After Exposure, Security Holes Sealed In Minnesota’s Health Exchange

A security flaw has been fixed on MNsure, Minnesota’s health insurance marketplace — one that had left users vulnerable to data interception by hackers.

The fix follows an MPR story last week and a meeting Monday between forensic analyst Mark Lanterman and the state’s chief information security officer, Chris Buse. At the meeting, Lanterman explained how he discovered the flaw and how the state could resolve the problem.

Lanterman tested for the flaw again Tuesday. “I’m happy to report that MNsure is no longer vulnerable to this attack,” he said.

The problem was complex, but it came down to this: MNsure’s flaw allowed private data to be transmitted unencrypted, leaving consumers’ personal information unprotected.

As people access a website, there’s a lot of communication between their computers or smartphones and the site’s servers. When sensitive information, such as a credit card number, is involved, websites typically offer a secure, encrypted connection so no one can eavesdrop and steal the information. Many websites protect users by severing connections to other computers if encryption is not working correctly.

But that was not true in this case.

Here’s one way this flaw could be exploited: A hacking device can offer up what appears to be a standard Wi-Fi connection to the Internet. But when a user connects to a website through that device’s Internet connection, it attempts to strip away security measures. In the case of the MNsure site, that would allow a hacker to see the users’ log-ins.

Since that tool works like a standard Wi-Fi router, it can capture information coming from computers or smartphones within a range of as much as 150 yards, according to Lanterman. This would allow a hacker to set up near libraries, coffee shops or other locations where computer users expect to find safe Wi-Fi connections.

But in those instances, MNsure’s website continued to permit users to send sensitive data.

The flaw in the site is now fixed.
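The article does not say how the site was fixed. The check below is an added example (not MNsure’s or MPR’s code) that tests whether a site refuses plain-HTTP traffic in the two standard ways that defeat the downgrade described above: redirecting unencrypted requests to HTTPS, and sending a Strict-Transport-Security header so browsers refuse unencrypted connections on later visits. The sample responses and the host example.test are constructed.

```python
# Added example, not MNsure's code: checks whether a site refuses to carry
# traffic over plain HTTP. Two defences are tested: plain-HTTP requests are
# redirected to https://, and the HTTPS response carries a
# Strict-Transport-Security (HSTS) header with a long enough max-age.
import re

HSTS_MIN_AGE = 31536000  # one year, the commonly recommended minimum


def parse_response(raw: str) -> tuple:
    """Parse a constructed HTTP/1.1 response head into (status, headers)."""
    head, *lines = raw.strip().splitlines()
    status = int(head.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def enforces_https(http_raw: str, https_raw: str) -> list:
    """Return weaknesses found; an empty list means both defences are present."""
    status, h = parse_response(http_raw)
    _, hs = parse_response(https_raw)
    problems = []
    loc = h.get("location", "")
    # A plain-HTTP request must be redirected to an https:// URL, never
    # answered with the page itself, which is what a stripping proxy relays.
    if status // 100 != 3 or not loc.lower().startswith("https://"):
        problems.append("plain HTTP served instead of redirected to HTTPS")
    hsts = hs.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header on HTTPS response")
    elif hsts_max_age(hsts) < HSTS_MIN_AGE:
        problems.append("HSTS max-age shorter than one year")
    return problems


# Constructed sample responses: a weak site and a hardened one.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
HARD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/login\r\n"
HARD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n")
```

Running `enforces_https(WEAK_HTTP, WEAK_HTTPS)` reports both weaknesses, while the hardened pair returns an empty list.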

Forensic professionals legally use devices like these to detect security weaknesses in wireless networks. But in the wrong hands, they are a hacker’s best friend.

Buse said the MNsure site is safe and always has been. Still, he called website security an ongoing journey. He said that although new threats appear daily, chances are slim that a hacker could use a device to convince a computer that it is connected to MNsure. He said a successful attack requires several elements, among them a high level of sophistication, the right tools and close proximity to the user.

“So when you think of all these things happening in the real world, this type of attack has a pretty low probability of actually occurring to anybody that’s planning to go to the MNsure site,” Buse said.

But Lanterman disagreed. He said there’s no way to know how widespread an attack could be, because using it leaves no trace.

The security problems at MNsure are just one aspect of a rocky rollout of the Affordable Care Act in Minnesota. On Tuesday the exchange’s executive director, April Todd-Malmlov, resigned after criticism about an ill-timed tropical vacation and various problems with the site.