Mitigating e-Commerce Fraud


Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. While merchants surely value these customers highly, the customers’ credentials, credit-card numbers and personally identifiable information are just as valuable to cyber-attackers.

On an internet awash with data-breaches, what can merchants do to protect their customers and themselves? While the cyber-security industry has created a litany of technology to address the problem, fraud rates continue to climb.

The principal reason current anti-fraud technologies do not work effectively is that they rely on secrets – secrets stored at merchant sites, which are susceptible to compromise through scalable attacks (where a single attack can compromise large numbers of customers). Here are some examples of secrets that are vulnerable:

  • When customers are asked to authenticate themselves using passwords – a secret;
  • When customers are asked to authenticate using one-time-passcodes (OTP) – a secret – typically sent to their e-mail or mobile phones;
  • When customers are asked to confirm their identities using answers – a secret – to questions they were asked as part of account registration;
  • When merchants “fingerprint” a customer’s computer and match the stored machine-fingerprint – a secret – when customers come back to shop again.

Another trend is to analyse customers’ shopping behaviour and use algorithms to make real-time decisions about the risk of the transaction being executed by a bad actor. While this “artificial intelligence” is intended to automate human risk-management, it has the propensity to become expensive as more and more shopping data must be stored and processed to make real-time decisions.

It is this author’s contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets – starting with the most obvious one: the customer’s password.

Using a strong-authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (aka Security Key) – available for as little as USD10 – to protect their accounts. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to ascertain their customers’ identity. FIDO protocols and Authenticators based on them:

  • Require a hardware-based Authenticator so they are not susceptible to attacks from the internet as file-based credentials are;
  • Require the customer to prove their presence in front of the computer originating the purchase, with possession of the FIDO Authenticator;
  • Are unphishable – attackers cannot compromise the protocol’s cryptographic messages and use them to masquerade as the legitimate customer;
  • Are privacy-protecting. Even with a stolen or lost Authenticator, attackers cannot learn a customer’s identity and use it to compromise the customer’s account.

The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongAuth modified the popular open-source e-commerce platform, Magento, to integrate FIDO protocols into the purchasing process as a proof-of-concept.

StrongAuth will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and subsequently releasing the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.


Deterring transaction-fraud … and ransomware


In a recent panel discussion on financial fraud prevention, a question was raised to the panelists – a credit-card issuer, a prepaid-card payment processor, and others: Were any of them using FIDO protocols to prevent transaction fraud?

There was silence for a full 15 seconds before the panelists slowly responded, one by one, to state they were not; no reasons were provided. The responses surprised this author. Not only because FIDO protocols are well known in the security industry and have been available as standards for over two years, but also because the card-issuer on the panel is a Board member of the FIDO Alliance! They had to be aware of the transaction-fraud prevention capabilities of FIDO protocols.

FIDO standard protocols – the Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F) – are the result of an industry alliance of over 300 companies worldwide to eliminate shared secret authentication: mechanisms such as userid-passwords, one-time password tokens, etc., which are at the heart of numerous data-breaches over the last decade. Since the protocols were standardized two years ago, more than 150 products have been FIDO Certified® – including StrongAuth’s own CryptoEngine FIDO Server – and are available to serve risk-mitigation needs.

In addition to strong-authentication – an industry term implying the use of cryptographic digital signatures emanating from hardware authenticators to confirm a user’s identity – FIDO protocols also support acquiring digital-signatures from end-users to confirm transactions. The most important facets of FIDO-based digital signatures are their mandates that:

  • End-users be physically present in front of the computer/device initiating the transaction;
  • End-users possess a FIDO Authenticator with a private-key to authenticate themselves; and optionally
  • End-users confirm transactions with a digital signature using their FIDO Authenticator.

While FIDO protocols were primarily designed to enable strong-authentication to web-applications, the ability of the protocols to support transaction-authorization is icing on the cake. Yet applications, apparently, are not using this feature to stem multi-billion dollar losses to the industry. This is a shame, because FIDO protocols not only have the potential to strengthen transaction security, but they eliminate the password hell end-users are subjected to, while protecting them and web-applications from many attacks on the internet.
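To make the two points concrete – the unphishable, presence-based authentication listed in the first post and the transaction-confirmation mandates listed just above – here is an added Go example. It is not code from StrongAuth, Magento or the FIDO specifications; it is a simplified relying-party model in which the signed bytes follow the U2F idea (hash of the origin, a user-presence flag, a counter, and a hash of the challenge and transaction text) but not the actual wire format. The origins, the transaction strings and the in-memory challenge store are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is a simplified model of a FIDO hardware authenticator: the
// private key never leaves it, and it signs only what the client hands it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every use
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what the client returns to the relying party after a signature.
type Assertion struct {
	Origin      string // filled in by the browser from the page's actual origin
	Challenge   []byte // relying-party nonce the signature is bound to
	Transaction string // text the user confirmed on the key; "" for plain login
	Counter     uint32
	Signature   []byte
}

// signedData builds the bytes that get signed (assumed layout, modelled on U2F):
// SHA256(origin) || user-presence flag || counter || SHA256(challenge || txn).
func signedData(origin string, challenge []byte, txn string, counter uint32) []byte {
	appParam := sha256.Sum256([]byte(origin))
	clientParam := sha256.Sum256(append(append([]byte{}, challenge...), txn...))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, appParam[:]...)
	out = append(out, 0x01) // user presence: the key's button was touched
	out = append(out, ctr[:]...)
	return append(out, clientParam[:]...)
}

// Sign is the authenticator operation the browser invokes. The browser supplies
// the origin it observed; a web page cannot substitute another site's origin.
func (a *Authenticator) Sign(origin string, challenge []byte, txn string) (Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(origin, challenge, txn, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, Transaction: txn, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the merchant's server: it holds the public key registered for
// the customer, knows its own origin, and tracks issued challenges and the counter.
type RelyingParty struct {
	Origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     map[string]bool // challenges issued and not yet consumed
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh random nonce and remembers it until it is used.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify checks an assertion against the transaction the server is about to
// execute (txn == "" for login). The signature is recomputed from the server's
// own origin and transaction, so a signature obtained for any other site or
// any other amount fails regardless of what the assertion claims.
func (rp *RelyingParty) Verify(as Assertion, txn string) error {
	if as.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	if !rp.pending[string(as.Challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	if as.Counter <= rp.lastCounter {
		return errors.New("counter did not advance: possible cloned authenticator")
	}
	digest := sha256.Sum256(signedData(rp.Origin, as.Challenge, txn, as.Counter))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("signature does not cover this origin, challenge and transaction")
	}
	delete(rp.pending, string(as.Challenge))
	rp.lastCounter = as.Counter
	return nil
}

func main() {
	key, _ := NewAuthenticator()
	shop := NewRelyingParty("https://shop.example", key.PublicKey())
	c, _ := shop.NewChallenge()
	as, _ := key.Sign("https://shop.example", c, "Pay USD 49.99 for order 1234")
	fmt.Println("genuine purchase:", shop.Verify(as, "Pay USD 49.99 for order 1234"))
	c2, _ := shop.NewChallenge()
	relayed, _ := key.Sign("https://sh0p.example", c2, "") // signed on a look-alike site
	fmt.Println("relayed assertion:", shop.Verify(relayed, ""))
}
```

The design point is that nothing the server checks is a stored secret: the public key, the origin and the challenge are all safe to hold, and a signature captured on a look-alike origin, replayed, or produced over a different transaction text fails verification on the merchant's side. The same pattern is what the later paragraphs have in mind for file modification: the authorization is a signature over the specific state change, not a re-usable credential.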

Notwithstanding the availability of a patch, the most recent ransomware attack in May 2017 could have been mitigated if applications accessing sensitive files required such digital-signature authorization to modify and/or delete files. Technically, from an application’s point-of-view, writing to a file is analogous to an electronic transaction such as buying a book at an e-commerce site: both modify the state of a file or database upon the conclusion of the transaction.

Currently, ransomware attacks work because applications allow authenticated users to modify files (encrypting them and deleting the original file) without secondary authentication and/or authorization. Consequently, malware executing on a user’s computer executes with the full privileges of that user. FIDO digital signatures change that paradigm, leading to higher levels of security.

This author has written about the benefits of application-level encryption and strong-authentication in the past. Building on that foundation, companies would do well to add transaction-level authorization to not only deter transaction fraud, but also inoculate themselves from ransomware. The protocols to support this are available today; the tools to enable this are available now; all that is required is the resolve to get the job done.