Emerging Fraud from the Internet of Things

It seems that each day the internet of things (IoT) becomes a bigger and bigger topic in the mobile industry. With the number of IoT connections forecast to more than double, from roughly 10 billion connections this year to 23 billion by 2020, according to the GSMA, and with new IoT devices coming to market every year, IoT technologies are quickly taking root to become an important part of our consumer lifestyle and industrial operations.

Yet, as with any new technology, IoT is bringing important new opportunities as well as important new challenges. One of the challenges is the opening of a number of new vulnerabilities to fraud.

Increasing Sophistication of IoT Fraud
At a basic level, it’s easy to understand this fraud. Connected devices that provide increased convenience and improved services are also collecting, transmitting and storing vast amounts of consumer data, and creating a number of new theft and privacy risks. As a result, with everything connected to Internet theoretically able to be hacked, millions of new devices, business processes and network connections have now become hackable.

What’s not as clear with IoT fraud, however, is what threats IoT poses on a deeper level. Specifically, the danger doesn’t just come from some data suddenly becoming easily available through transmissions and exchanges on the internet, it comes from the ingeniousness of fraudsters in constantly searching for new ways to pick the locks of the internet and exploit weak points across rapidly evolving environments with countless points of entry.

Moreover, in terms of security policies implemented to protect specific IoT systems from fraud attacks, it’s crucial to understand that intrusions and thefts don’t only occur in policies managed directly by people, but they occur in policies automated by machines that don’t have the understanding to know when they’re being misused. For example, in ATM fraud, which I explain more on below, fraudsters can program an ATM system to have an account show an unchanged balance while they withdraw more money than what is actually in the account.

Understanding these dimensions of IoT fraud is crucial to understanding some of the specific attacks emerging today. And understanding these attacks is vital as the mobile industry ramps up more and more quickly to serve a new generation of IoT devices and connections.

Two Emerging Types of IoT Fraud
Through my recent work with customers, I’ve begun to focus on two types of IoT fraud, among others, that I see as particular rising threats and ones needing stronger responses:

ATM fraud – One of the more egregious thefts in the IoT world comes from this type of fraud attack. Using web-based controls, fraudsters can change account balances and access restrictions to directly tap into machines loaded with cash. The way this kind of fraud emerged is an example of how IoT is now decentralizing the control of infrastructure in the same way that the web decentralized access to information. Banks began using IoT-enabled ATMs to decentralize their ATM operations. Then, fraudsters discovered this IoT-based system as a point of entry through which account balances could be accessed and manipulated. Through this control, fraudsters began to perpetrate any number of transactions. A typical method involves withdrawing money from ATMs without having the balance of an account reduced, because the account has been programmed to show an unchanged balance. Using these methods, one attack resulted in $40 million being robbed from just 12 accounts. Additionally, in another kind of IoT fraud attack, fraudsters known as “skimmers” go to ATMs and install fake PIN pads designed to trick consumers into providing card information. They then use internet connections to have this information sent to themselves through emails and text messages.
Ad fraud – This attack occurs when fraudsters spread malware through a piece of code in an ad. When a user clicks on that code, the code takes over the user’s device and creates a botnet, a network of computers infected without the users’ knowledge. Fraudsters then can use this botnet to send spam emails, transmit viruses and engage in other acts of cybercrime. This botnet risk perpetrated through ad fraud underlies a central threat of IoT fraud: It’s not the devices themselves that present the security risk as much as it is the Trojan horses they represent in terms of being vulnerable to attacks. For example, many newer IoT devices, such as baby monitors and refrigerators, don’t even have security systems protecting them from botnet attacks because of their limited memory and slow processors. In the same way, ad fraud offers an ideal pathway to creating a botnet because, in general, security intrusions come from perpetrators trying to hack into a system directly, or from perpetrators using a third-party code to try to get into a system indirectly. Ad fraud offers one of the biggest third-party codes available to exploit users’ devices and is much easier than a brute-force attack. As a result, the botnet risk is a serious one, and one for which protection against cannot be guaranteed because of ad fraud vulnerabilities, among other factors.

As an industry, we’re still in the early stages of developing standard, proven approaches to containing these new threats. But by taking a brief look at each of these now, we can begin to take better steps to ensure our more heavily connected world is made safer against data theft and revenue loss that result from these fraud types.