A US health insurer is taking heat for its decision to mail USB drives containing coverage information to businesses that offer its plans to employees.
Alabama-based developer Thomas Gamble said he received a mailer from Blue Cross and Blue Shield of Alabama that included a USB key, along with instructions to insert the gadget into his PC.
Inserting the drive launches the insurer's online portal, which shows the details of a specific business's health plans and benefits. That, says Gamble, immediately set off alarm bells: his own insurance company was telling him to commit an infosec blunder.
Aside from the fact that such gimmicks backfire the moment a batch of USB keys ships infected with malware, the practice conditions people to believe it is OK to plug random storage devices into their computers. It is not OK.
"As many things do, I'm sure it started as something innocent: a marketing ploy or a tool to better service customers. I'm sure it never was intended to provide a blueprint for cyber security attacks on high value targets," Gamble noted earlier today.
"Regardless, it's a huge reason why major corporations need to have their security team more involved in all aspects of their business."
There is no suggestion that the USB drives themselves were malicious, and Blue Cross Blue Shield said businesses can access the same information through the insurer's web portal.
The problem, Gamble explains, is that the practice encourages what is essentially the infosec equivalent of pulling gum off the sidewalk and popping it into one's mouth.
"I am not accusing BCBS of creating software that is less than above board. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software," he said.
"The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them, whether they are official or forged."
The insurer does, however, seem to have gotten the message. A spokesperson told The Register it was halting the mailers.
"Blue Cross and Blue Shield of Alabama recognizes the importance of exercising the proper security measures before inserting an unknown device, even from a reputable source, into a computer or electronic device," the company said.
"Due to the current technical environment and breach risks, our company is re-evaluating this communication tool. The security of our customers' information remains one of our top priorities."
In the meantime, it should go without saying that people should never plug untrusted USB devices into their PCs, and admins should make sure end-users are always wary of unsolicited attachments, whether they arrive by email or by snail mail. Awareness alone is not a control, though: where the business case allows, block or allowlist removable storage at the endpoint, so that a convincing mailer cannot rely on a curious employee to do the rest. ®
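As an added example (not code from the article or from the insurer), here is the shape of the endpoint-side check an admin would want alongside user awareness: parse Windows USBSTOR device instance paths, as they appear in Plug and Play data, and flag any removable disk whose serial is not on a corporate issued-device list. The event records, host names, and the allowlist below are constructed for illustration; the instance-path format is the real Windows one, including the case where a device reports no serial and Windows synthesizes an instance ID (recognisable by the "&" in its second character).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows USBSTOR device instance path, e.g.
#   USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001231124112345&0
USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<type>[^&\\]+)"
    r"&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    host: str
    vendor: str
    product: str
    serial: Optional[str]  # None when Windows generated the instance ID


def parse_instance_path(host: str, path: str) -> Optional[UsbDevice]:
    """Return a UsbDevice for a USBSTOR path, or None for any other device class."""
    m = USBSTOR_RE.match(path)
    if not m:
        return None
    inst = m.group("instance")
    # A device-reported serial looks like "4C53...&0". When the device reports
    # no serial, Windows synthesizes an ID such as "7&2b4c1a3e&0&_&0"; the "&"
    # in the second position marks it as generated, so it cannot be allowlisted.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst.split("&")[0]
    return UsbDevice(host, m.group("vendor"), m.group("product"), serial)


def evaluate(events, allowed_serials):
    """Return (host, verdict, description) alerts for removable disks that are
    not corporate-issued. Non-storage USB devices (keyboards, etc.) are ignored."""
    allowed = {s.upper() for s in allowed_serials}
    alerts = []
    for ev in events:
        dev = parse_instance_path(ev["host"], ev["instance_path"])
        if dev is None:
            continue
        desc = f"{dev.vendor} {dev.product}"
        if dev.serial is None:
            alerts.append((dev.host, "NO_SERIAL", desc))
        elif dev.serial.upper() not in allowed:
            alerts.append((dev.host, "UNKNOWN_DEVICE", f"{desc} sn={dev.serial}"))
    return alerts


# Constructed sample data: a hypothetical allowlist of issued-drive serials and
# four device-arrival records as an endpoint agent might forward them.
ALLOWED_SERIALS = ["08606E6D4C3CBE00000000A1"]

EVENTS = [
    {"host": "WS-ACCT-07",
     "instance_path": r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\08606E6D4C3CBE00000000A1&0"},
    {"host": "WS-HR-02",
     "instance_path": r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001231124112345&0"},
    {"host": "WS-HR-02",
     "instance_path": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2b4c1a3e&0&_&0"},
    {"host": "WS-ACCT-07",
     "instance_path": r"USB\VID_046D&PID_C31C\6&1f2e3d4c&0&2"},  # a keyboard, not storage
]


def run_demo():
    return evaluate(EVENTS, ALLOWED_SERIALS)


if __name__ == "__main__":
    for host, verdict, desc in run_demo():
        print(f"{host}: {verdict}: {desc}")
```

The issued drive is silent, the unknown SanDisk and the serial-less generic stick both raise alerts, and the keyboard is ignored because it is not in the USBSTOR class. In practice the same allowlist feeds the removable-storage policy (deny by default, permit listed serials), and this script is the audit view of what that policy would have blocked.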