As readers of RISKS know, many Internet users think that HTTPS is equivalent
to security. Here's an example where that went badly wrong.
My employer uses an online service to handle signups for the flexible
spending plan (*). It uses an HTTPS form to collect the usual personal
info: name, address, social security number, and amount to be deducted. So
far, so good. I don't know what it does with the information (presumably
puts it in a database, which has its own issues). Then they e-mail the
information back to the user for confirmation, including the SSN.
Interestingly, *someone* at the company understood the risks, because their
"security and privacy" policy on their home page notes that unencrypted
e-mail is not safe. (**) Whoever wrote that policy obviously wasn't working
with the people building the system.
The response when we pointed the problem out was "we use HTTPS, so we're
secure". After several rounds of back-and-forth with the vendor, they
admitted the problem, and proposed to fix it early next year. Since this is
software that gets used once a year (to meet the Dec 31st deadline), that
was clearly a silly proposal, since all users would be forced into using the
incorrect version. So after some arm-twisting, they changed the
confirmation message to eliminate all but the last 4 digits of the SSN. A
big improvement.
The risk here is that this is a commercial system that's presumably used by
many other companies besides ours. How many other companies use this flawed
system and never objected? And how many other equivalent systems are there
out on the net? If I were looking for an easy way to commit identity theft,
I'd be monitoring e-mails coming out of that company... chances are there's
a lot of good info! (Which is why I'm not giving their name or URL!)
-----
(*) A flexible spending plan is established by US tax law to allow tax-free
deductions from salary into an account which can then be used to pay for
medical or child care expenses. By law, you have to decide by December 31st
how much money will be deducted in the following year, and you (generally)
can't change that decision once it's made. Also, any unspent money is not
returned to the employee, so it's important to estimate accurately. Because
of the legal Dec 31st deadline, it wasn't possible/feasible to wait for a
more appropriate resolution of the problem.
(**) I did a Google search on the actual phrase used on their Web page to
see if it would disclose who the vendor is. They were the only vendor of
their type who used the particular phrase, which is why I haven't quoted it
verbatim, but it seems to be a catch phrase used in MANY security and
privacy policies. So perhaps they just cut & pasted it without having a
clue what it meant.
--Jeremy
P.S. Yes, I understand there are a lot of other risks in this system besides
just sending the SSN unencrypted. This was just particularly egregious. [Jeremy Epstein via risks-digest Volume 21, Issue 83]
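The fix the vendor eventually shipped (keeping only the last four digits of the SSN in the confirmation e-mail) and an outbound check that would have caught the original message, as an added illustration; this is example code written here, not anything from the vendor or the poster, and the record fields, message wording and SSN pattern are assumptions.

```python
import re
from dataclasses import dataclass

# SSN-like token: nine digits, optionally hyphenated 3-2-4. Used only to detect
# an unmasked value in text that is about to leave over unencrypted e-mail.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


@dataclass
class Enrollment:
    name: str
    ssn: str       # full SSN as collected over the HTTPS form (assumed field)
    amount: float  # annual deduction in dollars (assumed field)


def mask_ssn(ssn: str) -> str:
    """Return the SSN with everything but the last four digits masked."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return "XXX-XX-" + digits[-4:]


def build_confirmation_unsafe(e: Enrollment) -> str:
    """The pre-fix behaviour described in the post: full SSN echoed back."""
    return (f"Dear {e.name},\n"
            f"Your flexible spending deduction of ${e.amount:,.2f} is recorded.\n"
            f"SSN on file: {e.ssn}\n")


def build_confirmation(e: Enrollment) -> str:
    """The fixed behaviour: only the last four digits appear."""
    return (f"Dear {e.name},\n"
            f"Your flexible spending deduction of ${e.amount:,.2f} is recorded.\n"
            f"SSN on file: {mask_ssn(e.ssn)}\n")


def contains_full_ssn(text: str) -> bool:
    """Outbound gate: True if an unmasked SSN-like value is present."""
    return SSN_RE.search(text) is not None


def confirmation_for_sending(e: Enrollment) -> str:
    """Build the message and refuse to hand it to the mailer if it leaks an SSN."""
    msg = build_confirmation(e)
    if contains_full_ssn(msg):
        raise RuntimeError("refusing to send: full SSN present in outbound mail")
    return msg
```

The gate is independent of the masking function, so a later change that reintroduces the full SSN into the template is caught before the mail goes out.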