The stakes in online transactions are growing every day. Global B2C ecommerce is expected to hit $1.7 trillion in 2015 (up from $1.2 trillion in 2013) and we could very well expect it to be $2.35 trillion by 2018. This attracts a whole selection of unpleasant characters.
Globally, payment card fraud amounted to $11.7 billion in 2013. The US alone accounted for more than 50% of this figure. Since payment card transactions are big part of e-commerce, the real figure of losses is bound to be a lot higher. Besides, there is much more at stake than just dollars alone. Business reputations loss could worth a lot more than simply dollar losses.
The High Costs of Cybercrime
Symantec placed the cost of IP theft to U. S. companies at $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation.
Federal Reserve Bank of San Francisco,
Previously most e-commerce sites relied on basic user names and passwords to grant their members access. Nothing could be more dangerous. An analysis of nearly 6 million accounts has shown that about 30% users tend to use a password that would be found in a list of just 10,000 passwords. Google alone has experienced thousands of accounts being hijacked daily.
One Time Passwords and Two Factor Authentications
Businesses felt that they had solved the security problem when they came up with the onetime password (OTP) or some other forms of two factor authentication (2FA) mechanisms. The OTP is a password sent to the user via an alternate medium of communication. A text message or SMS is a common example. When such a system is in use, a single user name and password are no longer enough to transact online. The site you are logging on or transacting with will send you a code via SMS or another means. You enter this code on the website to prove that you are indeed the same person. On many occasions adding a second layer of authentication did help make transactions secure.
Typically, OTPs and 2FA are passwords that are valid only for a brief period or for a specific login. The key is to combine a regular login and password with another password or authentication code that is sent to the user ‘out of band’ i.e. by using a different mode of communication.
While OTPs have worked well for a while, in recent years facts prove otherwise. Recent reports indicate that fraudsters have realized the reliance many people place on OTPs and have begun to target phones specifically. A report by CSO Online shows how one time passwords are being specifically targeted. September 2014 research by Javelin Strategy & Research also brings out how one time passwords are being specifically targeted with nearly 4 out of 10 users facing fraud threats in spite of using two factor authentications.
While many researchers (and real life incidents) have demonstrated practical flaws in the OTP / 2FA systems, there are some conceptual flaws as well. Some key flaws are as under -
- Authentication Silos - every application creates an independent OTP usage methodology. This non-standard use creates multiple weaknesses that can be exploited.
- Differing authentication requirements - applications may have different requirements for authentication. BYOD - bring your own device - where users perform work using their own devices (laptops, tablets, smartphones) pose additional challenges. It is difficult for businesses to settle on a single solution that will work on Android, iOS and Windows operating systems with all their varying versions.
- Malware on client devices could capture and misuse OTPs using a man in the middle attack
- Issues with global coverage – some OTP schemes, notably ones based on mobile phones, presume that all users will have the device with them and that the user will always be in an area of cell phone coverage. While this is generally true, it is not a certainty. There are also issues with late arrival of SMS messages that can cause transactions to fail and consequent revenue loss to businesses or a failure to obtain the desired service for individuals.
Universal 2 Factor Authentication - U2F
U2F starts off very differently from its predecessors. Let us checkout some interesting features of U2F below
Standards based solution - U2F started with a Google initiative but it has gone way beyond that. These specifications form the basis of FIDO U2F. Hence the most major advantage of U2F over its predecessors is that it is a single, comprehensive, standards based solution that will naturally work far better than a medley of individual methods of authentication.
Industry wide acceptance – The FIDO alliance has a very large and rapidly growing membership. You can see the list here. This pedigree itself ensures that the U2F will rapidly become the industry standard means of authentication.
Ease of Use - The user gets a U2F device that contains the second set of authentication. While the authentication is different for every website that uses U2F, the process is very simple - the user simply indicates presence by touching the button on the security key when asked. Everything else is automatic.
Greater Assurance – The U2F security key does more than merely authenticate you to the website you are using. It also has the functionality to authenticate the website to you. This confirms that the website you are logging on to is indeed the authentic site and not a lookalike phishing site. This is great functionality that will naturally improve security.
No possibility of a man in the middle – all data going out of the key is encrypted. An attacker can never be sure if your key is registered with a specific website. Therefore the possibility of a man in the middle attack is practically negated.
A new improved Internet – E-commerce is here to stay and let’s face it, so are cyber criminals. Luckily, the heavyweights of the Internet have got together and with the experience of nearly three decades of ecommerce and its vulnerabilities they have created a solution that should make it easier and safer for us to transact business over the web.
Loss of a Key - it is not a big deal if a key is lost. Each is unique, and you simply revoke one that is lost. It will no longer be able to authenticate itself to any website.
To summarize, with U2F, security of e-commerce and business applications on the Internet is getting formalized. Standards based, holistic approach to the problem will give users greater confidence and will accelerate business applications.
Many other applications of U2F will emerge in the near future. There are reports that U2F will find applications in home automation and security, healthcare, vehicle and machine management interfaces and so on. Almost any field of work that depends on identification of an individual can employ U2F in some form.
The Internet of Things will see billions of devices getting connected to the Internet. Reliable authentication made possible by U2F will help you get the most out of these connected devices.
It is the “Universal” in U2F that really creates value. Are you ready to take advantage?