Common attacks on insurtech and insurance apps: What you need to know
Consumers are turning to digital channels and apps more than ever before to complete daily tasks, and the insurance industry is seeing the same trend.
Let’s take a look at some of the risks you may face in the insurance sector.
Mobile apps: The risks
As more people use apps for their insurance needs, large amounts of valuable information end up concentrated in those apps. Medical information, addresses, account numbers, SSNs and the like are far more valuable on the black market than the average credit card number, since a credit card can be canceled. Personal information is usually permanent, and criminals can use it for fraud and other schemes.
With the large amount of information contained in the apps, it’s not particularly surprising that cybercriminals are targeting insurers and mobile apps.
Just recently, in 2021, the New York Department of Financial Services fined multiple insurers for breaches and noncompliance. Fines aren’t the only punishment for leaky insurers either. If companies are found negligent in protecting their mobile app, successful attacks often result in lawsuits.
Apps can be attacked in a multitude of ways, but there are six main ways the attacks occur. If proper steps are taken to protect consumer information, a vast majority of attacks will be unsuccessful.
1. Stealing personal policyholder information
Things like full legal names, marital status, date of birth, and social security numbers are often stored on insurance mobile apps. There can even be a driver’s license with car information (VIN, license plate number) stored on them.
To protect this data, the app needs to encrypt it using AES-256 or a similarly strong cipher. Encryption shouldn’t stop at stored policyholder data, however; it should also cover the data the app exchanges with its APIs. If things like tokens, URLs and passwords aren’t properly secured, cybercriminals can easily use them to access the insurer’s system.
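As an added example (not code from the article), here is how a Go component could seal a locally stored policyholder record with AES-256-GCM. The authentication tag means a modified record, a wrong key, or a record swapped between policies is rejected instead of being decrypted to garbage. The sample record and the policy-id associated data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample of the policyholder fields the article lists.
const SamplePolicyholder = `{"name":"Jane Sample","dob":"1980-01-02","ssn":"000-00-0000","vin":"1HGCM82633A000000"}`

// NewKey draws a random 256-bit key. A shipping app keeps it in the Android
// Keystore or iOS Keychain, never in app storage or source code.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// newGCM accepts only a 32-byte key, so the cipher is always AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail once the key size is checked
	return cipher.NewGCM(block)
}

// Encrypt prepends a random 12-byte nonce to the GCM output. The GCM tag covers
// the ciphertext and aad (here a policy id), so altering either fails Decrypt.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt splits off the nonce and verifies the tag before returning plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}
```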
2. Location information
Insurtech and insurance apps track location data for many reasons, including things like driver behavior to provide discounts or to activate or deactivate coverage based on location.
By rooting (Android) or jailbreaking (iOS) a device, hackers gain elevated privileges that let them control the operating system and access location data. Apps should be able to detect when the device is jailbroken or rooted and shut down, so that sensitive data is never stored in an unsafe environment.
3. Keyloggers and overlays
The latest malware can trick users by presenting a fake screen over an insurance app, making the user think they’re entering their data into a trusted source. Malware steals data this way and can use it to take over accounts and commit other malicious acts.
Keyloggers work similarly but run in the background, recording every key entry a consumer makes in an application. Mobile apps need to detect these attacks and stop operating while they are in effect, protecting the user and their data.
4. Intercepting data through transactions
Many insurtech apps allow policyholders to pay for coverage as they need it, adding coverage as they go. While this is a great feature, it also makes these apps vulnerable to attacks on payment information. To protect payment data, all of it must be encrypted at a level that complies with the PCI (Payment Card Industry) standard.
If an insurer is found to be in violation of PCI compliance, fines and even the loss of ability to accept credit cards as a payment type may result.
5. Abuse of static and dynamic analysis tools
Software developers use static and dynamic analysis tools to debug and complete other important tasks during software creation, but cybercriminals can use the same tools to discover an app’s internal logic. The insights enable them to create polished, targeted, and highly effective attacks not only on the apps, but also on the apps’ back-end services.
Obfuscating the binary code will help prevent reverse engineering, while added shielding with anti-debugging, anti-reversing, and anti-tampering protections will strengthen the app’s defenses.
6. Network attacks
Many mobile apps from both insurtech and insurance companies communicate using TLS 1.1 or plain HTTP, neither of which is particularly secure. Both allow cybercriminals to perpetrate “man-in-the-middle” attacks on data while it’s being transmitted, stealing and even altering it mid-stream. To protect against such attacks, developers should implement TLS version enforcement, TLS 1.3, secure certificate validation and malicious proxy detection.
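An added example (not from the article): a Go client tls.Config that enforces TLS 1.3 as the minimum version, keeps the standard certificate chain and hostname validation, and adds SPKI pinning so that an interception proxy presenting a different key is rejected even if its CA was installed on the device. The server name and pin values are placeholders supplied by the caller.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// SPKIPin is the lowercase hex SHA-256 of a DER SubjectPublicKeyInfo, the usual
// pinning target because it survives certificate reissue for the same key.
func SPKIPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}

// PinMatches reports whether the key's pin is in the set the app shipped with.
func PinMatches(spkiDER []byte, pins []string) bool {
	want := SPKIPin(spkiDER)
	for _, p := range pins {
		if p == want {
			return true
		}
	}
	return false
}

// NewClientTLSConfig makes TLS 1.3 the floor and keeps Go's normal chain and
// hostname validation (InsecureSkipVerify stays false). VerifyPeerCertificate
// runs after that validation and adds pinning, so a proxy whose CA was pushed
// into the device trust store is still rejected. pins are placeholder values.
func NewClientTLSConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS13,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if !PinMatches(leaf.RawSubjectPublicKeyInfo, pins) {
				return errors.New("certificate pin mismatch: possible interception proxy")
			}
			return nil
		},
	}
}
```

Ship at least one backup pin for the next key so a planned rotation does not lock users out.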
In conclusion
Both insurtech and insurance industry members have a great chance to grow and improve consumer satisfaction with mobile apps. These apps must be secure or a cybercriminal is waiting in the dark to execute their next attack. Securing against these threats will help ensure the safety of everyone and their data while building a foundation for digital expansion.