Managing the Internet of Things & Fraud Threats in an Increasingly-Interconnected Marketplace
The Internet of Things—commonly referred to as “IoT”—was one of the most hyped new concepts of the last decade. IoT technologies poured onto the market, promising to put the future in people’s hands. Unfortunately, this has also opened the home to potential IoT fraud and abuse.
Internet of Things [noun] /ɪntɚˌnɛt • əv • thIngz/
The Internet of Things may refer to either the interconnection of internet-enabled computing devices that are embedded in everyday objects or to such devices themselves. These devices use their interconnectivity to send and receive data and provide a more customized, integrated user experience.
In essence, an IoT device can be described as anything that has a sensor or other input capability attached or built into it, and which can transmit data from one such object to another. Common examples of IoT products you might already have in your home include:
- Connected appliances (refrigerators, washers, dryers, etc.)
- Smart home security systems
- Wearable health monitors and smart exercise equipment
- AI virtual assistants like Alexa or Google Home
IoT devices present myriad new opportunities for individuals to interact, research, and shop online. For instance, we could see users assemble a shopping list directly from their smart fridge, then order groceries online and have them delivered to their front door within hours. Users could also research products through voice search while doing chores, then make a purchase via their virtual assistant.
There’s no shortage of scenarios through which buyers can do business in an IoT environment. Security Today projects that we’ll see roughly 35 billion IoT devices in use around the globe by the end of 2021—a 13% increase over the number of devices active the previous year.
This could be a fantastic opportunity for all types of merchants to leverage. As mentioned before, though, each new device could be an avenue for IoT fraud.
How do Fraudsters Abuse IoT?
Fraudsters are resourceful; they’re constantly on the lookout for fresh opportunities to take advantage of new and developing products and processes. The Internet of Things is a perfect example.
When banks first introduced IoT-enabled ATMs a few years ago, fraudsters quickly identified IoT systems as a point of entry to access and alter cardholders’ account balances. Criminals were able to siphon off cash and steal from cardholders because they knew how to manipulate the new technology and commit this type of IoT fraud.
It’s important to note that each new device added to a network can be a point of access for thieves to steal sensitive data. A network is only as secure as its weakest point: implementing strong security measures (such as complex passwords) on a computer or phone is pointless if a fraudster can gain easy access through an interconnected doorbell or appliance.
Plus, the range of data collected by IoT devices themselves is widening dramatically. Fraudsters could have access to an individual’s personal health details, lifestyle habits, physical location, payment information, and much more, simply by hacking into an IoT-enabled exercise bike.
Criminals can harvest this information and sell it on the dark web, or they can use it to engage in IoT fraud themselves. In most cases, this will come in the form of invalid transactions conducted online.
IoT and Friendly Fraud
Criminal activity conducted using devices linked to the Internet of Things is a serious concern for consumers and merchants alike. That said, not all abuse is going to come from hardened criminals.
IoT devices that can be used to conduct transactions will typically be connected to cardholder information kept on file. This allows the buyer to simply tell the IoT device to buy something, then confirm the purchase after a verbal prompt. This can lead to obvious problems: there have already been news reports about accidental or unauthorized purchases made over voice-controlled speakers. In one case, a six-year-old managed to purchase a $170 dollhouse, as well as four pounds’ worth of sugar cookies, through an Amazon Echo device!
Obviously, a six-year-old doesn’t understand the ramifications of what they’re doing. Nonetheless, these accidental purchases are a concern for merchants. The same goes for transactions that are made deliberately, but without the cardholder’s consent, such as a relative of the cardholder renting streaming movies or buying digital goods.
When these transactions occur, the cardholder might not be able to recognize the transaction when it shows up on a billing statement. Or, they might recognize the sale, but experience buyer’s remorse. In either case, they will probably file a chargeback to recoup the funds.
These scenarios are perfect examples of IoT fraud. But because the cardholder filed a chargeback on what should be a legitimate transaction, they are forms of friendly fraud, as well.
Friendly fraud is a costly source of merchant revenue loss. When it happens, you lose sales revenue, merchandise, and overhead costs, and are also responsible for added chargeback fees. It’s a growing problem; in fact, 60-80% of all chargebacks are possible cases of friendly fraud.
What You Can Do About IoT Fraud Threats
Internet of Things fraud can result from criminal abuse, or from unintentional consumer chargeback abuse. Either way, it has the same result from a merchant’s perspective: loss of revenue. That’s why it’s crucial for merchants to implement any tactics that can help reduce risk and prevent losses.
One way to defend against both criminal fraud and friendly fraud is to introduce stronger authentication methods to IoT checkout processes. Voice identification is one technology that could help prevent unauthorized use, as could:
- Velocity checks
- Requiring security passcodes to complete purchases
…just to name a few. But we also need to emphasize that consumer education can be a major step toward preventing IoT fraud. As a merchant, you should:
- Be transparent and clear about what information you collect and why
- Remind customers to review and update account information regularly
- Make it easy to determine which payment methods customers have on file
- Clarify which devices can be used to make purchases and how
- Add security steps when available, such as requiring a passcode to complete a purchase
- Include the device used to make a purchase in the billing descriptor
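To show how two of the controls named above fit together, here is an added example (not code from the article or from any merchant platform) of a per-device velocity check that holds an order for a passcode once a connected device exceeds an order-count or spend limit within a look-back window. The limits, device names, and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class DeviceVelocityCheck:
    """Sliding-window velocity check keyed on the ordering device.

    Limits are assumed values for illustration, not figures from the article.
    """

    def __init__(self, window_s=3600, max_orders=3, max_cents=10_000):
        self.window_s = window_s
        self.max_orders = max_orders
        self.max_cents = max_cents
        self._history = defaultdict(deque)  # device_id -> (timestamp, cents)

    def evaluate(self, device_id, ts, cents, passcode_ok=False):
        """Return 'approve' or 'require_passcode' for one order attempt."""
        history = self._history[device_id]
        # Forget orders that have aged out of the look-back window.
        while history and ts - history[0][0] >= self.window_s:
            history.popleft()
        count = len(history) + 1
        total = sum(c for _, c in history) + cents
        if (count > self.max_orders or total > self.max_cents) and not passcode_ok:
            return "require_passcode"  # held: not recorded until confirmed
        history.append((ts, cents))
        return "approve"


# Constructed sample orders: (device_id, seconds, cents, passcode_ok).
SAMPLE_ORDERS = [
    ("speaker-kitchen", 0, 1299, False),
    ("speaker-kitchen", 300, 850, False),
    ("speaker-kitchen", 600, 17000, False),   # pushes window spend over limit
    ("speaker-kitchen", 660, 17000, True),    # retried with passcode
    ("speaker-kitchen", 4000, 500, False),    # large order still in window
    ("fridge-01", 4000, 500, False),          # other device, own history
    ("speaker-kitchen", 4300, 500, False),    # large order has aged out
]

def run_sample():
    check = DeviceVelocityCheck()
    return [check.evaluate(*order) for order in SAMPLE_ORDERS]

if __name__ == "__main__":
    for order, decision in zip(SAMPLE_ORDERS, run_sample()):
        print(order, "->", decision)
```

Keying the window on the device rather than the account means a single voice speaker placing a burst of orders is stepped up without adding friction to the cardholder's other devices.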
Issuers should play a role here, too. Consumers place their trust in their issuing banks as financial institutions and so tend to take issuers’ cautionary advice seriously. Issuers messaging cardholders and reminding them to regularly review their IoT devices and settings, for instance, could prevent some problems.
In this article, we learned how to identify IoT devices, as well as how fraudsters—and legitimate customers—abuse these devices to commit fraud. We also reviewed some of the tactics that you, the merchant, can deploy to help protect yourself against these losses.
The Internet of Things is a fascinating new frontier in commerce. However, transparency and understanding are going to be key to ensuring that IoT technologies remain an asset, rather than a threat source.