May 22 2019

Guidelines for Multifactor Authentication in E-Commerce Arrive This Summer

A NIST practice guide contains suggestions for how to prevent the use of stolen credit card data in online shopping

Credit card thieves found it easier to make fraudulent purchases online than in stores in 2017, triggering a 30 percent increase in stolen credit card data that year. The National Cybersecurity Center of Excellence is about to publish a practice guide for retailers who want to cut down on those thefts.

The guide, currently in draft format and expected to post in final form in June, is designed to help prevent credential stuffing and account takeovers, as well as remedy vulnerabilities such as failure to lock out users who enter multiple incorrect passwords.

The guidelines work with existing technologies, NCCoE says; the agency worked with RSA and Splunk, among others, to test the ideas. The guide did not study how security would work for customers who prefer to shop as a guest or who shop on mobile devices.

“Security is one of retailers’ top concerns, to protect themselves and their customers,” says Craig Shearman, vice president for government affairs at the National Retail Federation. “So there is a demand. It’s certainly an area with a lot of potential.”


Increased EMV Card Use Drives Thieves to the Web

NCCoE, part of the National Institute of Standards and Technology, began researching new guidelines for online commerce after the implementation of EMV credit card technology became more common in the United States. Most cards now include embedded electronic chips, making them more difficult to counterfeit and sending malicious actors online instead.

“This increase in e-commerce fraud mirrors a similar increase observed in Europe following the rollout of similar credit card technology enhancements,” says the NCCoE practice guide. “Because online retailers cannot utilize all of the benefits of improved credit card technology, they should consider implementing stronger authentication to reduce the risk of e-commerce fraud.”

MFA would be built on “public key cryptography, protection from authentication replay attacks, options for determining when MFA should be requested [and] auditing and system activity logging and display,” the practice guide states.

“If it’s implemented well, then you’ve got a lot more protection than if you never had it,” says Bill Newhouse, the NCCoE project lead. “My hope is that many retailers step in and start saying to their customers, ‘Look, we value you as a customer, and we’d like to offer you this.’”

The practice guide contains two scenarios that retailers can follow to implement multifactor authentication when a shopper exceeds expected cost thresholds and spends an uncharacteristic amount of money, or when the shopper triggers a risk engine by using an unfamiliar computer or logging in from an unfamiliar location.
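The two step-up scenarios just described, as an added Python example that is not part of the practice guide or of the article: a risk decision that requires MFA when an order exceeds the shopper's usual spend or arrives from an unfamiliar device or location, and records an audit entry as the guide's logging component would. The threshold rule, the customer data model and the sample history are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import median


@dataclass
class CustomerProfile:
    """Assumed per-shopper history: past order totals (USD), known devices and locations."""
    order_amounts: list
    known_devices: set = field(default_factory=set)
    known_locations: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    device_id: str
    location: str


def spend_threshold(profile, multiplier=3.0, floor=100.0):
    """Scenario 1 cost threshold: a multiple of the shopper's median order, never below a floor.
    An account with no history gets the floor, so a first large order is still stepped up."""
    if not profile.order_amounts:
        return floor
    return max(floor, multiplier * median(profile.order_amounts))


def mfa_reasons(profile, txn):
    """Return why this transaction must be stepped up to MFA; empty means password alone suffices.
    Scenario 1: amount above the cost threshold. Scenario 2: unfamiliar device or location."""
    reasons = []
    if txn.amount > spend_threshold(profile):
        reasons.append("amount_exceeds_threshold")
    if txn.device_id not in profile.known_devices:
        reasons.append("unfamiliar_device")
    if txn.location not in profile.known_locations:
        reasons.append("unfamiliar_location")
    return reasons


def audit_record(customer_id, txn, reasons):
    """Activity-log entry for the decision (assumed record layout, not the guide's)."""
    return {"customer": customer_id, "amount": txn.amount, "device": txn.device_id,
            "location": txn.location, "mfa_required": bool(reasons), "reasons": reasons}


# Constructed sample shopper: habitually spends about $40 from one laptop in one city.
SAMPLE = CustomerProfile([35.0, 42.0, 38.0, 45.0, 40.0], {"laptop-1"}, {"Denver, US"})

if __name__ == "__main__":
    txn = Transaction(500.0, "laptop-1", "Denver, US")
    print(audit_record("cust-0001", txn, mfa_reasons(SAMPLE, txn)))
```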

In most cases, a shopper would plug a physical, USB-based authentication key into his or her device as the second identification factor; someone who had the credit card data but not the key would not be allowed to proceed further.

“That’s friction,” admits Newhouse. “It won’t make you happy if you’re rushing to get on the subway and you’re trying to get those flowers ordered for your mom, but [the additional security] might also make you feel really good.”

Getting a code via text may be impractical if you don’t have your phone nearby or if you’re shopping on a spouse’s account tied to his or her phone number; it’s also not as secure as a USB-based key, Newhouse adds.

Customers May Resist Extra Security if It Slows Shopping

Friction that slows or stops a customer from buying merchandise is a concern for retailers. “I have certainly seen transactions myself where it has been so difficult for me to use my own credit card to make a legitimate purchase that I’ve given up, or come close,” Shearman says. “You need to have a balance between security and friction.”

The retail industry is open to additional measures to prevent misuse of credit card data online, but would like those measures to be “universal, industrywide practices” with open standards, rather than measures that can only be used through a partnership with the company that creates them, he added.

No matter the means of security, added protection could be a way for a retailer to differentiate itself in the market, Newhouse says. “Voluntary adoption by retail would be interesting to watch.”
