ArbiterPay Security Flaw

[Nevadaref]

This has now happened to me twice and I wanted to let as many of my fellow officials now about this so that you may take steps to protect yourself from possible theft.

I sent the email below as a response to ArbiterPay upon receiving the email generated by their system.

If/when I hear back from the people at ArbiterPay, I will update this thread.


==================================================
To Whom It May Concern with the ArbiterPay Support Team:

I need to bring a programming issue to your immediate attention on behalf of all of your customers.

I called and spoke with a customer service representative during the Fall of 2014 about this issue and it still has not been fixed. The problem is that when an individual changes his/her password, your system generates an automated email notifying the person of the change AND INCLUDES THE NEW PASSWORD!

Obviously, email is NOT secure and this process presents a serious breach in the security of your payment system. Any cyber-criminal who hacks into an individual's email account could obtain the login & password information for an official and then transfer any funds in his/her ArbiterPay account to themselves. This would leave the person who earned the money without pay.

Below is a copy of the email which I received today from your system with my personal password redacted as I do not wish to perpetuate the error of your system.

I ask that you immediately have someone from your programming team correct this issue such that the notification of change emails which are sent out no longer include this information. Please contact me to confirm that you received this email and will be correcting the issue.

(My real name)


> Date: Thu, 8 Jan 2015 20:43:55 -0500
> Subject: Modified login details for ArbiterPay
> To: (my email was here)
> From: [email protected]
>
> Your login details have been modified. Contact us immediately at [email protected] if you did not initiate this change.
>
> Username: (my email was here)
> Password: [my new password was listed here]
>
> Regards,
>
> ArbiterPay Support Team
>
>

[Mark T. DeNucci, Sr.]

Quote:

Originally Posted by Nevadaref

This has now happened to me twice and I wanted to let as many of my fellow officials now about this so that you may take steps to protect yourself from possible theft.

I sent the email below as a response to ArbiterPay upon receiving the email generated by their system.

If/when I hear back from the people at ArbiterPay, I will update this thread.


==================================================
To Whom It May Concern with the ArbiterPay Support Team:

I need to bring a programming issue to your immediate attention on behalf of all of your customers.

I called and spoke with a customer service representative during the Fall of 2014 about this issue and it still has not been fixed. The problem is that when an individual changes his/her password, your system generates an automated email notifying the person of the change AND INCLUDES THE NEW PASSWORD!

Obviously, email is NOT secure and this process presents a serious breach in the security of your payment system. Any cyber-criminal who hacks into an individual's email account could obtain the login & password information for an official and then transfer any funds in his/her ArbiterPay account to themselves. This would leave the person who earned the money without pay.

Below is a copy of the email which I received today from your system with my personal password redacted as I do not wish to perpetuate the error of your system.

I ask that you immediately have someone from your programming team correct this issue such that the notification of change emails which are sent out no longer include this information. Please contact me to confirm that you received this email and will be correcting the issue.

(My real name)


> Date: Thu, 8 Jan 2015 20:43:55 -0500
> Subject: Modified login details for ArbiterPay
> To: (my email was here)
> From: [email protected]
>
> Your login details have been modified. Contact us immediately at [email protected] if you did not initiate this change.
>
> Username: (my email was here)
> Password: [my new password was listed here]
>
> Regards,
>
> ArbiterPay Support Team
>
>

Nevada:

I understand the seriousness of your post because Mark, Jr., and I have JrHSs and HSs in Michigan that use RefPay for the JrHS and HS sports we officiate in that state up North, and Mark, Jr., will receive his college softball fees through RefPay.

But you leaving your personal information in the email above reminded my of that great Mel Brooks movie, Blazing Saddles. Therefore:

Hedly Lamarr: "State after me: I, state your name."

Criminals and Scroundrals: "I, state your name."

Time for me to go to bed now. Night all.

MTD, Sr.

[Altor]

If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.

[Welpe]

Quote:

Originally Posted by Altor

If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.

This. That's a pretty serious issue that needs to be rectified immediately.

[griblets]

Nevada,

Thank you for sharing. That is not an acceptable security level. I have sent an email as well.

[Altor]

Just checking on other things Arbiter. I went to https://nfhs.arbitersports.com and clicked the "forgot password" link. That took me to a site that looks like it is a single authentication point for all Arbiter sites. I typed my address in the box. They sent me my current password!

It's not just ArbiterPay. If you have an Arbiter account of any kind, this affects you.

If you are one of those people that has the same password everywhere, I suggest you change it everywhere. And when you change your Arbiter password, use a different password.

Even better: Don't use the same password twice. Instead use a password database like KeePass or LastPass.

[Camron Rust]

The fact that they can send you your password in an email when you change it doesn't necessarily mean they store it in plain text. They could insert it into the email prior to transforming it and storing it.

The fact that they can send you your password by email at a later time also doesn't mean they're storing it in plain text. Data can be encrypted and stored and then decrypted when needed. They very well may be storing the passwords in an encrypted form that is not directly useful to a hacker or malicious employee. But, they are using a 2-way encryption method that allows the data to be decrypted. There will be a "key" that is used to encrypt and decrypt the data. If someone gets the data and the key, then they have the passwords.

The right way to handle passwords (and the way I handle passwords) is to use a 1-way hash on the password before storage. This method is not new and is used by a lot of websites.

When passwords are stored that way, it is impossible to ever determine what the person's password is. I have direct access to the database and the programming of reftown.com and even I can't tell what the actual password is for any of my users.

When a someone sets a password, it is passed through a 1-way encryption and then stored. When they log in, the attempted password is also passed through the 1-way encryption. If the two encrypted values match (the one from the database and the one from the attempted password), the user is allowed in.

This implies that the only way to get someone's password from such a system is to either intercept it before it gets to the server (using https solves that) or guessing at the password and seeing if it creates a match after encrypting. Using long and complicated passwords essentially makes that impossible.

What that also implies is that you have to reset your password if you ever forget it. There are a few ways to do that. You can use temporary passwords that require a change on the first use. Or, you can use 1-time use password reset links that give the user a password and allow them to change it.

Any website that can send you your password is not storing your password as securely as is possible. If it is recoverable, then a hacker can potentially download the entire user list and see everyone's password. If you use the same password at other sites, then every account you use it at is potentially compromised.

[LRZ]

What is a "1-way hash"?

[mutantducky]

When I first singed up for Arbiter I was perplexed with their lack of complex security especially with SSN. I emailed my concerns years back and it seems like the problems still remain especially with encryption. I could be wrong because I don't know what is going on behind the scenes but it just seems with the personal info on there they need to improve their cyber security a lot.

[Welpe]

Quote:

Originally Posted by LRZ

What is a "1-way hash"?

Basically it's like a one way valve for encryption. Passwords sent to the server (in this case Arbiter) are transformed into output that is jibberish to a person but can be understood by the program that has the right key. It's one way because the converted data cannot be transformed back into the original password and sent back to anybody requesting it.

It's like the roach motel of passwords.

http://www.webopedia.com/TERM/O/one-..._function.html

[BillyMac]

We service about seventy high schools in our local area. Three years ago, one high school used ArbiterPay. Last year a second school signed on. We have a total of four high schools using it this season. It's the wave of the future, and our state interscholastic sports governing body says that we have to sign up with ArbiterPay to receive our fees from these schools, and any future schools, that choose to use it. There's no choice on our part. We're independent contractors and they can pay us any way they (the schools) want to.

So I signed up this year, figuring I'm going get an assignment at an ArbiterPay high school eventually. Giving ArbiterPay my Social Security Number was one thing (we've been filling out W-9's for years at most schools (I hate it when they leave the forms on the scorers table)), but I hesitated when ArbiterPay asked me for my checking account number. But, like our state interscholastic sports governing body said, we have no choice, so I gave them the information that they wanted. Should I lose sleep over this?

[Mark Padgett]

Quote:

Originally Posted by BillyMac

but I hesitated when ArbiterPay asked me for my checking account number. But like our state interscholastic sports governing body said, we have no choice, so I gave them the information that they wanted. Should I lose sleep over this?

I have a friend who, a few years ago, was in a similar situation. A company who was going to send him pay for work he was doing as an independent contractor asked for his account number so they could do direct deposit. He went to his bank, opened up a savings account with $20 (their minimum), gave that number to them and then, whenever he got paid, would just make a withdrawal and put the money in his regular account.

[Camron Rust]

Quote:

Originally Posted by LRZ

What is a "1-way hash"?

It is a transformation of the data from one form to another cryptic form such that you can never reverse the operation. I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

The only thing you can do with it is use it to confirm that newly supplied information is the same as previously supplied information.

It goes like this:

1. You set a new password.....abc123
2. That password gets converted to dlkVj08.9Auf3@uQl839&dRsa
3. That converted value is stored in the database with your username
4. Later, you log in and provide abc123 as your password
5. The system converts that in to the same as above (the conversion is repeatable).
6. Since you provided the same password as you set up in step 1, the converted values will match and you are allowed in.

A similar technique is used to sign documents or files for downloads. The publisher of the file provides and MD5 checksum (and it is only 32 ascii characters long). If you get the file from an alternate source and check the MD5 of the file you recieved and it matches the one provided by the original publisher, you can be assured that the entire file is the exactly the same. Change even one character anywhere in the file and the MD5 checksum changes dramatically.

[johnny d]

Quote:

Originally Posted by Camron Rust

I could give you my password in the transformed format and, even if you had a powerful computer working on it for years, you'd never be able to figure out the original password....even if you knew the exact algorithm I used to transform it.

I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

[Camron Rust]

Quote:

Originally Posted by johnny d

I find the bolded, underlined part very hard to believe, especially if the process is repeatable such that each time you enter the same sequence of letters, numbers, and symbols, they get converted into the exact same sequence of new letters, numbers, and symbols over and over again. It would not take a human cryptographer years to break that system, let alone a computer. Even without the algorithm, if you have access to multiple passwords and what they are converted to, it would not take that long to determine the algorithm.

Well, it can possibly be done but you will not be alive to see it done.

The algorithms are published. Even having them and knowing which one was used (as long it is a decent one) really doesn't help much. The math to go backwards from the hashed output to the original input is just too hard for even the best computers to execute in any amount of time that matters.

The typical way cracking works is to use social engineering to guess at what the person might use as a password and try different things until you get it right. They might also just try all combinations of letter, numbers, symbols, etc. until they get the match.

The problem with that is that any decent system will detect repeat failed attempts and just lock the account. So, to have any chance, the hacker needs to obtain a copy of the database so they can run the tests outside of the system. Once the figure it out, they can then use it to break into the account(s).

The hashing algorithms are, however, sufficiently complicated that it just takes too long for it to work well, if at all, as long as you don't use abc123 as your password.

Some older hashing systems have been partially broken but it takes a lot of time with some really powerful computers (ones too expensive for all but big businesses or the government to afford) to get there.

Here is an article that talks about a common encryption technique and how long it would take to crack it:
http://www.eetimes.com/document.asp?doc_id=1279619

Here is a quote from the article:

Quote:

As shown above, even with a supercomputer, it would take 1 billion billion years to crack the 128-bit AES key using brute force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.

Most breaches in passwords are due to them either being stored in plain text or simply encrypted but the thief finds the encryption key and is able to decrypt them. Hashes, on the other hand, don't have such a key. They are just not practically reversible to get the original password.