The New York Department of Financial Services (NYDFS) has issued an alert to instant-quote websites, particularly car insurers, warning of a growing campaign to steal nonpublic information (NPI). The agency says it learned of the threat after receiving reports from auto insurers that cybercriminals were targeting their premium quote sites to steal driver’s license numbers.
According to the guidance, “the insurers first noticed this activity because of an unusually high number of abandoned quotes or quotes not pursued after the display of the estimated insurance premium. On the Auto Quote Websites, the criminals entered valid name, any date of birth and any address information into the required fields. The Auto Quote Websites then displayed an estimated insurance premium quote along with partial or redacted consumer NPI including a driver’s license number. The attackers captured the full, unredacted driver’s license numbers without going any further in the process and abandoned the quote.”
The NYDFS says its cyber intelligence unit has discovered communications on cybercrime forums offering to sell techniques to access driver’s license numbers from auto insurance websites and step-by-step instructions on how to steal them.
The growing threat is partly attributed to heightened fraud during the COVID-19 pandemic.
“The unauthorized collection of NPI appears to be part of a growing fraud campaign targeting pandemic and unemployment benefits,” the guidance reads.
Targeted entities are instructed to immediately review data analytics and website traffic metrics for spikes in quote requests, and server logs for evidence of unauthorized access to NPI, to determine whether their sites have been hacked.
NYDFS recommends that instant-quote websites take the following steps when displaying or transmitting NPI:
- Conduct a thorough review of security controls, including SSL, TLS, HSTS and HTML configurations
- Limit users' ability to manipulate website content using web developer tools
- Confirm that data redaction and obfuscation solutions for NPI are properly implemented
- Ensure that privacy protections are up-to-date and working by reviewing who is authorized to view NPI
- Search and scrub public code repositories for proprietary code
- Block the IP addresses of suspected unauthorized users
- Consider implementing quote limits per user session
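As an added example (not from the NYDFS guidance or this article), the following Python script runs over constructed web-server log lines to surface the pattern the alert describes: many quotes shown to one source and abandoned right after the premium page is displayed, combined with a per-source quote threshold of the kind the last recommendation suggests. The log format, URL paths, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed format): one user completes the
# flow, another client pulls several quotes and abandons each at the premium page.
SAMPLE_LOG = """\
203.0.113.7 - [2021-02-16T10:01:02Z] "POST /quote/start HTTP/1.1" 200 sess=a1
203.0.113.7 - [2021-02-16T10:01:09Z] "GET /quote/premium HTTP/1.1" 200 sess=a1
203.0.113.7 - [2021-02-16T10:02:30Z] "POST /quote/purchase HTTP/1.1" 200 sess=a1
198.51.100.9 - [2021-02-16T10:03:00Z] "POST /quote/start HTTP/1.1" 200 sess=b1
198.51.100.9 - [2021-02-16T10:03:02Z] "GET /quote/premium HTTP/1.1" 200 sess=b1
198.51.100.9 - [2021-02-16T10:03:05Z] "POST /quote/start HTTP/1.1" 200 sess=b2
198.51.100.9 - [2021-02-16T10:03:07Z] "GET /quote/premium HTTP/1.1" 200 sess=b2
198.51.100.9 - [2021-02-16T10:03:10Z] "POST /quote/start HTTP/1.1" 200 sess=b3
198.51.100.9 - [2021-02-16T10:03:12Z] "GET /quote/premium HTTP/1.1" 200 sess=b3
"""

LINE_RE = re.compile(r'^(\S+) - \[(\S+)\] "(\w+) (\S+) [^"]*" (\d{3}) sess=(\S+)$')

def parse(log_text):
    """Yield (ip, method, path, status, session) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, method, path, status, sess = m.groups()
            yield ip, method, path, int(status), sess

def quote_abandonment(log_text):
    """Per source IP: (sessions shown a premium quote, sessions that completed)."""
    shown = defaultdict(set)
    completed = defaultdict(set)
    for ip, method, path, status, sess in parse(log_text):
        if status != 200:
            continue
        if path == "/quote/premium":     # premium + partial NPI rendered here
            shown[ip].add(sess)
        elif path == "/quote/purchase":  # quote actually pursued
            completed[ip].add(sess)
    return {ip: (len(shown[ip]), len(shown[ip] & completed[ip])) for ip in shown}

def flag_suspicious(log_text, max_quotes=2, max_abandon_ratio=0.5):
    """IPs exceeding the per-source quote threshold that abandon most quotes."""
    flagged = []
    for ip, (shown, done) in quote_abandonment(log_text).items():
        abandoned = shown - done
        if shown > max_quotes and abandoned / shown > max_abandon_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

In production the same counts would be keyed per session or per authenticated user as well as per IP, since a single source address is easily rotated.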
The NYDFS also provides recommendations to secure data, noting that regulated entities should review whether it is necessary to display any NPI, including redacted NPI.