The present disclosure generally relates to securing secure resources. The disclosed embodiments relate more specifically to systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions.
An increasing number of people engage in electronic transactions, telephone transactions, and other types of transactions in which at least one of the parties to the transaction relies on funds or other types of value to be provided or distributed by an entity other than that party. For example, an individual engaged in a purchase transaction with a merchant may rely on their banking institution to provide funds to the merchant through a bank or credit account held by the banking institution for the individual. In those types of transactions, it often is desirable to authenticate the identity of the party (e.g., the individual) to reduce the risk of unauthorized transactions.
Various techniques for authenticating the identity of a party engaged in a transaction generally include soliciting the party for a user-associated password, where the party previously has registered the user-associated password with an authenticating agent. For example, the user-associated password may be a personal identification number (PIN) registered by the party at the banking institution at which the party holds funds. That type of PIN often is entered at and passed through a merchant during a transaction. As another example, the user-associated password may be a password that is solicited by an account issuer and which, during a transaction with a merchant, is communicated to the account issuer while bypassing the merchant (e.g., a one-time password (OTP)).
While the use of user-associated passwords increases the integrity of transactions, problems with engaging in secure transactions still widely persist. For example, if an unauthorized third party gains access to the user-associated password of another, that third party may use that user-associated password to engage in unauthorized transactions by posing as the party that registered the user-associated password.
One method of authentication that secure systems (e.g., online bank interfaces, retail websites, Customer Relationship Management (CRM) portals, etc.) use is to solicit a user name/password combination from a user. Ease of use, convenience, and the familiarity of most users are the main reasons why that mode of authentication is so widely adopted. Such static password-based authentication, however, has many weaknesses. For example, user-chosen passwords tend to be weak and guessable, users tend to use the same password on multiple systems, and static passwords are vulnerable to phishing and eavesdropping.
Humans, in general, don't have great memories. They frequently choose passwords that are meaningful to them and relatively simple to guess. According to at least one study, the two most commonly used passwords are the number sequence “123456” and the word “password.” The common use of such simple passwords makes attacking accounts relatively easy because hackers often can guess those passwords without having to go through all the combinations of potential passwords.
Further, people tend to use the same password on multiple systems. Thus, if one of the systems is compromised and a person's password is obtained from that system, that person's accounts on multiple systems can be broken into with that password. Moreover, since static passwords do not change, they are easy to phish/eavesdrop. If a user gets fooled by a phishing attack, he/she will end up disclosing his/her password to the fraudster. A person also may inadvertently disclose his/her password by transmitting the password over a non-protected channel on which a fraudster may eavesdrop.
In response to the foregoing problems, and in response to market demand, some websites hosting sensitive, high-value data have started offering two-factor authentication for certain accounts. Two-factor authentication requires the presentation of a first factor defined by something the user knows (e.g., a password, a personal identification number (PIN), etc.) in combination with at least a one other factor, such as something the user has (e.g., a smart card, a hardware token, etc.) and/or something the user is (e.g., a biometric characteristic). That strong authentication option, however, generally is made available only to commercial accounts or high net-worth individuals and is seldom granted to retail end-users. The availability of that option is limited by the websites to keep their operational costs down. Two-factor credentials are more expensive, require end-user training, and require more sophisticated support processes.
Two-factor credentials using hardware tokens, which are a commonly deployed type of two-factor credentials, are more expensive because of the additional hardware costs. Larger deployments also have to factor in the increased costs associated with inventory management, shipment, and replacement. Another reason for the lack of adoption of two-factor credentials on a large scale is the inconvenience associated with using them. For example, a user must have his/her hardware token in his/her physical possession in order to authenticate himself/herself, which is an unacceptable requirement in this age of near ubiquitous Internet access. Moreover, if the hardware token is lost, the user is locked out of the corresponding system until a replacement device is shipped to him/her. The use of two-factor credentials also requires an additional PIN, which users frequently forget or use in the incorrect order. Dealing with such scenarios requires more support processes than just resetting a user's password.
Piggybacking on the recent trend of mobile device usage, some security vendors have started supporting software-based tokens. While that reduced some of the overhead associated with hardware tokens (e.g., inventory management, shipment, replacement, etc.), the complexity of using an OTP was still the same as before. Moreover, such software-based tokens are vulnerable to clone attacks. While the hardware-based tokens used a seed key protected in hardware to generate OTPs, software-based tokens use seed keys kept on the file system of a mobile device to generate OTPs, which makes them vulnerable to cloning attacks. In such attacks, the seed keys may be copied from the mobile device by an attacker by attaching the mobile device to the attacker's computer and/or by placing a virus on the mobile device.