Sermo’s $9M Weak Security Model
In the physician community, there’s been a fair amount of buzz about a physician’s-only community (or “social network,” if you prefer) called Sermo. I was curious as to how strong their registration system was to prevent non-physicians from subscribing to the service, which is free and open to all physicians that have either an M.D. or a D.O. (and a DEA prescribing number). So I asked a technology and security consultant friend of mine to check it out.
His findings didn’t surprise me. It took him five minutes and only two tries to register a valid physician account at Sermo, even though he isn’t a physician. He used information freely available on the Internet to register as someone who was a legitimate physician. He took a few screen shots to show me his success:
The problem appears to be a traditional issue between trading off “ease of use” with “tight security.” The best and tightest security would be to manually verify each and every registration with a human phone call. But, of course, this would require money and manpower, something many startups don’t have.
But Sermo can’t use that excuse, since it just closed on yet another round of VC funding in the $26.7 million range (on top of the existing $9 million they have already raised). So the strongest security possible to protect the integrity of their physician members is to be verifying each member manually, yet they aren’t. When it comes to security of their closed community, Sermo’s FAQ only says:
How do I know that Sermo members are really MDs?
Joining Sermo isn’t easy. In fact, Sermo technology is the first of its kind to authenticate and credential physicians in real-time. Our state-of-the-art technology is working behind the scenes, re-validating physicians every time they sign in, ensuring that only physicians can become members.
Well, in fact, it was incredibly easy. So easy that within 5 minutes, someone who wasn’t a physician did it. And if by chance they close the account my friend created, he can create a new physician account in another 5 minutes. Because Sermo’s authentication process is fundamentally flawed (we won’t tell you how he did it, so don’t ask), the only long-term fix for this problem is asking for registrants for even more personally-identifiable information (stuff many people won’t like to give up, like their social security number), or calling each person who registers to verify they are who they say they are.
We’re all for closed physician communities — we think they have enormous potential. But we hope that such communities really put their members best privacy and security interests above “ease of use” and quick registrations. We also hope that VCs really do a little more hard due diligence before plopping their money into whatever the latest/greatest “social network” is, because it exactly those companies that cut the corners on security that can ruin it for future startups in similar spaces.
We contacted Sermo regarding this issue and discovered that a day before we began investigating this security hole (Friday), MedGadget had already discovered and published their take on it. Their method was slightly different than our consultant’s method, who simply guessed at the correct DEA number (because you get 3 tries out of 6 possible numbers). Of course, Medgadget’s post makes it even easier.
A spokesperson for Sermo replied to our inquiries with,
Sermo actually rotates the authentication questions and DEA is not the only item we use. Nevertheless, we will be taking additional steps to address this. Alas, when you become the largest online physician community, ever, people start to set their sites on you.
True, true. But if you want to gain a professional’s trust by emphasizing how “secure” your community is, you should be prepared to stand by your current registration practices. The fact that their registration is so easy to game at present means their community is less-than-secure.
Sermo also reminded us that impersonating a physician is a federal offense. We’d love to see what amount of federal resources would be expended to go after Sermo violators, however. Sermo can only rely on Sermo to uphold’s Sermo’s security model.
Sermo claims it has 30,000 physician members today. We wonder, how many of them are really physicians?
This is an announcement only, so there are no comments.
Grohol, J. (2007). Sermo’s $9M Weak Security Model. Psych Central. Retrieved on August 31, 2015, from http://psychcentral.com/blog/archives/2007/09/22/sermos-9m-weak-security-model/