Transaction authentication refers to an Internet method of identifying an account user to ensure the person is authorized for that account. This system typically requests specific information such as a password and a user identification number in order to verify permissions. Other types of information requested might be mother’s maiden name, place of birth or the name of the user’s first child. Additional transaction authentication information may be requested during the session because it is sometimes possible for others to access the transaction information while the session is active. Certain transaction authentication software may also check the user’s computer information and habits and compare the current session to stored information.
The typical applications for transaction authentication are those that involve user accounts including banking, sales and personal information. Customers wishing to make bank transfers may be asked to provide transaction authentication numbers (TAN) or to re-enter the original information used to log in at the beginning of the session. Certain sales websites also use this process to verify that the original customer is the one making the purchase, and that sales transaction information is correct. Companies that create customer accounts containing personal information such as medical accounts or rental registries typically require some form of transaction authentication to verify that the new account is legitimate.
Since a third party may be able to use sophisticated software to hijack, or steal, the transaction, some type of authorization process is important to verify the user’s identity. This is especially true with large purchases or bank transfers, money that is being sent to a previously unused account, or items being shipped to an address other than that of the account holder. The problem with using transaction authentication as a security method is that it is still sometimes possible for an unauthorized person to access the information, possibly resulting in theft or fraud. When a third party hijacks the session, the hijacker may be able to obtain all of the original transaction authentication information from the session and use it unlawfully.
Some systems check the customer’s physical location as well as other identifying information, including the consumer’s previous pattern of usage and the computer’s Internet Protocol (IP) address. Unusual results will trigger a request for additional authorization information. This is only useful in situations where the person is a repeat customer, but it can be very helpful in preventing banking fraud.
A more effective way to protect transaction content is through the use of additional security measures such as transaction verification. This method adds a means of verifying the integrity of the transaction itself to the transaction authentication. It becomes much harder for unauthorized users to capture the transmitted information in such a system, especially when the data that is transmitted is encrypted by the system.
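The contrast between a plain session TAN and transaction verification, as an added example that is not from this page or from any particular bank's system. It assumes a constructed shared secret, an HMAC-SHA256 over a fixed set of transaction fields, and a 6-digit truncated code; real products derive the code differently, but the property shown is the same: a code bound to the transaction content stops working once a hijacker alters the recipient or amount.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real accounts, keys or transactions).
SECRET = b"constructed-shared-secret-for-demo"
LEGIT_TX = {"tx_id": "T-0001", "from": "ACCT-HOLDER", "to": "ACCT-PAYEE",
            "amount": "250.00", "currency": "EUR"}
# A hijacker keeps the captured session but redirects the payment.
ALTERED_TX = dict(LEGIT_TX, to="ACCT-HIJACKER", amount="2500.00")

# Plain transaction authentication: a TAN from a list only proves the user
# holds the list; it says nothing about what the transaction contains.
VALID_TANS = {"482913", "771204"}


def plain_tan_accepts(tan: str, tx: dict) -> bool:
    # The transaction content is deliberately ignored here.
    return tan in VALID_TANS


# Transaction verification: bind the code to the transaction itself.
FIELDS = ("tx_id", "from", "to", "amount", "currency")


def canonical(tx: dict) -> bytes:
    # Fixed field set and ordering so both sides hash identical bytes;
    # amounts are kept as strings to avoid float formatting drift.
    subset = {k: str(tx[k]) for k in FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret: bytes, tx: dict) -> str:
    # HMAC over the canonical content, truncated to a 6-digit code as a
    # user would type it; the server must rate-limit attempts because a
    # 6-digit space is small.
    digest = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_transaction(secret: bytes, tx: dict, code: str) -> bool:
    # Constant-time comparison of the expected and supplied codes.
    return hmac.compare_digest(transaction_code(secret, tx), code)


if __name__ == "__main__":
    code = transaction_code(SECRET, LEGIT_TX)
    print("plain TAN replayed on altered tx:", plain_tan_accepts("482913", ALTERED_TX))
    print("bound code on legit tx:", verify_transaction(SECRET, LEGIT_TX, code))
    print("bound code on altered tx:", verify_transaction(SECRET, ALTERED_TX, code))
```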