The New York Department of Financial Services (DFS) has issued a cybersecurity fraud alert to all of its regulated entities, describing a “systemic and aggressive” campaign to steal consumers’ private data.
The DFS has received reports from several regulated entities of successful or attempted data theft from websites that provide instant quotes to consumers. Any entity that uses instant quote software on its public-facing website is exposed to this type of data theft attack. The attackers appear to be using the stolen data to apply for pandemic and unemployment benefits.
According to the alert, all regulated entities with instant quote websites should immediately review those websites for evidence of hacking. Reports have shown that even when consumer data is redacted on the displayed page, cybercriminals have proven they can easily recover the full unredacted information.
Reports have confirmed several methods that criminals have used, or attempted to use, to steal consumer data from auto quote websites:
- Taking unredacted information from the auto quote websites’ HTML (Hypertext Markup Language) that was not displayed on the rendered page but was present in the page source.
- Using browser developer tools to intercept and decode unredacted consumer information.
- Manipulating the technology to access parts of a public-facing website to view where the unredacted data is stored.
- Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
- Requesting a quote and receiving an agent’s contact information to use social engineering to elicit information from the agent.
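The first three methods above share one root cause: the server sends the browser more data than the page shows, so masking the value on screen protects nothing. The Python below is an added illustration, not code from the DFS alert or from any quoting product. It contrasts a rendering routine that masks the licence number in the visible text but still embeds the full record in a hidden form field and a script variable, with one that redacts on the server before the page is built and hands the browser only an opaque token, which is what the alert's later recommendation to verify redaction "throughout the entire transmission of the data" amounts to in practice. The field names, mask format, token scheme and sample record are all assumptions of the example.

```python
import html
import json

# Constructed sample quote record for the demonstration; not real data.
SAMPLE_QUOTE = {"name": "Jane Example", "dl_number": "X12345678", "dob": "1990-01-15"}


def mask_dl(dl_number):
    """Keep only the last four characters of a licence number (assumed mask format)."""
    if len(dl_number) <= 4:
        return "*" * len(dl_number)
    return "*" * (len(dl_number) - 4) + dl_number[-4:]


def redact_record(record):
    """The only representation of the record that should ever leave the server."""
    return {
        "name": record["name"],
        "dl_number": mask_dl(record["dl_number"]),
        "dob": "****-**-**",
    }


def render_leaky(record):
    """'Before': the visible text is masked, but the full record is still sent to the
    browser in hidden form fields and a script variable. Viewing the page source or
    opening developer tools is enough to read it."""
    return (
        f'<p>Licence: {html.escape(mask_dl(record["dl_number"]))}</p>\n'
        f'<input type="hidden" name="dl_number" value="{html.escape(record["dl_number"])}">\n'
        f'<input type="hidden" name="dob" value="{html.escape(record["dob"])}">\n'
        f'<script>window.quote = {json.dumps(record)};</script>'
    )


def render_hardened(record, quote_token):
    """'After': redact before the page is built. The browser receives only the masked
    values plus an opaque token; the full record stays server-side, keyed by that
    token (the token/lookup scheme is an assumption of this example)."""
    safe = redact_record(record)
    return (
        f'<p>Licence: {html.escape(safe["dl_number"])}</p>\n'
        f'<input type="hidden" name="quote_token" value="{html.escape(quote_token)}">\n'
        f'<script>window.quote = {json.dumps(safe)};</script>'
    )


def exposes(page_source, *secrets):
    """Review check: list every full (unmasked) value that appears anywhere in the HTML.
    Run it against the real response of every step of the quote flow, not just the
    final page."""
    return [s for s in secrets if s in page_source]


if __name__ == "__main__":
    secrets = (SAMPLE_QUOTE["dl_number"], SAMPLE_QUOTE["dob"])
    print("leaky page exposes:", exposes(render_leaky(SAMPLE_QUOTE), *secrets))
    print("hardened page exposes:", exposes(render_hardened(SAMPLE_QUOTE, "q-7f3a"), *secrets))
```

The `exposes` check is the useful part for a review: capture the raw HTTP responses of the quote flow (not the rendered page) and search them for the unmasked values that the application holds for that quote. Any hit means redaction happened too late.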
The DFS has requested prompt reporting of any attempts to steal consumer information from public-facing websites. Reports of unsuccessful attacks have previously been used to identify the techniques used by attackers. This helps the DFS respond quickly to new threats and continue to help protect consumers and the financial services industry.
Any DFS-regulated entity with a website that uses this type of technology should immediately review the following indicators:
- Data analytics and website traffic metrics for spikes of quote requests. An unusual spike in abandoned quotes occurring in a short time frame was one of the key indicators of this type of attack. On a broader scope, regulated entities should look for an increase in consumer submissions that terminate as soon as consumer data is revealed.
- Server logs for evidence of unauthorized access to private information. After your IT team has reviewed your web traffic, have them review your server logs for that period. When examining the logs of customer sessions, security teams should check to see if there has been any site manipulation using web developer tools.
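The two indicators above can be turned into a concrete log check: find sessions that reached the step where consumer data is revealed and then stopped, and flag source addresses that produced many such sessions in a short window. The Python below is an added example, not from the DFS alert. The simplified log format, the quote-flow paths (`/quote/result` as the step that reveals data, `/quote/purchase` and `/quote/contact` as the steps a genuine shopper continues to), the ten-minute window and the threshold of five are all assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed quote-flow paths: the result page is where consumer data first appears;
# a genuine shopper usually continues to one of the completion steps.
REVEAL_PATH = "/quote/result"
COMPLETION_PATHS = {"/quote/purchase", "/quote/contact"}

# Constructed log lines ("timestamp client_ip session_id path status"); not real traffic.
# One address burns through six quotes in under two minutes and never continues;
# two ordinary visitors take minutes per step, and one of them buys.
SAMPLE_LOG = """\
2021-02-16T10:00:01 198.51.100.7 a1 /quote/start 200
2021-02-16T10:00:05 198.51.100.7 a1 /quote/result 200
2021-02-16T10:00:20 198.51.100.7 a2 /quote/start 200
2021-02-16T10:00:24 198.51.100.7 a2 /quote/result 200
2021-02-16T10:00:41 198.51.100.7 a3 /quote/start 200
2021-02-16T10:00:45 198.51.100.7 a3 /quote/result 200
2021-02-16T10:01:02 198.51.100.7 a4 /quote/start 200
2021-02-16T10:01:06 198.51.100.7 a4 /quote/result 200
2021-02-16T10:01:25 198.51.100.7 a5 /quote/start 200
2021-02-16T10:01:29 198.51.100.7 a5 /quote/result 200
2021-02-16T10:01:50 198.51.100.7 a6 /quote/start 200
2021-02-16T10:01:54 198.51.100.7 a6 /quote/result 200
2021-02-16T10:03:10 203.0.113.5 l1 /quote/start 200
2021-02-16T10:05:42 203.0.113.5 l1 /quote/result 200
2021-02-16T10:08:13 203.0.113.5 l1 /quote/purchase 200
2021-02-16T10:12:00 203.0.113.9 l2 /quote/start 200
2021-02-16T10:14:31 203.0.113.9 l2 /quote/result 200
"""


def parse_log(text):
    """Parse the simplified log format into (timestamp, ip, session, path, status) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, session, path, status = line.split()
        events.append((datetime.fromisoformat(ts), ip, session, path, int(status)))
    return events


def abandoned_quotes(events):
    """Sessions that reached the reveal step but never continued, as (reveal_time, ip)."""
    sessions = {}
    for ts, ip, session, path, status in events:
        if status != 200:
            continue
        info = sessions.setdefault(session, {"ip": ip, "revealed_at": None, "completed": False})
        if path == REVEAL_PATH and info["revealed_at"] is None:
            info["revealed_at"] = ts
        elif path in COMPLETION_PATHS:
            info["completed"] = True
    return sorted(
        (info["revealed_at"], info["ip"])
        for info in sessions.values()
        if info["revealed_at"] is not None and not info["completed"]
    )


def flag_spikes(abandoned, window=timedelta(minutes=10), threshold=5):
    """Source IPs with at least `threshold` abandoned quotes inside any `window`.
    Returns {ip: peak count within one window}. Sliding window over sorted times."""
    by_ip = defaultdict(list)
    for ts, ip in abandoned:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def review(log_text):
    """Total abandoned quotes and the addresses worth a closer look in the server logs."""
    abandoned = abandoned_quotes(parse_log(log_text))
    return len(abandoned), flag_spikes(abandoned)


if __name__ == "__main__":
    total, flagged = review(SAMPLE_LOG)
    print(f"{total} abandoned quotes; addresses to investigate: {flagged}")
```

A single abandoned quote is normal shopper behaviour, which is why the check keys on volume per address within a window rather than on abandonment alone. The addresses it returns are the ones whose sessions deserve the line-by-line server log review the alert asks for.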
These are just two of the DFS’s suggestions; cybercriminals have a number of other ways to access information. Regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.
The DFS has suggested the following steps for entities that are using Instant Quote websites to collect information:
- Conduct a thorough review of website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
- Review public-facing websites for browser web developer tool functionalities. Verify and limit the access so that users cannot adjust, deface or manipulate the website content using web developer tools.
- Review and confirm that its redaction software for consumer information is properly implemented throughout the entire transmission of the data.
- Ensure that privacy protections are up to date and effectively protect the data by reviewing which applications use the data, who is authorized to view the data and, most importantly, where the data is stored.
- Search and scrub public code repositories for proprietary code.
- Block any IP addresses of suspected unauthorized users and consider a Quote limit per user session or IP address.
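The last recommendation, a quote limit per session or IP address together with blocking of addresses already identified as unauthorized, is straightforward to enforce in the application tier. The Python below is an added example, not from the DFS alert or from any quoting product: a sliding-window limiter keyed on both client IP and session, with a blocklist checked first. The limits, the window length, the injectable clock and the sample address are assumptions; real deployments would also need to account for shared addresses such as corporate NAT gateways when choosing the per-IP limit.

```python
import time
from collections import deque


class QuoteLimiter:
    """Sliding-window limit on quote requests per client IP and per session, plus a
    blocklist for addresses already identified as unauthorized. The limits and the
    window length are assumed values; tune them to the site's real traffic."""

    def __init__(self, per_ip=10, per_session=3, window_seconds=600, clock=time.monotonic):
        self.per_ip = per_ip
        self.per_session = per_session
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be exercised deterministically
        self.ip_hits = {}
        self.session_hits = {}
        self.blocked_ips = set()

    def block_ip(self, ip):
        """Add an address to the blocklist; every later request from it is refused."""
        self.blocked_ips.add(ip)

    def _recent(self, store, key, now):
        """Drop timestamps that have left the window and return the live queue."""
        q = store.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, ip, session_id):
        """Return True if this quote request may proceed, False if it should be refused."""
        if ip in self.blocked_ips:
            return False
        now = self.clock()
        ip_q = self._recent(self.ip_hits, ip, now)
        sess_q = self._recent(self.session_hits, session_id, now)
        if len(ip_q) >= self.per_ip or len(sess_q) >= self.per_session:
            return False
        # Record only accepted requests, so refused ones do not extend the lockout.
        ip_q.append(now)
        sess_q.append(now)
        return True


class FakeClock:
    """Constructed clock so the walkthrough does not depend on wall time."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def demo():
    """Walk a burst of quote requests through the limiter and return each decision."""
    clock = FakeClock()
    limiter = QuoteLimiter(per_ip=5, per_session=2, window_seconds=600, clock=clock)
    ip = "198.51.100.7"  # constructed example address
    decisions = []
    decisions.append(limiter.allow(ip, "s1"))  # True
    decisions.append(limiter.allow(ip, "s1"))  # True
    decisions.append(limiter.allow(ip, "s1"))  # False: session limit (2) reached
    decisions.append(limiter.allow(ip, "s2"))  # True  (3 accepted from this IP)
    decisions.append(limiter.allow(ip, "s3"))  # True  (4)
    decisions.append(limiter.allow(ip, "s4"))  # True  (5)
    decisions.append(limiter.allow(ip, "s5"))  # False: IP limit (5) reached
    clock.advance(601)                         # window expires
    decisions.append(limiter.allow(ip, "s6"))  # True
    limiter.block_ip(ip)                       # address confirmed as unauthorized
    decisions.append(limiter.allow(ip, "s7"))  # False: blocked
    return decisions


if __name__ == "__main__":
    print(demo())
```

Keying on the session as well as the IP matters because a new session costs an attacker nothing; keying on the IP as well as the session matters because rotating sessions is exactly how the abandoned-quote pattern shows up in the logs. A refused request should also be logged, since the alert asks for unsuccessful attempts to be reported.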
Anyone with questions regarding the alert should contact the NY Department of Financial Services directly at CyberAlert@dfs.ny.gov.
If you have any questions regarding your own cybersecurity, contact one of our Risk Advisors at 914-357-8444 or visit our Contact Us page to schedule a 10-minute meeting.