US20230291550A1 - Systems and methods for network authentication with a shared secret - Google Patents
Systems and methods for network authentication with a shared secret
- Publication number
- US20230291550A1
- Authority
- US
- United States
- Prior art keywords
- customer
- purchase
- merchant
- network
- computing system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3821—Electronic credentials
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- the fraudster establishes a network access point (e.g., a mobile hotspot) in a location associated with a legitimate network (e.g., a network associated with a merchant).
- the fraudster configures the access point to mimic the legitimate network (e.g., in name and appearance).
- Individuals connect to the fraudulent network and communicate private information (e.g., payment credentials) with various other entities.
- the fraudster intercepts these communications and gains access to the private information.
- An embodiment relates to a computer-implemented method.
- the method can include associating, by a computing system associated with a merchant, a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving, by the computing system, the first request to connect to the network provided by the merchant from the customer device after completion of the purchase, selecting, by the computing system, the financial transaction based on the predetermined time period and the merchant, transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving, by the computing system, a customer-input response to the first query,
- the computing system can include a network interface enabling the computing system to exchange information over a network provided by the merchant, a customer database configured to store information pertaining to a plurality of customer purchases of a plurality of customers, wherein the customer purchases are from the merchant, and a processing circuit configured to associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receive, by the network interface, the first request to connect to the network from the customer device after completion of the first purchase, select the financial transaction based on the predetermined time period and the merchant, transmit, by the network interface, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication
- Another embodiment relates to a non-transitory computer readable medium having computer-executable instructions embodied therein that, when executed by a computing system, cause the computing system to perform operations to authorize a request to connect to a network.
- the operations can include associating a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving the first request to connect to a network from the customer device after completion of the first purchase, selecting the financial transaction based on the predetermined time period and the merchant, transmitting a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving a customer-input response to the
- FIG. 1 is a block diagram of a network security system, according to an example embodiment.
- FIG. 2 is a flow diagram of a method of establishing a shared secret network authentication credential with a customer, according to an example embodiment.
- FIG. 3 is a network security user interface, according to an example embodiment.
- FIG. 4 is another network security user interface, according to an example embodiment.
- FIG. 5 is a flow diagram of a method of authorizing a network connection request, according to an example embodiment.
- the figures include a merchant computing system associated with a merchant.
- a customer may engage in a transaction at the merchant and also seek to connect to a network (e.g., a local network established via a Wi-Fi connection) provided by the merchant.
- the merchant computing system enables the customer to establish a shared secret as a network authentication credential.
- the shared secret may be generated based on the relationship (e.g., past financial or non-financial transactions) between the customer and the merchant.
- systems and methods disclosed herein enable mutual (two-way) authentication between the customer and the merchant. As such, the systems and methods disclosed herein facilitate enhanced security of private customer information.
- the embodiments and implementations of the systems and methods disclosed herein improve current network authentication systems by enabling customers to establish dynamic authentication credentials for networks at specific locations. For example, on an airline, the customer’s seat number may be established as a network authentication credential. Such credentials make it much more difficult for fraudsters to emulate networks provided at various merchants. If the customer is not asked for the credential when attempting to access the network, then the customer is made aware of the potential for fraud.
- the systems and methods disclosed herein provide a unique solution to the problem of establishing a shared secret credential between a customer and a merchant.
- the systems and methods disclosed herein utilize information regarding a first service provided by the merchant to a customer (e.g., the sale of a product) to authenticate the customer with respect to a second service (e.g., connection to a local network) provided by the merchant to the customer.
- the merchant may pre-emptively establish information regarding the first service to authenticate the customer with respect to the second service.
- a shared secret credential including information known or readily available may be available for use in authenticating the customer. This is a benefit over current systems, which may require the customer to obtain information (e.g., read a unique code) prior to a shared-secret credential being established. As such, the systems and methods disclosed herein provide efficiency and security benefits and a more convenient customer experience over current systems.
- the systems and methods disclosed herein provide for greater flexibility in terms of customer authentication processes than provided by current systems.
- the merchant may select data regarding a first customer transaction as a shared secret credential.
- the merchant may select data regarding a second customer transaction.
- the first and second customer transactions may occur in any order (e.g., the second customer transaction may occur prior to the first customer transaction). Due to this flexibility, the merchant may regularly update the customer’s shared secret credential, even if no additional information regarding the customer becomes available between customer utilizations of the second service. Such updating further enhances the security of customer information.
- the systems, methods, and computer implementations disclosed improve current network security methods by providing functionalities that are novel and non-obvious over current systems.
- referring to FIG. 1, a block diagram of a network security system 100 is shown according to an example embodiment.
- the network security system 100 facilitates enhanced security of a merchant local network 105 by establishing a shared secret between a customer and a merchant as a network authentication credential.
- the network security system 100 includes a merchant network agent 110 and a merchant computing device 120, both associated with a merchant, and a customer computing device 140 associated with a customer.
- Various components of the network security system 100 may be configured to communicate over the network 150.
- the network 150 is a data exchange medium, which may include wireless networks (e.g., cellular networks, Bluetooth®, WiFi, Zigbee®, etc.), wired networks (e.g., Ethernet, DSL, cable, fiber-based, etc.), or a combination thereof.
- the network 150 includes the internet.
- the merchant network agent 110 is a device associated with the merchant and configured to generate the merchant local network 105 through being communicatively coupled to the network 150.
- the merchant may be any entity that provides any sort of product or service to customers.
- the merchant may be a financial institution, a brick-and-mortar merchant (e.g., a restaurant or a coffee shop), an airport, or any other entity.
- Merchant network agent 110 may include any device capable of establishing a connection and communicating data with an external device.
- the merchant network agent 110 includes a wireless router configured to communicate information over the network 150 and generate wireless signals that are broadcasted to create the merchant local network 105.
- the merchant network agent 110 is shown to include a wide area network interface 112 which enables the network agent 110 to exchange data over the network 150, a network control circuit 114, and an access point 116.
- the access point 116 is configured to broadcast a wireless network signal capable of being received by external computing devices (e.g., the merchant computing system 120, the customer computing device 140, etc.) to facilitate the connection of the external computing devices to create the merchant local network 105.
- the wireless network signal broadcasted by the access point 116 may generate a wireless personal area network (WPAN), and include, for example, a Bluetooth® radio signal or infrared signal.
- the wireless network includes a WiFi signal, a WiMAX signal, wireless WAN signal, or the like.
- the wireless network signal broadcasted by the merchant network agent 110 is received by other computing devices, such as the customer computing device 140 and merchant computing system 120.
- the other devices may be authenticated by the methods disclosed herein to gain complete access to the merchant local network 105.
- encryption keys may be exchanged between the customer computing device 140 and the merchant network agent 110 enabling the customer computing device 140 to exchange information with additional computing systems.
- the merchant network agent 110 provides external devices with access to an external network (e.g., the network 150).
- the wireless network signal broadcasted by the access point 116 includes a unique identifier associated with the merchant local network 105.
- the unique identifier includes a name of the merchant local network 105, which may be associated with the name of the merchant.
- the customer computing device 140 may display the name of the merchant local network 105 to the customer and enable the customer to request to establish a connection with the merchant local network 105.
- Such an arrangement creates an opportunity for fraudsters to steal private information, as fraudsters may create networks having a unique identifier that mimics the unique identifier associated with the merchant local network 105.
- the network control circuit 114 is configured to manage connections between the merchant network agent 110 and various other external devices.
- the network control circuit 114 may include an authentication circuit (not shown) configured to authenticate requests to connect to the merchant local network 105 received from external devices.
- in response to the merchant network agent 110 receiving a request to connect to the merchant local network 105 from a requestor, the merchant network agent 110 transmits an authentication packet to the customer computing device 140 via the network control circuit 114.
- the authentication packet requests at least one authentication credential (e.g., a password) from the requestor.
- the network control circuit 114 may compare the requestor-input response to a stored value and authenticate the request if a match is found.
- the password may be a shared secret credential established for the customer based on a pre-existing relationship between the customer and merchant (e.g., a customer account).
- the password may be based on a credential associated with a payments platform utilized by the customer to pay the merchant.
- the network control circuit 114 may request mobile wallet credentials associated with a mobile wallet of the customer, and the network control circuit 114 may initiate communications with a mobile wallet computing system associated with the provider of the customer’s mobile wallet to verify that customer-input mobile wallet credentials match credentials stored at the mobile wallet computing system (e.g., the mobile wallet computing system may verify the customer-input credentials and notify the merchant network agent 110 of the verification).
- the network control circuit 114 is configured to monitor the various devices that are connected to the merchant local network 105.
- the merchant network agent 110 may assign an IP address to the customer computing device 140 via the Dynamic Host Configuration Protocol (DHCP).
- the merchant network agent 110 may select an IP address from a pool of IP addresses stored at the merchant network agent 110 for customer computing devices 140 and temporarily or permanently assign the selected IP address to the customer computing device 140.
- a network interface e.g., the network interface 142
- the customer computing device 140 has a unique identifier (e.g., a MAC address) associated therewith.
- Communications between the customer computing device 140 and the merchant network agent 110 may include the unique identifier.
- the network control circuit 114 may maintain a log of the various IP addresses assigned based on such unique identifiers. This way, based on the IP addresses currently assigned by the merchant network agent 110, the merchant network agent 110 may identify the specific external devices (and the identities of the customers associated therewith) connected to the merchant local network 105.
- the network control circuit 114 is configured to operate in concert with the merchant computing system 120 to authenticate requests to connect to the merchant local network 105.
- the network control circuit 114 receives data indicative of interactions (e.g., transactions) between the customer and the merchant, and establishes the received data as a network authentication credential for the customer.
- the network control circuit 114 maintains an authentication credential directory.
- Such a directory may include a number of entries associated with various devices that have connected to the merchant local network 105.
- each entry is associated with a MAC address of an external device.
- the entries may include information regarding a plurality of transactions engaged in by the customer associated with the device.
- the network control circuit 114 may generate a temporary network authentication credential used to authenticate the customer computing device 140 prior to authorizing connection of the external device to the merchant local network 105.
- the customer purchases a product (e.g., a cup of coffee) at a merchant.
- the customer may provide payment information to the merchant (e.g., via the merchant computing system 120).
- payment information may include, for example, a customer account number at a financial institution.
- the merchant computing system 120 may provide the received payment information to the merchant network agent 110.
- the merchant computing system 120 may transmit additional information (e.g., an identity of the purchased product, the amount of the purchase, the timing of the transaction, etc.) to the merchant network agent 110.
- the network control circuit 114 may establish an aspect of the data received from the merchant computing system 120 as a network authentication credential for the customer. To do this, the network control circuit 114 may first associate the received information regarding the purchase with an entry in the directory of network authentication credentials discussed above.
- the directory may include a lookup table that matches portions of customer payment information (or information associated with an account of the customer at the merchant) to a particular external device (e.g., the customer computing device 140).
- the merchant network agent 110 may associate the information regarding the customer purchase with the customer computing device 140.
- the network control circuit 114 may select an aspect of the purchase information (e.g., a transaction amount, a product identity, etc.) to establish as a network authentication credential for the customer.
- the network control circuit 114 selects an aspect of the purchase data as an authentication credential upon receipt of a request to connect to the merchant local network 105 from the customer computer device 140 . For example, based on a MAC address received from the customer computing device 140 , the network control circuit 114 selects an aspect of the purchase data stored in the network authentication credential directory. In some embodiments, the network control circuit 114 establishes an aspect of the purchase data as an authentication credential prior to receiving a connection request from the customer computer device 140 . This way, upon receipt of a connection request from the customer computer device 140 , the merchant network agent 110 retrieves the established credential and compares it to any responses provided by the customer.
- the merchant network agent 110 updates the authentication credential associated with the customer computing device 140 each time a connection request is received from the customer computing device 140 .
- the network control circuit 114 periodically (e.g., weekly) updates the authentication credential associated with the customer computing device 140 .
- the network control circuit 114 is configured to transmit a notification signal to the merchant computing system 120 upon receipt of a connection request from the customer computing device 140 .
- the merchant computing system 120 may authenticate the connection request or provide an authentication credential to the merchant network agent 110 .
- the network control circuit 114 is configured to establish accounts for customers who connect to the merchant local network but do not yet have accounts with the merchant. For example, the network control circuit 114 may determine if a particular customer has an account with a merchant based on communications with the customer computing device 140 . For example, if the directory maintained in the merchant network agent 110 does not contain a MAC address associated with the customer computing device 140 , the network control circuit 114 may determine that the customer does not have an account (or at least that the customer computing device 140 is not associated with the customer’s account). In such cases, the merchant network agent 110 may transmit a registration packet to the customer computing device 140 . The registration packet may prompt the customer to indicate a preference to establish a shared secret authentication credential for accessing the merchant local network 105 .
- in response to the customer indicating a preference to establish a shared secret credential, the merchant network agent 110 may transmit an application (e.g., the merchant client application 144 described below) to the customer computing device 140 .
- the application may enable the customer to register payment accounts with the merchant computing system 120 .
- the merchant computing system 120 is able to tie the transactions to a particular customer account and render information regarding the transactions usable as an authentication credential for the merchant local network 105 .
- the application may enable the customer to view information regarding previous transactions at the merchant, thus facilitating the use of such information as a network authentication credential.
- the merchant computing system 120 is a computing system associated with the merchant.
- the merchant computing system 120 includes a network interface 122 which enables the merchant computing system 120 to communicate data over the merchant local network 105 , a customer database 124 , a transaction circuit 126 , an account management circuit 128 , and a merchant input/output (“I/O”) device 130 .
- the merchant I/O device 130 includes hardware and associated logics configured to enable the merchant computing system 120 to exchange information with a customer and other merchant personnel.
- An input aspect of merchant I/O device 130 allows various users to provide information to the merchant computing system 120 and may include, for example, a mechanical keyboard, a touchscreen, a microphone, a camera, a fingerprint scanner, any user input device engageable to the merchant computing system 120 via a USB, serial cable, Ethernet cable, and so on.
- the merchant I/O device 130 includes a point of sale (POS) device (e.g., a card reader or the like) configured to receive customer payment information from a payment card or mobile wallet presented by the customer to make a purchase at the merchant.
- An output aspect of the merchant I/O device 130 allows users to receive information from the merchant computing system 120 and may include, for example, a digital display, a speaker, illuminating icons, LEDs, and so on.
- the merchant I/O device 130 includes radio frequency transceivers (e.g., RF or NFC-based transceivers) and other short range wireless transceivers (e.g., Bluetooth™, laser-based data transmitters, etc.) configured to communicate data with external devices such as the customer computing device 120 . For example, via such transceivers, the customer may make a payment for a purchase via a mobile wallet.
- the merchant I/O device 130 includes a barcode or QR code scanner configured to gather information from various codes presented to the merchant computing system 120 by the customer. For example, at the time of a customer purchase, the customer may present a product to be purchased to an attendant at the merchant computing system 120 . In response, the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126 ) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130 .
- such a scanner enables the customer to make payments for purchases at the merchant.
- the customer may have an account with the merchant, and have installed an application (e.g., the merchant client application 144 ) on the customer computing device 140 , enabling the customer to fund the account.
- the application may enable the customer computing device 140 to generate a QR code to make a payment for a purchase.
- the merchant computing system 120 may deduct the purchase amount from the customer’s account.
- the customer database 124 is configured to store information regarding accounts associated with a number of customers of the merchant.
- Customer account information may include, for example, customer identifying information, customer login information (e.g., usernames, passwords, and the like), payment information (e.g., credit or debit card numbers, bank account numbers, mobile wallet account numbers or addresses, etc.), customer account preferences (e.g., addresses, payment methods), and customer history information (e.g., transaction histories).
- customer account information stored at the customer database 124 may also include information regarding the customer computing device 140 .
- the customer database 124 may include information regarding IP addresses assigned to the customer computing device 140 by the merchant network agent 110 .
- the customer database 124 may store network authentication credentials established for the customer.
- the account management circuit 128 is configured to manage customer accounts at the merchant. In this regard, in some embodiments, the account management circuit 128 is configured to assign data regarding various transactions via the merchant computing system 120 to customer accounts. In this regard, upon the customer providing payment information (e.g., a primary account number associated with a customer payment account at a financial institution) to the merchant computing system 120 , the account management circuit 128 may query the customer database 124 to determine if the customer input account information has been previously associated with an account established by the customer. If so, the account management circuit 128 may store data regarding the transaction (e.g., product purchased, transaction amount, transaction timing, location, etc.) in a transaction entry associated with an identified account. In some embodiments, in the event that a customer makes a payment using funds of an account held by the customer at the merchant (e.g., via the QR code discussed above), the account management circuit 128 may update the customer’s account funding balance to reflect the payment.
- the account management circuit 128 is configured to transmit customer transaction data to an external server that provides an application (e.g., the merchant client application 144 ) to the customer computing device 140 .
- the account management circuit 128 may formulate an information packet identifying the customer’s account, including the transaction information for transmittal to the external computing system over the network 150 . After this information is transmitted to the external system, the customer may view the transaction by accessing the merchant client application 144 .
- if an aspect of the transaction is later used (e.g., by the merchant network agent 110 ) as a network authentication credential but the customer forgets the transaction, then the customer is able to view the transaction in the merchant client application 144 prior to entering the credential.
- the account management circuit 128 is configured to manage customer network authentication credentials.
- the account management circuit 128 may be configured to transmit data stored in association with a customer account to the merchant network agent 110 , which may establish a subset of the data as a user network authentication credential via the methods discussed above.
- the account management circuit 128 is configured to establish customer network authentication credentials.
- the account management circuit 128 may select a subset of transaction information stored in association with a customer’s account in the customer database 124 to establish as a customer network authentication credential.
- the selection is based in part on previous customer network authentication credentials.
- the account management circuit 128 may maintain a log of customer network authentication credentials used at various times and update the customer’s authentication credential (e.g., to correspond to a different transaction of the customer or a different aspect of a transaction). If the customer’s current network authentication credential has been used for more than a predetermined period, for example, the account management circuit 128 may select a subset of data among data describing the customer’s most recent transactions at the merchant for establishment as a network authentication credential.
- the account management circuit 128 may cause the merchant computing system 120 to transmit the credential to the merchant network agent 110 .
- the merchant network agent 110 may store the credential in association with the customer computing device 140 (e.g., based on a MAC address) such that, when the next request to connect to the merchant local network 105 is received from the customer computing device 140 , the customer is required to input information regarding a previous transaction to access the merchant local network 105 .
- the shared secret can be used for authentication using any of various methods such as challenge-response or it can be used as an input to a key derivation function to produce one or more keys to use for encrypting and/or MACing messages.
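
The two uses named above, sketched as an added example (not code from the patent): both sides stretch the transaction parameter with PBKDF2, split the result into a MAC key and an encryption key, and run a nonce-based challenge-response. The function names, the salt built from the device MAC address, the iteration count and the key labels are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumption: the page names no KDF or work factor; this value is illustrative.
PBKDF2_ITERATIONS = 200_000


def canonical_secret(parameter: str) -> bytes:
    """Normalize case and whitespace so both sides derive from identical bytes."""
    return " ".join(parameter.casefold().split()).encode("utf-8")


def derive_keys(parameter: str, device_mac: str) -> tuple[bytes, bytes]:
    """Stretch the shared secret, then split it into (mac_key, enc_key)."""
    # Assumption: a per-device salt built from the MAC address in the directory.
    salt = b"merchant-local-network|" + device_mac.lower().encode("ascii")
    master = hashlib.pbkdf2_hmac(
        "sha256", canonical_secret(parameter), salt, PBKDF2_ITERATIONS
    )
    # Separate labels keep the MAC key and the encryption key independent.
    mac_key = hmac.new(master, b"mac-key", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"enc-key", hashlib.sha256).digest()
    return mac_key, enc_key


def new_challenge() -> bytes:
    """Agent side: a fresh random nonce for every connection request."""
    return secrets.token_bytes(32)


def respond(parameter: str, device_mac: str, challenge: bytes) -> bytes:
    """Device side: prove knowledge of the secret without sending it."""
    mac_key, _ = derive_keys(parameter, device_mac)
    message = challenge + device_mac.lower().encode("ascii")
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(stored_parameter: str, device_mac: str,
           challenge: bytes, response: bytes) -> bool:
    """Agent side: recompute the expected response and compare in constant time."""
    expected = respond(stored_parameter, device_mac, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    mac = "AA:BB:CC:DD:EE:FF"
    challenge = new_challenge()
    answer = respond("Large Latte", mac, challenge)
    print("accepted:", verify("large latte", mac, challenge, answer))
    print("replayed:", verify("large latte", mac, new_challenge(), answer))
```

A transaction amount or product name carries little entropy, so the slow KDF only raises the cost of each guess against a captured exchange; it does not make the secret strong.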
- the transaction circuit 126 is configured to formulate transaction requests associated with various purchases of the customer. As such, the transaction circuit 126 is communicably coupled to the merchant I/O device 130 , customer database 124 , and network interface 122 . For example, upon receiving customer payment information regarding a customer purchase, the transaction circuit 126 determines a total transaction amount (e.g., based on the identity of the product being purchased), bundles the total with the customer payment information to make a transaction request, and transmits the transaction request to a financial institution (e.g., associated with a customer payment card or mobile wallet) over the network 150 . The financial institution may authorize the transaction and provide an indication of the authorization to the merchant computing system 120 over the network 150 .
- the customer computing device 140 is a computing device associated with a customer.
- the customer computing device 140 may be used by the customer to connect to the merchant local network 105 .
- the customer computing device 140 includes one or more processors and non-transitory storage mediums housing one or more logics configured to enable the customer computing device 140 to exchange data over the network, execute software applications, access websites, generate graphical customer interfaces, and perform other operations. Examples of the customer computing device 140 include a personal computer (e.g., desktop or laptop computer), smartphones, tablets, wearable computing devices (e.g., a smartwatch), and the like.
- the customer computing device 140 may be configured to enable the customer to communicate information (e.g., transaction information) to merchant computing system 120 .
- the customer computing device 140 includes a customer network interface 142 enabling the customer computing device 140 to exchange data over the network 150 , a merchant client application 144 , and a customer I/O device 146 .
- the customer I/O device 146 includes hardware and associated logics configured to enable the customer computing device 140 to exchange information with a customer (e.g., via hardware and associated logics similar to that discussed above with respect to the merchant I/O device 130 ).
- the merchant client application 144 is structured to provide various displays on the customer computing device 140 that enable the customer to view information regarding various transactions engaged in by the customer at the merchant. Additionally, the displays may also enable the customer to register payment cards (e.g., debit cards, credit cards, and the like) with the merchant, and to fund a customer account at the merchant so as to enable the customer to engage in transactions at the merchant via the merchant client application 144 (e.g., via a QR code or the like).
- the merchant client application 144 may be communicably coupled to the merchant computing system 120 (or another external computing system configured to provide the merchant client application 144 to the customer computing device 140 ).
- the merchant client application 144 is a separate software application implemented on the customer computing device 140 .
- the merchant client application 144 may be downloaded by the customer computing device 140 , be hard coded into the memory of the customer computing device 140 , or be a web-based interface application such that the merchant client application 144 may provide a web browser to the application, which may be executed remotely from the customer computing device 140 . In the latter instance, the customer may have to log onto or access the web-based interface before usage of the application.
- the merchant client application 144 may be supported by a separate computing system including one or more servers, processors, network circuits, and so on that transmit applications for use to the customer computing device 140 .
- the merchant client application 144 includes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications with the merchant client application 144 .
- the method 200 may be performed by a combination of the merchant network agent 110 (e.g., via the network control circuit 114 ) and the merchant computing system 120 (e.g., via the account management circuit 128 ).
- a request to connect to the merchant local network 105 is received.
- the customer may bring a customer computer device 140 within the range of the wireless signal broadcasted by the merchant network agent 110 such that the name of the merchant local network 105 shows up on the customer computing device 140 (e.g., as a wireless network option to connect to).
- the customer may select the name, thereby causing a connection request to be transmitted by the customer computing device 140 to the merchant network agent 110 .
- the customer is presented with a network security preference interface.
- the merchant network agent 110 determines if the customer has already established a shared secret network authentication credential based on the connection request received at 202 .
- the network control circuit 114 may query a database with a unique identifier (e.g., MAC address) included in the connection request. If the identifier is not in the database, the network control circuit 114 may determine that the customer has not established a shared secret network authentication credential and transmit a registration packet to the customer computing device 140 .
- the registration packet may cause the customer computing device 140 (e.g., via a web browser) to present the customer with an interface enabling the customer to indicate a preference to establish the shared secret credential.
- a network security interface 300 is shown, according to an example embodiment.
- the interface 300 is presented to a customer upon the customer requesting to connect to the merchant local network 105 .
- the merchant network agent 110 may query a database for entries regarding the customer computing device 140 . If no entries are found (e.g., if no shared secret network credential has been established for the customer computing device 140 ), then the merchant network agent 110 transmits an authorization packet to the customer computing device 140 , which presents the interface 300 to the customer.
- the interface 300 includes a username entry field 302 , a password field 304 and a shared secret preference window 304 .
- the username entry field 302 and password entry field 304 are configured to receive customer-input network credentials.
- the customer-input password may be transmitted to the merchant network agent 110 , which may compare the customer-input credentials to a pre-established password for the merchant local network 105 .
- the shared secret preference window 304 is configured to receive a customer input to establish a shared secret network credential for the merchant local network 105 via a customer preference selection button 306 .
- the shared secret preference window prompts the customer to indicate whether the customer has an account (e.g., a loyalty account) at the merchant.
- the interface 300 may prompt the customer to input credentials (e.g., a username and password) associated with an account at the merchant.
- a customer preference to establish a shared secret network authentication credential is received.
- the customer may interact with the network security preference interface presented to the customer at 204 in such a way that indicates a customer preference to establish a shared secret network authentication credential.
- the merchant network agent 110 determines if the customer has established an account with the merchant. In some embodiments, the merchant network agent 110 makes this determination based on an input received from the customer. For example, based on information (e.g., authentication credentials) provided by the customer in response to the authorization packet transmitted to the customer computing device 140 at 206 , the merchant network agent 110 may access a directory (e.g., the customer database 124 ) that includes information regarding various customer accounts. If the information input by the customer matches that of an account stored in the directory, then the merchant network agent 110 may determine that the customer has an account with the merchant. In some embodiments, the merchant network agent 110 maintains such a directory. In some embodiments, the merchant network agent 110 communicates with the merchant computing system 120 , which maintains the directory, to determine if the customer has an account.
- customer account information is retrieved.
- the merchant network agent 110 requests and receives information regarding a customer account from the merchant computing system 120 .
- the requested information may contain information describing various aspects of the customer’s account with the merchant (e.g., information regarding various customer transactions at the merchant).
- a database similar to the customer database 124 is maintained at the merchant network agent 110 , and the network control circuit 114 retrieves the customer account information based on information received from the customer computing device 140 .
- parameters of a prior customer transaction at the merchant are established as an initial shared secret network authentication credential.
- the network control circuit 114 or merchant computing system 120 may perform a multi-step process to select the credential.
- a prior customer transaction (or prior customer interaction) at the merchant is selected.
- the network control circuit 114 selects the most recent transaction engaged in by the customer for establishment as a shared secret network authentication credential.
- the network control circuit 114 selects from amongst a number of customer transactions that occurred within a predetermined time period of the customer indicating the preference to establish a shared secret network authentication credential.
- such a selection is performed at the merchant computing system 120 (e.g., via the account management circuit 128 ).
- Upon selecting a customer transaction, the network control circuit 114 selects a parameter of the selected transaction to establish as the shared secret. In various embodiments, the network control circuit 114 randomly selects from a number of different parameters such as timing, location, transaction amount, and the identity of the product purchased. To establish the selected parameter as the shared secret, the network control circuit 114 may transmit a second authorization packet to the customer computing device 140 . The second authorization packet may cause the customer computing device 140 to present an additional interface to the customer. The additional interface may query the customer regarding the selected parameter for the prior customer transaction at the merchant.
- the interface 400 may be presented to the customer upon the merchant network agent 110 or the merchant computing system 120 selecting a parameter regarding a prior customer transaction to establish as a shared secret network authentication credential.
- the interface 400 includes a query window 402 and a submission button 408 .
- the query window 402 contains a description of a prior customer transaction at the merchant as well as the parameter (e.g., product identity) of that transaction that was selected to serve as the customer’s initial shared secret credential.
- the query window 402 prompts the customer to input information regarding the selected parameter via the data field 406 .
- the query window includes multiple options, one of which being the parameter selected to serve as the shared secret.
- the submission button 408 is configured to receive a customer input to transmit a customer-input response to the merchant network agent 110 .
- the customer-input response must meet predetermined criteria prior to the customer being authorized to fully access the merchant local network 105 .
- the customer-input response must match the selected parameter prior to the customer being authorized to connect to the merchant local network 105 .
- the customer-input description of a purchased product must match a predetermined merchant description (or one of a number of predetermined merchant descriptions configured to account for customer spelling errors) of the purchased product.
- the customer-input response must be within a threshold of the parameter selected to serve as the shared secret.
- the customer-input amount may have to be within a predetermined percentage (e.g., 10% of the actual transaction amount) in order for the customer to be authorized to fully access the merchant local network 105 .
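
The acceptance criteria above (match against a set of accepted descriptions, or an amount within a percentage of the actual value), combined with the MAC-address directory lookup, as an added example that is not code from the patent. The `Credential` record, the function names, the sample directory and the failed-attempt cap are assumptions; the page describes no attempt limit.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumption: the page sets no limit on guesses; this cap is added here.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class Credential:
    parameter: str                                  # "product" or "amount"
    expected: str                                   # value from the stored transaction
    accepted_variants: frozenset[str] = frozenset() # misspellings the merchant accepts
    tolerance_pct: Decimal = Decimal("10")          # the 10% example from the text
    failed_attempts: int = 0


def _normalize(text: str) -> str:
    """Case-fold and collapse whitespace before comparing descriptions."""
    return " ".join(text.casefold().split())


def _parse_amount(text: str) -> Decimal | None:
    """Parse a customer-typed amount; reject junk, NaN, infinities, negatives."""
    try:
        value = Decimal(text.strip().lstrip("$").replace(",", ""))
    except InvalidOperation:
        return None
    return value if value.is_finite() and value >= 0 else None


def response_matches(cred: Credential, response: str) -> bool:
    if cred.parameter == "amount":
        actual = _parse_amount(cred.expected)
        given = _parse_amount(response)
        if actual is None or given is None:
            return False
        # Decimal arithmetic avoids float rounding at the edge of the window.
        return abs(given - actual) <= actual * cred.tolerance_pct / 100
    accepted = {_normalize(cred.expected)}
    accepted |= {_normalize(v) for v in cred.accepted_variants}
    return _normalize(response) in accepted


def authorize(directory: dict[str, Credential], mac: str, response: str) -> str:
    """Return 'register', 'locked', 'granted' or 'denied' for one response."""
    cred = directory.get(mac.lower())
    if cred is None:
        return "register"      # unknown device: send the registration packet
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"
    if response_matches(cred, response):
        cred.failed_attempts = 0
        return "granted"
    cred.failed_attempts += 1
    return "denied"


def sample_directory() -> dict[str, Credential]:
    """Constructed sample entries keyed by lower-case MAC address."""
    return {
        "aa:bb:cc:dd:ee:ff": Credential("amount", "42.50"),
        "11:22:33:44:55:66": Credential(
            "product", "Espresso Machine",
            frozenset({"expresso machine", "espresso maker"}),
        ),
    }


if __name__ == "__main__":
    directory = sample_directory()
    print(authorize(directory, "AA:BB:CC:DD:EE:FF", "$46.75"))   # edge of the window
    print(authorize(directory, "11:22:33:44:55:66", "Expresso  machine"))
    print(authorize(directory, "de:ad:be:ef:00:01", "anything"))
```

With a percentage window, each guess covers a range of amounts rather than a single value, which is why the sketch counts failed attempts per device.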
- the directory at the merchant network agent 110 is updated such that the customer will automatically be prompted to input a shared secret prior to connecting to the merchant local network 105 .
- the customer’s account settings are updated at the merchant computing system 120 .
- the directory information stored at the merchant network agent 110 may also be stored at the merchant computing system 120 or an external server.
- the directories at various other network agents (e.g., similar to the merchant network agent 110 ) affiliated with the merchant are also similarly updated. As such, when the customer seeks to access additional local networks associated with the merchant (e.g., at a location different from the location of the merchant local network 105 ), the customer is also prompted to input a shared secret.
- the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to register for an account by providing identifying information (e.g., name, address, phone number, etc.). Additionally, the customer may also be prompted to provide payment information. Such identifying information may be transmitted by the merchant network agent 110 to the merchant computing system 120 , which generates (e.g., via the account management circuit 128 ) a customer account and stores the identifying information in association with the account.
- the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to download an application (e.g., the merchant client application 144 ).
- the customer may establish a set of login credentials for the new account.
- the customer may register a payment account (e.g., a credit account or a debit account) within the application.
- the registered payment account may be used to fund the customer’s account, enabling the customer to engage in transactions at the merchant using the customer account via the application.
- the linking of a customer payment account to the customer’s account at the merchant enables the merchant to link future customer purchases with the customer’s account.
- information regarding such transactions may be stored at the merchant computing system 120 (e.g., at the customer database 124 ) in relation to the customer’s account.
- upon the customer establishing an account at the merchant, the customer is authorized to fully access the merchant local network 105 (e.g., during a time period after the request to connect to the merchant local network 105 was received at 202 ). For example, the customer may be prompted to input a password or the like that has been pre-established at the merchant. Alternatively, the customer may be automatically permitted to access the merchant local network 105 upon establishment of the customer’s account.
- the merchant network agent 110 assigns an IP address to the customer computing device 140 and stores the IP address in relation to a unique identifier (e.g., MAC address) received in previous communications with the customer computing device 140 . As such, the same IP address may be assigned to the customer computing device 140 when the customer requests to access the merchant local network in the future.
- data regarding a customer transaction is received.
- the customer may utilize the merchant client application 144 on the customer computing device 140 to engage in a transaction at the merchant.
- the merchant client application 144 may include a mobile payment capability that provides customer payment credentials to the merchant computing system 120 .
- the merchant client application may generate a QR code having information regarding the customer account encoded thereon for presentation to a scanner included in the merchant I/O device 130 .
- the merchant computing system 120 (e.g., via the transaction circuit 126 ) deducts funds from the customer’s account and stores information regarding the transaction in association with the customer’s account in the customer database 124 .
- the account management circuit 128 may establish a parameter of the transaction as a shared secret network authentication credential for the customer.
- the account management circuit 128 may select a parameter of the transaction and transmit the parameter to the merchant network agent 110 for storage in a device directory (e.g., in association with the IP address previously assigned to the customer computing device 140 ).
- the merchant network agent 110 prompts the customer to input information regarding the selected parameter (e.g., via an interface similar to the interface 400 discussed above).
- the method 500 may be performed by the merchant network agent 110 (e.g., via the network control circuit 114 ) to provide a customer with access to the merchant local network 105 .
- a request to connect to the merchant local network 105 is received.
- the customer computing device 140 may indicate a preference to connect to merchant local network 105 .
- the customer computing device 140 may establish a communications channel with the merchant network agent 110 via any established protocol and provide a network connection request to the merchant network agent 110 .
- the customer computing device 140 is identified based on the received request.
- the request to connect to the merchant local network 105 received by the merchant network agent 110 includes an identifier (e.g., MAC address) associated with the network interface 142 of the customer computing device 140 .
- this identifier may be stored in a device directory of the merchant network agent 110 .
- the network control circuit 114 may identify the customer computing device 140 based on the request received at 502 via the directory.
- a shared secret network authentication credential for the customer computing device 140 is determined.
- the network control circuit 114 retrieves a pre-established shared secret credential from the memory of the merchant network agent 110 .
- the merchant computing system 120 performs a process to provide shared secret credentials to the merchant network agent 110 .
- the merchant computing system 120 may periodically retrieve data from the customer database 124 that is associated with customers who have registered for a shared secret credential (e.g., via the method 200 discussed above), select a parameter regarding a recent customer transaction (e.g., a customer transaction within a predetermined time period), and provide information regarding the parameter to the merchant network agent 110 for storage in association with the customer computing device 140 in the device directory.
- each time the customer engages in a transaction with the merchant via a customer account established at the merchant, the merchant computing system 120 undergoes a process to update the customer’s shared secret network authentication credential. This way, an aspect of the customer’s most recent transaction at the merchant is always used as the shared secret, and the customer is most likely to remember various aspects of the transaction.
- the account management circuit 128 selects an aspect of the transaction and transmits data regarding that aspect to the merchant network agent 110 in association with a customer account identifier.
- the merchant network agent 110 updates an entry in the directory of devices associated with the customer computing device 140 . This way, upon receipt of a connection request from the customer computing device 140 , the merchant network agent 110 retrieves the shared secret.
- the shared secret credential is updated. Accordingly, the merchant network agent 110 may store information regarding recent transactions of the customer, or the merchant network agent 110 may query the customer database 124 of the merchant computing system 120 in response to receiving the connection request from the customer computing device 140 for information regarding recent transactions of the customer. From the information regarding recent transactions of the customer, the network control circuit 114 may select an aspect of a recent customer transaction to establish as the shared secret credential.
- the merchant network agent 110 in response to receiving the connection request, requests the merchant computing system 120 to formulate a customer shared secret credential.
- the merchant computing system 120 retrieves customer account information from the customer database 124 , selects an aspect of a customer transaction to utilize as a shared secret, and transmits the shared secret to the merchant network agent 110 .
- the customer is queried regarding the shared secret.
- the merchant network agent 110 transmits an authorization packet to the customer computing device 140.
- the authorization packet may cause an interface (e.g., similar to the interface 400 discussed in relation to FIG. 4) to be presented to the customer that instructs the customer to input information regarding an aspect of a recent customer transaction or interaction with the merchant.
- the interface may present the customer with a plurality of choices, with one of the choices describing an aspect of the recent customer transaction. Alternatively, the interface may request the customer to manually input a response to the query.
- the network control circuit 114 determines if the customer-input response matches the customer shared secret credential for the purpose of authenticating the connection request.
- the customer-input response may be within a predetermined threshold of the actual shared secret to authenticate the customer. For example, if the customer shared secret corresponds to an amount of a recent customer transaction, then the network control circuit 114 may compare a customer-input response to an actual amount of a previous customer transaction. If the customer-input response is within a threshold of the actual amount, the customer may be authenticated. In some situations, the customer-input response must exactly match an aspect of a previous customer transaction in order for the customer to be authenticated. For example, if the customer shared secret is the identity of a product, then the customer must input the correct product name in order to be authenticated.
- the connection request is denied at 512 .
- the customer is prevented from having full access to the merchant local network 105.
- the connection request is authorized at 514.
- the customer computing device 140 is able to communicate data over the network 150 via a connection with the merchant local network 105.
- Because the shared secret credential involves an actual transaction of the customer at the merchant, the customer is able to ascertain the legitimacy of the merchant local network 105. This way, it is difficult for fraudsters to emulate the authentication processes described herein, as fraudsters will not have access to data regarding customer accounts at the merchant.
- circuit may include hardware structured to execute the functions described herein.
- each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein.
- the circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc.
- a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.”
- the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein.
- a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.
- the “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices.
- the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors.
- the one or more processors may be embodied in various ways.
- the one or more processors may be constructed in a manner sufficient to perform at least the operations described herein.
- the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory).
- the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors.
- two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution.
- Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory.
- the one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc.
- the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
- An exemplary system for implementing the overall system or portions of the embodiments might include general purpose computing devices in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit.
- Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc.
- the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc.
- the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media.
- machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.
- Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.
- the term “input device,” as described herein, may include any type of input device or input devices including, but not limited to, a keyboard, a keypad, a mouse, joystick, or other input devices capable of performing a similar function.
- the term “output device,” as described herein, may include any type of output device or output devices including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices capable of performing a similar function.
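The device-directory lookup, credential selection and threshold/exact comparison described in the connection-authorization steps above can be sketched as follows. This is an added Python example, not code from the patent; the class and function names, the 7-day window, the 0.50 tolerance and the sample records are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal, InvalidOperation

# Assumed policy values; the patent only says "predetermined".
RECENT_WINDOW = timedelta(days=7)
AMOUNT_TOLERANCE = Decimal("0.50")


@dataclass(frozen=True)
class Transaction:
    completed_at: datetime
    amount: Decimal
    product: str


@dataclass(frozen=True)
class Credential:
    aspect: str  # "amount" (threshold match) or "product" (exact match)
    value: str


class DeviceDirectory:
    """Device directory: MAC address -> transactions of the associated customer."""

    def __init__(self):
        self._entries = {}

    def record(self, mac, txn):
        self._entries.setdefault(mac.lower(), []).append(txn)

    def select_credential(self, mac, aspect, now):
        """Use an aspect of the most recent transaction inside the window."""
        recent = [t for t in self._entries.get(mac.lower(), [])
                  if timedelta(0) <= now - t.completed_at <= RECENT_WINDOW]
        if not recent:
            return None
        latest = max(recent, key=lambda t: t.completed_at)
        value = str(latest.amount) if aspect == "amount" else latest.product
        return Credential(aspect, value)


def _normalize(text):
    # Case and whitespace differences should not fail an otherwise exact answer.
    return " ".join(text.casefold().split())


def verify_response(cred, response):
    """True only if the customer-input response matches the shared secret."""
    if cred is None:
        return False  # unknown device or no recent purchase: deny
    if cred.aspect == "amount":
        try:
            guess = Decimal(response.strip().lstrip("$"))
        except InvalidOperation:
            return False
        if not guess.is_finite():
            return False  # reject "NaN" / "Infinity" before comparing
        return abs(guess - Decimal(cred.value)) <= AMOUNT_TOLERANCE
    # Product identity must match exactly; compare without early exit.
    return hmac.compare_digest(_normalize(response).encode(),
                               _normalize(cred.value).encode())


def authorize(directory, mac, aspect, response, now):
    """Return 'authorized' (step 514) or 'denied' (step 512)."""
    cred = directory.select_credential(mac, aspect, now)
    return "authorized" if verify_response(cred, response) else "denied"


def build_demo_directory(now):
    """Constructed sample data: one device with a recent and a stale purchase."""
    d = DeviceDirectory()
    mac = "AA:BB:CC:DD:EE:01"  # constructed identifier
    d.record(mac, Transaction(now - timedelta(days=30), Decimal("12.00"), "Bagel"))
    d.record(mac, Transaction(now - timedelta(days=1), Decimal("4.75"), "Large Latte"))
    return d, mac


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)
    directory, mac = build_demo_directory(now)
    for aspect, answer in [("amount", "$4.50"), ("amount", "5.50"),
                           ("product", "large latte"), ("product", "Bagel")]:
        print(aspect, repr(answer), "->", authorize(directory, mac, aspect, answer, now))
```

The stale 30-day-old purchase is never selected, so an answer that was correct for an older transaction is denied once a newer one exists.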
Abstract
A computing system can associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer, transmit a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, authenticating, by the computing system, the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
Description
- This application is a continuation of U.S. Pat. No. 11,583,024, titled “SYSTEMS AND METHODS FOR NETWORK AUTHENTICATION WITH A SHARED SECRET,” filed Jan. 24, 2022, which application is a continuation of U.S. Pat. No. 11,233,634, titled “SYSTEMS AND METHODS FOR NETWORK AUTHENTICATION WITH A SHARED SECRET,” filed Jun. 23, 2017, the contents of which are hereby incorporated by reference in their entirety and for all purposes as if completely and fully set forth herein.
- One common avenue for fraudsters to steal private information of other individuals is through a so called “evil twin” network. In such a scheme, the fraudster establishes a network access point (e.g., a mobile hotspot) in a location associated with a legitimate network (e.g., a network associated with a merchant). The fraudster configures the access point to mimic the legitimate network (e.g., in name and appearance). Individuals connect to the fraudulent network and communicate private information (e.g., payment credentials) with various other entities. The fraudster intercepts these communications and gains access to the private information. Thus, it would be beneficial to provide a system that diminishes the efficacy of such schemes.
- An embodiment relates to a computer-implemented method. The method can include associating, by a computing system associated with a merchant, a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving, by the computing system, the first request to connect to the network provided by the merchant from the customer device after completion of the purchase, selecting, by the computing system, the financial transaction based on the predetermined time period and the merchant, transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving, by the computing system, a customer-input response to the first query, authenticating, by the computing system, the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
- Another embodiment relates to a computing system. The computing system can include a network interface enabling the computing system to exchange information over a network provided by the merchant, a customer database configured to store information pertaining to a plurality of customer purchases of a plurality of customers, wherein the customer purchases are from the merchant, and a processing circuit configured to associate a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receive, by the network interface, the first request to connect to the network from the customer device after completion of the first purchase, select the financial transaction based on the predetermined time period and the merchant, transmit, by the network interface, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receive, by the network interface, a customer-input response to the first query, authenticate the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorize connection of the customer device to the network based at least in part on the first request being authenticated.
- Another embodiment relates to a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by a computing system, causes the computing system to perform operations to authorize a request to connect to a network. The operations can include associating a customer device of a customer with a financial transaction record and the merchant, the financial transaction record indicative of a first purchase from the merchant by the customer and completed a predetermined period of time prior to a first request to connect to a network provided by the merchant, receiving the first request to connect to a network from the customer device after completion of the first purchase, selecting the financial transaction based on the predetermined time period and the merchant, transmitting a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of the financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant, receiving a customer-input response to the first query, authenticating the first request by determining that the customer-input response to the first query corresponds to the established aspect of the first purchase in accordance with a predetermined accuracy threshold, and authorizing connection of the customer device to the network based at least in part on the first request being authenticated.
- The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the disclosure will become apparent from the description, the drawings, and the claims.
- FIG. 1 is a block diagram of a network security system, according to an example embodiment.
- FIG. 2 is a flow diagram of a method of establishing a shared secret network authentication credential with a customer, according to an example embodiment.
- FIG. 3 is a network security user interface, according to an example embodiment.
- FIG. 4 is another network security user interface, according to an example embodiment.
- FIG. 5 is a flow diagram of a method of authorizing a network connection request, according to an example embodiment.
- Before turning to the figures, which illustrate example embodiments, it should be understood that the application is not limited to the details or methodology set forth in the following description or illustrated in the figures. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.
- Referring generally to the figures, systems and methods for authenticating a customer request to connect to a network are shown, according to various example embodiments. In particular, the figures include a merchant computing system associated with a merchant. A customer may engage in a transaction at the merchant and also seek to connect to a network (e.g., a local network established via a Wi-Fi connection) provided by the merchant. Such a pattern of interactions between the customer and the merchant creates an opportunity to enhance the security of the customer’s private information. More specifically, the merchant computing system enables the customer to establish a shared secret as a network authentication credential. The shared secret may be generated based on the relationship (e.g., past financial or non-financial transactions) between the customer and the merchant. This way, if the customer seeks to connect to a network at the merchant and is not asked for the shared secret, the customer is aware of a potentially fraudulent scheme. Therefore, systems and methods disclosed herein enable mutual (two-way) authentication between the customer and the merchant. As such, the systems and methods disclosed herein facilitate enhanced security of private customer information.
- The embodiments and implementations of the systems and methods disclosed herein improve current network authentication systems by enabling customers to establish dynamic authentication credentials for networks at specific locations. For example, on an airline, the customer’s seat number may be established as a network authentication credential. Such credentials make it much more difficult for fraudsters to emulate networks provided at various merchants. If the customer is not asked for the credential when attempting to access the network, then the customer is made aware of the potential for fraud.
- Additionally, the systems and methods disclosed herein provide a unique solution to the problem of establishing a shared secret credential between a customer and a merchant. Specifically, the systems and methods disclosed herein utilize information regarding a first service provided by the merchant to a customer (e.g., the sale of a product) to authenticate the customer with respect to a second service (e.g., connection to a local network) provided by the merchant to the customer. Use of such information provides benefits over current authentication systems. Because information regarding the first service provided to the customer is readily and uniquely available to the merchant (e.g., information regarding customer purchases may be stored at a computing system associated with a merchant), the merchant may pre-emptively establish information regarding the first service to authenticate the customer with respect to the second service. Thus, when the customer seeks to utilize the second service, a shared secret credential including information known or readily available may be available for use in authenticating the customer. This is a benefit over current systems, which may require the customer to obtain information (e.g., read a unique code) prior to a shared-secret credential being established. As such, the systems and methods disclosed herein provide efficiency and security benefits and a more convenient customer experience over current systems.
- Additionally, because the first service provided by the merchant to the customer is not necessarily tied to the second service, the systems and methods disclosed herein provide for greater flexibility in terms of customer authentication processes than provided by current systems. In an example, for a first customer utilization of the second service, the merchant may select data regarding a first customer transaction as a shared secret credential. For a second customer utilization of the second service, the merchant may select data regarding a second customer transaction. In this example, the first and second customer transactions may occur in any order (e.g., the second customer transaction may occur prior to the first customer transaction). Due to this flexibility, the merchant may regularly update the customer’s shared secret credential, even if no additional information regarding the customer becomes available between customer utilizations of the second service. Such updating further enhances the security of customer information. Thus, the systems, methods, and computer implementations disclosed improve current network security methods by providing functionalities that are novel and non-obvious over current systems.
- Referring now to
FIG. 1 , a block diagram of anetwork security system 100 is shown according to an example embodiment. As described in further detail below, thenetwork security system 100 facilitates enhanced security of a merchantlocal network 105 by establishing a shared secret between a customer and a merchant as a network authentication credential. Thenetwork security system 100 includes amerchant network agent 110 and amerchant computing device 120, both associated with a merchant, and acustomer computing device 140 associated with a customer. Various components of thenetwork security system 100 may be configured to communicate over thenetwork 150. Thenetwork 150 is a data exchange medium, which may include wireless networks (e.g., cellular networks, Bluetooth®, WiFi, Zigbee®, etc.), wired networks (e.g., Ethernet, DSL, cable, fiber-based, etc.), or a combination thereof. In some embodiments, thenetwork 150 includes the internet. - The
merchant network agent 110 is a device associated with the merchant and configured to generate the merchantlocal network 105 through being communicatively coupled to thenetwork 150. In various embodiments, the merchant may be any entity that provides any sort of product or service to customers. For example, the merchant may be a financial institution, a brick-and-mortar merchant (e.g., a restaurant or a coffee shop), an airport, or any other entity.Merchant network agent 110 may include any device capable of establishing a connection and communicating data with an external device. In some arrangements, themerchant network agent 110 includes a wireless router configured to communicate information over thenetwork 150 and generate wireless signals that are broadcasted to create the merchantlocal network 105. - The
merchant network agent 110 is shown to include a widearea network interface 112 which enables thenetwork agent 110 to exchange data over thenetwork 150, anetwork control circuit 114, and anaccess point 116. Theaccess point 116 is configured to broadcast a wireless network signal capable of being received by external computing devices (e.g., themerchant computing system 120, thecustomer computing device 140, etc.) to facilitate the connection of the external computing devices to create the merchantlocal network 105. In some arrangements, the wireless network signal broadcasted by theaccess point 116 may generate a wireless personal area network (WPAN), and include, for example, a Bluetooth® radio signal or infrared signal. In some arrangements, the wireless network includes a WiFi signal, a WiMAX signal, wireless WAN signal, or the like. - The wireless network signal broadcasted by the
merchant network agent 110 is received by other computing devices, such as thecustomer computing device 140 andmerchant computing system 120. Upon receiving the wireless network signal from thenetwork agent 110, the other devices may be authenticated by the methods disclosed herein to gain complete access to the merchantlocal network 105. For example, upon authenticating a customer via thecustomer computing device 140, encryption keys may be exchanged between thecustomer computing device 140 and themerchant network agent 110 enabling thecustomer computing device 140 to exchange information with additional computing systems. In some embodiments, themerchant network agent 110 provides external devices with access to an external network (e.g., the network 150). - In various embodiments, the wireless network signal broadcasted by the
access point 116 includes a unique identifier associated with the merchantlocal network 105. In an example embodiment, the unique identifier includes a name of the merchantlocal network 105, which may be associated with the name of the merchant. As such, upon external devices, such as thecustomer computing device 140, receiving the signal from theaccess point 116, thecustomer computing device 140 may display the name of the merchantlocal network 105 to the customer and enable the customer to request to establish a connection with the merchantlocal network 105. Such an arrangement creates an opportunity for fraudsters to steal private information, as fraudsters may create networks having a unique identifier that mimics the unique identifier associated with the merchantlocal network 105. - The
network control circuit 114 is configured to manage connections between themerchant network agent 110 and various other external devices. In this regard, thenetwork control circuit 114 may include an authentication circuit (not shown) configured to authenticate requests to connect to the merchantlocal network 105 received from external devices. In an example embodiment, in response to themerchant network agent 110 receiving a request to connect to the merchantlocal network 105 from a requestor, themerchant network agent 110 transmits an authentication packet to thecustomer computing device 140 via thenetwork control circuit 114. The authentication packet requests at least one authentication credential (e.g., a password) from the requestor. Upon receiving a requestor-input response to the authentication packet, thenetwork control circuit 114 may compare the requestor-input response to a stored value and authenticate the request if a match is found. According to the systems and methods disclosed herein, the password may be a shared secret credential established for the customer based on a pre-existing relationship between the customer and merchant (e.g., a customer account). In some embodiments, the password may be based on a credential associated with a payments platform utilized by the customer to pay the merchant. For example, thenetwork control circuit 114 may request mobile wallet credentials associated with a mobile wallet of the customer, and thenetwork control circuit 114 may initiate communications with a mobile wallet computing system associated with the provider of the customer’s mobile wallet to verify that customer-input mobile wallet credentials match credentials stored at the mobile wallet computing system (e.g., the mobile wallet computing system may verify the customer-input credentials and notify themerchant network agent 110 of the verification). - In some embodiments, the
network control circuit 114 is configured monitor the various devices that are connected to the merchantlocal network 105. For example, when thecustomer computing device 140 first establishes a connection with themerchant network agent 110, themerchant network agent 110 may assign an IP address to thecustomer computing device 140 via the Dynamic Host Configuration Protocol (DHCP). Under such a protocol, themerchant network agent 110 may select an IP address from a pool of IP addresses stored at themerchant network agent 110 forcustomer computing devices 140 and temporarily or permanently assign the selected IP address to thecustomer computing device 140. In some arrangements, a network interface (e.g., the network interface 142) of thecustomer computing device 140 has a unique identifier (e.g., a MAC address) associated therewith. Communications between thecustomer computing device 140 and themerchant network agent 110 may include the unique identifier. As such, thenetwork control circuit 114 may maintain a log of the various IP addresses assigned based on such unique identifiers. This way, based on the IP addresses currently assigned by themerchant network agent 110, themerchant network agent 110 may identify the specific external devices (and the identities of the customers associated therewith) connected to the merchantlocal network 105. - In some embodiments, the
network control circuit 114 is configured to operate in concert with themerchant computing system 120 to authenticate requests to connect to the merchantlocal network 105. For example, in some embodiments, thenetwork control circuit 114 receives data indicative of interactions (e.g., transactions) between the customer and the merchant, and establishes the received data as a network authentication credential for the customer. In some embodiments, thenetwork control circuit 114 maintains an authentication credential directory. Such a directory may include a number of entries associated with various devices that have connected to the merchantlocal network 105. In an example, each entry is associated with a MAC address of an external device. The entries may include information regarding a plurality of transactions engaged in by the customer associated with the device. Using this stored information, thenetwork control circuit 114 may generate a temporary network authentication credential used to authenticate thecustomer computing device 140 prior to authorizing connection of the external device to the merchantlocal network 105. - In an example, the customer purchases a product (e.g., a cup of coffee) at a merchant. In making such a purchase, the customer may provide payment information to the merchant (e.g., via the merchant computing system 120). Such payment information may include, for example a customer account number at a financial institution. The
merchant computing system 120 may provide the received payment information to the merchant network agent 110. Alternatively or additionally, the merchant computing system 120 may transmit additional information (e.g., an identity of the purchased product, the amount of the purchase, the timing of the transaction, etc.) to the merchant network agent 110.

Upon receipt of such information regarding the customer purchase, the
network control circuit 114 may establish an aspect of the data received from the merchant computing system 120 as a network authentication credential for the customer. To do this, the network control circuit 114 may first associate the received information regarding the purchase with an entry in the directory of network authentication credentials discussed above. For example, the directory may include a lookup table that matches portions of customer payment information (or information associated with an account of the customer at the merchant) to a particular external device (e.g., the customer computing device 140). As such, upon receipt of the customer payment information from the merchant computing system 120, the merchant network agent 110 may associate the information regarding the customer purchase with the customer computing device 140. After the association, the network control circuit 114 may select an aspect of the purchase information (e.g., a transaction amount, a product identity, etc.) to establish as a network authentication credential for the customer.

In some embodiments, the
network control circuit 114 selects an aspect of the purchase data as an authentication credential upon receipt of a request to connect to the merchant local network 105 from the customer computer device 140. For example, based on a MAC address received from the customer computing device 140, the network control circuit 114 selects an aspect of the purchase data stored in the network authentication credential directory. In some embodiments, the network control circuit 114 establishes an aspect of the purchase data as an authentication credential prior to receiving a connection request from the customer computer device 140. This way, upon receipt of a connection request from the customer computer device 140, the merchant network agent 110 retrieves the established credential and compares it to any responses provided by the customer. In some embodiments, the merchant network agent 110 updates the authentication credential associated with the customer computing device 140 each time a connection request is received from the customer computing device 140. In some embodiments, the network control circuit 114 periodically (e.g., weekly) updates the authentication credential associated with the customer computing device 140.

In some embodiments, rather than receiving information regarding customer transactions from the
merchant computing system 120, the network control circuit 114 is configured to transmit a notification signal to the merchant computing system 120 upon receipt of a connection request from the customer computing device 140. In such embodiments, the merchant computing system 120 may authenticate the connection request or provide an authentication credential to the merchant network agent 110.

In some embodiments, the
network control circuit 114 is configured to establish accounts for customers who connect to the merchant local network but do not yet have accounts with the merchant. For example, the network control circuit 114 may determine if a particular customer has an account with a merchant based on communications with the customer computing device 140. For example, if the directory maintained in the merchant network agent 110 does not contain a MAC address associated with the customer computing device 140, the network control circuit 114 may determine that the customer does not have an account (or at least that the customer computing device 140 is not associated with the customer’s account). In such cases, the merchant network agent 110 may transmit a registration packet to the customer computing device 140. The registration packet may prompt the customer to indicate a preference to establish a shared secret authentication credential for accessing the merchant local network 105.

In some embodiments, in response to the customer indicating a preference to establish a shared secret credential, the merchant network agent 110 (or the
merchant computing system 120 or an external server) may transmit an application (e.g., the merchant client application 144 described below) to the customer computing device 140. The application may enable the customer to register payment accounts with the merchant computing system 120. As such, when the customer uses the registered payment accounts to engage in a transaction at the merchant, the merchant computing system 120 is able to tie the transactions to a particular customer account and render information regarding the transactions usable as an authentication credential for the merchant local network 105. Additionally, the application may enable the customer to view information regarding previous transactions at the merchant, thus facilitating the use of such information as a network authentication credential.

Still referring to
FIG. 1, the merchant computing system 120 is a computing system associated with the merchant. In the example shown, the merchant computing system 120 includes a network interface 122 which enables the merchant computing system 120 to communicate data over the merchant local network 105, a customer database 124, a transaction circuit 126, an account management circuit 128, and a merchant input/output (“I/O”) device 130. The merchant I/O device 130 includes hardware and associated logics configured to enable the merchant computing system 120 to exchange information with a customer and other merchant personnel. An input aspect of merchant I/O device 130 allows various users to provide information to the merchant computing system 120 and may include, for example, a mechanical keyboard, a touchscreen, a microphone, a camera, a fingerprint scanner, any user input device engageable to the merchant computing system 120 via a USB, serial cable, Ethernet cable, and so on. In some embodiments, the merchant I/O device 130 includes a point of sale (POS) device (e.g., a card reader or the like) configured to receive customer payment information from a payment card or mobile wallet presented by the customer to make a purchase at the merchant.

An output aspect of the merchant I/O device 130 allows users to receive information from the merchant computing system 120 and may include, for example, a digital display, a speaker, illuminating icons, LEDs, and so on. In some embodiments, the merchant I/O device 130 includes radio frequency transceivers (e.g., RF or NFC-based transceivers) and other short range wireless transceivers (e.g., Bluetooth™, laser-based data transmitters, etc.) configured to communicate data with external devices such as the customer computing device 120. For example, via such transceivers, the customer may make a payment for a purchase via a mobile wallet.

In some embodiments, the merchant I/O device 130 includes a barcode or QR code scanner configured to gather information from various codes presented to the merchant computing system 120 by the customer. For example, at the time of a customer purchase, the customer may present a product to be purchased to an attendant at the merchant computing system 120. In response, the attendant may scan a barcode attached to the product, causing the merchant computing system 120 (e.g., via the transaction circuit 126) to retrieve information regarding the product and present the information (e.g., a price) to the customer via a display device of the merchant I/O device 130.

In some embodiments, such a scanner enables the customer to make payments for purchases at the merchant. For example, the customer may have an account with the merchant, and have installed an application (e.g., the merchant client application 144) on the
customer computing device 140, enabling the customer to fund the account. The application may enable the customer computing device 140 to generate a QR code to make a payment for a purchase. In response to scanning the QR code, the merchant computing system 120 may deduct the purchase amount from the customer’s account.

The
customer database 124 is configured to store information regarding accounts associated with a number of customers of the merchant. Customer account information may include, for example, customer identifying information, customer login information (e.g., usernames, passwords, and the like), payment information (e.g., credit or debit card numbers, bank account numbers, mobile wallet account numbers or addresses, etc.), customer account preferences (e.g., addresses, payment methods), and customer history information (e.g., transaction histories). Additionally, customer account information stored at the customer database 124 may also include information regarding the customer computing device 140. For example, the customer database 124 may include information regarding IP addresses assigned to the customer computing device 140 by the merchant network agent 110. Additionally, the customer database 124 may store network authentication credentials established for the customer.

The
account management circuit 128 is configured to manage customer accounts at the merchant. In this regard, in some embodiments, the account management circuit 128 is configured to assign data regarding various transactions via the merchant computing system 120 to customer accounts. In this regard, upon the customer providing payment information (e.g., a primary account number associated with a customer payment account at a financial institution) to the merchant computing system 120, the account management circuit 128 may query the customer database 124 to determine if the customer input account information has been previously associated with an account established by the customer. If so, the account management circuit 128 may store data regarding the transaction (e.g., product purchased, transaction amount, transaction timing, location, etc.) in a transaction entry associated with an identified account. In some embodiments, in the event that a customer makes a payment using funds of an account held by the customer at the merchant (e.g., via the QR code discussed above), the account management circuit 128 may update the customer’s account funding balance to reflect the payment.

In some embodiments, the
account management circuit 128 is configured to transmit customer transaction data to an external server that provides an application (e.g., the merchant client application 144) to the customer computing device 140. For example, upon identifying that a particular transaction is associated with the customer’s account, the account management circuit 128 may formulate an information packet identifying the customer’s account, including the transaction information for transmittal to the external computing system over the network 150. After this information is transmitted to the external system, the customer may view the transaction by accessing the merchant client application 144. As such, if an aspect of the transaction is later used (e.g., by the merchant network agent 110) as a network authentication credential but the customer forgets the transaction, then the customer is able to view the transaction in the merchant client application 144 prior to entering the credential.

In some embodiments, the
account management circuit 128 is configured to manage customer network authentication credentials. In this regard, the account management circuit 128 may be configured to transmit data stored in association with a customer account to the merchant network agent 110, which may establish a subset of the data as a user network authentication credential via the methods discussed above.

In some embodiments, the
account management circuit 128 is configured to establish customer network authentication credentials. In this regard, the account management circuit 128 may select a subset of transaction information stored in association with a customer’s account in the customer database 124 to establish as a customer network authentication credential. In some embodiments, the selection is based in part on previous customer network authentication credentials. For example, the account management circuit 128 may maintain a log of customer network authentication credentials used at various times and update the customer’s authentication credential (e.g., to correspond to a different transaction of the customer or a different aspect of a transaction). If the customer’s current network authentication credential has been used for more than a predetermined period, for example, the account management circuit 128 may select a subset of data among data describing the customer’s most recent transactions at the merchant for establishment as a network authentication credential.

To establish the selected data as a customer network authentication credential, the
account management circuit 128 may cause the merchant computing system 120 to transmit the credential to the merchant network agent 110. The merchant network agent 110 may store the credential in association with the customer computing device 140 (e.g., based on a MAC address) such that, when the next request to connect to the merchant local network 105 is received from the customer computing device 140, the customer is required to input information regarding a previous transaction to access the merchant local network 105. It should be understood that, according to various embodiments, the shared secret can be used for authentication using any of various methods such as challenge-response or it can be used as an input to a key derivation function to produce one or more keys to use for encrypting and/or MACing messages.

The
transaction circuit 126 is configured to formulate transaction requests associated with various purchases of the customer. As such, the transaction circuit 126 is communicably coupled to the merchant I/O device 130, customer database 124, and network interface 122. For example, upon receiving customer payment information regarding a customer purchase, the transaction circuit 126 determines a total transaction amount (e.g., based on the identity of the product being purchased), bundles the total with the customer payment information to make a transaction request, and transmits the transaction request to a financial institution (e.g., associated with a customer payment card or mobile wallet) over the network 150. The financial institution may authorize the transaction and provide an indication of the authorization to the merchant computing system 120 over the network 150.

Still referring to
FIG. 1, the customer computing device 140 is a computing device associated with a customer. The customer computing device 140 may be used by the customer to connect to the merchant local network 105. The customer computing device 140 includes one or more processors and non-transitory storage mediums housing one or more logics configured to enable the customer computing device 140 to exchange data over the network, execute software applications, access websites, generate graphical customer interfaces, and perform other operations. Examples of the customer computing device 140 include a personal computer (e.g., desktop or laptop computer), smartphones, tablets, wearable computing devices (e.g., a smartwatch), and the like. The customer computing device 140 may be configured to enable the customer to communicate information (e.g., transaction information) to the merchant computing system 120.

In the example shown, the
customer computing device 140 includes a customer network interface 142 enabling the customer computing device 140 to exchange data over the network 150, a merchant client application 144, and a customer I/O device 146. The customer I/O device 146 includes hardware and associated logics configured to enable the customer computing device 140 to exchange information with a customer (e.g., via hardware and associated logics similar to that discussed above with respect to the merchant I/O device 130).

The
merchant client application 144 is structured to provide various displays on the customer computing device 140 that enable the customer to view information regarding various transactions engaged in by the customer at the merchant. Additionally, the displays may also enable the customer to register payment cards (e.g., debit cards, credit cards, and the like) with the merchant, and to fund a customer account at the merchant so as to enable the customer to engage in transactions at the merchant via the merchant client application 144 (e.g., via a QR code or the like).

In this regard, the
merchant client application 144 may be communicably coupled to the merchant computing system 120 (or another external computing system configured to provide the merchant client application 144 to the customer computing device 140). In some embodiments, the merchant client application 144 is a separate software application implemented on the customer computing device 140. The merchant client application 144 may be downloaded by the customer computing device 140, be hard coded into the memory of the customer computing device 140, or be a web-based interface application such that the merchant client application 144 may provide a web browser to the application, which may be executed remotely from the customer computing device 140. In the latter instance, the customer may have to log onto or access the web-based interface before usage of the application. Further, and in this regard, the merchant client application 144 may be supported by a separate computing system including one or more servers, processors, network circuits, and so on that transmit applications for use to the customer computing device 140. In certain embodiments, the merchant client application 144 includes an application programming interface (API) and/or a software development kit (SDK) that facilitates the integration of other applications with the merchant client application 144.

Referring now to
FIG. 2, a flow chart of a method 200 of establishing a shared secret as a network authentication credential is shown, according to an example embodiment. In various embodiments, the method 200 may be performed by a combination of the merchant network agent 110 (e.g., via the network control circuit 114) and the merchant computing system 120 (e.g., via the account management circuit 128).

At 202, a request to connect to the merchant
local network 105 is received. For example, the customer may bring a customer computer device 140 within the range of the wireless signal broadcasted by the merchant network agent 110 such that the name of the merchant local network 105 shows up on the customer computing device 140 (e.g., as a wireless network option to connect to). The customer may select the name, thereby causing a connection request to be transmitted by the customer computing device 140 to the merchant network agent 110.

At 204, the customer is presented with a network security preference interface. In some embodiments, the
merchant network agent 110 determines if the customer has already established a shared secret network authentication credential based on the connection request received at 202. For example, the network control circuit 114 may query a database with a unique identifier (e.g., MAC address) included in the connection request. If the identifier is not in the database, the network control circuit 114 may determine that the customer has not established a shared secret network authentication credential and transmit a registration packet to the customer computing device 140. The registration packet may cause the customer computing device 140 (e.g., via a web browser) to present the customer with an interface enabling the customer to indicate a preference to establish the shared secret credential.

Referring now to
FIG. 3, a network security interface 300 is shown, according to an example embodiment. In some embodiments, the interface 300 is presented to a customer upon the customer requesting to connect to the merchant local network 105. For example, upon receiving a customer request to connect to the merchant local network 105, the merchant network agent 110 may query a database for entries regarding the customer computing device 140. If no entries are found (e.g., if no shared secret network credential has been established for the customer computing device 140), then the merchant network agent 110 transmits an authorization packet to the customer computing device 140, which presents the interface 300 to the customer.

The
interface 300 includes a username entry field 302, a password field 304 and a shared secret preference window 304. The username entry field 302 and password entry field 304 are configured to receive customer-input network credentials. Upon the customer inputting a credential into the credential entry field 302, the customer-input password may be transmitted to the merchant network agent 110, which may compare the customer-input credentials to a pre-established password for the merchant local network 105. The shared secret preference window 304 is configured to receive a customer input to establish a shared secret network credential for the merchant local network 105 via a customer preference selection button 306. In some embodiments, the shared secret preference window prompts the customer to indicate whether the customer has an account (e.g., a loyalty account) at the merchant. In some embodiments, the interface 300 may prompt the customer to input credentials (e.g., a username and password) associated with an account at the merchant.

Referring again to
FIG. 2, at 206, a customer preference to establish a shared secret network authentication credential is received. For example, the customer may interact with the network security preference interface presented to the customer at 204 in such a way that indicates a customer preference to establish a shared secret network authentication credential.

At 208, upon receiving a customer input to establish a shared secret network credential, the
merchant network agent 110 determines if the customer has established an account with the merchant. In some embodiments, the merchant network agent 110 makes this determination based on an input received from the customer. For example, based on information (e.g., authentication credentials) provided by the customer in response to the authorization packet transmitted to the customer computing device 140 at 206, the merchant network agent 110 may access a directory (e.g., the customer database 124) that includes information regarding various customer accounts. If the information input by the customer matches that of an account stored in the directory, then the merchant network agent 110 may determine that the customer has an account with the merchant. In some embodiments, the merchant network agent 110 maintains such a directory. In some embodiments, the merchant network agent 110 communicates with the merchant computing system 120, which maintains the directory, to determine if the customer has an account.

At 210, if the customer has an account with the merchant, customer account information is retrieved. In some embodiments, based on information received from the customer at 206, the
merchant network agent 110 requests and receives information regarding a customer account from the merchant computing system 120. The requested information may contain information describing various aspects of the customer’s account with the merchant (e.g., information regarding various customer transactions at the merchant). In some embodiments, a database similar to the customer database 124 is maintained at the merchant network agent 110, and the network control circuit 114 retrieves the customer account information based on information received from the customer computing device 140.

At 212, parameters of a prior customer transaction at the merchant are established as an initial shared secret network authentication credential. In this regard, the
network control circuit 114 or merchant computing system 120 may perform a multi-step process to select the credential. First, a prior customer transaction (or prior customer interaction) at the merchant is selected. For example, in some embodiments, the network control circuit 114 selects the most recent transaction engaged in by the customer for establishment as a shared secret network authentication credential. In some embodiments, the network control circuit 114 selects from amongst a number of customer transactions that occurred within a predetermined time period of the customer indicating the preference to establish a shared secret network authentication credential. In some embodiments, rather than the network control circuit 114 selecting the customer transaction, such a selection is performed at the merchant computing system 120 (e.g., via the account management circuit 128).

Upon selecting a customer transaction, the
network control circuit 114 selects a parameter of the selected transaction to establish as the shared secret. In various embodiments, the network control circuit 114 randomly selects from a number of different parameters such as timing, location, transaction amount, and the identity of the product purchased. To establish the selected parameter as the shared secret, the network control circuit 114 may transmit a second authorization packet to the customer computing device 140. The second authorization packet may cause the customer computing device 140 to present an additional interface to the customer. The additional interface may query the customer regarding the selected parameter for the prior customer transaction at the merchant.

Turning now to
FIG. 4, a network security interface 400 is shown, according to an example embodiment. In an example embodiment, the interface 400 may be presented to the customer upon the merchant network agent 110 or the merchant computing system 120 selecting a parameter regarding a prior customer transaction to establish as a shared secret network authentication credential. In the example shown, the interface 400 includes a query window 402 and a submission button 408. The query window 402 contains a description of a prior customer transaction at the merchant as well as the parameter (e.g., product identity) of that transaction that was selected to serve as the customer’s initial shared secret credential. The query window 402 prompts the customer to input information regarding the selected parameter via the data field 406. In some embodiments, the query window includes multiple options, one of which is the parameter selected to serve as the shared secret. The submission button 408 is configured to receive a customer input to transmit a customer-input response to the merchant network agent 110.

In various embodiments, the customer-input response must meet predetermined criteria prior to the customer being authorized to fully access the merchant
local network 105. For example, in some embodiments, the customer-input response must match the selected parameter prior to the customer being authorized to connect to the merchant local network 105. To illustrate, in the example shown in FIG. 4, the customer-input description of a purchased product must match a predetermined merchant description (or one of a number of predetermined merchant descriptions configured to account for customer spelling errors) of the purchased product. In some embodiments, the customer-input response must be within a threshold of the parameter selected to serve as the shared secret. To illustrate, if the amount of a prior customer transaction was selected to serve as the shared secret, the customer-input amount may have to be within a predetermined percentage (e.g., 10% of the actual transaction amount) in order for the customer to be authorized to fully access the merchant local network 105.

In some embodiments, upon the customer initially indicating a preference to establish a shared secret authentication credential for the merchant local network 105 (e.g., at 206), the directory at the
merchant network agent 110 is updated such that the customer will automatically be prompted to input a shared secret prior to connecting to the merchant local network 105. In some embodiments, the customer’s account settings are updated at the merchant computing system 120. For example, the directory information stored at the merchant network agent 110 may also be stored at the merchant computing system 120 or an external server. The directories at various other network agents (e.g., similar to the merchant network agent 110) affiliated with the merchant are also similarly updated. As such, when the customer seeks to access an additional local network associated with the merchant (e.g., at a location different from the location of the merchant local network 105), the customer is also prompted to input a shared secret.

Referring back to
FIG. 2, at 214, if the customer does not have an account at the merchant, then an account is established for the customer. In some embodiments, the merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to register for an account by providing identifying information (e.g., name, address, phone number, etc.). Additionally, the customer may also be prompted to provide payment information. Such identifying information may be transmitted by the merchant network agent 110 to the merchant computing system 120, which generates (e.g., via the account management circuit 128) a customer account and stores the identifying information in association with the account.

In some embodiments, the
merchant network agent 110 transmits a prompt to the customer computing device 140 instructing the customer to download an application (e.g., the merchant client application 144). Within the application, the customer may establish a set of login credentials for the new account. Additionally, the customer may register a payment account (e.g., a credit account or a debit account) within the application. The registered payment account may be used to fund the customer’s account, enabling the customer to engage in transactions at the merchant using the customer account via the application. Additionally, the linking of a customer payment account to the customer’s account at the merchant enables the merchant to link future customer purchases with the customer’s account. As such, upon the customer engaging in a transaction in the future at the merchant using the customer’s account at the merchant, information regarding such transactions (e.g., regarding price, location, timing, product purchased, etc.) may be stored at the merchant computing system 120 (e.g., at the customer database 124) in relation to the customer’s account.

In some embodiments, upon the customer establishing an account at the merchant, the customer is authorized to fully access the merchant local network 105 (e.g., during a time period after the request to connect to the merchant
local network 105 was received at 202). For example, the customer may be prompted to input a password or the like that has been pre-established at the merchant. Alternatively, the customer may be automatically permitted to access the merchant local network 105 upon establishment of the customer’s account. In various embodiments, the merchant network agent 110 assigns an IP address to the customer computing device 140 and stores the IP address in relation to a unique identifier (e.g., MAC address) received in previous communications with the customer computing device 140. As such, the same IP address may be assigned to the customer computing device 140 when the customer requests to access the merchant local network in the future.

At 216, data regarding a customer transaction is received. For example, at a later time, the customer may utilize the
merchant client application 144 on thecustomer computing device 140 to engage in a transaction at the merchant. As discussed above themerchant client application 144 may include a mobile payment capability that provides customer payment credentials to themerchant computing system 120. For example, the merchant client application may generate a QR code having information regarding the customer account encoded thereon for presentation to a scanner included in the merchant I/O device 130. Upon scanning the QR code, the merchant computing system 120 (e.g., via the transaction circuit 126) deducts funds from the customer’s account and stores information regarding the transaction in association with the customer’s account in thecustomer database 124. - At 218, after the transaction is completed, the
account management circuit 128 may establish a parameter of the transaction as a shared secret network authentication credential for the customer. In this regard, theaccount management circuit 128 may select a parameter of the transaction and transmit the parameter to themerchant network agent 110 for storage in a device directory (e.g., in association with the IP address previously assigned to the customer computing device 140). As such, upon the customer requesting to access the merchantlocal network 105 via thecustomer computing device 140 at a later time, themerchant network agent 110 prompts the customer to input information regarding the selected parameter (e.g., via an interface similar to theinterface 400 discussed above). - Referring now to
FIG. 5 , a flow chart of amethod 500 of authorizing a network connection request is shown, according to an example embodiment. In various embodiments, themethod 500 may be performed by the merchant network agent 110 (e.g., via the network control circuit 114) to provide a customer with access to the merchantlocal network 105. - At 502, a request to connect to the merchant
local network 105 is received. For example, while thecustomer computing device 140 is within range of a wireless network signal broadcast by the merchant network agent 110 (e.g., while the customer is at a brick-and-mortar location associated with a particular merchant), the customer may indicate a preference to connect to merchantlocal network 105. In response to the customer indicating such a preference, thecustomer computing device 140 may establish a communications channel with themerchant network agent 110 via any established protocol and provide a network connection request to themerchant network agent 110. - At 504, the
customer computing device 140 is identified based on the received request. In various embodiments, the request to connect to the merchantlocal network 105 received by themerchant network agent 110 includes an identifier (e.g., MAC address) associated with thenetwork interface 142 of thecustomer computing device 140. As discussed above, assuming thecustomer computing device 140 has connected to the merchantlocal network 105 prior to the time of receipt of the network connection request at 502, this identifier may be stored in a device directory of themerchant network agent 110. As such, thenetwork control circuit 114 may identify thecustomer computing device 140 based on the request received at 502 via the directory. - At 506, a shared secret network authentication credential for the
customer computing device 140 is determined. In some embodiments, thenetwork control circuit 114 retrieves a pre-established shared secret credential from the memory of themerchant network agent 110. In some embodiments, themerchant computing system 120 performs a process to provide shared secret credentials to themerchant network agent 110. For example, themerchant computing system 120 may periodically retrieve data from thecustomer database 124 that is associated with customers who have registered for a shared secret credential (e.g., via themethod 200 discussed above), select a parameter regarding a recent customer transaction (e.g., a customer transaction within a predetermined time period), and provide information regarding the parameter to themerchant network agent 110 for storage in association with thecustomer computing device 140 in the device directory. - In some embodiments, each time the customer engages in a transaction with the merchant via a customer account established at the merchant, the
merchant computing system 120 undergoes a process to update the customer’s shared secret network authentication credential. This way, an aspect of the customer’s most recent transaction at the merchant is always used as the shared secret, and the customer is most likely to remember various aspects of the transaction. As such, upon themerchant computing system 120 receiving data regarding a customer transaction (e.g., a payment from the customer via an account with the merchant, the scanning of a customer loyalty card, etc.), theaccount management circuit 128 selects an aspect of the transaction and transmits data regarding that aspect to themerchant network agent 110 in association with a customer account identifier. In response, themerchant network agent 110 updates an entry in the directory of devices associated with thecustomer computing device 140. This way, upon receipt of a connection request from thecustomer computing device 140, themerchant network agent 110 retrieves the shared secret. - In some embodiments, each time the
merchant network agent 110 receives a request from thecustomer computing device 140 to connect to the merchantlocal network 105, the shared secret credential is updated. Accordingly, themerchant network agent 110 may store information regarding recent transactions of the customer, or themerchant network agent 110 may query thecustomer database 124 of themerchant computing system 120 in response to receiving the connection request from thecustomer computing device 140 for information regarding recent transactions of the customer. From the information regarding recent transactions of the customer, thenetwork control circuit 114 may select an aspect of a recent customer transaction to establish as the shared secret credential. - In some embodiments, in response to receiving the connection request, the
merchant network agent 110 requests themerchant computing system 120 to formulate a customer shared secret credential. In response the merchant computing system 120 (e.g., via the account management circuit 128) retrieves customer account information from thecustomer database 124, selects an aspect of a customer transaction to utilize as a shared secret, and transmits the shared secret to themerchant network agent 110. - At 508, the customer is queried regarding the shared secret. In various embodiments, after determining the customer shared secret, the
merchant network agent 110 transmits an authorization packet to thecustomer computing device 140. The authorization packet may cause an interface (e.g., similar to theinterface 400 discussed in relation toFIG. 4 ) to be presented to the customer that instructs the customer to input information regarding an aspect of a recent customer transaction or interaction with the merchant. The interface may present the customer with a plurality of choices, with one of the choices describing an aspect of the recent customer transaction. Alternatively, the interface may request the customer to manually input a response to the query. - At 510, the
network control circuit 114 determines if the customer-input response matches the customer shared secret credential for the purpose of authenticating the connection request. In some embodiments, the customer-input response may be within a predetermined threshold of the actual shared secret to authenticate the customer. For example, if the customer shared secret corresponds to an amount of a recent customer transaction, then thenetwork control circuit 114 may compare a customer-input response to an actual amount of a previous customer transaction. If the customer-input response is within a threshold of the actual amount, the customer may be authenticated. In some situations, the customer-input response must exactly match an aspect of a previous customer transaction in order for the customer to be authenticated. For example, if the customer shared secret is the identity of a product, then the customer must input the correct product name in order to be authenticated. - If the customer-input response does not match the shared secret, then the connection request is denied at 512. As a result, the customer is prevented from having full access to the merchant
local network 105. However, if the customer-input response matches the shared secret, the connection request is authorized at 514. As such, thecustomer computing device 140 is able to communicate data over thenetwork 150 via a connection with the merchantlocal network 105. Additionally, because the shared secret credential involves an actual transaction of the customer at the merchant, the customer is able to ascertain the legitimacy of the merchantlocal network 105. This way, it is difficult for fraudsters to emulate the authentication processes described herein, as fraudsters will not have access to data regarding customer accounts at the merchant. - The embodiments described herein have been described with reference to drawings. The drawings illustrate certain details of specific embodiments that implement the systems, methods, and programs described herein. However, describing the embodiments with drawings should not be construed as imposing on the disclosure any limitations that may be present in the drawings.
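The flow of method 500 above (device lookup at 504, secret retrieval at 506, query at 508, threshold or exact match at 510, deny or authorize at 512/514), together with the per-transaction secret update, as an added Python sketch that is not code from the patent. The class and function names, the 0.50 tolerance, the three-attempt limit, the query wording and the sample values are assumptions made for illustration.

```python
"""Method 500, steps 504-514: directory lookup, query, threshold or exact match."""
import hmac
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional

AMOUNT_THRESHOLD = Decimal("0.50")  # assumption: stands in for the "predetermined threshold"
MAX_ATTEMPTS = 3                    # assumption: attempt limit, not described in the text

PROMPTS = {  # constructed query wording, one per supported transaction aspect
    "amount": "What was the total of your most recent purchase here?",
    "product": "Which product did you buy on your most recent visit?",
}


@dataclass
class DirectoryEntry:
    ip_address: str
    account_id: str
    secret_kind: Optional[str] = None    # "amount" or "product"
    secret_value: Optional[str] = None
    failed_attempts: int = 0


def _norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def _amount_matches(actual: str, response: str) -> bool:
    """Threshold match: accept if |response - actual| <= AMOUNT_THRESHOLD."""
    try:
        guess = Decimal(response.strip().lstrip("$"))
    except InvalidOperation:
        return False
    if not guess.is_finite():            # rejects "NaN" and "Infinity"
        return False
    return abs(guess - Decimal(actual)) <= AMOUNT_THRESHOLD


def _product_matches(actual: str, response: str) -> bool:
    """Exact match after case and whitespace normalisation, compared in constant time."""
    def norm(s: str) -> bytes:
        return " ".join(s.casefold().split()).encode("utf-8")
    return hmac.compare_digest(norm(actual), norm(response))


class NetworkAgent:
    """Plays the role of the merchant network agent and its device directory."""

    def __init__(self) -> None:
        self.directory: Dict[str, DirectoryEntry] = {}

    def register_device(self, mac: str, ip_address: str, account_id: str) -> None:
        self.directory[_norm_mac(mac)] = DirectoryEntry(ip_address, account_id)

    def update_secret(self, account_id: str, transaction: dict, aspect: str) -> None:
        """Step 218 / per-transaction update: store one aspect as the shared secret."""
        if aspect not in PROMPTS:
            raise ValueError(f"unsupported aspect: {aspect}")
        for entry in self.directory.values():
            if entry.account_id == account_id:
                entry.secret_kind = aspect
                entry.secret_value = str(transaction[aspect])
                entry.failed_attempts = 0    # a new secret starts a new attempt budget

    def challenge(self, mac: str) -> Optional[str]:
        """Steps 504-508: identify the device and return the query, or None."""
        # The MAC address is asserted by the client, so it only selects which
        # secret to ask about; it is not itself treated as proof of identity.
        entry = self.directory.get(_norm_mac(mac))
        if entry is None or entry.secret_kind is None:
            return None
        return PROMPTS[entry.secret_kind]

    def verify(self, mac: str, response: str) -> bool:
        """Steps 510-514: True authorizes the connection, False denies it."""
        entry = self.directory.get(_norm_mac(mac))
        if entry is None or entry.secret_kind is None:
            return False
        if entry.failed_attempts >= MAX_ATTEMPTS:
            return False                     # locked until the next transaction
        if entry.secret_kind == "amount":
            ok = _amount_matches(entry.secret_value, response)
        else:
            ok = _product_matches(entry.secret_value, response)
        entry.failed_attempts = 0 if ok else entry.failed_attempts + 1
        return ok


if __name__ == "__main__":
    agent = NetworkAgent()
    # Constructed sample data: device, address, account and transaction are made up.
    agent.register_device("AA:BB:CC:00:11:22", "10.0.0.23", "acct-1001")
    agent.update_secret("acct-1001", {"amount": "12.47", "product": "Oat Latte"}, "amount")
    print(agent.challenge("aa:bb:cc:00:11:22"))
    print(agent.verify("aa:bb:cc:00:11:22", "$12.00"))
```

A transaction amount or product name has little entropy, and the tolerance widens the set of accepted answers further, which is why the sketch caps failed attempts per directory entry.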
- It should be understood that no claim element herein is to be construed under the provisions of 35 U.S.C. § 112(f), unless the element is expressly recited using the phrase “means for.”
- As used herein, the term “circuit” may include hardware structured to execute the functions described herein. In some embodiments, each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein. The circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc. In some embodiments, a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.” In this regard, the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein. For example, a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.
- The “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices. In this regard, the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors. In some embodiments, the one or more processors may be embodied in various ways. The one or more processors may be constructed in a manner sufficient to perform at least the operations described herein. In some embodiments, the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory). Alternatively or additionally, the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors. In other example embodiments, two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution. Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory. The one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc. In some embodiments, the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. 
In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.
- An exemplary system for implementing the overall system or portions of the embodiments might include general purpose computing devices in the form of computers, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc. In some embodiments, the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc. In other embodiments, the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media. In this regard, machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.
- It should also be noted that the term “input device,” as described herein, may include any type of input device or input devices including, but not limited to, a keyboard, a keypad, a mouse, joystick, or other input devices capable of performing a similar function. Comparatively, the term “output device,” as described herein, may include any type of output device or output devices including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices capable of performing a similar function.
- Any foregoing references to currency or funds are intended to include fiat currencies, non-fiat currencies (e.g., precious metals), and math-based currencies (often referred to as cryptocurrencies). Examples of math-based currencies include Bitcoin, Litecoin, Dogecoin, and the like.
- It should be noted that although the diagrams herein may show a specific order and composition of method steps, it is understood that the order of these steps may differ from what is depicted. For example, two or more steps may be performed concurrently or with partial concurrence. Also, some method steps that are performed as discrete steps may be combined, steps being performed as a combined step may be separated into discrete steps, the sequence of certain processes may be reversed or otherwise varied, and the nature or number of discrete processes may be altered or varied. The order or sequence of any element or apparatus may be varied or substituted according to alternative embodiments. Accordingly, all such modifications are intended to be included within the scope of the present disclosure as defined in the appended claims. Such variations will depend on the machine-readable media and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the disclosure. Likewise, software and web implementations of the present disclosure could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various database searching steps, correlation steps, comparison steps, and decision steps.
- The foregoing description of embodiments has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from this disclosure. The embodiments were chosen and described to explain the principles of the disclosure and its practical application to enable one skilled in the art to utilize the various embodiments and with various modifications as are suited to the particular use contemplated. Other substitutions, modifications, changes, and omissions may be made in the design, operating conditions, and arrangement of the embodiments without departing from the scope of the present disclosure as expressed in the appended claims.
Claims (20)
1. A method, comprising:
receiving, by a computing system after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmitting, by the computing system, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticating, by the computing system, the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorizing, by the computing system, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
2. The method of claim 1, further comprising:
selecting, by the computing system and based on a predetermined time period and the merchant, the financial transaction.
3. The method of claim 1, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
4. The method of claim 1, wherein the aspect of the first purchase established as the network authentication credential includes a transaction amount of the first purchase.
5. The method of claim 1, wherein the aspect of the purchase established as the network authentication credential includes an identity of a product or service in the first purchase.
6. The method of claim 1, wherein the first query requests the customer to identify the product or service.
7. The method of claim 1, further comprising:
receiving, by the computing system, a description indicative of a second purchase by a customer, the second purchase occurring after the first purchase;
updating, by the computing system, the network security credential of the customer to include an aspect of the second purchase;
receiving, by the computing system, a second request to connect to the network from the customer device; and
transmitting, by the computing system, a second query to the customer device prompting the customer to input information regarding the aspect of the second purchase.
8. The method of claim 7, further comprising:
authenticating, by the computing system, the second request by determining that the customer-input response to the second query corresponds to the aspect of the second purchase; and
authorizing, by the computing system, connection of the customer device to the network based at least in part on the second request being authenticated.
9. The method of claim 1, further comprising:
transmitting, by the computing system, the aspect of the first purchase to a network agent associated with the merchant, the network agent to associate the aspect of the first purchase with information indicative of an identity of the customer device.
10. A merchant computing system comprising:
a memory and one or more processors configured to:
receive, after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmit a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticate the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorize connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
11. The system of claim 10, the processors to:
select, by the computing system and based on a predetermined time period and the merchant, the financial transaction.
12. The system of claim 10, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
13. The system of claim 10, wherein the aspect of the first purchase established as the network authentication credential includes a transaction amount of the first purchase.
14. The system of claim 10, wherein the aspect of the purchase established as the network authentication credential includes an identity of a product or service in the first purchase.
15. The system of claim 10, wherein the first query requests the customer to identify the product or service.
16. The system of claim 10, the processors to:
receive a description indicative of a second purchase by a customer, the second purchase occurring after the first purchase;
update the network security credential of the customer to include an aspect of the second purchase;
receive a second request to connect to the network from the customer device; and
transmit a second query to the customer device prompting the customer to input information regarding the aspect of the second purchase.
17. The system of claim 16, the processors to:
authenticate the second request by determining that the customer-input response to the second query corresponds to the aspect of the second purchase; and
authorize connection of the customer device to the network based at least in part on the second request being authenticated.
18. The system of claim 10, the processors to:
transmit the aspect of the first purchase to a network agent associated with the merchant, the network agent to associate the aspect of the first purchase with information indicative of an identity of the customer device.
19. A non-transitory computer readable medium including one or more instructions stored thereon and executable by a processor to:
receive, by a processor after completion of a first purchase from the merchant, a first request to connect to a network provided by a merchant from a customer device, the customer device associated with the merchant and the first purchase;
transmit, by the processor, a first query to the customer device prompting the customer to input information regarding an aspect of the first purchase, the first query including a description of a predetermined product parameter of a financial transaction record indicative of the first purchase from the merchant by the customer, the aspect of the first purchase established as a network authentication credential for the customer for the network provided by the merchant;
authenticate, by the processor, the first request by determining that a customer-input response to the first query corresponds to the aspect of the first purchase in accordance with a predetermined accuracy threshold associated with a maximum difference between the customer-input response and the aspect of the first purchase; and
authorize, by the processor, connection of the customer device to the network provided by the merchant based at least in part on the first request being authenticated.
20. The computer readable medium of claim 19, wherein the aspect of the purchase corresponds to at least one of a timing of the first purchase, a transaction amount of the first purchase, an identity of a product or service in the first purchase, and a location of the first purchase.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/199,722 US20230291550A1 (en) | 2017-06-23 | 2023-05-19 | Systems and methods for network authentication with a shared secret |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/632,094 US11233634B1 (en) | 2017-06-23 | 2017-06-23 | Systems and methods for network authentication with a shared secret |
US17/583,024 US11695548B1 (en) | 2017-06-23 | 2022-01-24 | Systems and methods for network authentication with a shared secret |
US18/199,722 US20230291550A1 (en) | 2017-06-23 | 2023-05-19 | Systems and methods for network authentication with a shared secret |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/583,024 Continuation US11695548B1 (en) | 2017-06-23 | 2022-01-24 | Systems and methods for network authentication with a shared secret |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230291550A1 (en) | 2023-09-14 |
Family
ID=79689750
Family Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/632,094 Active 2037-12-25 US11233634B1 (en) | 2017-06-23 | 2017-06-23 | Systems and methods for network authentication with a shared secret |
US17/583,024 Active US11695548B1 (en) | 2017-06-23 | 2022-01-24 | Systems and methods for network authentication with a shared secret |
US18/199,722 Pending US20230291550A1 (en) | 2017-06-23 | 2023-05-19 | Systems and methods for network authentication with a shared secret |
Country Status (1)
Country | Link |
---|---|
US (3) | US11233634B1 (en) |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080040271A1 (en) * | 2006-06-19 | 2008-02-14 | Ayman Hammad | Portable Consumer Device Verification System |
US20090037269A1 (en) * | 2007-08-03 | 2009-02-05 | Bassemir Richard T | Integration of Cash Registers and WiFi Support for Customers |
US20100242104A1 (en) * | 2009-03-23 | 2010-09-23 | Wankmueller John R | Methods and systems for secure authentication |
US20110302607A1 (en) * | 2010-06-07 | 2011-12-08 | Warrick Peter | Hospitality media system operated by mobile device |
US20120192258A1 (en) * | 2009-07-17 | 2012-07-26 | Boldstreet Inc. | Hotspot network access system and method |
US8423476B2 (en) * | 1999-08-31 | 2013-04-16 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
US20140068723A1 (en) * | 2011-10-25 | 2014-03-06 | Toopher, Inc. | Two-factor authentication systems and methods |
US8751801B2 (en) * | 2003-05-09 | 2014-06-10 | Emc Corporation | System and method for authenticating users using two or more factors |
US20140189829A1 (en) * | 2012-12-31 | 2014-07-03 | Apple Inc. | Adaptive secondary authentication criteria based on account data |
US20140195380A1 (en) * | 2013-01-09 | 2014-07-10 | Nearbuy Systems, Inc. | Wireless Analytics in Physical Spaces |
US20140248852A1 (en) * | 2009-01-28 | 2014-09-04 | Headwater Partners I Llc | Mobile device and service management |
US20150088756A1 (en) * | 2013-09-20 | 2015-03-26 | Oleg Makhotin | Secure Remote Payment Transaction Processing Including Consumer Authentication |
US20150088746A1 (en) * | 2013-09-26 | 2015-03-26 | SayPay Technologies, Inc. | Method and system for implementing financial transactions |
US20150120559A1 (en) * | 2013-10-29 | 2015-04-30 | Douglas Fisher | Enhancements to transaction processing in a secure environment |
US20150195289A1 (en) * | 2012-02-07 | 2015-07-09 | Visa International Service Association | Mobile human challenge-response test |
US9298898B2 (en) * | 2013-07-18 | 2016-03-29 | At&T Intellectual Property I, L.P. | Event-based security challenges |
US20170118190A1 (en) * | 2015-03-09 | 2017-04-27 | Michigan Health Information Network - Mihin | Method and apparatus for remote identity proofing service issuing trusted identities |
US20180285877A1 (en) * | 2017-03-31 | 2018-10-04 | Mastercard International Incorporated | Authentication using transaction history |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7024557B1 (en) | 1999-12-30 | 2006-04-04 | Samsung Electronics Co., Ltd. | System and method for secure provisioning of a mobile station from a provisioning server using encryption |
US7240202B1 (en) | 2000-03-16 | 2007-07-03 | Novell, Inc. | Security context sharing |
US7349871B2 (en) | 2002-08-08 | 2008-03-25 | Fujitsu Limited | Methods for purchasing of goods and services |
US7577836B2 (en) | 2004-01-16 | 2009-08-18 | Verizon Business Global Llc | Method and system for secured wireless data transmission to and from a remote device |
US8700729B2 (en) | 2005-01-21 | 2014-04-15 | Robin Dua | Method and apparatus for managing credentials through a wireless network |
US8638806B2 (en) | 2007-05-25 | 2014-01-28 | Hand Held Products, Inc. | Wireless mesh point portable data terminal |
US8145212B2 (en) | 2007-12-06 | 2012-03-27 | Evolving Systems, Inc. | Wireless device activation |
US8666904B2 (en) | 2008-08-20 | 2014-03-04 | Adobe Systems Incorporated | System and method for trusted embedded user interface for secure payments |
FR2959896B1 (en) | 2010-05-06 | 2014-03-21 | 4G Secure | METHOD FOR AUTHENTICATING A USER REQUIRING A TRANSACTION WITH A SERVICE PROVIDER |
US8719573B2 (en) | 2012-01-27 | 2014-05-06 | Intuit Inc. | Secure peer discovery and authentication using a shared secret |
US20150026779A1 (en) | 2013-07-16 | 2015-01-22 | Qualcomm Connected Experiences, Inc. | Performing remote wi-fi network configuration when a network security protocol is unknown |
EP3039907A2 (en) | 2013-08-29 | 2016-07-06 | Interdigital Patent Holdings, Inc. | Methods, apparatus and systems for wireless network selection |
US9100175B2 (en) | 2013-11-19 | 2015-08-04 | M2M And Iot Technologies, Llc | Embedded universal integrated circuit card supporting two-factor authentication |
US9652212B2 (en) | 2014-09-24 | 2017-05-16 | Oracle International Corporation | Managing change events for devices in an enterprise system |
JP6417483B2 (en) | 2014-12-31 | 2018-11-07 | サイトリックス システムズ,インコーポレイテッド | Shared secret repository for applications including single sign-on |
- 2017-06-23: US15/632,094, published as US11233634B1 (en), status: Active
- 2022-01-24: US17/583,024, published as US11695548B1 (en), status: Active
- 2023-05-19: US18/199,722, published as US20230291550A1 (en), status: Pending
Patent Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8423476B2 (en) * | 1999-08-31 | 2013-04-16 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
US8751801B2 (en) * | 2003-05-09 | 2014-06-10 | Emc Corporation | System and method for authenticating users using two or more factors |
US20080040271A1 (en) * | 2006-06-19 | 2008-02-14 | Ayman Hammad | Portable Consumer Device Verification System |
US20090037269A1 (en) * | 2007-08-03 | 2009-02-05 | Bassemir Richard T | Integration of Cash Registers and WiFi Support for Customers |
US20140248852A1 (en) * | 2009-01-28 | 2014-09-04 | Headwater Partners I Llc | Mobile device and service management |
US20100242104A1 (en) * | 2009-03-23 | 2010-09-23 | Wankmueller John R | Methods and systems for secure authentication |
US20120192258A1 (en) * | 2009-07-17 | 2012-07-26 | Boldstreet Inc. | Hotspot network access system and method |
US20110302607A1 (en) * | 2010-06-07 | 2011-12-08 | Warrick Peter | Hospitality media system operated by mobile device |
US20140068723A1 (en) * | 2011-10-25 | 2014-03-06 | Toopher, Inc. | Two-factor authentication systems and methods |
US20150195289A1 (en) * | 2012-02-07 | 2015-07-09 | Visa International Service Association | Mobile human challenge-response test |
US20140189829A1 (en) * | 2012-12-31 | 2014-07-03 | Apple Inc. | Adaptive secondary authentication criteria based on account data |
US20140195380A1 (en) * | 2013-01-09 | 2014-07-10 | Nearbuy Systems, Inc. | Wireless Analytics in Physical Spaces |
US9298898B2 (en) * | 2013-07-18 | 2016-03-29 | At&T Intellectual Property I, L.P. | Event-based security challenges |
US20150088756A1 (en) * | 2013-09-20 | 2015-03-26 | Oleg Makhotin | Secure Remote Payment Transaction Processing Including Consumer Authentication |
US20150088746A1 (en) * | 2013-09-26 | 2015-03-26 | SayPay Technologies, Inc. | Method and system for implementing financial transactions |
US20150120559A1 (en) * | 2013-10-29 | 2015-04-30 | Douglas Fisher | Enhancements to transaction processing in a secure environment |
US20170118190A1 (en) * | 2015-03-09 | 2017-04-27 | Michigan Health Information Network - Mihin | Method and apparatus for remote identity proofing service issuing trusted identities |
US20180285877A1 (en) * | 2017-03-31 | 2018-10-04 | Mastercard International Incorporated | Authentication using transaction history |
Also Published As
Publication number | Publication date |
---|---|
US11695548B1 (en) | 2023-07-04 |
US11233634B1 (en) | 2022-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11954674B1 (en) | | Systems and methods for third party token based authentication |
US11551200B1 (en) | | Systems and methods for activating a transaction card |
US20210390548A1 (en) | | Passwordless authentication through use of device tokens or web browser cookies |
US11954670B1 (en) | | Systems and methods for digital account activation |
US20170308896A1 (en) | | Methods and apparatus for brokering a transaction |
US20220188786A1 (en) | | Systems and methods for user data management across multiple devices |
US12099995B2 (en) | | Systems and methods for providing a code to a user device |
US10949859B2 (en) | | Enhancing information security via the use of a dummy credit card number |
US11132425B1 (en) | | Systems and methods for location-binding authentication |
US20170148009A1 (en) | | Dynamic multilayer security for internet mobile-related transactions |
US20220094678A1 (en) | | Systems and methods for user authentication based on multiple devices |
US11617081B1 (en) | | Passive authentication during mobile application registration |
US11373176B2 (en) | | Systems and methods for federated identity management |
US20230289767A1 (en) | | P2P PAYMENTS VIA INTEGRATED 3RD PARTY APIs |
US11049101B2 (en) | | Secure remote transaction framework |
US20230237172A1 (en) | | Data broker |
US11526880B2 (en) | | Dynamic security code for a card transaction |
US11695548B1 (en) | | Systems and methods for network authentication with a shared secret |
US11244297B1 (en) | | Systems and methods for near-field communication token activation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER |
 | STPP | Information on status: patent application and granting procedure in general | Free format text: ADVISORY ACTION MAILED |