IoT, an explosion of connected possibilities
During the last few years the growth rate of IoT devices including sensors, actuators, vehicles, security cameras, home appliances, wearable technology and network devices has been unparalleled. In 2012 some relevant industry players speculated about the possibility of having over 1 trillion such devices in 2017. We are still far away from that prediction although the growth has been simply incredible.
By the end of 2017 the number of connected things had outnumbered the world’s population and, depending on the definition of connected device, the current count is somewhere between 8 billion (which doesn’t include smartphones, tablets, and computers) and 17 billion (with all such devices included).
Based on these trends, soon every device we own and nearly every object we can imagine will be connected to the Internet. We are going to reach a point where we will be asking ourselves why things are not connected to the Internet rather than why they are connected.
Regarding this IoT momentum, some experts argue that we have not even scratched the surface, that we are at the beginning of the beginning.
IoT applications in financial services
Sensors and connected devices can be very helpful for financial institutions to know more about their customers and to offer more personalized services, thus driving a better customer experience. IoT devices working together with big data and advanced analytics might be instrumental for banks in order to differentiate their already commoditized offers, allowing them to understand how, where and why their customers spend money, and their habits.
This insight will enable banks to present valuable and relevant real-time information to the customer, for example, location-based personalized offers.
Furthermore, it will be possible to assess the customer experience within the branches, including the waiting time, and to more easily identify a customer, making the experience more seamless, or a staff member, reducing the risk of insider fraud.
Or, when a consumer enters a car dealership, it may be possible for banks to alert the customer to how much financing they have been approved for, or to deliver customized loan proposals in a timely and convenient manner, driving an outstanding experience.
On the commercial banking side IoT devices could be used to track assets, for example in trade finance where banks could track raw materials and finished goods and use sensors and GPS to determine when payments should be issued and received.
Insurance is probably the most mature financial service to implement IoT. Data streams from home appliances and automotive sensors, wearables, healthcare specific devices, security cameras, industrial control systems, geographic information systems (GIS) providing climatological and hydrological data and multiple other sources can help grow new business, improve risk assessment and proactively engage policyholders in loss prevention.
Major security challenges
As we have seen, IoT is bringing tremendous opportunities to financial services, enabling innovative business models by leveraging new data streams.
Nevertheless, these opportunities do not come without risks.
Sensors and connected devices are being deployed faster than they can be adequately tested.
Security standards cannot keep pace with technology and, typically, if a new connected thing is cheaper, faster and better, it is on the market regardless of security or privacy issues.
There are several challenges impeding effective IoT security:
- IoT's fast growth prioritizes speed and fast deployment over security. Non-secure protocols are usually used, and non-encrypted data is common.
- Devices are frequently misplaced or misconfigured. If we asked CISOs how many IoT devices they have in their organizations, most of them would probably struggle to guess a number. While CISOs have tremendous experience and expertise in dealing with IT security and employing sophisticated tools to secure the perimeters of the enterprise, the nature of IoT devices and their scale present a multitude of unique threats.
- We trade security for usability: we are living in a plug-and-play generation. As a manufacturer, if your product doesn’t just work out of the box, it is unlikely anyone will buy it.
- We need to manage device updates, and to detect and manage vulnerabilities.
- The threat landscape is evolving quickly. Recent DDoS attacks have been caused, in part, by IoT devices, highlighting the need for vigilance with IoT security from devices through to IoT platforms. The attacks underline the importance of being able to view, manage and update IoT devices and firmware after the point of manufacture.
We need to make sure that these tiny things are designed with security in mind as a top priority. What we have learned from the latest DDoS attacks is that we need to find a way to prevent those devices from being a problem to the rest of us when they go rogue.
Recent attacks on financial institutions leveraging IoT
Recently, an increasing number of financial institutions and companies across all industries have been extorted by criminals and hackers. They either pay or their websites get crushed by violent DDoS attacks. Hackers, gangs and criminal organizations target financial institutions because they are quite profitable, and the thefts are greater with less effort. The impact of a DDoS attack on online banking can be significant and can amount to millions per hour.
There are reports showing that over fifty percent of financial institutions have been victims of a DDoS attack. Just imagine the damage and disruption to the organizations and their clients when the online banking services of a major bank are attacked for hours on a payday.
To achieve their goals, the hackers frequently use botnets: networks of private computers, devices or things, infected with malicious software and controlled as a group without the owners’ knowledge. These botnets are controlled using command and control (C&C) software and may include different types of devices like CCTV cameras, DVDs, home routers…
Targeting IoT devices makes sense considering that a botnet army of IoT devices could grow to massive proportions given the ubiquity of those devices, their quite limited security and the fact that many people never bother to change their default usernames and passwords.
Some of the most recent DDoS attacks on financial institutions using IoT devices are:
- Sberbank and Alfa Bank in 2016, leveraging an IoT botnet like Mirai to perpetrate the attacks.
- HSBC UK DDoS attack in January 2016. The attack came at an awkward time for banking customers on two fronts: first, it was a payday and secondly, it was just two days before the annual Jan. 31 tax payment deadline in the United Kingdom.
- Bank of America and Chase in January 2014
- Lloyds Banking Group, Halifax and Bank of Scotland, January 2017. It seems that the Mirai botnet was used in these attacks.
Potential solutions to address this increasingly concerning problem
Overall, it is important to build protection into the device itself, considering security early in the design. In particular, the following features should be taken into consideration:
- Support for secure boot and device tamper detection as well as secure code updates.
- Data security features, authentication and secure communications
- Protection against cyber-attacks, intrusion detection and security monitoring
- Embedded security management and integration with security management systems
IoT devices need to be secure before these tiny things have their first heartbeat online.