Obamacare website security called 'outrageous': How safe is it? (+video)
Glitches in the Obamacare website are well known, but some cyber experts are also raising red flags about the site's security. They point to a variety of concerns.
(Page 2 of 2)
'Clickjacking.' The government site lacks defenses to prevent an attacker from placing an invisible layer over the legitimate website, Ms. Shah added. As a result, a user who believes he is clicking a link or button on the real site could instead be interacting with a renegade site that looks just the same, and end up divulging personal information to it.
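The defense in question is a response header that tells the browser not to render the page inside another site's frame. The following is an added example written for this article, not code from the Monitor or from any of the experts it quotes: it checks a set of response headers for that protection (X-Frame-Options and the newer Content-Security-Policy frame-ancestors directive), shows the hardened headers a site would send, and builds the kind of transparent-overlay page an attacker uses. The sample header sets are constructed for illustration and are not captured from any real site; header names are assumed lower-cased, as Node's http module delivers them.

```javascript
// Added example, not code from the article or from any of the experts it
// quotes: check whether a response's headers stop an arbitrary site from
// loading the page inside an iframe, which is what a clickjacking overlay
// needs. Header names are assumed lower-cased, as Node's http module
// delivers them; the sample headers below are constructed, not captured.

// Return the source list of a CSP frame-ancestors directive, or null when
// the policy has no such directive.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Decide whether any origin may frame the page. Returns { framable,
// protection } where protection names what decided: 'csp', 'xfo' or 'none'.
function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (typeof csp === 'string') {
    const sources = frameAncestors(csp);
    if (sources !== null) {
      // When both headers are present, browsers that understand CSP let
      // frame-ancestors override X-Frame-Options. Only these tokens open
      // framing to arbitrary origins; 'none', 'self' or a host list do not.
      const open = sources.some(s => ['*', 'http:', 'https:'].includes(s.toLowerCase()));
      return { framable: open, protection: 'csp' };
    }
  }
  const xfo = headers['x-frame-options'];
  if (typeof xfo === 'string') {
    const value = xfo.trim().toUpperCase();
    // DENY and SAMEORIGIN are honoured everywhere. ALLOW-FROM was never
    // supported by Chrome and Firefox has dropped it, and browsers ignore
    // unrecognised values entirely, so anything else leaves the page framable.
    return { framable: !(value === 'DENY' || value === 'SAMEORIGIN'), protection: 'xfo' };
  }
  return { framable: true, protection: 'none' };
}

// Headers a site that never needs to be framed should send: both, so that
// browsers without CSP support still get the X-Frame-Options protection.
function hardenedHeaders() {
  return { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'none'" };
}

// The attacker's page, as a string: the target is loaded in a transparent
// iframe stacked above a decoy button, so a click on the decoy lands on the
// real site. targetUrl is a hypothetical page the attacker wants clicks on.
function clickjackPoc(targetUrl) {
  return [
    '<button style="position:absolute;top:80px;left:40px">Claim your prize</button>',
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      'width:800px;height:600px;opacity:0;z-index:2"></iframe>',
  ].join('\n');
}

// Constructed sample responses for the audit below (illustrative only).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  xfoOnly: { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  hardened: { 'content-type': 'text/html', ...hardenedHeaders() },
  misconfigured: { 'x-frame-options': 'DENY',
                   'content-security-policy': "default-src 'self'; frame-ancestors *" },
};

// Map each sample name to whether an arbitrary origin could frame it.
function auditSamples(samples = SAMPLES) {
  const result = {};
  for (const [name, headers] of Object.entries(samples)) {
    result[name] = framingProtection(headers).framable;
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSamples());
}
```

The `misconfigured` sample is the case worth remembering when auditing: a `frame-ancestors *` directive added for some partner integration silently cancels an `X-Frame-Options: DENY` in every browser that supports CSP, so checking for the presence of X-Frame-Options alone is not enough.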
Verification. A more fundamental problem is the way the website is set up, contends Christopher Budd, communications manager for Trend Micro, a Tokyo-based cybersecurity company. "The health insurance exchange isn't made up of a single, authoritative site where people can go and register for coverage," he wrote in a blog post. "In addition to the federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage," he said.
While the main federal site uses a key security feature called SSL to verify itself, "a survey of state and third-party sites also shows that official sites aren't required to provide the ability to verify the site using SSL," he writes. Many of those sites don't authenticate themselves that way, he said.
"As people look for health care exchanges, they're going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, but [they] won't be able to easily verify that claim," except based on how a site looks, Mr. Budd wrote.
Login fraud. Basic problems with the site could invite cybercriminals to use automated systems to break into individual accounts, according to researchers at TrustedSec in Strongsville, Ohio. They noted that nothing stopped an intruder from using an automated program to try password after password against the login page, with no limit on how many failed attempts it could make. Common tools exist to confirm that a human, not a program, is attempting the login, such as displaying a distorted word that only a human can read, which must then be typed into a box before the login is accepted.
“As you can imagine, the site is going to be a major target for hackers, other governments, and organized crime,” the TrustedSec researcher wrote. “There’s a lot of money to be made right now in an untapped market that is fresh for the picking.”
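The missing feature the TrustedSec researchers describe is a limit on failed logins. The following is an added example written for this article, not code from TrustedSec or from the site: it counts failures per account and per source address in a sliding window, locks a key out for a period once the count is exceeded, and replays a constructed attack trace to show what gets through. The policy values, addresses, account name and timestamps are all illustrative assumptions, not known facts about any real system.

```javascript
// Added example, not code from the article, from TrustedSec or from the
// site: sliding-window failure counting with temporary lockout, tracked
// separately per source IP and per account. Policy values are assumptions.
const POLICY = {
  maxFailures: 5,             // failures inside the window before lockout
  windowMs: 10 * 60 * 1000,   // sliding window in which failures are counted
  lockoutMs: 15 * 60 * 1000,  // how long a key stays locked afterwards
};

class LoginThrottle {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.failures = new Map();    // key -> failure timestamps (ms) in window
    this.lockedUntil = new Map(); // key -> timestamp (ms) when the lock ends
  }

  // Two keys per attempt, so one attacker spraying many accounts trips the
  // IP counter and many attackers on one account trip the account counter.
  static keys(ip, username) {
    return [`ip:${ip}`, `user:${username.toLowerCase()}`];
  }

  // Ask before checking the password. `now` is ms since the epoch, passed in
  // explicitly so the logic is deterministic and testable.
  check(ip, username, now) {
    for (const key of LoginThrottle.keys(ip, username)) {
      const until = this.lockedUntil.get(key);
      if (until !== undefined) {
        if (now < until) return { allowed: false, reason: `locked ${key}` };
        this.lockedUntil.delete(key); // lock has expired
      }
    }
    return { allowed: true, reason: 'ok' };
  }

  // Call after the password check. A success clears the account's counter
  // only: clearing the IP counter too would let an attacker who holds one
  // valid credential reset the limit between guessing runs.
  record(ip, username, success, now) {
    for (const key of LoginThrottle.keys(ip, username)) {
      if (success) {
        if (key.startsWith('user:')) this.failures.delete(key);
        continue;
      }
      const recent = (this.failures.get(key) || []).filter(t => now - t < this.policy.windowMs);
      recent.push(now);
      this.failures.set(key, recent);
      if (recent.length >= this.policy.maxFailures) {
        this.lockedUntil.set(key, now + this.policy.lockoutMs);
        this.failures.delete(key);
      }
    }
  }
}

// Replay attempts {t, ip, user, ok} (ok = the password would have been
// right) and return one decision per attempt.
function replay(attempts, policy = POLICY) {
  const throttle = new LoginThrottle(policy);
  return attempts.map(a => {
    const { allowed, reason } = throttle.check(a.ip, a.user, a.t);
    if (allowed) throttle.record(a.ip, a.user, a.ok, a.t);
    return { t: a.t, ip: a.ip, user: a.user, allowed, reason, succeeded: allowed && a.ok };
  });
}

// Constructed trace (not real traffic): one address hammers one account
// twice a second, has the right password on its 10th try, and the real
// owner then tries from another address a minute later and again after
// the lockout has run out.
const T0 = Date.parse('2013-10-20T12:00:00Z');
const ATTACK = [];
for (let i = 0; i < 10; i++) {
  ATTACK.push({ t: T0 + i * 500, ip: '203.0.113.7', user: 'jdoe', ok: i === 9 });
}
ATTACK.push({ t: T0 + 60 * 1000, ip: '198.51.100.4', user: 'jdoe', ok: true });
ATTACK.push({ t: T0 + 60 * 1000 + POLICY.lockoutMs, ip: '198.51.100.4', user: 'jdoe', ok: true });

function summarize(decisions) {
  return {
    allowed: decisions.filter(d => d.allowed).length,
    blocked: decisions.filter(d => !d.allowed).length,
    attackerSucceeded: decisions.some(d => d.ip === '203.0.113.7' && d.succeeded),
    ownerSucceeded: decisions.some(d => d.ip === '198.51.100.4' && d.succeeded),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(replay(ATTACK)));
}
```

In the replayed trace the attacker's correct guess never reaches the password check, but the account's real owner is also turned away for the length of the lockout. That side effect is why a human check of the kind the article mentions is usually placed between the failure counter and a hard lockout: it slows the automated program without letting it lock the owner out of his own account.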