The present invention relates to techniques for authenticating parties during an on-line transaction. More specifically, the present invention relates to a system and a technique that reduces phishing by authenticating parties during a transaction.
While there has been considerable recent growth in on-line commerce, and more generally, in the use of the Internet to conduct financial transactions, data security for these on-line financial transactions remains a significant problem which can cause sensitive information to be misappropriated and/or misused.
One class of security problems is ‘phishing,’ during which a malicious user tricks a victim into accepting a false identity, which enables the malicious user to access or obtain sensitive information (such as a credit-card number, a bank-account number, a social-security number, or a username and password). For example, the malicious user may send an email falsely claiming to be an established, legitimate enterprise in an attempt to scam the victim into providing sensitive information that can be used for identity theft. In some cases, the email may include a link to a fake website (which is a replica of a trusted website) where the sensitive information is requested.
Unfortunately, phishing often mimics the same techniques that are used in on-line financial transactions. In particular, email is a convenient communication technique for sending invoices to customers, and payment for many invoices is often implemented by linking a customer to a payment web page, where the customer can complete the financial transaction. Moreover, to keep the process simple (and thus, to facilitate use of such services), many payment web pages avoid a lengthy registration process, and thus, do not ask customers to log in, thereby exacerbating the security risk.
Hence, phishing undermines confidence in the safety of on-line commerce.