Cybercrime and the Internet of Things: The Need for Digital Identities

Posted October 11, 2017

Cybercrime and the Internet of Things: The Need for Digital Identities

In the annals of cybercrime, few events have managed to drive home both the promise and peril of our rapidly expanding digital universe quite like the one that occurred on October 21, 2016.

In a stunning blow, the massive Mirai botnet attack that hijacked 2.5 million malware-infected Internet of Things (IoT) devices—security cameras, baby monitors, thermostats, DVRs and more—also succeeded in knocking a sizable chunk of the digital economy offline for hours.

By the time the dust settled, Twitter, Amazon, PayPal, the New York Times and Shopify were among the thousands of prominent online businesses sidelined by one of the largest distributed denial of service (DDoS) attacks ever. Losses were estimated to be between $20,000 and $100,000 per company, per hour.

Beyond this immediate and very costly disruption, the event put three key forces shaping today’s cybersecurity landscape into sharp focus. First, digital channels have become critical to modern business models. Second, the proliferation of IoT devices is transforming, or giving rise to, entire industries. And third, the same digital technologies that companies rely on also make it easier than ever for cybercriminals to execute an attack.

But as we stare down the one-year anniversary of that staggering attack, a breakthrough in cybersecurity technology promises to be a game-changer.

The Digital-First Frontier

Every day, nearly half the world’s population and 80 percent of Americans transact online, fueling the $3.4 trillion digital economy. In the space of just a few short years, transactions that were once predominantly local and in-person have grown evermore digital, mobile and global.

Many of these transactions are also going “nodal”—moving beyond the desktop, smartphone and tablet to a whole new generation of IoT device. While many of these technologies are user-driven, some are fully automated to operate based on preset preferences and business rules. Increasingly, many transactions leverage artificial intelligence to meet and even predict real-time user needs and desires.

Some of these IoT devices monitor supplies and initiate machine-to-machine (M2M) transactions for just-in-time replenishments in manufacturing, supply chain operations and a growing number of home pantries and refrigerators. Connected automobiles pay tolls, provide value-added services, or even enable use-based car insurance rates that factor in real-time risks, routes and driving behaviors.

Meanwhile, stylish new smart watches, glasses, shoes and other wearable devices facilitate all kinds of transactions, whether it’s purchasing digital content, paying for public transit, tracking personal fitness or buying groceries without ever digging for cash, writing a check, swiping a card—or standing in line.

Yet, for all the new revenue streams and customer engagement opportunities these innovations represent, businesses seeking to capitalize on them face a daunting challenge.

Internet of Threats

The fact is, every digital transaction on every device involves a trust decision that businesses must make in the blink of an eye. These decisions are based on identity credentials captured at login—whether they’re entered manually, or delivered through automated IoT technologies.

The problem is that cybercriminals have easy access to massive amounts of stolen identity credentials—usernames, passwords, social security numbers, PIN codes, challenge questions, you name it—acquired through a continuous stream of corporate data breaches or on the dark web.

Using bots and other tools, cyberthieves routinely exploit these credentials en masse to take out fraudulent loans, hijack bank accounts, steal personal or corporate information, make illegal purchases and more. Indeed, each new transaction node added to the IoT is, by default, a node of vulnerability, increasing the total number of points of entry fraudsters can use to infiltrate systems undetected.

This is no small matter. Total worldwide losses from cybercrime already exceed $3 trillion, and are expected to double by 2021. But how can businesses be sure the person on the other end of a transaction is really who they claim to be, if identity credentials have been rendered useless?

How can businesses make accurate trust decisions when their outdated authentication systems can’t tell the difference between a valued customer and a fraudster or malicious bot using valid credentials?

The answer is ThreatMetrix ID™.

One Identity to Rule Them All

Unveiled for the first time during our Digital Identity Summit in San Francisco, ThreatMetrix ID adds a whole new dimension to user verification.

ThreatMetrix ID provides a unique, fraud-proof identifier for each user, so businesses can make accurate trust decisions in real time, across all digital technologies, and at global scale.

We’re not talking about digital identification requested by users here. Instead, ThreatMetrix ID works behind the scenes to connect the dots between individuals, their devices, email addresses, phone numbers, payment cards, ship-to details, IP addresses, transaction details and hundreds of other dynamic attributes spanning online and offline worlds.

This universal digital ID leverages the decade of success ThreatMetrix has achieved in digital identity-based smart authentication solutions. It combines advanced machine learning and anonymized, crowdsourced intelligence amassed through 75 million daily transactions spanning 40,000 websites and mobile apps throughout the ThreatMetrix Digital Identity Network.

ThreatMetrix ID continuously assesses each individual and their related attributes, and expresses them as a unique, anonymized, alphanumeric identifier that cannot be faked and cannot be converted into personally identifiable information.

A Unified View of Everything

Using interactive graphic visualizations of all related device, credential, threat and behavioral attributes that compromise a digital identity, ThreatMetrix ID generates a confidence score confirming the veracity of each digital identity. It also scores the risk associated with each identity and each transaction.

In mere milliseconds, trusted users are recognized and transactions streamlined. Fraudsters and their bots are blocked, even if they’re using valid credentials. And it all happens transparently, without creating any user friction.

What’s more, businesses get a graphical, bird’s eye view of the ever-expanding universe of attributes associated with each identity. And they can even provide trusted customers with the assurance that should their identities ever be compromised, anomalies can be detected in real time, and fraudulent behavior neutralized without endangering their accounts.

Still, is the ability to make consistent and accurate trust decisions really the secret to gaining the upper hand against cybercriminals and competitors?

As we approach the anniversary of last October’s IoT attack, we find ourselves in a post data-breach era in which a growing number of connected consumers demand ease, convenience and speed, without sacrificing security. Which means we shouldn’t be too surprised if a universal digital ID actually becomes something else entirely – namely, the bare minimum cost of entry for doing business in the digital economy.

To learn more about establishing true identity in an evolving digital landscape, download our exclusive white paper on ThreatMetrix ID.

Andreas Baumhof

Andreas Baumhof

Chief Technology Officer, ThreatMetrix

close btn