Security and standardization can be too much of a good thing for burgeoning industries that rely on innovation to drive them forward. However, not enough of either can leave doors wide open and result in costly incidents that derail even the most streamlined companies from their paths to market prominence.
Finding the middle ground between the two is essential, especially as retail becomes inundated with payments terminals and in-store technology enabled by the Internet of Things. Creditcall CEO Lars D. Pedersen shared his thoughts with PYMNTS CEO Karen Webster on what that might look like – and why it’s not the smartest idea to throw everything under the IoT umbrella if the goal is seamless, user-focused security.
KW: In today’s IoT marketplace, manufacturers are taking a user experience first approach and placing security and privacy on the back burner. With an expected 30 billion connected devices by 2020, how should IoT companies evolve their thought process to become proactive instead of reactive when it comes to consumer security and privacy?
LP: One question of course is how do you handle security and privacy in the IoT context. The other key question is how do you handle payments across an installed base of potentially millions or even tens of millions of devices? In terms of payments, it’s something that I started wondering about shortly after joining Creditcall. Nobody had really thought about IoT and payments, but a lot of things have happened over the last 24 months in terms of it really becoming a topic within the payments world. In many ways, I was a little bit early, but I spent quite some time figuring out where this can actually apply to someone like us as a payment gateway versus subscription billing platforms. If you look at those different types of payments, I believe most of what we will see in IoT is the monthly subscription-type payment — you have a particular service you subscribe to and then you pay for that on a monthly basis – in this case it is not that difficult to scale because it’s not that many transactions.
Of course, there are cases where it’s more real-time. For instance, you’re driving your car and you’re looking for a place to park, and your passenger is looking through a phone to see where parking lots are and you’ll make a payment at that point in time with your phone or connected car. Obviously, that type of payment is happening today and we’re seeing that in the market already.
Another thing we’re already seeing is kiosks and vending machines – stationary pay points, which is very much something we do at Creditcall and in many ways we’ve done IoT for a number of years.
So yes, you can do it even with this very vast scale because a good chunk of it will be on a per month basis.
KW: Connecting a single user to a single device provides the ability to set up very secure connection validators, but what threats are created when you have millions of users connecting to a single IoT device? Adding to that are there different risk profiles that need to be established depending on the industry — or should we just develop a universal standard?
LP: The security question is entirely different. In many ways, it’s a bit scary. Of course, everyone is very excited about the market, but you don’t hear a lot of security and privacy. Most of these devices are computing devices or computing-like devices, and that’s familiar territory for a lot of antivirus and firewall solutions. A lot of those solutions are available already, and of course it’s more a question of “Can you actually make an instance that’s cheap enough to warrant it being on a $10 device?” It becomes an economic challenge whether it makes sense or not.
But that only really addresses half the problem. There are two different types of solutions that you need. First, you need to prevent anyone from gaining access or using devices as access points into a bigger network. More or less, these are available. The other type that’s not available but is coming very soon is solutions that can guarantee or ensure that the device is the device you think it is in the first place so you don’t have people connecting rogue devices on the network. What’s interesting about that particular challenge is that we’ve been doing that in payments for years. You want to make sure a payment terminal is that particular terminal and it’s communicating with a particular bank on the other end, so you inject secure keys into the terminal, which is used to unlock the communications, so to speak. The same thing can be done with IoT devices.
KW: Moving on to specific use cases, beacon-enabled digital signage allows marketers the ability to place a true ROI on their campaign, tracing the user’s path to purchase following an impression of that digital advertisement. To go a step further they soon will be able to adapt that the digital marketing campaign to a specific user passing by based off their smartphone’s history through the use of stored cookies. Knowing this, what security threats do you foresee with the growth of these connected marketing strategies? Are there open ports that are not being properly secured?
LP: If you have a user experience-focused developer, he or she will focus on connecting everything to everything else. It provides for a lot of flexibility and features and richness. On the other hand, if you have a security-focused developer, that person will only want to connect the pieces that absolutely need to be, and the ones that don’t really should not be connected. In the specific case of [Chris Roberts’ alleged 2015 hack of a United plane through the in-flight entertainment system], the obvious question is, “Why can you gain access to engine controls through the in-flight entertainment box under the seat?” They should be completely disconnected and operated as two separate systems.
It’s definitely of great concern. The other thing that you should bear in mind is if you look at most of the breaches that we’ve seen in payments in our part of the world, some say around 30 percent have been caused or influenced or participated in by so-called “insiders” — people who worked for the company that suffered the breach. Imagine a company with hundreds or thousands of installation technicians installing devices all over the place, unsupervised. Just imagine what some of them — let alone other people — can do. That’s why I’m so keen on using the key injection principle used in payments to solve this problem.
By the way, part of the problem we’re dealing with is that IoT as a concept is too broad. You throw in all those 30 billion devices under the umbrella of IoT. Maybe it’s 20 million vending machines, 100 million cars and so on and so forth. But within each different application area that belong to separate industry sectors, there needs to be some standardization. You can’t standardize across IoT. The automobile industry needs to come up with some security equivalent of a five-star crash rating. What pertains to autonomous vehicles will not necessarily pertain to smart refrigerators.
KW: Cutting-edge retail technologies such as magic mirrors are allowing brick-and-mortar locations to slim down on their in-store inventory and allow customers to virtually try on clothing and then sync, order and ship via their smartphone. This is currently in the small-scale pilot stages, which is the perfect opportunity for retailers to make changes to their risk management and authenticators. How do you see emerging consumer security technologies being used to authenticate these magic mirrors eliminating friction and false declines?
LP: That would be great and would be good for commerce, but some standardization is needed also in this area. My personal opinion on standardization is that it’s good, but too much is bad and too early is also bad. As always, it’s a compromise between innovation and standardization. As soon as you start to standardize, you tend to favor the larger incumbents in an industry, and the smaller, more agile, very innovative companies with their own ideas will not have influence on the standards. As such, they won’t even try to enter a market because they know there’s a standard coming they’ll have no input into.
What we’ve seen in payments with all these types of ideas and technologies and new business mushrooming all over the place is great. If payments was more standardized, you wouldn’t be seeing that. For some of the very new things like new ways of authentication which could be in the context of magic mirrors, as you mentioned. Some and more standardization is needed than we have today. But I do still believe security needs to be handled within sectors. It cannot be a general IoT thing, because the industry sectors are just too different.
KW: We’ve talked a lot about security, but the flip side of security is privacy. You made the point that being driven by the user experience will lead to connecting all devices to eliminate friction, but if you look at it from the consumer perspective, the potential problem is they don’t actually know how much of their data is being used and consumed by whom because so much is happening without context. How should we think about that dimension of IoT?
LP: It does need to be reined in. It’s a little bit out of control right now, in my opinion. Just like we talked about the balance between standardization and innovation needs to be different than it is now, I would say it’s the same between commerce on the one side and security or privacy on the other side. Yes, of course, we absolutely want all this and it’s great and drives economies, but at the same time, it needs to be somewhat reined in. I do believe that markets are best off operating freely initially with very little standardization and control, but there comes a time when you need to rein it in a bit.
I think we are all a little bit freaked out at times at the online experience; where did that come from? How do they know that about me? We all get those experiences, and it’s probably OK as it is now, but what if it gets a whole lot worse? … It might be a controversial statement, but it doesn’t really make sense to have a whole lot of commerce where you just have a competition on who can leverage your identity the best at the expense of your privacy. Then the balance between commerce and privacy is off.
I think security should be improved, definitely, and I do believe in free markets and all that stuff, but for sakes of privacy we don’t have it right yet.
KW: As we think about this brave new world where there is this technology taking us to lots of different places where data can be accessed and commerce can happen, in your mind, have we done this before in other areas and can we learn something from that?
LP: I think to some degree, yes. It’s a continuous evolution that some say started with the Internet. We’ll probably see something similar, but it will move a lot faster. Technology tends to be exponential in its rate of change, so I would expect this to happen faster than before. As with all technology, it’s an accumulation of knowledge, and it’s a collective accumulation. That’s why its exponential, so I do expect us to be able to learn a lot from what has happened before, but it will likely play out very differently than the Internet.