IBM's 2017 ‘Global Cost of Data Breach’ study found that the average cost of a data breach is £2.67 million (£104 per record) and that 30% of businesses breached will be hit again within two years. With GDPR months away and other industries bracing themselves, why should the insurance industry be any different?
Over the last 3 years, iovation has seen a dramatic increase in the tools needed for Account Takeover falling into the hands of criminals. Fraudsters are mining and phishing more identity details and are even failing more when they try to get past our multifactor authentication methods. Last year our insurance clients began encountering True Identity Theft and Account Takeover, which has led to a 172% increase in reported 3rd Party Application Fraud attempts and evidence being placed. Recent iovation insurance user groups have also highlighted the topic of account takeover.
The pressure across insurers and brokers to provide their existing customers with greater online access to their products and services is driving the risk of account takeover. This means they must now look to protect their existing customers as well as stop insurance fraud upfront at quote or policy inception.
In 2018 over 80% of all retail insurance will be purchased via desktop computers, tablets or smartphones, meaning fraudsters have a variety of options when looking to utilise genuine and existing customer information in a remote environment. The standard practice for many insurers is now to set up credentials post-sale for their customers to access portals, instead of issuing and posting one-off policy documentation to a physical address. This small change has created a vault of hugely valuable information; for a fraudster, gaining access to a document portal such as this represents a huge score. With access granted they can use the data to commit insurance fraud, sell the data for other criminals to use or even commit other financial crimes such as loan or credit application fraud.
When a fraudster gains access to an insurance portal, they are also able to add additional risk, make false claims and even change policy details such as adding new vehicles, drivers or changing locations. To monetise the compromised accounts, they can then sell policies to enable either other criminals or unwitting victims to drive high-power vehicles for lower premiums (ghost broking). Fraudsters may also be involved in cash-for-crash schemes and adjust policies to maximise returns from false claims.
Insurance companies should be examining how they currently authenticate their existing users to mitigate the risks coming from compromised credentials or stolen passwords. In addition, with the GDPR deadline fast approaching, its requirements mean that access to customer information should be protected by strong (meaning multi-factor) authentication.
The best way to manage account takeover is to stop it before it happens. The key to preventing account takeover: know which customers you can trust. If you can do this, you can avoid a breach in your web properties, potential brand damage and the penalties looming with GDPR: €20 million or 4% of annual global turnover, whichever is higher.