Embedded Mobile and M2M: With Opportunity Comes Threat
Embedded Mobile (EM) encompasses a host of devices and services using wide-area mobile network technologies to provide communication between machines themselves (M2M) and people. It offers exciting new opportunities for operators, but at the same time means that they face exposure to fraud and security risks. In this article Simon Collins, Director of Praesidium, WeDo Technologies’ business consulting division, explains the risks EM can raise and discusses how operators should respond to them.
EM wireless devices for M2M communications are forecast to grow exponentially, with the GSMA predicting 500m connected devices with a SIM over the next 2-3 years. This new range of devices and the resulting end-to-end services will span consumer electronics, business enterprise, automotive, industrial/utilities and medical industries. The demand and requirements for this progression of service delivery are eagerly awaited by operators and other industry players, but will ultimately result in more third party deals with strategic partners, which carry risks. Telecoms fraud has steadily climbed over the years and the introduction of innovative solutions and services for M2M will serve to further fuel the greed of the criminal fraternity.
As evidenced by recent high profile fraud and security incidents and breaches, fraudsters are becoming more innovative, deploying new and more focused techniques for obtaining exactly what they want from the services and products they target, and M2M will be no exception. Communication Service Providers (CSPs) must never become complacent or forget that these highly organised groups and individuals operate their own business and need to “service” their own customers. Their business model for committing fraud spans all types of technology and crosses international boundaries, and has relied heavily on the CSPs’ inability to respond and recover in a timely manner. It is this aspect they will again look to capitalise on, making one of the essential business requirements for CSPs ensuring clearly defined fraud, security and risk protection models for M2M. CSPs must not rely simply on existing practices to protect these new and varied revenue streams but will need to consider end-to-end fraud management requirements that include the new third party relationships, extensive range of host devices, configuration requirements and mass deployment of EM devices in unguarded locations.
The risks and responsibility
As we have seen in recent years with the increased telecoms-financial sector collaboration for m-banking and m-commerce services, the position over “customer responsibility” has been unclear in certain frauds, forcing a revised consideration of ownership and accountability where third parties are concerned. The requirement for protecting the CSP will need to be further extended with M2M due to the range of new markets and business partners entering the arena – vehicle manufacturers, insurance providers, utility and medical businesses, vending machine suppliers etc. There will be associated data protection requirements from a security perspective. The attractiveness for fraudsters for example might not simply be based upon obtaining fraudulent service or avoiding payment. The risk could be extended to compromising a person’s medical records or conditions by unscrupulous insurance investigators, for example, or using vehicle tracking capabilities to identify the whereabouts of a person under some other type of investigation.
It will therefore be vitally important for CSPs to appreciate where their responsibility begins and ends for securing delivery of services they are directly responsible for providing. Recent experiences in the UK of unlawful interception of voicemail services have received very high profile and negative publicity within the media and resulted in criminal investigations.
With M2M, there could be a risk of a service being offered for “home protection”, for instance, that is compromised; allowing criminals to actually identify when the property is empty rather than secure or intercept an alarm signal and disable the transmission path. Alternatively, they may be able to obtain “footage” of a high profile customer’s home environment and sell this to unscrupulous media. Unfortunately for the CSP, consumers will only remember how the service is provided by telecoms technology (if and when compromised) and not consider that the CSP might not be the actual service provider or device owner.
Third party involvement however, although significant, is not the only root of the risks involved in M2M for CSPs. The danger of fraud and revenue loss in M2M are also driven by remote, unguarded or unattended locations, a lack of M2M device control once deployed and the fact that the device may not be as valued by and therefore looked after by the consumer as a mobile device. Moreover, if a soft device is easy to modify, with the control application as the key design purpose rather than the communications, then this is more likely to enable fraud. Lastly, when the billing model approach is different from a traditional SIM contract and M2M usage is not controlled or monitored until something actually goes wrong, then the threat of fraud going undetected and unstopped rises.
Risk management and defence
CSPs therefore will need to evaluate the level of risk by initially defining some basic areas to be subjected to a risk assessment. Considering, for example, radio interface (the communication path), provisioning, authentication (both device and customer), actual product security, attended/unattended devices, operational control, device management, privacy and confidentiality of information. The types and severity of fraud attacks for M2M will primarily revolve around the market environment the CSP operates within and will also relate to the range of products and services actually offered or being considered.
CSPs should identify within their strategy exactly what can result from failures within the technology, methods used to deploy and deliver the M2M services or avoid simply failing to evaluate the benefits fraudsters will gain from attacking the services. Unfortunately the varying level of risk means that there will be no single solution to fraud and security risk. A balanced approach taking into account technology, people and processes working together to create an effective strategy is required.
Having considered potential risks and exposure, the CSP should consider how these new threats and risks will both be defended against and detected on an on-going basis. Fraud control and detection will in certain cases be via the existing traditional methods, for example, adapting the Facilities Management System (FMS) for usage profiling, based initially on expected EM device usage and event-related or high usage profiling to identify any anomalies. Fraud and security management defences and monitoring requirements will need to be defined as an essential part of the risk management strategy but also extend beyond the more traditional methods by factoring in the way the devices and services are provisioned and offered. For example, a CSP will require the capability to detect tampering or physical removal of a device and location updates to ensure integrity of the device.
Effective fraud management relating to the envisaged changes and introduction of new risks can be a time consuming and overwhelming activity, especially for those CSPs who are not yet mature in the development of traditional fraud and security control and prevention strategies.
Moreover, the overall battle against fraudsters will never be won due to the fast moving telecoms environment and the drive to launch more complex products and services quickly to attract market share and maintain that competitive edge. This will always result in procedural weaknesses and technical risks being introduced which fraudsters will seize upon at the earliest opportunity to keep their fraudulent ‘business’ activities operational and profits high. However, CSPs can deploy various defence mechanisms to mitigate against losses and ensure fast detection by ensuring processes are continually reviewed, staff are educated in new M2M fraud trends, and new products and services are assessed for fraud and security weaknesses – all supported by state of the art technology to quickly raise alerts on suspect activity. Combined, these protective measures can go a long way to helping to fight fraudulent activity where M2M is concerned – looking after both the consumer and, ultimately, the CSP’s brand reputation.