How an obscure new technology is giving the bad guys a headache
The (not so) perfect crime
Imagine, purely hypothetically of course, that you were a crook. Perhaps you’re one of those people who would rather earn an easy living than an honest one. If you can steal money and not get caught, perhaps your first instinct is to ask yourself ‘why not?!’
I jest, of course. I’m sure this doesn’t describe you in any way. But pretend, for a moment, that it did.
What if I were to tell you there was a sure-fire, can’t-lose way to steal thousands of dollars from big insurance companies? Better still, what if I were to tell you this scam is so foolproof that the insurance companies might not ever even know they’d been defrauded?
Here’s the scam.
Go out and buy a car. It doesn’t need to be flash but it needs to be worth something. Maybe pay $10,000 or so for it?
Try not to fall in love with it, however, as the car isn’t going to make it to the end of this story in one piece.
But, first, open up your laptop and find the web sites for some big insurers. Take out a comprehensive policy for the car with the first insurer you find. Maybe the policy costs $500? Doesn’t matter… you’re going to make enough back to cover this. And then some.
Now switch to the next tab in your browser. And take out a comprehensive policy for the car with this insurer. Another $500, another policy. Now switch to the third tab, and the fourth. And the fifth and the sixth. (See where this is going yet…?)
Don’t stop until you’ve taken out ten policies for this vehicle.
Cost to date? $10,000 for the car, and maybe $5,000 for the insurance policies. $15,000 in all.
Remember I told you not to get emotionally attached to the car?
Well, that’s because – you guessed it – the car is about to meet with an “unfortunate” accident… This is your big chance… this is your chance to prove you have it in you to be bad. I bet nobody thought you’d go through with it when you told them you were changing career and joining the ‘alternative’ economy, did they? Well now you can show them.
You see… you now need to go crash this car so badly that it’s a write-off. And it needs to be convincing. This has to look like a genuine accident. You need to really go for it! And, please, try to be creative.
Done it? Good for you! How does it feel to have embarked on your life of crime? Exciting? A little bit wild? You’re probably getting a taste for it by now…!
Assuming you’ve managed to do the deed, then it’s plain sailing from here….
File ten identical claims on the ten policies you took out with those ten insurers. Assume they each pay out maybe $8,000? That means you’ll receive payouts for $80,000 total. Subtract your $15,000 costs, and you just made sixty-five thousand dollars for one day’s (well, maybe night’s) work!
This is no time for amateurs
Now, there’s the teensy little problem that this is highly illegal.
And there’s the ever-so-slightly bigger problem that convincingly staging a fake car accident is really quite hard.
And that latter problem may actually be the show stopper for your budding career in crime. Insurers aren’t stupid. They’re wise to amateurs thinking they know what they’re doing. So, hopefully, you read down this far before trying this little scam! If you’re foolish enough to try it, you’ll very quickly find yourself in court.
But there are highly experienced, professional gangs who know exactly how to pull this sort of thing off. And they cost the insurance industry a LOT of money.
Why is it so hard to prevent this sort of fraud?
You’d think it would be an easy problem to solve. After all, each insurer in this story is processing a claim for the same vehicle! And each car has a unique identity: literally, a Vehicle Identification Number (VIN).
So why can’t the insurers check with each other? It would be infeasible for the claims handlers to manually call up their counterparts at all the other insurers each time they received a claim (imagine how many calls that would be each day!). But nothing stops the insurers setting up a centralised ‘claims database’ that could spot this sort of fraud in an instant, right?
Well… it turns out there is something stopping them from doing this in some jurisdictions: data privacy rules and commercial sensitivity.
To see why, imagine you had to build such a database. How would you do it?
You’d need some way of detecting when the same VIN was being processed in a claim by more than one insurer. And to do that you’d need to keep track of all claims currently being processed. After all, how would you know a second claim was indeed a second claim if you didn’t know about the first?!
So you’d need to build a system that knew about all vehicles that were the subjects of active or recent claims with all insurers. Only then could you scan the database looking for duplicates, which would be evidence of possible fraudulent ‘multiple claims.’
In other words, this is a problem with a simple – almost trivial! – technical solution. But the solution is really difficult to implement owing to the amount of data – some of it personal – that would need to be aggregated in one place, by one party. There is the obvious personal privacy issue, but also a commercial one: who would the insurers trust to have all this information? Anybody who could see all the information could deduce pretty much anything about the underwriting policies and standards of every participating insurer.
We could give up at this point – as most insurers in most markets have done – and deal with the scam through other, more indirect, means.
Can we bring together the data we need, without sacrificing privacy or commercial secrecy?
But we could also ask ourselves a question. Imagine, for a moment, that we could wave a magic wand. What would it take to make this central database viable? What would its designers need to promise to make it acceptable from a commercial and privacy perspective?
The answer is: the operator would need to be able to prove two things to the insurers who participated in the scheme.
First, they would need to prove that the only thing the claims data could be used for is identifying duplicate claims. If they could provide that proof, it would allay the insurers’ commercial fears.
And, secondly, they would need to prove that nobody – not even the operator of the service – could see any of the underlying claims data. If a claim turns out not to be a duplicate, nobody outside the insurer handling that claim should ever be able to see that record. And if it does turn out to be a duplicate, then only the insurers concerned should learn about it. Nobody else. Not even the operator of the service.
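The two promises can be read as the contract of the matching logic itself. The sketch below is an added example, not code from ClaimShare, Conclave or any insurer; the class, method names, insurer names and claim references are hypothetical, and the VINs are constructed sample values. It models only what the service is allowed to reveal: keeping the key and the table unreadable to the operator is the part that ordinary software cannot provide on its own.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class DuplicateClaimMatcher:
    """Hypothetical matching logic for the duplicate-claim service described above."""

    def __init__(self):
        # Assumption: this key lives only in protected memory and is never exported.
        self._key = secrets.token_bytes(32)
        # tag -> {insurer: claim_ref}; raw VINs are never stored.
        self._claims = defaultdict(dict)

    def _tag(self, vin):
        vin = vin.strip().upper()
        ok = len(vin) == 17 and vin.isascii() and vin.isalnum()
        if not ok or set(vin) & set("IOQ"):
            raise ValueError("not a well-formed 17-character VIN")
        # Keyed hash: VINs are structured and enumerable, so an unkeyed
        # hash could be reversed by anyone who sees the table.
        return hmac.new(self._key, vin.encode(), hashlib.sha256).hexdigest()

    def submit(self, insurer, vin, claim_ref):
        """Register a claim; return {insurer: alert} for the insurers concerned only."""
        holders = self._claims[self._tag(vin)]
        holders[insurer] = claim_ref
        if len(holders) < 2:
            return {}  # not a duplicate: nothing leaves the matcher
        alerts = {}
        for name, ref in holders.items():
            others = sorted(o for o in holders if o != name)
            # Each insurer sees its own claim reference and who else holds a claim.
            alerts[name] = {"your_claim": ref, "also_claimed_at": others}
        return alerts


def demo():
    # Constructed sample data: every name, reference and VIN here is made up.
    m = DuplicateClaimMatcher()
    first = m.submit("insurer-a", "1HGCM82633A004352", "A-1001")
    unrelated = m.submit("insurer-b", "JH4KA8260MC000000", "B-2001")
    second = m.submit("insurer-c", "1hgcm82633a004352 ", "C-3001")
    return first, unrelated, second
```

In `demo()`, the first and the unrelated claim produce no output at all, and the third produces alerts for insurer-a and insurer-c only; insurer-b learns nothing.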
If – and it’s a big if, of course – it were possible to build a service that could make those promises (and keep them!), it would kill this form of fraud dead. And the system itself wouldn’t be that hard to build – and could be up and running in no time.
So the billion dollar question is: can you build a system that can make those promises?
The answer – surprisingly – is yes!
Confidential Computing lets us reimagine the ‘art of the possible’ for data pooling services
An obscure – but rapidly maturing – technology known as ‘Confidential Computing’ enables precisely this. Confidential Computing utilises hardware cryptography from companies such as Intel to protect data even when it’s in use. Applications written with this technology can give their users technical proof of what algorithms will run on their data, and that the underlying data will never be visible to the operator of the service.
And using this technology to solve the insurance duplicate fraud problem is not theoretical. A firm called IntellectEU have built it! The solution is called ClaimShare and the first pool of insurers to use it is being assembled.
However, it turns out that Confidential Computing applications can be exceedingly difficult to write. So how has IntellectEU been able to build ClaimShare so quickly and without having to train an army of hardware cryptographers?
The answer is that they are building ClaimShare using a ‘software development kit’ that is purpose-built to make it easy and quick to write confidential computing applications without having to understand the underlying hardware.
I know about this project because IntellectEU are using my firm’s product, Conclave, but there are, of course, other platforms seeking to do the same thing.
And that’s really the main message of this post. Confidential Computing allows us to imagine a future where owners of sensitive data can be absolutely sure how it will be used when they send it for processing elsewhere. But it is the new generation of confidential computing ‘software development kits’ that are going to unlock the power of this technology at scale.
I shouldn't have to say this but, for the avoidance of doubt, do not be tempted to try the 'scam' I outlined in this post. Aside from the illegality, you'll also be wasting your time... the story I tell is highly simplified!
Author: Richard Gendal Brown. I am CTO at R3, where I helped invent Corda, one of the most widely deployed blockchains amongst the world's businesses. I write from practical experience about what problems distributed ledgers solve, what lessons I've learned from building and deploying Corda, and how to cut through the hype.