Apps & Wearables are the Security Frontiers
Two information security heads from leading life insurance companies share the current state of mobile fraud and the initiatives their organisations have taken to combat it:
Users of mobile devices are increasingly subject to malicious activity, mainly the pushing of malware apps to smartphones, tablets, or other devices using a mobile OS. These handheld devices, carried in pockets, are used to store and protect sensitive information. Even though Google and Apple offer distribution environments that are closed and controlled, users are still exposed to different kinds of attacks.
TOP FRAUDS
Future Generali India Life Insurance observed that one way criminals can bypass the app market's source code checks is not by including anything malicious in the app itself, but rather by making an app that, in essence, is a browser window to a phishing site. The company also observed that a trojanized version of a legitimate app had been included in the factory firmware from a small mobile phone manufacturer and shipped to customers on brand new phones.
Pawan Chawla, CISO & DPO of the company, says: “We encountered a significant jump in the number of apps that, without notification to the user, included crypto-miner code in the app. Advertisement fraud is, surprisingly, one of the most profitable criminal enterprises nowadays, and mobile apps appear to be a key part of this subtle crime.”
IMPROVEMENTS IN MOBILE SECURITY
App security isn’t a feature or a benefit – it is a bare necessity. One breach could cost a company not just millions of dollars but a lifetime of trust. That is why security should be a priority from the moment the developer starts writing the first line of code. Pawan adds: “With one break-in, criminals could know our name, age, home address, account numbers, and even our current location precise to a few meters. Enterprise applications exchange exceedingly sensitive information that attackers are constantly on the prowl for.”
Canara HSBC Life Insurance is planning to launch its mobile application to facilitate customers and help them with more personalized services and a one-stop solution for all their queries.
Siddharth Kaushik, Chief Risk Officer of the company, shares: “Initiatives like these bring the company and customers closer, making the products and services accessible. However, at the same time, security considerations must also be factored in. With increased internet penetration coupled with smartphone growth, we have seen exponential growth in mobile applications and users. Considering our industry - life insurance - we have optimized our mobile web pages to facilitate the online sales process.”
Siddharth further added that, as a company, information security has always been one of the top priorities, and that the company ensures controls like source code review and application security testing are given much importance before any go-live, in addition to periodic reviews. Security of data, periodic patching, and bug fixing of applications along with underlying infrastructure components are regularly ensured. Lastly, resiliency posture must always be maintained to ensure uninterrupted access to such applications.
WEARABLES SECURITY
Wearable healthcare devices have gone far beyond merely counting steps and heartbeats. Juniper Research published a research paper in 2019 which projected that 5 million individuals will be remotely monitored by healthcare providers by 2023, with patients and healthcare professionals now relying on medical wearables for early diagnosis, medical adherence, remote patient monitoring, and even treatment of illnesses.
However, Future Generali Life Insurance has not undertaken any project on wearable devices. Pawan shares challenges related to the usage of wearable devices: “Manufacturers often ship wearable devices without a built-in security mechanism such as user authentication or PIN system protection features. Data collected by wearables are very valuable but some third-party apps neglect to include basic security standards and send or store information that is not encrypted.”
According to Pawan, wearable devices connect to smartphones wirelessly via protocols such as Bluetooth, NFC, and Wi-Fi. But the security of these wireless channels can be insufficient against determined hackers. Data synchronized to cloud storage are also vulnerable to several threats such as distributed denial of service (DDoS) attacks, SQL injection, or back door attacks. If left unchecked, these vulnerabilities can be a point of entry for attackers that can exploit legitimate enterprise credentials or hospital records, which would lead to the loss or ransom of sensitive data.
Siddharth added: “We have seen a spurt in the use of wearable devices and there are a plethora of OEMs herein serving customers across this segment. Maintaining utmost security practice towards the safeguarding of health data is of prime importance. In the life insurance sector, integration of wearables is at a very nascent and more of an exploratory stage.”
Canara HSBC Life Insurance runs periodic awareness campaigns across its social media handles and communication touchpoints. These cover a host of topics ranging from social engineering and endpoint security to general security practices, and cover relevant topics about not falling prey to spurious calls, thereby ensuring that the customer is protected against cybercrime and other forms of digital fraud.
MOBILE SECURITY INITIATIVES
Mobile initiatives are a top priority for every organization these days because they help improve operations and productivity. An increase in the use of mobile devices means an increase in