It is important to provide protection against malware in web browsers in an effort to prevent attackers from gaining access to critical resources or information of a user. Step-up authentication is a known security technique for computing devices which consists of employing an authentication mechanism other than a primary authentication operation to protect operations, resources and information. For example, a website may have a username/password authentication operation as a primary authentication mechanism; however, an additional level of security, such as a second level of user authentication, may also be employed, using a one-time password, grid card, other token-based system or other technique to provide another level of authentication of the user.
Systems are also known wherein, for example, a web server (including a backend infrastructure hosting a website) receives a transaction request from a user device, and the web server, using the backend infrastructure, calls into a risk-based authentication platform to add step-up authentication and/or transaction verification. For example, a risk assessment that results in a risk score is carried out to determine when to apply step-up authentication for an online transaction such as a banking transaction or other transaction. Transaction verification may employ, for example, the use of an additional device to verify that the transaction should be approved. Using an additional device in the process can add security for an online transaction involving critical information or access to important resources of a system. Systems are known to use a second channel (also referred to as a back channel) and an associated device such as a smart phone to get additional confirmation of a transaction if the transaction is being conducted, for example, on a laptop with a web server. However, such systems typically require the web server to have its applications modified to call an authentication platform that carries out the transaction verification operation using the additional device and out-of-band channel.
Transaction verification consists of a user initiating a transaction on a device or system and, before the transaction is accepted or processed by the backend system, the user receiving details of the transaction on another device or system and being given the opportunity to approve or reject the transaction. For example, transaction verification systems are known to require a user to acknowledge information on a separate device from the device used to initiate the online transaction. In one example, an out-of-band communication to a user's smart phone requests confirmation of an online transaction while the user is online with a different device, to provide additional security when, for example, large money balances are being transferred from one account to another, or for other high-risk transactions. However, such systems typically require the hosting website to be modified to call into the risk-based authentication platform. The software applications that are on the website must typically be modified to force a call into the authentication platform. This can result in very costly software modifications, require additional testing and increase rollout costs.
There are known verification and transaction (proxy) servers, also called out-of-band transaction verification gateways, that attempt to protect a website server in a manner that does not require the platform hosting the website to be modified in order to provide out-of-band transaction verification. However, such systems typically do not employ any type of transaction risk assessment, so the system applies the out-of-band verification to every transaction it processes. This can create errors for users.
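The following is an added illustration, not part of the original text, of how a proxy gateway sitting in front of an unmodified web server could combine the two ideas described above: a transaction risk score decides whether to forward the request directly or to first request approval over a second channel. The risk factors, weights, threshold and the confirmation callback are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Threshold and weights are illustrative assumptions, not values from the text.
STEP_UP_THRESHOLD = 50


@dataclass
class Transaction:
    user: str
    amount: float
    payee: str
    device_id: str


@dataclass
class UserProfile:
    known_payees: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    typical_amount: float = 0.0


def risk_score(tx: Transaction, profile: UserProfile) -> int:
    """Assumed scoring: unfamiliar payee, unfamiliar device and unusual amount add risk."""
    score = 0
    if tx.payee not in profile.known_payees:
        score += 30
    if tx.device_id not in profile.known_devices:
        score += 30
    if profile.typical_amount and tx.amount > 5 * profile.typical_amount:
        score += 40
    return score


def gateway_decide(tx: Transaction, profile: UserProfile,
                   confirm_out_of_band: Callable[[str, str], bool]) -> tuple:
    """Proxy-gateway decision made before the request reaches the web server.

    Low-risk transactions are forwarded without bothering the user; high-risk
    ones are held until the user approves a summary sent over the second
    channel (the callback stands in for the push to the user's phone).
    """
    score = risk_score(tx, profile)
    if score < STEP_UP_THRESHOLD:
        return "forward", score
    summary = f"{tx.user}: send {tx.amount:.2f} to {tx.payee}?"
    if confirm_out_of_band(tx.user, summary):
        return "forward", score
    return "reject", score
```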
A need exists for an improved security system that employs step-up authentication and/or an improved online transaction verification.