Security experts identify MNsure vulnerability
ST. PAUL, Minn. (AP) — Internet security experts have identified flaws in Minnesota's online health insurance marketplace that they say could compromise sensitive consumer data.
The MNsure website is vulnerable to "rogue access points," Minnesota Public Radio reported Thursday. Such a device masquerades as an ordinary wireless connection to the Internet; when a user unwittingly connects through it, the device strips the encryption from the session between the user's browser and the site. That lets the attacker read the information passing between the user and MNsure's site.
When sensitive information is involved, websites typically offer encrypted (HTTPS) connections so no one can eavesdrop. Some websites refuse unencrypted requests outright, severing the connection or sending the customer's computer or smartphone to the encrypted version of the page. But MNsure's site allows unsecured transmissions to go through, according to MPR.
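The defence described above, modelled as an added example (this is illustrative code, not MNsure's site or configuration): a small WSGI middleware that refuses to serve the login page over plain HTTP, redirects every plaintext request to its https:// equivalent, and adds a Strict-Transport-Security (HSTS) header on encrypted responses so a browser that has seen the site once will not try plaintext again. The hostname, the toy login page and the one-year HSTS policy are assumptions made for the example; a checker function labels responses the way a tester probing for the weakness would.

```python
"""HTTPS-only enforcement for a WSGI app, plus a response checker.

Added example, not code from MNsure. It models the defence the article
describes: refuse plaintext by redirecting http:// to https://, and send
Strict-Transport-Security so browsers stop attempting plaintext.
Hostname, toy app and HSTS policy below are constructed for the example.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, assumed policy


def enforce_https(app):
    """WSGI middleware: plaintext requests get a 301 to the https:// URL,
    https responses get an HSTS header. Behind a TLS-terminating proxy the
    scheme would come from X-Forwarded-Proto instead of wsgi.url_scheme."""

    def wrapper(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if scheme != "https":
            host = environ.get("HTTP_HOST", "")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            target = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            # Never serve the form, the login page or anything else in the clear.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return wrapper


def login_page(environ, start_response):
    """Toy application: a login form that must never travel in plaintext."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post><input name=user>"
            b"<input name=pw type=password></form>"]


def call(app, scheme, host="mnsure.example", path="/login", qs=""):
    """Drive a WSGI app directly (no socket); return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": qs, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def classify(status, headers):
    """Label the response to an http:// request as a tester would:
    'plaintext' (the weakness the article describes), 'redirect-https',
    or 'other'."""
    if status.startswith("200"):
        return "plaintext"
    if (status[:3] in ("301", "302", "307", "308")
            and headers.get("Location", "").startswith("https://")):
        return "redirect-https"
    return "other"


if __name__ == "__main__":
    for name, app in (("unprotected", login_page),
                      ("enforced", enforce_https(login_page))):
        st, hd, _ = call(app, "http")
        print(name, "over http ->", st, classify(st, hd))
    st, hd, _ = call(enforce_https(login_page), "https")
    print("enforced over https ->", st, hd.get("Strict-Transport-Security"))
```

One caveat a tester should keep in mind: the redirect alone does not defeat the rogue access point in the article, because that device sits on the plaintext leg and can simply swallow the redirect and keep serving the page in the clear. What stops the downgrade is the browser refusing to send plaintext at all, which is what the HSTS header achieves for anyone who has previously reached the site over HTTPS (and, with preloading, for first-time visitors too). A site that answers an http:// request with 200 and a login form, as the unprotected case here does, is the condition the testers were reporting.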
"The problem is fairly simple," said Mark Lanterman, a forensic computer security analyst in Minnetonka. "A relatively inexpensive device is capable of preventing a secure connection to the MNsure webpage and the webpage is allowing that to happen."
According to Legislative Auditor Jim Nobles, the vulnerability is a serious concern that MNsure needs to acknowledge and address. Nobles has said that if the issue is not adequately addressed, his office will examine it during a security audit of MNsure next year.
"Because of this vulnerability, anything that you're typing into that webpage can be read by the bad guy," Lanterman said. "So that could be your username, password. And once he or she has your login credentials, they then have access to the same exact information that you would have on your own account."
Troy Hunt, a software architect in Sydney, Australia, who specializes in computer security for the Pfizer pharmaceuticals company, said that if a hacker captures a user's log-on information through MNsure's vulnerability, it could expose the user to further problems, because people inevitably reuse passwords across multiple accounts.
Chris Buse, the state's chief information security officer, said the MNsure site is safe and people should feel comfortable using it. He said the probability of a successful attack, such as one that Lanterman described, was slim.
"We've done our own testing," Buse said. "We've tried to replicate what we think Mr. Lanterman did and I believe we've fixed the problem."
Buse and a team from his office plan to meet with Lanterman on Friday.
Copyright 2013 The Associated Press.