The New York Department of Financial Services (NYDFS) has now released a pair of alerts on the increase in cyberattacks on public facing insurance websites that provide instant quoting services to customers. If you provide instant online quoting through your website, it is imperative that you review your system’s security and the methods you use to provide instant quotes. A few simple steps could mitigate or outright prevent many of the common consequences from these attacks.
As described by the NYDFS, the cyberattacks typically use a mix of credential stuffing and misuse of website debugging tools to steal individual identifiers that may be provided to individuals as part of the online quoting process. For example, the quoting tool may request an individual’s name along with another identifier and then would autofill other potentially sensitive identifiers. The attackers mass-query online quoting tools using known names and identifier combinations in order to obtain new valid combinations of identifiers.
Remediation can be simple. Disabling the autofill systems for many online quoting tools will temporarily solve the problem and mitigate the ongoing risk. For more permanent ongoing solutions that would still permit autofill features, the NYDFS recommends a number of options, including web application firewalls, CAPTCHA, and limiting access to online portals.