‘Cyber-attacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels,’ says professional services giant Deloitte in its Cyber Executive Briefing.
Cloud security website CloudSecureTech agrees: ‘Hackers are increasingly targeting insurance companies with the aim of stealing customer information that they can use for insurance fraud. Interestingly, hackers have identified the insurance industry as one which handles extremely sensitive information, yet has put in place few measures to effectively safeguard itself and its customers from cyber-attacks.’ [2]
Why is this happening when elsewhere in financial services banks are busily sharpening up their act, implementing Strong Customer Authentication (SCA) as required by the EU's revised Payment Services Directive (PSD2)? Those in charge must surely know the costs and penalties. In 2018 the global cost of cybercrime was circa $600 billion. The average cost of a data breach in the UK in 2019 was $3.88m (up from $3.68m in 2018), according to a report by IBM Security and the Ponemon Institute [3].
The same report put the average cost per lost record at $150, and the average time taken to identify and contain a breach at 279 days. Meanwhile GDPR fines, as is well known, can reach 4% of global annual turnover (or €20m, whichever is higher), which could cripple many in the insurance sector. However, the impact of an attack is not felt only in costs and penalties, but also in the extra time staff must spend dealing with the breach, damage to the brand, loss of credibility and goodwill, and lost future business.
The reason insurance companies have become such a target is clear: with so much of their business now conducted online, they hold large amounts of personal data, which is hugely valuable to identity thieves and fraudsters. And it is not only existing customers' data that goes missing. When an American insurer lost a million records to hackers (including driver's licence and social security numbers), those affected included both actual customers and people who had simply asked for quotes.
After assisting in the clean-up, a team of investigators from Deloitte concluded: ‘As attackers learn to leverage encryption and other advanced attack techniques, traditional tools such as firewalls, antivirus software, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are becoming less and less effective.
‘As a result, many insurers may be misallocating their limited resources to address compliance-oriented, easily recognised threats while completely overlooking stealthy long-term threats that ultimately could be far more damaging.’
A good start is ensuring that the company knows exactly who is logging in, whether staff, customers, prospects, contractors or suppliers. Passwords can no longer be trusted to strongly authenticate users: a fixed login string may have been stolen or shared, so whoever presents it is not necessarily the account holder. Something far more precise is required, giving confidence that the ‘correct’ person is entering your system. Yet the message about the inadequacy of passwords seems to be taking a while to permeate UK boardrooms. According to the 2019 Verizon Data Breach Investigations Report (probably the most authoritative research on the market, published annually), the use of stolen credentials is still the most common hacking technique seen in breaches.
After all, a hacker simply has to get hold of a user's password, via any of the tools criminals currently have at their fingertips (malware, phishing, social engineering and shoulder-surfing, to name just four), and thereafter it is as though they have been given a front-door key to your systems. They can come and go as they please, with no one able to tell whether it is the legitimate user or a criminal entering the system. A password is, after all, just a single ‘factor’ or ‘credential’, and there is no way of telling who is using it. (The same problem arises when colleagues ‘share’ passwords for the sake of expediency: again there is no way of telling who used the credential to gain access.)
Many experts still advise using password managers (in effect databases of passwords) with one ‘master’ password protecting all the others. But all those individual strings of characters are still fixed passwords at the end of the day, and still vulnerable to being captured and replayed. Others preach longer, more complex passwords, whole ‘pass-phrases’, or simply ‘password hygiene’. None of this protects against keylogging malware able to record everything the user types, or against data breaches in which password databases are stolen and sold on, on an industrial scale. With respect, programmes like Cyber Essentials take companies through the basics, but may lull them into a false sense of (cyber) security thereafter.
The standard remedy is to require a second factor, or a second step, at login; these are termed respectively two-factor authentication (2FA) and two-step verification (2SV). Unfortunately implementing either tends to add complexity and friction, as well as increasing costs and the burden of administration. It may be useful at this point to examine the standards used by the Government for its ‘GOV.UK Verify’ scheme [4], designed to allow citizens to log in securely to bodies such as HMRC. These are set out in ‘Good Practice Guide’ 44, or GPG 44 [5] for short. Under GPG 44 there are three levels. Level 1 relates to the use of a single factor, typically a password, and as we have seen the problem with a single factor is the lack of assurance that the legitimate account holder is the one using it. Level 2 therefore requires ‘sufficient confidence that the credential is being used by the legitimate account holder’. Level 3 is in reality an enhanced version of Level 2, insisting that such a system can ‘protect the transaction from attacks where the credential may have been compromised’.
It also states that the credential should be ‘bound to its owner’, though what this means is left slightly vague, and arguably a device such as a key fob or phone is not really ‘bound’ to its owner at all, since either can easily be stolen. At one time it was thought the perfect solution for SCA might be to send one-time codes to users' mobiles via SMS. However, it was then realised that SIM-swap fraud and mobile account takeover had undermined the security of such solutions, as the US standards body NIST pointed out in 2016 when it deprecated SMS as an out-of-band authenticator in its draft of SP 800-63B.
Another critic of SMS-based two-factor was the security firm Kaspersky, in an October 2018 blog [8] which pointed out that an alternative is provided by the likes of Google Authenticator, where the user's phone runs software that derives a series of one-time passcodes from a shared secret and the current time (TOTP). Again though, the same problems arise if the phone falls into the wrong hands, or its battery fails, and so on. However, the real ‘elephant in the room’ with device-based two-factor in all its forms is that many people simply do not like it, and take-up has been poor. A Google engineer revealed at a conference in early 2018 that fewer than 10% of active Google accounts had two-step verification enabled, despite Google Authenticator having been available since 2010 and being a favourite of many techies. At least one IT company has also told us that many of its clients' end-users flatly refuse to use their own mobiles for anything to do with workplace security, leaving employers with the choice of providing phones or finding another way.
Some experts still believe biometrics holds the answer, because ‘immutable’ characteristics like fingerprints, face shape or voiceprints cannot be changed, meaning authentication systems built on them hold the future of authentication in their hands (literally!). The trouble is that biometric matching is at best probabilistic (a reader reports a similarity score against a threshold, trading false accepts against false rejects, never a certain match), and our biometric credentials are constantly being exposed: every door handle and every drinking glass carries your fingerprints. There is also a great deal of consumer software, built for entertainment, that can modify or swap faces in images and video. And immutability cuts both ways: a compromised password can be reset, a compromised fingerprint cannot.
But the true body blow to biometrics came in late 2019, when Chinese security researchers demonstrated at a conference that fingerprints lifted from a drinking glass could be used to unlock victims' phones in about 20 minutes [6]. Alternatively, fingerprint files can simply be stolen, or just handled carelessly. In August 2019 researchers from vpnMentor revealed that they had accessed over a million fingerprint records left unprotected by the biometric access-control platform BioStar 2 [7]. And what happens to users once their biometric data has been released into the wild? Might such people find they have become second-class citizens, shunned by banks, airport security and others?
Our view is that the best solution combines a high-strength knowledge factor with the strength of one-time passcodes, without the encumbrance of having to carry additional hardware (phones included). Such a method could at last help the insurance industry know for sure that the ‘right’ people are accessing its systems, with the minimum of friction. Shayype [9] is a system offering these attributes. It is now ‘powered by’ Red Hat's open-source Keycloak IAM (Identity and Access Management) system, though thanks to a new SDK alternative IAM packages can also be used.