Fraud Prevention

Fraud Detection with the Internet of Things (IoT)

November 24, 20204 min Read

IoT fraud

I’ve been chasing bots around the Internet for over 10 years and over time, we had to evolve detection techniques in order to adapt to the complexity of the attacking botnets. Along with the complexity of the fraud detection methods, the overall Internet ecosystem has also become more and more complex, making the task of defenders more challenging than ever before. One of the major shifts I’ve seen over time is more and more devices or “things” (IoT) connecting to the Internet and needing to login to a cloud service so that the user can manage the content.

The advance of the Internet of Things (IoT)

Ten years ago, web security vendors mostly had to worry about dealing with traffic coming from web browsers, simply because mobile app traffic was not as dominant as it is today. But as new and more powerful mobile phones and tablets came out, the traffic shifted a lot more into the mobile world. In some countries like India, users have their first experience with the Internet from a mobile device. In response, web security vendors adapted to the mobile trend by offering SDK to help integrate with mobile applications. But the evolution did not stop there: along the way, more and more “things” became connected to the Internet, such as smart TVs, DVD / Blueray players, game consoles, watches, picture frames, baby monitors, cameras, printers, you name it… All these devices have one thing in common, they allow the user to login to cloud services to manage the content.

The IoT challenge for web security vendors

So, what’s the big deal? Well, the login API these “things” connect to are regularly attacked by fraudsters and when one of these accounts is taken over, the attacker can gain access to a huge amount of personal information, which may have a devastating effect on the account owner. 

Why not protect these login API with an intelligent fraud detection solution? Sure, unfortunately, it’s not that easy. First, these “things” don’t usually have the same abilities as “traditional” clients like laptops, desktops, or mobile devices and may not be compatible with products that were primarily built to interact with traditional clients. IoT devices sometimes run a proprietary operating system that may not be able to execute JavaScript, which requires web security vendors to develop device-specific SDKs. Even with devices running a mainstream operating system like Android, the interaction the user has with the device is very different: the interaction would happen from a game controller for consoles or a remote control for DVD players or smart TVs. This type of interaction may not have the same richness as the mouse movements, key presses, or touch events we’d normally collect from “traditional” devices. Assuming for a minute we can collect the characteristics of a DVD player, smart TV, or printers, there are so many vendors and models out there that it becomes very challenging to build a dictionary to validate the fingerprint of each system. Because of this, web security vendors constantly need to innovate to keep pace with consumer appetite to login from anything!

Arkose Lab’s approach to fraud detection with the IoT

Arkose labs product combines transparent detection, which helps classify the client, with enforcement challenge techniques to further validate that a human is interacting with the device. Because of the peculiar characteristics of these “things” and how users interact with them, users attempting to log in from them may be challenged more often. But at least, unlike with other vendors who only focus on transparent detection, the integration is possible providing the application running on the things can execute JavaScript. Arkose Labs currently helps a high-tech company and several gaming studios protect their login API used by printers and gaming consoles respectively from account takeover. Our development team has also experimented with a popular streaming service running from a smart TV. If you have a fraud issue on an API used by IoT devices, give us a call, we can probably help.