Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. While merchants surely value these customers highly, those customers' credentials, credit card numbers, and personally identifiable information are just as valuable to cyber-attackers.
On an internet awash with data breaches, what can merchants do to protect their customers and themselves? While the cybersecurity industry has created a litany of technologies to address the problem, fraud rates continue to climb.
The principal reason current anti-fraud technologies do not work effectively is that they rely on secrets—secrets stored at merchant sites, which are susceptible to compromise through scalable attacks (where a single attack can compromise large numbers of customers). Here are some examples of vulnerable secrets:
- When customers are asked to authenticate themselves using passwords—a secret
- When customers are asked to authenticate using one-time passcodes (OTP)—a secret—typically sent to their e-mail or mobile phones
- When customers are asked to confirm their identities using answers—a secret—to questions they were asked as part of account registration
- When merchants "fingerprint" a customer's computer and match the stored machine fingerprint—a secret—when customers come back to shop again
Another trend is to analyze customers' shopping behavior and use algorithms to decide in real time how likely it is that a transaction is being executed by a bad actor. While this "artificial intelligence" is intended to automate human risk management, it tends to become expensive, because more and more shopping data must be stored and processed to make those real-time decisions.
It is this author's contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets—starting with the most obvious one: the customer's password.
Using a strong authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (aka Security Key)—available for as little as USD$10—to protect their accounts. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to ascertain their customers' identity.
FIDO protocols, and the Authenticators on which they are based:
- Require a hardware-based Authenticator—not susceptible to attacks from the internet as file-based credentials are
- Require the customer to prove their presence in front of the computer originating the purchase—with possession of the FIDO Authenticator
- Are unphishable—attackers cannot compromise the protocol's cryptographic messages and use them to masquerade as the legitimate customer
- Are privacy-protecting—even with a stolen or lost Authenticator, attackers cannot learn a customer's identity and use it to compromise the customer's account
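The properties listed above come down to a few checks the merchant's server performs on every FIDO response, and the sensitive operation (signing) happens inside the Authenticator rather than against anything stored at the merchant. The following Go program is an added example, not code from this post or from StrongKey's Magento work: it models a security key that signs over the authenticator data and the browser-supplied client data, and a merchant that accepts the response only if it was produced for the merchant's own origin, answers the merchant's own fresh challenge, and carries the user-presence flag. The relying-party ID shop.example, the look-alike domain shop-example.evil, and every function name are assumptions constructed for the illustration; the signed-message layout follows FIDO2/WebAuthn, but the client-data field names, the reuse of one key across both sites, and the zero signature counter are simplifications.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed values for the merchant: its relying-party ID and the only origin it accepts.
const rpID, rpOrigin = "shop.example", "https://shop.example"

// clientData is assembled by the browser, which fills in Origin itself; a page cannot lie about it.
// (Real clientDataJSON uses lowercase keys; this model keeps the struct to one line.)
type clientData struct{ Type, Challenge, Origin string }

// assertion: AuthData = rpIdHash(32) || flags(1) || signCount(4); Sig is ECDSA P-256 over SHA-256, DER.
type assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// signedMessage is what FIDO2 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// authenticatorSign stands in for the security key; the private key never leaves it.
func authenticatorSign(priv *ecdsa.PrivateKey, rpIDSeen string, present bool, cdJSON []byte) assertion {
	rpHash := sha256.Sum256([]byte(rpIDSeen))
	authData := make([]byte, 37) // signature counter (last 4 bytes) left at 0 in this model
	copy(authData, rpHash[:])
	if present {
		authData[32] = 0x01 // UP flag: set only after the customer touches the key
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return assertion{authData, cdJSON, sig}
}

// browserClientData models the browser building clientDataJSON for the page that called it.
func browserClientData(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	return b
}

// verifyAssertion is the merchant's side. All it stores is the public key, which is of no use to a thief.
func verifyAssertion(pub *ecdsa.PublicKey, challenge []byte, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rpOrigin { // origin binding: the unphishable property
		return fmt.Errorf("origin %q is not %q: phished or misdirected", cd.Origin, rpOrigin)
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch: signed for a different site")
	}
	if as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; the Go docs state this never returns an error
	return c
}

// demo runs three ceremonies: a genuine purchase, one relayed via a look-alike phishing site, and a replay.
func demo() (legit, phished, replayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub := &priv.PublicKey // registered with the merchant at enrolment; not a secret
	c1 := newChallenge()   // 1. genuine: the customer is on shop.example and touches the key
	as1 := authenticatorSign(priv, rpID, true, browserClientData(c1, rpOrigin))
	legit = verifyAssertion(pub, c1, as1)
	// 2. phished: a look-alike site relays the real challenge, but the browser records the true origin
	c2 := newChallenge()
	as2 := authenticatorSign(priv, "shop-example.evil", true, browserClientData(c2, "https://shop-example.evil"))
	phished = verifyAssertion(pub, c2, as2)
	replayed = verifyAssertion(pub, newChallenge(), as1) // 3. the genuine assertion resubmitted later
	return
}

func main() { fmt.Println(demo()) }
```

Run with `go run`: the genuine ceremony returns nil, the relayed one fails on the origin check before the signature is even examined, and the replay fails on the challenge check. Note what the merchant holds after enrolment: a public key and nothing else, so a breach of that record gives an attacker nothing to log in with, which is the contrast with the stored secrets listed earlier in the post.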
The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongKey modified the popular open source e-commerce platform, Magento, to integrate FIDO protocols into the purchasing process as a proof of concept.
StrongKey will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and subsequently releasing the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.