Chatbots are all the rage these days. And it’s no surprise, as they offer a method of frictionless, natural conversation between a brand and its customers, as well as the ability to improve the customer service experience without the need to augment expensive department staff.
At this point in time, while the “chat” part of the chatbot interaction may seem superficial, the seamless and ubiquitous interface promises to disrupt a range of technologies, including search engines, social networking, customer relationship management, and application development. Consumers are already using chatbots with platforms like Facebook Messenger and WhatsApp, and companies big and small are jumping on the chatbot bandwagon, rolling out functionality in their enterprise messaging apps.
Currently, the majority of questions being asked by companies about chatbots revolve around consumer adoption, such as whether chatbots meet their demand and expectation. However, businesses aren’t as focused on one of the most important aspects of the technology: security. As chatbots grow in popularity and more people use them across a variety of business sectors, more chatbots will be misused by cybercriminals looking to make a little money or flaunt their skills by laying claim to an “impressive” hack. Modern fraudsters are incredibly inventive and prepared to utilize all available technology.
Cybercriminals have a lot to gain from hacking into chatbots. For example, a consumer may use a bot to share their credit card information with merchants, or an employee might consume and upload confidential business information through a bot. Valuable, confidential data is being exchanged across bot platforms all the time, and hackers know this. In order to prevent damaging attacks that exploit chatbot infrastructures and can impact consumer and enterprise confidence, steps should be taken to make security priority number one.
Before jumping on the chatbot bandwagon
So what goes into securing chatbots? The real issue here is less about the chatbot phenomena and more about security issues in the technology, network, or platform utilized to run them. At the end of the day, a bot is just another piece of technology within the fraudster’s attack vector. It’s part of the network or platform they can already exploit.
Security needs to play a larger role in the platforms that host chatbots. It is everyone’s responsibility within the infrastructure value chain to do this, from brands like Facebook and WhatsApp to enterprise IT networks and the networks that we use to access bots.
Chatbot security = mobile network security
Perhaps somewhat surprisingly, mobile network operators play a key role in this. They can provide network reliability, global interoperability, and service ubiquity, so it’s no wonder that many chatbots are built to be accessed via mobile phones, whether through Facebook, a financial institution, or even the mobile operator itself.
Mobile users put a large amount of trust in their chosen operator network, yet mobile cybercrime is already rife and is growing more than the general public realize. This new threat of yet more potential attacks on networks and customers is even more reason that operators should take heed and do all they can now to ensure their networks are better safeguarded — not least, to protect themselves from dissatisfied customers and resulting revenue leakage.
As an example, there has been a well-known voicemail spam problem in the U.S. which appears to be generated by chatbots, but the underlying issue is that the networks and infrastructure have allowed these bots to be compromised.
Another example of bot vulnerabilities has been revealed by experts who recently managed to take over a phone, allowing them to intercept and redirect any call to that subscriber in the system. These calls could be redirected to a bot, where hackers can fake a voicemail system or, instead of a silent call termination and interception, create a phishing scam. This would be especially damaging if the target number belonged to a financial institution where sensitive financial details were being discussed or took the form of a malicious link shared with an unsuspecting customer.
Plan of action
You might ask what security options are available for this emerging tech. Here are two immediate fixes.
1. Maintain a strong back-end infrastructure
In order to keep networks clean and safeguarded from the constant barrage of assaults from cybercriminals, mobile operators must maintain a bullet-proof back-end infrastructure. Mobile operators need comprehensive network management and access, so they can control what type of traffic is acceptable and determine what is fraudulent.
2. Close SS7 Loopholes
Signaling System No. 7, or SS7, is the central nervous system of a mobile operator’s network; however, mobile operators have come to realize that the networks they used to transport messages (including those from chatbots) and connect subscribers’ calls weren’t nearly as secure as they thought. Traditional IP firewall protection methods are not sufficient to detect and resolve the large majority of SS7 vulnerabilities. Instead, a comprehensive purpose-built SS7 firewall is required.
While chatbots present exciting opportunities for mobile operators, enterprises, and consumers alike, the technology is unfortunately a ticking time bomb for opportunistic fraudsters waiting to exploit it. Mobile operators are in a position to play their part and can act quickly before this type of fraud escalates to become a mainstream issue, but it is the responsibility of everyone in the value chain to ensure that secure technologies, networks, and platforms are being used and safeguarded. It is also down to consumers to be vigilant and ensure they don’t fall victim to a seemingly friendly chatbot and end up being exploited by a fraudster lurking in the network, who views chatbots as the new number one target.
You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here