Yesterday, DNI James Clapper warned Congress about the “dreamland” created by the government shutdown for terrorists looking to exploit holes in American national security. The Senate was skeptical of those claims thanks to Clapper’s lack of credibility, but Congress should look more to the domestic-policy front for “dreamlands” created by federal dysfunction for fraudsters and scammers. Thanks to the disastrously incompetent rollout of ObamaCare exchanges, experts warn consumers that they are at high risk of phishing and other identity-theft attacks:

Amidst the fighting in Washington and the reports of Marketplace site outages, one issue surrounding the Affordable Care Act (aka Obamacare) hasn’t been addressed: scammers.

Security company Trend Micro reported that they’re already seeing spam targeted to words like “medicare,” “enrollment,” and “medical insurance.” These terms aren’t quite on-point just yet, but Trend Micro’s threat communications manager Christopher Budd told SecurityWatch that deep problems with the Marketplace websites could make things much worse.

Not to quibble, but the risk has been addressed a number of times — by ObamaCare opponents.  Advocates responded by promising that the exchanges would minimize that risk.  Instead, as PC Magazine reports this morning, those exchanges have multiplied the risks:

“Most states have their own official state sites, and then you can have third party broker sites,” explained Budd, touching on how the Insurance Marketplaces are organized. “The environment this creates right out of the gate is so confusing that it creates space for phishing.”

Budd says that without a clear means to verify if a site is official or not, people are at risk of finding themselves duped by convincing-looking fraudulent websites. We’ve already seen how spammers and scammers are very adept at tailoring their messages to match the zeitgeist. And because these websites deal with medical issues and insurance, people are already primed to hand over tons of personal information—like their Social Security numbers. Worse yet, some people will be signing up their whole families, potentially giving thieves access to a lot of personal information.

The main problem, says Budd, is that some of the state websites did not follow best practices for security—or even adequately brand themselves as part of the ACA. “To give credit, the Federal site is professional, well branded, and provides SSL,” said Budd, pointing out how HealthCare.gov automatically used SSL.

State-level Marketplaces weren’t so well put together. “There are some state sites that if you go in HTTPS, it gives you a 404 error,” said Budd. Other states had test certificates instead of legitimate ones, and one third-party website automatically rolled Budd back to HTTP when he tried to connect via HTTPS. 

SSL (Secure Sockets Layer), the protocol behind an HTTPS address and since standardized as TLS, is perhaps the most basic Internet transaction security system available.  Since 1996, it has been the default level of protection for commercial websites expecting to handle sensitive customer information.  A commercial web site that didn’t include at least that much transactional security would get laughed off of the Internet, and would have since Bill Clinton was President. Test certificates (self-signed, or issued by a development authority that no browser trusts, so visitors get a warning page instead of a padlock) are used in development phases, but normally would be discarded for properly issued certificates long before a launch date, especially for a system that had a three-and-a-half-year development phase. A site that rolls an HTTPS visitor back to plain HTTP is arguably worse than one that fails outright: the padlock the visitor looked for never appears, and everything typed into the enrollment form travels in cleartext.
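The three failures Budd describes (HTTPS answering with a 404, a test certificate the browser will not trust, and a redirect that rolls the visitor back to HTTP) are easy to check mechanically. The script below is an added example, not code from the original post or from any of the exchange sites; `probe_https` needs network access and a real hostname, while the `audit` logic runs on constructed results embedded in the file, so the hostnames `example.gov`, `example-state.gov` and `broker.example.com` are placeholders rather than measurements. The HSTS check is an extra caveat beyond what the article mentions.

```python
"""Audit an HTTPS endpoint for the failures described in the article:
HTTPS answering 404, an untrusted (test/self-signed) certificate, and a
redirect that rolls the visitor back to plain HTTP.
Added example, not code from the original post; hostnames are placeholders."""
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def probe_https(host, path="/", timeout=10):
    """One HTTPS GET, redirects NOT followed, certificate verified.
    Returns the raw facts audit() needs. Needs network access; the host is
    whatever the caller supplies (assumption: any real exchange site)."""
    ctx = ssl.create_default_context()  # chain + hostname check: a test cert fails here
    result = {"host": host, "tls_error": None, "status": None,
              "location": None, "hsts": None}
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
        conn.request("GET", path)
        resp = conn.getresponse()
        result.update(status=resp.status,
                      location=resp.getheader("Location"),
                      hsts=resp.getheader("Strict-Transport-Security"))
        conn.close()
    except ssl.SSLCertVerificationError as exc:
        result["tls_error"] = "certificate rejected: " + exc.verify_message
    except (OSError, http.client.HTTPException) as exc:
        result["tls_error"] = f"no TLS connection: {exc}"
    return result


def audit(result):
    """Turn one probe result into a list of findings (empty list = clean)."""
    findings = []
    if result["tls_error"]:
        # Without a verified channel nothing else about the site can be trusted.
        return ["no-valid-tls: " + result["tls_error"]]
    if result["status"] == 404:
        findings.append("https-404: host answers but serves nothing over HTTPS")
    loc = result["location"] or ""
    if result["status"] in REDIRECTS and loc:
        target = urlsplit(loc)
        if target.scheme == "http":
            findings.append("downgrade: HTTPS visitor sent back to " + loc)
        elif target.netloc and target.hostname != result["host"]:
            findings.append("off-host-redirect: sent to " + target.netloc)
    if result["status"] == 200 and not result["hsts"]:
        # Extra check beyond the article: without HSTS a browser will happily
        # retry over plain HTTP next time the user types the bare address.
        findings.append("no-hsts: browser not told to insist on HTTPS")
    return findings


# Constructed probe results standing in for live sites (not real measurements).
CONSTRUCTED_RESULTS = {
    "well-branded-federal-site": {"host": "example.gov", "tls_error": None,
        "status": 200, "location": None, "hsts": "max-age=31536000"},
    "state-site-404-on-https": {"host": "example-state.gov", "tls_error": None,
        "status": 404, "location": None, "hsts": None},
    "state-site-test-cert": {"host": "test.example-state.gov",
        "tls_error": "certificate rejected: self-signed certificate",
        "status": None, "location": None, "hsts": None},
    "broker-site-rolls-back-to-http": {"host": "broker.example.com",
        "tls_error": None, "status": 302,
        "location": "http://broker.example.com/enroll", "hsts": None},
}


def audit_all(results=CONSTRUCTED_RESULTS):
    """Audit every result and return {label: findings}."""
    return {label: audit(r) for label, r in results.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {findings or ['clean']}")
```

Against a live site you would call `audit(probe_https("some-exchange.example"))`; the probe deliberately does not follow redirects, because the whole point is to see where the first HTTPS hop sends the visitor before a browser would silently follow it.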

This points out the big difference between free-market and government-run operations.  Governments don’t have competition, and therefore have no real incentive to follow industry standards.  This slapdash effort would result in massive consumer rejection and some creative destruction in the free market that would release assets for use by more competent stakeholders.  In the public sector, with no worries about competition, it becomes a “dreamland” for incompetents.  And what we see this week is the result.

Forbes has a list of warnings for consumers who might get confused by scammers and fraudsters looking to take advantage of the low-information Internet users that are now required by law to purchase through these failing mechanisms.  KTNV gives us the thumbnail version:

Number one is the non-existent Obamacare card. You do not need to get an Affordable Care Act insurance card in order to buy coverage. There is no such thing.

Number two is the phone call from people pretending to work for the government and asking for personal information such as social security numbers. These people claim they are trying to verify eligibility for Obamacare.

Number three is the bogus Obamacare navigators. They claim to be able to help people through the sign-up process. Instead, they are stealing people’s information and identities. There are legitimate navigators, but they work for agencies like the United Way.

Number four is the Medicare scare tactic. People over the age of 65 are being told that they will lose coverage if they do not sign up for ACA.

Number five are websites that look real but are not. Once again, this is an effort to collect personal information so that it may be used for fraudulent activities.

Perhaps a better rule of thumb is this, at least for the moment: if it’s working properly and seems to have security in place, it’s probably not the government site.