September 8, 2016

FIDO: Kryptonite for Banking Malware

This is a guest post contributed by Todd Thiemann, VP of Marketing at Nok Nok Labs.

A recent feature story in The Wall Street Journal has brought mobile banking malware back to light as a renewed consumer scourge. Mobile banking malware families including Acecard, GM Bot and Spy.Agent, in many variants, harvest consumer banking information and pass it to the bad guys. The approaches run the gamut from simple (grabbing the login credentials with a simulated bank login page) to sophisticated (simulating the bank login page and also grabbing SMS One Time Passcodes (OTPs)).

A common theme across these attack vectors is the use of a shared secret. In the context of a mobile banking application, the secret is shared between the consumer and the financial institution and can take forms including a password or an OTP delivered via SMS.

So what does the FIDO protocol do to counter such threats? You can review the FIDO Security Reference (the threat model for FIDO) to understand the variety of threats that FIDO mitigates. Long story short: the FIDO approach to strong authentication avoids shared secrets, so it is not prone to the existing malware attack vectors that compromise those secrets. Why is it better?

  • FIDO uses a challenge/response approach in which the private key used to sign the challenge resides on the device and is unlocked with multi-factor authentication: something the user has (e.g., a mobile device) combined with something they are (e.g., a biometric) or something they know (e.g., a PIN).
  • The challenge is sent to the device and the user unlocks the private key to sign it. The server verifies the signed challenge using the corresponding public key.
  • The public/private keypair approach mitigates scalable malware attacks because there is no shared secret residing on both the device and the server.
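As an added illustration of the challenge/response flow in the bullets above (this is not code from the post, from Nok Nok Labs or from the FIDO specifications), here is a minimal Go model of the two sides: the authenticator holds an Ed25519 private key that never leaves the device and signs the server's nonce only after local user verification, while the server stores only the public key and accepts each challenge exactly once. The relying-party ID string and the credential ID are simplifications of FIDO's AppID and KeyID, and Ed25519 stands in for whatever signature algorithm a given authenticator supports.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the device: the private key is generated here and never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the only thing the server ever receives
}
func NewAuthenticator() *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if crypto/rand fails
	return &Authenticator{priv: priv, Pub: pub}
}
// Sign signs rpID||challenge only after local user verification (biometric or PIN), simulated by the flag.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, bool) {
	if !userVerified {
		return nil, false
	}
	return ed25519.Sign(a.priv, append([]byte(rpID+"|"), challenge...)), true
}

// Server models the relying party: public keys only, single-use challenges.
type Server struct {
	rpID    string
	pubKeys map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string]bool              // challenge bytes -> still outstanding
}
func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}
func (s *Server) Register(credID string, pub ed25519.PublicKey) { s.pubKeys[credID] = pub }
// IssueChallenge returns a fresh 32-byte nonce and remembers it until consumed.
func (s *Server) IssueChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand does not return an error on supported platforms
	s.pending[string(c)] = true
	return c
}
// VerifyResponse consumes the challenge (so a captured response cannot be replayed)
// and checks the signature against the public key registered for this credential.
func (s *Server) VerifyResponse(credID string, challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false // unknown or already-used challenge: treat as replay
	}
	delete(s.pending, string(challenge))
	pub, ok := s.pubKeys[credID]
	return ok && ed25519.Verify(pub, append([]byte(s.rpID+"|"), challenge...), sig)
}
```

A phishing page that relays the bank's challenge still fails, because the signature is bound to the relying-party ID and nothing the server stores can be replayed as a credential.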

In the context of biometrics, the FIDO UAF protocol uses client-side matching rather than server-side matching, so there is no central biometric repository that can be compromised. You can see some of the trade-offs between client-side and server-side biometric matching in a Nok Nok Labs blog post published following the US Federal Government Office of Personnel Management breach.

As you work on your strategy to avoid mobile malware, the FIDO protocols can help you down the path to combining a great user experience with exceptional security.
