The number of wearable devices is increasing exponentially, with devices such as fitness wearables and smartwatches continuing to gain market share. Tractica, a market intelligence firm, forecasted a significant increase in wearables devices by 2021, with total shipments for all wearable devices reaching 560 million and estimated device revenue $95.3 billion in 2021. Besides the typical health monitoring uses for wearables, the financial uses for wearables are broadening. For example, by using certain smartwatches, you can access your account at select financial institutions and even make payments in stores.
And as financial institutions move toward chatbots and artificial intelligence-powered assistants, banking with your wearable device will become even easier. AI-powered virtual assistants will learn your voice and behavioral patterns, and can alleviate major frustrations associated with smaller wearable devices such as typing, entering credentials and repeating commands the consumer performs often.
However, there are security concerns for wearables. As app developers create wearable-optimized versions of productivity-enhancing tools for personal and business use, and as device manufacturers race to create the latest must-have wearable gadget, security may not keep up with innovation. The increase in the number of native applications available for smartwatches will create new opportunities for fraudsters to compromise wearable devices and gain access to highly valuable personal and financial information.
From simple fitness trackers that connect to a mobile phone to stand-alone smartwatches, potentially sensitive personal and financial information is being passed to the app and manufacturer. For example, users may be asked for access to their files, location, contacts and camera, and for personal information (age, height, weight, gender, etc.), as well as financial information.
One very popular type of wearable that carries risk is the fitness tracker. While the average consumer may not recognize the risks of these devices, these wearables can collect and transmit personal data that can be compromised. A study by the University of Edinburgh showed personal information can, in fact, be easily intercepted and stolen from fitness wearables.
Wearables also create potential risks in enterprise environments. Wearables linked to mobile devices, which in turn are linked to a corporate network, open organizations up to additional risks of attack. Even though the wearable itself may not be the primary target of an attack, its link to a mobile device creates another point of entry for cybercriminals to exploit – especially since wearables security is a relatively a new frontier. Information that can be stolen and exploited includes real-time geolocation data, emails, contacts and other proprietary information on the device.
To help mitigate risks for consumers, manufacturers of wearable devices should ensure their information security professionals remain vigilant about mobile device security and acknowledge the unique risks posed by wearable devices. When partnering with security vendors, they should work with those that specialize in both mobile and wearable application security.
To protect paired mobile devices from point-of-entry attacks that originate with wearables, organizations should implement authentication protocols that leverage biometric technology, versus an ID and password combination, which is more easily compromised in mass breaches and susceptible to phishing.
Organizations that provide mobile or wearable applications for consumers should also invest in digital authentication and fraud prevention solutions. Organizations should seek to authenticate at the device level to offer the strongest level of identity verification. For example, if the wearable is paired to a mobile phone, that mobile phone has thousands of attributes that are part of the device itself and can be used to uncover and analyze risk factors that could lead to potentially fraudulent activities.
Wearable users can also take steps to protect themselves, such as:
- Opting in only for the information required for use of the app.
- Leveraging the highest level of security offered, i.e. biometrics if offered (such as facial recognition or fingerprint recognition).
- Practicing good password hygiene if passwords must be used, including not reusing passwords across multiple applications and changing passwords periodically.
- Becoming knowledgeable about attempts to phish for information from those appearing as their manufacturer. For example, users shouldn’t click on links in emails or texts unless they are sure they are from a trustworthy source.
- Downloading software updates when they are available, as many software updates patch known vulnerabilities.
One way to protect wearables paired with mobile devices is to gather intelligence on the mobile device itself. Factors can be analyzed, such as the location of the device, whether there are any fraud tools on the device, if there is any installed malicious software that is making the device appear as another device/number (“spoofing”), if there is malware present and if the device is jailbroken, which makes it more vulnerable. Other factors can be combined to create a permanent device identifier. That permanent identifier is critical because by knowing it’s a particular person’s device, it creates a trusted security token. That takes authentication to a new level by offering less consumer friction and fewer authentication steps, yet stronger security and fewer false positives.
In the future, there will be more wearables that are not paired with a mobile device. For wearables that can operate independently from paired mobile devices, the same critical authentication measures are still possible. It is possible, and important, to permanently identify a type of wearable device the same way you would a mobile device. It is a matter of gathering the right factors to distinguish the type of device (such as a smartwatch or fitness tracker) and create a unique ID. In addition, other intelligence will be available to assess the risk of the transaction or interaction.
Michael Lynch is Chief Security Officer for InAuth. He can be reached at 855-801-0774 or email@example.com.