Pension savers are in danger of being hit by cyber scammers. Maggie Williams looks at five ways schemes can minimise the risk
Online security breaches have never been bigger news. Internet service company Yahoo! revealed on 15 December that 1bn of its user accounts had been compromised by a data breach – back in 2013. Just a month earlier, six million customers of Three Mobile were put at risk after its upgrade system was hacked. Last year, telecoms provider TalkTalk admitted that 150,000 customers had had their data exposed to unscrupulous eyes. And as for whether Russian hackers helped Donald Trump on his ascent to the White House…
These attacks should raise concerns for pension schemes, too. Not only could data stolen from one source (such as Yahoo!) be used fraudulently to access other systems (such as pensions sites) but as scheme members take more responsibility for managing their own retirement savings online, hackers will see pensions data as rich pickings in their own right.
Protecting members, their data and their savings from cyber attacks should be on every trustee’s to-do list. If companies of the size of Three Mobile and Yahoo! are affected, don’t automatically assume that your administrator has everything in hand. Here are five pointers to consider:
1. Be aware of third-party fraud. Third-party fraud, such as identity theft, is becoming increasingly common. Fraudsters often target older age groups, with 21% of all third-party fraud affecting the over-55s, typically because that age group is more affluent and is therefore more attractive to fraudsters. With the introduction of freedom and choice, being vigilant and helping your members to be vigilant is more important than ever.
2. Stay one step ahead of hackers and unauthorised access. Ensuring that system security is as robust as possible is an obvious prerequisite for any pensions platform, but hacking is not the only risk. Unauthorised use of member details is an equally big issue.
This could be as a result of a member giving their details to a fraudster, either through coercion or being enticed by a ‘too good to be true’ offer. Or, a member could inadvertently give their details away through malware (malicious software that could be used to gather personal information without the user’s knowledge), ransomware (software which issues a threat unless the user hands login details over) or phishing emails. “These breaches are hard to mitigate, and it’s expensive to do so,” says Nick Mothershaw of Experian, speaking at the PLSA’s recent Trustee Conference.
Ways of combatting data breaches could include issuing members with a card reader that generates a code which a member then uses to confirm a transaction, or by sending a text with a code in it to a mobile phone. Both are widely used by banks, but are costly to administer.
It’s not just member logins that are at risk – employee logins are equally attractive to fraudsters, so check with your administrator to ensure their policies are robust.
3. Watch out for stolen data. The recent Yahoo! story shows that there can be a considerable time lag between a data breach and it becoming public knowledge. In addition, fraudsters rarely use stolen data straight away. Mothershaw says that the typical delay between a theft and attempts to use the stolen details to access other systems is around 13 months.
Making sure that your admin systems can clearly identify unusual patterns – such as multiple logins from ‘different’ people coming from a single machine or IP address – and that you have processes in place to deal with them swiftly is essential.
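The pattern described above, several distinct member accounts signing in from one source address within a short window, can be checked with a simple sliding-window scan over login records. The example below is added here and is not from the article or any administrator's system; the log format and the sample records are constructed, and the window and threshold are assumptions to tune for your own scheme.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: "<ISO timestamp> <member id> <source ip> <result>".
# These are illustrative values only, not real member data.
SAMPLE_LOGINS = [
    "2016-12-15T09:01:10 M10234 203.0.113.7 OK",
    "2016-12-15T09:06:42 M20981 203.0.113.7 OK",
    "2016-12-15T09:15:03 M99999 203.0.113.7 FAIL",   # failed attempt, not counted
    "2016-12-15T09:20:55 M33120 203.0.113.7 OK",     # third distinct member in 20 min
    "2016-12-15T10:00:00 M10234 198.51.100.4 OK",
    "2016-12-15T10:05:00 M10234 198.51.100.4 OK",    # same member twice: one identity
    "2016-12-15T10:30:00 M40000 198.51.100.4 OK",
    "2016-12-15T08:00:00 M50001 192.0.2.9 OK",
    "2016-12-15T09:30:00 M50002 192.0.2.9 OK",       # three members, but spread out
    "2016-12-15T11:00:00 M50003 192.0.2.9 OK",       # beyond a one-hour window
]


def parse_login(line):
    """Split one constructed record into (timestamp, member_id, source_ip, result)."""
    ts, member, ip, result = line.split()
    return datetime.fromisoformat(ts), member, ip, result


def flag_shared_source(lines, window=timedelta(hours=1), threshold=3):
    """Return {source_ip: sorted member ids} for every address that successfully
    logged in as at least `threshold` distinct members within any `window`."""
    events = sorted(parse_login(line) for line in lines)
    successful = defaultdict(list)          # ip -> [(timestamp, member_id), ...]
    for ts, member, ip, result in events:
        if result == "OK":
            successful[ip].append((ts, member))

    flagged = {}
    for ip, hits in successful.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            members = {m for _, m in hits[start:end + 1]}
            if len(members) >= threshold:
                flagged[ip] = sorted(members)   # keep the widest set seen for this ip
    return flagged


if __name__ == "__main__":
    for ip, members in flag_shared_source(SAMPLE_LOGINS).items():
        print(f"review: {ip} used by {len(members)} members: {', '.join(members)}")
```

Hits should go to a review queue rather than trigger automatic lockouts, since a shared office gateway or a household router can legitimately present several members from one address.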
4. Make sure your member data is in good health. Keeping the Pensions Regulator happy isn’t the only reason to ensure your data is in decent order. The better your data, the greater the chance of being able to spot fraudulent activity and avoid problems in the first place. It’s also important that your administrator is using effective processes, such as checking against credit bureau records, when a ‘member’ calls to change their home address.
5. Keep on top of new ideas. Mothershaw predicts a “renaissance for biometrics” (the science of identifying someone using unique physical characteristics) in the next few years. That doesn’t just extend to fingerprints or voice recognition, but also to other, more innovative biometrics such as heartbeat patterns.
Logging into a site using biometrics can have the additional benefit of making access more straightforward. That in turn can bring down abandonment rates, as members no longer have to hunt for that obscure piece of paper with a password on it, or remember the name of their mother’s first pet, when they want to increase their pension contributions.