The present disclosure is related to methods for leveraging secure communication channels established by using two-way authentication between the entities involved in the communication.
Customers and service providers often must make transactions across secure telecommunication connections (e.g. a web browsing session or a telephone call). A connection between the customer and the service provider relies on authentication processes to validate the identity of the customer and the identity of the service provider before beginning an interaction between the customer and the service provider. Presently, each of such telecommunications connections between the customer and the service provider is initiated as if it were a first contact between the customer and the service provider. For example, when a customer uses the web browser to navigate to the service provider's website, the customer relies on the web browser to verify that the service provider's website is genuine before establishing an encrypted connection between the web browser and the service provider's website. After the web browser has validated the service provider's website, the web browser establishes an encrypted connection with the service provider's website. After the encrypted connection has been established, the customer sends personal identifying information, such as a username and a password, over the encrypted connection to confirm the customer's identity to the service provider's website.
The process of browser-run authentication described above is complicated and requires many intermediate, often third-party, validation steps using certificates. The certificates are easy to falsify and therefore a risk that the validation process will be compromised is inherent in each step of the validation process. If the validation process is compromised, the encryption key, and therefore any information sent across the encrypted connection, may therefore be accessed by a hacker. Another drawback of the web browser-run verification process is that the service provider's website often uses the same encryption key to establish every encrypted connection with every web browser requesting a secure connection with the website of the service provider. Accordingly, if even a single communication between the service provider's website and the customer's browser is intercepted by a hacker, all subsequent communication for all customers occurring over telecommunication connections encrypted using the encryption key are compromised.
The customer may also make transactions with the service provider using a telephone call into a call center of the service provider. When the customer calls the call center of the service provider, the customer is required to validate his or her identity by providing personal identifying information, such as a birthdate, a social security number, an address, or historical family information to a call center employee. While the call center may thus verify an identity of the customer based on the personal identifying information provided, the customer has no way to verify that the call center employee is a genuine call center employee associated with the service provider. Furthermore, the customer has no way to prevent the call center employee from stealing the customer's personal identifying information.
In the examples described above, the customer and the service provider have a pre-existing relationship (e.g. the customer has already signed up for the service provided by the service provider), yet this pre-existing relationship is not leveraged to authenticate the customer during transactions that occur after the initial encounter between the customer and the service provider. Instead, the customer is required to provide many pieces of personal identifying information for every interaction between the customer and the service provider, as is described above for the customer calling the call center. Alternatively, the service provider may require the customer to make an account that is accessible by a username and a password with the service provider. The account includes the personal identifying information of the customer. However, since the validation process completed by the browser before establishing the encrypted connection has many points of weakness, meaning that information such as the username or the password sent by the user over the encrypted connection may be intercepted.