Resident questions security of FATHOM websites UPDATED
By LYNETTE SOWELL
Cove Leader-Press
A Copperas Cove resident approached the Copperas Cove city council at its Tuesday meeting during citizens’ forum, questioning the security of the website gwfathom.com along with FATHOM’s website 2turniton.com, both available to city utility customers for paying their bills and for having utility service turned on.
Joseph Richardson said he recently moved back to Copperas Cove and became aware of FATHOM along with issues in the utility billing. However, he brought his own concern to the council.
“I work for a multinational corporation as a senior security analyst in cyber security. When I first got here and started taking a look at what was going on, that was the first thing I did. I was shocked to find out that it was a total failure,” he told the council.
He said the 2turniton.com website, the one customers can use for turning on their services, receives an “F” rating from Qualys SSL Labs.
He added that the server that supports 2turniton.com is susceptible to a “Man-in-the-Middle” attack.
“While that generally means their system already has to be compromised, that means they are susceptible to these attacks that have been well-known since 2009. They’ve done nothing on their servers to remediate it,” Richardson said. He added that the company he works for currently works on remediating issues like this.
“Oftentimes you’ll see it in companies who are dealing with really old clients who haven’t moved from server 2003 or Windows XP to modern servers. The other problem is that (FATHOM doesn’t) actually have their own servers.
“If you go to the gwfathom.com webpage and you check it with SSL.com, you find that their webpages are hosted with WordPress. WordPress has an interesting history of being susceptible to malware attacks. Last year WordPress itself was used in several well-known worldwide attacks.”
Richardson told the council he’s hesitant to give his credit card information, or any information, to a company that’s using insecure platforms.
“They don’t have their own SSL certificate. If you go to gwfathom.com, they are relying on WordPress to conduct business, so you have a certificate mismatch. There’s some trust issues involved here.” Richardson then showed the council members the rating results on SSL.com. “This is the SSL Labs rating for the 2turniton webpage; you will note that they have a susceptibility and insecure encryption algorithms. This is the platform on which our council is allowing citizens to submit their credit card, checking account, and addresses.
“I have been communicating on the Neighborhood website and I’ve been trying to tell people not to use the platforms. I don’t want my credit card information stolen. I don’t know if it will be, but it could be… Susceptibility to attacks makes them questionable.”
Although the council was not able to respond during citizens’ forum, at the close of the meeting councilman James Pierce Jr. called on the city manager to check further into the information that Richardson brought to the council and to report back to the council. The other council members agreed with Pierce.
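The certificate mismatch Richardson describes, a site served under a hosting platform's certificate rather than one issued for the site's own name, is what a hostname-matching check catches. The following is an added example, not code from the article, FATHOM or Qualys; the certificate data, the domain names in it and the check_live_host helper are constructed assumptions.

```python
"""Check whether a TLS certificate's names cover a requested hostname.
Added example, not from the article or from FATHOM/Qualys. PLATFORM_CERT is
constructed to model the mismatch described: a site served under a hosting
platform's certificate rather than one issued for the site's own name.
"""
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate dNSName against a hostname.
    Only a whole leftmost label may be a wildcard, and it matches exactly one
    label: '*.example.com' covers 'www.example.com' but not 'example.com'
    or 'a.b.example.com'. Comparison is case-insensitive.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # '*.com' is too broad; a wildcard spans one label only
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert: dict, hostname: str) -> bool:
    """True when a dNSName SAN (or the CN, if the cert has no SAN) matches."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificate without a subjectAltName extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(name_matches(n, hostname) for n in names)


def check_live_host(hostname: str, port: int = 443) -> dict:
    """Report negotiated protocol, cipher and whether the cert names the host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; name match reported below
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "covers_host": certificate_covers(tls.getpeercert(), hostname)}


# Constructed certificate in the shape ssl.SSLSocket.getpeercert() returns.
PLATFORM_CERT = {
    "subject": ((("commonName", "*.hostingplatform.example"),),),
    "subjectAltName": (("DNS", "*.hostingplatform.example"),
                       ("DNS", "hostingplatform.example")),
}
```

Running certificate_covers(PLATFORM_CERT, "utility-site.example") returns False, which is the mismatch a browser would flag; check_live_host needs network access and reports the same verdict for a real host.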
UPDATE FROM FATHOM 8/16/17 10:08 a.m.
“Customer safety and the security of personal information is a top priority to FATHOM. We take active steps to ensure all online bill payments and customer dashboards securely handle sensitive personal information. While marketing websites are hosted on the common WordPress platform, they do not handle sensitive information. Customer billing portals redirect to a highly secure server with added protection features. In addition, FATHOM employs a third party information security company – Qualys, the parent company to SSL Labs – to regularly scan each of its websites for vulnerabilities. 2turniton.com is not a FATHOM-owned property, and is outside FATHOM’s domain of direct control.” - Jason Bethke, President and Chief Growth Officer, FATHOM