“This is not who we are,” muttered the CIO of one of the largest health insurance companies in the world as he looked over the report.
The digital team had been forced to put up a CAPTCHA on the site’s login page, and this had driven a full 70 percent of the company’s older patients off of the website. Pharmacy orders were also down a shocking 70 percent, and the call center was swamped at 130 percent of call volume with site users unable to pass the difficult visual puzzles. It was a complete disaster.
The seeds of this catastrophe were planted quite innocently.
The global healthcare insurer had introduced an innovative Health Rewards program that was hailed as a bold gamification of wellness. The program rewarded patients with points for achieving preventive medical milestones, such as scheduling wellness checkups, screening for bone density, and getting flu shots. Patients even got points for volunteering or participating in nutrition classes, activities that were good for their social and mental health and community bonding. It was beautiful; this is how markets are supposed to work —personal rewards for conscientious behavior.
The reward points themselves had no cash value, but could be redeemed in the insurer’s online mall for gift cards from retailers like Amazon and Walmart—and those gift cards definitely did have cash value. These rewards proved a juicy target for gift-card crackers.
Credential Stuffing and Gift Card Cracking
Almost immediately, automation attackers began credential-stuffing the login page of the insurance company’s rewards program. Credential stuffing is the act of testing millions of previously breached username and password combinations against a website with the knowledge that some of the credentials will work there. Success rates for an individual credential-stuffing login are low; they vary between 0.1 percent and 2 percent depending on the client population.
Attackers counter the low probability of any individual login succeeding by scaling their attempts into the millions via automation—scripted programs called “bots.” Modern bots look very much like human users to a target computer—telling them apart is one of the most difficult problems in modern computer science. A 1 percent success rate in a credential-stuffing attack is a reasonable statistical estimate; one million leaked credentials will yield 10,000 successful logins against a third party, leading to account takeovers by the attacker. Today there are over 5 billion leaked credentials on the market.
The attackers breached thousands of accounts at the healthcare insurer’s rewards program. They consolidated reward points and converted them into gift cards, from which they exfiltrated the real cash value. The insurer’s CIO and IT security team were actually not that worried about the losses incurred through gift-card fraud.
“We were much more anxious about the PII exposure than the fraud.”
Global Health Insurer CIO
The attackers appeared to be ignoring the Personally Identifiable Information (PII) associated with the cracked accounts in favor of getting the rewards points, but the exposure was alarming.
The security team turned to their Content Delivery Network (CDN) vendor for help. The CDN’s “bot management” solution put a CAPTCHA into the user login process in an attempt to stop the automation.
And that’s when the wheels came off.
Human success rates for CAPTCHAs are already distressingly low—as low as 15 percent completion rates for some populations. Because computers have gotten so good at solving CAPTCHAs, the tests have gotten more and more difficult.
For elderly users, who are visually impaired more often than not, CAPTCHA success rates are even lower. In fact, one would be hard-pressed to devise a worse user experience than CAPTCHA for an aging population.
Immediately after the CDN put their CAPTCHA in place, login success rates plummeted. Seven out of ten elderly users could no longer log in to their accounts, access the rewards program, or renew their prescriptions online.
Online pharmacy orders plunged by 70 percent.
Frustrated patients had to phone the health insurer’s call center to renew prescriptions.
Meanwhile the attackers easily bypassed the “bot management” solution through one of the many underground services that offer 1,000 solved CAPTCHAs for $1. Now they were the only ones earning rewards.
“This is not what we do.”
Global Insurer CIO
The CAPTCHA was far more damaging than the fraud it was supposed to stop. The cure was worse than the disease.
Can you make an introduction?
The CIO reached out to a C-level colleague of his at a top-3 North American bank. He explained the situation and said, “Hey, you guys are a bank, and you don’t use CAPTCHAs. How do you get away with that?”
His peer said, “We use Shape Security,” and he made an introduction.
Shape worked with the healthcare insurer’s CIO and his team to get our technology deployed. We went into monitoring mode first, to study attack traffic patterns. Because Shape came in behind their CDN solution, the monitoring period became an informal bake-off between the CDN’s bot management service and Shape’s.
Understanding Users and Risk
|Web and Mobile Visitor||Behaviors||Risk|
|Legitimate users with good behavior||Strong passwords|
No password re-use
|Legitimate users with bad behavior||Weak passwords|
Prey to phishing
|Illegitimate users with ill intent||Account Takeover|
Even behind the CDN’s CAPTCHA, Shape was detecting large amounts of credential stuffing and gift-card cracking—sometimes up to two million attempts per day. While the attackers had been smart enough to “hide” their traffic spikes within the diurnal patterns associated with human logins, they were not otherwise trying to disguise their traffic. Sometimes they connected through proxies, sometimes through a partner healthcare insurer, and even once through a financial aggregator.
Shape fought the attackers as they retooled, attempting to get around the Shape defenses. Within weeks, most of the attackers gave up, resulting in a 90% decrease in overall traffic.
The CIO was sufficiently impressed by Shape to completely displace the CDN for bot management at the healthcare insurer’s web property, and the CAPTCHAs were removed from two dozen entry points.
Shape then began working with the team to monitor the mobile property, because that is where attackers always retarget to after we block them on the web. After another month of monitoring the mobile traffic, Shape was able to show that the healthcare insurer’s mobile property could be further improved to remember legitimate users, and we cut their legitimate “forgot password” transactions in half. Shape also provided the insurer with a customized list of recommendations for information access and password protections policies.
Steady State Unlocked
Today the healthcare insurer’s website has zero CAPTCHAs in front of their pharmacy, the account profile, and their rewards program. The Shape mobile SDK is integrated with nearly all the mobile platforms that the insurer reports.
Attackers and aggregators continue to probe the insurer’s web and mobile properties. Shape sees them, and foils the attackers. The health insurer is notified of the aggregators, who are encouraged to use authorized API gateways.
The online pharmacy is accessible to all customers again. Call volumes have dropped to levels not seen since before the CAPTCHA crisis. Attackers and aggregators continue to probe the insurer’s web and mobile properties. Shape sees them, and foils the attackers. The health insurer is notified of the aggregators, who are encouraged to use authorized API gateways.
And, perhaps most importantly, the healthcare insurer is again free to focus on innovating new programs and rewarding customers for taking preventive steps for their medical and social wellness.
*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by David Holmes. Read the original post at: https://blog.shapesecurity.com/2019/08/06/healthcare-captcha-the-cure-thats-worse-than-the-disease/