Amidst the fighting in Washington and the reports
of Marketplace site outages, one issue surrounding the Affordable Care
Act (aka Obamacare) hasn't been addressed: scammers.
Security company Trend Micro reported that they're already seeing spam targeted to words like "medicare," "enrollment," and "medical insurance." These terms aren't quite on-point just yet, but Trend Micro's threat communications manager Christopher Budd told SecurityWatch that deep problems with the Marketplace websites could make things much worse.
A Confusing Web
"Most states have their own official state sites, and then you can have third party broker sites," explained Budd, touching on how the Insurance Marketplaces are organized. "The environment this creates right out of the gate is so confusing that it creates space for phishing."
Budd says that without a clear means to verify if a site is official or not, people are risk of finding themselves duped by convincing-looking fraudulent websites. We've already seen how spammers and scammers are very adept tailoring their messages to match the zeitgeist. And because these websites deal with medical issues and insurance, people are already primed to hand over tons of personal information—like their Social Security numbers. Worse yet, some people will be signing up their whole families, potentially giving thieves access to a lot of personal information.
The main problem, says Budd, is that some of the state websites did not follow best practices for security—or even adequately brand themselves as part of the ACA. "To give credit, the Federal site is professional, well branded, and provides SSL," said Budd, pointing out how HealthCare.gov automatically used SSL.
State-level Marketplaces weren't so well put together. "There are some state sites that if you go in HTTPS, it gives you a 404 error," said Budd. Other states had test certificates instead of legitimate ones, and one third-party website automatically rolled Budd back to HTTP when he tried to connect via HTTPS.
How to Stay Safe
To avoid scamming sites, Budd said that people shouldn't start by using search engines to find information. Search results can be easily tainted by phishing sites, and targetting popular phrases is a key strategy used by scammers.
Instead, people should start at https://www.healthcare.gov. From here, they can find the appropriate Marketplace website for their state. Information about legitimate third party insurance suppliers can also be found on these sites.
Whenever possible, connect via SSL and use HTTPS, instead of HTTP, at the beginning of the URL. On HTTPS sites, a small lock icon should appear just to the left of the URL. You can click this, and verify the authenticity of the website.
If the certificate is expired, or if you're not sure you can trust the website for any reason, take it offline. Budd told SecurityWatch that some insurance vendors can be reached over the phone or in person.
Most modern browsers, like Chrome, will throw up a warning screen if they detects anything untoward about the site's certification. "If your browser raises a warning, stop there unless you know what you're doing," said Budd.
Time for Change
Budd acknowledged that states have an uphill battle tackling the security issues surrounding the Marketplaces. He said that public-key infrastructure, the cryptographic technology that secures these kind of communications, was "one of the most complicated, costly, and confusing technologies out there." Add to the fact that most states are strapped for cash these days, and it's not surprising that these issues exist.
To help protect users from scammers, Budd said that the first priority should be to get SSL in place for each and every site associated with the ACA. Next, he suggested the creation of a seal—like the one used by Verisign—so less tech-savvy people know that they're on a legitimate site. He also suggested that the federal government could follow the lead of the financial industry and audit ACA sites.
Budd stressed that the Insurance Marketplaces—indeed, this entire service—are brand new. He pointed again to the financial sector, which took years to fine-tune its approach to the online services. Given the level of interest in this program, scammers and spammers won't be far behind. Hopefully, the Marketplace sites will mature quickly enough to meet those threats.
Security company Trend Micro reported that they're already seeing spam targeted to words like "medicare," "enrollment," and "medical insurance." These terms aren't quite on-point just yet, but Trend Micro's threat communications manager Christopher Budd told SecurityWatch that deep problems with the Marketplace websites could make things much worse.
A Confusing Web
"Most states have their own official state sites, and then you can have third party broker sites," explained Budd, touching on how the Insurance Marketplaces are organized. "The environment this creates right out of the gate is so confusing that it creates space for phishing."
Budd says that without a clear means to verify if a site is official or not, people are risk of finding themselves duped by convincing-looking fraudulent websites. We've already seen how spammers and scammers are very adept tailoring their messages to match the zeitgeist. And because these websites deal with medical issues and insurance, people are already primed to hand over tons of personal information—like their Social Security numbers. Worse yet, some people will be signing up their whole families, potentially giving thieves access to a lot of personal information.
The main problem, says Budd, is that some of the state websites did not follow best practices for security—or even adequately brand themselves as part of the ACA. "To give credit, the Federal site is professional, well branded, and provides SSL," said Budd, pointing out how HealthCare.gov automatically used SSL.
State-level Marketplaces weren't so well put together. "There are some state sites that if you go in HTTPS, it gives you a 404 error," said Budd. Other states had test certificates instead of legitimate ones, and one third-party website automatically rolled Budd back to HTTP when he tried to connect via HTTPS.
How to Stay Safe
To avoid scamming sites, Budd said that people shouldn't start by using search engines to find information. Search results can be easily tainted by phishing sites, and targetting popular phrases is a key strategy used by scammers.
Instead, people should start at https://www.healthcare.gov. From here, they can find the appropriate Marketplace website for their state. Information about legitimate third party insurance suppliers can also be found on these sites.
Whenever possible, connect via SSL and use HTTPS, instead of HTTP, at the beginning of the URL. On HTTPS sites, a small lock icon should appear just to the left of the URL. You can click this, and verify the authenticity of the website.
If the certificate is expired, or if you're not sure you can trust the website for any reason, take it offline. Budd told SecurityWatch that some insurance vendors can be reached over the phone or in person.
Most modern browsers, like Chrome, will throw up a warning screen if they detects anything untoward about the site's certification. "If your browser raises a warning, stop there unless you know what you're doing," said Budd.
Time for Change
Budd acknowledged that states have an uphill battle tackling the security issues surrounding the Marketplaces. He said that public-key infrastructure, the cryptographic technology that secures these kind of communications, was "one of the most complicated, costly, and confusing technologies out there." Add to the fact that most states are strapped for cash these days, and it's not surprising that these issues exist.
To help protect users from scammers, Budd said that the first priority should be to get SSL in place for each and every site associated with the ACA. Next, he suggested the creation of a seal—like the one used by Verisign—so less tech-savvy people know that they're on a legitimate site. He also suggested that the federal government could follow the lead of the financial industry and audit ACA sites.
Budd stressed that the Insurance Marketplaces—indeed, this entire service—are brand new. He pointed again to the financial sector, which took years to fine-tune its approach to the online services. Given the level of interest in this program, scammers and spammers won't be far behind. Hopefully, the Marketplace sites will mature quickly enough to meet those threats.