DT, December 2016
December 1, 2016
By Jim Daly
The ever-expanding Internet of Things could represent a back-to-the-future security nightmare for the payments industry.
What’s a network without endpoints? Visa Inc. and MasterCard Inc. have big networks—about 8 million endpoints in the form of merchant locations that include point-of-sale terminals in the U.S. alone.
But the Internet of Things, now there’s a network.
Research firm IDC Financial Insights recently estimated that the IoT consists of 12.1 billion “things” connected to the Internet in 2015, and predicted it will grow to 30.3 billion by 2020, for a compounded annual growth rate of 20.2%. That works out to more than 6,900 new devices plugging in every minute.
What’s more, 500 new types of devices are being introduced each week, according to Craig Spiezle, founder, president, and executive director of the Online Trust Alliance. The Bellevue, Wash.-based OTA promotes practices aimed at increasing security and usability for Internet users.
Internet-connected cameras were probably the first iteration of the IoT that most Americans became aware of, though nobody used the term “Internet of Things” when Webcams appeared in the mid-1990s. But now everything from routers, refrigerators, thermostats, garage-door openers, light bulbs, washing machines, and other household appliances to drones, speakers, automobiles, smart watches, and garments is connected to the Internet.
Ken Munro, co-founder of Pen Test Partners LLP, a Buckingham, England-based data-security assessment firm, takes particular delight in mocking some of the curious endpoints of the IoT.
“It’s the gift that keeps on giving,” says Munro, who’s come across IoT dolls for girls and toys for adults, ahem. “There’s just no logic to it.” Of a Web-connected tea kettle he says, “It’s very important to us Brits.”
An unknown but growing number of these connected devices can facilitate payments. The IoT will represent a $14 billion revenue opportunity globally by 2020 for payments firms, according to IDC (see sidebar).
IoT’s potential has that gee-whiz factor that new technology so often generates. Early this year, MasterCard demonstrated an Internet-connected Samsung refrigerator that can detect when food items are getting low, then order and pay for them. And a business might find quite useful a payments-enabled connected printer that can order and pay for printer cartridges.
“There are more and more devices that have payment information stored on them, or at least a payment token,” says Markus Bergthaler, director of programs at the Merchant Risk Council, a Seattle-based trade group of 450 e-commerce merchants, vendors, and law-enforcement officials in about 30 countries concerned about online fraud control.
‘A Wakeup Call’
There’s a problem, however. Many connected devices flunk the data-security test.
“They’re poorly configured,” says IoT expert Ray Klump, chairperson of Computer Science and Mathematics at Lewis University in Romeoville, Ill. An electrical engineer, Klump says “security is sort of baked in as an afterthought” with the IoT.
Fortunately, at least some IoT devices hold up from a payments perspective. Munro says his firm took apart the Samsung IoT refrigerator and deemed it safe. “We found some minor bugs, nothing major,” he says.
The same can’t be said of many other connected devices. While there has been no known breach of payment data involving the IoT yet, Munro believes it’s only a matter of time.
“I’m confident it’ll happen soon,” he says. “Organizations aren’t getting the hardware right, the firmware right. The mobile applications [which control many IoT devices] aren’t written securely.”
The MRC’s Bergthaler says fraudsters “are looking for the weakest link.” IoT security is now “among the most requested topics we get” for conferences and presentations, he says. As a result, the MRC’s upcoming March conference in Las Vegas will have several sessions about IoT security.
Indeed, the IoT has already played a starring role in a major cyberattack. On Oct. 21, a massive distributed denial of service (DDoS) attack hit Dyn, a leading managed-DNS provider, in several waves. Because Dyn resolves the domain names of a number of major U.S. and European Web sites, the attack temporarily shut or slowed down access to them, including Twitter, Netflix, Reddit, The New York Times, and The Wall Street Journal. Even online payments provider PayPal Holdings Inc. got stuck in the electronic goo for a while.
In a DDoS attack, a targeted site is flooded with a massive number of requests from many sources at once, overwhelming its capacity to respond. The October attack was notable in that it used a variant of malicious software called Mirai to marshal IoT devices into a botnet and direct their traffic at the targeted sites.
Redwood Shores, Calif.-based security-technology firm Imperva Inc. says Mirai not only scans Internet Protocol (IP) addresses for insecure devices, but also can remove and replace previously installed malware.
According to Klump, one reason the malware was able to assemble so many endpoints—up to 100,000 by Dyn’s estimate—was that many had default or otherwise known passwords, thus enabling the program to use the devices for its own purposes.
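One practical way to spot the kind of recruitment Klump describes, as an added example that is not part of the original article: a small Python script that reads Telnet login records and flags sources trying factory-default accounts. Mirai's scanner worked by trying a short hardcoded list of factory-default usernames and passwords over Telnet (TCP ports 23 and 2323). The log format, the sample lines, and the DEFAULT_USERS set below are constructed for illustration; they are not the malware's own list or any vendor's real log format.

```python
"""Flag hosts that hammer Telnet with factory-default logins, the behaviour
Mirai used to recruit IoT devices. Added example; the log format, the sample
lines and DEFAULT_USERS are constructed for this illustration."""
import re
from collections import defaultdict

# Assumed (constructed) log format:
#   "<timestamp> telnetd: login <ok|failed> user=<name> from=<ipv4>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<ip>[\d.]+)$"
)

# Account names commonly shipped as factory defaults on embedded devices.
# Illustrative only; not Mirai's exact credential list.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}


def parse(line):
    """Return the fields of one log line, or None if it is not a Telnet login record."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_default_cred_attackers(lines, min_attempts=5):
    """Return {ip: {"attempts", "users", "compromised"}} for every source that
    tried default accounts at least min_attempts times, or that logged in
    successfully after failing (the device has most likely been recruited)."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "failed_before": False, "compromised": False})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["user"] not in DEFAULT_USERS:
            continue                      # ignore non-login lines and named users
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "failed":
            s["failed_before"] = True
        elif s["failed_before"]:          # success after failures: guessed default
            s["compromised"] = True
    return {
        ip: {"attempts": s["attempts"], "users": sorted(s["users"]),
             "compromised": s["compromised"]}
        for ip, s in stats.items()
        if s["attempts"] >= min_attempts or s["compromised"]
    }


# Constructed sample log: one scanner walking default accounts and getting in,
# one legitimate named user, one single stray failure.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z telnetd: login failed user=root from=203.0.113.7
2016-10-21T11:10:02Z telnetd: login failed user=admin from=203.0.113.7
2016-10-21T11:10:02Z telnetd: login failed user=root from=203.0.113.7
2016-10-21T11:10:03Z telnetd: login failed user=support from=203.0.113.7
2016-10-21T11:10:04Z telnetd: login ok user=root from=203.0.113.7
2016-10-21T11:12:40Z telnetd: login ok user=jdaly from=192.0.2.10
2016-10-21T11:13:05Z telnetd: login failed user=admin from=198.51.100.4
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_default_cred_attackers(SAMPLE_LOG).items():
        print(ip, info)
```

The "success after failures" rule is the important one: a single burst of failed logins is noise, but a default account that finally opens after a string of misses means the device is now somebody else's. The same logic applies to any service that still accepts a factory password; the fix, of course, is not to ship one.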
The IoT’s newfound susceptibility to being herded into so-called botnets for DDoS attacks represents a threat to payments companies, if only through lost transaction volume rather than actual compromise of data.
“I really think that the DDoS is the bigger issue,” says Branden R. Williams, a Dallas-based security consultant and former qualified security assessor (QSA) who tested merchants’ payment-acceptance systems for compliance with the Payment Card Industry data-security standard, the main set of security rules for general-purpose credit and debit cards.
For many American and European consumers, the October attack may have been the first time they’d ever heard the term “Internet of Things,” not to mention “DDoS.” And if they hadn’t thought about IoT security before, payments executives suddenly had a very good new reason to start paying attention.
“It is, hopefully, a wakeup call to the payments industry,” says Michelle Tinsley, director of mobility and secure payments in the Retail Solutions Division of Santa Clara, Calif.-based chipmaker and software developer Intel Corp.
‘Fixed And Rigid’
Part of the problem is that the IoT can worsen existing weak spots seen in e-commerce, according to Julie Conroy, a security-technology analyst who is research director at Aite Group LLC, Boston. “In the e-commerce world, the attack vectors and points of vulnerability are different, they will be magnified by the IoT,” she says.
The scale of the October DDoS attack even spurred security experts to talk about the potential for taking down huge components of the payments system, such as the Visa and MasterCard networks. Most say that’s highly unlikely, given the networks’ separation from the Internet, but not impossible.
“Visa and MasterCard are some of the most fortified networks, have the most redundancy, they are better prepared for this,” says Conroy. “But theoretically you can’t rule that out. It’s pretty scary.”
DDoS attacks can affect other payment firms more directly reliant on the Internet, such as PayPal, as the October attack showed. “It did not impact their vitality as a business, but it should underscore what could happen,” says the OTA’s Spiezle. “The PayPals of the world need to have mitigation in place.”
Even more vulnerable are retailers, according to Williams. Security varies widely in the retail community, and most national and regional retailers today depend on their Web sites to varying degrees for sales. Consequently, they’re vulnerable to revenue disruptions from botnet attacks, even if hackers do not penetrate their systems far enough to steal data.
“I would be way more concerned if I were a retailer,” says Williams.
A related problem with the IoT is that it’s hard for payment-services providers to reliably differentiate between the good and the bad—fraudulent—traffic it generates, according to Al Pascual, senior vice president and director of fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research.
“The challenge is, if you have known IoT payment devices pinging you in great numbers, it’s difficult to separate the wheat from the chaff,” he says.
And fixing the problem with updates isn’t an easy option. Analysts note that many IoT devices run firmware burned into their chips, with no practical mechanism for installing patches or updates. “It’s fixed and rigid, it’s not meant to be updated,” says Lewis University’s Klump.
DDoS attacks may be an obvious concern, but they’re not the only threat to payments through the IoT. The mobile apps that control many IoT devices often are poorly configured for protecting payments, notes Munro of Pen Test Partners.
“If you start to enable payments, you’ll see breaches,” he says.
Other potential weak links include poorly protected WiFi networks linking IoT devices; if such a network is penetrated, the result could be a data breach.
“What you see happening, more and more, [is] people driving through neighborhoods and getting into WiFi networks,” says Klump. He adds that most corporate networks are “protected better than they used to be, but there are still unprotected segments.”
‘A Lot of Moving Parts’
Beyond the technology-based security issues, the explosive growth of the Internet of Things means legions of software developers and technical people with little or no experience in payments are now creating or overseeing devices with payments functions.
These payments rookies are unfamiliar with tokenization and encryption of payment data, and unless they are educated fast, they seem poised to learn the same lessons many payments veterans learned the hard way after data breaches.
“You can’t make the assumption that as these folks are doing this [building the IoT] that they are using tokenization,” Aite’s Conroy says. “There’s still a lot of folks that still don’t have that knowledge.”
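What tokenization actually buys a device maker, as an added example that is not code from the article or from any of the organizations quoted: a toy payment-token vault in Python and the device-side view of it. The class and method names, the token format, and the device-binding rule are assumptions made for illustration, not any processor's or card network's real API; the card number is the standard 4111 1111 1111 1111 test value.

```python
"""Added example: the connected device stores a token, never the card number
(PAN), and the token is bound to that device so a copy lifted off it is
useless elsewhere. Vault design, names and token format are assumptions."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum, used here only to reject malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Server side. The only place a PAN exists; in production this is a
    hardened, separately audited service with an encrypted store."""

    def __init__(self):
        self._tokens = {}                   # token -> (pan, device_id)

    def tokenize(self, pan: str, device_id: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        # Random and unpredictable, not derived from the PAN; only the last
        # four digits are kept, for display on receipts and in the app.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._tokens[token] = (pan, device_id)
        return token

    def authorize(self, token: str, device_id: str, amount_cents: int) -> dict:
        """Map the token back to the PAN only inside the vault, and only when
        the request comes from the device the token was issued to."""
        entry = self._tokens.get(token)
        if entry is None:
            return {"approved": False, "reason": "unknown token"}
        pan, bound_device = entry
        if bound_device != device_id:
            return {"approved": False, "reason": "token not bound to this device"}
        # A real vault would forward `pan` to the processor here; we only mask it.
        return {"approved": True, "amount": amount_cents,
                "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}


class ConnectedDevice:
    """Device side (the fridge or the printer): holds the token and nothing else."""

    def __init__(self, device_id: str, token: str):
        self.device_id = device_id
        self.token = token

    def order(self, amount_cents: int) -> dict:
        return {"device_id": self.device_id, "token": self.token, "amount": amount_cents}


def leaks_pan(message: dict, pan: str) -> bool:
    """Quick check a developer can run over any outbound device message."""
    return pan.replace(" ", "") in str(message)


TEST_PAN = "4111 1111 1111 1111"            # well-known test number, constructed input


def demo() -> dict:
    vault = TokenVault()
    fridge_token = vault.tokenize(TEST_PAN, "fridge-001")
    fridge = ConnectedDevice("fridge-001", fridge_token)
    order = fridge.order(1299)
    ok = vault.authorize(order["token"], order["device_id"], order["amount"])
    # Same token replayed from a different device: should be refused.
    replay = vault.authorize(fridge_token, "printer-007", 1299)
    return {"order": order, "token": fridge_token,
            "approved": ok["approved"], "replay_approved": replay["approved"],
            "leaks": leaks_pan(order, TEST_PAN)}


if __name__ == "__main__":
    print(demo())
```

Two properties matter more than the code: nothing the device stores or transmits contains the PAN, so a breach of the device or its app yields a token rather than a card number; and the token is tied to the issuing device, so harvesting tokens from one fleet of appliances does not let an attacker pay from another.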
Many IoT developers come from the manufacturing sector, and until recently “have not needed to think about payment security,” says Troy Leach, chief technology officer for the Wakefield, Mass.-based PCI Security Standards Council, overseer of the PCI data-security standard and its related sets of rules for payment card-accepting merchants, processors, and card-industry vendors.
The PCI Council hopes to remedy that. The organization recently began devising recommendations, or what Leach calls a “framework,” for ensuring payment security when IoT devices are involved. The framework will pay close attention to the software involved with these devices.
“We are developing a new software-security framework that is going to be applicable to all types of payment software, potentially including the Internet of Things,” Leach says.
The framework will have three major components that address secure coding principles for IoT devices, software updates, and testing of payments-facilitating applications.
Specific payment-security rules for the IoT aren’t in the immediate offing, nor is there any timeline for completing the framework. And anything that emerges from the framework likely would first appear as best-practices recommendations, according to Leach.
“There are a lot of moving parts,” says Leach. “My hope is we will have this out next year.”
Leach adds that the Council “will have heavy industry involvement” in developing the framework. The Council also is working with non-payments software companies such as Microsoft Corp. and Intel to get ideas and recommendations.
In some ways, the influx of software developers and other tech people into payments via the IoT resembles the experience of the payments industry itself a decade ago, when the major card networks created the PCI Council. But the importance of data security was easier to grasp back then when everybody involved—from banks to card networks to processors, merchants, and vendors—was familiar with the ins and outs of electronic payments.
But with the IoT, “payments is an element, but not central to the product design,” says Leach. “That’s what’s different from 10 years ago.”
Some of the same problems that have plagued conventional payments for years, such as default passwords on payment-accepting devices, or passwords and other data in the clear and vulnerable to interception, are reappearing.
“It’s the same challenge that any type of new technology introduces if [it is] going to accept payments,” says Leach.
‘A World of Hurt’
Another industry group working to improve IoT security is the Princeton Junction, N.J.-based Smart Card Alliance. The SCA recently created its Internet of Things Security Council.
“The Smart Card Alliance has always taken a very close look at emerging markets where security technology is typically underutilized and not strongly considered as part of the startup of the business,” says Randy Vanderhoof, the SCA’s executive director.
As such, the IoT is now in the position that chip card-based fare systems for transit, mobile wallets, and other new technologies were in when they came on the scene and needed to integrate payments. “The Internet of Things ‘things’ have the same security issues that we have addressed in these other markets,” says Vanderhoof.
The SCA sponsored its first “Security of Things” conference in Chicago in October and attracted about 200 attendees. Vanderhoof says that wasn’t bad considering two other IoT conferences were going on at the same time.
Indeed, the need for education about IoT payment security won’t be satisfied any time soon. That’s because so many people and companies have identified the IoT’s economic potential. “There’s an opportunity to make a lot of money,” says Klump.
But if the security problem isn’t solved, says Javelin’s Pascual, “We are going to be in for a world of hurt.”
—With additional reporting by John Stewart
The IoT’s Payments Potential
Assuming that fraud can be kept under control, the budding world of connected devices represents a major new source of transactions for payments firms. Research firm IDC Financial Insights says the IoT will amount to a $14 billion revenue opportunity globally by 2020 for payments companies.
“That is a very conservative estimate,” says James Wester, research director of worldwide payment strategies at Framingham, Mass.-based IDC.
Wester and Michelle Tinsley, director of mobility and secure payments in the Retail Solutions Division of chipmaker and business-software provider Intel Corp., spoke about the IoT’s potential in October at the Electronic Transactions Association’s Strategic Leadership Forum in Palm Beach, Fla.
Just exactly what the IoT is and can do is somewhat fuzzy for many people. MasterCard Inc. and Samsung early this year made a connected refrigerator famous by showing how it could track the groceries inside it, then order food when supplies were getting low.
An example Wester pointed out is a so-called smart electric meter in a house that not only reports to the electric company how much juice the home used in a month, but also pays the bill. “A lot of these ‘things’ are going to have to connect to financial services,” Wester said.
Wester defined the IoT “as an aggregation of endpoints that are uniquely identifiable” and communicate over an Internet Protocol network “using some form of automated connectivity, whether locally or globally.”
The worldwide installed base of IoT devices already numbered 12.1 billion in 2015 and will grow to 30.3 billion by 2020, according to IDC. Spending to develop the IoT will total $1.5 trillion globally in 2020, IDC estimates.
“It is a massive, massive area of investment,” said Wester.
Many companies are looking to the IoT to reduce operating costs and learn more about customers’ desires, according to Tinsley. For example, a clothing retailer selling garments with IoT tags could track how many times a particular item was tried on, and why it may not be selling, she said. Or, in the case of a hot seller, the tags could tell the retailer early on that it should replenish inventory.
“There’s very real operational savings to be had,” she said.
With a few notable exceptions such as Samsung’s refrigerator, not many IoT devices have payment functionality yet. That’s coming, according to Tinsley and Wester, who noted that the $14 billion payments opportunity is net of credit and debit card interchange.
But the initial revenue opportunity will be different from a merchant greenfield in which electronic payments make big inroads into a cash- or check-dominated segment for the first time, as debit cards did in grocery stores beginning in the 1980s.
“I don’t know if it does,” said Wester when asked if the IoT presents an opportunity for entirely new electronic payments. “For the short term it’s not going to be net new transactions.”
Instead, first-generation IoT payments will consolidate many existing transactions now flowing through any number of processors. “You’re going to see fewer providers in the background,” Wester says.
The field might become dominated by value-added resellers (VARs) and related companies that provide application programming interfaces (APIs). Their opportunity lies in creating software-based platforms that make it simple for utilities, manufacturers, and other firms to bundle transactions and integrate payments with whatever Web-based services they offer to consumers and businesses, according to Wester.