Mitigating e-Commerce Fraud

November 5, 2017 | News & Updates

Today, we bring you this guest post from our founding CTO, Arshad Noor. You can read more posts like this at and we hope you’ll join us on our upcoming NCCoE webinar on November 14 at 12:00 EST.

Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. Merchants surely value these customers highly, but the customers' credentials, credit-card numbers and personally identifiable information are just as valuable to cyber-attackers.

On an internet awash with data breaches, what can merchants do to protect their customers and themselves? While the cyber-security industry has created a litany of technologies to address the problem, fraud rates continue to climb.

The principal reason current anti-fraud technologies do not work effectively is that they rely on secrets: secrets stored at merchant sites, which are susceptible to compromise through scalable attacks (where a single attack compromises large numbers of customers). Here are some examples of secrets that are vulnerable:

• When customers are asked to authenticate themselves using passwords – a secret;

• When customers are asked to authenticate using one-time passcodes (OTP) – a secret – typically sent to their e-mail or mobile phones, where they can be intercepted or simply typed into a phishing page;

• When customers are asked to confirm their identities using answers – a secret – to questions they were asked as part of account registration;

• When merchants “fingerprint” a customer’s computer and match the stored machine-fingerprint – a secret – when customers come back to shop again.

Another trend is to analyse customers' shopping behaviour and use algorithms to make real-time decisions about the risk that a transaction is being executed by a bad actor. While this "artificial intelligence" is intended to automate human risk management, it tends to become expensive, since more and more shopping data must be stored and processed to make each real-time decision.

It is this author’s contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets – starting with the most obvious one: the customer’s password.

Using a strong-authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (aka Security Key) – available for as little as USD10 – to protect their accounts. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to ascertain their customers’ identity.

FIDO protocols and Authenticators based on them:

• Keep the private signing key inside the Authenticator, typically a dedicated hardware device, so it cannot be copied over the internet the way file-based credentials can;

• Require the customer to prove presence at the computer originating the purchase (a touch on the Authenticator), combining possession of the device with presence;

• Are unphishable: the Authenticator signs the origin of the site requesting authentication together with the server's challenge, so a signature captured by a look-alike site cannot be replayed to the genuine merchant, and the protocol's cryptographic messages cannot be reused to masquerade as the legitimate customer;

• Are privacy-protecting: each registration gets its own key pair and the Authenticator stores no user identifier, so even with a stolen or lost Authenticator, attackers cannot learn a customer's identity or which accounts the device protects, let alone use it to compromise the customer's account.
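The properties above become concrete when both sides of the exchange are written out. The following is an added example, not StrongAuth's code or any FIDO reference implementation: a simplified U2F-style flow in Go that assumes hypothetical origins (https://shop.example, https://bank.example, the look-alike https://sh0p.example), a constructed challenge string in place of the fresh random bytes a real merchant would issue, and a signed-data layout of SHA-256(origin) || presence flag || SHA-256(challenge) with no signature counter or attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a hardware security key: keys are generated inside it and never
// leave, each registration is bound to one origin, and nothing is signed without a touch.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	origins map[string]string            // key handle -> origin it was registered for
}

// Register mints a P-256 key pair scoped to origin. The merchant stores only the returned
// key handle and public key, neither of which is a secret.
func (a *Authenticator) Register(origin string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := fmt.Sprintf("%x", sha256.Sum256(priv.PublicKey.X.Bytes()))[:32]
	a.keys[handle], a.origins[handle] = priv, origin
	return handle, &priv.PublicKey
}

// signedData is what gets signed, U2F-style: SHA-256(origin) || presence flag || SHA-256(challenge).
// Because the origin is inside the signed bytes, a signature obtained for one site is
// worthless at any other; that is the unphishability property.
func signedData(origin string, challenge []byte) []byte {
	oh, ch := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	return append(append(oh[:], 0x01), ch[:]...) // 0x01: user presence confirmed
}

// Sign answers a challenge for the page at origin and returns a DER-encoded ECDSA signature.
// The browser, not the page, supplies origin; touched models the physical presence test.
func (a *Authenticator) Sign(handle, origin string, challenge []byte, touched bool) ([]byte, error) {
	priv, ok := a.keys[handle]
	if !ok || a.origins[handle] != origin {
		return nil, errors.New("key handle was not registered for this origin")
	}
	if !touched {
		return nil, errors.New("user presence required")
	}
	digest := sha256.Sum256(signedData(origin, challenge))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty is the merchant's server for one enrolled account; it holds a public key only.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

// Verify recomputes the signed data with the merchant's OWN origin, so a signature produced
// for any other origin fails even if the challenge bytes were relayed faithfully.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	digest := sha256.Sum256(signedData(rp.Origin, challenge))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Outcome: a genuine login, the same challenge relayed from a look-alike origin, a login
// attempted without a touch, and whether two merchants see unrelated key material.
type Outcome struct {
	Legit, Phish, NoTouch error
	DistinctKeys          bool
}

func Scenario() Outcome {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, origins: map[string]string{}}
	shop := &RelyingParty{Origin: "https://shop.example"} // hypothetical merchant
	h1, p1 := key.Register(shop.Origin)
	h2, p2 := key.Register("https://bank.example") // same key enrolled at a second merchant
	shop.Pub = p1
	out := Outcome{DistinctKeys: h1 != h2 && !p1.Equal(p2)}
	chal := []byte("constructed-challenge-001") // constructed; a real merchant issues fresh random bytes per login
	sig, err := key.Sign(h1, shop.Origin, chal, true)
	if err != nil {
		out.Legit = err
		return out
	}
	out.Legit = shop.Verify(chal, sig)
	// A look-alike site relays the real challenge and handle, but the browser reports the
	// origin the user is actually on, so the key refuses to sign for it.
	_, out.Phish = key.Sign(h1, "https://sh0p.example", chal, true)
	_, out.NoTouch = key.Sign(h1, shop.Origin, chal, false)
	return out
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Two layers do the anti-phishing work: the Authenticator will not sign with a key handle registered for a different origin, and even a signature that did get produced elsewhere fails at the merchant because Verify hashes the merchant's own origin into the signed data. A production relying party would additionally issue a fresh random challenge per login and track the signature counter that real U2F and FIDO2 authenticators return, which this simplified layout omits.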

The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongAuth modified the popular open-source e-commerce platform, Magento, to integrate FIDO protocols into the purchasing process as a proof-of-concept.

StrongAuth will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and will subsequently release the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application can dramatically reduce fraud while strengthening the relationship between merchants and their customers.


Author strongkey
