Life, Annuities and Retirement Services: New Targets for Account Takeover

Posted March 7, 2018

Life, Annuities and Retirement Services: New Targets for Account Takeover

Life, annuity and retirement services could soon get schooled in account takeover (ATO) attacks the same way banks did before them—if key lessons from today’s digital identity revolution go unheeded.

As it stands, 2018 is already shaping up to be pivotal. According to A.M. Best, these sectors face an uncertain macroeconomic and regulatory environment in the year ahead, with annuity sales at a 15-year low, despite an improving economy. Meanwhile, life insurance penetration remains at a record low of 30 percent.

As a result, industry analysts predict insurers will look to digital modernization initiatives to maximize margins on existing lines while extending their reach into lucrative new markets. Unfortunately, they’ll also have to contend with growing interest from cybercriminals who see an industry that’s ripe for plunder.

Competition in a ‘Channelless’ World

As life and annuity (L&A) carriers expand into new wealth management services, they’re quickly discovering that they must meet the needs of today’s digital consumers, who want everything on demand—and more personalized and mobile.

Forget early tech-forward incumbents and digital-first insuretechs. Today, the real threshold for meeting customer expectations is no longer just benchmarked against other insurers. It’s about competing against the ease, speed and convenience provided by brands such as Uber, Amazon and Google.

As research firm Aite Group puts it, this is no longer just about “omnichannel” operations that give consumers different options for logging in and managing their own accounts. It’s about what it calls “channelless” operations—the ability for consumers to start a funds transfer via mobile, for instance, and then have an account rep seamlessly continue the process should they run into an issue.

But delivering that level of service means insurers must make trust decisions about users and transactions at the blink of an eye. The problem is that these same drivers—and the technologies behind them—make it easier than ever for outlaws to use stolen identity credentials to login, transfer or withdraw funds completely undetected.

Account Takeovers Skyrocketing

Just look at the ATO attacks launched this tax season.

The IRS is reporting that thieves are stealing client email information from tax preparers and then targeting those clients with fraudulent IRS insurance forms asking for details about their life insurance and annuity accounts. With the information unsuspecting clients provide there, fraudsters then login and attempt to take out loans or make withdrawals.

According to Javelin Strategy & Research, 6.64 percent of U.S. consumers became victims of identity theft last year—nearly double the victims seen in 2016—thanks in part to the recent large data breach that exposed identity credentials on 143 million Americans. In all, an estimated 8 billion personal identity files were stolen from businesses in 2017, and there’s a new breach virtually every day.

In a recent test, researchers showed how identity credentials can be exploited by cyberthieves to launch thousands of attacks within just nine minutes of being set loose on the web. Small wonder that takeover attacks are up 210 percent over 2016, according to a recent report from ThreatMetrix.

Today, 10 new account takeover attempts are launched every second, often through the use of automated bot attacks. And it’s paying off. According to Javelin, account takeover attacks in the U.S. netted more than $5.1 billion in 2017—a 120-percent increase in just one year.

ATOs and the Millionaire Next Door

Burned by ATO attacks, banks long ago began deploying defenses against them, including digital identity solutions that verify identities and assess the risk associated with each transaction in real time, regardless of the identity credentials used.

As a result, cybercriminals have begun targeting “softer targets,” such as L&A insurers—especially those whose clients tend to hold far greater assets than the general populace.

In these attacks, victims can face significant financial loss, which can then take a long time to recoup via the insurer’s fraud team, if that’s even possible. For policyholders, there’s also the laborious tasks of changing usernames and passwords, adjusting beneficiaries and requesting proof of insurance cards.

And then there’s the long-term damage to the insurer’s brand and growth prospects.

Fueling Growth—and Security?

According to a recent study, businesses that gain the most “digital share” in virtually any industry can see revenue growth rates exceed that of their competitors by nearly 20 points in the course of just one year—even if their overall market share is lower.

To pull that off, L&A insurers will need to deliver the frictionless experiences and services today’s digital consumers have come to not only expect, but demand. Of course, given the threat posed by account takeover, they shouldn’t be too surprised if consumers feel balancing that speed and convenience with robust security is the best policy around.

To learn more about trends in account takeover and what digital identity solutions can mean to insurers, download our new eBook, “Insurance Industry Outlook: Top 5 Digital Identity Trends for 2018“.

Frank Teruel

Frank Teruel

SVP/GM, ThreatMetrix

close btn