Evolution of fraud in the IoT era

(Image credit: Gustavo Frazao / Shutterstock)

Since the dawn of sci-fi we’ve seen portrayals of sentient computers capable of speech and facial recognition, automated reasoning and natural language processing. These concepts once required a giant leap of imagination, but the rapid pace of technological development in the modern world highlights that this is certainly no longer the case – especially due to the proliferation of the Internet of Things. 

Intelligent, connected technology is increasingly becoming a part of daily life – from artificial intelligence assistants like Siri and Alexa, to central heating and lighting that you control with your smartphone, we are getting ever closer to an age echoing the fictional artificial intelligence (AI) concepts of Hollywood movies.

With the number of connected things predicted to reach 20.4 billion by 2020 according to Gartner, it’s a phenomenal trend that will continue to spread until human and machine connectivity becomes ubiquitous and unavoidably present. We are already seeing new houses and cars being built equipped with interconnectivity to other smart devices. This technological revolution in what is being called the IoT era is seeing businesses increasingly utilise the opportunities that IoT presents for better brand interaction, productivity, efficiency and user experience, striving to monetise the vast amounts of data generated by smart devices.

Perfect recipe for cybercriminals

However, as is to be expected with any new technology, there lurks a significant threat in the ecosystem – cybercrime. The market has emerged so quickly that manufacturers have hastily created insecure products in their rush to bring goods to market. Security has received very little, if any, attention.

Despite this lack of security and the inherent dangers it brings, consumers continue to buy and deploy these smart gadgets. As Amy Webb, futurist and CEO at the Future Today Institute, proclaims: “Technology can be like junk food. We’ll consume it, even when we know it’s bad for us.” The rise of the IoT era has enabled cybercriminals to commit fraud in new and novel ways. If security isn’t prioritised, both users and their data will be at monumental risk.

With billions of vulnerable devices, no regulation, a huge attack surface and vast quantities of personal data, IoT checks every box on a cybercriminal's Christmas wish-list and could be a very profitable venture for the cybercriminals who are just now waking up to the possibilities.

In the past, IoT cyberattacks were designed to disrupt and were usually carried out for political or social reasons by groups like Anonymous, but thanks to the digitalisation of society, hackers are about to change tack. According to Forrester, cybercriminals targeting the IoT will be driven by financial gain as the black market for malware and the dark web continue to mature.

For hackers looking to infiltrate the IoT, the financial gain lies in the data; smartphones and smart watches hold some of your most sensitive, unique data – name, address, credit card information, locations you’ve visited every day, health information, etc. Coupled with the trend of increased employee mobility and the rise of Bring Your Own Device (BYOD) schemes at businesses, the issue extends to the workplace: the risk increases when potentially vulnerable devices are invited into an environment loaded with sensitive business data.

Connecting the dots

When everything is connected, everything is at risk. This requires businesses to take a holistic approach to fighting fraud. Whether for new account applications, logins or payments, it is vital that organisations genuinely recognise legitimate returning customers by understanding their unique digital DNA. Hackers are becoming increasingly aware of the gold mine that is the Internet of Things, and with financial gain spearheading the attacks on the ecosystem, they seek to make huge profits from the most sensitive data. If businesses do not put adequate defences in place and prioritise digital identity, the hackers will most likely succeed.

Targeting personal data and credentials, hackers will use every nefarious and damaging means in their arsenal to exploit the weakest link in the IoT chain, including malware, spoofing and bots. If successful, they could sell the data on the dark web, and it wouldn’t take much work for fraudsters to knit together a completely different synthetic identity: a “Frankenstein’s monster” of mixed and matched real and fake data that they’ve acquired, which they will then look to deploy for financial gain, committing cross-industry fraudulent transactions. The IoT will make this much easier, considering that all the data will be connected and within easy reach from these devices already. If this were only theory, there would be less cause for worry, but the ease of fraud via IoT devices has been demonstrated multiple times due to various weaknesses in device security.

Today’s cybercriminals are organised, smart, and well equipped. They have the funding and resources to infect millions of IoT gadgets with disruptive mechanisms, spyware, password snatchers and legitimate device imitators. If precautions are not put in place, there is a further risk that payment fraud, account takeover and identity theft will become commonplace, as fraudsters look to exploit the plethora of entry points to steal personal data.

Digital identity

The best way to tackle fraud has always been to differentiate between fraudsters and genuine customers; this applies even more so in the connected IoT era. Separating the bad from the good, and the legitimate from the fraudulent, requires businesses to authenticate user access in real-time to mitigate the risk of fraud.

Digital identity technologies could provide the solution that the IoT era requires – by connecting the dots between device, location, identity and behaviour, businesses will be able to look at several elements of identity data in real-time. If a user were to use multiple devices interchangeably throughout the day, such as a smartphone, laptop and smart watch, the associated email, location or other additional identity data could be analysed to distinguish a legitimate user from a fraudulent one.

IoT will blur the lines when it comes to digital identity, making it crucial for businesses to be able to differentiate authentic customer transactions from fraudulent ones. Businesses need to be able to analyse massive amounts of data, identify the anomalies and patterns, and detect a device which has been compromised. By integrating IoT devices into the digital identity of good users, businesses have the potential to understand whether a future transaction from an IoT device is trusted or fraudulent.

Alisdair Faulkner, Chief Identity Officer at ThreatMetrix

Alisdair Faulkner has two decades’ experience working on innovations in cybersecurity, machine learning and analytics. As Executive in charge of Global Fraud and Identity Strategy for LexisNexis Risk Solutions, he delivered market-leading organic and M&A revenue and segment growth across North America, Latin America, EMEA and APAC.