This is topic WHAT TO DO, WHAT TO DO? in forum Your News! at The Geek Culture Forums.


To visit this topic, use this URL:
http://www.geekculture.com/cgi-bin/ultimatebb/ultimatebb.cgi?ubb=get_topic;f=15;t=002279

Posted by TheMoMan (Member # 1659) on March 03, 2005, 09:33:
 
What to do. What to do?
As some of you know, I retired a year ago. Just recently I noticed a glaring error in my previous employer's prescription plan. Because I have a defined benefit retirement and they, the auto company, want to reduce costs, they make it very appealing to use their pharmacy by mail: 1/3 the cost of prescriptions at the local drug store. Now, I have no problems with the basic setup of their call-in system; I do have a problem with their web-based prescription refill site. The opening or splash page is not encrypted (or https, for those that know); however, that is where you would log in from. Now starts the real rub: when I brought this to their attention I was given the company policy that their site is secure, not to worry, my medical records are safe, and that they are in full compliance with the current United States HHS guidelines for protecting patient confidentiality. I then brought the insurance company that subcontracted to this pharmacy for meds into the fray and was told that they could not tell their subcontractors how to run their businesses. However, I was given the phone number of the benefits office for my previous employer; they did not understand the scope of the problem but at least attempted to help get this pharmacy to change their methods. However, any time I am in contact with this supplier I cannot believe how dense they are, and how satisfied they are to read me the company policy statement about how well they are protecting my information, as if that is all it should take to calm my fears.
Am I overreacting to what I see as a serious hole at their web site? When I do go to their web site I use a bogus member ID and password to get inside to the secure page, where they tell me that I am not a registered user, and log in from there. But my real concern is that some other employee or retiree may have their information compromised by this company's login procedure. I am almost tempted to do a Kevin Mitnick, but I don't want to go to jail for their stupidity. Any ideas? Oh, by the way, the user ID is your own e-mail; you cannot pick a totally unique ID.
 
Posted by Doco (Member # 371) on March 03, 2005, 10:04:
 
Having the page not be via https is not an issue - IF - the post/get is through a secure connection. View the source of the front page and search for "form"; there you should see action=URL. If that URL is https then you should be OK.

Getting the normal customer service people to understand this is pointless. They know that they have been assured by their managers who were assured by the geek's managers who were assured by the geeks that everything is "secure". Getting a good explanation to you as to why it is (or isn't) secure is impossible through all those layers.

Of course you could just bookmark the "error" page and use that from now on.

I wouldn't sweat over your username being your email address. Having a piece of known information isn't a problem if there is a secret piece (i.e. your password/PIN) paired with it.

As far as "hacking" it - the only problem with an insecure login page is that if someone at an ISP wants to, they could sniff the packet stream and extract usernames and passwords. Home users don't have access to that packet stream, so they can't sniff it, so they can't see the username/password anyway. So - you can't "demonstrate" the problem unless you happen to work at a large ISP that serves other people who use the same pharmacy. Of course this hacking is assuming that they don't have their form submitting the information securely.
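
Doco's check above (find the form in the page source and see whether its action is https) can be scripted. The following is an added example and is not code from this thread, from the pharmacy, or from any browser; it is written in Python against a constructed sample login page, and the host pharmacy.example and the form markup are invented for illustration. It resolves each form's action against the page URL the way a browser does, which is the part a grep for "https" misses: a relative action, a scheme-relative action (starting with //), or a form with no action attribute at all inherits the scheme of the unencrypted page, so the credentials go out over plain http even though no "http://" appears anywhere in the source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Record the action attribute of every <form> tag on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # HTMLParser hands attrs over as (name, value) pairs; value is
            # None for a bare attribute. A missing or empty action means
            # "submit to the current page", which inherits the page's scheme.
            self.actions.append(dict(attrs).get("action") or "")


def form_submit_urls(page_url, html):
    """Return the absolute URL each form posts to, resolved as a browser would."""
    collector = FormActionCollector()
    collector.feed(html)
    collector.close()
    return [urljoin(page_url, action) for action in collector.actions]


def insecure_form_submits(page_url, html):
    """Return the submit URLs that would carry the form fields in cleartext."""
    return [u for u in form_submit_urls(page_url, html)
            if urlsplit(u).scheme != "https"]


# Constructed sample (not a real site): a splash page served over plain http
# with four login forms. Only the first one actually submits over TLS.
PAGE_URL = "http://pharmacy.example/"
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="https://secure.pharmacy.example/login">
  <input name="email"><input type="password" name="pw"></form>
<form method="post" action="/cgi-bin/login.cgi">
  <input name="email"><input type="password" name="pw"></form>
<form method="post" action="//secure.pharmacy.example/login">
  <input name="email"><input type="password" name="pw"></form>
<form method="post">
  <input name="email"><input type="password" name="pw"></form>
</body></html>
"""


if __name__ == "__main__":
    for url in form_submit_urls(PAGE_URL, SAMPLE_LOGIN_PAGE):
        flag = "OK  " if urlsplit(url).scheme == "https" else "LEAK"
        print(flag, url)
```

To run this against a real splash page, fetch the page with urllib and pass the response body together with the final URL the fetch ended on (after any redirects), since that is the base a browser would resolve the action against. Passing the same sample page with an https page URL makes all four forms resolve to https, which is the whole argument for serving the login page itself encrypted. One caveat that the check cannot capture: a page delivered over plain http has no integrity protection, so anyone in the on-path position Doco describes can rewrite the action attribute before the form is ever submitted, even when the unmodified source points at https.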
 
Posted by Black Widow (Member # 3046) on March 03, 2005, 10:21:
 
I assume you've already tried typing in the home page address with https: at the front rather than just http:?

And what about bookmarking the secure page the next time you visit it, so that you don't have to go through the trouble of the fake signin first? [Confused]
 
Posted by TheMoMan (Member # 1659) on March 03, 2005, 11:28:
 
Doco: That is my concern, as Netscape, iCab, and Mozilla all warn me that the information I am submitting is not encrypted. I went to a friend's house, and on his Windows machine he got the same warning.

Also, since I keep in touch with many of my past coworkers, I already know their login IDs, and I would guess that many people I know work in UAW shops, so if they e-mail me I would then know their ID.

It does not seem to be as secure as it should be.
 


© 2015 Geek Culture

Powered by Infopop Corporation
UBB.classic™ 6.4.0