According to a Technavio report published earlier this year, the InsurTech market size is expected to increase by USD 33.73 billion from 2020 to 2025, at a CAGR of 45.28%. Bain Research reports that digitally active millennials are open to switching to a provider that is not in the traditional insurance industry, including InsurTech companies. According to a survey of insurers, brokers, and agents, only 27% of users are creating policies via a website or mobile app. Other research states that users are looking for a better experience and more flexibility. Insurtechs such as Lemonade and Metromile have focused on the digital experience and offer flexible plans, making it easy to start small and add coverage as needed. As digital-first Insurtech mobile apps are increasingly adopted, they have become targets for hackers. In this blog, we’ll discuss the top 6 cyber attacks on insurtech apps and how to solve them.
Consequences of Cyber Attacks
Reports of data breaches show not only driver’s license numbers but full names, addresses, phone and Social Security numbers, email addresses, dates of birth, gender specifics, marital statuses and vehicle data of hundreds of thousands of people have been exposed. Class action lawsuits have been filed against insurance companies for not protecting personally identifiable information from unauthorized access and disclosure. These breaches and lawsuits are not only costly, but they also have a negative impact on the company brand.
Insurtech Cybersecurity Checklist – Top 6 Attacks and How to Solve Them
Based on our research and work with insurance companies, here are the top 6 cyber attacks on insurance apps and how to solve them.
Attack on the user’s personal data in the app
Insurance apps contain a lot of information about users, including driver’s license numbers, full names, addresses, phone and Social Security numbers, email addresses, dates of birth, gender specifics, marital statuses, children’s names if they are insured under the user’s policy, and vehicle data (year/make/model of car, license plate number, VIN). Identifying information about users and their families lives in the app. Once harvested, this confidential, personal data can be used for identity theft. While photos of your house, car or other property may be used to file claims, they could also be exploited by hackers or thieves.
To protect users’ privacy and confidential data, it’s recommended that insurance app makers use data encryption, such as AES-256, to secure and protect all API data (keys, secrets, URLs, tokens, payloads, etc.), as well as data in the app sandbox and preferences.
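The recommendation above, as an added example that is not part of the original post or of any Appdome product: a pair of Go functions that seal and open one preference value with AES-256-GCM. The preference name is bound as associated data, the nonce is fresh per write, and any tampering with the stored blob is rejected. The preference name "api_token" and the token value are constructed sample data; the key would in practice live in the platform keystore rather than next to the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256 as the post recommends.
const KeySize = 32

// NewPrefsKey generates a random 256-bit key. In a real app the key is created
// once and kept in the Android Keystore / iOS Keychain, never in the
// preferences file it protects (assumption: keystore handling is out of scope here).
func NewPrefsKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPref encrypts one preference value. The preference name is bound as
// associated data, so a ciphertext copied from one key to another (e.g.
// swapping "api_token" into "session_id") fails to decrypt.
func SealPref(key []byte, name string, value []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// A fresh random nonce per write is essential: GCM nonce reuse under one
	// key breaks confidentiality and integrity.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, value, []byte(name)), nil
}

// OpenPref reverses SealPref. Any modification to the blob, or a mismatched
// preference name, is rejected by the authentication tag.
func OpenPref(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, _ := NewPrefsKey()
	// Constructed sample value; a real app would store the token the API returned.
	blob, _ := SealPref(key, "api_token", []byte("constructed-sample-token"))
	fmt.Printf("stored %d bytes of ciphertext for api_token\n", len(blob))
	back, err := OpenPref(key, "api_token", blob)
	fmt.Println("decrypted:", string(back), err)
	// Flipping one bit of the stored blob is detected on read.
	blob[len(blob)-1] ^= 0x01
	_, err = OpenPref(key, "api_token", blob)
	fmt.Println("tampered blob:", err)
}
```

Binding the preference name as associated data is the detail worth copying: without it, an attacker with write access to the sandbox could still shuffle valid ciphertexts between keys even though they cannot read them.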
Jailbreak/Rooting Bypass Tools and Other OS Attacks
Revolut and other companies use geolocation to activate and deactivate your insurance based on where you are. Geolocation data is also used to monitor your driving habits. The insurance app on your phone tracks details like your GPS location and driving speed, which are all fed into a database every time you’re driving. Using this data, the insurance company may lower your premium or reward you for driving safely.
On a jailbroken or rooted device, an attacker has much more control over the underlying operating system, file system and any app running on the device, all of which allows them to access geolocation data stored on the SD card or in the sandbox. To prevent this type of attack, Insurtech app developers and security professionals should prevent the app from running on jailbroken or rooted devices, including blocking advanced rooting and root-hiding tools like Magisk and jailbreak bypass tools such as Liberty Lite.
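A minimal fail-closed root/jailbreak policy, added here as an example and not part of the original post or of any Appdome feature. The device checks are injected through a Probe struct so the policy can be exercised with constructed inputs; the indicator paths are the commonly published artefacts of su binaries, Magisk, Cydia and jailbreak shells. The `/opt/tools` directory used in the demonstration is a constructed value. As the paragraph notes, root-hiding tools exist precisely to defeat lists like this, so the check is one signal among several rather than a complete defence.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Probe abstracts the device checks so the policy can be tested offline.
// A real app wires these to the filesystem and system properties.
type Probe struct {
	FileExists func(path string) bool
	BuildTags  string // Android ro.build.tags; "test-keys" suggests a custom ROM
	PathEnv    string // $PATH, searched for a stray su binary
}

// Commonly published artefacts of root and jailbreak tooling.
var rootPaths = []string{
	"/system/bin/su", "/system/xbin/su", "/sbin/su",
	"/sbin/.magisk", "/data/adb/magisk",
}

var jailbreakPaths = []string{
	"/Applications/Cydia.app",
	"/Library/MobileSubstrate/MobileSubstrate.dylib",
	"/bin/bash", "/usr/sbin/sshd", "/private/var/lib/apt",
}

// Indicators returns every signal that fired, so the app can log the reason
// (to its own telemetry) before refusing to run.
func Indicators(p Probe) []string {
	var hits []string
	for _, list := range [][]string{rootPaths, jailbreakPaths} {
		for _, path := range list {
			if p.FileExists(path) {
				hits = append(hits, "path:"+path)
			}
		}
	}
	for _, dir := range strings.Split(p.PathEnv, ":") {
		if dir != "" && p.FileExists(dir+"/su") {
			hits = append(hits, "path-env:"+dir+"/su")
		}
	}
	if strings.Contains(p.BuildTags, "test-keys") {
		hits = append(hits, "build-tags:test-keys")
	}
	return hits
}

// AllowRun is the fail-closed policy: any indicator blocks the app.
func AllowRun(p Probe) bool { return len(Indicators(p)) == 0 }

// realProbe reads the live device; BuildTags is left empty here because the
// property read is platform specific (assumption: supplied by the host app).
func realProbe() Probe {
	return Probe{
		FileExists: func(path string) bool {
			_, err := os.Stat(path)
			return err == nil
		},
		PathEnv: os.Getenv("PATH"),
	}
}

func main() {
	fmt.Println("this host, indicators:", Indicators(realProbe()))
	// Constructed device with a Magisk directory and a su binary on $PATH.
	rooted := Probe{
		FileExists: func(path string) bool {
			return path == "/data/adb/magisk" || path == "/opt/tools/su"
		},
		PathEnv:   "/usr/bin:/opt/tools",
		BuildTags: "test-keys",
	}
	fmt.Println("constructed rooted device, allow:", AllowRun(rooted), Indicators(rooted))
}
```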
Overlay Attacks, Keyloggers, PII Harvesting, & Data Input Attacks
Applying for insurance or filing a claim through an app means entering personal details about yourself. Even linking a credit card for payment requires entering confidential data. All these activities are forms of data entry and should be protected. Malware and fraudsters can use transparent or malicious overlays, placed on top of the insurance app, to capture user or transaction data. The objective of overlays is to secretly gather the targeted data or to trick users into engaging with the fake (malicious) element so that it harvests the target data. In addition to overlay attacks, malware keyloggers can be used to gather usernames, passwords, credit card information and more at the point of data entry. Learn more about how to use Appdome to stop overlay attacks and prevent keyloggers from attacking insurance apps.
Attack on the Mobile App Transactions
Insurtech apps like Lemonade and Metromile make it easy for users to pay as they go and add coverage as needed. Payment is usually made through a credit card. Apps that accept, process, store, or transmit credit card data must meet PCI compliance. The PCI Security Standard is an industry standard that was created to protect businesses from becoming targets of cybercriminals. The standard provides an approach for protecting PIN entry on devices. Using Appdome, PCI compliance can be achieved without coding or SDKs.
Analyzing Source Code & Mobile App Behavior via Static & Dynamic Reversing
Insurance app makers are expected to pass pentests or security audits regularly, according to internal software development lifecycle (SDLC) rules, before going into production. Pentesters use dynamic and static analysis to identify security issues such as parameter tampering. To prevent reverse engineering, it’s recommended that insurance app developers and security professionals obfuscate the binary code and the native and non-native libraries, to protect the API’s flow control and logic, and to protect strings, resource files, app preferences and other places that store sensitive information from static code analysis. It’s also important to protect against dynamic attacks by implementing anti-tampering, anti-debugging and anti-reversing protections.
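One of the anti-debugging checks the paragraph calls for, shown as an added example rather than code from the original post or from Appdome: on Linux and Android, `/proc/self/status` carries a `TracerPid` line that is non-zero whenever another process is attached with ptrace, which is how debuggers and dynamic instrumentation attach. The parser takes the file text as a string so it can be exercised on constructed samples; the two sample status excerpts in `main` are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// TracerPID parses the text of /proc/self/status and returns the PID of the
// process attached via ptrace, or 0 when nothing is attached. It errors if
// the line is missing, so a caller can treat an unreadable status as suspicious
// rather than silently assuming "not traced".
func TracerPID(status string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "TracerPid:") {
			continue
		}
		return strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "TracerPid:")))
	}
	return 0, fmt.Errorf("TracerPid line not found in status text")
}

// IsBeingTraced reads the live status file. A production app repeats this
// check periodically (and from more than one code path), because a debugger
// can attach after start-up and a single check is easy to patch out.
func IsBeingTraced() (bool, error) {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false, err
	}
	pid, err := TracerPID(string(b))
	if err != nil {
		return false, err
	}
	return pid != 0, nil
}

func main() {
	// Constructed excerpts of a status file: one untraced, one with a tracer.
	const untraced = "Name:\tinsurer-app\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\n"
	const traced = "Name:\tinsurer-app\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10123\n"
	for _, s := range []string{untraced, traced} {
		pid, err := TracerPID(s)
		fmt.Printf("tracer pid %d (err=%v)\n", pid, err)
	}
	live, err := IsBeingTraced()
	fmt.Println("this process traced:", live, "err:", err)
}
```

Anti-debugging of this kind is a speed bump, not a wall: a debugger that patches the check or a kernel module that lies about the field will pass. That is why the post recommends it alongside obfuscation and anti-tampering rather than on its own.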
Network-Based Attacks on Insecure Communication
Research has shown that Insurtech and insurance app providers have used the HTTP protocol to send and receive data. Using insecure communication protocols (like HTTP and TLS 1.1) leaves the insurance app user’s data in transit in the clear and vulnerable to man-in-the-middle attacks. Man-in-the-middle prevention protects Android and iOS applications from MiTM and other network-based attacks. Use Appdome to protect Android and iOS app connections with TLS, SSL certificate validation, CA verification, malicious proxy detection, TLS version enforcement and secure certificate pinning.
Insurtechs have an enormous opportunity to transform the insurance market. Much of that relies on improving the user experience and making it easier to create policies, file claims and extend coverage. All those activities are prone to attack, and it’s important Insurtechs protect against those threats.
I’d love to help with your security project and help your insurance app overcome the challenges you are facing. Let me show you how you can protect against threats to your mobile app. Please reach out to us for a demo!