Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. Merchants surely value these customers highly, but those customers' credentials, credit card numbers, and personally identifiable information are just as valuable to attackers.
On an internet awash with data breaches, what can merchants do to protect their customers and themselves? While the cybersecurity industry has created a litany of technologies to address the problem, fraud rates continue to climb.
The principal reason current anti-fraud technologies do not work effectively is that they rely on secrets: secrets stored at merchant sites, which are susceptible to compromise through scalable attacks, where a single attack (a breach of the merchant's database, say) compromises large numbers of customers at once. Here are some examples of secrets that are vulnerable:
Another trend is to analyze customers' shopping behavior and use algorithms to make real-time decisions about the risk that a given transaction is being executed by a bad actor. While this "artificial intelligence" is intended to automate human risk management, it tends to become expensive, because ever more shopping data must be stored and processed to make those real-time decisions, and its output is an estimate of risk rather than proof of who is transacting.
It is this author's contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets—starting with the most obvious one: the customer's password.
Using a strong authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (also called a Security Key), available for as little as USD$10, to protect their accounts. With FIDO, the merchant stores only a public key; the private key stays on the Authenticator and signs a fresh challenge on each login, so there is no password to phish and nothing in the merchant's database that an attacker could reuse to log in. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to verify that the person logging in holds the customer's registered Authenticator.
FIDO protocols and Authenticators on which they are based:
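The exchange below is an added example, not part of the original post and not StrongKey's or the FIDO Alliance's code. It sketches in Go why a FIDO-style login leaves no secret at the merchant: the Authenticator keeps the private key and signs a fresh challenge, the relying party stores only the public key and the last signature counter, and verification binds the signature to the merchant's own ID so a replayed, phished, or forged assertion is rejected. The type names (Authenticator, RelyingParty, Credential, Assertion), the rpID string "shop.example" and the hashed message layout in signedData are this example's own simplifications, not the FIDO U2F or WebAuthn wire formats.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models a FIDO security key: the private key is generated on the
// device and never leaves it, so the merchant only ever receives signatures.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // increments on every signature
}

// Credential is all the merchant stores per customer: a public key and the last
// counter seen. A breach of this record gives an attacker nothing to log in with.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Assertion is the authenticator's signed answer to one login challenge.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Sig       []byte
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands the relying party the public half only.
func (a *Authenticator) Register() Credential { return Credential{Pub: &a.priv.PublicKey} }

// signedData binds a signature to the relying party ID, the counter and the fresh
// challenge, so an assertion captured on a phishing site or replayed later fails.
// (Simplified layout for this example; real FIDO signs a different structure.)
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs when the user touches the key. In real FIDO the browser, not the web
// page, supplies rpID (the origin), which is what makes phished signatures useless.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, a.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

// RelyingParty is the merchant: registered credentials plus outstanding challenges.
type RelyingParty struct {
	ID      string
	creds   map[string]*Credential
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*Credential{}, pending: map[string][]byte{}}
}
func (rp *RelyingParty) Register(user string, c Credential) { rp.creds[user] = &c }

// NewChallenge issues 32 random bytes that must come back signed.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand.Read is guaranteed not to fail as of Go 1.24
	rp.pending[user] = ch
	return ch
}

// Verify accepts an assertion only if the challenge is the outstanding one (consumed
// either way), the counter advanced, and the signature checks under the stored key.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	cred, ch := rp.creds[user], rp.pending[user]
	delete(rp.pending, user) // single use: a replayed assertion fails below
	if cred == nil || len(ch) == 0 || !bytes.Equal(ch, as.Challenge) {
		return errors.New("no credential, or unknown or already-used challenge")
	}
	if as.Counter <= cred.Counter {
		return errors.New("counter did not advance: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedData(rp.ID, as.Counter, as.Challenge), as.Sig) {
		return errors.New("signature does not verify under stored public key")
	}
	cred.Counter = as.Counter
	return nil
}
```

To exercise it, register a Credential with a RelyingParty, call NewChallenge, have the Authenticator Sign that challenge for the relying party's own ID, and pass the Assertion to Verify; then try the same Assertion twice, an Assertion signed for a different ID, or one produced by a second Authenticator, and each is rejected. The point to carry over to production is the shape of the credential store: public keys and counters only, so a dump of it is not a scalable attack the way a table of password hashes is. A real deployment would use a WebAuthn or U2F library rather than this sketch, since the actual protocols also carry key handles, client data, attestation, and user-presence flags.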
The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongKey modified Magento, a popular open-source e-commerce platform, to integrate FIDO protocols into the purchasing process as a proof of concept.
StrongKey will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and subsequently releasing the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.