Recently, there has been an increase in cybercrime against financial services companies in New York. The New York Department of Financial Services has issued an alert about the threat to New York-based organizations, but there is no reason to assume the threat stops at the state line.
The attackers are targeting the public-facing websites of financial services companies to harvest Nonpublic Information (NPI): consumers' names, dates of birth, addresses, driver's license numbers, vehicle makes and models, vehicle identification numbers, and data about household members. But what are these attackers doing with this information, and what can the targeted companies do to protect their consumers' data?
Once a consumer's NPI has been stolen, an attacker can use it to fraudulently claim benefits, such as unemployment insurance, in the victim's name. The threat actors in this campaign have used the following methods to obtain a victim's NPI:
- Using web-debugging tools to capture un-redacted, plaintext NPI while it is in transit from the data vendor to the company
- Credential stuffing against insurance agent accounts, then using the compromised agent accounts to look up and steal consumer NPI
- Reading un-redacted NPI out of the Auto Quote Websites' Hypertext Markup Language ("HTML"): the data was never shown on the rendered page, but it was present in the markup sent to the browser
- Using developer debug tools to intercept and decode un-redacted NPI; in some cases the attackers used the browser's developer tools on the public-facing website to edit the HTML and reshape page frames so that hidden NPI became visible
- Defeating the redaction mechanism itself with browser developer tools, reaching the parts of the site that held the redacted data and thereby revealing the full NPI on the public-facing website
- Requesting a quote and then purchasing the policy with a fraudulent payment method, which exposed the policy owner's information, including his or her driver's license number
- Requesting a quote, obtaining the assigned agent's contact information, and then calling the agent and using social engineering to elicit NPI from the agent
Fortunately, the New York State Department of Financial Services (DFS) has given companies some guidance on how to avoid becoming the attackers' next victim. In general, DFS recommends that financial services companies check whether they have implemented all of the access controls detailed in its cybersecurity regulation, 23 NYCRR 500, and urges those that have not to implement them as soon as possible.
In addition to implementing the controls outlined in the DFS regulation, organizations can:
- Disable pre-filling of redacted NPI, so that the full value is never sent to the browser in the first place
- Install a Web Application Firewall (WAF)
- Implement CAPTCHA to block bots
- Improve access controls for agent portals (add multi-factor authentication, adopt stronger password policies, and limit login attempts)
- Train agents and employees to spot social engineering attacks
- Limit access to NPI to only those employees who need it
- Wait until payments have cleared before issuing a policy
- Protect NPI received from data vendors
Although written for financial services firms, these recommendations apply equally to any organization with Internet-facing systems that hold NPI, PII, or similar sensitive data.