MNsure security vulnerable to hackers, experts say

When Minnesota's online health insurance marketplace unveiled its website in October, state IT officials described MNsure's security measures as "state of the art."

But Internet security experts have identified flaws in MNsure's website that could compromise sensitive consumer data. They say the site is vulnerable to what are known as "rogue access points," devices that can masquerade as a standard wireless connection to the Internet.

As people access a website, there's a lot of communication that occurs between their computer or smartphone and the site's servers. When sensitive information is involved, such as a credit card number, websites typically offer a secure, encrypted connection so no one can eavesdrop and steal the information.

If for some reason the device does not wind up using encryption, some websites will sever the connection. But in those instances, MNsure's website will continue working over the unencrypted connection.

Security experts say allowing private data to come through unencrypted leaves consumers vulnerable to rogue access points that allow hackers to break into the computers or smartphones of people who are within 20 yards. The device, which MPR News is not identifying by name, manipulates a person's computer so that instead of communicating with the MNsure site it is connected to the hacker.


"The problem is fairly simple," said Mark Lanterman, a forensic computer security analyst in Minnetonka, Minn. "A relatively inexpensive device is capable of preventing a secure connection to the MNsure webpage and the webpage is allowing that to happen."

Minnesota's Legislative Auditor's office also considers MNsure's vulnerability to the device a serious concern that needs to be acknowledged and addressed by the state. State Legislative Auditor Jim Nobles has said if the issue is not addressed adequately, his office will examine the issue when it conducts an I.T. security audit of MNsure next year.

With enough battery power to operate for several days, the device, which costs less than $100, can capture a user's password or any other private data entered over a Wi-Fi network.

Forensic professionals legally use the device to detect security weaknesses in wireless networks. But in the wrong hands, it's a hacker's best friend.

"Because of this vulnerability, anything that you're typing into that webpage can be read by the bad guy," Lanterman said. "So that could be your username, password. And once he or she has your log in credentials, they then have access to the same exact information that you would have on your own account."

The device works by tricking computer users into thinking their laptop or smartphone is connected to a known Wi-Fi hotspot. It strips away the safety measures but still shows the little key or lock icon that typically signals that a website is secure.

MNsure received about $151 million in federal funding to design and create the state's online insurance marketplace.

The money also pays for ongoing operations and for "navigators" -- people MNsure certifies to help others use the site to pick insurance plans.


MNsure officials directed questions about the site's security to MN.IT, the state agency that in 2011 consolidated the I.T. functions of 95 state agencies, boards and commissions. MN.IT took the lead in developing and managing MNsure's security.

Chris Buse, the state's chief information security officer, said the MNsure site is safe and always has been. He said people should feel comfortable using it to buy their health insurance.

"We've done our own testing," Buse said. "We've tried to replicate what we think Mr. Lanterman did and I believe we've fixed the problem."

Still, Buse called website security an ongoing journey. He said that although new threats appear daily, the chances are slim that a hacker could use a device to convince a computer that it is connected to MNsure. He said a successful attack requires several elements, among them a high level of sophistication, the right tools and close proximity to the user.

"So when you think of all these things happening in the real world, this type of attack has a pretty low probability of actually occurring to anybody that's planning to go to the MNsure site," Buse said.

Lanterman, however, said there is no way to know how widespread a security problem the device in question presents, because an attack using it leaves no trace.

Despite the state's assurances, Lanterman said MNsure is still vulnerable, as are at least seven other state-based insurance exchanges. He said the federal exchange is not.

Lanterman said the MNsure site's vulnerability to unencrypted information would be relatively simple to fix. Less than a half dozen I.T. experts could prepare a remedy for about $10,000, he said.


A solution could come soon, as Buse and a team from his office plan to meet Friday with Lanterman.

Other forensic analysts see another problem connected with MNsure's site.

Users don't just load a single webpage when they click on a website; they load the page and as many as 40 other elements that go on it. Every one of those items should load securely, but MNsure's sign-on page leaves parts unencrypted, said Troy Hunt, a software architect in Sydney, Australia, who specializes in computer security for the Pfizer pharmaceuticals company.

"The log-in page looks secure, the surface veneer," Hunt said. "Then it puts other things on the page that are not secure."

At least three browsers alert consumers to the problem through security icons on the address bar. When consumers click on Firefox's security icon, for example, under the headings More Information and Technical Details, it reads, "Parts of the page are not encrypted before being transmitted over the Internet. Information sent over the Internet without encryption can be seen by other people while it is in transit."
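The two weaknesses the article describes, a site that keeps working when the connection falls back to plain HTTP and a sign-on page that pulls in unencrypted sub-resources, are both things a site operator can check for. The following is an added example written for this article, not code from MPR News, MN.IT or MNsure; the host names exchange.example and cdn.example, the sample page and the response headers are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not MNsure's real page): an HTTPS sign-on page that
# pulls some of its sub-resources in over plain HTTP.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="https://exchange.example/css/site.css">
<script src="http://exchange.example/js/analytics.js"></script>
<script src="//cdn.example/js/widget.js"></script>
</head><body>
<img src="http://exchange.example/img/banner.png">
</body></html>
"""

class MixedContentFinder(HTMLParser):
    """Collect sub-resources a browser would fetch without TLS."""
    FETCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.FETCHED.get(tag)
        # Only fetched <link>s (stylesheets) count; rel=canonical is metadata.
        if attr is None or (tag == "link" and
                            "stylesheet" not in (a.get("rel") or "").lower()):
            return
        # Scheme-relative "//cdn..." inherits https from the page, so only
        # an explicit http:// URL is mixed content.
        if urlparse(a.get(attr) or "").scheme == "http":
            self.insecure.append(a[attr])

def find_mixed_content(html):
    p = MixedContentFinder()
    p.feed(html)
    return p.insecure

def check_https_enforcement(plain_status, plain_headers, tls_headers):
    """The http:// endpoint should redirect to https:// rather than keep the
    application usable, and the https:// response should carry HSTS so a
    browser that has seen the site refuses plaintext on later visits."""
    ph = {k.lower(): v for k, v in plain_headers.items()}
    th = {k.lower(): v for k, v in tls_headers.items()}
    redirects = (plain_status in (301, 302, 307, 308) and
                 ph.get("location", "").startswith("https://"))
    has_hsts = "max-age=" in th.get("strict-transport-security", "")
    return redirects, has_hsts
```

On the sample page, find_mixed_content flags the analytics script and the banner image, which is exactly what triggers the Firefox warning quoted above; check_https_enforcement returns (False, False) for a server that answers a plain-HTTP request with 200 and no HSTS, the behaviour the article attributes to MNsure.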

Hunt said that's a problem.

"By the time you're actually entering a username and a password, the page could already be compromised and every key you type could be sent off to an attacker somewhere."

Hunt said that if a hacker captures a user's log-on information because of MNsure's security vulnerabilities, it can have a lasting effect, as people inevitably reuse passwords across multiple accounts. He said each website has a responsibility to protect not only its own content but the content on other sites.

Buse, of MN.IT, said the mix of encrypted and unencrypted parts of the site isn't a security risk but a usability issue.

"All the pieces of the site that needed to be encrypted are encrypted so we're working on some fixes to the site to bring all content in from a secure site because it results in helpdesk calls," he said. "It's not a security issue but it certainly confuses users and that's what we're trying to address right now."

Buse said the need for such a fix came to light at the last minute during the final testing of the system.

"There were some extremely stringent deadlines to get this system up and running by October first and there were some pieces like this that are look-and-feel type of issues that still need to be taken care of," he said.
