Payments technology is showing up in places that were unimaginable just a few years ago. That creates new opportunities for merchants and banks, but also new opportunities for fraudsters.
Devices that were never originally intended to be financial instruments — cars, watches and refrigerators — are steadily being transformed into commerce platforms, but experts wonder if security is being considered as part of this transition.
"Security has been largely neglected in Iot devices and most are not secure enough to enable secure payments," said Avivah Litan, a vice president and security analyst at Gartner. "I would say [Internet of Things] security depends more on the manufacturer and whether it allocates resources to security than to the type of device."
There are concerns, for example, about embedding digital payments inside of a car's computer system. Car alarm systems typically guard against physical access, not WiFi access.
Regarding GM's upgrade to embed e-commerce and payments into its OnStar system, "the payment tech side of me understands the interest in and utility of turning one's car into a mobile payment device, especially if the car can help me find parking," said Andy Schmidt, an executive advisor at CEB.
And it would seem like a natural extension of wireless toll-collection systems such as E-ZPass. "However, I have serious concerns about the safety and security of such a move outside of the transponder model that we have seen in the highway tool-taking market," he said.
GM's tie in with Mastercard—the OnStar system uses Masterpass to power payments—will address security for the actual payment, Schmidt said. But it's the implementation of the connection to the LTE cellular network that raises concerns, Schmidt said.
A network of IoT devices was able to overwhelm DNS provider Dyn, which in turn brought down Twitter, Etsy and others last month, Schmidt noted.
"This scenario may create a similar vulnerability for network-enabled motor vehicles if the LTE gateway or the APIs that would leverage it are not secure," Schmidt said. "Depending on how the connectivity is implemented, there is also a concern that customer information may be exposed in the transmission or that these vehicles could be shut down from afar."
General Motors attempts to protect the wireless technology in its cars by severely limiting its connections to the car's operation. The automaker updated its security following researchers' hacking of OnStar a couple of years ago. The remote exploit targeted the OnStar dashboard, allowing the hackers to track cars and theoretically gain control over music and entertainment systems, and potentially even disable brakes.
GM can now remotely push updates to the software that runs OnStar, updating the system against new vulnerabilities and shielding the system that handles payments and other sensitive functions, said Vijay Iyer, director of communications for General Motors.
Further, the OnStar system does not store payment information in the car's computer. "None of the payment or personal information sits in the vehicle, it sits on a cloud in your profile," Iyer said.
The mobile app that's used to lock and unlock cars also works remotely also communicates with the cloud for verification and authentication. "There are also layers to this protection," Iyer said.
Cars of course aren't the only devices that can connect to the Web, and as a result everything from watches to refrigerators to gloves can become payments portal, and all may present distinct security and safety issues.
From a pure payments technology perspective, there are best practices that will apply equally across the Internet of Things—just like in the traditional merchant environment, the best practice will be to devalue the data on the device through tokenization and point to point encryption to minimize the attack surface, said Julie Conroy, research director at Aite Group.
"However as you one step deeper, each IoT device needs to be looked at individually to assess risk," Conroy said. "The risk vectors are radically different for cars vs. medical devices vs. refrigerators vs. thermostats, and each use case needs to be assessed for their own unique risk factors."