Securing an automated customer ordering process
Original Publication Date: 2002-May-16
Included in the Prior Art Database: 2003-Jun-21
In the world of retail and distribution, a retailer wants to be able to place an order with their distributor, either using a manual process or an automated process. For the order to be made on a secure connection, the retailer can be prompted to enter a password when using a manual process, but for an automated process, the password needs to be stored on some accessible medium. And this is where the problem arises. Storing a password leaves it open to compromise and hence, misuse. This invention uses a combination of the password entered with the manual process (known as the non-stored password within this context), the stored password and a random time of day to submit the automated order. The retailer (client) uses the non-stored password to initiate an automated order request with the distributor (server). The client specifies a time of day for the automated order to start and synchronises the time of day with the server. The time of day for the order is specified with a time range, e.g. plus/minus 30 minutes. The server now randomly selects a time of day within the specified range for the automated order to start from the client. The server expects an order to arrive at the specified time, within a predefined limit, allowing for any network delay and any slight discrepancies in the system clocks. If the stored password is compromised, it can only be used at the predefined time or within a very small window of opportunity. If the server receives more than one request from the same client at the specified time, it can raise an alarm.