In a recent panel discussion on financial fraud prevention, a question was raised to the panelists – a credit-card issuer, a prepaid-card payment processor, and others: Were any of them using FIDO protocols to prevent transaction fraud?
There was silence for a full 15 seconds before the panelists slowly responded, one by one, that they were not; no reasons were given. The responses surprised this author, not only because FIDO protocols are well known in the security industry and have been available as standards for over two years, but also because the card issuer on the panel is a Board member of the FIDO Alliance and had to be aware of the transaction-fraud prevention capabilities of FIDO protocols.
The FIDO standard protocols, the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F), are the result of an industry alliance of over 300 companies worldwide working to eliminate shared-secret authentication: user IDs and passwords, one-time-password tokens and the like, which have been at the heart of numerous data breaches over the last decade. Since the protocols were standardized two years ago, more than 150 products have been FIDO Certified®, including StrongAuth's own CryptoEngine FIDO Server, and are available to serve risk-mitigation needs.
In addition to strong authentication (an industry term for confirming a user's identity with a cryptographic digital signature produced by a hardware authenticator), FIDO protocols also support obtaining a digital signature from the end-user over the content of a transaction, so that the transaction itself is confirmed. The most important properties of a FIDO-based digital signature are that the protocols require:
- End-users be physically present at the computer/device initiating the transaction (the authenticator signs only after a test of user presence, such as a touch, or a user-verification step);
- End-users possess a FIDO Authenticator holding a private key, which is never shared with the server, with which they authenticate themselves; and optionally
- End-users confirm the transaction with a digital signature from their FIDO Authenticator over the transaction content displayed to them.
While FIDO protocols were primarily designed to enable strong authentication to web applications, their support for transaction authorization is icing on the cake. Yet applications, apparently, are not using this feature to stem multi-billion-dollar losses to the industry. This is a shame, because FIDO protocols not only have the potential to strengthen transaction security but also eliminate the password hell end-users are subjected to, while protecting them and web applications from many attacks on the internet.
Notwithstanding the availability of a patch, the most recent ransomware attack, in May 2017, could have been mitigated if the applications holding sensitive files had required such digital-signature authorization before modifying or deleting them. Technically, from an application's point of view, writing to a file is analogous to an electronic transaction such as buying a book at an e-commerce site: both change the state of a file or database when the transaction concludes.
Currently, ransomware attacks work because applications allow an authenticated user to modify files (encrypting them and deleting the originals) without any secondary authentication or authorization. Consequently, malware running on a user's computer executes with the full privileges of that user. What those privileges cannot produce is a signature from a FIDO Authenticator, which requires a physically present user to approve the displayed operation. The check therefore has to be enforced by the service that holds the data: a server that accepts a write or delete only with a fresh, user-confirmed signature over that specific operation cannot be made to overwrite its contents by code on the endpoint, whereas a local copy that malware can reach through ordinary operating-system file calls is not protected by anything the application does. Enforced that way, FIDO digital signatures change the paradigm and lead to a higher level of security.
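As an added example (written for this page; it is not StrongAuth's code and not the FIDO wire format), the following Go program, using only the standard library, models the three requirements in the list above and the file-modification case just described. The Transaction, Assertion, Authenticator and Server types, the signed-data layout (challenge plus a SHA-256 digest of the displayed transaction text) and the account numbers, paths and file contents are all constructed for the demonstration; userApproves stands in for the user-presence step. It runs the honest payment, a replayed assertion, a payee swapped by malware on the PC, a ransomware-style overwrite that reuses a genuine signature, and a request with no signature at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Transaction is what the user must confirm (payee and amount, or file operation, path and
// new contents). The server renders it as text; that text is displayed to the user and signed.
type Transaction struct{ Op, Target, Detail string }
func (t Transaction) Text() string { return t.Op + "|" + t.Target + "|" + t.Detail }

type Assertion struct{ Challenge, Sig []byte } // what the authenticator returns (simplified; not the FIDO wire format)

// signedData is what gets signed: the server's challenge plus a digest of the displayed text. Changing either invalidates the signature.
func signedData(challenge []byte, txText string) []byte {
	h := sha256.Sum256([]byte(txText))
	return append(append([]byte{}, challenge...), h[:]...)
}

// Authenticator models the user's FIDO device: the private key never leaves it, and it signs only
// after a physically present user approves the displayed text (userApproves stands in for that step).
type Authenticator struct{ priv ed25519.PrivateKey }

func (a Authenticator) Confirm(challenge []byte, tx Transaction, userApproves func(string) bool) (Assertion, error) {
	if !userApproves(tx.Text()) {
		return Assertion{}, errors.New("user declined the displayed transaction")
	}
	return Assertion{challenge, ed25519.Sign(a.priv, signedData(challenge, tx.Text()))}, nil
}

// Server models the relying party that holds the data: the public key registered at
// enrolment, single-use challenges, and the protected files, which change only via Finish.
type Server struct {
	pub     ed25519.PublicKey
	pending map[string]Transaction // challenge -> the transaction the server proposed
	files   map[string]string
}

// Begin binds a fresh random challenge to exactly one proposed transaction.
func (s *Server) Begin(tx Transaction) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[string(c)] = tx
	return c
}

// Finish verifies the assertion against the transaction the server itself proposed for that challenge, then executes it; every failure leaves the store unchanged.
func (s *Server) Finish(a Assertion) error {
	tx, ok := s.pending[string(a.Challenge)]
	if !ok {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(s.pending, string(a.Challenge)) // single use, whether or not it verifies
	if !ed25519.Verify(s.pub, signedData(a.Challenge, tx.Text()), a.Sig) {
		return errors.New("signature does not cover this transaction")
	}
	if tx.Op == "write" {
		s.files[tx.Target] = tx.Detail
	}
	return nil
}

// Scenarios runs the constructed cases and reports whether the server ended in the expected state for each (all values are made up).
func Scenarios() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth, srv := Authenticator{priv}, &Server{pub, map[string]Transaction{}, map[string]string{}}
	approveAll := func(string) bool { return true }
	out := map[string]bool{}
	// Honest payment: the user approves what is displayed; the server accepts it exactly once.
	pay := Transaction{"pay", "ACCT-1234", "100.00"}
	a, _ := auth.Confirm(srv.Begin(pay), pay, approveAll)
	out["honest payment accepted"] = srv.Finish(a) == nil
	out["replay rejected"] = srv.Finish(a) != nil
	// Malware on the PC swaps the payee before the request reaches the server; the
	// authenticator displays the server's text, the user does not recognise it and declines.
	swapped := Transaction{"pay", "MULE-9999", "100.00"}
	intended := func(text string) bool { return strings.Contains(text, "ACCT-1234") }
	_, err := auth.Confirm(srv.Begin(swapped), swapped, intended)
	out["swapped payee never signed"] = err != nil
	// Honest file write, then a ransomware-style overwrite that reuses the genuine signature
	// under a new challenge: the signed bytes differ, so the plaintext survives. A request
	// carrying no assertion at all is refused the same way.
	doc := Transaction{"write", "/docs/report.txt", "plaintext"}
	ga, _ := auth.Confirm(srv.Begin(doc), doc, approveAll)
	out["honest write stored"] = srv.Finish(ga) == nil && srv.files[doc.Target] == "plaintext"
	forged := Assertion{srv.Begin(Transaction{"write", doc.Target, "ENCRYPTED"}), ga.Sig}
	out["ransomware overwrite rejected"] = srv.Finish(forged) != nil && srv.files[doc.Target] == "plaintext"
	out["unsigned request rejected"] = srv.Finish(Assertion{}) != nil && len(srv.files) == 1
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Two design points carry the argument of the page: the server verifies the signature over the transaction it proposed, never over text supplied by the client, so a signature obtained for one operation is worthless for any other; and each challenge is consumed on first use, so a captured assertion cannot be replayed. A real deployment would additionally check the authenticator's signature counter and the application-identity binding that the FIDO protocols carry; both are left out here to keep the example short.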
This author has written about the benefits of application-level encryption and strong authentication in the past. Building on that foundation, companies would do well to add transaction-level authorization, not only to deter transaction fraud but also to inoculate themselves against ransomware. The protocols to support this are available today; the tools to enable it are available now; all that is required is the resolve to get the job done.