[conspire] Who authenticates to whom?

Rick Moen rick at linuxmafia.com
Mon Oct 2 17:32:21 PDT 2017


So, you know how phishing attacks work, right?  You get e-mail that 
claims to be from a person or firm you work with, wanting you to visit
a URL and do stuff.  This mail below (text portion; there was also an 
HTML portion) isn't quite that, but....

----- Forwarded message from kaiser.feedback at ipsos-research.com -----

Date: 25 Jul 2017 19:02:04 -0400
From: kaiser.feedback at ipsos-research.com
To: rick at linuxmafia.com
Subject: Feedback for Kaiser Permanente

Kaiser Logo

Dear Kaiser Permanente Member:

A week ago you should have received an e-mail invitation to complete our Kaiser
Permanente patient satisfaction survey. If you have already completed your
survey, thank you and please excuse this reminder.

If you have not yet had a chance to respond, please take a few minutes now to
complete our patient satisfaction survey by clicking here.

Or, copy and paste this link into your browser:
https://vckaiser.ipsos.com/KaiserNCAL13/?id=[redacted]&password=[redacted]

At Kaiser Permanente we want all of our patients to have an excellent care
experience. Your survey ratings tell us where we need to focus our attention,
as well as where our efforts are successful. Ipsos, a national marketing
research company, is our partner in conducting surveys of our members.

If you have trouble activating this survey, please call 1-800-966-1609 or
e-mail our helpdesk at kaiser.feedback at ipsos-research.com and list the subject
in the e-mail as Paperless Feedback.

Thank you very much for your participation!
-------------------------------------------------------------------------------

This e-mail is being sent to you by Ipsos on behalf of Kaiser Permanente. Ipsos
and Kaiser Permanente attempt to comply with all U.S. Federal and state laws
for commercial e-mail.

To remove your e-mail address from this survey list and avoid further e-mail
communications from us, please click here
-------------------------------------------------------------------------------

For information about Ipsos, you can visit http://www.ipsos.com
Sender:
Ipsos
222 S. Riverside Plaza
Chicago, IL 60606

----- End forwarded message -----

It's commendably forthright in that it says it's _not_ Kaiser
Permanente, my HMO, but a company asserting it's acting on Kaiser's
behalf and relaying Kaiser's wish that I visit an outsourced customer
satisfaction survey -- despite the use of the Kaiser logo and the word
"we" used as if they were Kaiser.

When you are a Kaiser Permanente HMO member, and deal with that
organisation online, all of your substantive communication and
information is via its Web site after authentication, viewed over https.  
You have more than adequate reason to believe you are not communicating
with imposters or leaking sensitive health information.  The only time
you get e-mail, it's to tell you to log in to that Web site to use the secure
messaging system -- because they are carefully mindful of HIPAA
requirements about security.

But this is, of course, routed with zero authentication across the open
Internet.  If you visit the URL (whose unique hash values I've redacted)
you are first asked to prove you're the patient, by providing personally 
identifying information.  At this point, I balk, say 'Hell no', and
close the browser tab.

Every time I've gotten one of these survey invitation mails over the
years, I've had the same reaction, which was to write to someone at
Kaiser about why this is a terrible idea and why I cannot in good
conscience participate.

This time, I carefully researched the right department:


  Kaiser Permanente Digital Experience Center 
  4460 Hacienda Drive, Building A, Third Floor 
  Pleasanton, CA 94588 

  Re: [personal stuff redacted] and Ipsos Research’s survey

  Dear Sirs: 

  I have a security & privacy concern about the outsourced patient-survey
  work handled by Ipsos Research, apparently under contract to Kaiser
  Permanente.

  In the computer security business that is part of my profession, we go
  to great lengths to coax users towards never giving out sensitive data
  to outsiders without extremely good justification.  In this case,
  following a visit to my personal care physician, [name], I once again
  received e-mail from Ipsos Research with a Kaiser logo on top and using
  the word "we" as if they were Kaiser Permanente, asking me to visit a
  vckaiser.ipsos.com URL and fill out a patient satisfaction survey.

  Yes, surely it was a reasonable guess that Ipsos Research’s survey was
  authorized by Kaiser management, but nothing whatsoever in that e-mail
  or elsewhere validates it, and essentially it says ‘Go to a third-party
  Web site run by people you’ve never heard of and enter personal
  information related to medical matters.’  I cannot determine what Ipsos
  would do with my answers.  All I know is it’s from someone who knows my
  name and knows or guesses that I’m a Kaiser member, which is no secret.
  Every day, I get phishing mails that guess where I bank, for example.  

  Upon visiting that URL, it asks me to confirm I’m [my full formal name],
  which is fine, because Ipsos Research already knows it, and it’s public
  information.  Confirming that, I am next asked to provide either my
  birth date or my Kaiser Medical Record Number to “verify” my identity –
  and my reaction is, sorry, neither of these is public data, you are not
  Kaiser Permanente, and I’ve been given no meaningful assurance that
  Ipsos has any legitimate purpose for asking.  Accordingly, I did not
  proceed.

  Now, before you say ‘Don’t worry, the survey is legitimate and you
  should fill it out’, please be aware that’s the lesser problem.  The
  larger one is that (assuming the survey is legit, as seems extremely
  likely) you and Ipsos are accustoming Kaiser patients to give out
  personal medical-relevant data (birth date or Kaiser number, at minimum)
  to unknown-to-them Internet concerns they have really no reason to trust
  at all – and certainly not with a degree of confidentiality typical of
  medical matters (and in fact, no confidentiality at all).

  I have written to Kaiser before, some years ago, calling attention to
  this ongoing failure to follow best practices for electronic privacy,
  and made no impression.  It bothers me that I’m (in effect) unable to
  praise [doctor's name] and the [office location] staff’s excellent care 
  while still acting prudently in matters of online information security.
  [Doctor's name] and staff deserve better, and so do Kaiser’s patients.

  A sufficient fix, in my estimation, would be for the survey request with
  vckaiser.ipsos.com URL to be sent from within KP HealthConnect’s Message
  Center subsystem, rather than just arriving at the patient’s Internet
  e-mail mailbox from some unknown Internet site.  Or, alternatively, KP
  HealthConnect’s Message Center could send the patient a notice saying
  “You’ll be receiving soon a survey request from Ipsos Research citing
  ticket #nnnnnn.  Please fill it out, to give us feedback about customer
  satisfaction.”  Either would fix the problem.

  As things stand, I can neither participate in your patient satisfaction
  surveys nor recommend other Kaiser members do so.  It’s bad security and
  sets a bad, and in fact dangerous, precedent for communication with
  patients.

Long after sending this overlong letter, I realised the right way to
articulate the central point:  They needed to authenticate themselves to
_me_, and not expect me to authenticate myself to _them_.

An apt analogy would be incoming cold telephone calls from people who
start out by asking you, the person called, questions.  These days, I 
ignore those questions completely and say

o  Who are you?
o  For whom are you calling?
o  Please state your business.

Random callers don't get to ask questions.


I most certainly didn't expect Kaiser's massive bureaucracy to respond
to a letter from little ol' me by altering an outsourcing contract
long-ago decided with upper management buy-in.  Instead, someone would
obviously be tasked with justifying the iceberg's motion as right and
proper.  I was not disappointed.  I expected a form letter, but this 
was actually substantive and carefully written, if somewhat evasive.

I won't type in the letter, but can summarise it:


1.  It's from the Director of Patient Satisfaction at Kaiser HQ,
who is obviously extremely intelligent and fully understands the 
issue I raise.  (And was entirely cordial.)

2.  The Director blandly ignores and talks around my point about 
accustoming Kaiser patients to give out personal medical-relevant data
to unknown-to-them Internet concerns they have really no reason to trust
at all.  Instead, she stresses that Kaiser and Ipsos Research are scrupulous
about ensuring HIPAA compliance, and dismisses giving out one's birth
date or last four digits of one's Kaiser medical record number as
'useless to anyone else as a form of identifying you, since only the
complete medical record number is meaningful.'

The Director's implicit point is that, when all is said and done, Kaiser 
isn't required to heed a patient's notions of best practices and good
security.  Their lawyers and other advisors tell them they're covered,
and the Director is politely telling me so.  Fair enough.

3.  She rather cheekily closes by thanking me for taking the time to
complete the surveys -- knowing that I will not under current
conditions.

4.  As to my suggestion about how the Ipsos questionnaire could be 
authenticated to the user with only one or another of some small
improvements, she thanked me for the suggestion and says they will
consider it for the next survey revision cycle.


Better than a kick in the pants, I guess.  Actually, fairly impressive.
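As an added illustration (not part of the original post, and not Kaiser's or Ipsos's code), here is the second suggested fix modelled in Python: the authenticated channel (the portal's message center) pre-announces "you will receive a survey from <vendor> citing ticket #N", and the patient's side then accepts an unauthenticated e-mail only if it cites a ticket that was announced, has not expired or been used, and links to the announced vendor host over https. The hostnames, message texts and the `Portal` class are constructed for the example; the only thing taken from the post is the idea that the trusted channel announces the ticket and the untrusted one merely cites it.

```python
"""Pre-announced ticket check: trust an inbound mail only if the
authenticated channel already told us to expect it (added example)."""
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Ticket format is an assumption for this example: 16 hex digits after '#'.
TICKET_RE = re.compile(r"ticket\s*#\s*([0-9a-f]{16})", re.IGNORECASE)


@dataclass
class Announcement:
    vendor_host: str   # host the survey link must point at
    ticket: str        # unguessable value announced via the portal
    issued_at: int     # seconds since epoch (caller supplies the clock)
    ttl_seconds: int
    used: bool = False


class Portal:
    """Stands in for the authenticated channel (hypothetical message center)."""

    def __init__(self):
        self.announcements = {}

    def announce(self, vendor_host, now, ttl_seconds=14 * 86400):
        # 64 random bits: a sequential "ticket #nnnnnn" would be guessable
        # by anyone who knows the vendor sends surveys, so use a nonce.
        ticket = secrets.token_hex(8)
        self.announcements[ticket] = Announcement(
            vendor_host.lower(), ticket, now, ttl_seconds)
        return ticket


def verify_survey_mail(portal, body, link, now):
    """Decide whether an unauthenticated survey mail is the one the
    portal announced.  Returns (accepted, reason)."""
    m = TICKET_RE.search(body)
    if not m:
        return False, "no ticket cited"
    ann = portal.announcements.get(m.group(1).lower())
    if ann is None:
        return False, "ticket never announced via authenticated channel"
    if ann.used:
        return False, "ticket already used"
    if now > ann.issued_at + ann.ttl_seconds:
        return False, "ticket expired"
    u = urlparse(link)
    if u.scheme != "https" or not u.hostname:
        return False, "survey link is not an https URL"
    if u.hostname.lower() != ann.vendor_host:
        return False, "survey link host does not match announced vendor"
    ann.used = True          # one-time use: a replayed mail is rejected
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample exchange.
    portal = Portal()
    t = portal.announce("vckaiser.ipsos.com", now=1_000)
    mail = f"Please complete our survey; this request cites ticket #{t}."
    print(verify_survey_mail(portal, mail,
                             "https://vckaiser.ipsos.com/KaiserNCAL13/?id=X", 2_000))
    print(verify_survey_mail(portal, "Please take our survey now.",
                             "https://vckaiser.ipsos.com/KaiserNCAL13/?id=X", 2_000))
```

The point of the model is the direction of authentication: nothing here asks the patient for a birth date or record number; instead the sender proves, by citing a value only the authenticated channel could have given the patient, that the mail is the one the patient was told to expect.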




