This application relates generally to electronic transactions. More particularly, the disclosure provided herein relates to verifying transactions using out-of-band devices.
As the sophistication of computer and web technologies has increased, the sophistication of computer and web attackers has increased as well. One sophisticated approach used to attack computers and web resources is commonly referred to as a “Trojan Horse” attack. In a Trojan Horse attack, malicious software masquerades as innocent software, thereby increasing the chances that users will execute or install it.
While many forms of Trojan Horse attacks exist, a particularly pronounced threat is posed by what are known as “man-in-the-middle attacks,” one example of which is referred to as a “man-in-the-browser attack.” In a man-in-the-browser attack, the malicious software used to attack a computer is executed by the attacked computer itself. The malicious software is capable of modifying a page or other content displayed by a web browser or other application during a transaction or application session. The malicious software is thus able to modify the transaction being completed via the attacked computer while also modifying the display output, so that the user believes the requested transaction is progressing as requested.
In one example of a man-in-the-browser attack, a user accesses a banking application to request a transfer of money from a first account to a second account. Malicious software executed by the computer intercepts the requests generated by the computer and modifies them in real time to alter the parameters of the transaction. Similarly, the malicious software modifies the output from the application and presents transaction or session data to the user in a manner that obscures the interference with the transaction. Thus, a user requesting, for example, a one thousand dollar transfer between two accounts may unwittingly transfer ten thousand dollars to a third account, for example an account associated with the attacker. During this transaction, however, the malicious software obscures the parameters of the transaction to ensure that the user remains unaware of the attack until after the transaction is completed.
Various approaches are used to avoid man-in-the-browser attacks. In some approaches, an application verifies that a user is aware of a transaction by interacting with the user via a device separate from the device used to complete the transaction. For example, the application can generate a token or image that is emailed or otherwise transferred to a cell phone or other device associated with the user. Until the user verifies the token, image, or other information received from the application, thereby confirming that the user is aware of the transaction, the transaction is put on hold or blocked. These approaches require sophisticated token generation functions and delivery mechanisms, and also require users to input information such as passwords or tokens. Furthermore, because the token carries no information about the transaction itself, these approaches do not address man-in-the-browser attacks in which the parameters associated with a transaction are modified by malicious software or other entities without the user's knowledge.
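As an added illustration that is not part of the application text, the following Python models the two out-of-band flows discussed above, using a constructed server key, constructed account identifiers, and a simplified model of the browser-side rewrite: a token that carries no transaction data lets the modified transfer through, while a confirmation code computed over the parameters the server actually received, displayed on the second device together with those parameters, lets the user notice the change before the transfer proceeds.

```python
"""Constructed demo: an out-of-band token must be bound to the transaction parameters."""
import hashlib
import hmac
import json
import secrets

# Constructed values: a server-side session secret and the transfer the user intends.
SERVER_KEY = b"constructed-session-secret-not-for-production"
INTENDED = {"from": "ACC-1001", "to": "ACC-2002", "amount_usd": 1000}


def man_in_browser(request):
    """Model of the rewrite described in the text: tenfold amount, attacker's account."""
    tampered = dict(request)
    tampered["to"] = "ACC-ATTACKER"          # constructed destination
    tampered["amount_usd"] = request["amount_usd"] * 10
    return tampered


def canonical(txn):
    # Sorted, whitespace-free JSON so every parameter is covered by the digest.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def bound_code(txn, key=SERVER_KEY):
    """Short confirmation code derived from the parameters the SERVER received."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()[:8]


def parameter_free_flow(intended, tamper=True):
    """Token approach criticised in the text: the token carries no transaction data."""
    received = man_in_browser(intended) if tamper else dict(intended)
    token = secrets.token_hex(4)             # server -> phone, out of band
    entered = token                          # user types it into the compromised browser
    accepted = hmac.compare_digest(entered, token)
    return accepted, received                # accepted even though received != intended


def bound_flow(intended, tamper=True):
    """Second device shows the received parameters plus a code bound to them."""
    received = man_in_browser(intended) if tamper else dict(intended)
    phone_message = {"shown": received, "code": bound_code(received)}
    # The user compares the displayed transfer with what they meant to do and
    # withholds the code if it differs, so the transfer stays on hold.
    if phone_message["shown"] != intended:
        return False, received
    accepted = hmac.compare_digest(phone_message["code"], bound_code(received))
    return accepted, received
```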