Fraud and Chargebacks on the Internet of Things
Table of Contents
- What is the Internet of Things?
- How Can IoT Devices Cause Disputes and Chargebacks?
- How Do Fraudsters Exploit IoT Devices?
- What Can Merchants Do to Prevent IoT Chargebacks?
- Can the Internet of Things be hacked?
Imagine rigorously following the best practices for e-commerce security, using complex passwords and two-factor authentication for every site you visit—only to be betrayed by your own refrigerator. It’s not as far-fetched as you might think. As Internet of Things (IoT) devices continue to grow in popularity with customers, fraudsters are taking a long look at the ways in which these devices can be subverted and hijacked for criminal activity.
Merchants who manufacture, sell, or interface with IoT devices may find themselves facing a rising tide of chargebacks from new and unexpected sources. How do Internet of Things devices open the door to fraud, abuse, and chargebacks? Let's talk about it.
The global market for IoT devices is expected to grow by more than 10% annually over the next few years. As is often the case with new technologies, first we laugh (“does my dishwasher really need to be connected to the internet?”), then the must-have devices start hitting the market, and before you know it, they’re everywhere.
Slightly complicating matters, many devices aren’t explicitly branded as “Internet of Things” technology on the customer end. Instead, marketers emphasize how “smart” and “seamless” these devices are, de-emphasizing the fact that each device may represent a new point of vulnerability for hackers and fraudsters to breach your network and steal your personal data. These risks don’t tend to make for good marketing copy.
Unfortunately, that also makes customers less likely to be vigilant about securing these devices against outside threats. When data breaches and online fraud arrive through IoT channels, disputes and chargebacks are sure to follow.
What is the Internet of Things?
Popular IoT devices include home security systems that show you who’s at your door, personal fitness devices that track your physical activity and vital signs, smart TVs that automatically connect to streaming services, and even smart refrigerators that keep track of when you’re running out of essentials and help you shop for them.
While these devices do solicit interaction from their users, their internet connectivity is intended to be an always-on background process.
Once they’re connected, they stay connected; you aren’t supposed to have to log your smart devices in manually with a username and password every morning.
Most IoT devices connect through the owner’s home Wi-Fi network, and many need to be linked up to a customer account with the manufacturer, service provider, or a third party like Amazon or Google.
How Can IoT Devices Cause Disputes and Chargebacks?
For example, let’s say a smart TV owner tells their TV to download a movie for later viewing. The customer might believe that the film is available on a streaming service they subscribe to and no purchase will be involved. The smart TV might find that the movie is only available for purchase and buy it, assuming that was the customer's intention.
Another example would be a smart refrigerator that is set to order a delivery of eggs when the owner runs out. One day the owner buys eggs at a farmer’s market. The refrigerator fails to recognize the unfamiliar packaging and orders an unneeded extra carton.
While it might be fair to say that user error or carelessness led to the undesired charge, that doesn’t mean the customer won’t try to file a dispute. Customers often file chargebacks whenever a transaction doesn't fulfill their expectations, regardless of the cause.
That said, fraud is by far the greater danger when it comes to unauthorized transactions and the resulting chargebacks. An internet connection is just about the biggest vulnerability a system can have. In fact, the entire field of cybersecurity basically consists of efforts to defend that one vulnerability. While there are certainly many benefits to IoT technology, that doesn't mean we can ignore the risks.
How Do Fraudsters Exploit IoT Devices?
Medieval castles were designed on the premise that defending a single point of entry is easier than defending many. The same holds true for cyberattacks. A target in possession of multiple IoT devices is providing multiple points of entry for fraudsters—all they have to do is penetrate a single vulnerable device and they have access to the Wi-Fi network and all of the linked accounts.
Unfortunately, IoT’s emphasis on convenience over security means that many of these devices are highly vulnerable and difficult for owners to better secure. Some come with default passwords that can’t be changed, and even if changing the password is an option, many customers won't bother. Others may store sensitive information on internal drives, which means that fraudsters can look for discarded devices and mine them for data.
Many IoT devices run on bare-bones operating systems that lack the same security protections you find in smartphones and computers.
They operate under the assumption that no one would bother to take the time to figure out how to hack into, for example, a thermostat. Unfortunately, that assumption may not be true. In 2016, a pair of cybersecurity researchers demonstrated a ransomware attack that hacked into a thermostat and cranked the heat up to 99 degrees, then sent a message to the owner telling them to pay up or burn up.
Another known practice is for fraudsters to spoof legitimate IoT devices, tricking the owner’s network into trusting them and granting them access. Cybercriminals have been known to invest considerable time and effort into crafting spoofing devices to use against targets who possess particularly valuable data.
Once a fraudster has gained access, they can engage in account takeover attacks, steal personal data for use in identity theft schemes, or even manipulate devices into placing toll calls to operators who will give them a kickback.
What Can Merchants Do to Prevent IoT Chargebacks?
For the most part, it’s up to IoT device manufacturers to implement security features that can prevent fraud and abuse—even if it comes at the cost of some convenience and “seamlessness.” However, merchants who accept orders through IoT device connections can look for ways to screen unusual or uncharacteristic orders, and provide easy ways for customers to investigate or cancel orders placed through their devices.
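As an added illustration (not code from this article or from any particular payment platform), here is one way a merchant could screen device-placed orders against that device's own history and hold the unusual ones for customer confirmation. The `Order` record, the `screen_order` function, and both thresholds are assumptions made for the example, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class Order:              # hypothetical merchant-side record of a device-placed order
    device_id: str
    sku: str
    amount: float
    placed_at: datetime
    ship_to: str

def screen_order(order, history, early_factor=0.5, amount_factor=3.0):
    """Return reasons to hold a device-placed order until the customer confirms it.

    history holds earlier orders from the same device; the two factors are
    assumed thresholds, to be tuned against real dispute data.
    """
    reasons = []
    same_sku = sorted((o for o in history if o.sku == order.sku),
                      key=lambda o: o.placed_at)
    if not same_sku:
        # e.g. a smart TV that has only streamed before now buys a film
        reasons.append("first purchase of this item from this device")
    else:
        if len(same_sku) >= 2:
            gaps = [(b.placed_at - a.placed_at).total_seconds()
                    for a, b in zip(same_sku, same_sku[1:])]
            since_last = (order.placed_at - same_sku[-1].placed_at).total_seconds()
            if since_last < early_factor * median(gaps):
                reasons.append("reordered much sooner than usual")
        if order.amount > amount_factor * median(o.amount for o in same_sku):
            reasons.append("amount far above usual")
    if history and order.ship_to not in {o.ship_to for o in history}:
        reasons.append("new shipping address")
    return reasons

# Constructed sample: a refrigerator that has reordered eggs weekly.
HISTORY = [Order("fridge-1", "eggs-12", 4.50, datetime(2024, 1, d), "home")
           for d in (1, 8, 15)]

if __name__ == "__main__":
    early = Order("fridge-1", "eggs-12", 4.50, datetime(2024, 1, 17), "home")
    odd = Order("fridge-1", "eggs-12", 45.00, datetime(2024, 1, 22), "locker-9")
    for o in (early, odd):
        print(o.placed_at.date(), screen_order(o, HISTORY) or "ok")
```

An order that returns any reasons would be held and the customer sent a confirm-or-cancel prompt, which covers both the accidental reorder and the hijacked-device case before a dispute is filed.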
The Internet of Things is here to stay, but it may be heading for a reckoning with regard to the security risks it poses. As was the case with e-commerce in general, making it safer will be an ongoing, iterative process. Manufacturers, vendors, and merchants who are in a position to demand and implement better security protocols will have to lead the way.
In the meantime, it’s important to be aware of the risks and do what you can to mitigate them. Fraudsters never really give up and go away, but when you implement strong security measures and a comprehensive anti-fraud strategy, you can greatly reduce your chances of being targeted.