6 common attacks on insurtech and mobile insurance apps

Unprotected applications can leave policyholder and insurer information vulnerable to hackers.


Consumers are increasingly moving toward digital channels to handle daily tasks, shop for goods and enjoy entertainment. These trends also extend to insurance. Consumers increased their use of insurance and insurtech mobile apps by 26% in 2021 year over year, according to J.D. Power. And for those who used mobile apps for insurance, their customer satisfaction scores were significantly higher across all measures than those who used traditional channels.

Mobile app risks

But the movement towards using mobile apps for insurance means that a lot of very valuable information ends up concentrated in them: medical information, account numbers, addresses and more. This kind of information is far more valuable on the black market than credit card numbers, because credit cards can be canceled. This kind of personally identifiable information is largely permanent, and criminals can use it for fraud and other kinds of schemes.

So, it should be no surprise that cybercriminals are already targeting insurers and mobile apps.

Hackers were able to access State Farm accounts in 2019 through a credential stuffing attack. And in 2021, the New York Department of Financial Services fined multiple insurers millions of dollars for breaches and noncompliance.

And beyond fines, if there’s evidence that insurers were negligent in protecting their apps, successful cyberattacks can result in class-action lawsuits. So, it is definitely in everyone’s interest, from insurers and insurtechs, to contract developers and consumers, that insurance mobile apps are secure.

Mobile apps can be attacked in an infinite number of ways. However, most attacks fall into six major types. If insurers and insurtechs protect against them, they will have made significant progress towards securing their apps against the vast majority of attacks.

Stealing personal policyholder information from the app: Marital status, full names, driver’s license, date of birth and, sometimes, even social security numbers are stored on insurance apps. You might even find detailed vehicle information like a plate number or VIN. All of this data is gold to a cybercriminal intent on fraud.

To protect this data, it must be encrypted in the app using AES-256 or a similarly strong standard. And encryption shouldn’t stop at stored data. It should also cover the data used by the application programming interfaces (APIs) to talk to back-end systems and servers. If URLs, tokens, passwords and other secrets aren’t encrypted, cybercriminals can easily obtain them to gain access to an insurer’s core systems.

Attacks on location information: Insurance and insurtech apps track geolocation data for a variety of reasons, such as monitoring policyholders’ driving behavior to identify safe drivers to provide them discounts, or to activate and deactivate coverage based on physical location.

By jailbreaking (iOS) or rooting (Android) a device, hackers can grant themselves more expansive privileges that enable them to control the OS and access geolocation information. Apps should be able to detect when the device on which they are running is rooted or jailbroken and then shut down to prevent it from operating in an insecure environment.

Overlays and keyloggers: Sophisticated malware can trick users by presenting a fake or transparent screen over an insurance app, so that users think they’re entering data into a trusted source when in fact they’re typing into the malware. In this way, malware can steal data, take over accounts and execute all kinds of malevolent acts. Keyloggers work in a similar fashion, though they run in the background, tracking every key entry that a user makes in any app. Mobile apps must detect these kinds of attacks so they can stop operating while the attacks are in effect, to protect the user.

Intercepting data from transactions: Many insurtech apps, like Lemonade and Metromile, allow their policyholders to pay for coverage as they require it, adding more coverage as they go. This capability also opens up these apps to attacks on payment information. To protect payment data, all data — whether it is stored on the device or being transmitted to a back-end payment service — must be encrypted using a strong standard to comply with the Payment Card Industry (PCI) Standard. If an insurer is found to be noncompliant with PCI, stiff fines and even the loss of the ability to accept credit cards as payment can result.

Abuse of dynamic and static analysis tools: Software developers rely on these critical tools for debugging and other important tasks during the process of software creation, but they can also be abused by cybercriminals to map out a mobile app’s internal logic. This insight enables them to create sophisticated, highly targeted and extremely effective attacks on both the app and back-end services. They can also develop trojans that trick the user into thinking they’re working with the real thing, while the malware surreptitiously compromises other apps, steals data and carries out other harmful activities.

Obfuscating the binary code, as well as native and non-native libraries, will help prevent reverse engineering, and additional shielding with anti-debugging, anti-tampering and anti-reversing protections will further strengthen defenses.

Network attacks: Many mobile apps, including those from insurance and insurtech companies, communicate using plain HTTP or TLS 1.1, neither of which is secure. They enable cybercriminals to perpetrate “man-in-the-middle” (MitM) attacks on data as it’s being transmitted, which allows them to steal it and even change it mid-stream. To protect against MitM attacks, developers should implement TLS (transport layer security) 1.3, TLS version enforcement, secure certificate validation and malicious proxy detection.
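The three client-side controls named above (TLS 1.3 enforcement, proper certificate validation and detection of an interception proxy), as an added example that is not code from the article or from Appdome. It is written in Go against the standard `crypto/tls` package so it runs stand-alone: the client config refuses anything below TLS 1.3, keeps the normal chain and hostname validation, and adds a public-key pin in `VerifyConnection` (a real `crypto/tls` hook) so that a proxy presenting its own certificate is rejected even if the device has been made to trust the proxy's CA. The hostname `api.example-insurer.invalid`, the self-signed loopback certificate and the pin values are all constructed for the demonstration; a production client pins the insurer's real key and a mobile app enforces the same three properties in its own TLS stack.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoHost is a constructed hostname used by the loopback certificate and client.
const demoHost = "api.example-insurer.invalid"

// spkiPin hashes the certificate's SubjectPublicKeyInfo; pinning the key rather
// than the whole certificate survives routine certificate renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// newClientConfig is the client policy from the article: TLS 1.3 only, normal
// chain and hostname validation left on, plus a pin check that rejects an
// interception proxy even when its CA is trusted by the device.
func newClientConfig(roots *x509.CertPool, pins map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		RootCAs:    roots,
		ServerName: demoHost,
		// VerifyConnection runs after crypto/tls has already verified the chain
		// against roots and checked the hostname, so this is an extra gate.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no peer certificate presented")
			}
			if !pins[spkiPin(cs.PeerCertificates[0])] {
				return errors.New("leaf key is not in the pin set: possible interception proxy")
			}
			return nil
		},
	}
}

// selfSignedCert makes a throwaway ECDSA certificate for demoHost so the whole
// demonstration runs on loopback; production code pins the insurer's real key.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoHost},
		DNSNames:              []string{demoHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// handshake runs one loopback TLS handshake and returns the client-side error.
func handshake(serverCert tls.Certificate, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // server side; rejections surface on the client
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // Dial completes the handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// checkPin connects with a pin for the server's real key (match=true) or for an
// unrelated key (match=false), the latter standing in for a proxy's certificate.
func checkPin(match bool) error {
	srv, leaf, err := selfSignedCert()
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	pinned := leaf
	if !match {
		if _, pinned, err = selfSignedCert(); err != nil {
			return err
		}
	}
	return handshake(srv, newClientConfig(roots, map[string]bool{spkiPin(pinned): true}))
}

func main() {
	fmt.Println("pin matches server key:", checkPin(true))  // <nil>
	fmt.Println("pin for a foreign key: ", checkPin(false)) // an error
}
```

The second scenario is the one that matters for proxy detection: the foreign certificate chains to a trusted root (the test pool), so ordinary validation alone would accept it, and only the pin check turns the interception into a failed handshake the app can log and act on.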

Insurers and insurtechs have a big opportunity for growth and to improve customer satisfaction with mobile apps. But these apps must be secure, because otherwise, it’s just a matter of time before cybercriminals successfully attack them, harming policyholders, potentially compromising the insurer’s back-end systems and maybe even resulting in negative news stories. Securing against these six threats will go a long way towards ensuring the safety of everyone and establishing a foundation for digital growth.

Karen Hsu is the CMO at Appdome. Contact her at karen@appdome.com.
