What We Need to Do in the Fight Against IoT Fraud and Identity Theft
Within two years it is expected that there will be 4 connected ‘things’ for every person on the planet. The growth of the Internet of Things, or IoT, means more convenience and opportunity for more people, but it comes at a cost. With so many Internet-connected devices in every home and business, the IoT is a vast playground for fraudsters – and it’s growing larger every day. Some 15.4 million consumers were victims of identity theft or fraud in 2017, according to Javelin Strategy & Research. In all, thieves stole $16 billion, making it a very lucrative illegal business to be in.
The financial gain for hackers looking to infiltrate the IoT lies in the data. In a rush to get items to market, companies often leave IoT devices unsecured and easy to access. Hackers can then reach personal information and use it to create fake identities. For example, a fitness watch or smartphone holds some of the most sensitive, unique data pertaining to you – your name, address, credit card information, photos, places you’ve visited, health information and more.
Today, home Wi-Fi networks connect all our devices, and the valuable information within. A fraudster can hack into a Wi-Fi network through a connected refrigerator and then access your other devices, such as smartphones or personal health trackers. From this information, along with social media, they can knit together a complete identity. Cyber thieves are extremely patient and will sometimes work for years creating files on their targets until they have enough data to start their scam. Maybe you post on social media where you went to college, or that your dad just retired from such-and-such company. Maybe your mom lists her maiden name on her Facebook account so her high school friends can find her. And most everyone posts the name of their dogs. Fraudsters know this information is often used to create passwords or as answers to verification questions.
Stolen personal information has been used to create fake identities that buy expensive cars and million-dollar homes, but sometimes the fraud is smaller and easier to hide. In the U.S. a life insurance provider is offering up to 15% off their policy premiums if you wear your Fitbit to prove you’re living a healthy lifestyle. If you run 5 km every day, someone can exploit your insecure device and steal your health information to get a much more favorable premium on their own insurance policy. Automobile insurance providers are doing a similar thing with plug-in dongles that record driving metrics and give discounts to those who don’t speed or drive recklessly. A safe driver could have their information stolen and used by a bad driver who would otherwise be uninsurable or have to pay a heftier premium.
So, how do we protect our devices and our identities?
Constant vigilance seems to be the best defense, and for businesses looking to protect their employees, machine learning is helping. Business Analytics tools that leverage machine learning can help detect anomalies in how data and devices are being used. The ability to detect a device that has become a ‘bad actor’ can stop fraud in its tracks. The IoT is blurring the lines between security and fraud when it comes to digital identity, making it crucial for businesses to separate the good from the bad.
The Identity Theft Resource Center recommends taking the following measures to mitigate risk:
- Isolate IoT devices on their own protected networks
- Disable Universal Plug and Play on routers
- Consider whether IoT devices are ideal for their intended purpose
- Purchase IoT devices from manufacturers with a track record of providing secure devices
- When available, update IoT devices with security patches
- If a device comes with a default password or an open Wi-Fi connection, change the password and only allow its operation on a home network with a secured Wi-Fi router
- Be informed about the connective capabilities of any medical devices prescribed for at-home use
- Ensure all default passwords are changed to strong passwords, and do not use the default password determined by the device manufacturer
The IoT is a treasure trove for cybercriminals, providing billions of vulnerable devices, a huge attack surface, no regulation and vast quantities of personal data. Cybercriminals and fraudsters are just waking up to what they can potentially gain from the IoT – and the market is being flooded with new ‘hackable’ devices every day. Businesses and homes need to prepare for this new world by having the tools and resources available to protect every bit of our identities.