The Official Forum  

#1
Thu Jan 08, 2015, 10:00pm
Official Forum Member
 
Join Date: Nov 2002
Posts: 15,015
ArbiterPay Security Flaw

This has now happened to me twice and I wanted to let as many of my fellow officials know about this so that you may take steps to protect yourself from possible theft.

I sent the email below as a response to ArbiterPay upon receiving the email generated by their system.

If/when I hear back from the people at ArbiterPay, I will update this thread.


==================================================
To Whom It May Concern with the ArbiterPay Support Team:

I need to bring a programming issue to your immediate attention on behalf of all of your customers.

I called and spoke with a customer service representative during the Fall of 2014 about this issue and it still has not been fixed. The problem is that when an individual changes his/her password, your system generates an automated email notifying the person of the change AND INCLUDES THE NEW PASSWORD!

Obviously, email is NOT secure and this process presents a serious breach in the security of your payment system. Any cyber-criminal who hacks into an individual's email account could obtain the login & password information for an official and then transfer any funds in his/her ArbiterPay account to themselves. This would leave the person who earned the money without pay.

Below is a copy of the email which I received today from your system with my personal password redacted as I do not wish to perpetuate the error of your system.

I ask that you immediately have someone from your programming team correct this issue such that the notification of change emails which are sent out no longer include this information. Please contact me to confirm that you received this email and will be correcting the issue.

(My real name)


> Date: Thu, 8 Jan 2015 20:43:55 -0500
> Subject: Modified login details for ArbiterPay
> To: (my email was here)
> From: [email protected]
>
> Your login details have been modified. Contact us immediately at [email protected] if you did not initiate this change.
>
> Username: (my email was here)
> Password: [my new password was listed here]
>
> Regards,
>
> ArbiterPay Support Team
>
>
#2
Thu Jan 08, 2015, 11:35pm
Administrator
 
Join Date: Sep 1999
Location: Toledo, Ohio, U.S.A.
Posts: 8,124
Quote:
Originally Posted by Nevadaref (post #1, quoted in full)

Nevada:

I understand the seriousness of your post because Mark, Jr., and I have JrHSs and HSs in Michigan that use RefPay for the JrHS and HS sports we officiate in that state up North, and Mark, Jr., will receive his college softball fees through RefPay.

But you leaving your personal information in the email above reminded me of that great Mel Brooks movie, Blazing Saddles. Therefore:

Hedley Lamarr: "State after me: I, state your name."

Criminals and Scoundrels: "I, state your name."

Time for me to go to bed now. Night all.

MTD, Sr.
__________________
Mark T. DeNucci, Sr.
Trumbull Co. (Warren, Ohio) Bkb. Off. Assn.
Wood Co. (Bowling Green, Ohio) Bkb. Off. Assn.
Ohio Assn. of Basketball Officials
International Assn. of Approved Bkb. Officials
Ohio High School Athletic Association
Toledo, Ohio
#3
Fri Jan 09, 2015, 12:47am
Official Forum Member
 
Join Date: Oct 2007
Posts: 785
If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.
#4
Fri Jan 09, 2015, 02:15am
Archaic Power Monger
 
Join Date: Mar 2007
Location: Houston, TX
Posts: 5,983
Quote:
Originally Posted by Altor View Post
If they can include the password in the e-mail, that means they are also storing it in plain text. Another no-no.
This. That's a pretty serious issue that needs to be rectified immediately.
__________________
Even if you’re on the right track, you’ll get run over if you just sit there. - Will Rogers
#5
Fri Jan 09, 2015, 07:59am
Official Forum Member
 
Join Date: Oct 2014
Location: FL
Posts: 169
Nevada,

Thank you for sharing. That is not an acceptable security level. I have sent an email as well.
#6
Fri Jan 09, 2015, 09:17am
Official Forum Member
 
Join Date: Oct 2007
Posts: 785
Just checking on other things Arbiter. I went to https://nfhs.arbitersports.com and clicked the "forgot password" link. That took me to a site that looks like it is a single authentication point for all Arbiter sites. I typed my address in the box. They sent me my current password!

It's not just ArbiterPay. If you have an Arbiter account of any kind, this affects you.

If you are one of those people that has the same password everywhere, I suggest you change it everywhere. And when you change your Arbiter password, use a different password.

Even better: Don't use the same password twice. Instead use a password database like KeePass or LastPass.

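Posts #1 and #6 describe two symptoms of the same design: a change notification that repeats the new password, and a "forgot password" form that mails back the current one. The flow below is an added example (stdlib Python, not ArbiterPay's or ArbiterSports' code) of how both are normally done: only a salted PBKDF2-HMAC hash is stored, so the server is physically unable to mail a current password back; "forgot password" mails a single-use, time-limited link whose token is itself stored only as a hash; and the change notice carries no credential at all. The `AccountStore`/`Account` names, the PBKDF2 choice and iteration count, the 15-minute token lifetime and the `example.com` reset URL are all assumptions made for the example.

```python
"""Password change and reset that never put a password in an email.

Added example (stdlib only). Assumptions: PBKDF2-HMAC-SHA256 for storage,
a 15-minute reset-link lifetime, and a placeholder reset URL.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's current figure for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # assumption: reset links expire after 15 minutes
RESET_URL = "https://example.com/reset?token="   # placeholder, not a real endpoint


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    # Only a hash of the reset token is stored; the raw token exists once, in the email.
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def notification_email(email: str) -> str:
    """Change notice with no credential in it: the account holder already knows the password."""
    return (f"To: {email}\nSubject: Your password was changed\n\n"
            "Your login password was just changed. If you did not make this change, "
            "contact support immediately.")


def mail_leaks_secret(body: str, secret: str) -> bool:
    """Check worth running over every outgoing template: does the body contain the secret?"""
    return secret in body


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[email] = Account(email, salt, _hash_password(password, salt))

    def verify(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def _set_password(self, acct: Account, new_password: str) -> None:
        acct.salt = secrets.token_bytes(16)        # fresh salt on every change
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.reset_token_hash = None               # any outstanding reset link is now dead
        acct.reset_expires_at = 0.0

    def change_password(self, email: str, old_password: str, new_password: str) -> str:
        """Authenticated change; returns the notification email body."""
        if not self.verify(email, old_password):
            raise PermissionError("old password does not match")
        self._set_password(self._accounts[email], new_password)
        return notification_email(email)

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        """'Forgot password': returns the email body, which carries a link, never a password."""
        now = time.time() if now is None else now
        acct = self._accounts.get(email)
        if acct is None:   # same wording for unknown addresses, so the form reveals no accounts
            return "If an account exists for this address, a reset link has been sent."
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_expires_at = now + RESET_TOKEN_TTL
        return (f"Use this link within {RESET_TOKEN_TTL // 60} minutes to choose "
                f"a new password: {RESET_URL}{token}")

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: Optional[float] = None) -> str:
        """Consumes the token (single use) and returns the notification email body."""
        now = time.time() if now is None else now
        acct = self._accounts.get(email)
        if acct is None or acct.reset_token_hash is None or now > acct.reset_expires_at:
            raise PermissionError("reset link invalid or expired")
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(acct.reset_token_hash, presented):
            raise PermissionError("reset link invalid or expired")
        self._set_password(acct, new_password)     # also clears the token
        return notification_email(email)


def reset_is_rejected(store: AccountStore, email: str, token: str,
                      new_password: str, now: float) -> bool:
    """True when complete_reset refuses a wrong, expired or already-used token."""
    try:
        store.complete_reset(email, token, new_password, now=now)
    except PermissionError:
        return True
    return False
```

Two details carry the security weight. The reset token is hashed before it is stored, so a database read or a log line showing the stored column cannot be turned into a working link, and `_set_password` clears it so a link works once at most. Both the notification and the reset mail are built from templates that have no access to the password variable at all, which is a cheaper guarantee than trying to redact it afterwards; `mail_leaks_secret` is the kind of assertion worth adding to the test suite for every outgoing template.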
#7
Fri Apr 10, 2015, 04:47pm
Official Forum Member
 
Join Date: Jan 2015
Posts: 40
Quote:
Originally Posted by Nevadaref (post #1, quoted in full)

Um, this is unacceptable in the IT/Finance world. Major, major no no. Passwords are NEVER to be sent via email.
#8
Sat Apr 11, 2015, 11:23pm
Official Forum Member
 
Join Date: Mar 2004
Posts: 2,193
Quote:
I was told there wouldn't be any math.
I was told there was going to be refreshments served!

Now, wait a minute: what does encryption mean?? (J/K)

Reminds me a little of law school. During our Estates and Trusts class, there was some math to figure out who inherits what. One of the guys in my class had a math PhD from a previous life and offered to tutor anyone who didn't understand the math involved. I told him I would help (decent math background, but no math degree), and we spent a good afternoon going over this stuff with about 15 people. I think about 8 actually got it.
