Posted by Claire McKenna on July 26, 2017
You’ve probably come across article headlines about parents facing the headache-inducing consequences of their children placing orders online. We’ve reached the day when it has become so easy to shop online that toddlers can (and do) place successful internet orders.
In fact, earlier this year, a San Diego news station reported a story about a little girl who was able to buy items without a parent’s permission. She simply asked Alexa on her family’s Amazon Echo device to get her a dollhouse. Who could have predicted that a sound bite of a little girl saying, “can you play dollhouse with me and get me a dollhouse?” would trigger an actual transaction? This is also in no way an isolated incident.
While situations such as this are a cause for worry, Internet of Things (IoT) security concerns in the retail space go much deeper. Let’s examine why.
Perhaps you heard about, or were affected by, an advertisement Burger King recently released. The ad “hijacked” Google Home devices by triggering the device to read a product description of the Whopper burger, in what was otherwise a very short TV spot.
The uproar that followed criticized this marketing tactic as annoying. But more importantly, this instance highlights privacy concerns. If a creative marketing ploy can trigger IoT devices, what level of risk awaits?
For many, especially those living in or around major metropolitan areas, nearly all shopping can take place from the comfort of home thanks to convenient smartphone apps. Additionally, there is a growing trend towards IoT devices for the home that can create even more user-friendly purchase processes.
Besides the popular “personal assistant” devices, such as the Amazon Echo or Google Home, smart refrigerators and other appliances are becoming increasingly popular as well. With this growing trend towards convenience and fewer barriers, how can we remain secure as consumers? More importantly, how can software and application developers design these products to work securely for customers?
When it comes to securing our own retail accounts while using IoT devices, the unfortunate answer is that convenience means less security. Users who are worried about unauthorized people in their home making purchases on an IoT device can set a passcode to secure purchases. Additionally, did you know that you can turn off voice ordering entirely? Concerned consumers should update their account settings to include multi-factor authentication or additional checks before purchases are confirmed.
For developers working on IoT devices that will be used for online retail, the conversation goes deeper than taking steps towards more secure settings. The same holds true for companies looking to integrate their own products and services with these devices.
Conducting retail sales transactions using IoT devices presents a fundamentally different consumer culture. Retail is no longer an industry defined by the seller. Now that retailers have entered buyers’ homes through such devices, the potential for a breach feels much more personal to the victim. It also widens the attack surface. The threat of theft or fraud occurring at brick-and-mortar stores is no longer a retailer’s primary vulnerability. Instead, risk lives in every application in every buyer’s home. However, there are steps to help mitigate this risk.
Prevention is the first mainstay in developing secure applications for IoT. But how can we design security into the function of the application from the ground up?
In the case of IoT devices, putting the content behind username and password authentication will not suffice. How is input collected from the user? And how can these devices verify that the user is authorized to make these interactions with the product? Do we assume a user has control over a device meant to operate solely in their home behind a locked door? Or should we remain more skeptical and build in features to prevent unauthorized intrusions?
Options exist already, such as the passcode for Amazon’s purchases. However, technology may help us find more convenient ways of solving these issues. One suggestion is to make use of biometric voice recognition to identify who is issuing the commands. As the technology becomes more reliable, this is an example of marrying the need for security with the consumer’s desire for a more seamless process.
Unfortunately, technology must catch up with us to be able to integrate more seamless options into IoT applications and devices. In the meantime, these devices are in use and making purchases for consumers.
Even with security options available, not every user is aware or chooses to make use of them. Again, convenience surpasses security in the eyes of the average user. In many cases, it’s up to the retailer to maintain a healthy level of paranoia behind the scenes.
Additionally, connected devices helping to run our daily lives create a ton of data. This means that the industry requires more advanced techniques and tools to sift through this data now more than ever. Here are three tactics that companies can utilize to remain consistently proactive in securing their applications and devices:
Thanks to the Internet of Things, devices we all use daily are expanding the information collected about us as consumers at a greater magnitude than we’ve ever seen before. With all this extra data living on servers, in the cloud, and in transit across the network, we are creating an alluring target for would-be thieves and perpetrators of fraud against retail consumers.
Information is a valuable commodity. It’s important that we are doing everything we can to earn and maintain the trust that the consumer places in us when they make use of our applications.