OneBeacon Technology Welcomes David Chavez & Jason Gitlitz

We’re pleased to welcome two new members to our Technology team—David Chavez and Jason Gitlitz.

David joins us as our Information Technology Solutions™ (ITS) Product Manager, bringing more than 25 years of experience to the team. Based out of San Francisco, David is an attorney by trade, specializing in cyber-related issues for small and mid-size companies. David has managed data breach response efforts, co-written a leading cyber policy, and underwritten scores of technology accounts. Prior to joining OneBeacon, David held senior roles at Berkley Life Sciences and Hiscox. David can be reached at dchavez@onebeacon.com.

Jason joins our New England regional technology underwriting team, based out of Boston. With experience as both an agent and an underwriter, Jason brings well-rounded capabilities to the team. Prior to joining OneBeacon, Jason was an underwriter at CNA in their healthcare facilities unit. Jason can be reached at jgitlitz@onebeacon.com.

Welcome to OneBeacon, David and Jason!

Consent Phishing: Cyber Criminals Want More Than Your Password

Reliance on cloud services has increased in conjunction with the recent shift to remote work, education, and healthcare. Cloud computing allows data to be stored and accessed via the Internet rather than on a local computer. Use of cloud collaboration apps such as Zoom, Webex, and Microsoft Teams has grown dramatically. As a result, application-based attacks are becoming more prevalent as society pivots to these virtual tools. Capabilities inherent in applications are being used to gain unauthorized access to people’s data.

This societal shift to a greater online presence has compelled hackers to leverage application-based attacks to obtain access to valuable data stored in the cloud. Apps are being built to integrate account and organizational data from cloud platforms to enhance the online experience. The vast amount of information stored in the cloud is a lucrative target for cyber criminals. Consent phishing is an emerging tactic meant to trick people into granting a malicious app access to sensitive data stored in the cloud.

A recent Microsoft Security Blog outlined the basic steps of an attack, demonstrating the evolving and sophisticated methods cyber criminals are using in their quests to steal your valuable data. The steps include:

  1. Attackers register an app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth is an open standard protocol for authorization that delegates authentication to the service that hosts the account, thus allowing websites or applications access to the account’s information without being given the password. An everyday example is using your Facebook or Google account to log in to another application.
  2. The app is configured to appear trustworthy. For instance, the name of a similar product may be used.
  3. A link is provided via a phishing email or by compromising a valid website.
  4. When the link is clicked, an authentic consent prompt appears and requests permission to access data.
  5. If “Accept” is clicked, the malicious app is granted permission to access your data.
  6. The app gets an authorization code that it redeems for an access token and possibly a refresh token.
  7. The access token is used to make API (Application Programming Interface) calls on behalf of the targeted individual. An API allows interaction between two applications.
  8. If the API call is accepted, the attacker gains access to sensitive data, which may include mail, files, contacts, and other resources.
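The steps above hinge on what the consent prompt in step 4 actually asks for: the scopes in the authorization request decide whether the app gets a refresh token (step 6) and which data the API calls in steps 7 and 8 can reach. The following Python script is an added example, not code from the Microsoft blog or from OneBeacon. It parses the OAuth 2.0 authorization link a user is about to click, checks that it points at the Microsoft identity platform authorize endpoint, and rates the requested Microsoft Graph permissions. The Graph scope names (Mail.Read, Files.ReadWrite.All, offline_access, and so on) are real; the risk tiers, the approved-app allowlist, the client IDs, and the sample links are this example’s own constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft Graph delegated scopes that map to the data types named in the
# attack description (mail, files, contacts). The descriptions and the
# decision to treat these as high risk are this example's own assumption.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read the user's mailbox",
    "Mail.ReadWrite": "read and modify the user's mailbox",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change mailbox rules and forwarding",
    "Files.Read.All": "read every file the user can reach",
    "Files.ReadWrite.All": "read and modify every file the user can reach",
    "Contacts.Read": "read the user's contacts",
}
# offline_access is the scope that lets the app redeem a refresh token
# (step 6), so access outlives the browser session.
PERSISTENCE_SCOPE = "offline_access"
# Scopes a sign-in-only app normally needs; treated as baseline (low risk).
BASELINE_SCOPES = {"openid", "profile", "email", "User.Read"}
AUTHORIZE_HOST = "login.microsoftonline.com"

# Constructed sample data: placeholder app IDs and links, not real apps.
TRUSTED_APP = "00000000-0000-0000-0000-000000000001"   # on the allowlist
UNKNOWN_APP = "00000000-0000-0000-0000-000000000002"   # not on the allowlist
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    f"?client_id={TRUSTED_APP}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&scope=openid+profile+User.Read"
)
SUSPECT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    f"?client_id={UNKNOWN_APP}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-security-update.example.net%2Fcb"
    "&scope=openid+offline_access+Mail.Read+Contacts.Read+Files.ReadWrite.All"
)
LOOKALIKE_HOST_LINK = (
    "https://login-microsoftonline.example/common/oauth2/v2.0/authorize"
    f"?client_id={UNKNOWN_APP}&response_type=code&scope=openid+User.Read"
)


def parse_consent_link(url: str) -> dict:
    """Extract the OAuth 2.0 authorization-request parameters from a link."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scopes = set()
    for raw in query.get("scope", []):
        scopes.update(raw.split())  # the scope parameter is space-delimited
    return {
        "host": parts.netloc.lower(),
        "path": parts.path,
        "client_id": query.get("client_id", [None])[0],
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "scopes": scopes,
    }


def assess_consent_link(url: str, trusted_client_ids=frozenset()) -> dict:
    """Rate a consent link: 'allow', 'review' or 'block', with findings."""
    info = parse_consent_link(url)
    findings = []
    genuine_endpoint = info["host"] == AUTHORIZE_HOST and "/oauth2/" in info["path"]
    if not genuine_endpoint:
        findings.append(f"host {info['host']!r} is not the Microsoft authorize endpoint")
    trusted = info["client_id"] in trusted_client_ids
    if not trusted:
        findings.append(f"client_id {info['client_id']} is not on the approved-app list")
    persistent = PERSISTENCE_SCOPE in info["scopes"]
    if persistent:
        findings.append("offline_access requested: app would receive a refresh token")
    risky = sorted(s for s in info["scopes"] if s in HIGH_RISK_SCOPES)
    for scope in risky:
        findings.append(f"{scope}: app could {HIGH_RISK_SCOPES[scope]}")
    unknown = sorted(info["scopes"] - BASELINE_SCOPES - set(HIGH_RISK_SCOPES) - {PERSISTENCE_SCOPE})
    if unknown:
        findings.append("unclassified scopes need manual review: " + ", ".join(unknown))

    if not genuine_endpoint or (not trusted and (risky or persistent)):
        verdict = "block"
    elif not trusted or risky or persistent or unknown:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "risky_scopes": risky,
            "persistent": persistent, "client_id": info["client_id"],
            "redirect_uri": info["redirect_uri"]}


if __name__ == "__main__":
    for name, link in [("benign", BENIGN_LINK), ("suspect", SUSPECT_LINK),
                       ("lookalike", LOOKALIKE_HOST_LINK)]:
        result = assess_consent_link(link, {TRUSTED_APP})
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone, the script rates the sign-in-only link as allow, the link asking for a refresh token plus mail, contacts and file access from an unlisted app as block, and the look-alike host as block. The same check can sit behind a mail gateway’s link rewriting or a help-desk triage tool; in the tenant itself the durable control is to restrict which apps users may consent to and route the rest through an admin-consent review.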

Security Best Practices to Avoid Consent Phishing

  • Understand the data and permissions requested by an application.
  • Check for poor spelling and grammar in emails and on application consent screens.
  • Make sure you recognize app names and website addresses before clicking “Consent” on applications.
  • Carefully check app names, website addresses, and email addresses. Be aware that they are sometimes slightly modified to look legitimate. Typosquatting takes advantage of common misspellings, slightly modified email and website addresses, or application names to re-direct people to malicious websites.
  • Hover over a link to determine if it’s legitimate.
  • Always open a browser and hand type the website address before clicking on the link in the email.
  • Only obtain and download apps from official app stores.
  • As always, approach all email with heightened attentiveness and focused attention.
  • Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
  • If you receive a suspicious email:
    • Do not click any link or attachment. Delete the email immediately.
    • Do not unsubscribe from the list. Delete it immediately. Very often attempting to unsubscribe also executes malicious activities.

Emerging Cyber Threats: Phishing, Mobile Banking & Multi-Factor Authentication

As the saying goes, “the only constant is change.” Cyber criminals are constantly adapting and changing tactics to take advantage of current events and find vulnerabilities in our systems. Here are some developments we are watching closely:

Phishing Schemes:

Termination Phishing Emails: A recent FBI (Federal Bureau of Investigation) Private Industry Notification warned that cyber criminals were taking advantage of the COVID-19 pandemic to target teleworking employees through fake termination phishing emails and VTC (Video Tele-Conference) meeting invites. The bad actors are using spoofed or typosquatted email domains to impersonate Human Resources or management. The emails lure victims to click on malicious links for additional information or online conferences about termination or severance packages.

Voting Campaigns to Spread Malware: Cyber criminals are also leveraging current emotionally charged social issues to entice you to click on links you might not otherwise look at. A recent article reported that an email phishing campaign asking people to vote anonymously on current race-related matters was spreading information-stealing malware. In general, you should be wary of any surveys you receive.

Security Best Practices to Avoid Threats

  • Approach all email with heightened attentiveness and focused attention.
  • Double-check all emails received.
  • Be aware that sometimes email addresses are slightly modified to look legitimate. This is called typosquatting and takes advantage of common misspellings or slightly modified email and website addresses to re-direct people to malicious websites.
  • Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
  • If you receive a suspicious email:
    • Do not click on any link or attachment. Delete the email immediately.
    • Do not unsubscribe from the list. Very often the unsubscribe link also performs malicious activities. Delete it immediately.

Mobile Banking Cyber Threats

A recent FBI Public Service Announcement warns of mobile banking cyber attacks. According to the advisory, there has been a 50% increase in mobile banking use since the beginning of 2020 due in part to increased time spent at home. Additionally, they report U.S. technology providers estimate more than 75% of Americans used some form of mobile banking in 2019. The FBI issued the following tips:

  • Obtain apps from official app stores or directly from bank websites.
  • Enable MFA (Multi-Factor Authentication) and use the strongest option possible such as biometrics, hardware tokens, or authentication apps.
  • Because layering is a stronger security option, use multiple types of authentication when possible.
  • Monitor where your PII (Personally Identifiable Information) is stored and only share what is absolutely necessary with financial institutions.
  • Do not click links in emails or text messages. Ensure messages come from the financial institution by double-checking email details.
  • Do not provide MFA codes to anyone over the phone or via text. Financial institutions will NEVER ask for these codes over the phone. Beware of a current scam in which the fraudster pretends to be from the financial institution and requests this information.

If a banking app appears suspicious, contact the bank via the customer service number posted on its website. The bank may ask for a banking PIN but will never ask for your username and password over the phone.

Turn on MFA (Multi-Factor Authentication)

A recent Krebs on Security blog post warned that not turning on MFA leaves accounts vulnerable to exploitation by cyber criminals. Increasingly, bad actors are enabling MFA options themselves and attaching them to devices they control, making it much more difficult to regain access when an account is hacked. This risk increases for people who habitually reuse or recycle passwords on multiple accounts. The post also cautions that many online sites and services are completely automated and difficult to reach for help when account takeovers occur. This is especially challenging if attackers modify and/or remove the original email address associated with the account. Any MFA option is better than relying on a password alone, but it is best to use the strongest option available, such as biometrics, hardware tokens, or authentication apps. For a list of MFA options offered by popular websites, visit twofactorauth.org.

Autonomous Vehicles: Why Drive When the Vehicle Drives You

The idea of being effortlessly chauffeured by self-driving cars, or autonomous vehicles (AV), has been a dream of futurists for several decades. They envision a time when businesses and consumers alike will use the technology to transport goods and people.

We’re pleased to share our latest whitepaper, titled “Autonomous Vehicles: Why Drive When the Vehicle Drives You,” authored by OneBeacon’s Tushar Nandwana. In this whitepaper, he provides an overview of the history of autonomous vehicle development, the pros and cons of the technology, and considerations for the future of the market.

More whitepapers can be found at onebeacontech.com/whitepapers.