There needs to be greater awareness that cybercrime has evolved in recent years. In essence, the attack surface is now much bigger, making platform security paramount, says Andrew Wajs.
The multi-device, connected world that we are living in today has spurred broadcasters and pay-TV operators to develop a much stronger online connection to the consumer. The pay media industry is not alone in this – banks, retail stores, consumer electronics and even automotive companies are all in a battle to capture the online consumer and nurture that one-to-one relationship.
We know now that this means much more than just having a good website. It means encouraging more interaction online over every imaginable device, engaging the consumer and giving more opportunity to manage accounts and payments online. With more and more devices and even appliances around the home becoming internet-enabled and the connected car becoming a reality, the future is at our doorstep.
These changes have put increasing pressure on companies to validate that customers are who they say they are, while at the same time protecting their own infrastructure and private customer data. It’s clear to us that the connected life of consumers presents major security challenges, some of which are not being appropriately addressed.
There needs to be greater awareness that cybercrime has evolved in recent years. In essence, the attack surface is now much bigger, making platform security paramount. Any device with an operating system connected to the internet can be compromised, providing a backdoor for cybercrime. Gartner forecasts a 30-fold increase in Internet of Things (IoT) capability in such devices, growing to 26bn units by 2020.
Access points and threats
Let’s take a well-known spectre in the pay media industry, content piracy, as an example of one such vulnerability. Content piracy in itself is one of the major challenges faced by the pay-TV industry, but it also brings with it much further-reaching threats for the consumer. A recent study on illegal football streams by the BBC found that the millions of fans who access these streams are putting themselves at risk of malicious software being installed on their systems, due to the ads hosted on these sites.
In the new IoT world, a consumer’s system being breached in this way opens up a whole world of possibilities for the intruders. All of your devices, the secure payments you make and potentially even your car could be under threat!
The emergence of the dark net and its anonymity is another challenge. The so-called deep web comprises websites that cannot be found using conventional search engines, which typically function on links. The dark net is a subset of the deep web, referring to websites that have intentionally requested not to be indexed and can only be accessed by using specific software. Unsurprisingly, due to its anonymity, the dark net naturally attracts criminal activity, and we are witnessing growing demand for customer databases – including supplying compromised account credentials for subscription pay-TV services.
Pay-TV login credentials are regularly available for sale on this hidden web, and there is often no way for a subscriber to know that their account details have been compromised.
Once the credentials are bought at a wholesale rate on the dark net, they are sold for maximum profit to be used to access the original subscription package. The average price markup is 300%. That’s a tidy profit for the cybercriminals.
If this were not enough, connected devices installed in consumers’ homes are a potential vulnerability. For example, by hacking a set-top box (STB), cybercriminals can obtain sensitive information including user credentials, viewing history and billing details. Using the STB as a gateway to other connected devices expands the range of what could be obtained.
Securing the connected home – beyond media
While the user experience is key across the connected home (not just in viewing content, but in every online interaction), security is crucial in underpinning this. Protection must extend to all aspects of day-to-day life. It could be securing your credit card details when shopping online, safeguarding a remote network connection, or even protecting premium content such as a blockbuster movie.
To begin solving the web security problem, we need to first secure the point of interaction – the web browser. Using a range of obfuscation techniques, you can ensure that any interaction happening via a web browser is protected. This involves:
• Signing and verifying that the code running in a browser is the desired code
• Detecting whether the code has been tampered with and being able to take action
• Validating the application and/or server communication to prevent ‘man in the middle’ attacks
However, while security starts here, this is just the tip of the iceberg. Security of the home platform is also paramount. With an established presence in consumers’ homes and the extension of services in the age of the IoT, pay-TV operators become the gatekeepers to the home. They must combine proactive service with state-of-the-art technology in order to justify and build upon the established trust with their customers.
Taking the operator-customer relationship further
The security solution used in any connected device – be it an STB, a car or a refrigerator – must be capable of being locked down and of monitoring traffic and device behaviour. It must be able to isolate home security elements from other internet components, ensuring that weaknesses are quickly identified and addressed. A proper set of security services and technology should provide expertise to help understand where vulnerabilities fall in the overall IoT framework and, if an attack does happen, to identify it, investigate it and provide support in any prosecutions.
The trend of consumers exposing more of their personal information and lives to connected devices shows no sign of abating. By offering the technology to protect this data, any company across the spectrum can deepen existing relationships with customers while protecting personal data. Such steps will certainly serve to distinguish broadcasters and pay-TV operators looking to provide a full service to customers from those who are happy to exist only as providers of entertainment.