The Official Forum - Basketball - ArbiterPay Security Flaw
https://forum.officiating.com/basketball/99004-arbiterpay-security-flaw.html

The_Rookie Sat Jan 10, 2015 09:41am

Quote:

Originally Posted by BillyMac (Post 949457)
We service about seventy high schools in our local area. Three years ago, one high school used ArbiterPay. Last year a second school signed on. We have a total of four high schools using it this season. It's the wave of the future, and our state interscholastic sports governing body says that we have to sign up with ArbiterPay to receive our fees from these schools, and any future schools, that choose to use it. There's no choice on our part. We're independent contractors and they can pay us any way they (the schools) want to.

So I signed up this year, figuring I'm going get an assignment at an ArbiterPay high school eventually. Giving ArbiterPay my Social Security Number was one thing (we've been filling out W-9's for years at most schools (I hate it when they leave the forms on the scorers table)), but I hesitated when ArbiterPay asked me for my checking account number. But, like our state interscholastic sports governing body said, we have no choice, so I gave them the information that they wanted. Should I lose sleep over this?

Call me old school..but I am a cash and carry kinda guy...I will take a check at the table thank you very much!

RefCT Sat Jan 10, 2015 03:49pm

Salt please
 
Quote:

Originally Posted by Camron Rust (Post 949485)
Well, it can possibly be done but you will not be alive to see it done.

The algorithms are published. Even having them and knowing which one was used (as long it is a decent one) really doesn't help much. The math to go backwards from the hashed output to the original input is just too hard for even the best computers to execute in any amount of time that matters.

The typical way cracking works is to use social engineering to guess at what the person might use as a password and try different things until you get it right. They might also just try all combinations of letters, numbers, symbols, etc. until they get the match.

The problem with that is that any decent system will detect repeat failed attempts and just lock the account. So, to have any chance, the hacker needs to obtain a copy of the database so they can run the tests outside of the system. Once they figure it out, they can then use it to break into the account(s).

The hashing algorithms are, however, sufficiently complicated that it just takes too long for it to work well, if at all, as long as you don't use abc123 as your password.

Some older hashing systems have been partially broken but it takes a lot of time with some really powerful computers (ones too expensive for all but big businesses or the government to afford) to get there.

Here is an article that talks about a common encryption technique and how long it would take to crack it:
http://www.eetimes.com/document.asp?doc_id=1279619

Here is a quote from the article:

Most breaches in passwords are due to them either being stored in plain text or simply encrypted but the thief finds the encryption key and is able to decrypt them. Hashes, on the other hand, don't have such a key. They are just not practically reversible to get the original password.

Unless you're salting the hash as well, you are susceptible to rainbow tables to figure out the hashed values.

Camron Rust Sat Jan 10, 2015 05:20pm

Quote:

Originally Posted by RefCT (Post 949533)
Unless you're salting the hash as well, you are susceptible to rainbow tables to figure out the hashed values.

Indeed...salts dramatically improve it....but how deep do we want to go on this topic on a referee board. Probably too deep already.
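Added example (not from the thread or from any ArbiterPay code) illustrating the point made in Camron Rust's and RefCT's posts above: an unsalted hash is a repeatable mapping, so a stored digest of a weak password is found by a single lookup in a precomputed table, while a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here) makes such a table useless. The three weak passwords, the iteration count and the salt length are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "rainbow table" RefCT mentions: a lookup
# table precomputed from a few weak passwords (abc123 is the one named in
# the thread). Because an unsalted hash is deterministic, the stored
# digest alone is the lookup key.
WEAK_PASSWORDS = ["abc123", "password", "123456"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}

# Assumed work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def lookup_unsalted(stored_hex):
    """Return the password behind an unsalted SHA-256 digest if it is in the table."""
    return UNSALTED_TABLE.get(stored_hex)


def hash_password(password, salt=None):
    """Salted, iterated hash. A fresh 16-byte salt per user means two users with
    the same password store different values, and a table precomputed without
    that salt never matches. Stored form: '<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    """Contrast the two storage schemes for the weak password abc123."""
    unsalted = hashlib.sha256(b"abc123").hexdigest()
    salted_a = hash_password("abc123")
    salted_b = hash_password("abc123")
    return {
        "unsalted_recovered": lookup_unsalted(unsalted),              # "abc123"
        "salted_in_table": lookup_unsalted(salted_a.split("$")[1]),   # None
        "same_password_same_stored": salted_a == salted_b,            # False
        "verifies": verify_password("abc123", salted_a),              # True
        "rejects": verify_password("abc124", salted_a),               # False
    }
```

The account lockout Camron Rust describes stops online guessing; the salt and iteration count are what slow down guessing against a stolen copy of the table.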

RefCT Sat Jan 10, 2015 06:06pm

Agree
 
Quote:

Originally Posted by Camron Rust (Post 949539)
Indeed...salts dramatically improve it....but how deep do we want to go on this topic on a referee board. Probably too deep already.

Absolutely correct. I am hoping someone from Arbiter reads this since they don't seem to know what they are doing over there. Password encryption is the least of the basic technical issues I have seen. A classic case of growing too big too quickly.

Mark T. DeNucci, Sr. Sun Jan 11, 2015 12:02am

I am getting goose bumps reading all these posts about mathematics, algorithms, and encryption codes. :D

MTD, Sr.

Camron Rust Sun Jan 11, 2015 01:03am

Quote:

Originally Posted by RefCT (Post 949544)
Absolutely correct. I am hoping someone from Arbiter reads this since they don't seem to know what they are doing over there. Password encryption is the least of the basic technical issues I have seen. A classic case of growing too big too quickly.

I'm hoping they don't read it...and people move to my product as a result! :D

Mark T. DeNucci, Sr. Sun Jan 11, 2015 01:14am

Quote:

Originally Posted by Camron Rust (Post 949622)
I'm hoping they don't read it...and people move to my product as a result! :D

Good one.

MTD, Sr.

zm1283 Thu Apr 09, 2015 11:31pm

To rehash this thread: I tried logging on tonight to transfer money from ArbiterPay into my checking account. I logged on but when I click on anything on the site, it goes to a screen that says "Your connection is not private" and that "Attackers might be trying to steal your information".

That's comforting with a few thousand dollars sitting on their site with no way to transfer it to myself.

MD Longhorn Fri Apr 10, 2015 09:09am

Quote:

Originally Posted by johnny d (Post 949475)
I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

Let me simplify greatly (it's not THIS easy, but it illustrates the issue)...

What is 6x6? 36
What is 4x9? 36
What is 2x18? 36

If I told you that the question (algorithm) was AxB, and told you the answer (encryption) was 36 ... can you tell me, for sure, what A and B are? No.

HawkeyeCubP Fri Apr 10, 2015 10:04am

Quote:

Originally Posted by MD Longhorn (Post 960667)
Let me simplify greatly (it's not THIS easy, but it illustrates the issue)...

What is 6x6? 36
What is 4x9? 36
What is 2x18? 36

If I told you that the question (algorithm) was AxB, and told you the answer (encryption) was 36 ... can you tell me, for sure, what A and B are? No.

I was told there wouldn't be any math.

rsl Fri Apr 10, 2015 11:56am

Quote:

Originally Posted by HawkeyeCubP (Post 960673)
I was told there wouldn't be any math.

Come on, this is the first post in my many years reading the forum that I may know as much about the topic as Bob. But I will still listen to him- always listen to Bob!

luvhoops Fri Apr 10, 2015 04:47pm

Quote:

Originally Posted by Nevadaref (Post 949329)
This has now happened to me twice and I wanted to let as many of my fellow officials know about this so that you may take steps to protect yourself from possible theft.

I sent the email below as a response to ArbiterPay upon receiving the email generated by their system.

If/when I hear back from the people at ArbiterPay, I will update this thread.


==================================================
To Whom It May Concern with the ArbiterPay Support Team:

I need to bring a programming issue to your immediate attention on behalf of all of your customers.

I called and spoke with a customer service representative during the Fall of 2014 about this issue and it still has not been fixed. The problem is that when an individual changes his/her password, your system generates an automated email notifying the person of the change AND INCLUDES THE NEW PASSWORD!

Obviously, email is NOT secure and this process presents a serious breach in the security of your payment system. Any cyber-criminal who hacks into an individual's email account could obtain the login & password information for an official and then transfer any funds in his/her ArbiterPay account to themselves. This would leave the person who earned the money without pay.

Below is a copy of the email which I received today from your system with my personal password redacted as I do not wish to perpetuate the error of your system.

I ask that you immediately have someone from your programming team correct this issue such that the notification of change emails which are sent out no longer include this information. Please contact me to confirm that you received this email and will be correcting the issue.

(My real name)


> Date: Thu, 8 Jan 2015 20:43:55 -0500
> Subject: Modified login details for ArbiterPay
> To: (my email was here)
> From: [email protected]
>
> Your login details have been modified. Contact us immediately at [email protected] if you did not initiate this change.
>
> Username: (my email was here)
> Password: [my new password was listed here]
>
> Regards,
>
> ArbiterPay Support Team
>
>


Um, this is unacceptable in the IT/Finance world. Major, major no no. Passwords are NEVER to be sent via email.
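Added example, not ArbiterPay's code, showing the defect in the quoted notification next to a corrected version and a guard a mail-sending service can put in front of every outbound message. The usernames, the support address and the sample password are constructed for the demonstration.

```python
import re

# Any line that labels a credential field, regardless of case.
CREDENTIAL_FIELD = re.compile(r"^\s*(password|passwd|pin)\s*:", re.IGNORECASE | re.MULTILINE)


def build_change_notice_leaky(username, new_password):
    """'Before': the shape of the email quoted above, with the new password echoed
    back to the mailbox. Kept here only to show what the guard must catch."""
    return (
        "Your login details have been modified.\n"
        f"Username: {username}\n"
        f"Password: {new_password}\n"
    )


def build_change_notice(username, support_address):
    """'After': confirm that a change happened and how to dispute it. The legitimate
    user already knows the new password; anyone else reading the mailbox should not."""
    return (
        "Your login details have been modified. "
        f"Contact us immediately at {support_address} if you did not initiate this change.\n"
        f"Username: {username}\n"
    )


def outbound_guard(body, *secrets):
    """Refuse to send a message that carries a live secret or a credential-looking
    field. Returns the list of reasons; an empty list means the message may go out."""
    reasons = []
    if any(s and s in body for s in secrets):
        reasons.append("body contains a live credential")
    if CREDENTIAL_FIELD.search(body):
        reasons.append("body has a credential field")
    return reasons


def send_change_notice(username, new_password, support_address):
    """Build the safe notice and run it through the guard before it leaves."""
    body = build_change_notice(username, support_address)
    problems = outbound_guard(body, new_password)
    return (len(problems) == 0, body, problems)
```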

Texas Aggie Sat Apr 11, 2015 11:23pm

Quote:

I was told there wouldn't be any math.
I was told there was going to be refreshments served!

Now, wait a minute: what does encryption mean?? (J/K)

Reminds me a little of law school. During our Estates and Trusts class, there was some math to figure out who inherits what. One of the guys in my class had a math PhD from a previous life and offered to tutor anyone who didn't understand the math involved. I told him I would help (decent math background, but no math degree), and we spent a good afternoon going over this stuff with about 15 people. I think about 8 actually got it.

