September 8, 2016

FIDO: Kryptonite for Banking Malware

This is a guest post contributed by Todd Thiemann, VP of Marketing at Nok Nok Labs.

A recent feature story in The Wall Street Journal brought mobile banking malware back to light as a renewed consumer scourge. Under names including Acecard, GM Bot and Spy.Agent, various malware variants harvest consumer banking information and pass it to the bad guys. The approaches run the gamut from simple (grabbing the login credentials with a simulated bank login page) to sophisticated (simulating the bank login page and also grabbing SMS One Time Passcodes (OTPs)).

A common theme across these attacks is reliance on a shared secret. In the context of a mobile banking application, the secret is shared between the consumer and the financial institution and can take forms including a password or an OTP delivered via SMS.

So what does the FIDO protocol do to counter such threats? You can review the FIDO Security Reference (the threat model for FIDO) to understand the variety of threats that FIDO mitigates. Long story short: the FIDO approach to strong authentication avoids shared secrets, so it is not exposed to the existing malware attack vectors that compromise those secrets. Why is it better?

  • FIDO uses a challenge/response approach in which the private key used to sign the challenge resides on the device and is unlocked with multi-factor authentication: something the user has (e.g., the mobile device) combined with something they are (e.g., a biometric) or something they know (e.g., a PIN).
  • The challenge is sent to the device, and the user unlocks the private key to sign it. The signed challenge is verified on the server using the corresponding public key.
  • The public/private keypair approach mitigates scalable malware attacks, since there is no shared secret residing on both the device and the server.

In the context of biometrics, the FIDO UAF protocol uses client-side matching rather than server-side matching, so there is no biometric repository that can be compromised. You can see some of the trade-offs between client-side and server-side biometric matching in a Nok Nok Labs blog post published following the US Federal Government Office of Personnel Management breach.

As you work on your strategy to avoid mobile malware, the FIDO protocols can help you down the path to combining a great user experience with exceptional security.
