Secure display for FIDO transaction confirmation

Yongxian Zhang; Xinluo Wang; Ziming Zhao; Hui Li

doi:10.1145/3176258.3176946

Secure display for FIDO transaction confirmation

Yongxian Zhang, Xinluo Wang, Ziming Zhao, Hui Li

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

FIDO protocols enable online services to leverage native authenticators of end-user computing devices including fingerprint readers for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In the paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging the ARM TrustZone technology.

Original language	English (US)
Title of host publication	CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Publisher	Association for Computing Machinery, Inc
Pages	155-157
Number of pages	3
ISBN (Electronic)	9781450356329
DOIs	https://doi.org/10.1145/3176258.3176946
State	Published - Mar 13 2018
Event	8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States Duration: Mar 19 2018 → Mar 21 2018

Publication series

Name	CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Volume	2018-January

Conference

Conference	8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Country/Territory	United States
City	Tempe
Period	3/19/18 → 3/21/18

Keywords

FIDO
Secure Display
Transaction Confirmation

ASJC Scopus subject areas

Computer Science Applications
Information Systems
Software

Access to Document

10.1145/3176258.3176946

Cite this

Zhang, Y., Wang, X., Zhao, Z., & Li, H. (2018). Secure display for FIDO transaction confirmation. In CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy (pp. 155-157). (CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy; Vol. 2018-January). Association for Computing Machinery, Inc. https://doi.org/10.1145/3176258.3176946

Secure display for FIDO transaction confirmation. / Zhang, Yongxian; Wang, Xinluo; Zhao, Ziming et al.

CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, 2018. p. 155-157 (CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy; Vol. 2018-January).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Zhang, Y, Wang, X, Zhao, Z & Li, H 2018, Secure display for FIDO transaction confirmation. in CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy, vol. 2018-January, Association for Computing Machinery, Inc, pp. 155-157, 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018, Tempe, United States, 3/19/18. https://doi.org/10.1145/3176258.3176946

Zhang Y, Wang X, Zhao Z, Li H. Secure display for FIDO transaction confirmation. In CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc. 2018. p. 155-157. (CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy). doi: 10.1145/3176258.3176946

@inproceedings{a37db6c69c174594bb7fe0c87ceca824,

title = "Secure display for FIDO transaction confirmation",

abstract = "FIDO protocols enable online services to leverage native authenticators of end-user computing devices including fingerprint readers for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In the paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging the ARM TrustZone technology.",

keywords = "FIDO, Secure Display, Transaction Confirmation",

author = "Yongxian Zhang and Xinluo Wang and Ziming Zhao and Hui Li",

note = "Funding Information: This research is supported in part by the National Natural Science Foundation of China grant (61628202) and the Center for Cyberse-curity and Digital Forensics at Arizona State University.; 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 ; Conference date: 19-03-2018 Through 21-03-2018",

year = "2018",

month = mar,

day = "13",

doi = "10.1145/3176258.3176946",

language = "English (US)",

series = "CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy",

publisher = "Association for Computing Machinery, Inc",

pages = "155--157",

booktitle = "CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy",

}

TY - GEN

T1 - Secure display for FIDO transaction confirmation

AU - Zhang, Yongxian

AU - Wang, Xinluo

AU - Zhao, Ziming

AU - Li, Hui

N1 - Funding Information: This research is supported in part by the National Natural Science Foundation of China grant (61628202) and the Center for Cyberse-curity and Digital Forensics at Arizona State University.

PY - 2018/3/13

Y1 - 2018/3/13

N2 - FIDO protocols enable online services to leverage native authenticators of end-user computing devices including fingerprint readers for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In the paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging the ARM TrustZone technology.

AB - FIDO protocols enable online services to leverage native authenticators of end-user computing devices including fingerprint readers for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In the paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging the ARM TrustZone technology.

KW - FIDO

KW - Secure Display

KW - Transaction Confirmation

UR - http://www.scopus.com/inward/record.url?scp=85052012032&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85052012032&partnerID=8YFLogxK

U2 - 10.1145/3176258.3176946

DO - 10.1145/3176258.3176946

M3 - Conference contribution

AN - SCOPUS:85052012032

T3 - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy

SP - 155

EP - 157

BT - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy

PB - Association for Computing Machinery, Inc

T2 - 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018

Y2 - 19 March 2018 through 21 March 2018

ER -

Secure display for FIDO transaction confirmation

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this