February 20, 2019
The Changing Face of Fraud in the Internet of Things Era
Posted April 9, 2018
50 years ago, audiences around the world were asked to suspend their disbelief as Stanley Kubrick brought HAL 9000 to life in 2001: A Space Odyssey. The portrayal of a sentient computer in control of a spaceship, capable of speech and facial recognition, automated reasoning and natural language processing required a giant leap of imagination – not so much in today’s Internet of Things era.
Intelligent, connected technology is now part of daily life, with smart assistants like Siri and Alexa echoing the fictional HAL 9000. Cars, watches, toasters, fridges, thermostats, lights, the list goes on and on for the number of inanimate objects which are now connected devices.
Underpinning this ever-expanding ecosystem of connected devices is the Internet of Things (IoT), the name given to the network of devices embedded with electronics, software, and sensors which enable the connecting and exchange of data.
As more cities, homes and offices embrace the ‘smart’ moniker, the proliferation of smart devices shows no signs of slowing down, with the number of connected things predicted to reach 20.4 billion by 2020. As businesses tap IoT opportunities for better brand interaction, productivity, efficiency and user experience, striving to monetize the vast amounts of data generated by smart devices, there lurks a significant threat in the ecosystem – albeit not in the same vain as HAL 9000.
The IoT is a veritable treasure trove for cybercriminals. Checking every box on a cybercriminals to-do list, the IoT has billions of vulnerable devices, a huge attack surface, no regulation and vast quantities of personal data. Unfortunately, cybercriminals and fraudsters are just waking up to what they can potentially gain from the IoT.
Historically, IoT cyberattacks have been motivated by political or social reasons. The Mirai botnet, for example, was used in one of the biggest DDoS attacks ever seen in 2016. Attacking a DNS provider, Anonymous and New World Hackers claimed responsibility for the attack which used an army of botnet-infected devices to take down large swathes of the internet. Other perpetrators in the frame for the DDoS attack included a showboating hacker and an angry gamer, but what was clear is that the attack was designed to disrupt.
Hackers are, however, about to change tact. According to Forrester, cybercriminals targeting the IoT will be driven by financial gain as the black market for malware and the dark web continue to mature.
The financial gain for hackers looking to infiltrate the IoT lies in the data. A fitness watch or smartphone holds some of the most sensitive, unique data pertaining to you – name, address, credit card information, health information. The rise of enterprise mobility and BYOD has exasperated this problem, inviting vulnerable devices into an environment with sensitive business data.
The digital footprint built around this trail of data has the potential to become complex and multifaceted, spanning different devices, locations and time zones. Hackers using various nefarious means – malware, spoofing, bots, RATs – will look to exploit the weakest link in the IoT chain, with their prize being personal information and credentials. Knitting together a complete identity from that data will become so simple in the IoT future, purely because all that data will be connected already. Hackers will then look to deploy that data for financial gain, committing cross-industry fraudulent transactions.
The ease of fraud via IoT devices has already been seen in theory; the Def Con security conference saw a Samsung smart refrigerator hacked, with the hackers finding that the fridge integrated with the user’s Gmail calendar using SSL. However, the fridge did not validate SSL certificates, leaving the usernames and passwords unguarded and available for account takeover.
There is a risk that payment fraud, account takeover and identity theft will become commonplace, as fraudsters look to exploit the plethora of entry points to steal data.
For businesses fighting fraud in the IoT era, one thing must be prioritized above all others – the true identity of customers. Separating the bad from the good, the legitimate from the fraudulent, businesses must channel the spirit of IoT and connect the dots to mitigate the risk of fraud.
Digital identity solutions could provide the transparency needed for the IoT era, connecting the dots between device, location, identity and behavior. The holistic nature of digital identity solutions will marry well with the connected IoT ecosystem, allowing businesses to look at several elements of identity data in real time. If a user were to interchangeably use a smartphone, wearable and laptop throughout the day, the associated email, location or other additional identity data could be analyzed to verify a legitimate user.
IoT will blur the lines when it comes to digital identity, making it crucial for businesses to separate the good from the bad. Businesses must be able to analyze massive amounts of data, identify anomalies and patterns, and be able to detect that a device has become a ‘bad actor’. By integrating IoT devices into the digital identity of good users, businesses have the potential to be able to understand whether a future transaction from an IoT device is trusted or fraudulent.
Living by an ‘everything is connected, everything is at risk’ mantra, businesses must take a holistic approach to fighting IoT fraud. Be it new account applications, logins or payments, it is vital that organizations genuinely recognize good, returning customers by understanding the unique digital DNA of new and returning customers.
The hackers are now aware of the goldmine that is the Internet of Things, no longer seeing to attack the ecosystem for kudos or political means. They want to make money from your most sensitive data and they will likely succeed if businesses do not up their ante and prioritize digital identity.