Authentication is an essential component in preventing abuse and unauthorized access to network-based services. Without secure methods of authentication, many services offered online, such as e-mail, banking, credit card management, bill paying, shopping, etc., could not exist. One common method of authentication is password verification. However, conventional password protection is often inadequate against the growing number and sophistication of methods employed by criminals who seek unauthorized access to online services by stealing passwords and other sensitive information from users.
Typical methods of obtaining passwords and other sensitive user information include the use of malware (malicious software), phishing, pharming, man-in-the-middle attacks, and “shoulder surfing”. Malware includes any type of malicious software intended by a hacker to gain access to or damage a computer without the knowledge or consent of the owner. Thus, malware may include viruses, worms, Trojan horses, rootkits, spyware, adware, and other unwanted software. Malware can be used to steal sensitive information such as usernames, passwords, and credit card numbers from unsuspecting users by installing keyloggers on their computers; these intercept the user's keystrokes and transmit them back to a criminal hacker. This enables the hacker to gain unauthorized access to the user's network accounts and services, such as online bank accounts and credit card accounts, and to commit various fraudulent transactions with them.
Phishing is another method criminal hackers use to try to steal sensitive user information such as usernames, passwords, and credit card numbers. Phishing directs an unsuspecting user (e.g., through an e-mail or instant message) to a fake website that appears to be legitimate, so that the user enters sensitive information which the hacker can then use to gain unauthorized access to the user's online accounts and services and commit various fraudulent transactions. Pharming is similar to phishing in that the hacker uses a fake website to steal sensitive user information. In pharming, however, the user does not have to be lured by a message: all of the traffic bound for the legitimate website is redirected to the fake one.
A man-in-the-middle (MITM) attack is yet another of the many methods hackers use to commit fraud. In a MITM attack, malicious software intercepts the communications between the parties to a transaction, such as a user accessing an online bank account. The MITM attacker can alter the content of the communications and/or send them to unintended recipients, and can return falsified messages to both parties without either party knowing that the communications were compromised. By recording the transactions between the parties, the attacker gains access to the user's sensitive information, which can then be used to commit fraud, such as stealing money from the user's bank account.
“Shoulder surfing” is a method of obtaining sensitive information through direct observation of a user's activities at a computer. A hacker can literally look over the user's shoulder to try to gain information, or can use less noticeable techniques of observation, such as viewing the user from a distance with binoculars or through small, hidden cameras.