It would be easy to begin with a couple of scare stories about companies losing thousands of customer records to hackers, phishers stealing millions of dollars, and fraudsters making lives miserable for IT security professionals. There are plenty of anecdotes out there.

But let's face it. You already know how important security is. No IT exec wants to be explaining to the board of directors what happened after a company makes the evening news.

"It would be a bad day if I woke up to find Westfield had a data breach," says John V. Doan, information security architect and engineer at the Westfield Group.

The most thorough way to secure customer information is to shut down access altogether. But in today's world, where consumers demand more online capabilities from all the financial services firms they do business with, that strategy is a bit impractical. The challenge for insurers is to strike the optimal balance of customer security and customer convenience in the e-business channel.

"Companies clearly still are struggling with how secure is 'secure.' What's enough security, and how much presents too much of an impact on customers?" says Mark Steinhoff, principal in Deloitte's security and privacy services practice.

"At the end of the day, there's no security without some inconvenience," says Tom Wills, senior analyst in security, fraud, and compliance at Javelin Strategy and Research. "The art is paying close attention to the user interface [of the online application] and having the right amount of pain to the degree you need to secure information."

PHISHING AND OTHER MALFEASANCE

Fraudsters, naturally, always have looked for ways to target the weakest link in the security chain–people. According to a survey released by Deloitte in February 2009, titled "Protecting What Matters," 86 percent of respondents reported human error is the leading cause of information security failure.

In the B2C arena, the weakest human link is the consumer, which is why scammers have employed phishing and other social engineering cons to get customers to give up their information willingly. In the Deloitte study, phishing–and its DNS-hacking counterpart, pharming–caused respondents the highest levels of concern and ranked as the leading category of external breach.

Estimates of how much is lost each year as a result of phishing vary widely. Gartner reported U.S. phishing losses had grown to a $3.7 billion annual problem by the end of 2007. Microsoft countered with its own report, released at the end of 2008, which put the figure at just $61 million. What analysts do agree on is phishing has become increasingly sophisticated and easier to do.

"The problem today is fraud has been commoditized," reports Wills. "You can buy a kit to put up a phishing site or deploy Trojans with no coding skills whatsoever."

Because fraud involves people, Wills advises the best defense starts with education. "You should put the appropriate security technology in, but there's also the 80/20 rule around security. Eighty percent of the results come from involving the people who have a stake in information security in the security practice itself. Those people are your employees and your customers," he says.

"We've come a long way," according to Tom Meenan, vice president of IT risk and business recovery at MetLife. "We constantly educate our associates and customers on e-mails and attachments and what you open and don't open. Across the board, the awareness around threats and what they mean really has improved."

The good news is Web browsers, e-mail clients, Internet security software, and other client-side technologies have become better at alerting users to potential phishing expeditions. Users also have become more wary.

"We've had instances where our customers, being diligent, have contacted us after MetLife sent out e-mails to them to make sure the e-mail is valid," Meenan says.

The other bright spot for insurers is, compared with their counterparts in the financial services sector, most carriers have faced significantly fewer generic phishing attacks.

"The reward from [phishing] a financial institution is faster and greater for phishers than it is from [targeting] insurers," says Jerald Murphy, senior vice president and research director at the Robert Frances Group.

That is, insurers are a one-off for phishers. "The focus is where the money is," Meenan says. "Fortunately for us [MetLife's insurance operations], it's tougher to get into the ultimate cash through insurance than it is through a bank."

Paul Kocher, president and chief scientist at Cryptography Research, maintains insurers should be concerned with "spear phishing" attacks. Spear phishing involves sending targeted e-mails to specific customers of a single company in the hopes of snaring a gullible victim before the attack can be detected, rather than blasting millions of e-mail messages that may not even reach actual customers of an institution.

"Insurers are uniquely at risk for spear-phishing attacks," Kocher says. "In particular, the insurance business revolves around making a small number of large payments, making it worth more adversary effort than targets with lower yield per successful attack. For example, adversaries mounting these attacks may make telephone calls with a spoofed caller ID or send personalized fraudulent paper letters to targets."

There are defense strategies carriers can employ, Kocher suggests. "Before making large payments, risk management steps–such as telephoning the recipient for confirmation and, when addresses have been changed recently, sending a non-forwardable letter to the old address–can catch some attacks," he explains.

Even though they do not currently face banks' level of risk from generic phishing, insurers still are deploying phishing detection, prevention, and mitigation strategies. Doan, who had a hand in IT security for a Fortune 500 bank before coming to Westfield, relates the carrier currently keeps tabs on bogus sites as part of its brand management process.

"We have controls and a monitoring system in place to determine whether there are sites popping up that might be phishing sites and pose a risk for Westfield Group," he notes.

Dealing with phishing remains more about old-fashioned sleuthing than software. "There are a few things we do quietly," says Phil Swift, CIO of Esurance, declining to go into detail about any specific technology approaches the company uses. "We rely on people, who are on our payroll but located off site, to monitor the Internet for what's going on, participate in chat rooms, and basically do detective work to see whether our name is being discussed out there."

Esurance well understands the risk of a phishing event or other attack that would compromise customer information or relationships. As a company that makes its living online, any breach of customer trust would have devastating consequences.

"Everything we do is online. Customers can get a quote, purchase a policy, and set up credit-card billing. They can file a claim and look at policy and claim information online. Therefore, security is the bedrock of our company. It's part of our DNA," asserts Swift.

For the past two years, MetLife has been using a phishing monitoring and detection service, which it declined to name. In addition to looking for look-alike Web sites derived from MetLife's domains, the service uses honeypots (computer traps set to attract attackers) and monitors chat rooms and newsgroup feeds for chatter related to MetLife.

MetLife has had the opportunity to test the service, although, fortunately, not due to an actual phishing attack. "Our e-commerce department recently registered a number of sites similar to what MetLife already had" to prevent a phisher from using those domains, Meenan explains. "In each case, the service caught it and notified us."

BORROWING FROM BANKING

Unfortunately, Murphy says, insurers will have to contend with increasing incidents of phishing and other attacks. "The number of attacks continues to increase for everyone. It's only a matter of time," he predicts.

Insurers can learn from the work their counterparts in banking have done. "When the phishing attacks really started in the marketplace, we brought in the banking team to assess the risk. Even though MetLife's banking operation isn't the size of a Citibank, we believed we shouldn't make the assumption attackers wouldn't go after us," says Meenan.

"Also, I felt once banks protected themselves, attackers would go after insurers and target the next level of customer information. They'd go from bank account numbers, credit-card numbers, and Social Security numbers down to other information that could be used to identify and compromise a customer," he adds.

Companies know, as well, the damage a fraudster could cause is severe. "The top security concern in any company is breach of privacy information," says Doan. "Any company that has an outward-facing, Internet-accessible portal needs to be concerned with breach of financial information and breach of private information, not just because of the number of disclosure laws we contend with but because of the damage it would cause to a company's reputation."

Although insurers have had to comply for some time with various privacy regulations, how they authenticate customers in the online transaction to ensure privacy largely has been left to them. Banking, however, has been mandated to provide stronger authentication, generally interpreted as multifactor authentication.

"Commercial banking is 18 months in front of the insurance business in terms of multifactor authentication," says Murphy.

Multifactor authentication solutions aim to supplement the "what you know" factor (i.e., user name and password) with a "what you have" component. Hardware tokens and biometric devices are examples, but these generally are unworkable solutions in a B2C environment.

"There are logistics around managing a token, and it's likely to fall flat with consumers. With the risk level of information one would find on a consumer insurance Web site, you wouldn't want to deploy any of those really strong [hardware] solutions," says Wills.

Device registration, PC "fingerprinting," and computer forensics are less intrusive ways authentication platforms try to confirm what you "have." MetLife uses device registration on the banking side. "If customers come in from a machine that's not known based on their past log-ins, they'll be asked a number of security questions to confirm their identity," Meenan says.

In addition to device registration, heuristic technologies can compare the type of activity a consumer is doing with past activity and identify when fraud is likely occurring. Anyone who has gotten an alert from a credit-card company after making a purchase outside the realm of normal activity has dealt with this.
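The device-registration check Meenan describes and the behavioral heuristics in the paragraph above fit naturally into one risk-scoring step. The following is an added example, not code from the article or from MetLife or Esurance; the keyed fingerprint scheme, the risk weights, the thresholds and the sample profile data are all constructed assumptions for illustration.

```python
"""Risk-based step-up login: unknown device or out-of-pattern activity
raises the score; a high enough score triggers security questions
(step_up) or a fraud review instead of a plain allow."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed example key; a real deployment would load it from a KMS/HSM.
SERVER_SECRET = b"constructed-example-secret"


def device_fingerprint(attrs: dict) -> str:
    """Keyed hash of stable client attributes (browser, OS, screen, ...).
    The server-side key means a recorded fingerprint cannot be reproduced
    by anyone who learns only the raw attributes."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_SECRET, canon.encode(), hashlib.sha256).hexdigest()


@dataclass
class Profile:
    """What the service already knows about a customer's past log-ins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    active_hours: tuple = (6, 23)  # inclusive local-hour window


def assess_login(profile: Profile, attrs: dict, country: str, hour: int):
    """Return (risk_score, action); action is 'allow', 'step_up' or 'review'.
    Weights and thresholds are constructed for the example."""
    score = 0
    if device_fingerprint(attrs) not in profile.known_devices:
        score += 50  # the "machine not known from past log-ins" case
    if country not in profile.usual_countries:
        score += 30  # geography outside the customer's normal pattern
    lo, hi = profile.active_hours
    if not lo <= hour <= hi:
        score += 20  # activity at an unusual time of day
    if score >= 80:
        return score, "review"    # likely fraud: hold for analyst review
    if score >= 50:
        return score, "step_up"   # ask the security questions
    return score, "allow"


def register_device(profile: Profile, attrs: dict) -> None:
    """Call only after the customer passes the step-up questions, so the
    device is trusted on later log-ins."""
    profile.known_devices.add(device_fingerprint(attrs))
```

A score of 50 from a new machine alone reproduces the behavior described for MetLife's banking site; combining it with the country and time-of-day signals is what lets the same check also flag likely fraud rather than merely prompting for questions.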

Esurance, for instance, uses software from Tealeaf to monitor the Web activity of customers to use in its CRM efforts. "Sometimes, customers simply are going to make mistakes, and we want to help them correct those and to provide a positive online experience," Swift says.

Additionally, the company has found ways to use software to compare current session activity with patterns of past user behavior. This monitoring can help Esurance detect first-person fraud as well as third-party identity theft attempts.

AUTHENTICATION AND ANTI-PHISHING

Consumers have been on the front lines of the battle against phishing. Unfortunately, even the most careful user can fall for a cleverly crafted phishing effort, forget to check for the browser security lock, or mistype or misinterpret a URL.

Two-way authentication, or mutual authentication, has arisen as another defense against identity theft. Traditional authentication is about knowing who the user is, whereas two-way authentication also provides users the same level of assurance they're dealing with a genuine and trusted site. The goal is to find a method of site authentication for consumers that, while not foolproof, is both easy to use and hard to overlook.

The current crop of tools tends to be based on custom images and phrases selected by the consumer that, in theory, a phishing site would not be able to reproduce. First-time site users enroll by choosing or providing an image and creating a unique label for it. Each time they log on, and before they provide their password, users see the image, which assures them they are on a legitimate site–as long as they remember they are supposed to look for it.

Image-based, two-way authentication has become widespread in banking over the past year. MetLife uses it on its banking site.

"What we've done within the bank site is strike a really good balance between protecting the customer, protecting MetLife, and providing online capabilities," Meenan says. "If customers notice the site doesn't look right because it's missing their image, they can investigate whether they got misdirected or phished."

It may be a step in the right direction, but it's also another step for consumers to go through when they want to access their accounts, which again raises the convenience question. "The new generation [of site authentication], such as RSA's PassMark, Passfaces, or even using passphrases vs. simple passwords, may be too onerous for consumers in most online settings. They'll put up with it if they're dealing with their bank because they want to get to their money, but they won't put up with it from other companies," Wills claims.

MetLife believes the authentication measures already in place on the insurance site are adequate to protect the level of customer information that is available. However, the company continues to evaluate adding controls to that site, including those used on the banking side, as online functionality and the amount of information available to consumers both increase.

"I would expect to see some of that technology be deployed," indicates Meenan. "The fear is if we do deploy additional authentication right now, customers will find someone else to do business with."

For insurers, the question is not whether they will be faced with the need–or a mandate–for multifactor and/or mutual authentication, but how long they will be able to do online business without it. "Even though the banking regulators now have required these types of stronger controls, insurers may recognize the value of those [authentication] solutions, and consumers want the protection, the adoption of new technology still is not widely accepted" in the insurance industry, Steinhoff says.

SECURING THE FUTURE

In the near term, carriers' new security investments generally will be in providing security around the data itself related to the online channel. That includes securing transactions with trusted third parties, providing encryption around data at rest and in transit, and monitoring against the "insider threat."

"Where I have seen insurers invest money is in data protection itself," Murphy says. "Since the ultimate objective is to protect customer information, let's put in protection mechanisms in the infrastructure so I can see people trying to access the data. Rather than focusing on asking where users are coming from, let's see who is retrieving protected data. Let's look at behaviors of system administrators, database administrators, and people accessing accounts."

"The key thing we need to do is make sure criminals don't penetrate our network. Our data is behind multiple layers, everything is encrypted, and no one person has access to put the whole thing together," Swift says.

"We use Cisco tools to watch the site 24/7. We have monitoring tools looking for changing patterns in user behavior. We also have tools looking at our database for access patterns and reports that are run so we can take action," adds Swift.

Beyond these measures, insurers have become more careful about the type of information they obtain and store. "One way companies have addressed [customer information] security is through limiting the amount of information they collect," says Doan. "In the past, the goal was to collect and display as much of the information as you can. Now, companies are looking back through their systems and determining where it is really necessary to collect and retain information and what the most sensitive information is they need to protect."

Protecting customer information and providing customer security in the online channel is a continually evolving challenge for insurers. "You can set up your defenses, but you're really defending against known threats. The biggest challenge is finding out what's happening ahead of you and to get in front of it. That's my biggest worry," Swift says.

One of the most positive developments for IT security professionals is, while their jobs haven't gotten any easier, business' understanding of the ramifications of a security breach has made it easier to get budget dollars.

"The good thing about my job is MetLife 'gets it,'" Meenan says. "It understands how important online security is and that protecting customer data is key because it affects our reputation and our brand. That really helps me in my role and makes my job easier."

"Security has been baked into our operations from day one," says Swift. "There are studies out there where, if I needed to, I could compare the cost [of security technology] with potential impact [of a breach] to the company, but I've never had anyone question anything we have done on security. It's something we take very seriously."

"There is no magic bullet," Kocher concludes. "The problem of phishing ultimately comes down to a trade-off between costs and risk–which, fortunately, insurers understand better than most other targets."

© Arc, All Rights Reserved.