GlobalSign Blog

22 Mar 2016

Beware! Data And Identity Theft in the IoT

While we often hear about scary and unpredictable hackers trying to get to our data and money with all types of impressive hacks, we are often also our own biggest security enemy. Through careless safekeeping of our internet connected devices (think: mobile phone, iPad, Kindle, smartwatch, etc.) we are playing into the hands of malicious thieves and opportunistic finders.

How You Could Be the Biggest Threat to Your Personal or Business Security

While the Internet of Things (IoT) may make our lives easier, the security considerations are sometimes an afterthought and are sacrificed to get a product to market faster.

The main strategy of identity theft is to amass data. With a little bit of homework, there is plenty to find. General data available on the internet, combined with social media information, plus data from smart watches, fitness trackers and, where available, smart meters, smart fridges and many more, gives a great all-round idea of your identity. The more details that can be found about a user, the easier and the more sophisticated a targeted attack through identity theft can be. If a hacker also manages to collect business-related data about a person, the potential hacking target becomes all the more lucrative.

For example, you keep hearing those news stories about someone who got called by an alleged nephew who needs money urgently. It’s much easier to believe if a hacker knows that the targeted person indeed has a nephew, who might just be away from home at that moment in time. In a business context a hacker could pose as the HR director, asking for banking details or employee addresses – again so much more plausible if the company has recently switched banks or updated an employee database.

The World of IoT - Our Most Sensitive Data Is Now Everywhere

Nearly two-thirds of Americans own a smartphone, and by 2020 it is expected that each person worldwide will on average have more than six connected devices.

The tricky thing with connected devices is that we often carry them around with us. We take them to busy places, keep them in handbags and backpacks and use them naturally in front of strangers, whether for business or personal use or both. It’s not hard to watch someone type in their device’s PIN code or password. So even when we have (often basic) security practices in place, it’s all too easy for an onlooker to memorize a security code and steal the device.

A fitness watch or a smartphone contains the most private of all information – name, address, date of birth, credit card information and health information. Your phone often also harbors unprotected access to apps including email, business and social media accounts, online banking and many more. Looking at it from this angle, it’s quite shocking that we take our data goldmines everywhere and anywhere with little thought about the implications of it getting into the wrong hands. The trend of Bring Your Own Device (BYOD) for business purposes further encourages the risk of leaking highly sensitive business data.

While mobile phone security is slowly catching up (PIN protection, remote blocking and deleting of data, fingerprint authentication technology, etc.), the majority of other connected devices are still way behind. Only 50% of tested smartwatches, for example, offer the ability to enforce a screen lock by PIN or pattern. The good news is that business applications especially are catching up. It’s up to the user to make use of the technology.

The more connected our world becomes, the more valuable the data becomes for an opportunistic hacker. And the more connected devices a person has, the more likely it is for a hacker to find a device that could serve as an entry point to access the home or corporate network, such as the home security system or work computer.

The Greatest Threat Today – Identity Theft

Having your device stolen is a big hassle in itself. If the thief uses your device’s data to act on your behalf and impersonate you, then you have an even bigger problem at hand. Other devices, and possibly some of your personal or business contacts, that trust your identity are at risk of falling for “your” stolen identity. Identity theft can therefore be counted as one of the biggest risks in the IoT.

Just imagine the following scenario which ThinkAdvisor paints: Someone applies for a mortgage with your stolen identity, rents out the house or quickly sells it. Or equally bad, in a business environment: someone poses as your senior manager and asks you to transfer funds over to another bank account. There are already many scary real-life examples of where identity theft can affect you to a level that most people don’t even think about.

Protecting Your Data and Yourself

There are many routes that you can take to protect your data:

  • Only share the minimum amount of data needed: it is important to know who has access to your data, what it is being used for and also what data protection policies are in place to protect your data. It is always wise to share as little information as possible when using services, and never select “remember my details” for services such as personal banking or corporate networks.
  • Encrypt your data: Ensuring your data is encrypted is a big step in making sure only authorized people have access to the data.
  • Use strong authentication: An authentication model controls who and what is allowed to connect to your device, data or corporate network, so unwanted people can be excluded. This is especially useful if your device has been stolen or lost. Multi-factor authentication requires a combination of elements to gain access – usually two or more of something you know (e.g. a password), something you have (e.g. your phone) and something you are (e.g. a fingerprint). Multi-factor authentication is yet another step to improve your security.
  • Use a different password for every device and always change the default password.
  • The FBI has many further hints on how to reduce your chances of becoming a victim of identity theft, and many businesses will have set security policies that must be abided by.

Unfortunately, the increase of efficient security hasn’t kept up with the increase of available IoT devices. Very often criminals are steps ahead of the security developments when it comes to smart objects. In a recent study, HP found that 70% of the most commonly used IoT devices contain vulnerabilities.

The best way to protect yourself and your business is to follow basic security guidelines and, when considering your purchasing options, look for reputable manufacturers and solution providers who take security seriously. That should apply to any connected device: from work laptops, to smartphones and thermostats, weather sensors, tracking devices, health monitors and smartwatches through to manufacturing machines and connected cars.

Learn more about how to protect your employee and business identities with the use of GlobalSign’s digital certificates for secure email, authentication and PDF Signing.

For more information about the Internet of Things visit our website.
