Cyber Fraud Alert Issued for Websites Collecting NPI

In February, The New York State Department of Financial Services (DFS) released guidance on a cyber fraud campaign targeting websites that collect non-public information (NPI).  Essentially, fraudsters are exploiting misconfigurations in websites and web applications that collect, process, and transmit NPI – think financial websites that offer instant quotes – such as insurance or lending services.

There have been several confirmed cases of this type of hack starting back in late 2020 and continuing through present day.    While this guidance is directed at businesses regulated by DFS, it would be prudent for all businesses that collect NPI in a similar fashion to be aware of this potential threat.  It is recommended that any company that utilize this type of auto-quote technology review their website’s configuration and look for indicators or compromise (IOC).  The DFS recommends that potentially impacted organizations begin with an effort to:

“Conduct a thorough review of public-facing website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) and Hypertext Markup Language (HTML) configurations.”

For a full list of the DFS recommendations, you can visit their blog post on this topic by clicking here. Revised guidance, including additional attack methodologies and prevention and remediation methods, were released by DFS on March 30th which can be found by clicking here.

Key Takeaways

Key takeaways from this cyber fraud alert include the exploitation of web debugging tools and the recommendation to implement a web-application firewall (WAF). For more information regarding web-application testing, please visit our Web & Mobile Application Testing Services by clicking below.

Related articles