Admin
Yes, I don't see the WTF in the New Mexico one. Happy to be proved wrong ...
Admin
Neither phone nor email are particularly secure ways of doing 2FA in the wake of TOTP and U2F, and institutes like the NIST even explicitly recommend against the former. Considering this is about medical data, I can see the WTF there.
Admin
The implication is that the vaccinee didn't have to provide phone or e-mail, just name, date of birth, and insurance to get the vaccine.
The rest of the issue is left as an exercise for the reader.
Admin
What I like is that we appear to have multiple instincts (ok, programming site, so you can call them "latent programming") to deal with predatory threats. Some ignore, some cower, some fight, some defend, some sacrifice others, some sacrifice themselves, ... I'm probably missing a few. Really fascinating distribution! In the real world (i.e. outside the nearly deterministic model of the computer paradigm), we can accomplish things despite bad programming instead of because of, which is mostly what I think we've experienced over the past couple years. What's the time complexity for squashing a virus?
Admin
Yeah, that's impressively non-secure on the vaccines--and it's all recent vaccines, not merely Covid.
Admin
As to the vax records ...
For it to be 2FA, you need, well, two factors. A mobile or email (assuming you gave it when vaccinated so they have it on file) is 1-factor auth. I think the submitter was mostly riffing on that point, not making a comment about the overall (non-) security of NM's system.
What would really be horrifying is if, after one selects mobile or email from the radio buttons, a textbox is revealed for one to enter the address to deliver the results to. With no cross-checking of the contact info the state may or may not have on file for that name & birthdate.
Guess what ... I just went to their site and that's exactly what happens. See https://nmsiis.health.state.nm.us/webiznet_nm_public/Application/PublicPortal
I was unwilling to continue the experiment as far as actually submitting a fraudulent request to a government data system, but somebody of more hackerish mindset might give it a whirl & report back.
Admin
@WTFGuy It's the same here in Nevada. At least it sends a code you have to reply with to prove that's really your e-mail or phone number. You also get a limited number of attempts/day.
It's also very strict on the names; I'm going to have to call them to figure out what they've done to my wife's name, as all the normal wrong things that get done to it haven't produced a match.
Admin
Usually, "something you know" (password) and "something you have" (2FA token or TOTP app, finger- or retina- or iris- print, etc.)
This particular case is, by implication, 1FA, as noted, based on "something you have" (the email account or phone), but there's an implied "something you know" since you in theory had to know your password to get to this point.
(Noteworthy, as noted before on this site, "security questions" do not make something 2FA, since it is essentially "something you know" and "something else you know", which isn't more secure than just "something you know".)
Admin
@Steve The Cynic ref
But there is no password (nor user ID) to get to that point. That form is 100% open to the world. Follow the URL I provided and see for yourself.
I can see the problem these agencies face. They want to make the info they have on each person available to that person. And because a sizeable fraction of Americans hate the very idea of ever identifying themselves to a government agency, they need to design it for drive-by anonymous users who aren't willing to establish a logon with that agency or any other.
How can we provide only your info to you, your info to nobody else, and have you retain the illusion of anonymity enough that you're willing to use the form in the first place? It's one of those trilemma "We need attributes X, Y, & Z. Pick 2." situations.
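The two flows debated above (a public lookup that delivers results to whatever contact the requester types in, versus one that only ever sends a code to the contact captured at vaccination) are easy to see side by side in code. The following is an added illustration written for this thread; it is not the New Mexico or Nevada portal's code, and every record, name, address and limit in it is constructed. It goes slightly beyond the thread in one respect: the hardened flow also returns the same generic response whether or not a record exists, so that name and date of birth alone cannot be used to confirm that someone is in the registry.

```python
"""Added illustration (not any state portal's code): binding one-time-code delivery
to the contact already on file instead of to a requester-supplied address.
All data below is constructed for the demonstration."""
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    name: str
    dob: str                        # ISO date, e.g. "1980-01-02"
    contact_on_file: Optional[str]  # phone/e-mail captured at vaccination, if any
    history: str                    # the immunization record itself

# Constructed sample registry. Sam gave no contact details when vaccinated.
RECORDS = [
    Record("Pat Example", "1980-01-02", "pat@example.invalid", "dose 1: 2021-03-01"),
    Record("Sam Sample", "1975-06-07", None, "dose 1: 2021-04-15"),
]

SENT = []        # (destination, payload) deliveries captured instead of really sent
PENDING = {}     # (name, dob) -> outstanding one-time code
ATTEMPTS = {}    # (name, dob) -> lookups today (reset daily in a real system)
DAILY_LIMIT = 3
GENERIC = "If we hold a matching record with that contact on file, a code has been sent."

def _key(name: str, dob: str):
    return (name.strip().lower(), dob)

def find(name: str, dob: str) -> Optional[Record]:
    """Match on name + date of birth, both of which are effectively public facts."""
    for rec in RECORDS:
        if _key(rec.name, rec.dob) == _key(name, dob):
            return rec
    return None

def lookup_weak(name: str, dob: str, requester_contact: str) -> str:
    """The flow the thread describes: results go to an address the requester chose.
    Anyone who knows a name and birthdate can have the record sent to themselves."""
    rec = find(name, dob)
    if rec is None:
        return "no match"
    SENT.append((requester_contact, rec.history))
    return "sent"

def lookup_hardened(name: str, dob: str, requester_contact: str) -> str:
    """Only the contact already on file can receive a code, attempts are capped per
    day, and the response never reveals whether a record exists."""
    key = _key(name, dob)
    ATTEMPTS[key] = ATTEMPTS.get(key, 0) + 1
    if ATTEMPTS[key] > DAILY_LIMIT:
        return "rate limited"
    rec = find(name, dob)
    if (rec is not None and rec.contact_on_file
            and rec.contact_on_file.lower() == requester_contact.strip().lower()):
        code = secrets.token_hex(3)          # short one-time code, 24 bits of entropy
        PENDING[key] = code
        SENT.append((rec.contact_on_file, f"your code: {code}"))  # never to the typed-in address
    return GENERIC

def redeem(name: str, dob: str, code: str) -> Optional[str]:
    """Second step: the record is released only to whoever controls the contact on
    file, proven by echoing the code back. Codes are single-use."""
    key = _key(name, dob)
    expected = PENDING.get(key)
    if expected is None or not secrets.compare_digest(expected, code):
        return None
    del PENDING[key]
    rec = find(name, dob)
    return rec.history if rec else None

if __name__ == "__main__":
    print(lookup_weak("Pat Example", "1980-01-02", "stranger@example.invalid"), SENT[-1])
    print(lookup_hardened("Pat Example", "1980-01-02", "stranger@example.invalid"))
    print(lookup_hardened("Pat Example", "1980-01-02", "pat@example.invalid"), SENT[-1])
```

In the weak flow the "factor" is nothing more than knowledge of a name and birthdate, which is the 0FA the submitter describes. The hardened flow turns the contact on file into a real "something you have": the requester's typed-in address is used only for the comparison, the code travels to the stored contact, and a record with no stored contact simply cannot be fetched electronically, which is the right outcome for someone who never gave one.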
Admin
Biometrics are usually considered to be a third category “something you are” and are fine… provided you back them up with at least one of the other two categories.
Admin
First of all, SO excited that one of my entries actually made it!
Second, you are correct, this is effectively 0FA. I did not provide a phone number or email address when I registered for my vaccination. So asking to send me a text message to a random phone number of my choice is, well, lacking in security.