A bunch of people with sinister intentions called Discovery Insure agents over the course of a few weeks recently and pretended to be 19 separate policyholders, asking for their schedules to be e-mailed to them. And those agents obliged.
Another 21 clients with other insurance companies also had policy schedules e-mailed to impersonators in the same targeted attack, according to Discovery Insure. The insurer claims there is no obvious link between the mix of clients who were targeted.
The infiltration may have remained under the radar were it not for the fact that one of the affected Discovery Insure clients was Simon Peile. He missed the insurer’s first e-mailed notification on May 17, but spotted the follow-up one of June 5. And that evening his wife — billionaire businesswoman Magda Wierzycka, co-founder and CEO of financial services company Sygnia — took to X to voice her outrage, in no uncertain terms.
“Let me point out the immense personal security risk Discovery has created,” she raged. “The fraudsters are not merely after the money in your bank account. They want valuables in your safe or ‘hidden’ spaces. To get to those they need you physically in the house.”
Apart from the unsettling knowledge that the impersonators know where their targets live, and where their valuable assets are at night, in the wrong hands the stolen information could be used to commit identity theft, submit fraudulent insurance claims and perpetrate financial scams. That’s according to Insurance Crime Bureau (ICB) CEO Garth de Klerk.
The ICB is now investigating the 40 insurance fraud cases. Asked to name the other insurance companies whose clients’ policy schedules were e-mailed to impersonators, De Klerk said it was not his place to do so.
Discovery says it picked up the impersonation incidents as part of its “proactive audit and forensic screenings”. As for how the impersonators were able to answer those security questions when prompted by call centre agents, Discovery pointed to “historical third party data breaches” including that of credit bureaus TransUnion and Experian, as well as “messaging platforms” and other “data scraping” techniques.
And despite most consumers assuming such “leaks” are “inside jobs”, cybercrime experts confirm that all credit-active South Africans’ personal information is available on the “dark web”, thanks to those breaches. But that raises the question: knowing that South African consumers’ personal information has been compromised by those leaks, why haven’t corporates increased their verification protocols to reduce their clients’ risk of impersonation?
Wierzycka posed this question to Discovery on X: “How weak are your verification processes that you are willing to send out an unencrypted file with sensitive financial information?”
In Discovery’s case, the impersonators only had to answer three security questions, such as how many vehicles were covered by their policy, their ID number and banking institution. The answers to all those questions can be sourced by those with criminal intent, thanks to those “historical” data leaks.
Plus, and here’s the truly alarming part, the impersonators succeeded in getting those call centre agents to e-mail the schedules to addresses other than those specified on the respective policy schedules. No questions asked.
Naturally, Discovery has now put several closing-the-stable-door-after-the-horse-has-bolted measures in place. Agents will now ask policyholders — or those claiming to be them — five security questions instead of three, and if they don’t answer correctly, they won’t be “assisted over the phone”. And: “We have immediately updated our systems so that an e-mail address cannot be edited via the call centre — this can only be done through the app or online through our logged-in section of our website.”
Also, from tomorrow no documentation will be sent via the call centre but will only be available via authenticated channels, such as web, app and broker portals. Asked whether Discovery made use of biometrics (such as voice recognition) to verify policyholders, given that this technology is now widely available, the company said: “[We do] not currently use biometric verification, but this is something we are investigating, along with other verification processes.
“We take our responsibility in respect of our client’s privacy very seriously and are continuously working to update our security measures to protect our clients and their data.”
Southern African Fraud Prevention Service CEO Manie van Schalkwyk said the asking of security questions — no matter how many — was now an outdated verification method, given the credit bureau breaches of citizens’ current and past financial information. Investec reportedly routinely runs a biometric voice recognition check to verify a caller’s identity. It’s time we consumers questioned all the companies that hold our critical personal and financial information about what they are doing to ensure they don’t hand it over to impersonators.
CONTACT WENDY: E-mail: consumer@knowler.co.za X (Twitter): @wendyknowler Facebook: wendyknowlerconsumer
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.