Abstract

In this paper, we describe a novel method of approving and finalising financial transactions that would raise the bar for any potential attackers. The proposed scheme is based on the hypothesis that it would be significantly harder for an attacker to compromise two hardware devices or monitor and interfere with two communication channels at the same time. This will allow the users of this method to initiate a transaction on the Internet and then use their mobile phone in order to sanction the transfer of funds to a different account. In contrast to Two-Factor Authentication systems, this scheme does not require the online submission of any information that is received by the user's device but directly interacts through the mobile phone network. For this purpose the user's mobile phone has an additional encryption layer that allows it to communicate securely with the server side and convey the user's consent for a certain transaction. This ensures that the two channels and the authentication factors are kept independent. Therefore, even if the user's computer is compromised an attacker would not be able to set a fraudulent transaction without actually having the user's mobile phone and the unique data that are generated by the device.