The Internet of Things to Worry About

When we look for capabilities and technologies above and beyond what we have in banking now, it’s impossible to avoid the elephant in the room: the Internet of Things (IoT). Yet it’s also a little embarrassing, since the reality of this dynamic paradigm certainly hasn’t lived up to the hype.  So let’s start instead with a promising nugget.

One massive concern with this emerging colossus is of course security—with all those new touchpoints embedded in everyday objects, building a solid defense has the potential to be a nightmare. However, according to new research from the Online Trust Alliance (OTA), an industry working group seeking the right balance between enhancing digital trust and promoting innovation, 100% of IoT-related vulnerabilities reported since November of last year could be avoided with ease. That’s right—every vulnerability or privacy issue discovered in connected home products and wearable technologies can be overcome with existing tools and accepted protocols.

This is a big deal to us, because we’re the one industry that will have a bull’s-eye on its back. And it’s also one reason why, despite the unrealized potential, we’ve spent a lot of time on this blog considering the possibilities of IoT.

Late last year, while making a list of foolhardy predictions for 2016, we included the growth prospects for the Internet of Things—and we had good reason. As noted then, “the fact that microchips and sensors can be embedded in every conceivable object means that all ‘things’ that are now single-purpose, static and standalone can take on new functions, evolve consistently, and become connected to all other ‘things’” is a dynamite concept.

After all, for most of their existence, phones could only be used for talking; today, we’re at two and a half million apps. So how many aps might there be for the myriad devices that are now basically brainless but will become as ‘smart’ as the phone once they’re connected? Even with slow progress, the possibilities are endless.

Financial services will be an essential variable in this question. Imagine this scenario: With cameras and an algorithm, the refrigerator ‘sees’ which regular items are running low (milk, eggs, bread, etc.), scans the inventory at local grocery stores (perhaps in search of sales), and makes purchases within its pre-assigned limit. Yes, the debit/credit card is used even without human involvement. That’s the IoT-enabled future.

Which brings us back to the question of security. How easy will it be for those multiple endpoints within each consumer’s environment to get hacked?

First, as a recent article that explains why the Internet of Things is stalling makes clear, concerns over security have the potential to actually boost development and adoption. The overall IoT concept is still too amorphous for the average consumer to grasp, but products that meet everyday needs could go a long way in gaining acceptance for the dynamic. For example, a wide range of home security products that fit perfectly into the IoT framework are finding a big audience precisely because they offer better protection, and that advantage can be extended to other devices.

Meanwhile, it could go the other way—a rash of device extensions that bring convenience without accompanying defenses could lead not only to rampant breaches but unprecedented weaponization of those same tools. This is why the OTA’s study of recent security problems makes for interesting reading, and shows us a path forward.

Some of the weaknesses revealed shouldn’t come as a surprise: Insecure credential management that leave admin controls open; inadequate disclosure of data collection and sharing practices; a lack of rigorous security testing during development, including penetration testing and threat modeling; a lack of encrypted storage; and insufficient plans specifically to address vulnerabilities during the normal product lifecycle.

In other words, the Internet of Things may be new, but some of the problems are quite old. That said, the sheer size of the pending market takes these concerns to a different level. The reality is that as these devices find a home, in the home and elsewhere, many will be embedded with banking-related capabilities, and some will inevitably be breached. When that happens, the blame will go not only to the device maker or the technology service provider, but to the financial services brand involved. That could be a global credit card issuer, or a local branch, or the family accountant, who had nothing to do with the use of IoT tools in the first place.

It’s great that industry bodies such as the OTA are working on new frameworks that can incorporate these challenges, but the banking side needs to step up too. Financial services groups should be developing and propagating finance-specific practices and protocols—some are already out there—and every institution should adapt those to meet its own particular needs. After all, when all ‘things’ can be like an ATM, the peril is almost as great as the promise.

Written by Jack Dougal