include, for example, a mechanical keyboard, a touchscreen, a microphone, a camera, a fingerprint scanner, any user input device engageable to the merchant computing system 120 via a USB, serial cable, Ethernet cable, and so on.
  • the merchant I/O device 130 includes a point of sale (POS) device (e.g., a card reader or the like) configured to receive customer payment information from a payment card or mobile wallet presented by the customer to make a purchase at the merchant.
  • POS point of sale
  • An output aspect of the merchant I/O device 130 allows users to receive information from the merchant computing system 120 and may include, for example, a digital display, a speaker, illuminating icons, LEDs, and so on.
  • the merchant I/O device 130 includes radio frequency transceivers (e.g., RF or NFC-based transceivers) and other short range wireless transceivers (e.g., BluetoothTM, laser-based data transmitters, etc.) configured to communicate data with external devices such as the customer computing device 120 . For example, via such transceivers, the customer may make a payment for a purchase via a mobile wallet.
  • radio frequency transceivers e.g., RF or NFC-based transceivers
  • other short range wireless transceivers e.g., BluetoothTM, laser-based data transmitters, etc.
  • the customer may make a payment for a purchase via a mobile wallet.
  • merchant I/O device 130 includes a barcode or QR code scanner configured to gather information from various codes presented to the merchant computing system 120 by the customer. For example, at the time of a customer purchase, the customer may present a product having to be purchased to an attendant at the merchant computing system 120 . In response, the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126 ) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130 .
  • the customer may present a product having to be purchased to an attendant at the merchant computing system 120 .
  • the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126 ) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130 .
  • such a scanner enables the customer to make payments for purchases at the merchant.
  • the customer may have an account with the merchant, and have installed an application (e.g., the merchant client application 144 ) on the customer computing device 140 , enabling the customer to fund the account.
  • the application may enable the customer computing device 140 to generate a QR code to make a payment for a purchase.
  • the merchant computing system 120 may deduct the purchase amount from the customer’s account.
  • the customer database 124 is configured to store information regarding accounts associated with a number of customers of the merchant.
  • Customer account information may include, for example, customer identifying information, customer login information (e.g., usernames, passwords, and the like), payment information (e.g., credit or debit card numbers, bank account numbers, mobile wallet account numbers or addresses, etc.), customer account preferences (e.g., addresses, payment methods), and customer history information (e.g., transaction histories).
  • customer account information stored at the customer database 124 may also include information regarding the customer computing device 140 .
  • the customer database 124 may include information regarding IP addresses assigned to the customer computing device 140 by the merchant network agent 110 .
  • the customer database 124 may store network authentication credentials established for the customer.
  • the account management circuit 128 is configured to manage customer accounts at the merchant. In this regard, in some embodiments, the account management circuit 128 is configured to assign data regarding various transactions via the merchant computing system 120 to customer accounts. In this regard, upon the customer providing payment information (e.g., a primary account number associated with a customer payment account at a financial institution) to the merchant computing system 120 , the account management circuit 128 may query the customer database 124 to determine if the customer input account information has been previously associated with an account established by the customer. If so, the account management circuit 128 may store data regarding the transaction (e.g., product purchased, transaction amount, transaction timing, location, etc.) in a transaction entry associated with an identified account. In some embodiments, in the event that a customer makes a payment using funds of an account held by the customer at the merchant (e.g., via the QR code discussed above), the account management circuit 128 may update the customer’s account funding balance to reflect the payment.
  • payment information e.g., a primary account number associated with a customer payment account
  • the account management circuit 128 is configured to transmit customer transaction data to an external server that provides an application (e.g., the merchant client application 144 ) to the customer computing device 140 .
  • an application e.g., the merchant client application 144
  • the account management circuit 128 may formulate an information packet identifying the customer’s account, including the transaction information for transmittal to the external computing system over the network 150 . After this information is transmitted to the external system, the customer may view the transaction by accessing the merchant client application 144 .
  • an aspect of the transaction is later used (e.g., by the merchant network agent 110 ) as a network authentication credential but the customer forgets the transaction, then the customer is able to view the transaction in the merchant client application 144 prior to entering the credential.
  • the account management circuit 128 is configured to manage customer network authentication credentials.
  • the account management circuit 128 may be configured to transmit data stored in association with a customer account to the merchant network agent 110 , which may establish a subset of the data as a user network authentication credential via the methods discussed above.
  • the account management circuit 128 is configured to establish customer network authentication credentials.
  • the account management circuit 128 may select a subset of transaction information stored in association with a customer’s account in the customer database 124 to establish as a customer network authentication credential.
  • the selection is based in part on previous customer network authentication credentials.
  • the account management circuit 128 may maintain a log of customer network authentication credentials used at various times and update the customer’s authentication credential (e.g., to correspond to a different transaction of the customer or a different aspect of a transaction). If the customer’s current network authentication credential has been used for more than a predetermined period, for example, the account management circuit 128 may select a subset of data among data describing the customer’s most recent transactions at the merchant for establishment as a network authentication credential.
  • the account management circuit 128 may cause the merchant computing system 120 to transmit the credential to the merchant network agent 110 .
  • the merchant network agent 110 may store the credential in association with the customer computing device 140 (e.g., based on a MAC address) such that, when the next request to connect to the merchant local network 105 is received from the customer computing device 140 , the customer is required to input information regarding a previous transaction to access the merchant local network 105 .
  • the shared secret can be used for authentication using any of various methods such as challenge-response or it can be used as an input to a key derivation function to produce one or more keys to use for encrypting and/or MACing messages.
  • the transaction circuit 126 is configured to formulate transaction requests associated with various purchases of the customer. As such, the transaction circuit 126 is communicably coupled to the merchant I/O device 130 , customer database 124 , and network interface 122 . For example, upon receiving customer payment information regarding a customer purchase, the transaction circuit 126 determines a total transaction amount (e.g., based on the identity of the product being purchased), bundles the total with the customer payment information to make a transaction request, and transmits the transaction request to a financial institution (e.g., associated with a customer payment card or mobile wallet) over the network 150 . The financial institution may authorize the transaction and provide an indication of the authorization to the merchant computing system 120 over the network 150 .
  • a financial institution e.g., associated with a customer payment card or mobile wallet
  • the customer computing device 140 is a computing device associated with a customer.
  • the customer computing device 140 may be used by the customer to connect to the merchant local network 105 .
  • the customer computing device 140 includes one or more processors and non-transitory storage mediums housing one or more logics configured to enable the customer computing device 140 to exchange data over the network, execute software applications, access websites, generate graphical customer interfaces, and perform other operations. Examples of the customer computing device 140 include a personal computer (e.g., desktop or laptop computer), smartphones, tablets, wearable computing devices (e.g., a smartwatch), and the like.
  • the customer computing device 140 may be configured to enable the customer to communicate information (e.g., transaction information) to merchant computing system 120 .
  • the customer computing device 140 includes a customer network interface 142 enabling the customer computing device 140 to exchange data over the network 150 , a merchant client application 144 , and a customer I/O device 146 .
  • the customer I/O device 146 includes hardware and associated logics configured to enable the customer computing device 140 to exchange information with a customer (e.g., via hardware and associated logics similar to that discussed above with respect to the merchant I/O device 130 ).
  • the merchant client application 144 is structured to provide various displays on the customer computing device 140 that enable the customer to view information regarding various transactions engaged in by the customer at the merchant. Additionally, the displays may also enable the customer to register payment cards (e.g., debit cards, credit cards, and the like) with the merchant, and to fund a customer account at the merchant so as to enable the customer to engage in transactions at the merchant via the merchant client application 144 (e.g., via a QR code or the like).
  • payment cards e.g., debit cards, credit cards, and the like
  • the merchant client application 144 may be communicably coupled to the merchant computing system 120 (or another external computing system configured to provide the merchant client application 144 to the customer computing device 140 ).
  • the merchant client application 144 is a separate software application implemented on the customer computing device 140 .
  • the merchant client application 144 may be downloaded by the customer computing device 140 , be hard coded into the memory of the customer computing device 140 , or be a web-based interface application such that the merchant client application 144 may provide a web browser to the application, which may be executed remotely from the customer computing device 140 . In the latter instance, the customer may have to log onto or access the web-based interface before usage of the application.
  • the merchant client application 144 may be supported by a separate computing system including one or more servers, processors, network circuits, and so on that transmit applications for use to the customer computing device 140 .
  • the merchant client application 144 includes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications with the merchant client application 144 .
  • API application programming interface
  • SDK software development kit
  • the method 200 may be performed by a combination of the merchant network agent 110 (e.g., via the network control circuit 114 ) and the merchant computing system 120 (e.g., via the account management circuit 128 ).
  • a request to connect to the merchant local network 105 is received.
  • the customer may bring a customer computer device 140 within the range of the wireless signal broadcasted by the merchant network agent 110 such that the name of the merchant local network 105 shows up on the customer computing device 140 (e.g., as wireless network option to connect to).
  • the customer may select the name, thereby causing a connection request to be transmitted by the customer computing device 140 to the merchant network agent 110 .
  • the customer is presented with a network security preference interface.
  • the merchant network agent 110 determines if the customer has already established a shared secret network authentication credential based on the connection request received at 202 .
  • the network control circuit 114 may query a database with a unique identifier (e.g., MAC address) included in the connection request. If the identifier is not in the database, the network control circuit 114 may determine that the customer has not established a shared secret network authentication credential and transmit a registration packet to the customer computing device 140 .
  • the registration packet may cause the customer computing device 140 (e.g., via a web browser) to present the customer with an interface enabling the customer to indicate a preference to establish the shared secret credential.
  • a network security interface 300 is shown, according to an example embodiment.
  • the interface 300 is presented to a customer upon the customer requesting to connect to the merchant local network 105 .
  • the merchant network agent 110 may query a database for entries regarding the customer computing device 140 . If no entries are found (e.g., if no shared secret network credential has been established for the customer computing device 140 ), then the merchant network agent 110 transmits an authorization packet to the customer computing device 140 , which presents the interface 300 to the customer.
  • the interface 300 includes a username entry field 302 , a password field 304 and a shared secret preference window 304 .
  • the username entry field 302 and password entry field 304 are configured to receive a customer-input network credentials.
  • the customer-input password may be transmitted to the merchant network agent 110 , which may compare the customer-input credentials to a pre-established password for the merchant local network 105 .
  • the shared secret preference window 304 is configured to receive a customer input to establish a shared secret network credential for the merchant local network 105 via a customer preference selection button 306 .
  • the shared secret preference window prompts the customer to indicate whether the customer has an account (e.g., a loyalty account) at the merchant.
  • the interface 300 may prompt the customer to input credentials (e.g., a username and password) associated with an account at the merchant.
  • a customer preference to establish a shared secret network authentication credential is received.
  • the customer may interact with the network security preference interface presented to the customer at 204 in such a way that indicates a customer preference to establish a shared secret network authentication credential.
  • the merchant network agent 110 determines if the customer has established an account with the merchant. In some embodiments, the merchant network agent 110 makes this determination based on an input received from the customer. For example, based on information (e.g., authentication credentials) provided by the customer in response to the authorization packet transmitted to the customer computing device 140 at 206 , the merchant network agent 110 may access a directory (e.g., the customer database 124 ) that includes information regarding various customer accounts. If the information input by the customer matches that of an account stored in the directory, then the merchant network agent 110 may determine that the customer has an account with the merchant. In some embodiments, the merchant network agent 110 maintains such a directory. In some embodiments, the merchant network agent 110 communicates with the merchant computing system 120 , which maintains the directory, to determine if the customer has an account.
  • information e.g., authentication credentials
  • customer account information is retrieved.
  • the merchant network agent 110 requests and receives information regarding a customer account from the merchant computing system 120 .
  • the requested information may contain information describing various aspects of the customer’s account with the merchant (e.g., information regarding various customer transactions at the merchant).
  • a database similar to the customer database 124 is maintained at the merchant network agent 110 , and the network control circuit 114 retrieves the customer account information based on information received from the customer computing device 140 .
  • parameters of a prior customer transaction at the merchant are established as an initial shared secret network authentication credential.
  • the network control circuit 114 or merchant computing system 120 may perform a multi-step process to select the credential.
  • a prior customer transaction (or prior customer interaction) at the merchant is selected.
  • the network control circuit 114 selects the most recent transaction engaged in by the customer for establishment as a shared secret network authentication credential.
  • the network control circuit 114 selects from amongst a number of customer transactions that occurred within a predetermined time period of the customer indicating the preference to establish a shared secret network authentication credential.
  • such a selection is performed at the merchant computing system 120 (e.g., via the account management circuit 128 ).
  • the network control circuit 114 Upon selecting a customer transaction, the network control circuit 114 selects a parameter of the selected transaction to establish as the shared secret. In various embodiments, the network control circuit 114 randomly selects from a number of different parameters such as timing, location, transaction amount, and the identity of the product purchased. To establish the selected parameter as the shared secret, the network control circuit 114 may transmit a second authorization packet to the customer computing device 140 . The second authorization packet may cause the customer computing device 140 to present an additional interface to the customer. The additional interface may query the customer regarding the selected parameter for the prior customer transaction at the merchant.
  • the interface 400 may be presented to the customer upon the merchant network agent 110 or the merchant computing system 120 selecting a parameter regarding a prior customer transaction to establish as a shared secret network authentication credential.
  • the interface 400 includes a query window 402 and a submission button 408 .
  • the query window 402 contains a description of a prior customer transaction at the merchant as well as the parameter (e.g., product identity) of that transaction that was selected to serve as the customer’s initial shared secret credential.
  • the query window 402 prompts the customer to input information regarding the selected parameter via the data field 406 .
  • the query window includes multiple options, one of which being the parameter selected to serve as the shared secret.
  • the submission button 408 is configured to receive a customer input to transmit a customer-input response to the merchant network agent 110 .
  • the customer-input response must meet predetermined criteria prior to the customer being authorized to fully access the merchant local network 105 .
  • the customer-input response must match the selected parameter prior to the customer being authorized to connect to the merchant local network 105 .
  • the customer-input description of a purchased product must match a predetermined merchant description (or one of a number predetermined merchant descriptions configured to account for customer spelling errors) of the purchased product.
  • the customer-input response must be within a threshold of the parameter selected to serve as the shared secret.
  • the customer-input amount may have to be within a predetermined percentage (e.g., 10% of the actual transaction amount) in order for the customer to be authorized to fully access the merchant local network 105 .
  • the directory at the merchant network agent 110 is updated such that the customer will automatically be prompted to input a shared secret prior to connecting to the merchant local network 105 .
  • the customer’s account settings are updated at the merchant computing system 120 .
  • the directory information stored at the merchant network agent 110 may also be stored at the merchant computing system 120 or an external server.
  • the directories at various other network agents e.g., similar to the merchant network agent 110 ) affiliated with the merchant are also similarly updated. As such, when the customer seeks to access additional local network associated with the merchant (e.g., at a location different from the location of the merchant local network 105 ), the customer is also prompted to input a shared secret.
  • the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to register for an account by providing identifying information (e.g., name, address, phone number, etc.). Additionally, the customer may also be prompted to provide payment information. Such identifying information may be transmitted by the merchant network agent 110 to the merchant computing system 120 , which generates (e.g., via the account management circuit 128 ) a customer account and stores the identifying information in association with the account.
  • identifying information e.g., name, address, phone number, etc.
  • the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing customer to download an application (e.g., the merchant client application 144 ).
  • an application e.g., the merchant client application 144
  • the customer may establish a set of login credentials for the new account.
  • the customer may register a payment account (e.g., a credit account or a debit account) within the application.
  • the registered payment account may be used to fund the customer’s account, enabling the customer to engage in transactions at the merchant using the customer account via the application.
  • the linking of a customer payment account to the customer’s account at the merchant enables the merchant to link future customer purchases with the customer’s account.
  • information regarding such transactions may be stored at the merchant computing system 120 (e.g., at the customer database 124 ) in relation to the customer’s account.
  • the customer upon the customer establishing an account at the merchant, the customer is authorized to fully access the merchant local network 105 (e.g., during a time period after the request to connect to the merchant local network 105 was received at 202 ). For example, the customer may be prompted to input a password or the like that has been pre-established at the merchant. Alternatively, the customer may be automatically permitted to access the merchant local network 105 upon establishment of the customer’s account.
  • the merchant network agent 110 assigns an IP address to the customer computing device 140 and stores the IP address in relation to a unique identifier (e.g., MAC address) received in previous communications with the customer computing device 140 . As such, the same IP address may be assigned to the customer computing device 140 when the customer requests to access the merchant local network in the future.
  • a unique identifier e.g., MAC address
  • data regarding a customer transaction is received.
  • the customer may utilize the merchant client application 144 on the customer computing device 140 to engage in a transaction at the merchant.
  • the merchant client application 144 may include a mobile payment capability that provides customer payment credentials to the merchant computing system 120 .
  • the merchant client application may generate a QR code having information regarding the customer account encoded thereon for presentation to a scanner included in the merchant I/O device 130 .
  • the merchant computing system 120 e.g., via the transaction circuit 126 ) deducts funds from the customer’s account and stores information regarding the transaction in association with the customer’s account in the customer database 124 .
  • the account management circuit 128 may establish a parameter of the transaction as a shared secret network authentication credential for the customer.
  • the account management circuit 128 may select a parameter of the transaction and transmit the parameter to the merchant network agent 110 for storage in a device directory (e.g., in association with the IP address previously assigned to the customer computing device 140 ).
  • the merchant network agent 110 prompts the customer to input information regarding the selected parameter (e.g., via an interface similar to the interface 400 discussed above).
  • the method 500 may be performed by the merchant network agent 110 (e.g., via the network control circuit 114 ) to provide a customer with access to the merchant local network 105 .
  • a request to connect to the merchant local network 105 is received.
  • the customer computing device 140 may indicate a preference to connect to merchant local network 105 .
  • the customer computing device 140 may establish a communications channel with the merchant network agent 110 via any established protocol and provide a network connection request to the merchant network agent 110 .
  • the customer computing device 140 is identified based on the received request.
  • the request to connect to the merchant local network 105 received by the merchant network agent 110 includes an identifier (e.g., MAC address) associated with the network interface 142 of the customer computing device 140 .
  • this identifier may be stored in a device directory of the merchant network agent 110 .
  • the network control circuit 114 may identify the customer computing device 140 based on the request received at 502 via the directory.
  • a shared secret network authentication credential for the customer computing device 140 is determined.
  • the network control circuit 114 retrieves a pre-established shared secret credential from the memory of the merchant network agent 110 .
  • the merchant computing system 120 performs a process to provide shared secret credentials to the merchant network agent 110 .
  • the merchant computing system 120 may periodically retrieve data from the customer database 124 that is associated with customers who have registered for a shared secret credential (e.g., via the method 200 discussed above), select a parameter regarding a recent customer transaction (e.g., a customer transaction within a predetermined time period), and provide information regarding the parameter to the merchant network agent 110 for storage in association with the customer computing device 140 in the device directory.
  • the merchant computing system 120 each time the customer engages in a transaction with the merchant via a customer account established at the merchant, the merchant computing system 120 undergoes a process to update the customer’s shared secret network authentication credential. This way, an aspect of the customer’s most recent transaction at the merchant is always used as the shared secret, and the customer is most likely to remember various aspects of the transaction.
  • the account management circuit 128 selects an aspect of the transaction and transmits data regarding that aspect to the merchant network agent 110 in association with a customer account identifier.
  • the merchant network agent 110 updates an entry in the directory of devices associated with the customer computing device 140 . This way, upon receipt of a connection request from the customer computing device 140 , the merchant network agent 110 retrieves the shared secret.
  • the shared secret credential is updated. Accordingly, the merchant network agent 110 may store information regarding recent transactions of the customer, or the merchant network agent 110 may query the customer database 124 of the merchant computing system 120 in response to receiving the connection request from the customer computing device 140 for information regarding recent transactions of the customer. From the information regarding recent transactions of the customer, the network control circuit 114 may select an aspect of a recent customer transaction to establish as the shared secret credential.
  • the merchant network agent 110 in response to receiving the connection request, requests the merchant computing system 120 to formulate a customer shared secret credential.
  • the merchant computing system 120 retrieves customer account information from the customer database 124 , selects an aspect of a customer transaction to utilize as a shared secret, and transmits the shared secret to the merchant network agent 110 .
  • the customer is queried regarding the shared secret.
  • the merchant network agent 110 transmits an authorization packet to the customer computing device 140 .
  • the authorization packet may cause an interface (e.g., similar to the interface 400 discussed in relation to FIG. 4 ) to be presented to the customer that instructs the customer to input information regarding an aspect of a recent customer transaction or interaction with the merchant.
  • the interface may present the customer with a plurality of choices, with one of the choices describing an aspect of the recent customer transaction. Alternatively, the interface may request the customer to manually input a response to the query.
  • the network control circuit 114 determines if the customer-input response matches the customer shared secret credential for the purpose of authenticating the connection request.
  • the customer-input response may be within a predetermined threshold of the actual shared secret to authenticate the customer. For example, if the customer shared secret corresponds to an amount of a recent customer transaction, then the network control circuit 114 may compare a customer-input response to an actual amount of a previous customer transaction. If the customer-input response is within a threshold of the actual amount, the customer may be authenticated. In some situations, the customer-input response must exactly match an aspect of a previous customer transaction in order for the customer to be authenticated. For example, if the customer shared secret is the identity of a product, then the customer must input the correct product name in order to be authenticated.
  • the connection request is denied at 512 .
  • the customer is prevented from having full access to the merchant local network 105 .
  • the connection request is authorized at 514 .
  • the customer computing device 140 is able to communicate data over the network 150 via a connection with the merchant local network 105 .
  • the shared secret credential involves an actual transaction of the customer at the merchant, the customer is able to ascertain the legitimacy of the merchant local network 105 . This way, it is difficult for fraudsters to emulate the authentication processes described herein, as fraudsters will not have access to data regarding customer accounts at the merchant.
  • circuit may include hardware structured to execute the functions described herein.
  • each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein.
  • the circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc.
  • a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.”
  • the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein.
  • a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.
  • the “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices.
  • the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors.
  • the one or more processors may be embodied in various ways.
  • the one or more processors may be constructed in a manner sufficient to perform at least the operations described herein.
  • the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory).
  • the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors.
  • two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution.
  • Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory.
  • the one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc.
  • the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
  • An exemplary system for implementing the overall system or portions of the embodiments might include general purpose computing devices in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit.
  • Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc.
  • the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc.
  • the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media.
  • machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.
  • Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.
  • the term “input device,” as described herein, may include any type of input device or input devices including, but not limited to, a keyboard, a keypad, a mouse, joystick, or other input devices capable of performing a similar function.
  • the term “output device,” as described herein, may include any type of output device or output devices including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices capable of performing a similar function.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Accounting & Taxation (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A computing system can associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer, transmit a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, authenticating, by the computing system, the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.

Description

    CROSS-REFERENCE TO RELATED PATENT APPLICATIONS
  • This application is a continuation of U.S. Pat. No. 11,583,024, titled “SYSTEMS AND METHODS FOR NETWORK AUTHENTICATION WITH A SHARED SECRET,” filed Jan. 24, 2022, which application is a continuation of U.S. Pat. No. 11,233,634, titled “SYSTEMS AND METHODS FOR NETWORK AUTHENTICATION WITH A SHARED SECRET,” filed Jun. 23, 2017, the contents of which are hereby incorporated by reference in their entirety and for all purposes as if completely and fully set forth herein.
  • BACKGROUND
  • One common avenue for fraudsters to steal private information of other individuals is through a so called “evil twin” network. In such a scheme, the fraudster establishes a network access point (e.g., a mobile hotspot) in a location associated with a legitimate network (e.g., a network associated with a merchant). The fraudster configures the access point to mimic the legitimate network (e.g., in name and appearance). Individuals connect to the fraudulent network and communicate private information (e.g., payment credentials) with various other entities. The fraudster intercepts these communications and gains access to the private information. Thus, it would be beneficial to provide a system that diminishes the efficacy of such schemes.
  • SUMMARY
  • An embodiment relates to a computer-implemented method. The method can include associating, by a computing system, system associated with a merchant, a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving, by the computing system, the first request to connect to the network provided by the merchant from the customer device after completion of the purchase, selecting, by the computing system, the financial transaction based on the predetermined time period and the merchant, transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving, by the computing system, a customer-input response to the first query, authenticating, by the computing system, the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
  • Another embodiment relates to a computing system. The computing system can include a network interface enabling the computing system to exchange information over a network provided by the merchant, a customer database configured to store information pertaining to a plurality of customer purchases of a plurality of customers, wherein the customer purchases are from the merchant, and a processing circuit configured to associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receive, by the network interface, the first request to connect to the network from the customer device after completion of the first purchase, select the financial transaction based on the predetermined time period and the merchant, transmit, by the network interface, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receive, by the network interface, a customer-input response to the first query, authenticate the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorize connection of the customer device to the network based at least in part on the first request being authenticated.
  • Another embodiment relates to a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by a computing system, causes the computing system to perform operations to authorize a request to connect to a network. The operations can include associating a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving the first request to connect to a network from the customer device after completion of the first purchase, selecting the financial transaction based on the predetermined time period and the merchant, transmitting a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving a customer-input response to the first query, authenticating the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing connection of the customer device to the network based at least in part on the first request being authenticated.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the disclosure will become apparent from the description, the drawings, and the claims.
  • FIG. 1 is a block diagram of a network security system, according to an example embodiment.
  • FIG. 2 is a flow diagram of a method of establishing a shared secret network authentication credential with a customer, according to an example embodiment.
  • FIG. 3 is a network security user interface, according to an example embodiment.
  • FIG. 4 is another network security user interface, according to an example embodiment.
  • FIG. 5 is a flow diagram of a method of authorizing a network connection request, according to an example embodiment.
  • DETAILED DESCRIPTION
  • Before turning to the figures, which illustrate example embodiments, it should be understood that the application is not limited to the details or methodology set forth in the following description or illustrated in the figures. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.
  • Referring generally to the figures, systems and methods for authenticating a customer request to connect to a network are shown, according to various example embodiments. In particular, the figures include a merchant computing system associated with a merchant. A customer may engage in a transaction at the merchant and also seek to connect to a network (e.g., a local network established via a Wi-Fi connection) provided by the merchant. Such a pattern of interactions between the customer and the merchant creates an opportunity to enhance the security of the customer’s private information. More specifically, the merchant computing system enables the customer to establish a shared secret as a network authentication credential. The shared secret may be generated based on the relationship (e.g., past financial or non-financial transactions) between the customer and the merchant. This way, if the customer seeks to connect to a network at the merchant and is not asked for the shared secret, the customer is aware of a potentially fraudulent scheme. Therefore, systems and methods disclosed herein enable mutual (two-way) authentication between the customer and the merchant. As such, the systems and methods disclosed herein facilitate enhanced security of private customer information.
  • The embodiments and implementations of the systems and methods disclosed herein improve current network authentication systems by enabling customers to establish dynamic authentication credentials for networks at specific locations. For example, on an airline, the customer’s seat number may be established as a network authentication credential. Such credentials make it much more difficult for fraudsters to emulate networks provided at various merchants. If the customer is not asked for the credential when attempting to access the network, then the customer is made aware of the potential for fraud.
  • Additionally, the systems and methods disclosed herein provide a unique solution to the problem of establishing a shared secret credential between a customer and a merchant. Specifically, the systems and methods disclosed herein utilize information regarding a first service provided by the merchant to a customer (e.g., the sale of a product) to authenticate the customer with respect to a second service (e.g., connection to a local network) provided by the merchant to the customer. Use of such information provides benefits over current authentication systems. Because information regarding the first service provided to the customer is readily and uniquely available to the merchant (e.g., information regarding customer purchases may be stored at a computing system associated with a merchant), the merchant may pre-emptively establish information regarding the first service to authenticate the customer with respect to the second service. Thus, when the customer seeks to utilize the second service, a shared secret credential including information known or readily available may be available for use in authenticating the customer. This is a benefit over current systems, which may require the customer to obtain information (e.g., read a unique code) prior to a shared-secret credential being established. As such, the systems and methods disclosed herein provide efficiency and security benefits and a more convenient customer experience over current systems.
  • Additionally, because the first service provided by the merchant to the customer is not necessarily tied to the second service, the systems and methods disclosed herein provide for greater flexibility in terms of customer authentication processes than provided by current systems. In an example, for a first customer utilization of the second service, the merchant may select data regarding a first customer transaction as a shared secret credential. For a second customer utilization of the second service, the merchant may select data regarding a second customer transaction. In this example, the first and second customer transactions may occur in any order (e.g., the second customer transaction may occur prior to the first customer transaction). Due to this flexibility, the merchant may regularly update the customer’s shared secret credential, even if no additional information regarding the customer becomes available between customer utilizations of the second service. Such updating further enhances the security of customer information. Thus, the systems, methods, and computer implementations disclosed improve current network security methods by providing functionalities that are novel and non-obvious over current systems.
  • Referring now to FIG. 1 , a block diagram of a network security system 100 is shown according to an example embodiment. As described in further detail below, the network security system 100 facilitates enhanced security of a merchant local network 105 by establishing a shared secret between a customer and a merchant as a network authentication credential. The network security system 100 includes a merchant network agent 110 and a merchant computing device 120, both associated with a merchant, and a customer computing device 140 associated with a customer. Various components of the network security system 100 may be configured to communicate over the network 150. The network 150 is a data exchange medium, which may include wireless networks (e.g., cellular networks, Bluetooth®, WiFi, Zigbee®, etc.), wired networks (e.g., Ethernet, DSL, cable, fiber-based, etc.), or a combination thereof. In some embodiments, the network 150 includes the internet.
  • The merchant network agent 110 is a device associated with the merchant and configured to generate the merchant local network 105 through being communicatively coupled to the network 150. In various embodiments, the merchant may be any entity that provides any sort of product or service to customers. For example, the merchant may be a financial institution, a brick-and-mortar merchant (e.g., a restaurant or a coffee shop), an airport, or any other entity. Merchant network agent 110 may include any device capable of establishing a connection and communicating data with an external device. In some arrangements, the merchant network agent 110 includes a wireless router configured to communicate information over the network 150 and generate wireless signals that are broadcasted to create the merchant local network 105.
  • The merchant network agent 110 is shown to include a wide area network interface 112 which enables the network agent 110 to exchange data over the network 150, a network control circuit 114, and an access point 116. The access point 116 is configured to broadcast a wireless network signal capable of being received by external computing devices (e.g., the merchant computing system 120, the customer computing device 140, etc.) to facilitate the connection of the external computing devices to create the merchant local network 105. In some arrangements, the wireless network signal broadcasted by the access point 116 may generate a wireless personal area network (WPAN), and include, for example, a Bluetooth® radio signal or infrared signal. In some arrangements, the wireless network includes a WiFi signal, a WiMAX signal, wireless WAN signal, or the like.
  • The wireless network signal broadcasted by the merchant network agent 110 is received by other computing devices, such as the customer computing device 140 and merchant computing system 120. Upon receiving the wireless network signal from the network agent 110, the other devices may be authenticated by the methods disclosed herein to gain complete access to the merchant local network 105. For example, upon authenticating a customer via the customer computing device 140, encryption keys may be exchanged between the customer computing device 140 and the merchant network agent 110 enabling the customer computing device 140 to exchange information with additional computing systems. In some embodiments, the merchant network agent 110 provides external devices with access to an external network (e.g., the network 150).
  • In various embodiments, the wireless network signal broadcasted by the access point 116 includes a unique identifier associated with the merchant local network 105. In an example embodiment, the unique identifier includes a name of the merchant local network 105, which may be associated with the name of the merchant. As such, upon external devices, such as the customer computing device 140, receiving the signal from the access point 116, the customer computing device 140 may display the name of the merchant local network 105 to the customer and enable the customer to request to establish a connection with the merchant local network 105. Such an arrangement creates an opportunity for fraudsters to steal private information, as fraudsters may create networks having a unique identifier that mimics the unique identifier associated with the merchant local network 105.
  • The network control circuit 114 is configured to manage connections between the merchant network agent 110 and various other external devices. In this regard, the network control circuit 114 may include an authentication circuit (not shown) configured to authenticate requests to connect to the merchant local network 105 received from external devices. In an example embodiment, in response to the merchant network agent 110 receiving a request to connect to the merchant local network 105 from a requestor, the merchant network agent 110 transmits an authentication packet to the customer computing device 140 via the network control circuit 114. The authentication packet requests at least one authentication credential (e.g., a password) from the requestor. Upon receiving a requestor-input response to the authentication packet, the network control circuit 114 may compare the requestor-input response to a stored value and authenticate the request if a match is found. According to the systems and methods disclosed herein, the password may be a shared secret credential established for the customer based on a pre-existing relationship between the customer and merchant (e.g., a customer account). In some embodiments, the password may be based on a credential associated with a payments platform utilized by the customer to pay the merchant. For example, the network control circuit 114 may request mobile wallet credentials associated with a mobile wallet of the customer, and the network control circuit 114 may initiate communications with a mobile wallet computing system associated with the provider of the customer’s mobile wallet to verify that customer-input mobile wallet credentials match credentials stored at the mobile wallet computing system (e.g., the mobile wallet computing system may verify the customer-input credentials and notify the merchant network agent 110 of the verification).
  • In some embodiments, the network control circuit 114 is configured monitor the various devices that are connected to the merchant local network 105. For example, when the customer computing device 140 first establishes a connection with the merchant network agent 110, the merchant network agent 110 may assign an IP address to the customer computing device 140 via the Dynamic Host Configuration Protocol (DHCP). Under such a protocol, the merchant network agent 110 may select an IP address from a pool of IP addresses stored at the merchant network agent 110 for customer computing devices 140 and temporarily or permanently assign the selected IP address to the customer computing device 140. In some arrangements, a network interface (e.g., the network interface 142) of the customer computing device 140 has a unique identifier (e.g., a MAC address) associated therewith. Communications between the customer computing device 140 and the merchant network agent 110 may include the unique identifier. As such, the network control circuit 114 may maintain a log of the various IP addresses assigned based on such unique identifiers. This way, based on the IP addresses currently assigned by the merchant network agent 110, the merchant network agent 110 may identify the specific external devices (and the identities of the customers associated therewith) connected to the merchant local network 105.
  • In some embodiments, the network control circuit 114 is configured to operate in concert with the merchant computing system 120 to authenticate requests to connect to the merchant local network 105. For example, in some embodiments, the network control circuit 114 receives data indicative of interactions (e.g., transactions) between the customer and the merchant, and establishes the received data as a network authentication credential for the customer. In some embodiments, the network control circuit 114 maintains an authentication credential directory. Such a directory may include a number of entries associated with various devices that have connected to the merchant local network 105. In an example, each entry is associated with a MAC address of an external device. The entries may include information regarding a plurality of transactions engaged in by the customer associated with the device. Using this stored information, the network control circuit 114 may generate a temporary network authentication credential used to authenticate the customer computing device 140 prior to authorizing connection of the external device to the merchant local network 105.
  • In an example, the customer purchases a product (e.g., a cup of coffee) at a merchant. In making such a purchase, the customer may provide payment information to the merchant (e.g., via the merchant computing system 120). Such payment information may include, for example a customer account number at a financial institution. The merchant computing system 120 may provide the received payment information to the merchant network agent 110. Alternatively or additionally, the merchant computing system 120 may transmit additional information (e.g., an identity of the purchased product, the amount of the purchase, the timing of the transaction, etc.) to the merchant network agent 110.
  • Upon receipt of such information regarding the customer purchase, the network control circuit 114 may establish an aspect of the data received from the merchant computing system 120 as a network authentication credential for the customer. To do this, the network control circuit 114 may first associate the received information regarding the purchase with an entry in the directory of network authentication credentials discussed above. For example, the directory may include a lookup table that matches portions of customer payment information (or information associated with an account of the customer at the merchant) to a particular external device (e.g., the customer computing device 140). As such, upon receipt of the customer payment information from the merchant computing system 120, the merchant network agent 110 may associate the information regarding the customer purchase with the customer computing device 140. After the association, the network control circuit 114 may select an aspect of the purchase information (e.g., a transaction amount, a product identity, etc.) to establish as a network authentication credential for the customer.
  • In some embodiments, the network control circuit 114 selects an aspect of the purchase data as an authentication credential upon receipt of a request to connect to the merchant local network 105 from the customer computer device 140. For example, based on a MAC address received from the customer computing device 140, the network control circuit 114 selects an aspect of the purchase data stored in the network authentication credential directory. In some embodiments, the network control circuit 114 establishes an aspect of the purchase data as an authentication credential prior to receiving a connection request from the customer computer device 140. This way, upon receipt of a connection request from the customer computer device 140, the merchant network agent 110 retrieves the established credential and compares it to any responses provided by the customer. In some embodiments, the merchant network agent 110 updates the authentication credential associated with the customer computing device 140 each time a connection request is received from the customer computing device 140. In some embodiments, the network control circuit 114 periodically (e.g., weekly) updates the authentication credential associated with the customer computing device 140.
  • In some embodiments, rather than receiving information regarding customer transactions from the merchant computing system 120, the network control circuit 114 is configured to transmit a notification signal to the merchant computing system 120 upon receipt of a connection request from the customer computing device 140. In such embodiments, the merchant computing system 120 may authenticate the connection request or provide an authentication credential to the merchant network agent 110.
  • In some embodiments, the network control circuit 114 is configured to establish accounts for customers who connect to the merchant local network but do not yet have accounts with the merchant. For example, the network control circuit 114 may determine if a particular customer has an account with a merchant based on communications with the customer computing device 140. For example, if the directory maintained in the merchant network agent 110 does not contain a MAC address associated with the customer computing device 140, the network control circuit 114 may determine that the customer does not have an account (or at least that the customer computing device 140 is not associated with the customer’s account). In such cases, the merchant network agent 110 may transmit a registration packet to the customer computing device 140. The registration packet may prompt the customer to indicate a preference to establish a shared secret authentication credential for accessing the merchant local network 105.
  • In some embodiments, in response to the customer indicating a preference to establish a shared secret credential, the merchant network agent 110 (or the merchant computing system 120 or an external server) may transmit an application (e.g., the merchant client application 144 described below) to the customer computing device 140. The application may enable the customer to register payment accounts with the merchant computing system 120. As such, when the customer uses the registered payment accounts to engage in a transaction at the merchant, the merchant computing system 120 is able to tie the transactions to a particular customer account and render information regarding the transactions usable as an authentication credential for the merchant local network 105. Additionally, the application may enable the customer to view information regarding previous transaction at the merchant, thus facilitating the use of such information as a network authentication credential.
  • Still referring to FIG. 1 , the merchant computing system 120 is a computing system associated with the merchant. In the example shown, the merchant computing system 120 includes a network interface 122 which enables the merchant computing system 120 to communicate data over the merchant local network 105, a customer database 124, a transaction circuit 126, an account management circuit 128, and a merchant input/output (“I/O”) device 130. The merchant I/O device 130 includes hardware and associated logics configured to enable the merchant computing system 120 to exchange information with a customer and other merchant personnel. An input aspect of merchant I/O device 130 allows various users to provide information to the merchant computing system 120 and may include, for example, a mechanical keyboard, a touchscreen, a microphone, a camera, a fingerprint scanner, any user input device engageable to the merchant computing system 120 via a USB, serial cable, Ethernet cable, and so on. In some embodiments, the merchant I/O device 130 includes a point of sale (POS) device (e.g., a card reader or the like) configured to receive customer payment information from a payment card or mobile wallet presented by the customer to make a purchase at the merchant.
  • An output aspect of the merchant I/O device 130 allows users to receive information from the merchant computing system 120 and may include, for example, a digital display, a speaker, illuminating icons, LEDs, and so on. In some embodiments, the merchant I/O device 130 includes radio frequency transceivers (e.g., RF or NFC-based transceivers) and other short range wireless transceivers (e.g., Bluetooth™, laser-based data transmitters, etc.) configured to communicate data with external devices such as the customer computing device 120. For example, via such transceivers, the customer may make a payment for a purchase via a mobile wallet.
  • In some embodiments, merchant I/O device 130 includes a barcode or QR code scanner configured to gather information from various codes presented to the merchant computing system 120 by the customer. For example, at the time of a customer purchase, the customer may present a product having to be purchased to an attendant at the merchant computing system 120. In response, the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130.
  • In some embodiments, such a scanner enables the customer to make payments for purchases at the merchant. For example, the customer may have an account with the merchant, and have installed an application (e.g., the merchant client application 144) on the customer computing device 140, enabling the customer to fund the account. The application may enable the customer computing device 140 to generate a QR code to make a payment for a purchase. In response to scanning the QR code, the merchant computing system 120 may deduct the purchase amount from the customer’s account.
  • The customer database 124 is configured to store information regarding accounts associated with a number of customers of the merchant. Customer account information may include, for example, customer identifying information, customer login information (e.g., usernames, passwords, and the like), payment information (e.g., credit or debit card numbers, bank account numbers, mobile wallet account numbers or addresses, etc.), customer account preferences (e.g., addresses, payment methods), and customer history information (e.g., transaction histories). Additionally, customer account information stored at the customer database 124 may also include information regarding the customer computing device 140. For example, the customer database 124 may include information regarding IP addresses assigned to the customer computing device 140 by the merchant network agent 110. Additionally, the customer database 124 may store network authentication credentials established for the customer.
  • The account management circuit 128 is configured to manage customer accounts at the merchant. In this regard, in some embodiments, the account management circuit 128 is configured to assign data regarding various transactions via the merchant computing system 120 to customer accounts. In this regard, upon the customer providing payment information (e.g., a primary account number associated with a customer payment account at a financial institution) to the merchant computing system 120, the account management circuit 128 may query the customer database 124 to determine if the customer input account information has been previously associated with an account established by the customer. If so, the account management circuit 128 may store data regarding the transaction (e.g., product purchased, transaction amount, transaction timing, location, etc.) in a transaction entry associated with an identified account. In some embodiments, in the event that a customer makes a payment using funds of an account held by the customer at the merchant (e.g., via the QR code discussed above), the account management circuit 128 may update the customer’s account funding balance to reflect the payment.
  • In some embodiments, the account management circuit 128 is configured to transmit customer transaction data to an external server that provides an application (e.g., the merchant client application 144) to the customer computing device 140. For example, upon identifying that a particular transaction is associated with the customer’s account, the account management circuit 128 may formulate an information packet identifying the customer’s account, including the transaction information for transmittal to the external computing system over the network 150. After this information is transmitted to the external system, the customer may view the transaction by accessing the merchant client application 144. As such, if an aspect of the transaction is later used (e.g., by the merchant network agent 110) as a network authentication credential but the customer forgets the transaction, then the customer is able to view the transaction in the merchant client application 144 prior to entering the credential.
  • In some embodiments, the account management circuit 128 is configured to manage customer network authentication credentials. In this regard, the account management circuit 128 may be configured to transmit data stored in association with a customer account to the merchant network agent 110, which may establish a subset of the data as a user network authentication credential via the methods discussed above.
  • In some embodiments, the account management circuit 128 is configured to establish customer network authentication credentials. In this regard, the account management circuit 128 may select a subset of transaction information stored in association with a customer’s account in the customer database 124 to establish as a customer network authentication credential. In some embodiments, the selection is based in part on previous customer network authentication credentials. For example, the account management circuit 128 may maintain a log of customer network authentication credentials used at various times and update the customer’s authentication credential (e.g., to correspond to a different transaction of the customer or a different aspect of a transaction). If the customer’s current network authentication credential has been used for more than a predetermined period, for example, the account management circuit 128 may select a subset of data among data describing the customer’s most recent transactions at the merchant for establishment as a network authentication credential.
  • To establish the selected data as a customer network authentication credential, the account management circuit 128 may cause the merchant computing system 120 to transmit the credential to the merchant network agent 110. The merchant network agent 110 may store the credential in association with the customer computing device 140 (e.g., based on a MAC address) such that, when the next request to connect to the merchant local network 105 is received from the customer computing device 140, the customer is required to input information regarding a previous transaction to access the merchant local network 105. It should be understood that, according to various embodiments, the shared secret can be used for authentication using any of various methods such as challenge-response or it can be used as an input to a key derivation function to produce one or more keys to use for encrypting and/or MACing messages.
  • The transaction circuit 126 is configured to formulate transaction requests associated with various purchases of the customer. As such, the transaction circuit 126 is communicably coupled to the merchant I/O device 130, customer database 124, and network interface 122. For example, upon receiving customer payment information regarding a customer purchase, the transaction circuit 126 determines a total transaction amount (e.g., based on the identity of the product being purchased), bundles the total with the customer payment information to make a transaction request, and transmits the transaction request to a financial institution (e.g., associated with a customer payment card or mobile wallet) over the network 150. The financial institution may authorize the transaction and provide an indication of the authorization to the merchant computing system 120 over the network 150.
  • Still referring to FIG. 1 , the customer computing device 140 is a computing device associated with a customer. The customer computing device 140 may be used by the customer to connect to the merchant local network 105. The customer computing device 140 includes one or more processors and non-transitory storage mediums housing one or more logics configured to enable the customer computing device 140 to exchange data over the network, execute software applications, access websites, generate graphical customer interfaces, and perform other operations. Examples of the customer computing device 140 include a personal computer (e.g., desktop or laptop computer), smartphones, tablets, wearable computing devices (e.g., a smartwatch), and the like. The customer computing device 140 may be configured to enable the customer to communicate information (e.g., transaction information) to merchant computing system 120.
  • In the example shown, the customer computing device 140 includes a customer network interface 142 enabling the customer computing device 140 to exchange data over the network 150, a merchant client application 144, and a customer I/O device 146. The customer I/O device 146 includes hardware and associated logics configured to enable the customer computing device 140 to exchange information with a customer (e.g., via hardware and associated logics similar to that discussed above with respect to the merchant I/O device 130).
  • The merchant client application 144 is structured to provide various displays on the customer computing device 140 that enable the customer to view information regarding various transactions engaged in by the customer at the merchant. Additionally, the displays may also enable the customer to register payment cards (e.g., debit cards, credit cards, and the like) with the merchant, and to fund a customer account at the merchant so as to enable the customer to engage in transactions at the merchant via the merchant client application 144 (e.g., via a QR code or the like).
  • In this regard, the merchant client application 144 may be communicably coupled to the merchant computing system 120 (or another external computing system configured to provide the merchant client application 144 to the customer computing device 140). In some embodiments, the merchant client application 144 is a separate software application implemented on the customer computing device 140. The merchant client application 144 may be downloaded by the customer computing device 140, be hard coded into the memory of the customer computing device 140, or be a web-based interface application such that the merchant client application 144 may provide a web browser to the application, which may be executed remotely from the customer computing device 140. In the latter instance, the customer may have to log onto or access the web-based interface before usage of the application. Further, and in this regard, the merchant client application 144 may be supported by a separate computing system including one or more servers, processors, network circuits, and so on that transmit applications for use to the customer computing device 140. In certain embodiments, the merchant client application 144 includes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications with the merchant client application 144.
  • Referring now to FIG. 2 , a flow chart of a method 200 of establishing a shared secret as a network authentication credential is shown, according to an example embodiment. In various embodiments, the method 200 may be performed by a combination of the merchant network agent 110 (e.g., via the network control circuit 114) and the merchant computing system 120 (e.g., via the account management circuit 128).
  • At 202, a request to connect to the merchant local network 105 is received. For example, the customer may bring a customer computer device 140 within the range of the wireless signal broadcasted by the merchant network agent 110 such that the name of the merchant local network 105 shows up on the customer computing device 140 (e.g., as wireless network option to connect to). The customer may select the name, thereby causing a connection request to be transmitted by the customer computing device 140 to the merchant network agent 110.
  • At 204, the customer is presented with a network security preference interface. In some embodiments, the merchant network agent 110 determines if the customer has already established a shared secret network authentication credential based on the connection request received at 202. For example, the network control circuit 114 may query a database with a unique identifier (e.g., MAC address) included in the connection request. If the identifier is not in the database, the network control circuit 114 may determine that the customer has not established a shared secret network authentication credential and transmit a registration packet to the customer computing device 140. The registration packet may cause the customer computing device 140 (e.g., via a web browser) to present the customer with an interface enabling the customer to indicate a preference to establish the shared secret credential.
  • Referring now to FIG. 3 , a network security interface 300 is shown, according to an example embodiment. In some embodiments, the interface 300 is presented to a customer upon the customer requesting to connect to the merchant local network 105. For example, upon receiving a customer request to connect to the merchant local network 105, the merchant network agent 110 may query a database for entries regarding the customer computing device 140. If no entries are found (e.g., if no shared secret network credential has been established for the customer computing device 140), then the merchant network agent 110 transmits an authorization packet to the customer computing device 140, which presents the interface 300 to the customer.
  • The interface 300 includes a username entry field 302, a password field 304 and a shared secret preference window 304. The username entry field 302 and password entry field 304 are configured to receive a customer-input network credentials. Upon the customer inputting a credential into the credential entry field 302, the customer-input password may be transmitted to the merchant network agent 110, which may compare the customer-input credentials to a pre-established password for the merchant local network 105. The shared secret preference window 304 is configured to receive a customer input to establish a shared secret network credential for the merchant local network 105 via a customer preference selection button 306. In some embodiments, the shared secret preference window prompts the customer to indicate whether the customer has an account (e.g., a loyalty account) at the merchant. In some embodiments, the interface 300 may prompt the customer to input credentials (e.g., a username and password) associated with an account at the merchant.
  • Referring again to FIG. 2 , at 206, a customer preference to establish a shared secret network authentication credential is received. For example, the customer may interact with the network security preference interface presented to the customer at 204 in such a way that indicates a customer preference to establish a shared secret network authentication credential.
  • At 208, upon receiving a customer input to establish a shared secret network credential, the merchant network agent 110 determines if the customer has established an account with the merchant. In some embodiments, the merchant network agent 110 makes this determination based on an input received from the customer. For example, based on information (e.g., authentication credentials) provided by the customer in response to the authorization packet transmitted to the customer computing device 140 at 206, the merchant network agent 110 may access a directory (e.g., the customer database 124) that includes information regarding various customer accounts. If the information input by the customer matches that of an account stored in the directory, then the merchant network agent 110 may determine that the customer has an account with the merchant. In some embodiments, the merchant network agent 110 maintains such a directory. In some embodiments, the merchant network agent 110 communicates with the merchant computing system 120, which maintains the directory, to determine if the customer has an account.
  • At 210, if the customer has an account with the merchant, customer account information is retrieved. In some embodiments, based on information received from the customer at 206, the merchant network agent 110 requests and receives information regarding a customer account from the merchant computing system 120. The requested information may contain information describing various aspects of the customer’s account with the merchant (e.g., information regarding various customer transactions at the merchant). In some embodiments, a database similar to the customer database 124 is maintained at the merchant network agent 110, and the network control circuit 114 retrieves the customer account information based on information received from the customer computing device 140.
  • At 212, parameters of a prior customer transaction at the merchant are established as an initial shared secret network authentication credential. In this regard, the network control circuit 114 or merchant computing system 120 may perform a multi-step process to select the credential. First, a prior customer transaction (or prior customer interaction) at the merchant is selected. For example, in some embodiments, the network control circuit 114 selects the most recent transaction engaged in by the customer for establishment as a shared secret network authentication credential. In some embodiments, the network control circuit 114 selects from amongst a number of customer transactions that occurred within a predetermined time period of the customer indicating the preference to establish a shared secret network authentication credential. In some embodiments, rather than the network control circuit 114 selecting the customer transaction, such a selection is performed at the merchant computing system 120 (e.g., via the account management circuit 128).
  • Upon selecting a customer transaction, the network control circuit 114 selects a parameter of the selected transaction to establish as the shared secret. In various embodiments, the network control circuit 114 randomly selects from a number of different parameters such as timing, location, transaction amount, and the identity of the product purchased. To establish the selected parameter as the shared secret, the network control circuit 114 may transmit a second authorization packet to the customer computing device 140. The second authorization packet may cause the customer computing device 140 to present an additional interface to the customer. The additional interface may query the customer regarding the selected parameter for the prior customer transaction at the merchant.
  • Turning now to FIG. 4 , a network security interface 400 is shown, according to an example embodiment. In an example embodiment, the interface 400 may be presented to the customer upon the merchant network agent 110 or the merchant computing system 120 selecting a parameter regarding a prior customer transaction to establish as a shared secret network authentication credential. In the example shown, the interface 400 includes a query window 402 and a submission button 408. The query window 402 contains a description of a prior customer transaction at the merchant as well as the parameter (e.g., product identity) of that transaction that was selected to serve as the customer’s initial shared secret credential. The query window 402 prompts the customer to input information regarding the selected parameter via the data field 406. In some embodiments, the query window includes multiple options, one of which being the parameter selected to serve as the shared secret. The submission button 408 is configured to receive a customer input to transmit a customer-input response to the merchant network agent 110.
  • In various embodiments, the customer-input response must meet predetermined criteria prior to the customer being authorized to fully access the merchant local network 105. For example, in some embodiments, the customer-input response must match the selected parameter prior to the customer being authorized to connect to the merchant local network 105. To illustrate, in the example shown in FIG. 4 , the customer-input description of a purchased product must match a predetermined merchant description (or one of a number predetermined merchant descriptions configured to account for customer spelling errors) of the purchased product. In some embodiments, the customer-input response must be within a threshold of the parameter selected to serve as the shared secret. To illustrate, if the amount of a prior customer transaction was selected to serve as the shared secret, the customer-input amount may have to be within a predetermined percentage (e.g., 10% of the actual transaction amount) in order for the customer to be authorized to fully access the merchant local network 105.
  • In some embodiments, upon the customer initially indicating a preference to establish a shared secret authentication credential for the merchant local network 105 (e.g., at 206), the directory at the merchant network agent 110 is updated such that the customer will automatically be prompted to input a shared secret prior to connecting to the merchant local network 105. In some embodiments, the customer’s account settings are updated at the merchant computing system 120. For example, the directory information stored at the merchant network agent 110 may also be stored at the merchant computing system 120 or an external server. The directories at various other network agents (e.g., similar to the merchant network agent 110) affiliated with the merchant are also similarly updated. As such, when the customer seeks to access additional local network associated with the merchant (e.g., at a location different from the location of the merchant local network 105), the customer is also prompted to input a shared secret.
  • Referring back to FIG. 2 , at 214, if the customer does not have an account at the merchant, then an account is established for the customer. In some embodiments, the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to register for an account by providing identifying information (e.g., name, address, phone number, etc.). Additionally, the customer may also be prompted to provide payment information. Such identifying information may be transmitted by the merchant network agent 110 to the merchant computing system 120, which generates (e.g., via the account management circuit 128) a customer account and stores the identifying information in association with the account.
  • In some embodiments, the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing customer to download an application (e.g., the merchant client application 144). Within the application, the customer may establish a set of login credentials for the new account. Additionally, the customer may register a payment account (e.g., a credit account or a debit account) within the application. The registered payment account may be used to fund the customer’s account, enabling the customer to engage in transactions at the merchant using the customer account via the application. Additionally, the linking of a customer payment account to the customer’s account at the merchant enables the merchant to link future customer purchases with the customer’s account. As such, upon the customer engaging in transaction in the future at the merchant using the customer’s account at the merchant, information regarding such transactions (e.g., regarding price, location, timing, product purchased, etc.) may be stored at the merchant computing system 120 (e.g., at the customer database 124) in relation to the customer’s account.
  • In some embodiments, upon the customer establishing an account at the merchant, the customer is authorized to fully access the merchant local network 105 (e.g., during a time period after the request to connect to the merchant local network 105 was received at 202). For example, the customer may be prompted to input a password or the like that has been pre-established at the merchant. Alternatively, the customer may be automatically permitted to access the merchant local network 105 upon establishment of the customer’s account. In various embodiments, the merchant network agent 110 assigns an IP address to the customer computing device 140 and stores the IP address in relation to a unique identifier (e.g., MAC address) received in previous communications with the customer computing device 140. As such, the same IP address may be assigned to the customer computing device 140 when the customer requests to access the merchant local network in the future.
  • At 216, data regarding a customer transaction is received. For example, at a later time, the customer may utilize the merchant client application 144 on the customer computing device 140 to engage in a transaction at the merchant. As discussed above the merchant client application 144 may include a mobile payment capability that provides customer payment credentials to the merchant computing system 120. For example, the merchant client application may generate a QR code having information regarding the customer account encoded thereon for presentation to a scanner included in the merchant I/O device 130. Upon scanning the QR code, the merchant computing system 120 (e.g., via the transaction circuit 126) deducts funds from the customer’s account and stores information regarding the transaction in association with the customer’s account in the customer database 124.
  • At 218, after the transaction is completed, the account management circuit 128 may establish a parameter of the transaction as a shared secret network authentication credential for the customer. In this regard, the account management circuit 128 may select a parameter of the transaction and transmit the parameter to the merchant network agent 110 for storage in a device directory (e.g., in association with the IP address previously assigned to the customer computing device 140). As such, upon the customer requesting to access the merchant local network 105 via the customer computing device 140 at a later time, the merchant network agent 110 prompts the customer to input information regarding the selected parameter (e.g., via an interface similar to the interface 400 discussed above).
  • Referring now to FIG. 5 , a flow chart of a method 500 of authorizing a network connection request is shown, according to an example embodiment. In various embodiments, the method 500 may be performed by the merchant network agent 110 (e.g., via the network control circuit 114) to provide a customer with access to the merchant local network 105.
  • At 502, a request to connect to the merchant local network 105 is received. For example, while the customer computing device 140 is within range of a wireless network signal broadcast by the merchant network agent 110 (e.g., while the customer is at a brick-and-mortar location associated with a particular merchant), the customer may indicate a preference to connect to merchant local network 105. In response to the customer indicating such a preference, the customer computing device 140 may establish a communications channel with the merchant network agent 110 via any established protocol and provide a network connection request to the merchant network agent 110.
  • At 504, the customer computing device 140 is identified based on the received request. In various embodiments, the request to connect to the merchant local network 105 received by the merchant network agent 110 includes an identifier (e.g., MAC address) associated with the network interface 142 of the customer computing device 140. As discussed above, assuming the customer computing device 140 has connected to the merchant local network 105 prior to the time of receipt of the network connection request at 502, this identifier may be stored in a device directory of the merchant network agent 110. As such, the network control circuit 114 may identify the customer computing device 140 based on the request received at 502 via the directory.
  • At 506, a shared secret network authentication credential for the customer computing device 140 is determined. In some embodiments, the network control circuit 114 retrieves a pre-established shared secret credential from the memory of the merchant network agent 110. In some embodiments, the merchant computing system 120 performs a process to provide shared secret credentials to the merchant network agent 110. For example, the merchant computing system 120 may periodically retrieve data from the customer database 124 that is associated with customers who have registered for a shared secret credential (e.g., via the method 200 discussed above), select a parameter regarding a recent customer transaction (e.g., a customer transaction within a predetermined time period), and provide information regarding the parameter to the merchant network agent 110 for storage in association with the customer computing device 140 in the device directory.
  • In some embodiments, each time the customer engages in a transaction with the merchant via a customer account established at the merchant, the merchant computing system 120 undergoes a process to update the customer’s shared secret network authentication credential. This way, an aspect of the customer’s most recent transaction at the merchant is always used as the shared secret, and the customer is most likely to remember various aspects of the transaction. As such, upon the merchant computing system 120 receiving data regarding a customer transaction (e.g., a payment from the customer via an account with the merchant, the scanning of a customer loyalty card, etc.), the account management circuit 128 selects an aspect of the transaction and transmits data regarding that aspect to the merchant network agent 110 in association with a customer account identifier. In response, the merchant network agent 110 updates an entry in the directory of devices associated with the customer computing device 140. This way, upon receipt of a connection request from the customer computing device 140, the merchant network agent 110 retrieves the shared secret.
  • In some embodiments, each time the merchant network agent 110 receives a request from the customer computing device 140 to connect to the merchant local network 105, the shared secret credential is updated. Accordingly, the merchant network agent 110 may store information regarding recent transactions of the customer, or the merchant network agent 110 may query the customer database 124 of the merchant computing system 120 in response to receiving the connection request from the customer computing device 140 for information regarding recent transactions of the customer. From the information regarding recent transactions of the customer, the network control circuit 114 may select an aspect of a recent customer transaction to establish as the shared secret credential.
  • In some embodiments, in response to receiving the connection request, the merchant network agent 110 requests the merchant computing system 120 to formulate a customer shared secret credential. In response the merchant computing system 120 (e.g., via the account management circuit 128) retrieves customer account information from the customer database 124, selects an aspect of a customer transaction to utilize as a shared secret, and transmits the shared secret to the merchant network agent 110.
  • At 508, the customer is queried regarding the shared secret. In various embodiments, after determining the customer shared secret, the merchant network agent 110 transmits an authorization packet to the customer computing device 140. The authorization packet may cause an interface (e.g., similar to the interface 400 discussed in relation to FIG. 4 ) to be presented to the customer that instructs the customer to input information regarding an aspect of a recent customer transaction or interaction with the merchant. The interface may present the customer with a plurality of choices, with one of the choices describing an aspect of the recent customer transaction. Alternatively, the interface may request the customer to manually input a response to the query.
  • At 510, the network control circuit 114 determines if the customer-input response matches the customer shared secret credential for the purpose of authenticating the connection request. In some embodiments, the customer-input response may be within a predetermined threshold of the actual shared secret to authenticate the customer. For example, if the customer shared secret corresponds to an amount of a recent customer transaction, then the network control circuit 114 may compare a customer-input response to an actual amount of a previous customer transaction. If the customer-input response is within a threshold of the actual amount, the customer may be authenticated. In some situations, the customer-input response must exactly match an aspect of a previous customer transaction in order for the customer to be authenticated. For example, if the customer shared secret is the identity of a product, then the customer must input the correct product name in order to be authenticated.
  • If the customer-input response does not match the shared secret, then the connection request is denied at 512. As a result, the customer is prevented from having full access to the merchant local network 105. However, if the customer-input response matches the shared secret, the connection request is authorized at 514. As such, the customer computing device 140 is able to communicate data over the network 150 via a connection with the merchant local network 105. Additionally, because the shared secret credential involves an actual transaction of the customer at the merchant, the customer is able to ascertain the legitimacy of the merchant local network 105. This way, it is difficult for fraudsters to emulate the authentication processes described herein, as fraudsters will not have access to data regarding customer accounts at the merchant.
  • The embodiments described herein have been described with reference to drawings. The drawings illustrate certain details of specific embodiments that implement the systems, methods, and programs described herein. However, describing the embodiments with drawings should not be construed as imposing on the disclosure any limitations that may be present in the drawings.
  • It should be understood that no claim element herein is to be construed under the provisions of 35 U.S.C. § 112(f), unless the element is expressly recited using the phrase “means for.”
  • As used herein, the term “circuit” may include hardware structured to execute the functions described herein. In some embodiments, each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein. The circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc. In some embodiments, a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.” In this regard, the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein. For example, a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.
  • The “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices. In this regard, the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors. In some embodiments, the one or more processors may be embodied in various ways. The one or more processors may be constructed in a manner sufficient to perform at least the operations described herein. In some embodiments, the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory). Alternatively or additionally, the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors. In other example embodiments, two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution. Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory. The one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc. In some embodiments, the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
  • An exemplary system for implementing the overall system or portions of the embodiments might include general purpose computing devices in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc. In some embodiments, the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc. In other embodiments, the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media. In this regard, machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.
  • It should also be noted that the term “input device,” as described herein, may include any type of input device or input devices including, but not limited to, a keyboard, a keypad, a mouse, joystick, or other input devices capable of performing a similar function. Comparatively, the term “output device,” as described herein, may include any type of output device or output devices including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices capable of performing a similar function.
  • Any foregoing references to currency or funds are intended to include fiat currencies, non-fiat currencies (e.g., precious metals), and math-based currencies (often referred to as cryptocurrencies). Examples of math-based currencies include Bitcoin, Litecoin, Dogecoin, and the like.
  • It should be noted that although the diagrams herein may show a specific order and composition of method steps, it is understood that the order of these steps may differ from what is depicted. For example, two or more steps may be performed concurrently or with partial concurrence. Also, some method steps that are performed as discrete steps may be combined, steps being performed as a combined step may be separated into discrete steps, the sequence of certain processes may be reversed or otherwise varied, and the nature or number of discrete processes may be altered or varied. The order or sequence of any element or apparatus may be varied or substituted according to alternative embodiments. Accordingly, all such modifications are intended to be included within the scope of the present disclosure as defined in the appended claims. Such variations will depend on the machine-readable media and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the disclosure. Likewise, software and web implementations of the present disclosure could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various database searching steps, correlation steps, comparison steps, and decision steps.
  • The foregoing description of embodiments has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from this disclosure. The embodiments were chosen and described to explain the principals of the disclosure and its practical application to enable one skilled in the art to utilize the various embodiments and with various modifications as are suited to the particular use contemplated. Other substitutions, modifications, changes, and omissions may be made in the design, operating conditions, and arrangement of the embodiments without departing from the scope of the present disclosure as expressed in the appended claims.

Claims (20)

What is claimed is:
1. A method, comprising:
receiving, by a computing system after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticating, by the computing system, the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
2. The method of claim 1, further comprising:
selecting, by the computing system and based on a predetermined time period and the merchant, the financial transaction.
3. The method of claim 1, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
4. The method of claim 1, wherein the aspect of the first purchase established as the network authentication credential includes a transaction amount of the first purchase.
5. The method of claim 1, wherein the aspect of the purchase established as the network authentication credential includes an identity of a product or service in the first purchase.
6. The method of claim 1, wherein the first query requests the customer to identify the product or service.
7. The method of claim 1, further comprising:
receiving, by the computing system, a description indicative of a second purchase by a customer, the second purchase occurring after the first purchase;
updating, by the computing system, the network security credential of the customer to include an aspect of the second purchase;
receiving, by the computing system, a second request to connect to the network from the customer device; and
transmitting, by the computing system, a second query to the customer device prompting the customer to input information regarding the aspect of the second purchase.
8. The method of claim 7, further comprising:
authenticating, by the computing system, the second request by determining that the customer-input response to the second query corresponds to the aspect of the second purchase; and
authorizing, by the computing system, connection of the customer device to the network based at least in part on the second request being authenticated.
9. The method of claim 1, further comprising:
transmitting, by the computing system, the aspect of the first purchase to a network agent associated with the merchant, the network agent to associate the aspect of the first purchase with information indicative of an identity of the customer device.
10. A merchant computing system comprising:
a memory and one or more processors configured to:
receive, after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmit a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticate the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorize connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
11. The system of claim 10, the processors to:
select, by the computing system and based on a predetermined time period and the merchant, the financial transaction.
12. The system of claim 10, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
13. The system of claim 10, wherein the aspect of the first purchase established as the network authentication credential includes a transaction amount of the first purchase.
14. The system of claim 10, wherein the aspect of the purchase established as the network authentication credential includes an identity of a product or service in the first purchase.
15. The system of claim 10, wherein the first query requests the customer to identify the product or service.
16. The system of claim 10, the processors to:
receive a description indicative of a second purchase by a customer, the second purchase occurring after the first purchase;
update the network security credential of the customer to include an aspect of the second purchase;
receive a second request to connect to the network from the customer device; and
transmit a second query to the customer device prompting the customer to input information regarding the aspect of the second purchase.
17. The system of claim 16, the processors to:
authenticate the second request by determining that the customer-input response to the second query corresponds to the aspect of the second purchase; and
authorize connection of the customer device to the network based at least in part on the second request being authenticated.
18. The system of claim 10, the processors to:
transmit the aspect of the first purchase to a network agent associated with the merchant, the network agent to associate the aspect of the first purchase with information indicative of an identity of the customer device.
19. A non-transitory computer readable medium including one or more instructions stored thereon and executable by a processor to:
receive, by a processor after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmit, by the processor, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticate, by the processor, the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorize, by the processor, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
20. The computer readable medium of claim 19, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
US18/199,722 2017-06-23 2023-05-19 Systems and methods for network authentication with a shared secret Pending US20230291550A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US18/199,722 US20230291550A1 (en) 2017-06-23 2023-05-19 Systems and methods for network authentication with a shared secret

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/632,094 US11233634B1 (en) 2017-06-23 2017-06-23 Systems and methods for network authentication with a shared secret
US17/583,024 US11695548B1 (en) 2017-06-23 2022-01-24 Systems and methods for network authentication with a shared secret
US18/199,722 US20230291550A1 (en) 2017-06-23 2023-05-19 Systems and methods for network authentication with a shared secret

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US17/583,024 Continuation US11695548B1 (en) 2017-06-23 2022-01-24 Systems and methods for network authentication with a shared secret

Publications (1)

Publication Number Publication Date
US20230291550A1 true US20230291550A1 (en) 2023-09-14

Family

ID=79689750

Family Applications (3)

Application Number Title Priority Date Filing Date
US15/632,094 Active 2037-12-25 US11233634B1 (en) 2017-06-23 2017-06-23 Systems and methods for network authentication with a shared secret
US17/583,024 Active US11695548B1 (en) 2017-06-23 2022-01-24 Systems and methods for network authentication with a shared secret
US18/199,722 Pending US20230291550A1 (en) 2017-06-23 2023-05-19 Systems and methods for network authentication with a shared secret

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US15/632,094 Active 2037-12-25 US11233634B1 (en) 2017-06-23 2017-06-23 Systems and methods for network authentication with a shared secret
US17/583,024 Active US11695548B1 (en) 2017-06-23 2022-01-24 Systems and methods for network authentication with a shared secret

Country Status (1)

Country Link
US (3) US11233634B1 (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080040271A1 (en) * 2006-06-19 2008-02-14 Ayman Hammad Portable Consumer Device Verification System
US20090037269A1 (en) * 2007-08-03 2009-02-05 Bassemir Richard T Integration of Cash Registers and WiFi Support for Customers
US20100242104A1 (en) * 2009-03-23 2010-09-23 Wankmueller John R Methods and systems for secure authentication
US20110302607A1 (en) * 2010-06-07 2011-12-08 Warrick Peter Hospitality media system operated by mobile device
US20120192258A1 (en) * 2009-07-17 2012-07-26 Boldstreet Inc. Hotspot network access system and method
US8423476B2 (en) * 1999-08-31 2013-04-16 American Express Travel Related Services Company, Inc. Methods and apparatus for conducting electronic transactions
US20140068723A1 (en) * 2011-10-25 2014-03-06 Toopher, Inc. Two-factor authentication systems and methods
US8751801B2 (en) * 2003-05-09 2014-06-10 Emc Corporation System and method for authenticating users using two or more factors
US20140189829A1 (en) * 2012-12-31 2014-07-03 Apple Inc. Adaptive secondary authentication criteria based on account data
US20140195380A1 (en) * 2013-01-09 2014-07-10 Nearbuy Systems, Inc. Wireless Analytics in Physical Spaces
US20140248852A1 (en) * 2009-01-28 2014-09-04 Headwater Partners I Llc Mobile device and service management
US20150088756A1 (en) * 2013-09-20 2015-03-26 Oleg Makhotin Secure Remote Payment Transaction Processing Including Consumer Authentication
US20150088746A1 (en) * 2013-09-26 2015-03-26 SayPay Technologies, Inc. Method and system for implementing financial transactions
US20150120559A1 (en) * 2013-10-29 2015-04-30 Douglas Fisher Enhancements to transaction processing in a secure environment
US20150195289A1 (en) * 2012-02-07 2015-07-09 Visa International Service Association Mobile human challenge-response test
US9298898B2 (en) * 2013-07-18 2016-03-29 At&T Intellectual Property I, L.P. Event-based security challenges
US20170118190A1 (en) * 2015-03-09 2017-04-27 Michigan Health Information Network - Mihin Method and apparatus for remote identity proofing service issuing trusted identities
US20180285877A1 (en) * 2017-03-31 2018-10-04 Mastercard International Incorporated Authentication using transaction history

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7024557B1 (en) 1999-12-30 2006-04-04 Samsung Electronics Co., Ltd. System and method for secure provisioning of a mobile station from a provisioning server using encryption
US7240202B1 (en) 2000-03-16 2007-07-03 Novell, Inc. Security context sharing
US7349871B2 (en) 2002-08-08 2008-03-25 Fujitsu Limited Methods for purchasing of goods and services
US7577836B2 (en) 2004-01-16 2009-08-18 Verizon Business Global Llc Method and system for secured wireless data transmission to and from a remote device
US8700729B2 (en) 2005-01-21 2014-04-15 Robin Dua Method and apparatus for managing credentials through a wireless network
US8638806B2 (en) 2007-05-25 2014-01-28 Hand Held Products, Inc. Wireless mesh point portable data terminal
US8145212B2 (en) 2007-12-06 2012-03-27 Evolving Systems, Inc. Wireless device activation
US8666904B2 (en) 2008-08-20 2014-03-04 Adobe Systems Incorporated System and method for trusted embedded user interface for secure payments
FR2959896B1 (en) 2010-05-06 2014-03-21 4G Secure METHOD FOR AUTHENTICATING A USER REQUIRING A TRANSACTION WITH A SERVICE PROVIDER
US8719573B2 (en) 2012-01-27 2014-05-06 Intuit Inc. Secure peer discovery and authentication using a shared secret
US20150026779A1 (en) 2013-07-16 2015-01-22 Qualcomm Connected Experiences, Inc. Performing remote wi-fi network configuration when a network security protocol is unknown
EP3039907A2 (en) 2013-08-29 2016-07-06 Interdigital Patent Holdings, Inc. Methods, apparatus and systems for wireless network selection
US9100175B2 (en) 2013-11-19 2015-08-04 M2M And Iot Technologies, Llc Embedded universal integrated circuit card supporting two-factor authentication
US9781098B2 (en) 2014-09-24 2017-10-03 Oracle International Corporation Generic server framework for device authentication and management and a generic framework for endpoint command dispatch
US9626525B2 (en) 2014-12-31 2017-04-18 Citrix Systems, Inc. Shared secret vault for applications with single sign on

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8423476B2 (en) * 1999-08-31 2013-04-16 American Express Travel Related Services Company, Inc. Methods and apparatus for conducting electronic transactions
US8751801B2 (en) * 2003-05-09 2014-06-10 Emc Corporation System and method for authenticating users using two or more factors
US20080040271A1 (en) * 2006-06-19 2008-02-14 Ayman Hammad Portable Consumer Device Verification System
US20090037269A1 (en) * 2007-08-03 2009-02-05 Bassemir Richard T Integration of Cash Registers and WiFi Support for Customers
US20140248852A1 (en) * 2009-01-28 2014-09-04 Headwater Partners I Llc Mobile device and service management
US20100242104A1 (en) * 2009-03-23 2010-09-23 Wankmueller John R Methods and systems for secure authentication
US20120192258A1 (en) * 2009-07-17 2012-07-26 Boldstreet Inc. Hotspot network access system and method
US20110302607A1 (en) * 2010-06-07 2011-12-08 Warrick Peter Hospitality media system operated by mobile device
US20140068723A1 (en) * 2011-10-25 2014-03-06 Toopher, Inc. Two-factor authentication systems and methods
US20150195289A1 (en) * 2012-02-07 2015-07-09 Visa International Service Association Mobile human challenge-response test
US20140189829A1 (en) * 2012-12-31 2014-07-03 Apple Inc. Adaptive secondary authentication criteria based on account data
US20140195380A1 (en) * 2013-01-09 2014-07-10 Nearbuy Systems, Inc. Wireless Analytics in Physical Spaces
US9298898B2 (en) * 2013-07-18 2016-03-29 At&T Intellectual Property I, L.P. Event-based security challenges
US20150088756A1 (en) * 2013-09-20 2015-03-26 Oleg Makhotin Secure Remote Payment Transaction Processing Including Consumer Authentication
US20150088746A1 (en) * 2013-09-26 2015-03-26 SayPay Technologies, Inc. Method and system for implementing financial transactions
US20150120559A1 (en) * 2013-10-29 2015-04-30 Douglas Fisher Enhancements to transaction processing in a secure environment
US20170118190A1 (en) * 2015-03-09 2017-04-27 Michigan Health Information Network - Mihin Method and apparatus for remote identity proofing service issuing trusted identities
US20180285877A1 (en) * 2017-03-31 2018-10-04 Mastercard International Incorporated Authentication using transaction history

Also Published As

Publication number Publication date
US11233634B1 (en) 2022-01-25
US11695548B1 (en) 2023-07-04

Similar Documents

Publication Publication Date Title
US11954674B1 (en) Systems and methods for third party token based authentication
US11551200B1 (en) Systems and methods for activating a transaction card
US20210390548A1 (en) Passwordless authentication through use of device tokens or web browser cookies
US11954670B1 (en) Systems and methods for digital account activation
US20170308896A1 (en) Methods and apparatus for brokering a transaction
US20220188786A1 (en) Systems and methods for user data management across multiple devices
US12099995B2 (en) Systems and methods for providing a code to a user device
US10949859B2 (en) Enhancing information security via the use of a dummy credit card number
US11132425B1 (en) Systems and methods for location-binding authentication
US20170148009A1 (en) Dynamic multilayer security for internet mobile-related transactions
US20220094678A1 (en) Systems and methods for user authentication based on multiple devices
US11617081B1 (en) Passive authentication during mobile application registration
US11373176B2 (en) Systems and methods for federated identity management
US20230289767A1 (en) P2P PAYMENTS VIA INTEGRATED 3RD PARTY APIs
US11049101B2 (en) Secure remote transaction framework
US20230237172A1 (en) Data broker
US11526880B2 (en) Dynamic security code for a card transaction
US11695548B1 (en) Systems and methods for network authentication with a shared secret
US11244297B1 (en) Systems and methods for near-field communication token activation

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED