Wearables open a new door for payment fraud

Register now

The evolution of wearable devices is taking place at a staggering rate. From simple fitness trackers to tethered and stand-alone smartwatches, a tremendous amount of sensitive personal and financial information is being passed from device to device, device to cloud and wrist to wrist, putting consumer privacy and security—as well as enterprise data—at risk.

As app developers race to create wearable-optimized versions of fun, convenient and productivity-enhancing tools for personal and business use, and as device manufacturers race to create the latest must-have wearable gadget, security may not keep up with innovation. Organizations must lead the charge to bring device security to the forefront or risk long-term financial and reputational damage.

Gartner’s latest forecast predicts sales of just over 310 million wearable devices worldwide this year, generating a total of $30.5 billion in revenue—of which $9.3 billion is expected to come from the smartwatch category. In addition to the increased numbers of devices, wearables technology has also rapidly become more sophisticated.
While some of the newest smartwatches allow for installations direct from the cloud to the wearable device, the majority—at least for now—are tethered to a compatible mobile device. The installation of apps onto the wearable is completed via the paired device, meaning identity verification and device authentication can be managed and controlled through the mobile device itself, ensuring apps are vetted before making it on to the wearable.

The rise of mobile device fraud, combined with the amount PII and sensitive information transmitted by smartwatches and other wearables, means information security professionals must remain even more vigilant about mobile device security—with a special focus on the unique risks posed these devices.

One type of wearable that carries significant risk and exposure is fitness trackers. While the average consumer may not recognize the risks of these devices, these popular wearables can collect and transmit personal data which can be compromised. A study by the University of Edinburgh showed that personal information can, in fact, be intercepted and stolen from fitness wearables.

Exacerbating the issue, consumers may knowingly, or unknowingly, hand over personal information in the name of convenience, cost savings or just plain fun. Such behavior is precisely why organizations must make security at the device-level a top concern.

According to market researcher Technavio, the global wearable apps market is expected to grow at a compound annual growth rate (CAGR) of about 57% over the period of 2016-2020. From games to mobile pay and banking apps, to shopping, location-based utilities, productivity tools and more, the increase in the breadth and number of native applications available for smartwatches will create new opportunities for fraudsters to compromise wearable devices for access to highly valuable personal information, costing consumers and businesses alike significant financial losses over time, as well as reputational damage.

The proliferation of wearable devices, their increasing sophistication, the uptick in wearable-optimized applications and the willingness of consumers to trade PII for convenience is converging to create a perfect storm of risk that has the potential to threaten commercial enterprises, as well.

Wearables linked to mobile devices, which are in turn linked to a corporate network, open organizations up to additional risks of attack. Even though the wearable itself may not be the primary target of an attack, its link with a mobile device simply creates another point of entry for cybercriminals to exploit—especially since wearables security is a relatively a new frontier.

Risks from wearables include the continuous transmission of real-time geolocation information, which can be intercepted and exploited by malicious actors to track employee movements and piece together information about an organization’s locations and operations. Additionally, wearables within range of a paired mobile phone can provide fraudsters with access to emails and contacts, as well as other proprietary information stored on the device.

The continued proliferation of wearables, as well as their persistent evolution, brings old digital security concerns front-and-center once again. Mobile-optimized organizations attempting to keep pace with mobile device security concerns find themselves facing yet another type of device , a wearable device, to protect.

The rush of device manufacturers to be first to market, the lack of operating system standardization among wearables manufacturers and the challenge of getting consumers vested in device security means mobile-enabled organizations need to play the leading role in protecting their customers, their financial interests and their reputations by deploying multilayered, device-level authentication and protection measures.

To protect paired mobile devices from wearable point-of-entry attacks, organizations should implement multifactor authentication protocols which leverage the latest biometric technology, and also invest in digital authentication and fraud prevention solutions.

Organizations should seek to authenticate at the device-level to offer the strongest level of identity verification. A permanent device ID is one way to identify a device and establish the first layer of trust. A mobile phone has thousands of unique identifying attributes that are part of the device itself and can be used to uncover and analyze risk factors that could lead to potentially fraudulent activities.

Additionally, instituting a multifactor authentication approach to user authentication will eliminate the inherent security problems associated with outdated username/password protocols. Fingerprint biometrics are not only ubiquitous, but also highly accepted among consumers as a way to reduce password fatigue, eliminate the headaches involved in dealing with stolen credentials, and to conduct transactions with reduced friction.

To mitigate the risk of threats from malware, a mobile fraud prevention solution with real time decisioning gives organizations the ability to detect whether a device is infected with malware before it transacts with an organization, and provides additional layers of verification if initial tests are not cleared, helping reduce friction at the point of sale for consumers, while still providing superior security.

For certain wearables that can operate independently from paired mobile devices, such as those on the Android Wear 2.0 platform, the same critical authentication measures are still possible. It is possible to permanently identify a specific wearable device and correlate that device to the consumer to create more trust. By knowing this is a device the customer typically uses, this satisfies one factor in multifactor authentication, by demonstrating that the customer is in possession of a trusted token.

This factor is commonly referred to as “something you have” in multifactor authentication. Other information such as location, make, model and whether the device is rooted or is being emulated, are important factors that contribute to assessing the device’s risk. This is a critical advancement in protecting consumer information, as well as businesses that interact with wearables that are independent from mobile devices.

The good news is that as the market for wearables expands and the types of wearable devices become more varied (such as tech-enabled clothing), organizations that lead the way in device security now will be well-positioned to benefit from this multibillion-dollar opportunity to increase engagement, enhance customer convenience and improve operational efficiency.

For reprint and licensing requests for this article, click here.
Wearable payments Retailers Digital payments Payment fraud Security risk ISO and agent