Mitigating e-Commerce Fraud


Assuming the Pareto Principle applies to electronic commerce, most companies likely derive 80% of their profits from just 20% of their customers. While merchants surely value these customers highly, the customers’ credentials, credit-card numbers and personally identifiable information are equally valuable to cyber-attackers.

On an internet awash with data-breaches, what can merchants do to protect their customers and themselves? While the cyber-security industry has created a litany of technology to address the problem, fraud rates continue to climb.

The principal reason current anti-fraud technologies do not work effectively is that they rely on secrets – secrets stored at merchant sites, which are susceptible to compromise through scalable attacks (where a single attack can compromise large numbers of customers). Here are some examples of secrets that are vulnerable:

  • When customers are asked to authenticate themselves using passwords – a secret;
  • When customers are asked to authenticate using one-time-passcodes (OTP) – a secret – typically sent to their e-mail or mobile phones;
  • When customers are asked to confirm their identities using answers – a secret – to questions they were asked as part of account registration;
  • When merchants “fingerprint” a customer’s computer and match the stored machine-fingerprint – a secret – when customers come back to shop again.

Another trend is to analyse customers’ shopping behaviour and use algorithms to make real-time decisions about the risk of the transaction being executed by a bad actor. While this “artificial intelligence” is intended to automate human risk-management, it has the propensity to become expensive as more and more shopping data must be stored and processed to make real-time decisions.

It is this author’s contention that merchants can dramatically reduce the risk of fraud by simply eliminating secrets – starting with the most obvious one: the customer’s password.

Using a strong-authentication protocol from the FIDO Alliance, merchants can offer their top 20% of customers a free FIDO Authenticator (aka Security Key) – available for as little as USD10 – to protect their accounts. By using FIDO technology, merchants enable one of the strongest authentication protocols in the industry to ascertain their customers’ identity.  FIDO protocols and Authenticators based on them:

  • Require a hardware-based Authenticator so they are not susceptible to attacks from the internet as file-based credentials are;
  • Require the customer to prove their presence in front of the computer originating the purchase, with possession of the FIDO Authenticator;
  • Are unphishable – attackers cannot compromise the protocol’s cryptographic messages and use them to masquerade as the legitimate customer;
  • Are privacy-protecting. Even with a stolen or lost Authenticator, attackers cannot learn a customer’s identity and use it to compromise the customer’s account.

The National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) recently initiated a project to show how multi-factor authentication using FIDO protocols can help mitigate e-commerce fraud. As one of the Technical Collaborators chosen by NIST to assist with this effort, StrongAuth modified the popular open-source e-commerce platform, Magento, to integrate FIDO protocols into the purchasing process as a proof-of-concept.

StrongAuth will be presenting the modified Magento flow during an NCCoE webinar on November 14th 2017 at Noon EST, and subsequently releasing the Magento modifications to the open-source community. I encourage interested parties to join us on the webinar and learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.


Not all biometric authentication is equal


Recently, the Chief Executive Officer of Wells Fargo Bank spoke about biometric authentication at an Economic Outlook Conference.  He stated that we may be the last generation to use user names and passwords, and that Wells Fargo (amongst other banks) was testing biometric technology – fingerprint matching, voice recognition, iris matching, etc. – as a means of authenticating users to websites and systems.

While biometric technology is not new (it has been commercially available for at least two decades), the fingerprint reader in Apple’s iPhone and newer Android-based devices has done more to bring biometrics to the masses than all previous efforts combined.  Notwithstanding this deluge, it would be a fallacy to assume all biometric technologies are equal – or secure.  While biometrics certainly appear to make the user’s authentication experience easier, they don’t necessarily make it more secure; as the adage goes: the devil is in the details.

Given the variability of biometrics, how does a user tell if a given biometric technology is secure?  The quick answer: they can’t. It would be futile to educate users about the security factors associated with biometrics when it’s difficult enough for professionals to do so within a rapidly evolving landscape.

There is one concern, however, most users have – or are likely to have – with biometric authentication: are the biometric data being sent to a site’s servers?   If so, are they stored there?  What are the protections around that storage?  Given the breaches we’ve witnessed over the years, and given the propensity of site operators to profit from customer data, this is a very legitimate concern.  Unlike healthcare data, US law says precious little about biometric data security and privacy.

A solution that has the potential to address this concern is the use of biometric technology when combined with a Fast Identity Online (FIDO) protocol for strong-authentication.

When a device, a site and the application between them use a FIDO protocol for strongly authenticating users, they’re following an industry standard designed with the user’s security and privacy in mind.  FIDO protocols do not require biometric data to be sent to the site; FIDO cryptographic keys used to authenticate a user are unique for each site.  Finally, devices and applications using FIDO with biometrics typically use biometric data to verify a user’s identity locally on the device.  When successful, they use FIDO keys on the device to authenticate the user to the site.  This two-step authentication process ensures that a FIDO-enabled site respects its users’ privacy by not requiring biometric data on the site to authenticate the user.

Biometric devices not using FIDO protocols may legitimately claim they do not send biometric data to sites for authentication; however, only FIDO protocols currently provide standardized cryptographic proof that biometric data is neither needed by, nor sent to, the site to authenticate users.
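As an added illustration (not code from StrongAuth, Magento or the FIDO Alliance), the following Go model captures the properties listed in the e-commerce post above and the local-verify-then-sign flow described here: a per-site key pair held on the device, a biometric sample checked only on the device, an assertion that carries the origin the browser actually connected to, and a site-side check that rejects an assertion relayed through a phishing origin. The authenticator type, site names and template values are constructed for the example, and exact template comparison stands in for real fuzzy biometric matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator is a simplified model of a FIDO device (not a real FIDO implementation):
// one key pair per relying party; private keys and the biometric template never leave it.
type Authenticator struct {
	template string                       // enrolled biometric template, device-only
	keys     map[string]*ecdsa.PrivateKey // rpID -> per-site private key
}
// Register mints a fresh P-256 key pair for rpID; the site receives only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}
// Sign matches the sample on the device (exact compare stands in for fuzzy matching), then signs
// challenge+origin with the per-site key; origin is what the browser really connected to (cf. WebAuthn clientDataJSON).
func (a *Authenticator) Sign(rpID, origin, challenge, sample string) (cd, sig []byte, err error) {
	key := a.keys[rpID]
	if key == nil || sample != a.template { // no credential for this site, or biometric mismatch
		return nil, nil, fmt.Errorf("nothing signed for %s", rpID)
	}
	cd, _ = json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, key, h[:])
	return cd, sig, err
}
// Verify is the site's check: its own origin, its own fresh challenge, a valid signature.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, cd, sig []byte) bool {
	var c struct{ Challenge, Origin string }
	if json.Unmarshal(cd, &c) != nil || c.Origin != origin || c.Challenge != challenge {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
func main() {
	a := &Authenticator{template: "tmpl-1", keys: map[string]*ecdsa.PrivateKey{}} // constructed values
	pub := a.Register("shop.example")
	cd, sig, _ := a.Sign("shop.example", "https://shop-login.example", "n1", "tmpl-1") // relayed by a phishing page
	fmt.Println("phished assertion accepted by shop.example:", Verify(pub, "https://shop.example", "n1", cd, sig))
}
```

Nothing in the assertion the site receives contains the template; a wrong sample yields no signature at all, and a second Register call for another site yields an unrelated key pair.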

Given the potential for confusion as biometrics are used by more applications and sites, what is needed is a standard identification mark to affirm the following:

  1. To distinguish ‘plain-vanilla biometric’ devices from ‘FIDO-enabled biometric’ devices;
  2. To distinguish FIDO-enabled applications from non-FIDO-enabled applications (much as the SSL/TLS lock identifies the security protocol in browsers); and
  3. For sites to identify when they’re using FIDO protocols for strong-authentication.

While the FIDO Alliance has such identifying marks for devices, it’s uncertain whether Android/iOS and browsers (the most common FIDO-enabled applications) and sites will choose to highlight the marks even if devices are so labelled.  This assurance by mobile operating systems, browser manufacturers and sites may be necessary to give consumers the confidence that they are not being dumped from the frying-pan of passwords into the fire of biometrics.

What is ALESA?


Question:  Aside from eliminating sensitive data from your business process, what are two things you can do to eliminate much of the risk of a data-breach?

Answer:  Application Level Encryption and Strong Authentication.


Longer Answer:  While we all recognize that encrypting sensitive data can protect you, most people – even in the security business – don’t realize that not all encryption is equal.  Even if using NIST-approved algorithms with the largest key-sizes available, data can still get breached.  How is that possible?

When encrypting data, all else being equal from a cryptographic point-of-view, two design decisions matter:  1) Where is data being cryptographically processed? and 2) How are cryptographic keys managed?

If data is encrypted/decrypted in any part of the system – the hard-disk drive, operating system, database, etc. – other than the business application using that data, significant residual risks remain despite the encryption.  An attacker need only compromise a software layer above the encrypting-layer to see unencrypted (plaintext) data.  Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data as it affords the attacker the smallest target.  This also ensures that, once data leaves the application layer, it is protected no matter where it goes (and conversely, must come back to the application layer to be decrypted).

The second design-decision of encryption is how you protect cryptographic keys.  If you use a general-purpose file, keystore, database or device to store your keys, this would be the equivalent of leaving company cash in a general-purpose desk or drawer.  Much as you need a safe to store cash in a company, you need a purpose-built “key-management” solution designed with hardened security requirements to protect cryptographic keys.  These solutions have controls to ensure that, even if someone gains physical access to the device, gaining access to the keys will be very hard to near impossible.  If the key-management system cannot present sufficiently high barriers, even billion-dollar companies can fail to protect sensitive data – as many did this year and continue to do so even as I’m writing this!
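As an added example (not StrongAuth’s product code), the following Go sketch puts both design decisions together: the application encrypts a card number with AES-GCM before the value reaches the database, and the key lives inside a KeyManager object that exposes only seal/open operations, standing in for a purpose-built key-management device rather than any product’s API. Type names and the test card number are constructed; binding each ciphertext to its customer record via AEAD associated data goes one step beyond the text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager stands in for a purpose-built key-management system: the AES-256 key is generated inside
// it and only Seal/Open are exposed, so the key never reaches application code, the database or disk.
type KeyManager struct{ aead cipher.AEAD }
func NewKeyManager() *KeyManager {
	key := make([]byte, 32)
	rand.Read(key) // from crypto/rand; the key stays inside this object
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return &KeyManager{aead: aead}
}
// Seal encrypts under a fresh random nonce; aad ties the ciphertext to its owning record.
func (k *KeyManager) Seal(plaintext, aad []byte) []byte {
	nonce := make([]byte, k.aead.NonceSize())
	rand.Read(nonce)
	return k.aead.Seal(nonce, nonce, plaintext, aad) // output: nonce || ciphertext || tag
}
// Open fails on a wrong key, a tampered blob, or a blob moved to a different record (aad).
func (k *KeyManager) Open(blob, aad []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], aad)
}
// Database stands in for every layer below the application; it only ever holds ciphertext.
type Database map[string][]byte
// StoreCard encrypts in the application layer, before the value leaves the application.
func StoreCard(db Database, km *KeyManager, customerID, pan string) {
	db[customerID] = km.Seal([]byte(pan), []byte("card:"+customerID))
}
// LoadCard decrypts back in the application layer, and only for the record it was sealed for.
func LoadCard(db Database, km *KeyManager, customerID string) (string, error) {
	pt, err := km.Open(db[customerID], []byte("card:"+customerID))
	return string(pt), err
}
func main() {
	km, db := NewKeyManager(), Database{}
	StoreCard(db, km, "cust-42", "4111111111111111") // constructed test card number
	fmt.Printf("what a database-layer dump reveals: %x\n", db["cust-42"])
}
```

A dump of the Database map shows only nonce, ciphertext and tag; copying a ciphertext onto another customer’s record, flipping a byte, or using a second KeyManager instance all make Open fail.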

While cryptography tends to get complex and the details might seem burdensome, it is important to recognize that an encryption solution provides the last bastion of defence against determined attackers; it is well worth a company’s time to give it the proper attention and not attempt to invent it themselves.

Conversely, the first line of defence should be strong-authentication. Strong-authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to confirm that the user is who they claim to be.  While digital certificates on smartcards have provided such capability for over two decades, they are expensive, and not easy to use and support even in highly technical environments.  A standards group is attempting to simplify this problem; some early solutions have already made it to market this year with successful deployments under way.

Between application-level-encryption on the back-end and strong-authentication on the front-end, even if an attacker managed to slip past network defences – as they always seem to do – they will have little wiggle-room to compromise sensitive data.  While no security technology is absolutely fool-proof, implemented correctly, ALESA raises the bar sufficiently high to “encourage” the vast majority of attackers to move onto easier targets.