In the summer of 2012, Mat Honan, a respected writer for WIRED Magazine, had his digital world destroyed in 2 hours. The hackers never hacked; they “gamed” the system. Did I mention they were teenagers? Mr. Honan later made contact with one of the hackers, who explained how they did it.
Amazon tech support, given only basic information, added a new email address to the account, yes, the hacker’s, amazing. This was even after the hacker could not answer the security questions and answers Mr. Honan had created. With an email address now attached to Mr. Honan’s Amazon account, the hacker clicked the classic “Forgot Password” link, received the password reset email within seconds and hijacked the Amazon account. The hacker now had access to Mr. Honan’s account record and simply took the last four digits of his credit card.
Apple tech support was the next call. Armed now with Mr. Honan’s billing address and the last four digits of his credit card, the hacker knew he could get into the Apple account. When the Apple tech asked the security questions and got no correct answers, he fell back to wallet security: your billing address and the last four digits of your credit card. The Apple tech then reset the password over the phone, and the hacker was in Mr. Honan’s Apple account. Because Mr. Honan had connected his Apple account to his Google account, more email passwords were obtained and Gmail was hijacked too.
Mr. Honan’s Amazon, Apple and Google accounts were now under the control of teenage hackers in less than an hour, armed with only a phone and an email client. Fortunately for Mr. Honan, this is where it stopped. The teenage hackers only deleted everything on those accounts, and Mr. Honan’s family memories were lost. More ambitious hackers with that much information could have done a lot more damage, possibly even a complete identity hijacking.
I opened with this story about Mr. Honan because the hack was not Star Wars. This was not a brute-forced password attack, man-in-the-middle email eavesdropping, a more sophisticated SQL injection, a malware Trojan or a keylogger virus. It was more old school, like the days I used to dumpster dive to find disgruntled workers, befriend them, and on and on. This was a classic social engineering hack; by the way, the teenage hackers started their pursuit with Facebook.
So enters the Red Flags Rule, issued in 2007 under Section 114 of the Fair and Accurate Credit Transactions Act of 2003 and overseen by the Federal Trade Commission (FTC). The Red Flags Rule requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. The bottom line is that such a program can help businesses spot suspicious patterns and prevent the costly consequences of identity theft. The FTC enforces the Red Flags Rule together with several other agencies. More about the rule can be found on the FTC’s Bureau of Consumer Protection website.
The insurance industry is one massive process of non-public information (NPI). Every organization within the supply chain should have a Red Flags program to safeguard client personal information.
In Mr. Honan’s case, the overriding goal of servicing the customer was the downfall of protecting his information. When the questions and answers Mr. Honan provided when signing up failed authentication, the only alternative should have been a two factor escalation.
One factor authentication is defined as something you know, like a password or the answers to questions you created. Two factor authentication is defined as something you know plus something you have. Something you have can be many things: a cell phone, a computer, a fingerprint, a land line and so on. The most used device today is the cell phone, via texting. At any point during a two factor escalation, the gatekeeper can send an alphanumeric code to the person, who responds with it by phone or device. Newer authentication methods include whitelisting the phone numbers a customer may dial from, computer location, GPS and my favorite, voice recognition. Voice rec is where you record a short statement during the account on-boarding phase. The authentication comes into play when you say the statement again; if the two match, you’re the real thing.
When I think of the insurance process, it’s just one large consumer of NPI, a one way process: information comes in and never goes out. There is no need to share NPI over the phone with anyone, even on the most sincere request. Now that’s a simple rule to live by.
Back to the Red Flags policy you need to develop. The first step is to identify the relevant red flags you might come across, the signals that people trying to get products or services from you aren’t who they claim to be: they fail the “Do I Know You” test, or what I call the relationship test. Emails that arrive from addresses, or carbon copy addresses, that you don’t know or associate with the customer are red flags.
The second step is to explain how your business or organization will detect the red flags you’ve identified. Phone inquiries that fail the relationship test should require a single or two factor authentication policy that your people will use to identify callers.
During the on-boarding process, capture a phone password, provide the customer with a business card with a number or word written on the back, or create a question and answer with the customer, something only they would know or have, not something from their wallet.
If they fail single factor, then go to two factor: text their cell phone, send them an email, or “flash” over and call a whitelisted number. In any case, send an email notice to the customer calling their attention to the fact that someone authenticated today for a service request.
Emails should be secure and compliant. Provide your customer with a secure transaction email account for sending and receiving emails that provides authentication and encryption. Audit trails then provide a record of the information exchange, meeting the requirement of knowing “who had access to NPI”.
The third step is to decide how you’ll respond to any red flags that materialize. All red flagged communications should trigger an email notice to the customer about the event. This informs the customer that inquiries are being made and keeps them involved in the security of their own NPI.
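As an added illustration, not part of the original article, here is the escalation policy from the three steps above modelled in Python: a knowledge check first, a one-time code to a whitelisted phone when it fails, wallet data never accepted as a factor, and a customer notice for every attempt. The customer record, the codes and the simulated text channel are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Wallet data is what the Apple call in the story fell back to; it is never a factor here.
WALLET_FIELDS = {"billing_address", "card_last4"}

@dataclass
class Customer:
    name: str
    phone_password: str               # something you know, captured at on-boarding
    whitelisted_phone: str            # something you have: the only number codes go to
    notices: list = field(default_factory=list)   # events the customer is told about
    pending_code: str = ""            # one-time code awaiting a reply, "" if none

def single_factor(cust, claimed):
    """Knowledge check with a constant-time comparison."""
    return hmac.compare_digest(cust.phone_password, claimed)

def escalate_to_two_factor(cust):
    """Send a six-digit one-time code to the whitelisted phone (simulated)."""
    cust.pending_code = f"{secrets.randbelow(10**6):06d}"
    cust.notices.append(f"one-time code sent to {cust.whitelisted_phone}")
    return cust.pending_code

def verify_two_factor(cust, entered):
    """A code is valid once; clear it whether or not the reply matched."""
    ok = cust.pending_code != "" and hmac.compare_digest(cust.pending_code, entered)
    cust.pending_code = ""
    return ok

def authenticate_caller(cust, offered, sms_channel):
    """offered: what the caller presents, e.g. {"phone_password": "..."}.
    sms_channel(code): delivers the code to the phone and returns what the caller reads back.
    Returns True only when a real factor succeeded; every path leaves a customer notice."""
    if offered.keys() & WALLET_FIELDS:
        cust.notices.append("red flag: caller offered wallet data as proof of identity")
    if single_factor(cust, offered.get("phone_password", "")):
        cust.notices.append("service request authenticated (single factor)")
        return True
    code = escalate_to_two_factor(cust)
    if verify_two_factor(cust, sms_channel(code)):
        cust.notices.append("service request authenticated (two factor)")
        return True
    cust.notices.append("red flag: authentication failed, no change made to the account")
    return False
```

A caller holding only a billing address and the last four card digits never reaches the reset path, and the real customer still sees a notice that someone tried.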
Recognizing red flags, knowing how to handle them and informing those concerned is the objective. Excellent customer service and protecting customer information are everyone’s goals, and setting the line between the two can be very simple. Educate your staff and customers on office behavior so that when the occasion arrives, all concerned know what to expect and how to behave. Involving the customer can be as simple as a one page document, “When Contacting Our Office”, explaining what is expected. The customer will be happy to conform and will be pleased that your organization is doing everything it can to protect their NPI.
Develop a Red Flags plan and use it. You don’t want to be the next Mr. Honan or, worse, lose your identity.