Thwarting Fraud In The Complex IoT Age

IoT Security At Black Hat Conference

Last week’s global cyberattack on hundreds of thousands of smart devices set a ginormous spotlight on the vulnerability around IoT. And it has companies scrambling on defense, perhaps more than ever before. The October edition of the Internet of Things Tracker™ features interviews with Randy Vanderhoof of Smart Card Alliance and Accenture’s Willy Dommen about how companies are looking to protect customer data. That, and a directory featuring 74 providers from around the IoT space, in the Tracker.

With fraud expected to hit $7.2 billion by 2020, companies — particularly eCommerce retailers — are considering mobile and online innovations in payments and IoT security technology to help thwart cyberattacks. This seems especially pertinent these days after hundreds of thousands of smart devices were recently exposed to a global distributed denial-of-service cyberattack.

According to LexisNexis research, card-not-present fraud losses alone are forecasted to increase by $3.2 billion over the next four years. And while fraud can be costly, it can be downright devastating for companies that choose to do nothing about it. According to data from Kount, a fraud and risk management solutions provider, merchants bleed $2.27 for every dollar lost to eCommerce fraud.

With every run-of-the-mill household device seemingly connecting to the commerce-enabled IoT network, the risk is now even bigger. PYMNTS spoke with Randy Vanderhoof, executive director of Smart Card Alliance, and Willy Dommen, regional transportation lead for the North American division at Accenture, about how companies are looking to protect customer data in the age of IoT technology.

Striking a balance

Given how ubiquitous IoT devices are in today’s marketplace, safeguarding all forms of data is critically important to merchants.

Retail industry merchants don’t just have to protect payment data of their customers for the sake of their own business reputation, Vanderhoof said, but they also must ensure that their customers have a sense of safety and security. For merchants, this is no easy feat to achieve. Many of them struggle to provide security to their customers, especially when they are exposed to innovative technology and new payment solutions, he said.

“Retailers are very concerned when new technology is introduced and offered to consumers,” he said. “They are being hit with a wave of new technologies around payments, and it’s very difficult for retailers to keep up because they’re not in the business of payments — they’re in the business of providing products, goods and a good consumer experience in their stores.”

This often leaves them torn between providing their customers with a relevant and positive shopping experience and offering a range of payment methods that consumers want to use at checkout.

No matter what retailers ultimately choose for their payment and security platforms, there are several variables that need to be taken into consideration, Vanderhoof said.

“What we’ve seen is merchants taking a fairly cautious approach to the innovations that are coming around IoT-connected devices and looking at them very carefully,” he said, adding that retailers take into consideration the affordability of investing in new technology and also determining whether a new payment offering is secure enough to be extended to their customers. “All of those factors go into the retail industry’s view of IoT security architecture and implementation,” he added.

When retailers do opt for a technological upgrade, a significant amount of work goes into locking down their payments infrastructure through encryption technology and tokenization to protect the vulnerable payment data, Vanderhoof said.

“Data breaches are a significant fear for all retailers, and we’ve seen them really being attacked by a variety of means [at] their physical in-store channels, as well as their online or eCommerce channels,” he said. “Even if there is a data breach and someone is able to penetrate the network, they’re not going to be able to extract data that could then be used to commit payment fraud.”

IoT growing pains

With new IoT products being introduced in the market every day, the underlying technology is still going through a considerable amount of startup-level experimentation, Vanderhoof said. Since many technologies being proposed won’t receive broad consumer adoption, it can be difficult for merchants to determine the next big thing for which they need to be prepared, he said.

“The challenge for retailers is to be smart about not chasing the shiny new object every time but instead actually doing their research, knowing their customers and understanding how they might interact with these new technologies before they make a significant investment in them,” he said.

When it comes to making major progress in the technology area, the digitization of payment credentials is one example, especially after they were integrated into mobile phones, Vanderhoof said.

Connected car payments?

Aside from digitization of payment credentials, Vanderhoof said he believes the connected car is among the most fascinating IoT concepts from a standpoint of sheer possibilities.

Dommen agreed, saying that the prospect of being able to drive a car up to a gas station, buy fuel and have the car communicate the payment information to the pump is an interesting value proposition for merchants.

The car-as-a-payment-method concept should also appeal to consumers who want that level of speed and convenience and don’t want to be inconvenienced by having to walk into a store, wait in line and then make a traditional-style payment, he added.

Dommen, who is directly involved in the electronic tolling and fare payments systems for Accenture, considers payments from an automobile to be the best example of IoT tech being brought from conceptualization to realization.

Accenture conducted a pilot program where a car was turned into a payment device (the payment credential was embedded into the car), Dommen explained. A parking meter could read the device through the use of sensors, and then, when a driver parked at a specific location, the payment was made automatically, he said.

The security requirements that exist for conducting a contactless transaction, whether that’s using the NFC in a mobile phone, in card emulation mode or using a contactless card, would then also apply to that transaction between the car and the parking meter, Dommen said. “You just need to build in the security mechanisms that already exist,” he added.

Accenture integrates commercial off-the-shelf enterprise resource planning solutions to provide the payment mechanism in both of those areas, Dommen said. Where IoT is concerned, the technology offers companies the ability to collect data they didn’t have before and also allows them to remotely interact with smart devices, he said.

IoT and the road to secure payments

With an eye toward the future of connected devices, IoT innovations and protecting consumers from payment fraud, Vanderhoof said he would like to see the major credit card companies continue to lead the way forward in these areas.

“They should really be at the forefront of making sure that, when they enable consumers or devices to be able to interact with the payments ecosystem, they’re doing it in a way that maintains the existing security that exists in other forms of payment,” he said, noting how digital wallets are one example of mobile payments are being made by smartphones.

Mobile devices can now take a secure payment credential from a financial institution and have it added to their mobile wallet, which can be safely used at a retail store or via an in-app application, Vanderhoof said. In some circumstances, the mobile devices themselves can participate in that transaction by using biometrics, like a fingerprint on a smartphone or some of the even newer technology by Visa and Mastercard that uses facial or vocal recognition, he added.

“These are all steps forward that are going to ensure that, as IoT-based payment solutions enter the marketplace, they’re backed by a technology that’s not going to make those payment transactions more vulnerable than they would have if they were face-to-face transactions with a consumer card at a physical merchant location,” Vanderhoof said.

With all of the new and interesting options available to merchants, they need to ensure that they protect their most important asset: their consumers. Fortunately, technology exists and continues to hit the market to help them with this, one purchase at a time. Merchants and credit card companies need to be ready — and willing — to implement it.

To download the October edition of the PYMNTS.com Internet of Things Tracker™, click the button below…

Can Tenacious D In The IoT Age Possibly Thwart Fraud?

About The Tracker

The PYMNTS.com Internet of Things Tracker showcases companies that are leading the way in all aspects of the Internet of Things. Every month, the Tracker looks at what these companies are doing across the ecosystem and in six categories: Devices, Infrastructure, Payments, Security, Software and Data.