About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

July 1, 2019


Ransomware: Hopefully Not Coming Soon to a Computer Near You

In March 2018, the city of Atlanta fell victim to a ransomware attack. Criminals gained access to the city's computer network and loaded SamSam Ransomware, a malicious software. The criminals demanded a payment of approximately $51,000 in virtual currency to provide the decryption keys necessary to regain access to the infected and locked systems. The attack laid siege to the city by rendering police, utility billing, traffic court, and other systems unusable. The city refused to pay the ransom, and has since spent at least $6 million in forensic and remediation work with as much as an additional $11 million earmarked for system upgrades and other resources to combat future attacks.

Ransomware attacks have been a growing threat. While studies such as the Symantec Internet Threat Security Report  show that the overall incident rate has decreased slightly, they also indicate that the range of targets has shifted. From 2013 until last year, consumers were the most frequent targets, with ransom requests in the hundreds of dollars. In the early years of these attacks, individuals would get a message that their computers had been infected and they had to pay a fee to download a fix. In many cases, the infection claim was false. Beginning in 2018, businesses—including municipalities, hospitals, and health care networks—have become primary targets, with ransom demands in the tens or hundreds of thousands of dollars. Typically, the criminals demand that the ransom be paid in cryptocurrency (nearly always bitcoin). As in the Atlanta case, these attacks often prevent customers from making payments, whether for traffic violations, business permits, or even marriage licenses.

Should ransomware targets pay the ransom? Law enforcement communities officially say "no." In some cases, when victims pay the ransom, they never receive the decryption keys to regain access to their data, or the keys don't work. There is concern that payments only encourage the criminals to commit further attacks, sometimes against the same business and demanding additional money. It is not illegal for a business to make ransomware payments, and many, including Newark, New Jersey ($30,000), have done so.

Is your computer or network prepared to defend against such an attack? Ransomware attacks typically exploit weak passwords or known security vulnerabilities in applications and operating systems. But a common entry point is through phishing of an employee to compromise legitimate system access credentials. As in business email compromise, the criminal conducts surveillance to learn about the different systems in operation and plans the initial attack to have the greatest possible impact. As we have stressed so often, prevention starts with employee education and the adoption of security best practices. In a future post, I will write about more prevention and mitigation best practices.

As for the Atlanta ransomware attack, last December, a federal grand jury returned indictments against two foreign nationals for the attack. The grand jury indicated these two people were also behind the April 2017 attack on Newark, New Jersey. There was hope in the law enforcement and cybersecurity communities that the arrest of these individuals would dampen enthusiasm for this threat vector, but attacks this year against Akron, Ohio (January), Albany, New York (March), and Baltimore, Maryland (May) suggest otherwise. None of these cities made any ransom payments.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 1, 2019 in cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 29, 2019


Next-Gen Security

In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.

I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:

  • The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
  • The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
  • In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.

I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).

When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.

What is your bank doing to educate the next gen of security ninjas?

April 29, 2019 in consumer fraud, consumer protection, cybersecurity, identity theft, payments fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 8, 2019


Insuring Against Cyber Loss

Over the last few months, my colleagues and I have had multiple speaking engagements and discussions with banking and payments professionals on the topic of business email compromise (BEC). Generally, these discussions lead to talk about a risk management strategy or approach for this large, and growing, type of scam. One way some companies and financial institutions are mitigating their risk of financial loss to BEC and other cyber-related events is through a cyber-risk insurance policy. In a recent conversation, someone told me their cyber-insurance carrier mandates that they get an outside firm to audit and assess their cybersecurity strategy and practices, or they risk losing coverage.

According to a recent Wall Street Journal article, some large insurers are even going a step further and collaborating with each other to offer their own assessments of cybersecurity products and services available to businesses. Their results, which they will make publically available, will identify products and services they deem effective in reducing cybersecurity incidents and potentially qualify insured companies with improved policy terms and conditions if they use those products or services.

Cybersecurity vendors who would like their products and services to be assessed must apply by early May. They are not required to pay any fees for the evaluation. In light of the rising number of cyber-related events and increasing financial losses, along with the growing number of legal cases between companies and their insurance providers, this move by the insurance companies makes sense as a way for them to potentially reduce their exposure to cyber incidents. But it will be very interesting to see just how many cybersecurity vendors apply for participation in the program and how effective the insurers are at assessing the vendors' products and services. Moreover, for businesses, just using cybersecurity solutions helps them meet only part of the challenge. How they implement and maintain these solutions is critical to an effective cybersecurity approach.

Also of note in the Wall Street article is a graph that depicts the percentage of a particular global insurance company's clients, by industry, that have purchased a stand-alone cyber-insurance policy. Financial institutions, at 27 percent, rank last. Perhaps they are more confident in their cybersecurity strategies than are other industries, or perhaps insurers have no attractive stand-alone policies for financial institutions.

The cyber threat today is serious. In fact, Federal Reserve Board chairman Jerome Powell in a recent CBS 60 Minutes interview, when asked about a possible cyberattack on the U.S. banking system, responded that "cyber risk is a major focus—perhaps the major focus in terms of big risks."

As the Risk Forum continues to also focus on and monitor cyber risks, we look forward to the public findings from the insurers' collaborative assessment of cybersecurity products and services and will be interested to see if, over time, more financial institutions obtain cyber-risk insurance policies. I suspect the cyber-insurance industry will evolve in the products they offer and will continue to grow as companies look to mitigate their risks in the event of a cyber event.

What are your thoughts on this collaborative effort by the insurers? How do you see the cyber-insurance industry evolving? And do you think more financial institutions (or perhaps your own) will acquire cyber-insurance policies?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

April 8, 2019 in banks and banking, cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 25, 2019


Fighting Discipline with Discipline

When I meet with law enforcement officers, they often describe the growing sophistication of criminal groups that commit large-scale fraud. Just like legitimate enterprises, these global organizations follow a disciplined process to reach their business goals. As a successful salesperson follows specific steps from prospecting to closing, successful criminal enterprises follow defined steps that improve their chances of successfully executing financial crimes.

Let's take a look at a disciplined, five-step process that criminals generally follow to successfully execute a business email compromise (BEC) attack. The process can also apply to other types of cybercrimes, such as account takeover.

  • Identify targets. Fraudsters scan specific industries to identify firms to attack. While firms handling real estate closings and trusts remain primary targets of BEC attempts, other businesses, across multiple industries, that have large-value accounts payable have increasingly become targets.
  • Gain access. Fraudsters attempt a variety of methods to gain entry to the business accounting or IT system. With BEC, the most common way in is to get an employee to open an email or click on a link containing malware that will result in the compromise of the employee's log-in credentials. Another method is to exploit a security gap in the company's IT access control system. Social engineering is also becoming more frequent.
  • Establish a foothold. Upon gaining access to the business records of the company, the fraudsters are likely to create hidden paths to enter and exit the company's systems without detection.
  • Conduct surveillance. More and more often, fraudsters take their time monitoring the activity and records of the company, sometimes for months. Doing so helps them better understand the company's controls related to authorizing large-dollar-value transactions and customer records maintenance. When they eventually conduct their misdeed, they stay within normal controls and therefore don't set off any additional oversight.
  • Steal and retreat. When the criminals have gained the necessary knowledge—by conducting their thorough, sometimes lengthy surveillance—they make a funds transfer request. In a BEC, this is generally an email from a senior official of the company to the finance department conveying some sense of urgency. In most cases, the request refers to a valid invoice or customer account number in an attempt to appear legitimate. Of course, the criminal controls the account that would receive the funds. If the request succeeds, the criminal may make additional funds transfer attempts. When they're done, they try to erase any evidence of their intrusion.

These sophisticated criminals achieve their results with discipline, but you can successfully stop BEC and similar attacks by relying on your own discipline in several areas. BEC is totally preventable if a business combines employee education and testing with meticulous authorization control processes, audit oversight, and IT security techniques. Instill this discipline and you won't be a victim.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 25, 2019 in cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 14, 2019


Hiding in Plain Sight

Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.

But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.

Various forms of the technique date back to Greek civilization when untrusted messengers had to convey sensitive or classified information, or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today, technology has created a new technique in the form of digital steganography, which is the practice of hiding an image, audio, or data file within another image, audio, or data file.

A recent article in infoRisk Today highlighted the darker side of steganography, with its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides a malware file within an image, audio, or other data file that, when opened, will load malware onto the device for future eavesdropping or control. Such an event could lead to the compromise of PII (or personally identifiable information), online credentials, or other sensitive information on the device without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned about the difficulty for existing data protection processes to detect embedded malicious code.

Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). While there are valid uses for steganography as an alternative to encryption, the criminal element will continue to develop uses of digital steganography to further their criminal operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 14, 2019 in crime, cybercrime, cybersecurity, data security, malware | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 17, 2018


Card Fraud Values Often above Average

Recent data from the Federal Reserve Payments Study remind me of my first experience with payments fraud as a 20-something college grad freshly arrived in Boston. I left my wallet in a conference room, and someone lifted my credit card. I still remember the metaphorical punch to the stomach when the telephone operator at the card company asked, "Did you spend $850 at Filene's Basement?" $850! That was more than twice my rent, and far more than I could conceive of spending at Boston's bargain hunters' paradise in a year, let alone on a one-night spree.

Decades later, the first thing I do to check my card and bank statements is to scan the amounts and pay attention to anything in the three digits. For noticing high-value card fraud, this is a pretty good habit.

That's because, on average, fraudulent card payments are for greater dollar values than nonfraudulent card payments. In 2016, the average value of a fraudulent credit card payment was $128, almost 50 percent more than $88 for a nonfraudulent credit card payment. For debit cards, the relationship was more pronounced: $75 for the average fraudulent payment, about twice the $38 average nonfraudulent payment, according to the Federal Reserve Payments Study.

Chart-average-value-per-payment-2016

Even to the noncriminal mind, this relationship makes sense: get as much value from the card before the theft or other unauthorized use is discovered. For a legitimate user, budgetary constraints (like mine way back when) and other considerations can come into play.

Interestingly, this relationship does not hold for remote payments. In 2016, the average dollar values of remote debit card payments, fraudulent and nonfraudulent, were the same: $68. And the average value of a nonfraudulent remote credit card payment, $151, exceeded that of a fraudulent remote credit card payment, $130. Why the switcheroo?

A couple of possibilities: Remote card payments include online bill payments, which often are associated with a verified street address and are of high value. So that could be pushing the non-fraudulent remote payments toward a high value relative to the fraudulent remote payments. Another factor could be that fraud detection methods used by ecommerce sites look for values that could be outliers, so perpetrators avoid making purchases that would trigger detection—and thus average values for remote fraud are closer to average values for remote purchases generally. But this is speculation. What do you think?

The relationships described here are depicted in figures 21 and 28 of the recent report of the Federal Reserve Payments Study, Changes in the U.S. Payments Fraud Landscape from 2012 to 2016. You can explore other relationships among average values of payments, and more, on the payments study web page.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 17, 2018 in cards, cybercrime, cybersecurity, data security, debit cards, mobile banking, mobile payments, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 5, 2018


Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.

Image-one

The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? What point is the "in case of fire break glass" moment, meaning, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

 

November 5, 2018 in consumer protection, cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 22, 2018


Three Views of Noncash Payments Fraud

Despite what we might gather from the headlines, payments fraud is a small fraction of the value of all payments.In 2015, by value, it was only about 1/200 of 1 percent of noncash payment transactions. The pie chart shows what a tiny slice of the pie that payments fraud is.

Image-one-sm

This view of the value of payments fraud in 2015 is one of three views that today's post will offer, using data from a recently released payments fraud report.

The report, based on data from the Federal Reserve Payments Study, quantifies noncash payments fraud by value and number in 2012 and 2015 and provides information that can help inform efforts to prevent and detect payments fraud. Data include detail on different payment instruments and transaction types.

Fraud value is defined in the report to be the value of unauthorized third-party payments that were cleared and settled, before any chargebacks, returns, or recoveries. It does not include the costs of any prevention, detection, or remediation methods. The report covers noncash payments used for everyday consumer and business transactions, including automated clearinghouse (ACH), check, and card payments. (Wires are excluded.)

Here's the next view of payments fraud by value: most payments fraud is by card. Slightly more than three-quarters of noncash payments fraud by value are credit card, debit card (prepaid and non-prepaid), and ATM withdrawal fraud; almost half is credit card fraud. The second chart shows that by value, ACH fraud is 14 percent of noncash payments fraud and check fraud is 8.6 percent.

Image-two-sm

Finally, fraud rates by value for cards increased from 2012 to 2015 while fraud rates for check payments decreased and fraud rates for ACH stayed flat. That rate increase for cards means that the value of fraudulent card payments grew faster than the dollar-value growth overall, which is concerning. Indeed, card fraud by value grew more than three times faster than the growth in card payments and ATM withdrawals by value—64 percent compared to 21 percent. ACH fraud grew more in line with the growth rate in ACH payments, with fraud by value increasing 11 percent compared to a 13 percent increase in the value of total ACH payments.

Image-three-sm
You can find additional data in the report at https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about the payments fraud report, join our next Talk About Payments webinar on November 1 at 11 a.m. (ET). The webinar is open to the public but you must register in advance to participate. (Registration is free.) Once registered, you will receive a confirmation email with login and call-in information. Also, be sure to check back next Monday for another Take On Payments post about the report.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 22, 2018 in cards, consumer fraud, cybercrime, cybersecurity, debit cards, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

October 15, 2018 in biometrics, cards, cybersecurity, emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad