1. Field of the Invention
Exemplary embodiments of the present invention relate to a method and an apparatus for authorizing online financial transactions, and more particularly, to a method and an apparatus for authorizing online financial transactions using a technology for creating financial transaction information and a one-time password so as to protect a user from a man-in-the-middle attack using web injection, a memory hacking attack, a remote control attack, or the like, at the time of an online financial transaction.
2. Description of Related Art
Recently, in online financial transactions, the integrity of transaction information has been secured by user authorization using a certificate, a one-time password (hereinafter, referred to as “OTP”), and a security card, together with an electronic signature using a certificate.
However, when malicious code that intercepts values typed on a keyboard is installed, hackers can acquire the password of a user certificate, an OTP value, and a security card value. In addition, hackers may modify an online financial transaction into a desired form using a man-in-the-middle attack (hereinafter, referred to as an “MITM attack”).
In order to prevent important user information from being exposed, a keyboard security program has been used. The keyboard security program may prevent user input from being leaked to the outside while it is transmitted to a server, by using end-to-end (E2E) encryption at the time of the online financial transaction. However, the keyboard security program has a weak point: when a user inputs information using an image keyboard rather than a physical keyboard, the input is not protected, which may allow an MITM attack by hackers.
The conventional representative measure for the MITM attack in the online financial transaction uses an OTP linked with a transaction.
The OTP linked with the transaction uses a separate hardware device, which is provided separately from the user computer (PC). This hardware device includes its own input device through which a user may enter the financial transaction content. For the online financial transaction, the user accesses the corresponding web site, logs in, and inputs the desired transaction information. The user then also inputs the same transaction information into the hardware device providing the OTP linked with the transaction. The device creates a cipher text that is valid only for that transaction and provides it to the user, and the user submits the cipher text to the web site through the user computer. In this case, even if the values are exposed to hackers, the hackers cannot decrypt the cipher text and thus cannot modify the values into a desired form.
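The following is an added example, not part of the patent text, that illustrates the transaction-linked OTP described above. It assumes a shared secret between the hardware device and the bank server, a canonical field encoding and an HMAC-SHA256 computation with HOTP-style truncation; the patent does not specify any of these details, and the field names, secret and accounts are constructed sample values.

```python
import hmac
import hashlib
import struct

DIGITS = 8  # length of the displayed code (assumption)

def canonical_transaction(tx: dict) -> bytes:
    # Both the device and the server must hash identical bytes, so the
    # transaction fields are encoded in a fixed order with fixed separators.
    fields = ("source_account", "beneficiary_account", "amount", "currency")
    return "|".join(f"{k}={tx[k]}" for k in fields).encode("utf-8")

def transaction_otp(secret: bytes, tx: dict, counter: int) -> str:
    # The code is bound to the transaction content AND to a per-device
    # counter, so replaying it for a different transaction fails.
    msg = canonical_transaction(tx) + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP)
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def server_verify(secret: bytes, tx_received: dict, counter: int,
                  otp_submitted: str) -> bool:
    # The server recomputes the code over the transaction it actually
    # received; a tampered transaction yields a different code.
    expected = transaction_otp(secret, tx_received, counter)
    return hmac.compare_digest(expected, otp_submitted)

def demo() -> tuple:
    secret = b"constructed-shared-secret-for-demo"  # constructed sample
    intended = {"source_account": "110-222-333", "beneficiary_account": "990-111-555",
                "amount": "1500.00", "currency": "KRW"}
    counter = 7
    otp = transaction_otp(secret, intended, counter)
    # An MITM that rewrites the beneficiary in transit cannot produce a
    # matching code because it does not hold the device secret.
    tampered = dict(intended, beneficiary_account="666-000-999")
    return (server_verify(secret, intended, counter, otp),
            server_verify(secret, tampered, counter, otp))

if __name__ == "__main__":
    print(demo())  # → (True, False)
```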
The method using the OTP linked with the transaction may cause inconvenience to the user in that the user needs to carry the OTP apparatus at all times (this OTP apparatus is larger than the OTP apparatus currently in use) and in that it is difficult to distribute the OTP linked with the transaction to existing users.