
NY Department of Financial Services Issues Cyber Fraud Alert to Auto Insurers

Filip TRUȚĂ

February 24, 2021


The New York Department of Financial Services (NYDFS) has issued an alert to instant-quote websites, particularly car insurers, warning of a growing campaign to steal nonpublic information (NPI).

The agency says it learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers.

According to the guidance, “the insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote.”

The NYDFS says its cyber intelligence unit has discovered communications on cybercrime forums offering to sell techniques to access driver’s license numbers from auto insurance websites and step-by-step instructions on how to steal them.

The growing threat is partly attributed to heightened fraud during the COVID-19 pandemic.

“The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits,” the guidance reads.

Targeted entities are instructed to immediately review data analytics and website traffic metrics for spikes of quote requests and server logs for evidence of unauthorized access to NPI to determine whether their sites have been hacked.
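The log review described above can be sketched as follows. This is an added example, not code from NYDFS or the original article; it flags sources that display many quotes in a short span and abandon nearly all of them after the estimate is shown. The log format, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; assumed format: ISO timestamp, client IP, quote id, event.
# 203.0.113.7 displays six quotes within five minutes and continues none of them.
SAMPLE_LOG = "\n".join(
    [f"2021-02-01T10:0{i}:00 203.0.113.7 a{i} quote_displayed" for i in range(6)]
    + ["2021-02-01T10:01:00 198.51.100.4 b1 quote_displayed",
       "2021-02-01T10:04:00 198.51.100.4 b1 quote_continued",
       "2021-02-01T11:30:00 198.51.100.4 b2 quote_displayed",
       "2021-02-01T10:02:00 192.0.2.9 c1 quote_displayed",
       "truncated line"])

def max_burst(times, window):
    """Largest number of timestamps that fit inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def suspicious_sources(log_text, min_burst=5, min_abandon=0.9,
                       window=timedelta(minutes=30)):
    """Return {ip: (burst, abandon_ratio)} for sources that display many quotes
    in a short span and abandon nearly all of them once the premium is shown."""
    displayed = defaultdict(dict)  # ip -> {quote id: time the quote was shown}
    continued = defaultdict(set)   # ip -> quote ids pursued past the estimate
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        _, ip, quote_id, event = parts
        if event == "quote_displayed":
            displayed[ip][quote_id] = ts
        elif event == "quote_continued":
            continued[ip].add(quote_id)
    flagged = {}
    for ip, quotes in displayed.items():
        abandon = 1 - len(continued[ip] & quotes.keys()) / len(quotes)
        burst = max_burst(quotes.values(), window)
        if burst >= min_burst and abandon >= min_abandon:
            flagged[ip] = (burst, round(abandon, 2))
    return flagged
```

Keying on client IP alone misses activity spread across many addresses, so the same grouping can be applied to session identifiers or to the name entered in the quote form.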

NYDFS recommends that instant-quote websites take the following steps when displaying or transmitting NPI:

  • Conduct a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations
  • Limit access that users have to manipulate website content using web developer tools
  • Confirm that data redaction and obfuscation solutions for NPI are properly implemented
  • Ensure that privacy protections are up-to-date and working by reviewing who is authorized to view NPI
  • Search and scrub public code repositories for proprietary code
  • Block the IP addresses of suspected unauthorized users
  • Consider implementing quote limits per user session

The NYDFS also provides recommendations to secure data, noting that regulated entities should review whether it is necessary to display any NPI, including redacted NPI.
