The proliferation of computers and the maturing of the World Wide Web (“web”) have resulted in the web increasingly becoming a medium used to conduct online commerce. Indeed, a broad range of commercial and financial transactions may be conducted over the web.
For example, increasing numbers of web merchants provide websites that a user (e.g., consumer) who plans to purchase a product can access (i.e., visit) to view information about the product, select the product for purchase, place an order for the product, and provide the information, such as payment and shipping information, needed to complete the purchase, all electronically online over the web. The user typically provides an account number (e.g., credit card account number, debit card account number, checking account number, etc.) as part of the payment information.
Like the web merchants, increasing numbers of financial institutions are also providing their customers online services over the web. For example, many banks now provide their customers the ability to perform numerous online transactions, such as online banking, online funds transfer, online bill payment, online trading, etc., over the web. In a typical online banking transaction, the user provides identification information, such as an account number and password, to gain remote access to the user's account. The user then requests one or more online transactions that involve the accessed account.
The increase in the level of online transactions has also brought about an increase in the levels of identity theft, account takeover, and online fraud. A threat common to online transactions arises from their reliance on usernames and passwords. The use and transmission of sensitive information (i.e., usernames, account numbers, passwords, etc.) over the web, Internet, or other unsecured networks has increased the threat that this information may be intercepted or stolen at the user's computing system, while in transit from the user's computing system to the online merchant's website, or at the merchant's website or server computing system.
One threat is a phishing attack. In a phishing attack, a user is tricked into providing the user's sensitive information (e.g., account numbers, login identification, passwords, PINs, etc.) to a malicious user, typically referred to as a “phisher.” For example, in online banking, a phisher would try to trick a user into providing the user's account number and password. Once the phisher has the user's account number and password, the phisher can bank online as the user.
Another threat is a “man in the middle” attack. A man in the middle attack occurs when a “hacker” gets between a user's computing system (e.g., client or client computing system) and the merchant's website. For example, using social engineering, the hacker may trick the user into thinking that the hacker is the user's bank, such as through a hyperlink in an email message (e.g., an email message that appears to be sent by a reliable source, such as the user's bank) or other hyperlinks. If the website addressed by the hyperlink appears identical or very similar to the user's bank's website, the user is likely to log in, and, at this point, the hacker will have the information needed to perform online fraud.
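The lure described above rests on a hyperlink whose visible text and destination differ, or whose destination is a lookalike of the bank's real host. The following is an added illustration, not part of the original text, of the checks a mail client or gateway can apply to such a link before the user ever reaches the login page: it compares the displayed host with the actual target host, flags a non-HTTPS target, and flags targets within a small edit distance of a trusted host. The trusted host names and the sample links are constructed for the example; `example-bank.com` is a hypothetical institution.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts the user genuinely banks with (hypothetical).
TRUSTED_HOSTS = ("www.example-bank.com", "example-bank.com")


def _with_scheme(url):
    """urlparse() needs a scheme to find the host; assume http:// when absent."""
    return url if "://" in url else "http://" + url


def host_of(url):
    """Return the lowercase host component of a URL, or "" if there is none."""
    return (urlparse(_with_scheme(url)).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains
    (e.g. a digit 1 substituted for the letter l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def analyze_link(anchor_text, href):
    """Return a list of reasons an e-mail hyperlink looks like a phishing lure.
    An empty list means no finding."""
    findings = []
    target = host_of(href)

    # Credential-entry pages should only ever be reached over HTTPS.
    if urlparse(_with_scheme(href)).scheme != "https":
        findings.append("not https")

    # If the visible anchor text itself looks like a URL, its host must match
    # the real destination; a mismatch is the classic display/target trick.
    text = anchor_text.strip()
    shown = host_of(text) if ("." in text and " " not in text) else ""
    if shown and shown != target:
        findings.append(f"display host {shown} != target host {target}")

    if target not in TRUSTED_HOSTS:
        # Distinguish an outright foreign host from a near-miss of a trusted one.
        for trusted in TRUSTED_HOSTS:
            d = edit_distance(target, trusted)
            if 0 < d <= 2:
                findings.append(f"lookalike of {trusted} (distance {d})")
                break
        else:
            findings.append("untrusted host " + target)
    return findings


if __name__ == "__main__":
    # Constructed sample links as they might appear in an e-mail body.
    samples = [
        ("https://www.example-bank.com/login", "https://www.example-bank.com/login"),
        ("www.example-bank.com", "http://www.examp1e-bank.com/login"),
        ("Click here", "https://evil.example/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href!r}: {analyze_link(text, href) or 'ok'}")
```

A check like this only covers the e-mail hop; it does not help once the user has already reached a lookalike site, which is why the later sections of the document turn to what the bank's own site can do to distinguish itself from an impostor.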
Still another threat is the possibility of the user's computing system becoming fully compromised. For example, a remote shell to the hacker or a “trojan” listening for the user to access the user's bank's website may be installed and executing on an unsuspecting user's computing system.