Embedded Mobile and M2M: With Opportunity Comes Threat

Embedded Mobile (EM) encompasses a host of devices and services using wide-area mobile network technologies to provide communication between machines themselves (M2M) and people. It offers exciting new opportunities for operators, but at the same time means that they face exposure to fraud and security risks. In this article Simon Collins, Director of Praesidium, WeDo Technologies’ business consulting division, explains the risks EM can raise and discusses how operators should respond to them.

EM wireless devices for M2M communications are forecast to grow exponentially, with the GSMA predicting 500m connected devices with a SIM over the next 2-3 years. This new range of devices and the resulting end-to-end services will span consumer electronics, business enterprise, automotive, industrial/utilities and medical industries. The demand and requirements for this progression of service delivery are eagerly awaited by operators and other industry players, but will ultimately result in more third party deals with strategic partners, which carry risks. Telecoms fraud has steadily climbed over the years and the introduction of innovative solutions and services for M2M will serve to further fuel the greed of the criminal fraternity.

As evidenced by recent high profile fraud and security incidents and breaches, fraudsters are becoming more innovative, deploying new and more focused techniques for obtaining exactly what they want from the services and products they target, and M2M will be no exception. Communication Service Providers (CSPs) must never become complacent or forget that these highly organised groups and individuals operate their own business and need to “service” their own customers. Their business model for committing fraud spans all types of technology and crosses international boundaries, and has relied heavily on the CSPs’ inability to respond and recover in a timely manner. It is this aspect they will again look to capitalise on, which makes clearly defined fraud, security and risk protection models for M2M one of the essential business requirements for CSPs. CSPs must not rely simply on existing practices to protect these new and varied revenue streams but will need to consider end-to-end fraud management requirements that include the new third party relationships, the extensive range of host devices, configuration requirements and the mass deployment of EM devices in unguarded locations.

The risks and responsibility
As we have seen in recent years with the increased telecoms-financial sector collaboration for m-banking and m-commerce services, the position over “customer responsibility” has been unclear in certain frauds, forcing a revised consideration of ownership and accountability where third parties are concerned. The requirement for protecting the CSP will need to be further extended with M2M due to the range of new markets and business partners entering the arena – vehicle manufacturers, insurance providers, utility and medical businesses, vending machine suppliers etc. There will be associated data protection requirements from a security perspective. The attraction for fraudsters might not simply be based upon obtaining fraudulent service or avoiding payment. The risk could extend, for example, to unscrupulous insurance investigators compromising a person’s medical records or conditions, or to vehicle tracking capabilities being used to identify the whereabouts of a person under some other type of investigation.

It will therefore be vitally important for CSPs to appreciate where their responsibility begins and ends for securing delivery of services they are directly responsible for providing. Recent experiences in the UK of unlawful interception of voicemail services have received very high profile and negative publicity within the media and resulted in criminal investigations.

With M2M, there could be a risk of a service being offered for “home protection”, for instance, that is compromised, allowing criminals to identify when the property is empty rather than secure, or to intercept an alarm signal and disable the transmission path. Alternatively, they may be able to obtain “footage” of a high profile customer’s home environment and sell this to unscrupulous media. Unfortunately for the CSP, consumers will only remember that the service is provided by telecoms technology (if and when compromised) and not consider that the CSP might not be the actual service provider or device owner.

Third party involvement, however, although significant, is not the only root of the risks involved in M2M for CSPs. The danger of fraud and revenue loss in M2M is also driven by remote, unguarded or unattended locations, a lack of M2M device control once deployed and the fact that the device may not be valued, and therefore looked after, by the consumer as much as a mobile device. Moreover, if a soft device is easy to modify, with the control application as the key design purpose rather than the communications, then this is more likely to enable fraud. Lastly, when the billing model approach is different from a traditional SIM contract and M2M usage is not controlled or monitored until something actually goes wrong, then the threat of fraud going undetected and unstopped rises.

Risk management and defence
CSPs therefore will need to evaluate the level of risk by initially defining some basic areas to be subjected to a risk assessment. These include, for example, the radio interface (the communication path), provisioning, authentication (both device and customer), actual product security, attended/unattended devices, operational control, device management, and privacy and confidentiality of information. The types and severity of fraud attacks for M2M will primarily revolve around the market environment the CSP operates within and will also relate to the range of products and services actually offered or being considered.

CSPs should identify within their strategy exactly what can result from failures within the technology and in the methods used to deploy and deliver the M2M services, and should avoid overlooking the benefits fraudsters will gain from attacking the services. Unfortunately the varying level of risk means that there will be no single solution to fraud and security risk. A balanced approach taking into account technology, people and processes working together to create an effective strategy is required.

Having considered potential risks and exposure, the CSP should consider how these new threats and risks will both be defended against and detected on an on-going basis. Fraud control and detection will in certain cases be via the existing traditional methods, for example, adapting the Facilities Management System (FMS) for usage profiling, based initially on expected EM device usage and event-related or high usage profiling to identify any anomalies. Fraud and security management defences and monitoring requirements will need to be defined as an essential part of the risk management strategy but also extend beyond the more traditional methods by factoring in the way the devices and services are provisioned and offered. For example, a CSP will require the capability to detect tampering or physical removal of a device and location updates to ensure integrity of the device.
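
As an added illustration (not part of the original article and not WeDo Technologies' code), the sketch below runs the kind of usage profiling, tamper and location checks described above over constructed usage records. The device classes, thresholds, record fields and the use of the IMSI-to-IMEI pairing as a sign of physical removal are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Expected behaviour for one device class (values are assumed)."""
    services: frozenset   # bearer services the device legitimately uses
    max_daily_kb: int     # ceiling on daily data volume
    fixed: bool           # True if the device is installed at one site

PROFILES = {
    "smart_meter": Profile(frozenset({"data"}), 200, True),
    "vehicle_tracker": Profile(frozenset({"data", "sms"}), 5000, False),
}

# Constructed provisioning data: IMSI -> (class, IMEI paired at install, home cell)
PROVISIONED = {
    "001010000000001": ("smart_meter", "350000000000011", "cell-A1"),
    "001010000000002": ("smart_meter", "350000000000022", "cell-A4"),
    "001010000000003": ("vehicle_tracker", "350000000000033", "cell-B2"),
}

# Constructed usage records: (imsi, imei, serving cell, service, kb, day)
RECORDS = [
    ("001010000000001", "350000000000011", "cell-A1", "data", 40, "d1"),
    ("001010000000001", "350000000000011", "cell-A1", "data", 50, "d1"),
    ("001010000000002", "359999999999999", "cell-C7", "voice", 0, "d1"),
    ("001010000000003", "350000000000033", "cell-B2", "data", 3000, "d1"),
    ("001010000000003", "350000000000033", "cell-B9", "data", 2500, "d1"),
]

def detect(records):
    """Return sorted (imsi, reason) alerts for records that break the profile."""
    alerts, daily = set(), {}
    for imsi, imei, cell, service, kb, day in records:
        if imsi not in PROVISIONED:
            alerts.add((imsi, "unprovisioned_sim"))
            continue
        dev_class, paired_imei, home_cell = PROVISIONED[imsi]
        prof = PROFILES[dev_class]
        if imei != paired_imei:                  # SIM pulled from its host device
            alerts.add((imsi, "sim_in_other_device"))
        if prof.fixed and cell != home_cell:     # fixed asset seen elsewhere
            alerts.add((imsi, "fixed_device_relocated"))
        if service not in prof.services:         # e.g. voice on a meter SIM
            alerts.add((imsi, "unexpected_service:" + service))
        daily[(imsi, day)] = daily.get((imsi, day), 0) + kb
        if daily[(imsi, day)] > prof.max_daily_kb:
            alerts.add((imsi, "high_usage"))
    return sorted(alerts)
```

Calling `detect(RECORDS)` leaves the first meter quiet, raises three alerts for the meter SIM that turned up in another device, and flags the tracker only for exceeding its daily volume, since movement between cells is expected for that class.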

Effective fraud management relating to the envisaged changes and introduction of new risks can be a time consuming and overwhelming activity, especially for those CSPs who are not yet mature in the development of traditional fraud and security control and prevention strategies.

Moreover, the overall battle against fraudsters will never be won due to the fast moving telecoms environment and the drive to launch more complex products and services quickly to attract market share and maintain that competitive edge. This will always result in procedural weaknesses and technical risks being introduced which fraudsters will seize upon at the earliest opportunity to keep their fraudulent ‘business’ activities operational and profits high. However, CSPs can deploy various defence mechanisms to mitigate losses and ensure fast detection by ensuring processes are continually reviewed, staff are educated in new M2M fraud trends, and new products and services are assessed for fraud and security weaknesses – all supported by state of the art technology to quickly raise alerts on suspect activity. Combined, these protective measures can go a long way towards fighting fraudulent activity where M2M is concerned – looking after both the consumer and, ultimately, the CSP’s brand reputation.

