Saturday 5 October 2013

Beware of Fake Obamacare Insurance Marketplace Sites

HealthCare.gov Amidst the fighting in Washington and the reports of Marketplace site outages, one issue surrounding the Affordable Care Act (aka Obamacare) hasn't been addressed: scammers.
Security company Trend Micro reported that they're already seeing spam targeted to words like "medicare," "enrollment," and "medical insurance." These terms aren't quite on-point just yet, but Trend Micro's threat communications manager Christopher Budd told SecurityWatch that deep problems with the Marketplace websites could make things much worse.
A Confusing Web
"Most states have their own official state sites, and then you can have third party broker sites," explained Budd, touching on how the Insurance Marketplaces are organized. "The environment this creates right out of the gate is so confusing that it creates space for phishing."
Budd says that without a clear means to verify if a site is official or not, people are risk of finding themselves duped by convincing-looking fraudulent websites. We've already seen how spammers and scammers are very adept tailoring their messages to match the zeitgeist. And because these websites deal with medical issues and insurance, people are already primed to hand over tons of personal information—like their Social Security numbers. Worse yet, some people will be signing up their whole families, potentially giving thieves access to a lot of personal information.
The main problem, says Budd, is that some of the state websites did not follow best practices for security—or even adequately brand themselves as part of the ACA. "To give credit, the Federal site is professional, well branded, and provides SSL," said Budd, pointing out how HealthCare.gov automatically used SSL.
State-level Marketplaces weren't so well put together. "There are some state sites that if you go in HTTPS, it gives you a 404 error," said Budd. Other states had test certificates instead of legitimate ones, and one third-party website automatically rolled Budd back to HTTP when he tried to connect via HTTPS.  
How to Stay Safe
To avoid scamming sites, Budd said that people shouldn't start by using search engines to find information. Search results can be easily tainted by phishing sites, and targetting popular phrases is a key strategy used by scammers.
Instead, people should start at https://www.healthcare.gov. From here, they can find the appropriate Marketplace website for their state. Information about legitimate third party insurance suppliers can also be found on these sites.
Whenever possible, connect via SSL and use HTTPS, instead of HTTP, at the beginning of the URL. On HTTPS sites, a small lock icon should appear just to the left of the URL. You can click this, and verify the authenticity of the website.
If the certificate is expired, or if you're not sure you can trust the website for any reason, take it offline. Budd told SecurityWatch that some insurance vendors can be reached over the phone or in person.
Most modern browsers, like Chrome, will throw up a warning screen if they detects anything untoward about the site's certification. "If your browser raises a warning, stop there unless you know what you're doing," said Budd.
Time for Change
Budd acknowledged that states have an uphill battle tackling the security issues surrounding the Marketplaces. He said that public-key infrastructure, the cryptographic technology that secures these kind of communications, was "one of the most complicated, costly, and confusing technologies out there." Add to the fact that most states are strapped for cash these days, and it's not surprising that these issues exist.
To help protect users from scammers, Budd said that the first priority should be to get SSL in place for each and every site associated with the ACA. Next, he suggested the creation of a seal—like the one used by Verisign—so less tech-savvy people know that they're on a legitimate site. He also suggested that the federal government could follow the lead of the financial industry and audit ACA sites.
Budd stressed that the Insurance Marketplaces—indeed, this entire service—are brand new. He pointed again to the financial sector, which took years to fine-tune its approach to the online services. Given the level of interest in this program, scammers and spammers won't be far behind. Hopefully, the Marketplace sites will mature quickly enough to meet those threats.

Be Smart About Checking Your Online Bank Account

ThreatMetrix Online Banking 475
Do you check your bank account on almost all devices you own? If the answer is yes, you might want to consider changing your ways. ThreatMetrix, a provider of cybercrime prevention solutions, released data from a ThreatMetrix Global Trust Intelligence Network study done from May 1 through July 13, 2013 that showed banking website customers use the most devices to access online accounts, more than all other website categories examined. These included personal and work computers, smartphones, and tablets.
Other industries that the study looked at, like e-commerce, enterprise, social networks, government, and healthcare, have a considerably lower number of singular devices per account. About 68 percent of accounts across all these industries are accessed by one device each month, 19 percent are accessed by two devices, and 7 percent are accessed by three devices. Combined, these industries' accounts are accessed by an average of 1.79 devices per account as opposed to bank accounts.
Surprisingly, on average, people access their online bank account on 2.4 unique devices. As of this past July, the study revealed that 55 percent of bank accounts are accessed by one device, 26 percent are accessed by two devices, 11 percent are accessed by three, and 4 percent are accessed by four.
The data also shows that there are some accounts accessed by as many as twenty devices in a month timespan, which is a serious concern. The more devices you access your bank account on, the more you're putting yourself and your bank at serious risk for fraud and malware threats.
Device Security Screening
It's important for online banks and other businesses to have preventative screening so that they can authenticate returning users and devices and ensure that suspicious account logins require additional screening. Unlike other online services that rely on cookies to determine the number of devices accessing accounts, ThreatMetrix uses a cookieless device identificaton technology they call Smart ID. This allows them to match visitors with devices even if they have wiped their cookies, used private browsing, or changed IP addresses.
Threatmetrix's website consumers are able to see which devices and activity could be suspicious and need further screening by showing a more accurate number of devices that have accessed accounts. More businesses should look into using device identification technology similar to Smart ID in order to provide better protection for their customers.
You can't just rely on your bank to keep your personal data safe; you have take responsibility as well. Limit the number of devices you access your bank account on and only check it when absolutely necessary. Be smart about which device you decide to access sensitive data on.