The use of mobile applications creates vulnerabilities for customers.
Consumers are increasingly turning to digital channels to manage daily tasks, purchase goods and be entertained. These trends also extend to insurance. Consumers increased their use of insurance and insurtech mobile apps by 26% in 2021 year-over-year, according to JD Power. And for those who used mobile apps for insurance, their customer satisfaction scores were significantly higher across all metrics than those who used traditional channels.
Risks related to mobile applications
But the movement towards using mobile apps for insurance means that a lot of very valuable information is concentrated there: medical information, account numbers, addresses, etc. This type of information is much more valuable on the black market than credit card numbers because credit cards can be voided. This type of personally identifiable information is largely permanent and criminals can use it for fraudulent purposes and other types of schemes.
It is therefore not surprising that cybercriminals are already targeting insurers and mobile applications.
Hackers gained access to State Farm accounts in 2019 through a credential stuffing attack. And in 2021, the New York Department of Financial Services fined multiple insurers millions of dollars for misconduct and non-compliance.
And beyond fines, if there is evidence that insurers have been negligent in protecting their applications, successful cyberattacks can result in class action lawsuits. It is therefore in the interest of everyone, from insurers and insurtechs to contract developers and consumers, that mobile insurance applications are secure.
Mobile apps can be attacked in an infinite number of ways. However, most attacks fall into six main types. If insurers and insurtechs protect against them, they will have made significant progress in securing their applications against the vast majority of attacks.
Theft of personal policyholder information from the app: Marital status, full names, driver’s license, date of birth, and sometimes even social security numbers are stored on insurance apps. You might even find detailed vehicle information like a plate number or VIN. All this data is gold for a cybercriminal who intends to defraud.
To protect this data, it must be encrypted within the application using AES 256 or a similar standard. And encryption doesn’t have to stop at data. It should also cover data used by application programming interfaces (APIs) to communicate with back-end systems and servers. If URLs, tokens, passwords and other secrets are not encrypted, cybercriminals can easily obtain them to gain access to an insurer’s core systems.
Attacks on location information: Insurance and insurtech apps track geolocation data for a variety of reasons, such as monitoring the driving behavior of policyholders to identify safe drivers to offer them discounts, or to turn coverage on and off based on the physical location.
By jailbreaking (iOS) or rooting (Android) a device, hackers can grant themselves greater privileges that allow them to control the operating system and access geolocation information. Apps need to be able to detect when the device they’re running on is rooted or jailbroken, and then shut down to prevent it from running in an insecure environment.
Overlays and keyloggers: Sophisticated malware can use a trick on users, where it presents a fake or transparent screen on an insurance app, tricking users into thinking they are entering data from a trusted source, when in fact they are working with it. the malware. This way, malware can steal data, take control of accounts, and perform all kinds of malicious acts. Keyloggers work the same way, although they run in the background, tracking every key entry a user makes in any app. Mobile apps need to detect these types of attacks so that they can stop working when in effect to protect the user.
Intercept transaction data: Many insurtech apps, like Lemonade and Metromile, allow their policyholders to pay for coverage as needed, adding more coverage as they go. This capability also exposes these applications to attacks against payment information. To protect payment data, all data, whether stored on the device or transmitted to a primary payment service, must be encrypted using a strong standard to comply with PCI (Payment Card Industry). If an insurer is found to be non-PCI compliant, steep fines and even the loss of the ability to accept credit cards as payment can result.
Abuse of dynamic and static analysis tools: Software developers rely on these essential tools for debugging and other important tasks during the software building process, but they can also be exploited by cybercriminals to map the internal logic of a mobile application. This information allows them to create sophisticated, highly targeted and extremely effective attacks on both the application and back-end services. They can also develop Trojans that trick the user into believing they are working with the real thing, while the malware surreptitiously compromises other applications, steals data, and performs other harmful activities.
Obfuscating binary code, as well as native and non-native libraries, will help prevent reverse engineering, and additional shielding with anti-debug, anti-tamper, and anti-reverse protections will further strengthen defenses.
Network attacks: Many mobile apps, including those from insurance and insurtech companies, communicate using HTTP and TLS 1.1., which are not secure protocols. They allow cybercriminals to perform man-in-the-middle (MitM) attacks on data as it is transmitted, allowing them to steal it and even modify it along the way. To protect against MitM attacks, developers should implement Transport Layer Security (TLS) 1.3, TLS version enforcement, secure certificate validation, and malicious proxy detection.
Insurers and insurtechs have a great opportunity for growth and improved customer satisfaction with mobile apps. But these apps need to be secure, because otherwise it’s only a matter of time before cybercriminals successfully attack them, harming policyholders, potentially compromising the insurer’s back-end systems and potentially even leading to negative reports. Protecting against these six threats will go a long way to keeping everyone safe and laying the foundation for digital growth.
Karen Hsu is Appdome’s Chief Marketing Officer. Contact her at [email protected].