Security of financial and other types of transactions is of great importance due to the relatively recent growth of threats such as phishing and pharming, which are intended to fraudulently acquire sensitive information, such as passwords, PIN numbers and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Once such details are fraudulently acquired, they are utilised to make financial payments or to misappropriate funds from financial accounts. The account holder is often without any knowledge of these fraudulent transactions until after they have been concluded and it is too late to intervene. It is desirable, therefore, to seek authorisation of transactions from a customer before transactions are concluded by the financial institution.
In current systems used to authorise financial transactions, it is difficult and often impossible to obtain a firm guarantee that the person initiating the transaction is the account holder and is authorised to conclude the transaction. For example, when a merchant swipes a customer's credit card, the credit card terminal connects to the merchant's acquirer, or credit card processor, which verifies that the customer's account is valid and that sufficient funds are available to cover the transaction's cost. However, this process does not provide any form of verification that the individual making the transaction is indeed authorised to do so.
Although a merchant may compare a signature on the credit card to the signature of the customer, such methods of verifying whether or not the transaction is fraudulent are far from foolproof. Furthermore, the account holder and credit card provider are relying on the merchant to deny transactions that appear to be fraudulent and unauthorised.
This issue is particularly pronounced with transactions conducted in the online environment or over the telephone, where the merchant is unable to verify the customer's signature and therefore cannot determine whether or not the transaction is fraudulent.
One method of overcoming such issues is to require the purchaser to provide a Card Verification Value Code (CVV), which is not part of the card number itself, and is also known as CVV2, CVC2, and CID. The CVV check is an authentication procedure established by credit card companies to reduce fraud for internet and telephone transactions. It requires the card holder to provide the CVV number at transaction time to verify that the card is on hand. While the CVV code helps ascertain that the customer placing the order actually possesses the credit/debit card and that the card account is legitimate, this authentication procedure is ineffective when the card itself has been misappropriated or in scenarios where there has been unauthorised access to the financial records of the account holder.
Similarly, in current systems where the customer is required to provide a password or PIN number before a transaction is authorised, unauthorised access to the account holder's records is likely to provide the information required to fraudulently authorise transactions.
Accordingly, it is an object of the invention to provide a system for authorising transactions which seeks to alleviate the problems of prior art systems.
It will be clearly understood that, if a prior art publication or system is referred to herein, this reference does not constitute an admission that the publication or system forms part of the common general knowledge in the art in Australia or in any other country.