NIST Releases Cybersecurity Guide to Help Reduce Online Retail Fraud
Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been collaborating with retailers and technology vendors on a cybersecurity project using multifactor authentication (MFA) to help reduce the risk of online fraudulent purchases. The project resulted in the recently published draft of cybersecurity practice guide, NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce.
The draft guide may be published, but our work is just beginning. Recently, the project’s lead engineer participated in an RH-ISAC community webinar, during which he reviewed the contents of the guide.
A First for the NCCoE
The Multifactor Authentication for E-Commerce Practice Guide was the NCCoE’s first retail sector project. With so many challenges facing this sector, we made improving the security of online purchases a top priority. Here’s why: According to a recent independent analysis, e-commerce fraud increased by 30 percent in 2017, compared with 2016, as malicious actors shift from using stolen credit card data in stores at the checkout counter to using stolen credit card data for fraudulent online shopping. Because online retailers cannot utilize all the benefits of improved credit card technology, the NCCoE focused upon helping online retailers implement stronger user authentication methods.
What Say You?
During the recent RH-ISAC webinar, Implementing Multifactor Authentication for E-Commerce, participants responded to a series of questions regarding their experience with MFA. Below is what we learned:
- Do you already offer Multifactor Authentication for customers? (select one)
- Yes – 33%
- Will offer it within 6 months – 0%
- No – 67%
- What might keep you from implementing Multifactor Authentication? (select all that apply)
- Cost – 57%
- Existing fraud reduction tactics – 29%
- Project success risk – 43%
- Could turn away customers due to increased complexity during the purchaser checkout process – 86%
- Your organization’s technical expertise on MFA implementations – 29%
- What 2nd authentication factor does your organization prefer? (select all that apply)
- Hardware token-Customer brings their own device – 50%
- Hardware token-Retailer supplied device – 25%
- Mobile application – 50%
- Text (Short Message Service-SMS) – 25%
- Email – 0%
Tell Us What You Think!
The NCCoE believes the draft guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to help enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on October 22, 2018.
And to learn more about the work of the NCCoE Retail team and to contribute new ideas for improving the cybersecurity of the retail sector, please consider joining our Retail Community of Interest. If interested, send an email to [email protected].