The Daily Swig Web security digest

Fitbit applies ‘multifaceted approach’ to cybersecurity

James Walker | 27 February 2018 at 12:05

Fitbit’s director of brand protection, Brett Millar, provides some insight into how the company is tackling cybersecurity issues in 2018.

Since its formation more than a decade ago, Fitbit has grown to become the world’s most recognized developer of wearable activity tracking devices, and a leader in a consumer retail segment estimated to be worth $26.4 billion in 2018.

While the San Francisco-based company continues to ride the wave of popularity among today’s increasingly health-conscious consumers, Fitbit’s ubiquity makes it a prime target for criminals looking to leverage the brand’s popularity for illicit purposes.

As is the case with market leaders across all verticals, brand protection is a key concern for Fitbit. And although criminal activity in this field often relates to the counterfeit goods supply chain, Brett Millar, director of global brand protection at Fitbit, said cybercrime is a growing threat.

During a recent conference call hosted by UK security firm Digital Shadows, Millar provided some insight into the different ways in which Fitbit approaches brand exposure challenges in 2018.

“In terms of emerging threats, we are seeing many changes within our function, which deals with traditional brand protection and counterfeit-type activities, as well as fraud activities,” he said.

“The other threat that is emerging is from the realm of eCommerce and cybercrime-related problems.”

Assessing the threat landscape

As with many other electronic products on the market today, Fitbit’s range of IoT-enabled devices is tied directly to a user account identified by the owner’s email address and password.

Unfortunately, Millar said many people continue to use the same email address and the same password across multiple different accounts.

“Though Fitbit has not detected any direct customer data breaches, we are sometimes affected by larger breaches that have occurred – for example, Yahoo! and LinkedIn – wherein the cybercriminals get hold of these accounts and conduct account stuffing,” Millar said.

“The information [from successfully compromised accounts] is aggregated into certain fraud schemes and sold off to parties on the dark web, which then facilitate fraud.”

According to Millar, domain spoofing is another growing concern for global brands such as Fitbit. “Generally, criminals are advertising over social media to drive people to these lookalike sites, which are nothing more than facilitations for identity theft and credit card fraud,” he stated.
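The lookalike sites Millar describes are usually registered under a name that resembles the brand: a typo, a digit or Cyrillic letter standing in for a Latin one, or the brand name embedded in a longer hostname. The following is an added example (not Fitbit’s or Digital Shadows’ tooling) that scores candidate hostnames against a brand name. The brand name, the single legitimate domain and the homoglyph table are illustrative assumptions; a real deployment would use the Public Suffix List to find the registrable label and a full confusables table.

```python
"""Score hostnames against a brand to find lookalike (typosquat/homoglyph) domains.

Added example, not Fitbit's or Digital Shadows' tooling. The brand name and
legitimate domain list are illustrative inputs; the homoglyph table is a
small hand-picked subset, not a complete confusables list.
"""
import unicodedata

BRAND = "fitbit"
LEGIT_DOMAINS = ("fitbit.com",)  # assumption: only this domain is treated as legitimate

# Characters attackers swap for Latin letters: digits, dotless i, Cyrillic lookalikes.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0131": "i",  # dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
})
# Multi-character confusions that a per-character table cannot express.
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label):
    """Map a DNS label to the Latin string it is meant to look like."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # decode punycode to Unicode
        except UnicodeError:
            pass  # malformed punycode: score the raw label instead
    label = unicodedata.normalize("NFKC", label).lower()  # e.g. ligature "ﬁ" -> "fi"
    label = label.translate(HOMOGLYPHS)
    for pair, single in DIGRAPHS:
        label = label.replace(pair, single)
    return label


def levenshtein(a, b):
    """Edit distance; one keystroke away from the brand is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, brand=BRAND, legit=LEGIT_DOMAINS):
    """Return a short verdict for one hostname."""
    host = hostname.strip().strip(".").lower()
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate"
    raw_labels = host.split(".")
    labels = [normalize(label) for label in raw_labels]
    # Registrable label (naive: second-to-last). Production code should use
    # the Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    raw_reg = raw_labels[-2] if len(raw_labels) >= 2 else raw_labels[0]
    reg = labels[-2] if len(labels) >= 2 else labels[0]
    if reg == brand:
        return "brand under other TLD" if raw_reg == brand else "homoglyph"
    if any(brand in label for label in labels):
        return "brand embedded"  # fitbit-support.com, fitbit.com.verify.net, ...
    distance = levenshtein(reg, brand)
    if distance <= 2:
        return f"typo (edit distance {distance})"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates, as a new-domain feed or CT log would supply them.
    for name in ("www.fitbit.com", "fitbit.net", "f\u0131tbit.com", "fitbit-support.com",
                 "fitbit.com.account-verify.net", "rnyfitbit.com", "fitbot.com", "example.com"):
        print(f"{name:32} {classify(name)}")
```

In practice the candidates come from a feed of newly registered domains or from Certificate Transparency logs, and the “brand embedded” verdict needs an allowlist of partners and resellers that legitimately use the brand name in their hostnames.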

Discussing the company’s efforts to mitigate these threats, Millar said Fitbit has adopted a “multifaceted approach” in order to scupper the activities of criminals operating online.

“Essentially, you want to identify these potential issues as they come up and stop them before an actual fraud is committed,” he said.

“When it does rise to the occasion where it is a significant loss to the company, that’s when it lands onto the plate of my team within Fitbit, where we then conduct the investigation and make a determination as to whether or not we are going to take civil or criminal action against the parties involved.”

“Each one is integral in terms of thwarting this type of activity and threats against your company.”

Tracking criminal behavior

When it comes to the identification of cybercrime activity, Millar said there are a number of products on the market that allow brand owners or potential victim companies to identify threats at an early stage.

“That may be because those security companies are crawling the dark web for potential threats against your company, or they may have certain indicators within their algorithm where they are identifying when multiple user accounts are being used for, say, service abuse, account ordering, or something that would be indicative of fraud.”
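The “indicators” Millar refers to are, for the credential stuffing he described earlier, quite concrete: one source hammering many different accounts in a short span with mostly failed logins, where the occasional success marks an account whose reused password the attacker has just validated. The following is an added example (not Fitbit’s or Digital Shadows’ code) that runs that check over a few constructed authentication log lines; the one-JSON-object-per-line log format and the field names are assumptions.

```python
"""Detect credential stuffing in authentication logs.

Added example, not Fitbit's or Digital Shadows' code. The log format is an
assumption: one JSON object per line with ts, ip, user and result fields.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. 203.0.113.7 cycles through six different
# accounts in a few seconds with mostly failed logins (and one hit);
# 198.51.100.4 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
{"ts": "2018-02-20T10:00:01Z", "ip": "203.0.113.7", "user": "alice@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:02Z", "ip": "203.0.113.7", "user": "bob@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:02Z", "ip": "203.0.113.7", "user": "carol@example.com", "result": "success"}
{"ts": "2018-02-20T10:00:03Z", "ip": "203.0.113.7", "user": "dave@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:03Z", "ip": "203.0.113.7", "user": "erin@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:04Z", "ip": "203.0.113.7", "user": "frank@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:05Z", "ip": "198.51.100.4", "user": "grace@example.com", "result": "fail"}
{"ts": "2018-02-20T10:00:09Z", "ip": "198.51.100.4", "user": "grace@example.com", "result": "success"}
{"ts": "2018-02-20T10:01:00Z", "ip": "192.0.2.9", "user": "heidi@example.com", "result": "success"}
"""


def parse_log(text):
    """Parse JSON-per-line log text; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _when(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect_stuffing(events, window_seconds=60, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that, within any span of window_seconds,
    try at least min_accounts distinct accounts with a failure ratio of at
    least min_fail_ratio. Successes inside such a window are accounts the
    attacker has just validated; they are listed for forced password resets."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_when)
        start = 0
        for end in range(len(evs)):
            # Slide the left edge so the window spans at most window_seconds.
            while (_when(evs[end]) - _when(evs[start])).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if e["result"] != "success")
            ratio = fails / len(window)
            if len(users) < min_accounts or ratio < min_fail_ratio:
                continue
            best = flagged.get(ip)
            if best is None or len(users) > best["distinct_accounts"]:
                flagged[ip] = {
                    "distinct_accounts": len(users),
                    "fail_ratio": round(ratio, 2),
                    "compromised_accounts": sorted(
                        e["user"] for e in window if e["result"] == "success"),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Keying on the source IP alone is the weakest form of this check: stuffing tools rotate through proxy pools, so production detectors also group by user agent, ASN and TLS fingerprint, and compare the failure ratio against the site’s normal baseline rather than a fixed threshold.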

In addition to the myriad corporate cyber-challenges faced by brand owners, Millar said manufacturers of IoT-enabled devices are also confronted with the issue of balancing security and user convenience.

Speaking to The Daily Swig via email after his presentation last week, Millar said: “Given that most IoT devices were originally designed with single-factor authentication for the very purpose of ease for customers, implementing process changes is difficult.

“This is even more challenging to implement if you already have a large, established customer base and are looking to move to two-factor, or multi-factor authentication.”

Millar added: “Often these security or authentication enhancements tend to be reactive versus proactive, [often occurring] after a significant data breach or fraud has been perpetrated against a company.”

For the Fitbit director, however, issues surrounding convenience and cost are ultimately mitigated by the “potential of economic loss associated with not implementing this type of security”.

“A good example of this is the potential penalties associated once GDPR goes into effect in the EU, where the potential penalties of customer data breaches far outweigh the cost and convenience of not implementing enhanced account security,” said Millar.