Tag Archives: identity theft

4 Ways to Boost Cybersecurity

Cybersecurity threats faced by insurance companies are growing and evolving at an alarming rate. This has been spurred by many factors, including the internet of things (IoT). While the IoT presents opportunities for insurers, it also exposes security gaps. The severity and frequency of cyber-attacks are likely to increase.

Insurers must commit to protecting sensitive customer information in a compliant and reliable way. The cybersecurity threat is huge. It is time for insurance companies to reboot their approaches to cybersecurity.

Common cybersecurity threats facing the insurance industry

Cyber-extortion

Cyber extortion is increasingly common. Some ransomware attacks are so effective that victims may feel forced to meet the attacker’s demands and pay a hefty ransom to get their systems running again.

Automated threats

Credential cracking and credential stuffing, vulnerability scanning, malicious bots and denial-of-service attacks all run at machine speed and scale. A denial-of-service attack can take a company’s systems offline within minutes, while credential stuffing quietly turns passwords leaked from other breaches into account takeovers.

Identity theft and loss of confidential data

Identity theft often follows a data breach enabled by system weaknesses: for instance, files stored on a firm’s local servers may not be adequately protected. Insurers collect and store sensitive personal client information. This information is particularly valuable for attackers to sell in black markets, where buyers use it for fraud, extortion, unauthorized borrowing and many other financial crimes.

Business disruption and reputation damage

Cyber-attacks can seriously disrupt business. For instance, a cyber-attack on Sony Pictures erased its computer infrastructure, including telephone directories, emails, voicemails and business records like contract templates. A malicious attack like this on an insurer could disrupt operations for months.

See also: Cybersecurity for the Insurance Industry

The foundation of any insurance business is policyholder trust. If an insurance company were to suffer a data breach exposing policyholder information or a cyber-attack that renders it unable to conduct normal operations, that trust would be shaken. This, in turn, can lead to reputation damage that may hurt the confidence of investors, consumers, policyholders and rating agencies.

Four tips for boosting security

1. Assess your defense capabilities realistically

Pressure-testing the company’s defenses can determine whether they can repel targeted, high-impact attacks, whether external or internal. The testing includes vulnerability assessment, testing programs, penetration tests and scenario-based testing. Consider hiring a cyber-security firm to test your defenses.

2. Invest in early detection

Insurers need to continually invest and innovate to thwart potential attackers. Early detection is crucial. Otherwise, a cyber-attack can sit undetected for weeks.

Efficient and quick detection and response will help determine the source of the attack, the systems targeted, extent and cause. Then, the threat can be neutralized before damage is done. Insurers need to invest in technology. There is a wide range of software solutions that provide near-real-time threat detection.

3. Making cybersecurity everyone’s job

While implementing sophisticated systems will reduce external threats, insurers tend to neglect internal threats such as human error, which could include revealing customer data in response to a convincing phishing email. Cybersecurity awareness among employees can significantly decrease the risk of cyber-attacks resulting from human error.

Alert employees can provide early detection. An Accenture survey found that up to 98% of security breaches that are not detected by a firm’s security team are discovered by employees.

4. Learn from the past and evolve

Effective cybersecurity requires insurers to learn from previous cyber incidents and use the learning to improve planning and technology investments. Solutions include:

  • Upgrading systems: Using last-generation or unpatched security software provides easy fodder for cyber attackers. Speak to your IT consultant about upgrading your systems.
  • Migrating systems to the cloud: Major cloud providers offer storage and hosting that already meet common compliance regimes and are patched and monitored at a scale most insurers cannot match in-house. Choose a provider on the strength of its security controls and certifications, and remember that the insurer remains responsible for configuring access, encryption and logging on whatever it puts there.
  • Implementing appropriate security software, protocols, and appliances: Properly configured, these help shield data and systems from the automated threats described above, but they must be kept patched and tuned to stay effective.
  • Establishing a disaster recovery plan: Despite all efforts, systems can be breached. Have a detailed up-to-date plan so that you can respond effectively to any problem, major or minor.

See also: Global Trend Map No. 12: Cybersecurity  

Cyber-crooks are relentless and determined. Security is a continuing battle. You can’t afford to let down your guard for a second. Staying one step ahead of hackers takes constant effort.

Employee Benefits: ID Theft Coverage

Employers looking to dial up the correct mix of benefits to retain valued employees are increasingly including identity theft protection services as a perk.

Research firm Willis Towers Watson predicts identity theft protection, offered by 35% of employers in 2015, could double to nearly 70% by 2018, making it the fastest-growing type of employee benefit over the next couple of years.

See also: Identity Theft Can Be Double Whammy  

ThirdCertainty recently sat down with Joel Ray, the CEO of New Benefits, a Dallas-based employee benefits solutions provider, to discuss the drivers — and the arc — of this trend. The following text has been edited for clarity and length:

3C: Identity theft has become part of the lexicon of the world we now live in.

Ray: With all the hacking of corporations, health plans and government, there is a myriad of ways people can get their identities stolen and misused, whether it’s medical fraud, tax return fraud, stealing a Social Security number or a credit card information scam.

To me, not protecting yourself with an identity theft protection service is commensurate with not locking your door and setting an alarm when leaving home or not buying life insurance to protect your family. It just makes all the sense in the world, when you have the ability and a product is available to address identity theft, to include this as an employee benefit.

3C: So how do employers view this?

Ray: Employers were the first ones decades ago to offer health insurance to their employees, and early adopters have added other types of benefits over the years. The idea, of course, is to attract and retain good people. … Research shows an employee’s financial health is every bit as important as physical and mental health. If anything goes wrong (financially), they are not going to be a productive worker. Meanwhile, identity theft happens every two seconds in the U.S. to quite a large number of Americans. So, identity theft protection is something that, in today’s digital world, makes perfect sense to provide employees, either on an employer-paid or payroll deduction basis.

3C: How much of a challenge is public awareness?

Ray: The hard part is the education. Yet the almost daily reports about breach events have gotten employers more interested. We’ve had many (benefits) brokers representing our products say that, for the first time, employers are asking for identity theft protection.

It really is the brokers in today’s world who act as consultants regarding the latest and greatest new products. And, typically, identity theft is toward the top of the list — if not at the top of the list.

See also: ID Theft: A Danger Even After Death  

3C: How does improved productivity factor in?

Ray: Identity theft protection is like any other benefit. Basically, anything you can do to provide financial security to your employee is a good thing. It’s a primary reason employers provide 401Ks. A lot of voluntary benefits, like cancer disability, critical illness and dental, charge a lot more for family coverage. This one charges a little bit more, but you get financial security and protection, not only for the employee but for the entire family, as well. It’s a very inexpensive benefit relative to the protection it offers, and I think it will become a staple of the industry in the very near future. The early adopters who provide this benefit to their clients now are going to have market advantage over those who wait.

3C: Sort of like supplying peace of mind as a benefit?

Ray: Yes. For example, employees buy life insurance for peace of mind so the family is protected in case of an untimely death. With identity theft protection, employees and their families are protected from something that happens every day from thieves who always seem to be one step ahead and out of reach from the law. If you’re an employer, wouldn’t you rather offer your employees a benefit that will meaningfully protect them from financial harm versus other benefits that, based on the historical record, may not add any real value?

More stories related to identity theft insurance:
As threats multiply, cyber insurance and tech security industries start to merge
Cyber insurance industry could face turf war, report warns

NAIC sets model standard for consumer rights, cybersecurity

This article originally appeared on ThirdCertainty.

IRS Is Stepping Up Anti-Fraud Measures

The Internal Revenue Service is taking as long as 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up anti-fraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low-income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.


And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed fairly basic security checks, such as email authentication (SPF, DKIM and DMARC records) and SSL/TLS configuration.


Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100% of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or were not using current versions of the TLS protocol; one provider had not adopted an extended validation (EV) SSL certificate, which the audit counted as a spoofing risk. (An EV certificate helps users tell the genuine site from a look-alike; it does not by itself stop a spoofed site from being set up.)

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46% failure rate as the free e-filing services audited by OTA.

Personal information trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out that it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that, this year, 80% of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400% increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as IRS.gov or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared with 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to act on a request, such as wiring funds or sending employee tax records.


Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs made up the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.
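One way to catch the attachment-free, URL-free impersonation described above is to look at the sender headers and the nature of the request rather than at payloads. The Python below is an added example, not Agari’s platform or code from the original article: it scores constructed sample messages on display-name impersonation of a known executive, a Reply-To pointing at a different domain, lookalike domains, and a pressured request for W-2s or funds. The corporate domain, the executive directory, the lure vocabulary and the messages themselves are all assumed for the example.

```python
"""Header-based triage for business email compromise (CEO fraud) messages,
which carry no malicious attachment or URL. Added example with constructed
sample messages; the corporate domain and executive directory are assumed."""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example-insurer.test"                        # assumed
EXECUTIVES = {"Jane Doe": "jane.doe@example-insurer.test"}  # assumed directory

# Constructed sample messages (headers and body text as a mail gateway log
# or mailbox export might provide them).
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example-insurer.test>", "reply_to": "",
     "subject": "Q1 board deck", "body": "Attached are the slides for Tuesday."},
    {"from": "Jane Doe <jane.doe.ceo@freemail.test>", "reply_to": "",
     "subject": "Urgent: W-2 forms",
     "body": "Please send me all employee W2s in PDF today. I'm in a meeting."},
    {"from": "Jane Doe <jane.doe@example-insurer.test>",
     "reply_to": "ceo-office@examp1e-insurer.test",
     "subject": "Wire request",
     "body": "Process this transfer quietly before close of business."},
    {"from": "Payroll <payroll@example-insurer.test>", "reply_to": "",
     "subject": "Reminder", "body": "W-2s will be mailed by January 31."},
]

# Lure vocabulary (assumed): what is asked for, and the pressure applied.
ASKS = re.compile(r"\b(w-?2s?|wire|transfer|gift cards?|payroll (data|file))\b", re.I)
PRESSURE = re.compile(
    r"\b(urgent|today|immediately|quietly|asap|before close|in a meeting)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, legit):
    """Near-miss of the legitimate domain (digit-for-letter swaps, extra
    prefix), but not the domain itself or one of its real subdomains."""
    if domain == legit or domain.endswith("." + legit):
        return False
    norm = lambda d: d.replace("1", "l").replace("0", "o").replace("rn", "m")
    return norm(legit) in norm(domain)


def score_message(msg):
    """Return the list of reasons a message looks like executive impersonation."""
    name, addr = parseaddr(msg["from"])
    _, reply = parseaddr(msg.get("reply_to", ""))
    reasons = []
    # Display name of a known executive on an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        reasons.append("display name is an executive but address is not theirs")
    # Replies silently routed away from the apparent sender.
    if reply and domain_of(reply) != domain_of(addr):
        reasons.append("Reply-To sends replies to a different domain")
    for d in {domain_of(addr), domain_of(reply)} - {""}:
        if is_lookalike(d, CORP_DOMAIN):
            reasons.append("lookalike domain " + d)
    # The ask plus the pressure is what distinguishes a lure from a reminder.
    text = msg["subject"] + " " + msg["body"]
    if ASKS.search(text) and PRESSURE.search(text):
        reasons.append("pressured request for payroll data or funds")
    return reasons


def triage(messages):
    """Subjects of the messages worth a human look, with their reasons."""
    out = []
    for m in messages:
        reasons = score_message(m)
        if reasons:
            out.append((m["subject"], reasons))
    return out


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(subject, "->", "; ".join(reasons))
```

The payroll reminder mentions W-2s but carries no pressure and comes from the right domain, so it is not flagged; the wire request is flagged even though its From: header is genuine, because the Reply-To and the lookalike domain give it away. Signals like these belong in a mail gateway rule or a SIEM correlation search, not in the hands of the recipient.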

Basic security helps

According to the OTA, 92% of the publicly reported breaches in 2015 could have been prevented. Take email authentication: publishing SPF, DKIM and DMARC records is a basic control that lets receiving mail systems detect and reject messages that forge a domain in the sender address. The OTA-audited e-filing services that had not deployed it left their domains easy to impersonate in exactly the phishing campaigns described above.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.
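The audit finding turns on what “email authentication” actually checks. The following Python is an added example, not OTA’s audit tooling or anything from the original article: it parses a domain’s SPF and DMARC records the way an audit would and reports whether a message forging that domain in the visible From: header would be rejected by a DMARC-enforcing receiver. The domains and TXT records are constructed sample data, and lookup_txt stands in for a real DNS query so the example runs offline.

```python
"""Assess a domain's published email authentication (SPF and DMARC) and
decide whether a message forging the domain in the visible From: header
would be rejected by a DMARC-enforcing receiver.
Added example; the domains and TXT records below are constructed, not real."""
import re

# Constructed sample zone: what TXT lookups would return for each name.
SAMPLE_TXT = {
    "efile-example.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.efile-example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@efile-example.test"],
    "weak-efile.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak-efile.test": ["v=DMARC1; p=none; rua=mailto:reports@weak-efile.test"],
    "partial-efile.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # deliberately no _dmarc.partial-efile.test record
    "no-auth.test": [],
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (offline: reads the constructed zone)."""
    return zone.get(name, [])


def parse_spf(records):
    """Find the v=spf1 record and the qualifier on its 'all' mechanism
    (+ pass, - fail, ~ softfail, ? neutral; None if there is no 'all')."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
                if m:
                    return {"present": True, "all": m.group(1) or "+"}
            return {"present": True, "all": None}
    return {"present": False, "all": None}


def parse_dmarc(records):
    """Parse the 'tag=value;' pairs of a v=DMARC1 record into a dict, or None."""
    for rec in records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def assess_domain(domain, zone=SAMPLE_TXT):
    """Return audit findings plus whether an exact-domain From: spoof is rejected."""
    spf = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, zone))
    findings = []
    if not spf["present"]:
        findings.append("no SPF record: any host may send as this domain")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (no -all or ~all)")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): unknown senders are only marked")
    if dmarc is None:
        # SPF alone is evaluated against the envelope sender (MAIL FROM),
        # which the phisher chooses; only DMARC ties the SPF/DKIM result to
        # the From: header the recipient actually sees.
        findings.append("no DMARC record: SPF/DKIM results never reach a policy")
        policy = "none"
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitor only, spoofed mail is delivered")
        elif dmarc.get("pct", "100") != "100":
            findings.append("DMARC pct<100: policy applies to a sample only")
    rejected = policy == "reject" and dmarc.get("pct", "100") == "100"
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "policy": policy,
            "spoof_rejected": rejected, "findings": findings}


if __name__ == "__main__":
    for d in ("efile-example.test", "weak-efile.test",
              "partial-efile.test", "no-auth.test"):
        r = assess_domain(d)
        print(d, "rejects From: spoof:", r["spoof_rejected"], r["findings"])
```

The partial-efile.test case is the one worth noting: a strict SPF -all with no DMARC record still leaves the visible From: address spoofable, because SPF is checked against the envelope sender, which the attacker controls. Against real domains, replace lookup_txt with an actual TXT query and treat p=quarantine with pct below 100 as only partial protection.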

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast, and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”

This article was written by Third Certainty’s Rodika Tollefsen.

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation’s second-largest health care insurer, disclosed losing records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting it lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics 

Brian Huntley, IDT911 Chief Information Security Officer

Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there are minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data transfers and children’s privacy

Eduard Goodman, IDT911 Chief Privacy Officer

Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations

Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.

Why Credit Monitoring Doesn’t Work

Chances are you have received a letter stating that your personal data may have been compromised. Perhaps you were one of the 80 million people with an Anthem health insurance plan. Maybe you were one of the 21 million current or former employees of the federal government, or you could have been one of the 40 million who shopped at Target. There are countless examples where organizations failed to protect sensitive data and then were required to notify the affected individuals.

These notifications typically reveal how the breach happened, what steps are being taken to prevent another incident and what a company is doing to protect you from identity theft. Most organizations offer some form of credit monitoring and ID theft remediation services. Some states are beginning to mandate at least one year of credit monitoring under certain circumstances.

The Limits of Credit Monitoring

Offering credit monitoring seems to be a necessary post-breach strategy, and the very least a company would do. However, a deeper dive into what it does – and what it does not do – is long overdue.

Credit monitoring immediately notifies an individual that an attempt was made to obtain some form of credit in her name. Credit restoration services are usually offered when identity theft occurs. This is a valuable service that restores a victim’s good credit, saves time and alleviates stress.

Credit monitoring does not prevent identity theft. The only way to prevent an identity thief from accessing a victim’s credit is to either place a 90-day fraud alert on a credit file or freeze credit lines.

  • Fraud alerts require potential creditors to contact individuals before opening lines of credit. To activate a fraud alert, individuals are required to notify one of the three bureaus (Equifax, Experian or TransUnion) and to repeat the process every 90 days to maintain the fraud alert status.
  • Freezing credit requires contacting each of the three credit bureaus and having each place a freeze on the individual’s credit file. Each bureau provides a PIN that is needed to lift the freeze later. There may be a nominal fee based on state of residence, which typically ranges from $5 to $15. Some states may require an additional fee to lift the freeze. A credit freeze may cost less than credit monitoring and identity theft restoration services. In fact, it has been widely reported that the Office of Personnel Management spent $133 million for three years’ credit monitoring for the 21 million individuals affected by its 2015 data breach.

Legal Ramifications of Offering Credit Monitoring

Offering credit monitoring can cost an organization even more than the dollars spent. In Remijas v. Neiman Marcus, the plaintiffs alleged that 350,000 payment cards were exposed when hackers gained access to Neiman Marcus networks. Even though only a small fraction of the cards saw fraudulent activity, the Seventh Circuit Court of Appeals granted the plaintiffs legal standing, allowing the class action to proceed, because card holders had a legitimate fear of future identity theft. Because Neiman Marcus offered credit monitoring to the card holders after the breach, the court concluded that it was conceding that future identity theft was entirely possible.

The state regulatory environment, coupled with recent appellate court decisions, leaves organizations in a difficult position. States are beginning to require credit monitoring following a data breach. Organizations that do not offer credit monitoring face scrutiny by attorneys general, potential fines for non-compliance and a public relations fiasco. Yet those that offer credit monitoring will incur significant costs and, as evidenced in Remijas v. Neiman Marcus, may actually hurt their defense in a class action lawsuit.

A Better Way to Protect Your Identity

A more rational approach is needed to identity protection. Organizations and state regulators reacting to data breaches involving sensitive data elements need to address ways to prevent identity theft. As of this writing, organizations cannot legally freeze a consumer’s credit for him, and have little means to prevent identity theft on his behalf. However, with the full support of state officials, a more efficient process to freeze credit can better protect identities and mitigate costs.