Is FIDO OK for Internet Banking?

An Internet banking system with FIDO authentication was investigated by the Institute for Monetary and Economic Studies, Bank of Japan. The conclusion is that FIDO itself is secure enough, but the related processing, such as FIDO registration using existing (legacy) ID data and the money-transfer transactions tied to the authentication, may be exposed to cyber attacks.

Hidemitsu Izawa, Hidehito Gomi, "Points to keep in mind when financial institutions introduce next-generation authentication technology - Focusing on FIDO -", Discussion Paper No. 2016-J-3, Institute for Monetary and Economic Studies, Bank of Japan. http://www.imes.boj.or.jp/research/abstracts/japanese/16-J-03.html

The paper evaluates the safety of a biometrics-based FIDO system for Internet banking on smartphones. The criminal techniques considered are phishing, malware and biometric impersonation, and the assessment distinguishes whether the attacker has physical access to the user's device or only network access.

At the registration stage, the paper assumes that FIDO is introduced where a user authentication mechanism (legacy authentication and legacy authentication information) is already in operation. For this reason, an attack on FIDO registration itself is not possible, but an attack is possible simply by illegally obtaining the legacy authentication information and using it to register the attacker's own device. As methods by which criminals steal legacy authentication information, the paper considers:

  • Luring the user to a phishing site and tricking them into entering their legacy credentials.
  • Malware that steals the legacy credentials the user enters into the legitimate banking app.
  • Fake-application malware installed on the user's device: the user enters legacy authentication information into the fake app, and it is stolen.

In the authentication phase, the paper points out the possibility of an attack that tampers with the financial transaction that accompanies the FIDO authentication process:

  • Falsifying the transaction details (transfer destination and amount)
  • Tampering with the transaction confirmation message that the user confirms

The attack succeeds by falsifying "10,000 yen transfer to friend" into "1 million yen transfer to criminal" while at the same time falsifying the confirmation message.

As for the former, the attack is carried out by malware. In the registration phase, the malware arranges that the user recognizes the "user information in FIDO" registered on the FIDO server; the work of linking "user information in FIDO" to the "user account information" is done at a financial institution's counter terminal (secure terminal). Then, for example by rewriting the application's memory, the transaction contents the user entered into the legitimate banking application are falsified, and the falsified contents are transmitted to the financial institution's server.

Regarding the latter, the "display overlay attack" by malware covers the correct transaction confirmation message on the terminal screen with a message drawn by the malware. In this way the message shown to the user is tampered with: instead of "1 million yen transfer to criminal", "10,000 yen transfer to friend" is displayed, and the user does not notice the altered transaction.
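As an added illustration (not from the paper or from this post), the following Python sketch contrasts the two situations just described: a FIDO assertion that covers only the login challenge, so a transaction rewritten in app memory is accepted by the server, versus an assertion where the transaction content the user confirmed is bound into the signed data, so the server detects the mismatch. The HMAC key, transaction fields and amounts are constructed stand-ins; real FIDO signs with a per-relying-party key pair.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the authenticator's key. Real FIDO signs with a
# per-relying-party private key and the server verifies with the registered
# public key; an HMAC shared with the server plays that role here because the
# point is *what* the signature covers, not the signature algorithm.
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"

def tx_digest(tx: dict) -> bytes:
    """Canonical SHA-256 of a transaction (payee and amount in yen)."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()

def sign(msg: bytes) -> bytes:
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def server_accepts_login_only(challenge: bytes, sig: bytes, tx_submitted: dict) -> bool:
    """Scheme 1: FIDO authenticates the session; the transaction itself is not signed."""
    return verify(challenge, sig)

def server_accepts_bound(challenge: bytes, sig: bytes, tx_submitted: dict) -> bool:
    """Scheme 2: the assertion covers challenge || hash(transaction the user confirmed)."""
    return verify(challenge + tx_digest(tx_submitted), sig)

def run_scenario(bind_transaction: bool, tampered: bool = True) -> bool:
    """Returns True if the server accepts the transaction that actually reaches it."""
    challenge = secrets.token_bytes(32)
    tx_confirmed = {"payee": "friend", "amount_yen": 10_000}      # what the user saw and approved
    tx_malware = {"payee": "criminal", "amount_yen": 1_000_000}   # rewritten in app memory
    tx_submitted = tx_malware if tampered else tx_confirmed
    if bind_transaction:
        sig = sign(challenge + tx_digest(tx_confirmed))
        return server_accepts_bound(challenge, sig, tx_submitted)
    sig = sign(challenge)
    return server_accepts_login_only(challenge, sig, tx_submitted)

# Caveat: binding only helps if the content the authenticator signs is what the
# user really saw. The overlay attack targets exactly that display, so the
# confirmation UI must itself be trustworthy (e.g. isolated from the banking app).
if __name__ == "__main__":
    print("login-only, tampered tx accepted:", run_scenario(False))   # True
    print("bound, tampered tx accepted:     ", run_scenario(True))    # False
```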

In conclusion, FIDO is an international standard designed to be used widely for payments at EC sites and for logins to various Internet services, and the number of supporting members grows year by year. The paper also concludes, as of 2016, that the FIDO ecosystem may become a de facto standard for biometrics over the network.

editor

Editor, ACOT Electronics Inc. since Nov. 2017