Thu Jan 08, 2015, 10:00pm
Nevadaref
ArbiterPay Security Flaw

This has now happened to me twice and I wanted to let as many of my fellow officials know about this so that you may take steps to protect yourself from possible theft.

I sent the email below as a response to ArbiterPay upon receiving the email generated by their system.

If/when I hear back from the people at ArbiterPay, I will update this thread.


==================================================
To Whom It May Concern with the ArbiterPay Support Team:

I need to bring a programming issue to your immediate attention on behalf of all of your customers.

I called and spoke with a customer service representative during the Fall of 2014 about this issue and it still has not been fixed. The problem is that when an individual changes his/her password, your system generates an automated email notifying the person of the change AND INCLUDES THE NEW PASSWORD!

Obviously, email is NOT secure and this process presents a serious breach in the security of your payment system. Any cyber-criminal who hacks into an individual's email account could obtain the login & password information for an official and then transfer any funds in his/her ArbiterPay account to themselves. This would leave the person who earned the money without pay.

Below is a copy of the email which I received today from your system with my personal password redacted as I do not wish to perpetuate the error of your system.

I ask that you immediately have someone from your programming team correct this issue such that the notification of change emails which are sent out no longer include this information. Please contact me to confirm that you received this email and will be correcting the issue.

(My real name)


> Date: Thu, 8 Jan 2015 20:43:55 -0500
> Subject: Modified login details for ArbiterPay
> To: (my email was here)
> From: [email protected]
>
> Your login details have been modified. Contact us immediately at [email protected] if you did not initiate this change.
>
> Username: (my email was here)
> Password: [my new password was listed here]
>
> Regards,
>
> ArbiterPay Support Team
>
>
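An outbound-mail check for the flaw described in the post, as an added example that is not part of the original post or ArbiterPay's code: it parses a notification message, decodes its text parts, and reports whether the body carries the new password or a credential-style line. The addresses, the sample password and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

# A body line such as "Password: <value>" in an outbound notification.
CRED_LINE = re.compile(r"^\s*(password|passcode|pin)\s*[:=]\s*\S", re.I | re.M)

def body_text(raw):
    """Parse an RFC 5322 message and return its decoded text parts."""
    msg = message_from_string(raw, policy=policy.default)
    # get_content() undoes base64 / quoted-printable transfer encodings.
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def leaks_credential(raw, new_password=None):
    """Return the reasons to block this outbound message (empty list = send)."""
    text = body_text(raw)
    reasons = []
    if new_password and new_password in text:
        reasons.append("body contains the account's new password")
    for m in CRED_LINE.finditer(text):
        reasons.append(f"credential-style line: {m.group(1)}: <redacted>")
    return reasons

# Constructed sample messages (not real ArbiterPay mail).
HEAD = ("From: support@example.test\nTo: official@example.test\n"
        "Subject: Modified login details\n")
LEAKY = HEAD + ("\nYour login details have been modified.\n\n"
                "Username: official@example.test\nPassword: Example-Pw-123\n")
# Same leak, but base64-encoded: a plain string search of the raw message misses it.
ENCODED = (HEAD + "Content-Type: text/plain; charset=utf-8\n"
           "Content-Transfer-Encoding: base64\n\n"
           + base64.b64encode(b"Password: Example-Pw-123\n").decode() + "\n")
# Notification that reports the change without carrying the secret.
SAFE = HEAD + ("\nYour password was changed. Contact support immediately "
               "if you did not initiate this change.\n")

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("encoded", ENCODED), ("safe", SAFE)):
        print(name, leaks_credential(raw, "Example-Pw-123") or "ok to send")
```
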