The number of potentially insecure applications running on client computers that, nevertheless, require secure real time transaction services, continues to grow. One non-limiting example of such applications are FLASH-based gaming applications that require replenishment of virtual currency in order to buy in-game upgrades like level unlocks, virtual equipment, virtual special weapons and cheats directly to gamers. Securing such real time transactions is needed in the art to protect users and application developers from fraudulent acquisition of account information, identity theft, and other forms of fraud.
One known method for securing such transactions is the concept of using a shared secret (secret key cryptography). Secret key cryptography involves the use of a single key. Given a message and the key, encryption produces unintelligible data which requires the key to decrypt. See, for example, Section 2.4 of Kaufman, Network Security, Prentice-Hall, Inc., Upper Saddle River, N.J., which is hereby incorporated by reference. However, the shared secret method does not work in instances where one of the applications is not secure. For example, many popular programming applications are executed by FLASH players and are not secure. Typically, when a shared secret algorithm is used, there is a remote web server calling a local web server. The secret is safe on the remote web server and the local web server and is not communicated between the two servers. This fails when the application is written in FLASH or other programs that are downloaded to a client computer and run, for example, within the client's browser. In the case of FLASH, when a user requests a FLASH application, a SWF file that contains bytecode that is interpreted by a FLASH player is down-loaded to the client computer and run (interpreted) by a FLASH player within the client's browser. The bytecode in the SWF file can be inspected at the client computer to determine the secret. Thus, secrets cannot be contained within a FLASH SWF file.
Given the above background, what is needed in the art are improved systems and methods for authenticating electronic transactions originated from applications that may not be secure.