September 8, 2016

FIDO: Kryptonite for Banking Malware

This is a guest post contributed by Todd Thiemann, VP of Marketing at Nok Nok Labs.

A recent feature story in The Wall Street Journal brought mobile banking malware back to light as a renewed consumer scourge. Under names including Acecard, GM Bot and Spy.Agent, a range of malware variants harvest consumer banking credentials and pass them to the bad guys. The approaches run the gamut from simple (grabbing the login credentials with a simulated bank login page) to sophisticated (simulating the bank login page and also intercepting the SMS One Time Passcodes (OTPs) the bank sends).

A common theme across these attacks is the use of a shared secret. In the context of a mobile banking application, the secret is shared between the consumer and the financial institution and can take forms including a password or an OTP delivered via SMS. Anything the user can read or type, malware running on the same device can capture and forward.

So what does the FIDO protocol do to counter such threats? You can review the FIDO Security Reference (the threat model for FIDO) to understand the variety of threats that FIDO mitigates. Long story short: the FIDO approach to strong authentication avoids shared secrets, so the existing malware attack vectors, which all depend on capturing such a secret, have nothing to capture. Why is it better?

  • FIDO uses a challenge/response approach: the private key used to sign the challenge resides on the device and is unlocked with multi-factor authentication that combines something the user has (the mobile device) with something they are (a biometric) or something they know (a PIN).
  • The server sends a fresh challenge to the device; the user unlocks the private key and the device signs the challenge. The server verifies the signature using the corresponding public key registered for that user.
  • The public/private key pair approach mitigates scalable malware attacks: there is no shared secret that resides both on the device and on the server, the private key never leaves the device, and a compromised server database yields only public keys, which cannot be used to sign anything.
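The three points above, played out end to end, as an added example that is not code from the original post, from Nok Nok Labs or from the FIDO Alliance. It is a deliberately simplified model of the UAF flow: the app identifiers, the user "alice", the ECDSA P-256 keys and the binding of the challenge to the app ID as sha256(appID|challenge) are all assumptions made for this example (a real UAF assertion is a structured message with its own encoding and counters). The `userVerified` flag stands in for the local PIN or biometric match. Four flows are run: a genuine login, a replay of a captured assertion, a malware overlay that relays the bank's challenge, and an attempt to use the key without local user verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Assumed identifiers, not from the post: the bank app and a malware overlay.
const (
	bankAppID    = "https://bank.example"
	malwareAppID = "https://bank-login.example"
)

// RelyingParty (the bank's server) holds a public key and outstanding challenges; nothing stored here can forge an assertion.
type RelyingParty struct {
	appID      string
	pub        *ecdsa.PublicKey
	challenges map[string]bool // hex(challenge) -> still unused
}

// Authenticator (the device) keeps one private key per app, used only after local user verification (a flag here).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// signedData binds the challenge to the app identity, so a signature obtained by one app is useless at another.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"|"), challenge...))
	return h[:]
}

// IssueChallenge returns 32 fresh random bytes and records them as unused.
func (rp *RelyingParty) IssueChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// Verify accepts an assertion only if the challenge is still outstanding
// (single use) and the signature covers this RP's own appID.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(rp.appID, challenge), sig) {
		return errors.New("signature does not verify for this app")
	}
	delete(rp.challenges, key)
	return nil
}

// Enroll generates a key pair for appID; only the public half ever leaves the device.
func (a *Authenticator) Enroll(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[appID] = priv
	return &priv.PublicKey
}

// Sign is reached through the FIDO client, which supplies the calling app's
// identity, so an overlay app cannot claim to be the bank.
func (a *Authenticator) Sign(callerAppID string, userVerified bool, challenge []byte) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed; key stays locked")
	}
	priv, ok := a.keys[callerAppID]
	if !ok {
		return nil, errors.New("no credential registered for " + callerAppID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(callerAppID, challenge))
}

// Scenarios enrolls a device with the bank and runs four flows; each result is
// nil on success. Only the first should succeed.
func Scenarios() (legit, replay, overlay, locked error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{appID: bankAppID, pub: auth.Enroll(bankAppID), challenges: map[string]bool{}}
	// 1. Genuine app, user verified locally (a failed Sign yields a nil signature, which Verify rejects).
	ch := rp.IssueChallenge()
	sig, _ := auth.Sign(bankAppID, true, ch)
	legit = rp.Verify(ch, sig)
	// 2. Malware captured that assertion and submits it again.
	replay = rp.Verify(ch, sig)
	// 3. A fake login screen enrolls its own credential, has the user sign the bank's challenge, and relays it.
	auth.Enroll(malwareAppID)
	ch = rp.IssueChallenge()
	sig, _ = auth.Sign(malwareAppID, true, ch)
	overlay = rp.Verify(ch, sig)
	// 4. Genuine app, but the local PIN or biometric check failed.
	_, locked = auth.Sign(bankAppID, false, rp.IssueChallenge())
	return
}
```

The server-side state is worth a second look: `RelyingParty` contains a public key and a set of outstanding challenges and nothing else, so a dump of it gives an attacker nothing to replay or to phish for, which is the property the bullets above describe. The overlay flow fails even though the user really did unlock the key, because the signature covers the overlay's own identity rather than the bank's; that origin binding, not the biometric, is what defeats the fake-login-page class of malware.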

In the context of biometrics, the FIDO UAF protocol uses client-side matching rather than server-side matching: the biometric template stays on the device and is only ever compared there, so there is no central biometric repository that can be compromised. You can see some of the trade-offs in client-side versus server-side biometric matching in a Nok Nok Labs blog published following the US Federal Government Office of Personnel Management (OPM) breach.

As you work on your strategy to counter mobile malware, the FIDO protocols can help you combine a great user experience with exceptional security.
