Several new and intriguing ways of authenticating identity from IoT and mobile devices were on display at the CyberTech TLV conference in Israel at the end of last month. Behind all the innovative ways of determining identity lies the notion that personally identifiable information (PII) on humans is no longer necessary or even desirable for security purposes – a message to which the world is increasingly becoming receptive.
One area that desperately needs a secure, human-less manner of authenticating identity is the Internet of Things (IoT). Today, it is possible for any of your IoT-enabled home devices to make autonomous purchases on your behalf. For example, think of a smart refrigerator automatically ordering groceries to be delivered to your house when you are running low on basic necessities. There is no real human behind this kind of financial transaction, so how can the credit card companies verify that the transaction is legitimate and not made by a fraudster who has hacked into your refrigerator? Are the credit card companies even aware of this problem yet?
“There are no real breakdowns for fraud via IoT devices because from the perspective of the credit card companies there is no difference between this type of fraud and those initiated by humans,” says Leonid Cooperman, co-founder of the startup IXDen.
So how big is the problem? No one really knows. However, IXDen estimates that just the U.S. payment volume for smart home appliances will reach $6 billion by 2022. If that’s the case, payments fraud for IoT devices is likely to become a rapidly growing problem as the fraudsters adapt to the growing opportunities to make money in this new field of payments.
Securing IoT financial transactions
Payments security today for regular credit card purchases made online uses identity data about the card’s owner, along with a basic identity fingerprint of the mobile device the card owner uses, to detect fraud. For example, the more advanced behavioral biometric solutions currently on the market detect how you make an order and interact with your screen to determine whether it’s really you placing the order. A basic device-based fingerprint, such as the model and operating system of your smartphone, may also be used to determine whether someone has stolen your credit card details and is using them on a device not previously associated with you. However, with IoT purchases there is no human interaction at all, and the device that normally makes purchases on your behalf is the very thing that has been compromised.
IXDen’s identity solution addresses this problem by essentially turning the device fingerprint used today from a static piece of identity into a dynamic one. Instead of just fingerprinting some basic, unchanging details of your IoT device, IXDen uses the readings from the many different sensors in your IoT device to create a unique and changing identity for that device.
“This means the identity of your device is changing for each and every transaction,” says Cooperman. “Because this identity can change any second, it cannot be authenticated in the standard way. Instead, we developed special mathematics to compile those identities using methods from typology, artificial intelligence, statistical analysis and behavioral analysis.”
One of the major credit card networks is already working with IXDen on a proof-of-concept to secure this new area from attack. It’s probably still a few years before this type of technology is widely adopted, but expect to hear more announcements from credit card companies and acquirer banks about IoT payments and fraud solutions in the year ahead.
Foiling SIM swap fraud with identity data
One thing that became increasingly apparent last year is the problem with using PII to secure accounts against fraudsters, as SIM swap fraud has become more prevalent. Today, it doesn’t take much more than a clean SIM card and a call to your telecom provider for a fraudster to take over not just your phone, but your bank account, your Netflix account and a lot of other services for which you use your phone as the second factor in two-factor authentication.
Why does this form of fraud work if you are required to authenticate your identity on your smartphone using a swipe or a selfie? Because you aren’t actually required to use biometric authentication to get access to your smartphone. There is always an option to revert to a password or a code provided via two-factor authentication.
“Biometric authentication is more of an issue of convenience when you authenticate for the first time,” says Yossi Geller, VP of Marketing at Paygilant. “The problem from a security perspective is that there is always a fallback to passwords and the fraudster will just say ‘I’m not gonna use my finger.’ Although biometrics look very cool and work well in movies, it doesn’t really impact the security of payments.”
Paygilant is a company that is less than two years old and was founded by ex-Trusteer employees. Trusteer was a startup that specialized in cybersecurity endpoint protection for large enterprises, such as financial institutions. It was acquired by IBM in 2013 for close to $1 billion.
One technical solution to the problem posed by SIM swap fraud is fairly straightforward: get device data on your SIM card as well as your smartphone to detect suspicious changes as they are happening.
“We get indications of what that SIM is doing in different stages of the user journey, and we can see if it’s acting in a suspicious fashion,” says Geller. “We can see if the device has used multiple SIM cards or if there have been multiple enrollments in various applications using the same SIM.”
Paygilant’s SIM card data is part of a much larger risk scoring system it calls contextual multi-dimensional authentication (CMDA). Essentially, the company is offering a system that incorporates the most advanced form of three different data flows currently used by different authentication solutions on the market: device data, behavioral biometrics and transaction data.
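As an added illustration of the SIM-binding checks described above (this is not Paygilant’s code; the event log, identifiers, action names and the one-hour window are constructed assumptions), the following flags devices that have used multiple SIMs, SIMs enrolled in multiple applications, and sensitive actions that follow a SIM change within a short window:

```python
"""Toy SIM-binding checks over a constructed device/SIM event log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, device_id, sim_id, app, action).
# All identifiers are made up for illustration.
EVENTS = [
    ("2020-02-01T09:00:00", "dev-A", "sim-111", "bank", "login"),
    ("2020-02-01T09:05:00", "dev-A", "sim-111", "bank", "payment"),
    ("2020-02-03T14:00:00", "dev-A", "sim-999", "bank", "login"),      # SIM changed on dev-A
    ("2020-02-03T14:02:00", "dev-A", "sim-999", "bank", "enrol_2fa"),  # sensitive action right after
    ("2020-02-03T15:00:00", "dev-B", "sim-999", "streaming", "enrol_2fa"),
    ("2020-02-03T15:10:00", "dev-B", "sim-999", "wallet", "enrol_2fa"),
    ("2020-02-04T08:00:00", "dev-C", "sim-222", "bank", "login"),
]

# Actions that a fraudster would want to perform soon after a SIM swap (assumed set).
SENSITIVE = {"enrol_2fa", "payment", "password_reset"}


def parse(events):
    """Convert timestamps to datetime and order events chronologically."""
    return sorted((datetime.fromisoformat(t), d, s, a, act) for t, d, s, a, act in events)


def devices_with_multiple_sims(events):
    """Devices that have been observed with more than one SIM."""
    seen = defaultdict(set)
    for _, dev, sim, _, _ in events:
        seen[dev].add(sim)
    return {dev: sims for dev, sims in seen.items() if len(sims) > 1}


def sims_with_multiple_enrollments(events):
    """SIMs used to enrol in more than one application."""
    apps = defaultdict(set)
    for _, _, sim, app, action in events:
        if action == "enrol_2fa":
            apps[sim].add(app)
    return {sim: a for sim, a in apps.items() if len(a) > 1}


def sensitive_actions_after_sim_change(events, window=timedelta(hours=1)):
    """Alert when a device's SIM changes and a sensitive action follows within `window`."""
    last_sim, changed_at, alerts = {}, {}, []
    for ts, dev, sim, app, action in parse(events):
        if dev in last_sim and last_sim[dev] != sim:
            changed_at[dev] = ts  # record the moment the device/SIM binding changed
        last_sim[dev] = sim
        if action in SENSITIVE and dev in changed_at and ts - changed_at[dev] <= window:
            alerts.append((dev, sim, app, action))
    return alerts
```

On the sample log, only dev-A trips the SIM-change alert; dev-B never changed SIM, but sim-999 is flagged for enrolling in three different applications.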
What is clear is that the concept of identity in financial transactions is moving beyond humans and focusing increasingly on machines.
This article was originally published on About-Fraud’s partner website FraudBeat.