The 3 R’s of M2M
The statistics are astounding. The predictions for future adoption and revenues from machine to machine (M2M) technology nearly boggle the mind. Devices in the billions, revenues in the hundreds of billions. No matter how you define M2M, the uptake and revenues look very promising.
Any service that expands quickly will have growing pains and certain functions will need to play catch up. Small issues that while manageable on a small scale tend to break down when the scale is increased. M2M and fraudsters are most likely in this category. Devices that are physically removed from constant human presence and are in unsecured locations provide fraudsters with an opportunity for acquisition. In addition, these devices being part of a network provide additional opportunities for fraudsters. Many of the fraud cases to date have been with the stealing of Subscriber Identity Module (SIM) cards from unattended devices, plugging them into devices that allow the fraudster to make calls. Cases, such as fleet monitoring devices, traffic lights, vending machines and others have fallen prey to this. The only key is that fraudsters figure out where they are and have the tools required to gain access to the SIMs. Although network providers often have the ability to limit SIMs to only make calls, and not send text messages or use data access, they are often not able to prevent calls from happening when plugged into a device. This provides fraudsters a way to make calls by simply using a screwdriver at the correct target.
Other types of fraud are likely to become more relevant. Downloading malware onto a device either via direct physical connection or through the network that an M2M device is connected to will enable the fraudster to take over the device. This could enable the fraudster to change the behavior of the device. Imagine a security system that suppresses notification of intrusion or a traffic light that changes based on the desire of the fraudster, which could either create traffic jams or a dangerous free for all. An M2M device could also be used for its Internet connectivity to launch Denial of Service (DoS) attacks and try to hack into Internet sites with no tie back to the actual fraudsters.
Internal fraud is also a large worry about M2M services and devices. Employees have access to generate orders and employees and in some cases third parties have access to the devices and SIMs cards and may steal or route them to fraudsters. Once SIM cards have been acquired, then they can be used for similar purposes as described above.
A comprehensive strategy to prevent fraud in M2M services has three main facets. The first facet in limiting fraud is to put the appropriate internal controls around ordering, fulfillment and distribution of devices, including channels. These controls need to limit or eliminate the possibility that fraudsters will gain access to devices without them being deployed for their specific purpose. The second facet is to restrict as much as possible the activities that a device is able to perform. Some networks do not allow for voice calls to be prevented, but certainly international calls can be disabled. Also, data access is a required service for M2M, but restricting data to certain bandwidths or URLs can be effective at preventing fraud. The final facet is setting up a monitoring system to look for activity beyond the norm for a device, variation from historical patterns or activity that is similar to prior frauds that have been detected.