In recent years, illegal money transfer using man-in-the-browser (MITB) attacks with malware in internet banking has become a social problem. This study focuses on transaction-tampering MITB attacks and considers countermeasures to combat them. The existing countermeasures require that another device, such as a token device, other than the device used to carry out the actual money-transfer operation is utilized to ensure a secure route different from that carrying out the actual money-transfer operation. However, because MITB attackers have become more sophisticated, malware will be able to infect all the devices in the end and the multiple routes approach will have become ineffective against this type of attack. Therefore, we constructed a human-to-machine communication protocol that requires only one device for each user and is secure against transaction-tampering MITB attacks, even if the device is taken over by malware.