1. Field of the Invention
The present invention relates generally to data processing, and more particularly but not exclusively to online transactions over a computer network.
2. Description of the Background Art
Various financial transactions may be performed over the Internet. Examples of these financial transactions include online banking, sending or receiving of payments for product purchases (e.g., use of the PayPal™ system), credit card purchases, and so on. Unfortunately, the convenience of performing online financial transactions over the Internet attracts not only legitimate users but fraudsters as well. Fraudsters gain access to the online financial accounts of their victims using a variety of techniques, including “phishing,” use of a Trojan horse, and man-in-the-middle attacks. Phishing involves some form of misrepresentation. In a typical phishing attack, the victim receives an email falsely claiming to be from the victim's financial institution. The email is made to look convincingly real, oftentimes complete with the look and feel of emails from the financial institution. The email includes a link to the fraudster's website, where the victim enters his financial account information (e.g., login ID and password) thinking he is providing the information to his financial institution.
A Trojan horse is an apparently useful program or data that contains malicious code. The malicious code allows the fraudster to keep track of keystrokes entered on a computer with the Trojan horse, access the computer, and perform other unauthorized actions on the computer. The Trojan horse thus allows the fraudster to get financial account information available in the computer.
Man-in-the-middle (“MITM”) attacks involve an intermediate computer intercepting communications between two other computers, such as a user's client computer and a financial institution's server computer. The intermediate computer monitors, and sometimes even modifies, intercepted communications, which may include financial account information.
Various IP and URL reputation services have been developed to prevent some of these attacks. Generally speaking, IP and URL reputation services combat phishing by checking the source IP address of an email or the URL of a website against a list of known phishing sites. However, reputation-based security measures only work against known phishing scams, are not easy to implement, and have difficulty preventing man-in-the-middle attacks and key-logging.
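To make concrete how the reputation check just described operates, and where its coverage ends, the following is an added example rather than anything from the patent. The host and IP lists are constructed placeholders (documentation address ranges, no real indicators), and the lookup logic is an illustration of the list-matching approach, not any particular reputation service's implementation.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample reputation lists; these are placeholders, not real indicators.
KNOWN_PHISHING_HOSTS = {"bank-login.example", "secure-paypa1.example"}
KNOWN_PHISHING_NETS = [ip_network("203.0.113.0/24")]  # TEST-NET-3 documentation range


def normalize_host(url: str) -> str:
    """Return the lowercase host of a URL with any port and trailing dot removed.

    Without normalization, trivial variations in casing or a trailing dot would
    defeat an exact-match lookup against the list.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def host_is_known_bad(url: str) -> bool:
    """Flag a URL whose host, or any parent domain of it, is on the list."""
    host = normalize_host(url)
    labels = host.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return any(candidate in KNOWN_PHISHING_HOSTS for candidate in candidates)


def ip_is_known_bad(ip: str) -> bool:
    """Flag a source IP address that falls inside any listed network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed address: nothing to match against
    return any(addr in net for net in KNOWN_PHISHING_NETS)


def check_email(source_ip: str, link: str) -> dict:
    """Combine the two checks the way a reputation filter would on an inbound email."""
    return {"ip_flagged": ip_is_known_bad(source_ip), "url_flagged": host_is_known_bad(link)}
```

A newly registered phishing domain or a sending address outside every listed range passes both checks untouched, which is precisely the limitation the paragraph above describes: the filter recognizes only what is already on the list.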
Once the fraudster gets hold of legitimate financial account information, it is relatively easy for the fraudster to take advantage of the anonymity of the Internet to access the victim's financial account online and perform an unauthorized transaction, such as transferring funds out of the victim's account. What is needed is a way to enhance the security of online transactions without unduly impacting the ease and convenience with which these transactions may be performed.