9/27/2018

Tom Heintjes: Hi, and thanks for coming back for another episode of the Economy Matters podcast. I'm Tom Heintjes, managing editor of the Atlanta Fed's Economy Matters magazine, and today we're joined by Dave Lott, a payments risk expert at the Atlanta Fed's Retail Payments Risk Forum. Great to have you with us, Dave.

Dave Lott: Thanks, Tom—glad to be with you.

Heintjes: Dave recently wrote a very interesting post for Take On Payments, which is his department's blog. The post was titled "Attack of the Smart Refrigerator." The title of it of course drew me right in, and in the post he discusses what we've come to call the Internet of Things—which is kind of a catchall term for the devices that send and receive information wirelessly and make our lives easier without us having to take any action. Does that sort of capture what the Internet of Things is, Dave?

Lott: That's a great description, Tom. Most people are familiar with the consumer devices, such as the wearable fitness trackers, things of that nature. But also there's a big market in the medical field—things like pacemakers and other implanted devices—as well as in the industrial field, for sensors. Gartner estimated that there are about eight billion "Internet of Things" devices globally in 2017, and it's expected to increase up to 20 billion by 2020, so it's a growing field, for sure.

Heintjes: Yes, to say the least. Well, Dave, I found your post really thought provoking and wanted to get you on the podcast to discuss the security issues surrounding this so-called Internet of Things [IoT], what we need to be aware of, and so forth. So let me start off by asking you—as a payment security expert, what first piqued your interest in this topic?

Lott: Well, at the Payments Risk Forum we are always looking at things that could possibly impact payment security—fraud incidents, things of that nature. And with all the news about cybersecurity, most people understand about potential attacks against their computers and their Wi-Fi networks, but they really don't understand with regard to these IoT devices—some of which are more convenience-oriented, in their view, and not really focused in on the security aspect.

Heintjes: Well, that actually leads me nicely to my next question, which is, do you think that people consider the relevant security issues when they begin surrounding themselves with smart appliances and other IoT devices? Is that something people are aware of?

Lott: I don't really think so. I think that the driving force behind the purchase and acquisition of these devices is really convenience, and they don't really stop to think about the security aspects—being connected into their Wi-Fi network, or somehow connected.

Heintjes: Well, I know I don't always think of these things, because in your post you wrote about things like baby monitors and wireless routers—things that are hardly exotic or unusual, things I've used in my own personal life. Is the security risk more widespread than most of us realize, even if we don't own something like a refrigerator that automatically orders a gallon of milk for us when we get low?

Lott: I think that the real concern in the industry today is really due to the exploding acquisition of these devices—as I said, on the consumer side as well as industry-specific. We've all read the stories about the driverless cars, and things of that nature. But let me give you an example of the risk. Back in 2016—

Heintjes: Not that long ago.

Lott: Not that long ago, there was a botnet attack against a major domain name system provider—that is a company that provides the link of: when you type in a certain company name, "w-w-w dot such and such," it knows where to go to get to that company's website. But this botnet attack brought down the websites of at least 80 major companies, including Amazon, Netflix, PayPal, Starbucks, and others.

Heintjes: Wow, real household names.

Lott: The botnet, that was controlled by criminals, consisted of a network of millions of IoT devices—such as printers and laptops and cameras, baby monitors, routers, things of that nature—in order to sustain this attack of sending hundreds of millions of messages to these websites that, in essence, either brought them down completely because they weren't able to handle that amount of traffic, or it blocked legitimate users from accessing their sites. So it is a very real and serious security issue.

Heintjes: So in that case, the IoT was kind of a backdoor to a much greater malfeasance?

Lott: Right, and that's what the real concern is—that there are some IoT devices—such as the wearables, the fitness trackers, things of that nature—which have strong security built into them, and certainly sensors in the driverless cars, things of that nature—very high security. But you get other devices that are very low cost, have little if any security, and if that is the device that can be used to access the other devices in the network, that's the weak link in the chain.

Heintjes: Well, you mentioned common devices that we all take for granted. From a security standpoint, can you cite some examples of the Internet of Things having an impact on people's lives in a way they didn't intend, perhaps?

Lott: Well, one incident that recently occurred where security of the device was not compromised, but it's where the data that was collected on that device led to the threat, and that was through wearable devices. And that information about where the individuals jogged or ran was uploaded to a company that would provide that information to the individuals so that they could keep track, but all of that information was consolidated as well, and there was concern that terrorists—particularly in locations around military bases, and things of that nature—could see some common routes that the soldiers would take in their runs, and things of that nature, and use that to target them.

Heintjes: There must be some sort of standard for data encryption for these appliances and these network devices. Is this sort of encryption able to stay ahead of the bad actors?

Lott: Well, having minimal security standards certainly would be a big step forward, but currently it's very fragmented within the industry. Certainly there are encryption standards dealing with data transmission from the device to other devices that are connected on the network. But again, the level of security within those devices varies greatly from one type of device to another.

Heintjes: And I guess staying ahead of the bad actors is an ongoing effort: you can never become complacent or stop thinking about it.

Lott: No, it's always trying to stay one step ahead, and that's becoming more and more of a real challenge.

Heintjes: Right. Well, Dave, let me ask you if you yourself have these devices in your own home. I assume you do—we all have wireless. What has your own experience been, and what safeguards do you take in your own life?

Lott: Well, I don't have a smart refrigerator or rice cooker, but I have an Alexa voice-assisted device, as well as a connected thermostat and weather station, as well as my laptops and printers and things of that nature. I really break down the security that we use into two levels: one is the device security, such as—for routers—making sure that you update the firmware in the router when that becomes available, to stay on top of virus protection, things of that nature, changing passwords on that from what the factory settings were, things of that nature. And then at the network level, making sure that I'm careful, if I'm in a public place, if using a Wi-Fi that has open access, of what's being used there.

Heintjes: Right, coffee shops and so forth.

Lott: Things of that nature, as well as at home. Have a secured Wi-Fi network there.

Heintjes: Well, you mentioned one of those voice-activated devices—which I don't own, but I know Siri and Alexa are very common, and Google Home. Do they pose challenges that are different from what we're talking about today, or are they sort of lumped into the Internet of Things?

Lott: They're very similar. Each of those devices has different security features that the user can enable to provide a little bit better protection. I can tell a personal, interesting story in that about a year ago my six-year-old nephew was able to order a hundred boxes of frozen pizza through our voice-assisted device. Fortunately, we had the safeguard of any purchases had to be validated through a second source, and so when my wife got the email she was able to put a stop to that purchase. [laughter]

Heintjes: Lesson learned!

Lott: That's right! But there are those things. People are concerned about those voice-assisted devices in terms of listening in, and things of that nature. But again, if you go to the user manual you'll see that there are a number of things that can be done to improve the security, and safeguard those concerns.

Heintjes: Dave, considering everything we've talked about so far, what can we as consumers do both to take advantage of these conveniences, yet maintain our information security? Is there an inherent tension there, or what tips would you give a consumer of, say, average technical proficiency?

Lott: Well, the best advice I can give is for the individual to understand what security features are available through the device—to understand what options are available—and then they can decide which ones would be a trade-off, if any, between convenience versus security, so that they can set that level that they're comfortable with. Certainly, as I mentioned before in terms of changing passwords, using secure networks, things of that nature, are kind of the basic minimum that I would recommend.

Heintjes: Dave, as a payments risk expert, what is your main interest, or what do you observe most closely in this arena?

Lott: Well, again, it goes back to: what is the threat? Our focus really is on the consumer side, but these devices are being more and more put into businesses, whether it be through security cameras, you have the printers, and the desktops and laptops, things of that nature, and so we're constantly looking and advocating security standards in order to provide that minimal level of security to all of the stakeholders there in order to prevent fraud. Because if we have fraud, not only is it a major inconvenience to the individual, but certainly there's generally financial loss associated somewhere in the payment chain as well.

Heintjes: The way these things are proliferating, I hope we can have you back on in the near-term future and talk about this subject again, because I'm sure it's going to be an ongoing thing for us to revisit.

Lott: I think it's going to become more and more of an interest to all segments of the payment industry, as well as the business industry as a whole, as it continues to grow and grow.

Heintjes: So we'll have you back on—that's a "yes," right?

Lott: Absolutely—I'll look forward to it.

Heintjes: Okay, great. Well, this has been a really fascinating conversation, and I can't help but think that the topic of security in our internet age will only become more relevant as these devices become more and more embedded in our lives, so thank you for your willingness to come talk to us today. This has been great.

Lott: Glad to be here.

Heintjes: Again, I'm Tom Heintjes from the Atlanta Fed's Economy Matters online magazine, and I hope you'll join us next month when we sit down with Atlanta Fed economists Kris Gerardi and Scott Frame, when we discuss their research into the role of subprime borrowers in the housing crisis. Were these the main drivers of the crisis, or were they convenient scapegoats for it? You'll have to join us next month to find out! Thanks for spending time with us today, and come back next month.