Topic Review
Member # 1659
 - posted March 03, 2005 09:33
What to do. What to do?
As some of you know I retired a year ago; well, just recently I noticed a glaring error in my previous employer's prescription plan. Because I have a defined benefit retirement and they, the auto company, want to reduce costs, they make it very appealing to use their pharmacy by mail, 1/3 the cost of prescriptions at the local drug store. Now I have no problems with the basic setup of their call-in system; I do have a problem with their web-based prescription refill site. The opening or splash page is not encrypted (or https) for those that know, however that is where you would log in from. Now starts the real rub: when I brought this to their attention I was given the company policy that their site is secure and not to worry, my medical records are safe and that they are in full compliance with the current United States HHS guidelines for protecting patient confidentiality. I then brought the insurance company that subcontracted to this pharmacy for meds into the fray and was told that they could not tell their subcontractors how to run their businesses. However, I was given the phone number of the benefits office for my previous employer; they did not understand the scope of the problem but at least attempted to help get this pharmacy to change their methods. However, any time I am in contact with this supplier I cannot believe how dense they are and quite satisfied to read me the company policy statement about how well they are protecting my information and that is all it should take to calm my fears.
Am I overreacting to what I see as a serious hole at their web site? When I do go to their web site I use a bogus member ID and password to get inside to the secure page where they tell me that I am not a registered user and log in from there, but my real concern is that some other employee or retiree may have their information compromised by this company's login procedure. I am almost tempted to do a Kevin Mitnick, but I don't want to go to jail for their stupidity; any ideas? Oh, by the way, the user ID is your own e-mail; you cannot pick a totally unique ID.
Member # 371
 - posted March 03, 2005 10:04
Having the page not be via https is not an issue - IF - the post/get is through a secure connection. View the source of the front page and search for "form"; there you should see action=URL. If that URL is https then you should be ok.

Getting the normal customer service people to understand this is pointless. They know that they have been assured by their managers who were assured by the geek's managers who were assured by the geeks that everything is "secure". Getting a good explanation to you as to why it is (or isn't) secure is impossible through all those layers.

Of course you could just bookmark the "error" page and use that from now on.

I wouldn't sweat over your username being your email address. Having a piece of known information isn't a problem if there is a secret piece (i.e. your password/PIN) paired with it.

As far as "hacking" it - the only problem with an insecure login page is that if someone at an ISP wants they could sniff the packet stream and extract usernames and passwords. Home users don't have access to that packet stream so they can't sniff it so they can't see the username/password anyway. So - you can't "demonstrate" the problem unless you happen to work at a large ISP that serves other people who use the same pharmacy. Of course this hacking is assuming that they don't have their form submitting the information securely.
Black Widow
Member # 3046
 - posted March 03, 2005 10:21
I assume you've already tried typing in the home page address with https: at the front rather than just http:?

And what about bookmarking the secure page the next time you visit it, so that you don't have to go through the trouble of the fake signin first? [Confused]
Member # 1659
 - posted March 03, 2005 11:28
DOCO: That is my concern, as Netscape, iCab, and Mozilla all warn me that the information I am submitting is not encrypted. I went to a friend's house and on his Windows machine he got the same warning.

Also since I keep in touch with many of my past coworkers I already know their login ID, and would guess that many people that I know work in UAW shops and if they e-mail me I would then know their ID.

It does not seem to be as secure as it should be.
