Solving for IoT security

What are the risks and responsibilities for payments?

It’s been called a game-changer and the next Industrial Revolution. It’s been heralded as possibly the most important technological innovation in history. It’s also a little hard to define. We’re talking, of course, about the Internet of Things (IoT).

Ask professionals from around the payments community for a definition of an IoT-based payment, and you’ll likely get varied responses. For some, it is the natural evolution of e-commerce; for others, it’s a distinct concept centered on how a purchase is initiated—by machine rather than man. Still others weigh whether the device fits the description of a traditional computer, which can get tricky considering that mobile electronics, such as tablets, essentially behave like computers.

Direct connection to the internet also seems to be a point of contention. For example, a purchase made with a smartwatch containing payment credentials over an NFC interface may or may not be considered an IoT-based payment, depending on whom you ask.

Even outside of the payments world, the definition of IoT in general remains fuzzy. The global professional engineering organization IEEE developed an 86-page “all-inclusive definition,” and the latest version resides on the organization’s IoT Initiative web portal as a “living document.” Visitors are invited to contribute to the “ever-changing definition of IoT” via the comments section.

Given the disparity in defining IoT, conversations about securing payments via IoT are equally diverse. Sources point to multiple risks and solutions, many of which are similar, or even identical, to those that the industry has discussed for years. They also offer up opinions about stakeholder education and the profession’s responsibility to be accountable for future products introduced in the market.

Inherent Risks

The October 2016 distributed denial of service (DDoS) attack on Dyn, a company that controls most of the internet’s domain name system infrastructure, arguably gave the general public its first glimpse into the breadth and depth of connected devices—and hackers’ ability to infiltrate on a broad scale. According to Dyn, a “significant volume of attack traffic originated from Mirai-based botnets,” which infected IoT devices around the world and ultimately led some of the most popular websites on the internet to go dark. Since then, security experts have detected “much other malware” targeting IoT devices, according to IT security and training firm Infosec Resources, which predicts that IoT botnets will grow in both number and maleficence.

The Dyn attack did not specifically target the payments system, and a May analysis from Aite Group says attempts to penetrate existing card-not-present platforms “will likely be no more (or less) successful than current hacks on payments.” However, with more than 28 billion devices expected to be connected by 2021, it is reasonable to assume payments’ vulnerability could increase as IoT scales, the payments ecosystem evolves, and new use cases emerge.

“The most significant risk from IoT, greater than the traditional risk of e- or m-commerce, is that the IoT is connecting billions of sensors, each with its own address,” says Thad Peterson, senior analyst with Aite Group and author of the report. “Many of these devices have default passwords installed, and those passwords are easily discovered by hackers,” he continues. The report also notes that millions of smaller sensors have no security at all—offering criminals the ability to hack one device to get to another.

The threat of using that connectivity to disrupt payments traffic in a Dyn-style DDoS attack is “significant,” says Troy Leach, chief technology officer of the PCI Security Standards Council. “That may lead to the inability to authenticate transactions online if a merchant or processor is being overwhelmed by malicious internet traffic.” Making matters worse, most of the exploited devices will reside in the consumer’s home and “entirely outside the control or ability for the merchant to secure,” he adds. The same can be said of poorly protected or unprotected Wi-Fi connections, which security professionals have long warned could be easy access points for hackers.

Peterson says that most of the overall IoT activity currently is at the enterprise and commercial levels where “there is a greater degree of consciousness about the inherent risks of IoT,” but he anticipates that will change as IoT becomes more pervasive in general commerce.

Mindset also concerns Sam Pfanstiel, ETA CPP, certified security professional and solution principal for Coalfire, an independent cybersecurity firm. “I think the biggest thing that separates Internet of Things as being a segment of risk is that these are generally purpose-built devices—devices that serve a particular function, and security is generally not that function,” he says. “If I’m building a child’s toy, I don’t see myself as being in the security business. I see myself being in the toy or entertainment business. Similarly, devices that perform payments as a secondary function—using tokens or third-party services—may think they are free from security responsibilities, but this is not the case.”

Instead, device manufacturers are focused on competitive advantage through speed to market or maximizing the user experience. “The last thing on my mind is going to be spending an extra six months on penetration testing, third-party vetting, lab testing. Those are the things that really ensure that I have not introduced a vulnerability into that device,” Pfanstiel explains.

Leach agrees that additional risk to payments exists if devices don’t incorporate solutions such as tokenization or encryption from the start: “Your refrigerator or washer may want to reorder products and can do so in a secure manner,” he says. “But again, if the design does not integrate payment security considerations to minimize risk, then cardholder data could be exposed.”

Authentication Problems

Regardless of how they define IoT, sources say that within the scope of payments, authentication is the single most critical security challenge facing the profession.

Tim Sherwin, CEO and co-founder of authentication solutions firm CardinalCommerce, says his firm is focused on ensuring transactions from IoT devices can be properly authenticated to avoid fraud and false positives. He explains that his team has already seen “challenges” stemming from internet-connected personal assistant devices, on-demand cable boxes, and gaming systems.

“Specifically, friendly fraud is an issue—when a child in the home orders something through a cable box that a parent didn’t authorize,” he says. “Makers of these devices have already put software in place to require a PIN or other code to prevent this. As these devices become more sophisticated and more prevalent, we can expect to see new challenges.”

Cardinal, which was acquired by Visa in February, is looking to the newest version of EMVCo’s 3-D Secure to address the issue and has built the new specs into its core product. The 2.0 version of 3DS was developed to “support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions,” according to the EMVCo website. Sherwin says the new specification “dramatically enhances the amount of data that is used to perform authentication. More data means more informed decision-making by both issuer and merchant, lower rates of fraud and false positives, and fewer challenges.”

In an automatic card-on-file scenario, the device, rather than the user, needs to identify itself, explains Philip Andreae, vice president of field marketing for OT-Morpho, a new digital security and identification technology firm resulting from the May merger of Oberthur Technologies and Safran Identity & Security. Shoring up device identity is “an emerging place,” he says. OT-Morpho supports the idea of embedding cryptography into device hardware—a secure element that already is used in mobile phones and payment cards. The firm is currently providing embedded secure elements to several luxury connected-car manufacturers, including Maserati and BMW, he says.

“When I boil it down, it’s this act of authentication, which we have to secure,” Andreae explains. “We have to do it in a convenient and secure way that cannot be spoofed, that cannot be replicated and used nefariously.”

When scaling for IoT growth, Andreae, who is secretary of the FIDO Alliance and who also led the team at Europay that developed the standards for EMV, suggests payments professionals look to standards such as WebAuthn, which the World Wide Web Consortium is developing to provide authentication in the internet space. “Then, I’d start looking at biometrics—because sometimes it’s not just the object that I want to authenticate; it’s the presence of the right individual,” he adds.
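The device identity Andreae describes, and the challenge-signature pattern that WebAuthn also builds on, sketched as an added example in Go (not code from the article or from OT-Morpho): the device holds a private key that in practice would live inside the secure element, signs a fresh nonce bound to the purchase, and the merchant side rejects a replayed or altered response. The device id, amount and message layout are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Verifier is the merchant/processor side: enrolled device public keys plus the
// challenges it has issued but not yet consumed (the private key never leaves the device).
type Verifier struct {
	devices map[string]ed25519.PublicKey
	pending map[string]bool
}
func NewVerifier(devices map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{devices, map[string]bool{}}
}
// Challenge hands out a fresh random nonce and records it as outstanding.
func (v *Verifier) Challenge() string {
	n := make([]byte, 16)
	rand.Read(n)
	nonce := fmt.Sprintf("%x", n)
	v.pending[nonce] = true
	return nonce
}
// Message binds nonce, device and amount so one signature cannot serve another purchase.
func Message(id, nonce string, amountCents int64) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", id, nonce, amountCents))
}
// Authenticate accepts a known device, an outstanding nonce and a valid signature,
// then consumes the nonce so a captured response cannot be replayed.
func (v *Verifier) Authenticate(id, nonce string, amountCents int64, sig []byte) error {
	pub, ok := v.devices[id]
	switch {
	case !ok:
		return fmt.Errorf("unknown device %q", id)
	case !v.pending[nonce]:
		return fmt.Errorf("nonce not outstanding: replay or forged challenge")
	case !ed25519.Verify(pub, Message(id, nonce, amountCents), sig):
		return fmt.Errorf("bad signature")
	}
	delete(v.pending, nonce)
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for secure-element provisioning
	v := NewVerifier(map[string]ed25519.PublicKey{"fridge-01": pub})
	nonce := v.Challenge()
	sig := ed25519.Sign(priv, Message("fridge-01", nonce, 1299))
	fmt.Println(v.Authenticate("fridge-01", nonce, 1299, sig), "|", v.Authenticate("fridge-01", nonce, 1299, sig))
}
```

The first call succeeds and the second, identical one fails, because the nonce was consumed; signing a different amount or presenting a nonce the verifier never issued fails the same way.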

Education and Accountability

Specific security solutions aside, sources agree that stakeholder knowledge is vital to the future of IoT security.

For its part, the PCI Council is partnering with industry organizations to help innovators and app developers better understand payments security. It is working on “software development practices to educate developers and demonstrate basic security principles are consistently being tested against software within all forms of devices,” says Leach.

The Council is concerned with current software practices—namely that most software is updated frequently, is highly customized, and relies heavily on open source. “These are challenges that really didn’t exist 10-12 years ago in payments before ‘smart’ technology” was common, Leach explains.

As a result, the Council is reevaluating its Payment Application Data Security Standard to account for new software lifecycles and agility while also ensuring “integrity and assurance exists for merchants and cardholders that entrust the application to be tested and protect against common threats,” says Leach. It will release more information about the new requirements in September.

Pfanstiel ponders self-regulation in terms of driving peer accountability. For example, an acquirer could require that devices used on its network adhere to a particular security framework. He also believes strongly in effective third-party risk management—“good vendor agreements, solid vetting, and contractual obligations for security that transcend some kind of arbitrary compliance” and cover appropriate attributes and attack vectors. The “risk of producing another DDoS attack like what happened to Dyn DNS last October—that’s huge. That affects the payments ecosystem as well as the entire internet. Just depends on who they want to target next,” he explains.

Consequently, education around multiple risk factors, “not just putting your blinders onto payments,” would be of value, Pfanstiel says.

Andreae believes strongly in educating stakeholders, too. He sees a void in “simple, easy-to-understand” communication efforts—particularly in the consumer media and among business executives and merchants—that adequately explain security concerns so that stakeholders demand it of their products. Even payments professionals who are not directly involved in the security function, such as those in sales and marketing positions, don’t fully appreciate the necessity of effective security measures. “We’re educating the people who can provide the answer [to IoT security problems], but we’re not educating the people who have to ask the question,” he says.

“There’s no one really that’s not to some degree responsible for the security of the installations that are being placed into the market,” Pfanstiel concludes. “Anyone who touches the payment stream is not only responsible for securing that data but also accountable for what happens to it.”

Josephine Rossi is editor of Transaction Trends. Reach her at