In the summer of 2012, Mat Honan, a respected writer for WIRED magazine, had his digital world destroyed in two hours, and the hackers never really hacked anything: they “gamed” the system. Did I mention they were teenagers? Mr. Honan later made contact with one of the hackers, who explained how they did it.
Given only basic account information, Amazon tech support added a new email address to the account—yes, the hacker’s—amazing. This was even after the hacker could not answer the security questions Mr. Honan had created. With an email address now attached to Mr. Honan’s Amazon account, the hacker clicked the classic “Forgot Password” link, received the password-reset email within seconds and hijacked the Amazon account. The hacker then had access to Mr. Honan’s account record and simply read off the last four digits of his credit card.
Apple tech support was the next call. Armed now with Mr. Honan’s billing address and the last four digits of his credit card, the hacker knew he could get into the Apple account. When the security questions produced no correct answers, the Apple tech fell back to “wallet” security: the billing address and the last four digits of the credit card. The Apple tech then reset the password over the phone, and the hacker was in Mr. Honan’s Apple account. Because Mr. Honan had linked his Apple account to his Google account, more email passwords were obtained and Gmail was hijacked as well.
Mr. Honan’s Amazon, Apple and Google accounts were now under the control of teenage hackers in less than an hour, armed with only a phone and an email client. Fortunately for Mr. Honan, this is where it stopped. The teenage hackers only deleted everything on those accounts, and Mr. Honan’s family memories were lost. More ambitious hackers with that much information could have done a lot more damage, possibly even a complete identity hijacking.
I opened with this story about Mr. Honan because the hack was not Star Wars. This was not a brute-force password attack, a man-in-the-middle email eavesdropping attack, a more sophisticated SQL injection, a malware Trojan or a keystroke-logger virus. It was more old-school—like the days I used to dumpster dive to find disgruntled workers, befriend them and on and on. This was a classic social engineering hack; by the way, the teenage hackers started their pursuit with Facebook.
Enter the Red Flags Rule, issued in 2007 under Section 114 of the Fair and Accurate Credit Transactions Act of 2003 and overseen by the Federal Trade Commission (FTC). The Red Flags Rule requires many businesses and organizations to implement a written identity theft prevention program designed to detect the red flags of identity theft in their day-to-day operations, take steps to prevent the crime and mitigate its damage. The bottom line is that such a program can help businesses spot suspicious patterns and prevent the costly consequences of identity theft. The FTC enforces the Red Flags Rule together with several other agencies. More about the rule can be found on the FTC’s Bureau of Consumer Protection website.
The insurance industry is one massive process built on non-public information (NPI). Every organization within the supply chain should have a red flags program to safeguard client personal information.
In Mr. Honan’s case, the overriding goal of serving the customer was the downfall of protecting his information. When the questions and answers Mr. Honan had provided at signup failed authentication, the only alternative should have been a two-factor escalation.
Single-factor authentication is defined as something you know, such as a password or the answers to questions you created. Two-factor authentication is defined as something you know plus something you have. Something you have can be many things: a cell phone, a computer, a fingerprint, a land line and so on. The most widely used method today is a text message to a cell phone. At any point during a two-factor escalation, the gatekeeper can send an alphanumeric code to the person, who in turn responds via phone or device. Newer authentication methods include whitelisting the phone numbers a customer may call from, computer location, GPS and my favorite, voice recognition. With voice recognition, you record a short statement during the account onboarding phase. Authentication comes into play when you say the statement again: if the two match, you’re the real thing.
When I think of the insurance process, it’s just one large consumer of NPI: a one-way process in which information comes in and never goes out. There is no need to share NPI over the phone with anyone, even on the most sincere request. That’s a simple rule to live by.
Back to the red flags policy you need to develop. The first step is to identify the relevant red flags you might come across: signals that people trying to get products or services from you aren’t who they claim to be. They fail the “Do I know you?” test, or what I call the relationship test. Emails that arrive from sender or carbon-copy addresses you don’t know to be associated with the customer are red flags.
The second step is to explain how your business or organization will detect the red flags you’ve identified. Phone inquiries that fail the relationship test should be subject to a single- or two-factor authentication policy that your people use to identify callers.
During the onboarding process, capture a phone password, give the customer a business card with a number or word written on the back, or create a question and answer with the customer: something only they would know or have, and nothing that could be read from their wallet.
If they fail the single factor, then go to two factors: text their cell phone, send them an email, or “flash” over and call a whitelisted number. In any case, send the customer an email notice calling to their attention that someone authenticated that day for a service request.
Emails should be secure and compliant. Provide your customer with a secure transaction email account for sending and receiving emails that provides authentication and encryption. Audit trails then provide a record of every information exchange, meeting the requirement to know “Who had access to NPI.”
The third step is to decide how you’ll respond to any red flags that materialize. Every red-flagged communication should trigger an email notice of the event to the customer. This informs the customer that inquiries are being made and keeps him involved in the security of his own NPI.
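The three steps above, together with the single- and two-factor escalation described earlier, fit naturally into a small piece of code. The following is an added example written for this article, not the author’s own program or any vendor’s product: it applies the relationship test to an inbound email, checks a phone password as the single factor, escalates to a short-lived code sent only to a phone number on file, and writes a customer notice and audit entry for every attempt. The customer name, email addresses, phone numbers and phone password are constructed sample values; the `answer_otp` callback, the PBKDF2 storage of the phone password and the 300-second code lifetime are design assumptions of this example, not requirements of the Red Flags Rule.

```python
"""Red-flag handling for a customer service request, following the article's
three steps: spot the flag (relationship test), detect it (single-, then
two-factor authentication) and respond (notify the customer, keep an audit
trail).  Every name, phone number and e-mail address here is constructed
sample data, not a real customer record."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Phone passwords are stored only as salted PBKDF2 hashes (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Customer:
    name: str
    known_emails: set          # addresses captured at onboarding
    whitelisted_phones: set    # numbers the customer may call from / be texted at
    salt: bytes
    phone_password_hash: bytes
    audit: list = field(default_factory=list)


def make_customer(name, emails, phones, phone_password):
    """Onboarding: record contact details and a hashed phone password."""
    salt = secrets.token_bytes(16)
    return Customer(name, {e.lower() for e in emails}, set(phones),
                    salt, hash_secret(phone_password, salt))


def relationship_test(customer, sender, cc=()):
    """Step 1: list every address on an inbound e-mail that is not on file.
    An empty list means the relationship test passed."""
    return [a.lower() for a in (sender, *cc) if a.lower() not in customer.known_emails]


def check_phone_password(customer, attempt):
    """Single factor: something the caller knows, compared in constant time."""
    return hmac.compare_digest(hash_secret(attempt, customer.salt),
                               customer.phone_password_hash)


def issue_otp(customer, phone, ttl=300):
    """Second factor: a short-lived code texted only to a number on file."""
    if phone not in customer.whitelisted_phones:
        raise ValueError("refusing to send a code to a phone that is not on file")
    return {"phone": phone, "code": f"{secrets.randbelow(10**6):06d}",
            "expires": time.time() + ttl}


def verify_otp(challenge, response, now=None):
    """Accept the code only if it matches and has not expired."""
    now = time.time() if now is None else now
    if not isinstance(response, str) or now > challenge["expires"]:
        return False
    return hmac.compare_digest(challenge["code"], response)


def notify_customer(customer, event):
    """Step 3: each flagged event produces an audit entry and a customer notice."""
    customer.audit.append({"time": time.time(), "event": event})
    return f"Notice to {customer.name}: {event}"


def authenticate_call(customer, caller_id, password_attempt, answer_otp):
    """Step 2 escalation policy for a phone inquiry.  `answer_otp` stands in
    for the customer reading the texted code back: it receives the challenge
    and returns the caller's response (or None)."""
    flags = []
    if caller_id not in customer.whitelisted_phones:
        flags.append(f"call from number not on file: {caller_id}")
    if check_phone_password(customer, password_attempt):
        decision = "allowed"
    else:
        flags.append("phone password failed; escalated to two-factor")
        # The code goes to a whitelisted phone, never to the caller's number.
        challenge = issue_otp(customer, sorted(customer.whitelisted_phones)[0])
        decision = "allowed" if verify_otp(challenge, answer_otp(challenge)) else "denied"
    # The customer hears about every authentication attempt, allowed or not.
    notice = notify_customer(
        customer, f"service request {decision}; red flags: {flags or 'none'}")
    return {"decision": decision, "red_flags": flags, "notice": notice}


if __name__ == "__main__":
    alice = make_customer("Alice Example", ["alice@example.com"],
                          ["+1-555-0100"], "blue-canoe-42")
    print(relationship_test(alice, "alice@example.com", ["cc@unknown.example"]))
    print(authenticate_call(alice, "+1-555-0199", "wrong guess", lambda ch: ch["code"]))
```

Two design choices carry the article’s point. The one-time code is sent to a number captured at onboarding rather than to whatever number the caller presents, so a caller who fails the relationship test cannot redirect the second factor to themselves; and `notify_customer` runs on every path, including the successful one, because the customer notice is what keeps the account holder in the loop when someone else is making inquiries in their name.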
Recognizing red flags, knowing how to handle them and informing those concerned is the objective. Excellent customer service and protecting customer information are everyone’s goals. Drawing the line between the two can be very simple. Educate your staff and customers on office procedure so that, when the occasion arrives, all concerned know what to expect and how to behave. Involving the customer can be as simple as a one-page document on what is expected “When contacting our office.” The customer will be happy to conform and will be pleased that your organization is doing everything it can to protect his NPI.
Develop a red flag plan and use it. You don’t want to be the next Mr. Honan. Or worse, lose your identity.