Protecting Employees from an Online Hack via Wearable Devices

The increasingly connected world brings new conveniences that greatly benefit our everyday lives. No new connected device seems more ubiquitous than wearable devices – nearly 33 million were in use in the US in 2015 by an estimated 20 million people. Smartwatches like Pebble and Apple Watch allow us to access the internet with a flick of the wrist. Wearable health tech like the omnipresent Fitbit and the gadget-class favorite Jawbone help improve the livelihoods of millions with inspiration to move more.

As much as wearables bring value to our lives, they also create a new opportunity for criminals to extract personally identifiable information. Like many other new technologies, the susceptibility of wearables to an online hack is being exposed and potentially exploited.

Fitbit has been a popular provider for employee wellness programs. However, last year the company fell victim to an online hack that was exposed by Fortinet, whose analysts remotely accessed the device through its Bluetooth signal, loading and offloading data. They even outlined a theoretical scenario in which each infected device could then deliver malicious code onto computers with which it was synced. Fitbit responded to these accusations swiftly, refuting the suggestions and highlighting their ongoing efforts to strengthen security against such an online hack, but doubts remain.

Vulnerabilities like this are valuable for identity thieves who consistently try to assemble a comprehensive profile of a person (called “fullz” in hacker parlance). The more information that’s collected, the easier it is to identify account numbers and passwords as well as medical ID numbers and tax return data. Better understanding the individual’s routines and habits ensures that criminal activity will go unnoticed for longer periods of time.

Wearable Devices Can Expose More Sensitive Data than Many Think

But some wearable data can provide quicker wins for identity thieves:

Most wearable devices use an accelerometer and gyroscope to track forward motion and directional orientation. Some even contain an altimeter to measure altitude for hikers and climbers. All of this data is crunched into code that orients the user’s specific location and tracks their activity – sometimes down to a few inches. Shockingly, new research from the Stevens Institute of Technology found that ATM PIN codes could be discerned from the data in wearables’ sensors with 80% accuracy on one try and 90% accuracy after 3 tries.

Many more examples abound of the challenges that wearable devices bring to data security. As technology proliferates, the inescapable, increased availability of data will mean increased opportunity for identity theft.

All the while, it’s important to keep in perspective the human role of identity management in any technology environment.

A flash survey conducted by corporate identity management firm Centrify exposed some worrying trends:

• 69% of wearable device owners don’t utilize login credentials such as passwords, fingerprint scans, or voice recognition to access their device, and
• 56% of wearable owners use their device to access corporate applications such as Outlook, Dropbox, and Salesforce.

While the sample size was small, the survey was conducted at the RSA Conference, one of the world’s largest gatherings of information security professionals. If those on the frontline of data security leave their personal and corporate data at risk, it’s easy to imagine that the population at large (read: your employees) may be even less cautious – jeopardizing their identities and your corporate data security.

Securing Wearables against an Online Hack

While wearables (and all technology, for that matter) are never 100% secure, there are a number of tactics that can be undertaken by your employees to minimize the risk of data theft.

• Opt-out of automatic data transmission that will continually upload information via Wi-Fi or other networks.
• When using a Wi-Fi, stick to known and/or secure networks
• Enable passwords and change them regularly. If available, use two-step authentication.
• Physically secure the device if it’s not in use. Particularly, when traveling, utilize hotel safes.
• Take time to learn how to remotely erase data so that the device can be “cleaned” if it’s lost or stolen.
• Make sure to regularly update the operating system in order to patch known security gaps.

Additionally, it’s always a good idea to utilize proactive identity monitoring that tracks suspicious activity of information stored on wearables like credit card numbers and affinity program account numbers. This data can be bought and sold on the dark web and programs like our advanced identity monitoring scours millions of data points in these black markets and alerts you if your information is detected.

To learn more about keeping employees’ data safe request a demo.

You can also read the "Protecting Employees' Identities Series" introduction article.