The internet of things (IoT) is big, getting bigger, and bringing with it a dangerous new problem. According to the latest GSMA data, IoT by 2020 will represent over 23 billion global connections, including approximately 10 billion machine-to-machine (M2M) connections, a connection type in developed countries that grew by 25 percent from the last year.
Unfortunately with this growth, as with many technology developments that open new markets, where money goes, criminals usually follow. And now criminals are infiltrating IoT technologies and beginning to uncover a number of new fraud vulnerabilities. Through my recent work with customers, however, I’ve developed several principles that I think can redefine our approach and help the mobile industry better contain this new and escalating threat.
Understanding the Scope of IoT Fraud
First, a quick explanation to distinguish IoT and M2M. Based on a definition by the GSMA, IoT describes the overall coordination of multiple machines, devices and appliances connected to the Internet through multiple networks. M2M, though, also based on a definition by the GSMA, describes the use of applications that are enabled by the communication between two or more machines, which use a variety of communication channels to deliver services with limited direct human intervention.
With these definitions in mind, let’s consider the amount of data we’re collecting and saving today through IoT and M2M technology, which is truly staggering. On the consumer side, connected-home systems know which rooms in our house we spend time in and how much, car manufacturers have tracking devices to monitor multiple metrics about our car’s performance, and fitness trackers know our heart rates and how many steps we take each day. On the industry side, machines like jet engines, power turbines and rail locomotives sense and predict when they need a tune-up, before any breakdowns, and automatically adjust to changes in the weather and market demand.
With all these new uses, IoT and M2M technologies have the potential to provide enormous benefits for consumers. But with this exciting new world, a new and quickly developing generation of fraudsters has taken root. Connected devices that provide increased convenience and improved services are also collecting, transmitting and storing vast amounts of consumer data, and creating a number of new theft and privacy risks. As a result, with everything connected to Internet theoretically able to be hacked, millions of new devices, business processes and network connections have now become hackable.
Here are some examples. In addition to major retail and technology brands recently getting hacked and compromising millions of customers’ names and credit card details, criminals are now reaching directly down to consumers’ personal machines, with one car manufacturer revealing that it had to patch a cybersecurity flaw that affected over 2 million vehicles. The flaw allowed hackers to penetrate SIM cards in order to open doors remotely and seize control of onboard systems including everything from the radio to the online services console. A more troubling example of this involved a case in which professional hackers demonstrated how one car model could be completely hijacked and driven off the road through the car’s internet-connected devices. These breaches have now led regulatory bodies like the U.S. Federal Trade Commission to announce that it’s planning to regulate the IoT through a new Office of Technology Research and Investigation so it can better protect consumers’ security. Some of the areas it will regulate are car systems and new mobile-payment methods, like Apple Pay.
Four Principles to Redefine an Approach to IoT Fraud
But both mobile operators and other businesses face a number of tough challenges in taking on this new fraud. Among them, the sheer number of IoT connections continues to multiply exponentially. At the same time, many IoT connections involve multiple partners and thus remain equally vulnerable at the weakest link in the system. Finally, new mobile technologies like 5G present new processes and loopholes that are vulnerable to exploitation by fraudsters.
To better take on these challenges, I think we need to redefine our approach with some basic principles that we have not employed consistently and wholeheartedly. Our industry, especially the mobile operator group, is poised to become pivotal providers in a technology revolution that will profoundly transform how governments, manufacturers, utilities, healthcare providers and financial institutions do business.
Based on my latest customer engagements in the past few years and over 14 years of developing mobile and technology fraud solutions, I’ve defined four principles I think operators should incorporate as basic ways of working in taking on IoT and M2M fraud:
- Separate IoT strategy – Although IoT fraud schemes can be perpetrated through PCs and other non-mobile channels before reaching mobile devices, it’s imperative that this fraud be treated as a separate type and have a dedicated strategy distinct from other technologies. IoT fraud attacks have specific, complex characteristics that demand a specialized strategy specific to the mobile channel.
- Predictive analysis capability – An IoT strategy must include a predictive analysis capability to provide a sophisticated, far-ranging approach to obtaining the best data and using it to respond to particular fraud patterns. Data-based predictive analyses that use a scientific approach have been proven to be the most successful in combating fraud of all types.
- Cloud-based solutions – Although a wide range of solutions is available to fight IoT fraud, their cost and time to implementation make them impractical for a number of operators, especially smaller ones. Cloud-based systems are vital in offering more cost-efficient and quickly deployable solutions, and they represent the future of enabling a fast and powerful response capability for IoT fraud.
- Global approach to organized criminal networks – The nature of today’s IoT fraud is vast and complex, and it is often professionally managed across multiple locations and networks around the world. A successful IoT fraud strategy thus requires a global approach and a coordinated effort across all an operator’s geographic regions to ensure a comprehensive and consistent response.
As daunting as the new fraud from IoT and M2M technologies may appear, by refocusing our approach with these four principles, I think we can begin to take major steps to ensure our new, more heavily connected world is made much safer.