Developments in communication technology have changed the common protocol for business, reducing in-person communication as people communicate through alternative mediums. For example, e-mail enables individuals to communicate virtually instantaneously over the Internet. Moreover, as the Internet grows in popularity as a business medium, users engage in a wider variety of transactions online. Accordingly, various transactions, such as interactions with financial institutions or online retailers, now involve the sensitive exchange of personal information (e.g., bank account numbers or credit card information). To protect such information, a plurality of solutions have been introduced that typically require users to register and obtain a unique user name/password prior to the business transaction.
Moreover, in such systems, security breaches such as spoofing attacks are becoming pervasive. In general, user spoofing attacks relate to attempts by malicious third parties to deceive users into disclosing a username/password or another type of credential specified by the user (e.g., memorized), through impersonation of trusted entities. Generally, spoofing attacks can be initiated by local malware or by sending electronic mail messages that are crafted such that they appear to originate from known and trusted establishments. Such electronic mail messages typically inform recipients that the trusted entity needs to verify user information by checking the username/password. The user may enter such information at a web site that appears to belong to the trusted entity, yet is controlled by malicious third parties. Once a user enters such information at a phishing site, the third party can use the user-held credential (e.g., username and password) at the real website being impersonated, to perform transactions or even to wrest control of an account away from the user.
Several factors make spoofing a challenging problem from a computer security standpoint. First, in spoofing attacks the victim unknowingly or unwittingly assists the attacker by voluntarily providing security credentials such as a username and password. Second, identifying phishing sites can be difficult using a fixed algorithm because attackers quickly adapt to security measures; hence it is difficult, if not impossible, to anticipate the ingenuity of all future attackers with a fixed set of rules. Third, users tend to ignore warnings about security dangers: a user who does not heed a warning can render even the best warnings useless.
Other types of security breaches occur when users cannot readily ensure that their PCs are free of malware and spyware. Even if every effort is made to keep a system fully patched (e.g., running an anti-virus program and implementing firewall policies), malicious code may still end up on the system. This can be of great concern for users who perform financial tasks such as banking and shopping on a PC. For example, a key logger installed on a machine can spy on all keyboard traffic, retrieve passwords for any accounts accessed, and then compromise those accounts.
Furthermore, since users often perform a plurality of tasks and a variety of activities on the same machine, it is often difficult to guarantee the safety of such a machine. For example, if a machine is used only for banking, and never accesses sites other than predetermined financial entities, there is a high chance of keeping that machine relatively clean. Nonetheless, if the user also plays online games, visits web sites that maintain poor security policies, or installs shareware applications, the threat risk is substantially increased. As such, it is exceedingly difficult to ensure that such a machine is free of malware or spyware. Hence, users continue to face challenges when desiring to perform secure tasks, such as financial transactions or banking, on the same machine where malicious applications can run in the same security context as the rest of the user's programs and data.