To: Chief Executive Officers, Chief Information Officers, Chief Information Security Officers, Senior Information Officers, Data Privacy Officers, and Government Relations Officers of all Regulated Entities
From: Justin S. Herring, Cybersecurity Division, Department of Financial Services
Re: Cyber Fraud Alert Follow-Up
Date: March 30, 2021
We write to alert you again to an ongoing cybercrime campaign that is a serious threat to consumers. It has already resulted in theft of sensitive data for hundreds of thousands of New Yorkers. Financial services companies should take immediate action to protect consumer data from this ongoing cybercrime.
On February 16, 2021, the Department of Financial Services ("DFS") released a Cyber Fraud Alert (the “February 16th Alert”) identifying a systemic and aggressive cybercrime campaign to steal Nonpublic Information (“NPI”), including driver's license numbers (“DLNs”), from public-facing Instant Quote Websites. Since the February 16th Alert, DFS has received many additional reports of data theft – including some as recent as the past week.
Cybercriminals have continued to use the methods described in the February 16th Alert to steal NPI, as well as the following hacking methods recently reported to DFS:
- Using web debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and
- Credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI.
This cybercrime campaign is a serious threat to the personal information of New Yorkers, and we urge all personal lines insurers and other financial services companies to take aggressive action to prevent the further loss of consumer information. All financial services companies should immediately check for any evidence of this cybercrime and ensure that they have implemented the robust access controls required by DFS’s cybersecurity regulation, 23 NYCRR 500 et seq.
The best way to prevent NPI from being stolen from public-facing websites is to not display NPI—even in redacted form. We urge personal lines insurers and other financial services companies to avoid displaying prefilled NPI on public-facing websites considering the serious risk of theft and consumer harm. We note that many of the auto insurers targeted by this cybercrime campaign have recently disabled all NPI prefill on their public-facing websites.
Insurance agent portals hosted by insurers often allow access to consumer NPI and have been aggressively targeted by cybercriminals in recent weeks. Agent portals should be protected by the robust access controls required by DFS’s cybersecurity regulation. And agent portals should not provide access to consumer NPI beyond what is strictly necessary for the agent’s business.
Regulated entities should remediate security flaws immediately and are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest. Cybersecurity Events should be reported through DFS’s reporting portal. DFS also asks that any attempt to steal NPI from any public-facing website be promptly reported to DFS. Reports of unsuccessful attacks have been useful in identifying techniques used by attackers and enabling DFS to respond quickly to new threats and continue to protect consumers and the financial services industry.
I. Exploitation of Data Prefill Systems
In January 2021, DFS determined that cybercriminals were gaining unauthorized access to NPI by exploiting vulnerabilities in the application design and code of Instant Quote Websites. Since DFS published the February 16th Alert, we have received reports of two new hacking techniques. First, hackers have exploited vulnerabilities in the code of the data prefill systems used by Instant Quote Websites. These vulnerabilities are found in the website application logic used to redact or mask portions of consumer NPI and in the application programming interface (API) shared with the data service provider. Second, cybercriminals have used credential stuffing to gain access to insurance agents’ accounts. Once logged in as an agent, they can request information from data prefill systems and receive unredacted NPI.
The NPI obtained by cybercriminals when hacking into data prefill systems includes the consumer’s DLN, vehicle make, vehicle model, vehicle identification number (VIN), and household members' associated data. The most reliable indicator of hacking of data prefill systems appears to be a cluster or spike in abandoned instant quotes for New Yorkers.
A. Using web debugging tools to steal NPI
Cybercriminals are using web debugging tools to steal unredacted NPI in transit from data service providers to Instant Quote Websites. These tools allow a user to inspect web pages and sessions and to monitor the remote API calls made to data service providers for requested customer data. Using them, cybercriminals are capturing plaintext NPI transmitted from data service providers to Instant Quote Websites in Extensible Markup Language (XML) and JavaScript Object Notation (JSON) format. Because the redaction is applied by the website application only after the unredacted response has been received, the masked value shown on the page offers no protection against a user who observes the underlying API traffic. DFS believes that cybercriminals are targeting these formats because the JSON or XML response returned after an online quote request includes the requestor's DLN and the state that issued it.
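The following is an added example and is not DFS's code or any insurer's. It contrasts the flawed design described above (the vendor's full JSON or XML prefill reply is handed to the browser and masked there) with a server-side design in which the quote response is assembled from an allow-list and never carries the unredacted record; it also reflects the "Protect NPI received from data vendors" step in Section III. The vendor field names, the two payload shapes, the sample record and the assumption about which fields a quote page needs are all constructed for illustration.

```python
"""Added example (not DFS's code, nor any insurer's): build the quote response
on the server so the data vendor's unredacted prefill payload never reaches
the browser. Field names, payload shapes and the sample record are assumptions.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample vendor replies (fictitious data); the same record in both formats.
VENDOR_JSON = json.dumps({
    "driver": {"firstName": "Jane", "lastName": "Doe", "dln": "123456789", "dlnState": "NY"},
    "vehicle": {"year": 2018, "make": "Honda", "model": "Civic", "vin": "2HGFC2F59JH512345"},
    "household": [{"firstName": "John", "lastName": "Doe", "dln": "987654321", "dlnState": "NY"}],
})
VENDOR_XML = """<PrefillResponse>
  <Driver firstName="Jane" lastName="Doe" dln="123456789" dlnState="NY"/>
  <Vehicle year="2018" make="Honda" model="Civic" vin="2HGFC2F59JH512345"/>
  <Household>
    <Driver firstName="John" lastName="Doe" dln="987654321" dlnState="NY"/>
  </Household>
</PrefillResponse>"""


def _driver(el):
    return {k: el.get(k) for k in ("firstName", "lastName", "dln", "dlnState")}


def parse_vendor(payload, content_type):
    """Normalise either vendor format into one internal record. The record stays
    server-side (session store, quote database) and is never serialised to the page."""
    if content_type == "application/json":
        d = json.loads(payload)
        return {"driver": d["driver"], "vehicle": d["vehicle"], "household": d.get("household", [])}
    if content_type == "application/xml":
        root = ET.fromstring(payload)
        v = root.find("Vehicle")
        return {
            "driver": _driver(root.find("Driver")),
            "vehicle": {"year": int(v.get("year")), "make": v.get("make"),
                        "model": v.get("model"), "vin": v.get("vin")},
            "household": [_driver(el) for el in root.findall("Household/Driver")],
        }
    raise ValueError(f"unsupported vendor content type: {content_type}")


def vulnerable_quote_response(vendor_payload, content_type):
    """The flawed design: the whole vendor record goes to the browser and page
    script masks the DLN for display. Anyone watching the API call sees the plaintext."""
    record = parse_vendor(vendor_payload, content_type)
    return {"quote": "$1,234/yr", "prefill": record}


def hardened_quote_response(vendor_payload, content_type):
    """Allow-list only what the quote page needs: no DLN digits at all (DFS advises
    against prefilling NPI even in redacted form), no VIN, no household members.
    That year/make/model are needed on the page is an assumption; the memo lists
    them among the stolen NPI, so they deserve the same scrutiny."""
    record = parse_vendor(vendor_payload, content_type)
    return {
        "quote": "$1,234/yr",
        "prefill": {
            "driver": {"firstName": record["driver"]["firstName"],
                       "licenseOnFile": bool(record["driver"]["dln"])},
            "vehicle": {k: record["vehicle"][k] for k in ("year", "make", "model")},
        },
    }


def leaks_npi(response, record):
    """Check helper: does the serialised browser response contain any full DLN or VIN?"""
    text = json.dumps(response)
    secrets = [record["driver"]["dln"], record["vehicle"]["vin"]] + [h["dln"] for h in record["household"]]
    return any(s in text for s in secrets)
```

A check of this kind (serialise every response the quote flow emits and search it for the identifiers received from the vendor) is worth running in the test suite for the website, since it catches a vendor adding a new field to the reply just as well as it catches the original passthrough.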
B. Using credential stuffing to gain access to insurance agents’ accounts
Cybercriminals are also entering the web portals of Instant Quote Websites through the accounts of insurance agents to make API calls directly to data service providers and steal DLNs and related NPI. DFS has confirmed that cybercriminals gained access to these agent accounts by credential stuffing, although regulated entities should be prepared to defend these accounts against phishing and other attacks as well.
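The following is an added example, not DFS's code or any insurer's, showing how the credential stuffing described above can be picked out of agent portal login logs. Credential stuffing looks different from a brute-force attack on a single account: one source tries many different usernames, each only once or twice, with a high failure rate, and the occasional success marks an account that should be treated as compromised. The log line format, the field names, the thresholds and the sample log are all constructed for this example.

```python
"""Added example (not DFS's code, nor any insurer's): flag the credential
stuffing pattern in agent-portal login logs with a per-source sliding window.
Log format, thresholds and sample data are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def _line(ts, ip, user, result):
    return f"{ts.isoformat().replace('+00:00', 'Z')} ip={ip} user={user} result={result}"


def build_sample_log():
    """Constructed sample (no real accounts): one stuffing run plus normal traffic."""
    t0 = datetime(2021, 3, 22, 2, 0, tzinfo=timezone.utc)
    lines = []
    # A legitimate agent mistypes the password twice, then logs in.
    lines += [_line(t0 + timedelta(seconds=s), "198.51.100.5", "agent.smith@example.com", r)
              for s, r in ((5, "FAIL"), (40, "FAIL"), (70, "OK"))]
    # Attacker: 30 different agent usernames in five minutes; two leaked passwords still work.
    for i in range(30):
        result = "OK" if i in (11, 27) else "FAIL"
        lines.append(_line(t0 + timedelta(seconds=10 * i), "203.0.113.7",
                           f"agent{i:03d}@example.com", result))
    return "\n".join(lines)


def parse_log(text):
    """Return login events as (timestamp, ip, user, result), oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login record
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=20, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its login attempts. A window holding
    at least `min_users` distinct usernames with a failure ratio at or above
    `min_fail_ratio` is a stuffing run; any successful login inside such a window
    is a compromised account. Returns ({ip: max distinct users seen}, {accounts})."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev[1], []).append(ev)
    flagged, compromised = {}, set()
    for ip, evs in by_ip.items():
        win = deque()
        for ev in evs:
            win.append(ev)
            while ev[0] - win[0][0] > window:
                win.popleft()
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
                compromised.update(e[2] for e in win if e[3] == "OK")
    return flagged, compromised
```

Run over the constructed log, the attacker's source is flagged with 30 distinct usernames and the two accounts it logged into are returned for password resets and session revocation, while the agent who mistyped a password is not flagged. A per-account lockout on its own would not have fired here, because no account saw more than one attempt; that is why the limits recommended in Section III need to consider the source as well as the account.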
II. Other Cyber Fraud Methods Used to Obtain NPI
In addition to exploiting vulnerabilities in data prefill systems, cybercriminals are gaining unauthorized access to NPI by using social engineering scams and by fraudulently buying insurance policies. These methods were described in the February 16th Alert, and since then DFS has received many reports of these attacks continuing.
The social engineering reports are of “vishing” – eliciting sensitive data from insurance agents over the phone. Cybercriminals are also repeatedly purchasing insurance policies with eChecks and/or stolen credit and debit card information to view policyholders’ DLNs and other NPI.
III. Remediation Steps
To combat this cybercrime, the following basic security steps should be implemented. Companies that continue to use Instant Quote Websites should also be prepared for cybercriminals to continue using new methods of attack.
Disable prefill of redacted NPI. Avoid displaying prefilled NPI, especially on public-facing websites. See 23 NYCRR 500.09.
Install Web Application Firewall (WAF). WAFs help protect websites from malicious attacks and exploitation of vulnerabilities by inspecting incoming traffic for suspicious activity. See 23 NYCRR 500.02(b)(2).
Implement CAPTCHA. Cybercriminals use automated programs or “bots” to steal data. Completely Automated Public Turing tests to tell Computers and Humans Apart (“CAPTCHA”) attempt to detect and block bots. See 23 NYCRR 500.02(b)(2).
Improve Access Controls for Agent Portals. Agent portals typically allow agents access to consumer NPI, and robust access controls are required by DFS’s cybersecurity regulation. Measures that should be implemented include:
- MFA, see 23 NYCRR 500.12;
- Robust password policy, see 23 NYCRR 500.03 and 500.07; and
- Limitations on login attempts, applied per source as well as per account, since credential stuffing makes only a few attempts against each of many accounts, see 23 NYCRR 500.03 and 500.07.
Training and awareness. Employees and agents should be trained to identify social engineering attacks, and should know not to disclose NPI, including DLNs, over the phone. Scripted calls with grammatical errors or repeated statements during the conversation are key indicators of fraudulent calls. See 23 NYCRR 500.14.
Limit access to NPI. Employees and agents should only have access to sensitive information that is necessary to do their job. See 23 NYCRR 500.03(d) and 500.07.
Wait until payments have cleared before issuing a policy. Auto insurers should consider waiting until an eCheck, credit card, or debit card payment has been cleared by the issuing bank before generating an online policy and granting the policyholder access to NPI. See 23 NYCRR 500.02, 500.03, 500.07, and 500.09.
Protect NPI received from data vendors. Ensure that APIs used to pull data files, including JSON and XML, from data vendors are not directly accessible from the internet or agent portals. See 23 NYCRR 500.02(b)(2) and 500.08.
 See 23 NYCRR § 500.01(g) (for the definition of Nonpublic Information).
 Instant Quote Websites are websites that offer an instant online quote, such as an auto insurance rate, using NPI of the person requesting the quote and display redacted NPI, such as a redacted DLN, back to that person along with the online quote.
 According to forensic investigations conducted by companies impacted by this fraud campaign, exploitation of data prefill systems might have begun as early as July 2020.
 DFS has found more online fraud tutorials since publishing the February 16th Alert on how to exploit Instant Quote Website vulnerabilities.
 “Credential stuffing” is the use of lists of stolen account credentials consisting of usernames/email addresses and corresponding passwords (usually stolen in past data breaches) that are used to gain access to user accounts through large-scale automated log-in requests. Credential stuffing works because people often reuse passwords. See https://attack.mitre.org/techniques/T1110/004/.
 Bots, short for robots, are automated scripts programmed to run specific tasks, usually simple ones, on the internet with minimal human intervention and supervision. See https://techterms.com/definition/bot.