Experts have found that hackers can obtain information that's useful for phishing attacks
The Obamacare program was launched on October 1, despite the government shutdown. However, the more security experts look at the program’s website, HealthCare.gov, the more issues they find.We’ll put aside the fact that the website has suffered two outages since it was launched. Researcher Ben Simo has published a number of blog posts on the topic of HealthCare.gov security.
For instance, the expert has found that cybercriminals could easily obtain usernames, password reset codes, email addresses and security questions, without needing any kind of authentication.
The information could be used in phishing attacks launched by cybercrooks in an effort to trick Obamacare customers into handing over more of their personal details. The worst part is that is doesn’t take a “super hacker” to exploit the vulnerabilities.
Interestingly, a memo to Center for Medicare and Medicaid Services (CMS) Administrator Marilyn Tavenner, dated September 27, shows that the website was launched without final security checks being performed.
“From a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for [the Federally Facilitated Marketplace],” the memo reads.
It continues, “Although throughout the three rounds of SCA testing all of the security controls have been tested on different versions of the system, the security contractor has not been able to test all of the security controls in one complete version of the system.”
Some of the issues highlighted by Simo have been fixed, but there still are some security holes that increase the risk of personal information becoming compromised.
“The volume of users, the nature of the data presumed in the system, and the political attention all contribute to making HealthCare.gov a target of interest to attackers – of higher interest than the typical web site,” Simo noted.
“This demands a higher standard. This requires that security be made a priority throughout design, implementation, testing, and monitoring of the system.”