You may have read about the recent incident in which a client of the Social Insurance Institution, aka Kela—an insurer owned by the Finnish state—was presented with confidential medical insurance data of a complete stranger. This occurred as the client had logged into a Kela web service in order to view her own information. Kela has subsequently closed down the service in question.
Today, a Finnish Broadcasting Company news item reports that Kela has asked the National Bureau of Investigation to examine the case. According to the same story, Kela suspects that the problem was caused by an ISP having assigned the same IP address to two clients.
——— [O]ngelma on saattanut johtua siitä, että molemmat asianosaiset käyttivät samaa verkko-operaattoria. Operaattori on saattanut antaa molemmille saman IP-osoitteen, minkä vuoksi tiedot menivät sekaisin.
This sounds very scary, as it implies that after initial authentication, access control was based on IP addresses alone, with no cryptographic security in use.
Had reasonable security been implemented, the session would instead have taken place through an encrypted tunnel, as is the case with e-banking services. This means that data transmissions from the server to the client would have been encrypted to a session key generated by the client, and known only to the client and the server (since the client would have encrypted the session key to the server’s public key before sending it over).
Under such conditions, even if an intruder were to sniff the traffic off the line, or hijack it by spoofing the client’s IP address, he would gain access only to the encrypted material, not to any means of readily decrypting it. The same, of course, holds true should a third party accidentally stumble upon said traffic.
If other Kela services have been designed to equally feeble standards as the one mentioned above, they should probably all be shut down, now.
(To the best of this writer’s knowledge, Kela the insurance institution is not affiliated with Kela the computer virus.)
Do you have additional information on this case, or would you otherwise like to comment? Please do!