Today, we bring you this guest post from our founding CTO, Arshad Noor. You can read more posts like this at https://alesa.website/ and we hope you’ll join us on our upcoming NCCoE webinar on November 14 at 12:00 EST.
Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. While merchants surely value these customers highly, the customers’ credentials, credit-card numbers and personally identifiable information are equally valuable to cyber-attackers too.
On an internet awash with data-breaches, what can merchants do to protect their customers and themselves? While the cyber-security industry has created a litany of technology to address the problem, fraud rates continue to climb.
The principal reason current anti-fraud technologies do not work effectively is because they rely on secrets – secrets stored at merchant sites, and which are susceptible to compromise through scalable attacks (where a single attack can compromise large numbers of customers). Here are some examples of secrets that are vulnerable:
• When customers are asked to authenticate themselves using passwords – a secret;
• When customers are asked to authenticate using one-time-passcodes (OTP) – a secret – typically sent to their e-mail or mobile phones;
• When customers are asked to confirm their identities using answers – a secret – to questions they were asked as part of account registration;
• When merchants “fingerprint” a customer’s computer and match the stored machine-fingerprint – a secret – when customers come back to shop again.
Another trend is to analyse customers’ shopping behaviour and use algorithms to make real-time decisions about the risk of the transaction being executed by a bad actor. While this “artificial intelligence” is intended to automate human risk-management, it has the propensity to become expensive as more and more shopping data must be stored and processed to make real-time decisions.
It is this author’s contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets – starting with the most obvious one: the customer’s password.
Using a strong-authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (aka Security Key) – available for as little as USD10 – to protect their accounts. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to ascertain their customers’ identity.
FIDO protocols and Authenticators based on them:
• Require a hardware-based Authenticator so they are not susceptible to attacks from the internet as file-based credentials are;
• Require the customer to prove their presence in front of the computer originating the purchase, with possession of the FIDO Authenticator;
• Are unphishable – attackers cannot compromise the protocol’s cryptographic messages and use them to masquerade as the legitimate customer;
• Are privacy-protecting. Even with a stolen or lost Authenticator, attackers cannot learn a customer’s identity and use it to compromise the customer’s account.
The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongAuth modified the popular open-source e-commerce platform, Magento, to integrate FIDO protocols into the purchasing process as a proof-of-concept.
StrongAuth will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and subsequently releasing the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.