The proliferation of smart watches, voice commerce, and vehicle-based payments has merchants abuzz about the potential for making purchases more convenient. But securing these payments is a scattershot affair, with each provider wielding its own protocols, attendees learned at the CNP Expo this week in Orlando, Fla.
Payments companies welcome the ability to accept payments where transactions were not formerly possible. But criminals like this development, too.
Criminals already have used Internet of Things devices to wreak havoc. An IoT-connected refrigerator was used as a proxy network device in 2014, said Bernard McManus, senior director of global fraud strategy at Sony Interactive Entertainment, the San Mateo, Calif.-based enterprise that handles authentication and other services for the electronics giant Sony. “It’s just another computer,” he said of the refrigerator. In general, IoT devices lack what McManus calls “good security.”
Part of the difficulty in securing IoT devices is ensuring the legitimacy of the user, especially when billions of pieces of genuine data about consumers are so readily available to criminals.
It’s about “trying to understand who is a good consumer and who are not good consumers,” said Chris Marchand, vice president of business development at Los Angeles-based Verifi Inc., a fraud-prevention company. “When you get to IoT, it’s not as much about disruption as it is about going to grab the most vulnerable thing a merchant has, which is the data.”
Criminals who successfully infiltrate a merchant’s protective layers and extract data can use that data, and other information they’ve obtained, to reassemble a consumer, he says. “They use real data to commit fraud, which will go undetected for a while,” Marchand adds.
For payments providers and merchants connected to payments on IoT devices, the concern is authenticating the user. Accomplishing that on a desktop browser or even a mobile one is easier than on most IoT devices.
McManus, in describing an IoT-enabled printer, said the small screen on the device does not afford the same user interface that many consumers might be used to. “The user interface for IoT is so much harder,” he says. “They’re struggling with that,” he says of device makers.
“As you add a new device there should be some type of process to authenticate a consumer so your organization can develop a comfort level with that device,” Marchand said.
One way to do that is to ship the IoT device preconfigured for the user, says Brendon Paquin, senior product manager of merchant-fraud management at Worldpay Inc., the Symmes Township, Ohio-based processor.
Consider an e-book reader, he said. The provider and the consumer both need to give approval for the consumer’s content to be loaded onto the device. But before that is done, the provider should have a customer profile with a list of the customer’s devices.
Until better security protocols for IoT devices are commonplace, providers can help mitigate some of the fraud potential with good device management, McManus said. “Give [consumers] the ability to disconnect devices from their profiles,” he says. “If you’re going to ship an IoT device, have it pre-set up for the account.”
Doing so ensures that once the device is activated, the provider can be confident about the identity of the user, he said. “You know it’s a device ordered by Bernard,” McManus said.