20131013

Problem ID: 2525092769284475147
Entered by: Ben Simo
Is there a problem here?  

Healthcare.gov protects your account with insecurity questions

In creating an account at Healthcare.gov, users are asked to select three security questions and provide answers to them. I assume these are used in cases that users forget their username or password.

While challenge questions can help add security, they should be something that only the authorized person can answer. How do these questions from Healthcare.gov look?




These look like questions that are likely to be known by one's friends and family. Many of these are likely posted somewhere on the Facebook profile of many Americans.  How can these be secure?




And, if this wasn't bad enough, the insurance application process requires a security question and answer that third parties can use to access your information. For third party access to your account, you have to select one of only 4 options -- options that are likely to be known by friends and family, and your ex.





To me, these questions demonstrate a lack of respect for the American people. Anyone building a software system like the new Healthcare Insurance Marketplace should know better.


  Edit

6 Comments:

October 15, 2013 at 12:36 PM  
Comment ID: 6950933087359460525
Written by: Robert Martin

I think there is a delicate balance here in providing security questions that the user can easily remember the answers to and providing security questions that are, in fact, secure. If the security question is too obscure, it is detrimental to the user experience, even if it keeps the stuff secure.

Perhaps a blend of a security question and some other means (like e-mail recovery without exposing the e-mail address and then an embedded, timed link... without having the link timeout before the e-mail is received) is the best way because I'm not convinced, really, security questions alone do any good.

October 21, 2013 at 5:46 PM  
Comment ID: 7696568393008998374
Written by: Anonymous

There's no requirement that the answers to your security questions be factual.
Question: Where were you born?
Answer: On the side of the road.

October 30, 2013 at 9:49 AM  
Comment ID: 6925673111489011061
Written by: Bill Pytlovany

Anyone who answers factually is asking for trouble. These questions are better than most in the industry.
As the previous comment points out users should always have standard fake answers. How many years ago did a former Alaskan Governor have her email hacked since she answered correctly when asked where she went to high school.
My bank still asks for my mothers maiden name.

October 30, 2013 at 10:25 AM  
Comment ID: 1142132231844517070
Written by: Ben Simo

In testimony before a congressional committee this morning, HHS Secretary Sebelius referred to these questions as "personalized questions that can only be verified by you". They aren't.

And yes, we should not answer these questions truthfully. However, I suspect that most people aren't thinking that they need to answer these with something other than the truth. And by asking these specific questions, Healthcare.gov (and others) is setting people up to have their accounts compromised.

November 1, 2013 at 3:30 AM  
Comment ID: 148420854813168888
Written by: Anonymous

The problem with those security questions is that you need to have answers to them that YOU can remember and someone else can not. If you give true answers to any of the example questions, someone else would know the answer or look it up.
If you give untrue answers, as you should, then YOU cannot remember an answer on some site after many months (unless you administer what you answered, but who does that (and it is as worse as writing down your passwords)).

So this whole system of automated security questions and answers is flawed anyway.

If I forgot my password, how should I know the answer to a security question, I needed to madeup anyway, long ago (assuming I do not need to use this often, as I usually do remember my password),

November 13, 2014 at 8:01 PM  
Comment ID: 28677717051082081
Written by: Anonymous

I cant remember my security answers and therefore cannot get a new password reset .....so Im not able to buy health insurance as I cant sign in

Post a Comment