Monday, September 24, 2007

Confirmed: Sermo Is Not for Physicians Only; New Important Questions Raised

Filed under: Medgadget Exclusive , Net News

So we were right: physicians-only networks are very easy to penetrate. John M. Grohol of PsychCentral reports that a professional security consultant was able to register an account at Sermo.com rather easily: it took him only five minutes. If you have read our account (Medgadget's Guide to Hacking into Social Networks for Doctors), you know that one does not need to be a security consultant to work out how to use public databases to register with Sermo and others. PsychCentral does not want to reveal its methodology, but we think it was probably based on standard state medical board information plus the DEA number formula. (FYI, DEA numbers are not random: the last of the seven digits is a check digit computed from the preceding six by a simple, published formula. It is a typo check in the same spirit as the Luhn check on credit card numbers, though not the same rule, and because anyone can compute it, the number carries no secret that could prove identity.)
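As an added illustration of the point above (not part of the original post, and not code from Sermo or PsychCentral), the following Python shows what the "DEA number formula" actually is and why it cannot serve as an authentication secret: the seventh digit is a check digit computed from the first six, so anyone can tell whether a number is well formed and can complete any six-digit prefix into a well-formed one. A Luhn check is included for contrast, since the two rules differ. All numbers used are constructed samples, not real registrations.

```python
"""Added example (not from the Medgadget post): why a DEA number's check
digit is an integrity check, not an authentication secret.

A DEA registration number is two letters followed by seven digits; the
seventh digit is a check digit derived from the first six.  Anyone who
knows the rule can tell a well-formed number from a typo and can complete
any six-digit prefix into a well-formed number.  That is exactly why
asking "what is your DEA number?" proves nothing about the person typing
it unless the answer is checked against an authoritative registry.

Every number below is a constructed sample, not a real registration.
"""
import re

# Two letters (the second may be '9'), then seven digits.  The exact set of
# registrant-type letters has changed over the years, so only the shape is
# enforced here.
_DEA_RE = re.compile(r"^[A-Z][A-Z9]\d{7}$")


def dea_check_digit(six_digits: str) -> int:
    """Check digit for the first six digits of a DEA number.

    Rule: (d1 + d3 + d5) + 2 * (d2 + d4 + d6); the check digit is the last
    decimal digit of that sum.
    """
    if not (len(six_digits) == 6 and six_digits.isdigit()):
        raise ValueError("expected exactly six digits")
    d = [int(c) for c in six_digits]
    total = (d[0] + d[2] + d[4]) + 2 * (d[1] + d[3] + d[5])
    return total % 10


def dea_well_formed(number: str) -> bool:
    """True if `number` has DEA syntax and a correct check digit.

    This says nothing about whether the number is actually registered to
    anyone, let alone to the person presenting it.
    """
    number = number.strip().upper()
    if not _DEA_RE.match(number):
        return False
    digits = number[2:]
    return dea_check_digit(digits[:6]) == int(digits[6])


def complete_dea(prefix: str) -> str:
    """Turn a two-letter + six-digit prefix into a well-formed DEA number.

    Demonstrates that the check digit adds no secrecy: it is a pure
    function of the public structure of the number.
    """
    prefix = prefix.strip().upper()
    if not re.match(r"^[A-Z][A-Z9]\d{6}$", prefix):
        raise ValueError("expected two letters followed by six digits")
    return prefix + str(dea_check_digit(prefix[2:]))


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check as used on payment card numbers, for contrast.

    It doubles every second digit from the right and folds digits above 9,
    which is a different rule from the DEA one above.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


if __name__ == "__main__":
    sample = "AB1234563"  # constructed: 1+3+5 = 9, 2*(2+4+6) = 24, 33 -> 3
    print(sample, "well formed:", dea_well_formed(sample))
    print("AB1234567 well formed:", dea_well_formed("AB1234567"))
    print("BC987654 completes to", complete_dea("BC987654"))
    print("Luhn on the same seven digits:", luhn_valid(sample[2:]))
```

The lesson for anyone designing a registration check is that a well-formed DEA number, like a UPIN or a state license number, proves only that the applicant can look up or compute public data; it must never be treated as proof that the applicant is the physician in question.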

This is an important story, and we believe it needs to be addressed by Sermo.com, and by other physician networks. Until the following questions are answered, we think that the credibility of these networks is under one big question mark.

1. Will Sermo.com and others come out and address these security issues with their users?

2. Do Sermo.com and others really have a business model that can create a secure network for physicians as long as that model is based on publicly accessible databases?

3. Will member physicians be content with the possibility that some clinical vignettes may be hoaxes?

4. What about the possibility that drug companies and medical device manufacturers are actually creating some of the vignettes to hype their wares?

5. How big is the problem? How many physicians' identities have been stolen? Are there physicians out there who cannot register because their identities have already been taken?

Finally, we want to hear from you if you are a physician and your identity has been stolen. Please email us at medgadget--at--medgadget--dot--com.

Update: More thoughts from Enoch Choi...

More: Medgadget's Guide to Hacking into Social Networks for Doctors ...; Open Letter to Dr. Daniel Palestrant, CEO of Sermo.com...; A Note and a Follow Up On Sermo...; Sermo Improves Registration Security; Needs to Do More ....


Update: Mexican Medical Student has an excellent overview of the security issues involved in private social networks here.

replies: 8 comments

It would have been more appropriate to have had a private conversation with sermo about this first before committing this sort of information to the public domain. If they failed to act on the information, disclosure here would then be more appropriate.

If your argument is based on the public good of "outing" loopholes in this manner, you must also consider the damage to trust that you are causing to the image of a very worthwhile initiative.

No system is perfectly secure, and Sermo are trying to plug holes that exist in any early web based project/product. Manual verification doesn't scale very well, and it is understandable that they wanted to demonstrate proof of concept by signing up users in the early days.

Please be considerate, as you are doing a lot of damage to a great concept.

Yours disappointedly,

grisdoc


Posted by: grisdoc
on September 24, 2007 02:21 AM GMT

Why wasn't any of this post hoc justification in the original post? You published a classic computer geek "gotcha" post and are now trying to say it was all highbrow and in SERMO'S best interest. If someone's identity is compromised, what will be your response? I'll bet it won't go much farther than "gee, we're sorry."


Posted by: wbarrettmd
on September 24, 2007 04:27 AM GMT

The purpose of revealing this information is for the sake of the doctors who plan to use Sermo, and who are told that everyone logged in is a doctor, while whoever developed Sermo (over $20 million in funding) knew very well that it was easy to circumvent, yet, as you say grisdoc, wanted to just sign up as many people as possible as quickly as possible.
The problem is Sermo is providing something which it's not yet. When they say "doctors", it shouldn't be something a simple smartass can get around. Our technique used no computer hacking skills of any sort, and we did not reveal any technical secrets. This is too simple a technique in our world of medical privacy, disclosure, licensing, and all that stuff. Sermo should have had this on the front burner long before they made the system public.


Posted by: Gene O.
on September 24, 2007 08:51 AM GMT

Gene O.,

Thanks for the comment. I still maintain that a private conversation with Sermo would have been the appropriate first step.

If you understand how the venture capital process works, you will understand that proof of concept / "traction" is required before any significant funding is usually committed. The $26 million in funding came in the last month, and Sermo has been open for 1 year. Your comment suggested that it had $20 million in the bank when the site was launched, which is incorrect. Now that they have the money, I am confident that the registration system will be improved.

I understand your sentiment and take your point, but you have gone about this the wrong way. Please consider this in the future.

grisdoc


Posted by: grisdoc
on September 24, 2007 10:29 AM GMT

For the record, we did contact Sermo and spoke with Greg Shenk about our concerns. His reply basically said MedGadget's post wasn't completely accurate (and it was the first we had heard about MedGadget's independent discovery of the same flaw, showing you that if two people could arrive at this conclusion independently, it is a serious concern), and claimed that Sermo rotates the authentication tokens. Our security consultant tried on three different occasions to register as different doctors, and on all three occasions he was presented with the same three security tokens (all of which are public information). After blaming it on their growing size, Mr. Shenk also said, "Nevertheless, we will be taking additional steps to address this." No timeline was given, and nothing was mentioned about what they are going to do to guarantee their current 30,000 members are actually physicians. Mr. Shenk declined to go into what these additional steps would be.

Earlier today, our security consultant tried again and found a new rotating authentication token, the physician's UPIN number (again, a public code easily looked up online), and something new: the last 4 digits of the physician's SS#. If you don't want to enter that information, then you have to be verified manually by the "Sermo Support Team."

There were no technological reasons why they chose to offer these new verification procedures only now. They did so only when pressed to do so because of websites like MedGadget that called them out publicly for a security model which clearly had not undergone any security testing by actual security experts.

I'm all for cutting corners, but doing so at the risk of one of the foundations of trust you're building your community on seems disingenuous at best. To shoot the messenger(s) is pointing at the wrong target. Instead, ask Sermo why they didn't implement these procedures from Day 1 to ensure all members of their community are truly physicians. Now, we will never know.


Posted by: John Grohol
on September 25, 2007 05:06 PM GMT

Sermo's been around for a year, and apparently thousands of "physicians" have been using it. It's irresponsible not to inform users that they could be dealing with non-physicians or that identity theft is a probable possibility.

We need to make sure that the message gets across that any info that people might have been reading as fact based on faith in the security of the system might not be so factual, trustworthy, or bias-free.

The users of the service need to know that any info they've come across in the past year is suspect. Whether or not it's the company doing the informing I don't think really matters in this case. This is what free press is all about. We're not being malicious. We're just concerned for our colleagues and our patients, not for a company's bottom-line.


Posted by: Justin B
on September 26, 2007 12:15 AM GMT

I would not be annoyed if any of my comments on Sermo were made public, so hack away; you'll not get much for your effort.


Posted by: Charles
on September 29, 2007 09:02 AM GMT

Regardless, saying you are a physician when you are not a physician... even if for "benevolent" reasons such as "outing" Sermo, is a misdemeanor in most States and in some a felony.


Posted by: mrmagoo
on March 29, 2008 11:59 AM GMT
