Peer-to-peer transactions allow individuals to directly exchange information and value. They can be enabled by intermediary applications, such as a digital wallet provider.
For example, Alice can activate a digital wallet application on her mobile device and activate a peer-to-peer transaction function. Alice inputs her account credentials, and indicates that she would like to send a payment to Bob by inputting Bob's phone number. When Alice submits the transaction, Alice's mobile device sends her credentials to the digital wallet provider, along with the transaction amount and Bob's phone number. The digital wallet provider then contacts Bob at his mobile device, asking for his credentials. Bob inputs his credentials, and his mobile device sends his credentials back to the digital wallet provider. Having obtained both Alice's credentials and Bob's credentials, the digital wallet provider can cause the transaction to take place, such that the payment value is transferred from Alice's account to Bob's account.
While peer-to-peer transactions enable individuals to send value to one another, they also create a number of security issues. For example, a fraudster can execute a man-in-the-middle attack by intercepting a transaction message, changing some of the information, and then forwarding along the changed transaction message.
As an example, the fraudster can intercept Alice's message to the digital wallet provider. The fraudster can change the message so that Bob is no longer indicated as the transaction recipient, and instead the fraudster is the recipient (e.g., by changing Bob's phone number to the fraudster's phone number). As a result, the digital wallet provider contacts the fraudster at his mobile device (instead of Bob), and the fraudster inputs his own account credentials. Then, the payment is sent to the fraudster instead of Bob.
As another example, the fraudster can intercept Bob's message to the digital wallet provider. The fraudster can change the message so that Bob's credentials are no longer listed, and instead the fraudster's credentials are listed. Again, the payment is sent to the fraudster instead of Bob.
Embodiments of the invention address these and other problems individually and collectively.
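The first interception case above comes down to the provider having no way to tell that the recipient field changed in transit. The following is an added illustration, not code from this document and not the method of the embodiments: it assumes a hypothetical per-device key shared between Alice's device and the provider, hypothetical field names, and constructed phone numbers, and compares a provider that trusts the fields as received with one that verifies an HMAC-SHA256 tag over them.

```python
import hashlib
import hmac
import json

# Constructed sample values; the key and field names are assumptions.
ALICE_DEVICE_KEY = b"constructed-demo-key-alice"
BOB_PHONE = "+1-555-0100"
OTHER_PHONE = "+1-555-0199"


def canonical(fields: dict) -> bytes:
    """Serialize deterministically so both sides compute the tag over the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_request(sender: str, recipient_phone: str, amount_cents: int, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag covering every transaction field."""
    fields = {"sender": sender, "recipient_phone": recipient_phone,
              "amount_cents": amount_cents}
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


def alter_in_transit(message: dict, new_phone: str) -> dict:
    """Model the changed message: the recipient differs, the tag is the stale original."""
    altered = {"fields": dict(message["fields"]), "tag": message["tag"]}
    altered["fields"]["recipient_phone"] = new_phone
    return altered


def provider_accepts_unauthenticated(message: dict) -> str:
    """Provider as in the flow described above: uses whatever recipient arrives."""
    return message["fields"]["recipient_phone"]


def provider_accepts_authenticated(message: dict, key: bytes):
    """Provider recomputes the tag; returns the recipient, or None if any field changed."""
    expected = hmac.new(key, canonical(message["fields"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return None
    return message["fields"]["recipient_phone"]


if __name__ == "__main__":
    original = build_request("alice", BOB_PHONE, 2500, ALICE_DEVICE_KEY)
    changed = alter_in_transit(original, OTHER_PHONE)
    print("unauthenticated provider contacts:", provider_accepts_unauthenticated(changed))
    print("authenticated provider, original: ",
          provider_accepts_authenticated(original, ALICE_DEVICE_KEY))
    print("authenticated provider, changed:  ",
          provider_accepts_authenticated(changed, ALICE_DEVICE_KEY))
```

A tag over the fields only detects modification; it does not by itself stop a captured message from being replayed unchanged, which would need a nonce or timestamp inside the tagged fields.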