Walgreens is one of the largest drugstores in the county and like millions I have used their pharmacy from time to time. As the digital world expands it’s becoming easier to conduct business across all aspects of life, including having your prescriptions refilled. A few years ago it was up to the customer to call in refills or remember to go pick them up. Today you can get phone call reminders and text messages.
Walgreens moved to using text alerts fairly recently to alert patients when their refills are due and even accepting responses to refill or not refill. A few days ago I get a new Walgreens text alert that they are going to be including the medicine’s name in the text alerts. I think this is very handy because if you have a family or yourself have multiple prescriptions on different refill schedules this can be a mystery on which one is up. However, this is not was I am surprised about, it’s what Walgreens added in the text that made my security bones shiver with approval.
Here’s the text message:
Walgreens: We will now include Rx name previews in select msgs. Note: SMS is unsecure & unencrypted. Text MORE for complete terms or to change your preferences.
Their addition of Note: SMS is unsecure & unencrypted floored me and will keep me a Walgreens customer, let me explain why.
Walgreens is the FIRST business, that I am aware of, that has ever acknowledged that using text messages over cellular (SMS) is insecure. This is a 100% correct statement.
In 2016 the National Institute of Standards and Technology (NIST) released a draft publication (Section 184.108.40.206) that stated using SMS for authentication purposes is not ideal. NIST also stated in the future they will prohibit SMS use in government systems. The reason being is that SMS can be intercepted, modified and pushed to unsuspecting individuals to say whatever the attacker wants which in turn makes it untrusted. This flaw cannot be fixed as it’s baked into the entire SMS architecture on how it works and to fix it would break every single device old and new that uses SMS.
Here are some excerpts from the advisory:
“Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators…”
“Out-of-band authentication using [SMS or voice] is deprecated, and is being considered for removal in future editions of this guideline.”
Although SMS use for messaging and used for multi-factor authentication for many sites and services, it’s not as secure as you think. Before you get all freaked out the threat is real but the risk of you being impacted by this is very, very low. You would have to be specifically targeted but the ability to carry it out by a hacker is not difficult with the right equipment. Regardless, from the security point of view, the risk of compromise is too high to allow it to be used for highly sensitive use like mutli-factor authentication or sending sensitive information.
Walgreens steps up the game and calls this out even though these text message are not used for authenticaiton. Although their new offering will be very convenient for customers Walgreens will be sending sensitive data over SMS. The icing on the cake is Walgreens offers the ability for customers to opt-out of these new messages.
Seeing what medicines or treatments someone is receiving could be used for malicious purposes. The fact Walgreens called this out directly to customers shows their understanding of this technology but their focus to keep customer’s health data secure. Other companies should take a note from Walgreens and get more up front and transparent to their own security practices.
I have discussions all the time with various business, mainly from non-technical areas, and argue that a business’s cybersecurity practices not only will become vital but can and should be turned into competitive advantages. Walgreens has done just that, bravo.
Keep the conversation going.
Be aware, be safe.