Agency Issues 2nd Alert for Instant Quote Website Schemes
NY Officials: Fraudsters Continue to Probe Sites for Security Weaknesses
New York state officials are warning CISOs and other executives in the banking and insurance industries that fraudsters continue to probe for security weaknesses in websites offering instant quotes, as a way to target consumers’ data.
The New York State Department of Financial Services has found that over the past month fraudsters have been targeting the “sensitive data for hundreds of thousands of New Yorkers” by exploiting websites that offer instant quotes, especially those that provide auto insurance rates, according to an alert sent this week.
In most cases, the fraudsters are looking to steal private information from consumers, including driver’s license numbers, vehicle identification numbers and other personally identifiable information, according to the agency.
The warning issued this week follows a similar alert DFS sent in February, which said fraudsters were likely using this data in attempts to apply for pandemic-related benefits and unemployment insurance (see: Hackers Target Instant Quote Websites).
“This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information,” according to the recent DFS alert. “All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented [all] of the robust access controls required by DFS’s cybersecurity regulation.”
DFS did not release any information on the number of individuals these attacks have victimized in New York or elsewhere. The department initially heard about the schemes earlier this year and in January informed 12 auto insurance instant quote sites that they were likely targeted.
Attackers Using Fresh Methods
While DFS had previously warned about a variety of methods used to steal personal data, the new alert finds that fraudsters have added several other techniques.
These include credential stuffing to gain access to insurance agent accounts, which are then used to steal consumer data, according to this week’s alert.
In other cases, DFS has found attackers using web-debugging tools to steal unredacted, plain-text personal information while the data is in transit from the data vendor to the company hosting the instant quote site, the alert says.
“The debugging tools employed allow a user to inspect web pages and sessions and to monitor remote API calls to data service providers for requested customer data. Cybercriminals use these tools to capture plaintext [non-public information] transmitted from data service providers to Instant Quote Websites in extensible markup language (XML) and JavaScript object notation (JSON) file formats,” the alert notes. “DFS believes that cybercriminals are targeting these formats because the information returned after requesting an online quote that is in either JSON or XML files includes the requestor’s DLN and the state that issued it.”
The agency also noted a recent uptick in voice phishing, or vishing, which is being used to trick insurance agents into giving out personal data (see: FBI Warns of Increase in Vishing Attacks).
The DFS notes that auto insurance companies and instant quote websites should not display personal data, even in a redacted form, as fraudsters have numerous ways to bypass the tools used to help mask the information.
“We urge personal lines insurers and other financial services companies to avoid displaying prefilled NPI on public-facing websites considering the serious risk of theft and consumer harm,” the alert notes. “We note that many of the auto insurers targeted by this cybercrime campaign have recently disabled all [non-public information] prefill on their public-facing websites.”
Anthony Pillitiere, co-founder and CTO of security firm Horizon3.AI, notes that instant quote websites for financial services companies and auto insurers fail to offer basic security for information that can easily be gleaned by fraudsters with rudimentary skills.
“People already give up enough information on their own through social media and the rest of their digital footprint,” Pillitiere says. “The last thing they need is someone giving it away without them knowing about it. Criminals use any and all data available to them, from social media to receipts in their trash. … The relationships between that data create a picture that enables attackers to reach their goal.”
Security Measures
DFS recommends that financial institutions and insurance companies that use instant quote websites take additional steps to protect consumer information. They can include:
- Disable prefill functions in public-facing websites to ensure that nonpublic information is not displayed, even in a redacted form;
- Install web application firewalls to protect against vulnerabilities and inspect incoming traffic for malicious activity;
- Implement CAPTCHA to ensure that automated programs or bots cannot steal data that might remain on a public-facing website;
- Improve access controls for agent portals used to gather consumer data. This can include multifactor authentication, enhanced password policies and limits on the number of login attempts;
- Protect personal data received from data vendors and ensure that APIs used to pull data files, including JSON and XML, from data vendors are not directly accessible from the internet or agent portals.
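As an added illustration (not code from the DFS alert or any insurer), the following Python contrasts the pattern the alert describes with the one its last recommendation asks for: in the first, the browser receives the vendor's JSON verbatim and only masks the DLN client-side, so debugging tools show the plaintext; in the second, the vendor API is called only from the server and NPI fields are removed before anything reaches the browser. The sample vendor response and its field names are constructed assumptions.

```python
import json
from typing import Any

# Constructed stand-in for a data vendor's reply to a quote request.
# Field names are assumptions; the alert only says the reply carries the
# requestor's DLN and issuing state.
VENDOR_RESPONSE = json.dumps({
    "quoteId": "Q-0001",
    "applicant": {
        "firstName": "Jane",
        "lastName": "Doe",
        "dln": "123456789",   # driver's license number (NPI)
        "dlnState": "NY",     # issuing state (NPI)
    },
    "vehicles": [{"vin": "1HGCM82633A004352", "year": 2018, "make": "Honda"}],
})

# Keys treated as non-public information that must never leave the server.
NPI_FIELDS = {"dln", "dlnState", "vin"}


def mask(value: str) -> str:
    """Show only the last four characters, e.g. '*****6789'."""
    return "*" * (len(value) - 4) + value[-4:]


def insecure_passthrough(vendor_json: str) -> dict:
    """Vulnerable pattern: the full vendor reply is forwarded to the browser and
    a masked copy is added for display. The plaintext DLN is still in the body,
    so browser dev tools or a session inspector reveal it."""
    payload = json.loads(vendor_json)
    payload["maskedDln"] = mask(payload["applicant"]["dln"])
    return payload


def strip_npi(obj: Any) -> Any:
    """Recursively drop NPI keys from nested dicts and lists."""
    if isinstance(obj, dict):
        return {k: strip_npi(v) for k, v in obj.items() if k not in NPI_FIELDS}
    if isinstance(obj, list):
        return [strip_npi(v) for v in obj]
    return obj


def server_side_response(vendor_json: str) -> dict:
    """Hardened pattern: filter on the server; no prefill, masked or otherwise."""
    return strip_npi(json.loads(vendor_json))


def contains_npi(payload: dict) -> bool:
    """Response-filter check: does any NPI key survive anywhere in the payload?"""
    def walk(o: Any) -> bool:
        if isinstance(o, dict):
            return any(k in NPI_FIELDS or walk(v) for k, v in o.items())
        return isinstance(o, list) and any(walk(v) for v in o)
    return walk(payload)
```

`contains_npi` is the kind of check a response-filtering middleware or a regression test can run on every outbound quote payload, regardless of how the vendor nests its fields.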