Target Breach a Threat to All
Computer security breaches that enable the theft of confidential financial information are no laughing matter. Just ask the 110 million or so people who have been affected by the infamous hack into Target’s customer-facing systems. So why should we in the insurance industry be sitting up and taking notice?
Published reports indicate that this break-in used memory-scraping malware: code that reads card data out of the point-of-sale system's memory, where it sits in cleartext after the card is swiped and before the retailer's systems encrypt it.
We in the seemingly safe insurance sector may feel bad for our friends in retail, but before we get to feeling too comfy, it would be wise to consider that retail isn’t the only industry using point-of-sale (POS) devices. In fact, such input devices are used in lots of industries — retail, hospitality and health care among them.
It is that final class of users that should give us pause in the insurance sector. In case you weren’t paying attention, the Affordable Care Act requires electronic record-keeping. This naturally involves uncountable points of sale in doctors’ offices, clinics, and hospitals, not to mention places like Wal-Mart that are beginning to offer insured health care services.
In the Target heist, an executive reported that someone had installed the malware on the company's POS systems. How that was done is a mystery at this writing, but one has to assume that these systems had a path to the Internet, because that is what let the thieves retrieve the stolen data remotely. The same path makes it likely that the malware was introduced remotely as well, into Target's systems and those of Neiman Marcus and the other affected retailers.
These kinds of attacks are not exactly on the cutting edge of technology, however. According to InformationWeek, “Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet.” So, it won’t just be the most advanced thieves who pull off these kinds of crimes. The less-sophisticated, whether here or abroad, will likely be able to do the same.
Personal financial information is an extremely valuable commodity on the black market, and if you’re a criminal, it seems surprisingly easy to steal. Hackers can sell the credit card numbers for $35 to $100 each, while gold or platinum credit cards go for $60 each, business credit cards for $80 and some platinum cards for $100, said Cisco security researcher Levi Gundert in a blog posting. Interestingly, the information stolen in the Target incident includes names, addresses, credit card numbers, PINs and other data that enable thieves to assume an individual’s identity — which could lead to far bigger losses for those who are victimized.
Here’s the bottom line. Many of the individuals affected by the Target, et al., breach are promising never to do business with the involved retailers again. But what if the breached party was a major broker or insurer? Can insurance companies and brokers — already involved in a dog-eat-dog competition for insureds — afford to have that kind of backlash aimed at them?
The answers remain to be seen, but it is clear that with cyber crime escalating and becoming easier to perpetrate, our industry cannot stand back and hope the boogeyman goes away.
Banks have spent years developing protections to minimize hacking and other fraudulent activities — but how do they protect against losses from thieves pretending to be legitimate customers who use social engineering, or exploit new technologies such as mobile remote deposit capture?
Take this example: In June, Boma Robert Spero-Jack, 34, was charged with stealing thousands of dollars from Bank of America and Kroger grocery stores by using mobile banking.
Spero-Jack is accused of purchasing at least 32 Western Union money orders at multiple Kroger stores, in amounts ranging from $195 to $500. He deposited the money orders into his Bank of America checking or savings accounts via a mobile application.
Then he returned to the Kroger store and cashed the paper money orders, and also withdrew the deposited amounts from his account at a local Bank of America branch, police said. In total, Spero-Jack stole $12,620, according to police.
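The scheme works because the bank credits the image before anyone can tell whether the paper behind it has been, or will be, cashed somewhere else. As an added example, not code from the article or from any bank or issuer named in it, the monitor below models the two signals that expose it: the same money-order serial presented through two channels, and one account pushing many money-order images through the mobile channel in a short window. It assumes each presentment record carries the issuer and serial, and that whoever runs the monitor sees every channel; the issuer does, while a bank on its own sees only its mobile and teller deposits, which is why the velocity rule is the one a bank can enforce by itself. The event stream, account names, dates, serials and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Presentment:
    """One presentment of a paper instrument through some channel (constructed model)."""
    when: datetime
    channel: str      # "mobile_image", "teller" or "retail_cash"
    account: str      # depositing account; empty for a retail cash-out
    issuer: str       # money-order issuer
    serial: str       # serial number printed on the money order
    cents: int        # face amount in cents


class PresentmentMonitor:
    """Flags a serial presented more than once, and an account depositing many
    money-order images via mobile inside a rolling window."""

    def __init__(self, velocity_limit: int = 5, window: timedelta = timedelta(days=7)):
        self.first_seen: dict[tuple[str, str], Presentment] = {}
        self.mobile_by_account: dict[str, list[Presentment]] = defaultdict(list)
        self.velocity_limit = velocity_limit
        self.window = window

    def record(self, p: Presentment) -> list[str]:
        alerts = []

        # Duplicate presentment: the same issuer+serial was already presented somewhere.
        key = (p.issuer, p.serial)
        first = self.first_seen.get(key)
        if first is not None:
            alerts.append(
                f"DUPLICATE {p.issuer} {p.serial}: first presented via {first.channel} "
                f"on {first.when:%Y-%m-%d}, presented again via {p.channel}"
            )
        else:
            self.first_seen[key] = p

        # Velocity: count this account's mobile money-order images inside the window.
        # Keeps firing while the count stays at or above the limit.
        if p.channel == "mobile_image" and p.account:
            history = self.mobile_by_account[p.account]
            history.append(p)
            recent = [q for q in history if p.when - q.when <= self.window]
            if len(recent) >= self.velocity_limit:
                total = sum(q.cents for q in recent) / 100
                alerts.append(
                    f"VELOCITY {p.account}: {len(recent)} money-order images deposited "
                    f"within {self.window.days} days (total {total:.2f})"
                )
        return alerts


# Constructed event stream modelled on the scheme described above: one account deposits
# money-order images over four days, then one of those paper money orders is cashed at
# a retail counter. A second, unrelated teller deposit is included as a clean control.
SAMPLE_EVENTS = [
    Presentment(datetime(2014, 6, 2, 10, 0), "mobile_image", "CHK-4471", "WU", "MO-1001", 19500),
    Presentment(datetime(2014, 6, 2, 10, 5), "mobile_image", "CHK-4471", "WU", "MO-1002", 50000),
    Presentment(datetime(2014, 6, 3, 9, 30), "mobile_image", "CHK-4471", "WU", "MO-1003", 30000),
    Presentment(datetime(2014, 6, 4, 14, 0), "mobile_image", "CHK-4471", "WU", "MO-1004", 45000),
    Presentment(datetime(2014, 6, 5, 11, 0), "mobile_image", "CHK-4471", "WU", "MO-1005", 19500),
    Presentment(datetime(2014, 6, 5, 16, 0), "retail_cash", "", "WU", "MO-1003", 30000),
    Presentment(datetime(2014, 6, 6, 12, 0), "teller", "CHK-9900", "WU", "MO-2200", 25000),
]


def run_sample(events=SAMPLE_EVENTS) -> list[str]:
    """Feed the constructed stream through a fresh monitor and return every alert raised."""
    monitor = PresentmentMonitor()
    alerts = []
    for event in events:
        alerts.extend(monitor.record(event))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed stream the velocity rule fires at the fifth mobile image and the duplicate rule fires when the paper behind MO-1003 is cashed; the unrelated teller deposit raises nothing. A bank acting on the velocity alert would extend the funds-availability hold on those deposits until the instruments actually clear, which is the control that would have stopped the withdrawals described above.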
Social engineering schemes, on the other hand, are less technical and often involve tricking individuals into breaking normal security procedures.
John Morrissey, senior vice president and an attorney with Aon’s financial services group in New York City, said that in the last two years, a number of U.S. corporations with subsidiaries in Europe have been defrauded through the use of social engineering.
Organized crime rings go on corporate websites and social sites to glean information about the inner workings of corporations, and use voice manipulation software to imitate executives’ voices.
“For example, they get enough information to make a call to a treasury person at a subsidiary in central Europe and pretend that they are the CFO of the U.S.-based parent,” Morrissey said. “They tell the treasury person that they are in secret negotiations to buy a company in China and need for the subsidiary to wire X amount to a bank in Hong Kong that is doing business with their company’s lawyers there.
“These organized fraud rings have gotten away with as much as $20 million at a time,” he said.
Commercial crime insurers are looking closely at these losses because they weren’t on the radar when the policy language was first drafted, he said.
Cyber insurance is still a relatively new type of coverage, and policies vary dramatically, said Kevin Kalinich, Aon Risk Solutions’ global cyber practice leader. In a typical professional liability policy, the coverage trigger is alleged error, omission or negligent act of the financial institution. However, under a cyber policy, a trigger is whether the financial institution is legally responsible for a privacy breach or security breach event — regardless of negligence.
Questions of Liability
Theft by way of social engineering is increasing in frequency.
“The bad guys may call customers saying, ‘This is John at your bank. We’re upgrading your account to a higher loyalty program,’ or they email customers, using the logo and URL of the bank, telling … them they ‘can get a lower interest rate if they plug in their account number, PIN number and password,’ ” Kalinich said.
“Once the fraudster gets it, they immediately transfer as much money as possible to their own account in another country,” he said.
In such a scenario, bank customers can sue, claiming the bank should not have allowed the unauthorized transfers, he said. A customized cyber insurance policy can respond to such data breach claims to pay the defense costs and indemnity, whereas an off-the-shelf professional liability policy might not.
Dena Magyar, vice president at Wells Fargo Insurance’s professional risk group in Charlotte, N.C., said there are numerous social engineering scenarios. A thief could:
• Pretend to be in the bank’s information technology department when emailing employees to ask for their user names and passwords, so they can “upgrade the speed of the bank’s computer system”;
• Impersonate a vendor sent to fix a copier at the bank branch, then remove the copier and copy its hard drive, which is full of records listing customer information; or
• Drop a thumb drive in a bank parking lot, labeled something like “executive compensation,” so that the finder plugs it into a bank computer and installs malware that captures transaction information or provides access to the bank’s systems.
Social engineering schemes and other types of fraud are emerging so fast that banks have to make sure their policies keep up, she said.
“Right now, we are at a very interesting point in insurance,” Magyar said. “There are different types of policies that need to be reviewed to make sure banks are adequately covered and that there are not gaps between their bankers’ professional liability, crime and network security privacy policies.
“As bad actors become more devious, banks need to make sure their policies are working together, so they are covered regardless of what happens,” she said.
When considering a bank’s protection against computer crimes, George Allport, vice president and financial fidelity product manager for the Chubb Group of Insurance Cos., said his company has historically questioned whether the bank had firewalls and intrusion detection software, and if it immediately patched known vulnerabilities.
“While we still ask for that type of information, there is also a growing emphasis on addressing and underwriting this risk as a management issue,” Allport said. “We are taking a broader focus when looking at the risk.”
Chubb’s underwriters will soon be asking banks to detail the percentage of their IT budget that has been devoted to security in the current year, and whether those percentages will change in the coming year, he said.
Chubb’s underwriters will also be asking about the knowledge and oversight of security matters at the board level; the number of employees devoted to the implementation and maintenance of security mechanisms; and the top security challenges that the bank may face in the coming year.
“We want to know how the bank verifies that employees have been trained and have learned something from that training,” Allport said. “For instance, are the companies that are contracted to conduct the training doing it online? If so, then a month after training, they need to send employees a bogus email to see if they fall for it.”
The Human Element
Oliver Brew, vice president of professional liability for Liberty International Underwriters in New York City, said the carrier had a payment services client that, through social engineering, suffered fraud on its prepaid debit cards.
The thief, pretending to be a retailer, called the payment company — the retailer’s store card provider — and baited the customer service representative into giving the security credential to reload the card. Very quickly the payment company was out over $200,000.
“It’s the human element that is the most vulnerable. Social engineering is taking on new flavors almost every day,” Brew said.
There’s phishing, the practice of acquiring user data by sending out bogus emails, and then there’s spear phishing, where thieves use credentials, including email addresses, to specifically target people based on behavioral patterns, he said.
“For example, [assume a Bank of America] customer frequently went to Macy’s to buy jeans,” Brew said. “Then a fraudster sends them emails as if they are from BofA regarding their recent Macy’s transaction. A lot of marketing partners at banks that have bank customer information can be the targets of hacking.”
Banks need to have their marketing partners that have access to their customer data demonstrate that their systems are at least as secure as the bank’s systems, he said.
As part of its process, LIU’s underwriters verify whether banks perform background checks to ensure that bank employees are not vulnerable to extortion, blackmail or coercion, Brew said. Red flags would be a bad credit history or a criminal history, particularly in financial crime.
David Hallstrom, vice president and practice leader, Information Risk at CNA in Chicago, said banks have to be vigilant about their controls. Financial institutions need to go beyond intrusion technology and train their staff how to spot social engineering attempts, regardless of where they originate, he said.
“They always need to be mindful that there can also be internal attempts from someone in the inside of the bank,” Hallstrom said.
While cyber protection products typically cover security breaches and the costs to notify bank customers, such policies don’t necessarily cover fraudulent credit card purchases, such as when someone gets access to credit card data and uses the information to buy goods or services, or to steal money, said John Kerns, executive managing director, Financial Services at Beecher Carlson in New York City.
Lloyd’s of London has been able to cover this type of fraud, but it’s very expensive, he said.
“Banks need to work with their brokers to do a gap analysis to understand their risks,” Kerns said. “There was a point in time when all the mortgage refinancing was going on, there was a lot of mortgage fraud and a fair amount of losses at banks.
“Now,” he said, “the digital world has created the ability for fraudsters to multiply deposits, so banks don’t know what’s real and what’s not.”