LexisNexis Risk Solutions

October 10, 2019

Account Takeovers Are on the Rise

For insurance carriers, account takeovers (ATOs) can mean long-term damage to their brand and growth. Unfortunately, the drive for frictionless interactions makes it easier than ever for hackers to steal identity credentials. Due to the increase in large data breaches, millions of U.S. consumers have become victims of identity theft. Some other troubling facts*:

  • A 2018 NuData Security report found that 40% of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value.
  • From 2016 to 2017, losses from ATOs rose 122%. In 2018, losses increased by 164%.
  • The cost of these attacks tripled from 2016 to 2017, reaching an estimated $5.1 billion in the United States alone.
  • According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020.
  • In 2018, ten new ATO attempts were launched every second, often using automated bot attacks (also known as credential stuffing).

Banks began deploying defenses against ATOs years ago, including identity and access management (IAM) solutions. These solutions verify customer identities and assess risk associated with each transaction in real time, no matter the identity credentials used.

As banks tightened their defenses, cybercriminals began going after softer targets such as life insurers, particularly as their clients tend to have a higher net worth. Victims can face major financial loss as well as the tedious task of changing usernames and passwords, adjusting beneficiaries and requesting proof of insurance cards.

Three Recommendations to Prevent ATO—Without Losing Customers

How can life insurance carriers keep up with technology and abate ATOs without losing customers? Here are three key recommendations:

Adopt a Multi-Layered Identity Access Management (IAM) Solution

As banks have done, savvy merchants are moving away from single-lock login credentials to a multi-layered defense solution that combines verification, authentication, authorization and risk detection. This enables businesses to instantly recognize legitimate customers and automatically detect and block fraudsters and bots. By combining risk-based authentication (RBA) with built-in strong customer authentication (SCA) capabilities, carriers can reserve friction for the transactions that may need further review. This also helps reduce the false declines that can frustrate returning customers.

Tap into Global, Shared Identity Intelligence

Many organizations are becoming part of cross-industry consortia, in order to gain access to shared, global and anonymized identity intelligence. For instance, the LexisNexis® ThreatMetrix® Consortium (“ThreatMetrix”) functionality enables near real-time sharing of data and intelligence, and more accurate risk assessments that better reflect current fraud activity. Customers within a specific industry and/or region can share negative and positive data attributes, and let ThreatMetrix help to facilitate the process. With cybercriminal networks working together, it’s important that businesses do the same to create the most effective risk decisioning processes.

Confirm Orders, Comfort Customers

In order to reassure customers, transactions and account changes can be verified before they’re finalized through multi-factor authentication (MFA). Examples of this are emails or texts that provide a real-time code that only the customer would receive. With MFA, an account takeover can be detected and there’s the added benefit of customers knowing they are protected, without extra friction.

Transaction confirmations are becoming the norm prior to transaction completion. In the EU, the revised Payment Services Directive (PSD2) mandates Strong Customer Authentication (SCA). While this may initially ruffle some feathers, customers value their privacy and expect businesses to take security seriously. The carriers that articulate the value of more stringent security practices can strengthen customer relationships and mitigate ATOs.

It won’t be easy to mitigate ATOs and satisfy increasingly demanding customers, but with the right IAM strategy in place, carriers can do it. That means happy customers who feel secure, and carriers who know they can grow both profit and trust.

*Source: Security Boulevard, The Costs and Risks of Account Takeover, June 20, 2019