In today's world, computing devices communicate with other computing devices through networks. During such communications, it may be difficult to verify, or authenticate, that a remote computing device is actually the computing device that it purports to be. For example, online businesses or merchants that offer sales online face unique challenges because such purchases are made through a “card not present” transaction, in which a merchant is unable to inspect the payment card being used in the purchase. Further, such purchases are made without the merchant or consumer physically swiping the payment card, or inserting a payment card including a chip into a terminal. Today, most card not present fraud takes place with computing devices communicating with one another over the Internet.
In a card not present transaction, the merchant releases the items purchased with an understanding that the actual cardholder authorized the purchase and that the actual cardholder will make the necessary payment. In this case, because the cardholder is not present, the items purchased are often delivered to an address selected by the cardholder at the time of the transaction. Due to the anonymity of a purchaser during an online transaction, fraud often occurs. That is, unauthorized users may purchase items online using a victim's account information. In some cases, a thief only needs the card number itself to make an online purchase. However, because the payment card information input by the thief is drawn to a valid account, a merchant is typically unaware of the fraud until after the fact.
In an attempt to increase security, online merchants may request additional information about the payment card (e.g., CSC, CVC, CVV) or additional information from the cardholder such as an address, phone number, email, answers to previously asked security questions, and the like. However, card information and personal information about a cardholder are also susceptible to being obtained by a thief. For example, criminals may infiltrate legitimate corporations and use their employment as a means for accessing customer and credit card information, and subsequently use this information to commit fraud. This type of fraud, referred to as skimming, usually occurs when the credit card information is obtained by a dishonest employee or agent of a legitimate merchant. Skimming often takes place in restaurants and bars where the skimmer has possession of the victim's credit card outside of the victim's view.
Phishing is another criminal activity whereby fraudsters attempt to acquire sensitive information, such as credit card numbers, addresses, social security numbers, driver's license numbers, usernames, and passwords by appearing as a trustworthy organization in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to provide the sensitive information on a website monitored by the criminals, although phone contact may also be used.
Spyware or malware may also be used by criminals to obtain payment card information about a cardholder. Spyware is often attached to trusted data downloaded by a person, such as emails, files, and the like. Spyware covertly gathers cardholder information without the cardholder's knowledge. Typically, the software monitors a user's activity online while remaining in the background and transmits information about the user's activity to another device controlled by the thief. Any kind of data a user enters online, including an email address, username, password, credit card number, and the like, may be gathered and used by a third-party criminal.
Therefore, an authentication system is needed which is capable of verifying that a user computing device is, in fact, a user computing device of an authorized user.