TY - GEN
T1 - Secure display for FIDO transaction confirmation
AU - Zhang, Yongxian
AU - Wang, Xinluo
AU - Zhao, Ziming
AU - Li, Hui
N1 - Funding Information:
This research is supported in part by the National Natural Science Foundation of China grant (61628202) and the Center for Cybersecurity and Digital Forensics at Arizona State University.
PY - 2018/3/13
Y1 - 2018/3/13
N2 - FIDO protocols enable online services to leverage native authenticators of end-user computing devices, including fingerprint readers, for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In this paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging ARM TrustZone technology.
AB - FIDO protocols enable online services to leverage native authenticators of end-user computing devices, including fingerprint readers, for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In this paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging ARM TrustZone technology.
KW - FIDO
KW - Secure Display
KW - Transaction Confirmation
UR - http://www.scopus.com/inward/record.url?scp=85052012032&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85052012032&partnerID=8YFLogxK
U2 - 10.1145/3176258.3176946
DO - 10.1145/3176258.3176946
M3 - Conference contribution
AN - SCOPUS:85052012032
T3 - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
SP - 155
EP - 157
BT - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Y2 - 19 March 2018 through 21 March 2018
ER -