Transaction verification protects consumers from fraud by ensuring that no change has been made to a monetary transaction as it is being processed. An Internet-based security measure, transaction verification is helpful against Man-in-the-Middle attacks. In these attacks, a cyber criminal creates a fake website that effectively eavesdrops on the communication between a consumer and his bank, retailer, or credit card company. The criminal is thus able to gain the consumer’s personal information and use it. In a Man-in-the-Middle attack, neither the consumer nor the retailer knows that an outside party is spying on the conversation.
One example of a very potent Man-in-the-Middle technology was the Silent Banker malware that infected over 400 bank websites around the world in 2008. In this case, the malware was a rootkit that was implemented before the browser’s virus protection software kicked in. Once the unsuspecting user entered his authentication information into the bank’s website, the Silent Banker malware activated, changing the destination of the transaction to the criminal’s bank account.
Many websites and mobile software programs have implemented out-of-band technology for transaction verification. Supposedly this method works because it takes the consumer outside of the browser in which the criminal would be eavesdropping. The consumer would verify the transaction through a phone call or e-mail. Unfortunately, out-of-band authentication is still susceptible to Man-in-the-Middle attacks, because those attacks use counterfeit websites. Therefore, the consumer would not necessarily see that anything was wrong with the site before providing the authentication. He might actually call the criminal and give him his information by phone.
Other websites have utilized one-time codes for transaction verification. Theoretically, only the consumer would know the code, so when he enters that code into the bank’s website, the bank is assured that the consumer is who he says he is. If the consumer’s operating system has been taken over by a malware program, however, he is not the only person who has access to that code.
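The following is an added example, not part of the original article. It contrasts a one-time code that only authenticates the consumer with a code computed over the transaction details, so that a changed destination is rejected. The key, account names and function names are constructed for illustration, and the example assumes the key is held on a device the malware does not control.

```python
import hashlib
import hmac
import json

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key


def _code(key, fields):
    """Eight-digit code from HMAC-SHA256 over an unambiguous JSON encoding."""
    msg = json.dumps(fields, separators=(",", ":")).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


def plain_code(key, counter):
    """Code that proves only who the consumer is."""
    return _code(key, [counter])


def bound_code(key, counter, dest, amount_cents):
    """Code that also covers the destination account and the amount."""
    return _code(key, [counter, dest, amount_cents])


def bank_accepts_plain(key, counter, received, code):
    # The transaction the bank received plays no part in this check.
    return hmac.compare_digest(plain_code(key, counter), code)


def bank_accepts_bound(key, counter, received, code):
    # Recompute the code from the transaction as it arrived at the bank.
    expected = bound_code(key, counter, received["dest"], received["amount_cents"])
    return hmac.compare_digest(expected, code)


def demo():
    approved = {"dest": "ACCT-PAYEE", "amount_cents": 12500}  # what the consumer saw
    altered = dict(approved, dest="ACCT-OTHER")  # destination changed in transit
    counter = 7
    p = plain_code(KEY, counter)
    b = bound_code(KEY, counter, approved["dest"], approved["amount_cents"])
    return {
        "plain_altered": bank_accepts_plain(KEY, counter, altered, p),
        "bound_unaltered": bank_accepts_bound(KEY, counter, approved, b),
        "bound_altered": bank_accepts_bound(KEY, counter, altered, b),
    }


if __name__ == "__main__":
    print(demo())
```

The plain code verifies even though the destination was changed, while the bound code verifies only for the transaction the consumer approved.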
While there is no way to completely protect a consumer from online fraud through transaction verification, there are a few tips that can reduce the likelihood that a consumer will fall into a Man-in-the-Middle trap. First, the consumer should beware of any e-mails or text messages that are sent to him from an unknown source. Those communications should be deleted immediately and no links within those e-mails or text messages should be opened. Second, if the website suddenly changes in appearance, be careful about using it. It might be a Man-in-the-Middle’s decoy site. If suspicious activity continues, call the organization that maintains the website. Finally, all computer users should maintain current virus and spyware protection as well as a firewall to minimize the likelihood that their computer will be attacked successfully.