devon knows how they make them sooo stupid

Today's "what's irritated Mark today" award goes to EMIS
https://patient.emisaccess.co.uk

Today I booked an appointment with my Doctor online (5th November 2012), to discover that I was being asked to provide 5 answers to very commonly used pre-selected questions for future password resets on the system.

The questions are presently:

  • What was your childhood phone number including area code?
  • In what city or town did your Mother and Father meet?  †
  • What was the name of your primary school?
  • What was your favourite place to visit as a child?  †
  • What was the name of the Manager at your first job?  †
  • What was the make of your first car?  †
  • What is your Mother’s home town?
  • What is the first single/album you ever bought?  †
  • In what city and country do you want to retire?  †
  • What is your maternal Grandmother’s maiden name?

Of the 10 questions, only 6 (those marked †) can be considered not derivable from the public domain or through social engineering if you try hard enough. And if you are actually inside a target's Facebook social group, some of those become derivable too.

I have a major problem with their approach:

  • If this data is breached it's open season on password resets – à la the Sony PlayStation Network fiasco
  • I cannot understand why users are not given the choice to set their own questions, which they could then choose not to share with other systems
  • The password reset system was obviously NOT planned in from the beginning. Disaster normally strikes a system here: gate, shut, horse, bolted – bugger

As a BCS award winner, amongst awards from many other organisations, this sort of worries me:

http://www.emis-online.com/award-wins

  • The system received awards for its initial design, yet they have changed the front-end design three times in as many years, with no means of telling users in advance that this was happening
  • Changed the home page URL
  • Changed the login system (credentials), and again Jan/Feb 2013

In the words of John McEnroe – Award winners? “You cannot be serious?”

Solution

1. What is needed is a system like CPD, but where web sites join as entities, run by an "NGO security organisation" – I'd like this to be called CSD, Continuous Security Development.

2. Hold on, in fact, under an Act of Parliament, if your data is graded by the Data Commissioner as "mission critical" to someone's "life", the Data Protection Commission could actually be granted some powers.

If the Data Protection Registrar received a complaint from a member of the public, the DPR could be forced to grade the data held by the organisation being complained about. The organisations so graded would then have to have their CSD record inspected, a bit like a gas safety ticket if you live in rented property in the UK. Safe for use…

3. This grading then determines: access by the user; the holding duration of all record elements; the user's right to receive a report on who has seen which records, for what purpose and when; and whether these reports can be demanded free of charge once per year.

I distinctly remember being at a security and identity conference in 2009 and one of the speakers referencing a Scandinavian country where its citizens can opt to have a text or email whenever a clinician accesses their health records… (My ability to use Google to find the country has failed!)
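To make the point in 3 concrete, here is an added example (written for this post, not EMIS's code, and nothing to do with any real system) of the access audit trail such a report would need: every access to a patient's record is logged with who, what, why and when, the patient can pull a chronological report of it, and a patient who has opted in is told about each access the moment it happens, as in the Scandinavian scheme mentioned above. The record layout, purpose strings and the notification callback are assumptions; a real system would persist the log somewhere the clinicians cannot edit.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Constructed illustration of a patient-record access audit trail. The field
# names, purpose strings and notification hook are assumptions, not any
# vendor's schema.


@dataclass(frozen=True)  # frozen: an audit event must not be altered after the fact
class AccessEvent:
    patient_id: str
    clinician: str
    record: str      # which part of the record was opened, e.g. "prescriptions"
    purpose: str     # the declared reason for looking, e.g. "consultation"
    when: datetime   # UTC timestamp of the access


@dataclass
class AuditLog:
    events: list = field(default_factory=list)
    # Patients who opted in to be told about each access; maps patient_id to a
    # callback that stands in for sending a text or e-mail.
    subscribers: dict = field(default_factory=dict)

    def opt_in(self, patient_id: str, notify: Callable[[AccessEvent], None]) -> None:
        self.subscribers[patient_id] = notify

    def record_access(self, patient_id, clinician, record, purpose, when=None) -> AccessEvent:
        """Append an access event; refuse any access that declares no purpose."""
        if not purpose:
            raise ValueError("every access must declare a purpose")
        ev = AccessEvent(patient_id, clinician, record, purpose,
                         when or datetime.now(timezone.utc))
        self.events.append(ev)
        notify = self.subscribers.get(patient_id)
        if notify is not None:
            notify(ev)          # tell the patient straight away, if they asked to be told
        return ev

    def report(self, patient_id: str) -> list:
        """Who has seen what, for what purpose and when, oldest first."""
        rows = [ev for ev in self.events if ev.patient_id == patient_id]
        rows.sort(key=lambda ev: ev.when)
        return [{"who": ev.clinician, "what": ev.record, "why": ev.purpose,
                 "when": ev.when.isoformat()} for ev in rows]

    def access_counts(self, patient_id: str) -> dict:
        """Per-clinician totals; an unexpectedly busy account stands out here."""
        counts = {}
        for ev in self.events:
            if ev.patient_id == patient_id:
                counts[ev.clinician] = counts.get(ev.clinician, 0) + 1
        return counts


def demo():
    """Constructed sample data: two patients, three accesses, one opted-in patient."""
    log = AuditLog()
    received = []                      # what patient P001 would have been sent
    log.opt_in("P001", received.append)
    t = datetime(2012, 11, 5, 9, 0, tzinfo=timezone.utc)
    log.record_access("P001", "dr.smith", "summary", "consultation", t)
    log.record_access("P001", "nurse.jones", "prescriptions", "repeat prescription",
                      t.replace(hour=10))
    log.record_access("P002", "dr.smith", "summary", "consultation", t.replace(hour=11))
    return log, received


if __name__ == "__main__":
    log, received = demo()
    for row in log.report("P001"):
        print(row)
    print("notifications sent to P001:", len(received))
```

The two things a patient actually wants from this are both cheap once the event is immutable and carries a purpose: the yearly report is a filter and sort over the log, and the opt-in notification is a callback fired at write time rather than a separate reporting job.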

Mark Cross
MBCS CITP