FIDO: Kryptonite for Banking Malware

Written by Andrew Shikiar on . Posted in Blog

This is a guest post contributed by Todd Thiemann, VP of Marketing at Nok Nok Labs.

A recent feature story in The Wall Street Journal brought back to light mobile banking malware as a renewed consumer scourge.  With mobile banking malware names including Acecard, GM Bot, Spy.Agent, various malware variants harvest consumer banking information and pass it to the bad guys.  The approaches run the gamut from simple (grab the login credentials with simulated bank login page) to sophisticated (simulating bank login page and grabbing SMS One Time Passcodes (OTPs).  

A common theme in the attack vector is the use of a shared secret. In the context of a mobile banking application, the secret is shared between the consumer and the financial institution and can come in forms including a password or an OTP that’s shared via SMS.   

So what does the FIDO protocol do to counter such threats? You can review the FIDO Security Reference (the threat model for FIDO) to understand the variety of threats that FIDO mitigates against. Long story short: the FIDO approach to strong authentication avoids shared secrets and is not prone to the existing malware attack vectors compromising those secrets.  Why is it better?

  • FIDO uses a challenge/response approach where the private key used to sign the challenge resides on the device and is unlocked with multi-factor authentication that includes something the user has (e.g., a mobile device) and something they are (e.g., a biometric) or something they know (e.g., a PIN).  
  • The challenge gets sent to the device and the user unlocks the private key to sign the challenge. The signed challenge is compared on the server using the corresponding public key.  
  • The public/private keypair approach mitigates against scalable malware attacks since there is no shared secret that resides on the device and on the server.  

In the context of biometrics, the FIDO UAF protocol uses client-side matching rather than server-side matching, so there is no biometric repository that can be compromised. You can see some of the trade-offs in client vs server-side biometric matching at a Nok Nok Labs blog published following the US Federal Government Office of Personnel Management breach.

As you work on your strategy to avoid mobile malware, the FIDO protocols can help you down the path to combining a great user experience with exceptional security.