To: All Auto Insurers Licensed by the Department of Financial Services (“DFS”)

From: DFS

Re: Cyber Fraud Alert Follow-Up: New York Insurance Identification (ID) Card Barcode Vulnerability

Date: April 19, 2021

DFS issues this urgent alert related to the ongoing cybercrime campaign to steal New York State residents' drivers' license numbers (DLNs) from automobile insurers. Our investigation reveals that cybercriminals are downloading New York State insurance ID cards they have obtained after purchasing auto insurance using fraudulent e-checks or other electronic funds transfer (EFT) payments. These insurance ID cards contain barcodes that are easily readable using free, publicly available barcode scanners.

To obtain insurance ID cards for New Yorkers, cybercriminals are entering consumers' names and some accurate matching data (stolen from previous data breaches) into auto insurers’ websites. The DLNs entered are typically incorrect. However, when cybercriminals input incorrect DLNs along with some accurate consumer data, the auto insurers’ third-party data vendors provide the correct DLNs which are encoded into the insurance cards' barcodes.

Cybercriminals can then steal the correct DLNs from the insurance ID cards' barcodes.

To stop this theft, insurers should require consumers to provide all the data necessary for a valid auto insurance policy -- including their correct, full DLNs. Auto insurers should be voiding or blocking any transaction where the DLN that was input by a consumer does not match the DLN provided by the auto insurers’ third-party data vendor. This will prevent the transmission of an insurance ID card with the correct DLN to cybercriminals. Auto insurers should also continuously monitor and assess transactions involving e-checks and EFTs to determine whether the transactions are coming from financial service institutions that were not commonly used in the past and consider blocking transactions from these institutions.

Regulated entities should remediate any security flaws immediately and are reminded to report Cybersecurity Events pursuant to NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest. DFS also asks that any attempt to steal Nonpublic Information, including from barcodes, from any public-facing website be promptly reported to DFS. Reports of unsuccessful attacks have been useful in identifying techniques used by the attackers and enable DFS to respond quickly to new threats to continue to protect consumers and the financial services industry.

For DFS’s past alerts on this cybercrime campaign, see:

Any questions or comments regarding this alert should be directed to [email protected].