The Bank of Things – The Application of IoT in the Financial Sector
The Bank of Things – Put simply, the Internet of things (IoT) is the network of interrelated computing devices that connect and exchange data with one another via the Internet.
Comprised of billions of devices that transcend every major industry and shape each aspect of our lives, facilitating everything from credit card payments to the reduction of pollution in major cities, it is not hard to see why the IoT has become such a hot buzzword in recent years.
By 2020, it is predicted that there will be 26 billion connected devices globally- a 30-fold increase from 2009.
This exponential increase in the number of IoT devices will produce an incalculable rise in the number of interactions, transactions and exchanges, and a virtually endless number of possibilities and opportunities, which we may not be able to fathom or control.
However, herein this limitless exchange of information and data lies comparably limitless challenges and vulnerabilities.
The Positives and Negatives of IoT:
The power of the IoT is a double-edged sword. The very ubiquity and interconnectedness that make it so powerful and effective are the same characteristics that make it so susceptible- there are billions of devices and therefore billions of attack paths for security threats. If everything becomes “smart”- our homes, cars, offices, cities- as some commentators hypothesise/ predict, then every aspect of our lives is at risk of being hacked or breached.
The Bank of Things
As an industry that trades in the intangible, from the exchange of long-term stock assets to enabling online payments of consumer goods, the financial services industry (FSI) may not seem directly associated with something tangible like the Internet of things. However, the transformational impact and optimisation of IoT devices is no more apparent than in the worlds of commerce and investment. The intrinsic value of the IoT lies in the transmission of data, which the FSI requires to gather, exchange and analyse information- or in other words, function.
In the FSI the bank of things (which makes the very apt acronym “BoT”) is the material infrastructure that facilitates the billions of data transfers that take place every day. It enables insurance companies to collect and share data with customers about their insured goods in real time, allows consumers to make instant contactless payments and provides the framework for retail banks to collect information on each customer that enters one of their locations.
The most notable and well-documented example of investment in the IoT infrastructure has been by retail banks.
To create an optimally convenient consumer experience, they have invested growing amounts of revenue into connective technologies- otherwise known as “fintech”- that make payment transactions and transfers the seamless processes that we know and use today. Mark Barnett, Mastercard’s President for UK & Ireland, predicts that cash will become obsolete in the UK within the next five years as these technologies become even more efficient and more accessible as the range of connective payment devices increases and diversifies. In 2014, electronic payments overtook cash payments by volume in the UK for the first time. Eventually, it is believed, tangible forms of money will become extinct and looked back on as anachronistic and superfluous.
However, banks and FSIs are under an increasing amount of scrutiny for their failure to maintain sufficient levels of customer service and defend against and respond to cyber-attacks. One of the main reasons for this is the susceptibility of fintech devices and networks to malfunctioning. In June this year, Visa payment systems crashed throughout Europe, preventing millions of customers from being able to use card readers to pay for goods. Although Visa reported there was no malicious attack involved in the hardware failure, the incident demonstrated how dramatic, wide-ranging and economically detrimental the structural collapse of an IoT infrastructure can be, especially in the FSI.
Another concern is that IoT devices are not protected by design. As there is no standard of compliance to safeguard against cyber threats in the manufacturing process, they are often shipped and distributed as hackable devices, and financial organisations have no means of securing them. Therefore, financial products, that are used to transfer money and personal data, are very convenient and attractive attack surfaces for cybercriminals. Once one insecure device is breached, the data within its wider network can be accessed and stolen. Put simply, they are an “open door:” inviting hackers to scan networks, install malware, conduct reconnaissance, and seamlessly exfiltrate data by bypassing other security mechanisms. Their prominence within the FSI puts the data of every consumer at risk.
Moreover, IoT devices can be exposed through their cloud or web application services, as very often, they are not adequately secured. The wireless networks surrounding IoT devices are also highly unprotected (WPA2 vulnerabilities, for example). Wireless infrastructures are highly sensitive, especially where multiple devices from multiple vendors/users are concerned. They can be used to penetrate an employee’s device, and their organisations network, anywhere the employee might be using a Wi-Fi hotspot. This happened to the Chief Executive of a New York tech company recently, when his computer was infiltrated and forced to pay a digital currency called Monero, demonstrating the vulnerability of IoT devices throughout the world. Billions of consumers are connected to public Wi-Fi each day, thousands, if not millions, of which could work for large financial organisations.
You Need to Protect Your Assets and Airspace from IoT attacks
The power of IoT devices is boundless. However, so too is their vulnerability. Within the FSI, this frailty is compounded by the out-dated and complex systems that shape it. These systems possess swathes of highly sensitive and valuable consumer information that can reap significant rewards for hackers. More and more of this data will continue to be generated, and become increasingly accessible and desirable, as the number of connected devices, users and interactions grows at an exponential rate. Therefore, organisations must figure out a way to store, track and protect it, and quickly.
An additional aspect is that IoT devices are often “invisible”; we tend to forget about them and the device manufacturers are not cybersecurity experts, so trusting the system/device itself to be secured is a problem. Let’s say there is a vulnerability and something needs to be updated; in many cases, organizations will skip the updates because it may put the operation at risk or could cost a lot of money to arrange a shutdown.
We have seen organizations investing a lot of money in mechanisms to protect their networks, perimeters and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment. However, organizations are unaware that it’s not only the corporate network that is in danger; its airspace is also under threat. Hackers can connect via P2P directly to these assets and, from there, get into the corporate network.
What is needed is a defence that quickly and easily identifies, monitors and protects all the smart connected devices operating in and around your business. This dedicated cybersecurity solution needs to monitor both the IoT device and its activity 24 x 7, and neutralize the threat. By doing this, an organization will be able to detect when and which devices are at risk, as well as mitigate the threat in real time without physically looking for it. The answer does not lie within the device itself, but with a solution that brings your Security Operations Team visibility and control.
Security should be done from outside the organization’s operational network or infrastructure by dedicated security staff so they can ensure there is the right solution in place without having to trust the infrastructure or operational network itself.
- Know what and where each IoT/connected device is.
- Have continuous visibility (24×7), not a onetime scan, update or patch.
- Understand the risk level of each device is to your network.
- Mitigate as soon as a negative behavior is discovered.
- Be able to build their policy. Enabling the organization to take control and set what behavior it allows and doesn’t allow. This level of security required will be different for each organization – what is allowed in one company, may be disabled in another.
Organization need to understand that the threat landscape has changed , there are billions of devices out there and each one is different.
You can’t use the old way of detecting signatures of attacks or looking for vulnerabilities.
You have to be smarter and use the next generation defense methods based on sophisticated machine learning, behavioural analysis and anomaly detection technologies combined with big-data science in order to meet the challenges of IoT and connected devices pose to Cybersecurity.