NIST Calls for Comment on Ecommerce Security


In an effort to reduce online fraud, the National Cybersecurity Center of Excellence (NCCoE), a subdivision of the National Institute of Standards and Technology (NIST), announced it is now accepting feedback on its draft exploring the ways in which multi-factor authentication can help to mitigate fraudulent online purchases.

As was the case in Europe after retailers adopted chip-and-PIN technologies, retailers in the US have seen a spike in ecommerce fraud. In fact, the US saw a 30% increase in online fraud and credit card theft during 2017.

After chip-and-signature and chip-and-PIN security measures were adopted, cyber-criminals shifted their fraudulent activity to the ecommerce space. Ironically, the increased point-of-sale security has given rise to greater fraud with online card-not-present transactions.

The technology partners that collaborated on the project signed a cooperative research-and-development agreement and worked in a consortium with NIST to build the draft, NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce. With the draft, retailers will be able to implement the example solutions by following the step-by-step guide.

Collaborating with stakeholders in the retail sector, NCCoE has developed a draft that explores the use of multifactor authentication in a variety of risk-based scenarios. “In the project’s example implementations, if certain risk elements (contextual data related to the transaction) are exceeded that could indicate an increased likelihood of fraudulent activity during the online shopping session, the purchaser will be prompted to present another distinct authentication factor – something the purchaser has – in addition to the username and password,” NIST wrote.
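The step-up flow NIST describes above, as an added illustration that is not code from the practice guide: contextual risk elements of the session are scored against a threshold (the elements, weights and threshold here are assumptions), and once the threshold is exceeded the purchase is held until the purchaser presents a possession factor, modelled here as an RFC 6238 TOTP code.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

@dataclass
class Session:
    """Contextual data about one shopping session (field set is constructed for this example)."""
    cart_total: float
    new_device: bool
    shipping_matches_billing: bool
    failed_logins_last_hour: int
    country_matches_account: bool

STEP_UP_THRESHOLD = 50  # assumed; a real deployment tunes weights and threshold to its fraud data

def risk_score(s: Session) -> int:
    """Add up the risk elements of the session; weights are assumptions for illustration."""
    score = 30 if s.cart_total > 500 else 0
    score += 25 if s.new_device else 0
    score += 20 if not s.shipping_matches_billing else 0
    score += 30 if not s.country_matches_account else 0
    score += min(s.failed_logins_last_hour, 5) * 10
    return score

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for Unix time t: the 'something the purchaser has'."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int, window: int = 1) -> bool:
    """Constant-time compare against the current step and +/- window steps for clock drift."""
    return any(hmac.compare_digest(totp(secret, t + k * 30), code)
               for k in range(-window, window + 1))

def authorize_purchase(s: Session, secret: bytes, now: int, presented_code=None) -> str:
    """Decide a checkout: 'approved', 'step_up_required' (ask for the second factor) or 'denied'."""
    if risk_score(s) < STEP_UP_THRESHOLD:
        return "approved"            # username and password were sufficient for this session
    if presented_code is None:
        return "step_up_required"    # risk elements exceeded: prompt for the possession factor
    return "approved" if verify_totp(secret, presented_code, now) else "denied"
```

A low-risk session passes on username and password alone, while a high-value purchase from a new device is held until a valid code is presented.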

The practice guide is intended to help organizations reduce fraudulent online purchases, including those that rely on credential stuffing to take over accounts. The guide also aims to protect the ecommerce systems of participating organizations, which will also demonstrate to customers that security is a priority for the organization. By providing greater situational awareness, the guide will allow retailers to avoid system-administrator-account takeover through phishing.

The guide has been divided into three volumes for greater ease of use. Comments are currently open and can be submitted to NIST by 22 October 2018 by using this online form.
