At first I thought they were spam, but they had my first name and last name in them and “looked” legit. A quick Google search for “” shows it to be some cloud-based patient portal. The URLs in the email matched their site and the email was sent from the “redacted-db19” mail server, so everything about this looked legitimate.

I figured one of my doctors had started using this online portal. The first one contained a username and the second one, sent a minute later, contained a temporary password. But whatever, there are a lot of amateurs out there, so I better go sign in and change the password.

No verification of the account ownership. Imagine my surprise when I logged in with the username in the first email and the temporary password and was immediately prompted to change my password! Just immediately dropped to an old password, new password, enter new password again style password reset dialog. Still operating under the assumption that this was sent to me, but making a mental note to talk with whichever of my doctors is using this product about its lack of security, I changed the password and hit submit.

There, plain as day, was the full personal information for a “Robert Peck” who lives in New York City. I saw his full name, address, both cell phone and home phone, even the last 4 of his social (the first 5 were X-ed out, but I’m guessing they have that too). History of visits with doctors. Everything I would need to convincingly impersonate this person was handed to me with absolutely no verification that I was this person. Even a rudimentary “enter your birthdate” on the password reset dialog would have stopped me, because, obviously, I am not that person.

Then I looked over at the email more closely, and it was sent by in care of some doctor in New York City. I should have caught that first, but I completely glossed over it. So this company,, is holding people’s personal identifying information and health information, and literally all you need to get it is a mistyped email address. I thought about this for a little bit and asked my coworkers for advice. They practice no good security policy when it comes to handling this type of information.
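The reset flow the post describes, beside a hardened version with the birthdate check the author suggests, as an added Python example that is not part of the original post and not the portal's own code; the account fields, the one-hour credential lifetime, the five-attempt lockout and the sample values are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_ATTEMPTS = 5  # assumption: burn the temporary credential after this many failures


@dataclass
class PatientAccount:
    username: str
    birthdate: str  # ISO date the practice already holds, e.g. "1970-01-01" (constructed)
    password: Optional[str] = None
    temp_password: Optional[str] = None
    temp_expires: Optional[datetime] = None
    failed_attempts: int = 0


def issue_temporary_password(acct: PatientAccount, now: datetime) -> str:
    """Mint the short-lived random temporary password that the portal emails out."""
    acct.temp_password = secrets.token_urlsafe(12)
    acct.temp_expires = now + timedelta(hours=1)  # assumption: one-hour lifetime
    acct.failed_attempts = 0
    return acct.temp_password


def weak_reset(acct: PatientAccount, username: str, temp_password: str, new_password: str) -> bool:
    """The flow in the post: whoever received the email owns the account, nothing else is checked."""
    if acct.username == username and acct.temp_password == temp_password:
        acct.password, acct.temp_password = new_password, None
        return True
    return False


def verified_reset(acct: PatientAccount, username: str, temp_password: str,
                   claimed_birthdate: str, new_password: str, now: datetime) -> bool:
    """Hardened flow: the emailed credential must be unexpired, the requester must also present
    a fact the practice already holds (birthdate), and repeated failures burn the credential."""
    if acct.temp_password is None or acct.temp_expires is None or now >= acct.temp_expires:
        return False
    ok = acct.username == username
    # constant-time comparisons; every factor is evaluated before any state changes
    ok &= hmac.compare_digest(acct.temp_password.encode(), temp_password.encode())
    ok &= hmac.compare_digest(acct.birthdate.encode(), claimed_birthdate.encode())
    if not ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.temp_password = None  # a fresh reset request is now required
        return False
    acct.password, acct.temp_password = new_password, None
    return True
```

Even with the extra check, a birthdate is a low bar; it only blocks the accidental or opportunistic case the post describes, and the attempt limit is what keeps it from being guessed.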