Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 1, 2018
Safeguarding Things When They’re All Connected
In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.
- Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
- Check with reliable product review sites to see what others have to say about the product’s security features.
- If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.
- Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
- Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
- Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
- Register your device with the manufacturer to be notified of security updates or recalls.
- Add the device to your separate network if available.
If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.
We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.
By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- In Payments, What I Say May Not Match What I Do
- Organizational Muscle Memory and the Right of Boom
- Remote Card Fraud: A Growing Concern
- Three Views of Noncash Payments Fraud
- An Ounce of Prevention
- Safeguarding Things When They’re All Connected
- Racing Ahead in the Wireless Space
- Insuring against Business Email Compromise Fraud
- The Case of the Disappearing ATM
- The First Step in Risk Management
- November 2018
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud