In recent years, the financial services sector has been looking at all sorts of technology-based strategies for preventing fraud. With the need for fraud protection growing by the day, things like darknet intelligence and automated threat detection are no longer luxuries. They are necessities. Holding everything together are new standards like Fast Identity Online (FIDO).
FIDO is a set of open technical specifications governing how organizations can develop phishing-resistant authentication. The idea is to rely less on traditional passwords and more on harder and more secure authentication processes. FIDO is rooted in the principle of making life as hard as possible on threat actors.
The specifications target attack strategies like phishing, credential theft, and replay attacks. In concert with tools like DarkOwl’s darknet threat intelligence platform, FIDO can significantly reduce the risks of financial fraud.
3 FIDO Specifications
FIDO is built on three specifications designed to enhance online security. The first is Universal Second Factor (U2F). This specification calls for adding a strong second factor to existing password-based logins. It is similar to two-factor authentication.
Universal Authentication Framework (UAF) is the second specification. It calls for using technologies like PINs and biometrics to completely bypass the need for usernames and passwords. It essentially facilitates passwordless authentication.
Last but not least is the combination of the Web Authentication API and the Client-to-Authenticator Protocol (WebAuthn + CTAP). This specification allows for secure, no-password and multi-factor authentication protocols across all browsers and platforms.
Practical Applications of FIDO
Understanding the specifications is one thing. But how are they practically implemented within the fraud protection arena? DarkOwl points to multi-factor authentication as the most visible example.
FIDO supports both multi-factor and passwordless authentication. Imagine a situation in which biometrics or facial recognition is combined with a second authentication factor. FIDO goes one step further to encourage a single, user-friendly authentication step.
Other applications include:
- Public Key Cryptography – FIDO supports the strategy of generating a unique cryptographic key pair (both public and private) for each service. This is known as public key cryptography. The private key is stored on a user’s device while the public key is registered with the service provider.
- Cryptographic Pass Keys – FIDO also supports cryptographic pass keys that are unique to individual sites yet never leave a user’s device. Such pass keys can be utilized against phishing and credential stuffing.
- Privacy Protection – User privacy is a priority for FIDO standards. Any data utilized for authentication purposes never leaves the user’s device. Therefore, FIDO credentials can never be used across multiple services.
FIDO specifications are especially helpful against phishing and replay attacks. Intercepted credentials are useless on other sites. Likewise, redirecting potential victims to fake login pages, for the purposes of stealing credentials, is useless because those credentials cannot be used elsewhere.
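The per-service key pair and the phishing and replay resistance described above can be modeled as a challenge-response exchange between a device and a service. This is an added example, not code from the FIDO specifications or from DarkOwl; it is a simplified model rather than the WebAuthn wire format, and the class names, result strings and example origins are constructed for illustration.

```javascript
// Added illustration (constructed names and origins): simplified model, not the WebAuthn wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Authenticator: one key pair per service; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key is sent to the service
  }
  // The origin comes from the browser, not from the page the user is viewing.
  assert(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no credential scoped to this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: sign("sha256", Buffer.from(clientData), privateKey) };
  }
}

// Relying party: stores the registered public key and issues single-use challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = new Set(); }
  newChallenge() {
    const c = randomBytes(32).toString("base64url");
    this.pending.add(c);
    return c;
  }
  verifyAssertion(a) {
    if (!a) return "no-credential";
    if (!verify("sha256", Buffer.from(a.clientData), this.publicKey, a.signature)) return "bad-signature";
    const { origin, challenge } = JSON.parse(a.clientData);
    if (origin !== this.origin) return "wrong-origin"; // defence in depth
    if (!this.pending.delete(challenge)) return "replayed-or-unknown-challenge";
    return "ok";
  }
}

function demo() {
  const bank = new RelyingParty("https://bank.example");
  const fake = "https://bank-login.example"; // constructed look-alike origin
  const device = new Authenticator();
  bank.publicKey = device.register(bank.origin);
  const good = device.assert(bank.origin, bank.newChallenge());
  const first = bank.verifyAssertion(good), replay = bank.verifyAssertion(good);
  const phished = bank.verifyAssertion(device.assert(fake, bank.newChallenge()));
  device.register(fake); // even with a credential for the look-alike site...
  const crossSite = bank.verifyAssertion(device.assert(fake, bank.newChallenge()));
  return { first, replay, phished, crossSite };
}
```

Calling `demo()` shows the first login accepted, the resubmitted assertion rejected as a replay, and both look-alike-origin attempts rejected, whether or not the device holds a credential for the look-alike site.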
Improving Security With Each Device
Implementing FIDO standards on individual devices is the domain of an open standard known as FIDO Device Onboard (FDO). Like FIDO itself, FDO is an open standard developed specifically to simplify onboarding IoT and edge devices. FDO represents a number of key security improvements for fraud protection:
1. Zero-Touch Provisioning
FDO allows for secure onboarding management without the need for manual intervention or default passwords. Through automation, human error is reduced. Likewise, the risk of misconfiguration goes down.
2. Zero-Trust Architecture
FDO incorporates zero-trust principles. Zero-trust dictates that no user or device is ever trusted implicitly. Both users and devices must be authenticated before access is granted. There are no exceptions.
In a zero-trust environment, each device is authenticated by way of an encrypted asymmetric public key. Only legitimate devices can connect to the service. Meanwhile, individual users are verified and authenticated through a variety of means.
3. Digital Ownership
As edge devices are onboarded they are provisioned with digital ownership vouchers. The vouchers represent cryptographic proof that the device in question is owned by the user attempting to onboard. Thus, onboarding is more secure.
Digital ownership is a late-binding approach. It is implemented at the onboarding stage rather than during manufacturing. This allows mass manufacturing without limiting hardware. Owners can authenticate their devices at the time of installation.
4. Eliminating Default Credentials
FDO’s automation invites the utilization of secure installation methods to protect configuration data and secrets. Because insecure default passwords are eliminated, there is no default way into IoT environments. FDO thereby eliminates a major attack vector common in the IoT.
5. A Secure Supply Chain
With FDO, organizations can cryptographically verify both device ownership and integrity across the supply chain. This greatly reduces the risk of compromise prior to deployment. After deployment, tampering risks are also reduced.
6. Security With Scalability
FIDO and FDO address many of the security concerns that come with scalability. FDO specifically supports onboarding at scale, ensuring consistent security practices across an unlimited number of devices. Best of all, manufacturers and device types are irrelevant to secure onboarding. It all just works.
Enhancing FIDO With Darknet Intelligence
The financial services sector is now combining FIDO with darknet intelligence in the fraud prevention arena. Where FIDO thwarts attacks as they come, darknet intelligence enhances fraud protection by looking for evidence of potential threats before they launch.
Darknet intelligence is all about constantly monitoring the dark web in hopes of staying a step or two ahead of threat actors. It requires around-the-clock monitoring of every known dark web destination. Fortunately, cybersecurity teams have access to powerful software tools enhanced with automation. DarkOwl’s threat intelligence platform is but one example.
Fraud protection is an ongoing endeavor simply because cyber criminals will not stop doing what they do. They have no intention of giving up what has proven quite lucrative over the last decade or so. But cybersecurity is making it harder on them. That is the point of FIDO.
FIDO is a lot like electronic home security. It makes success harder to come by. The harder criminals need to work to earn a living, the more likely they are to find another line of work. FIDO aims to do that by directly addressing phishing and replay attacks.