GLOBAL MMA
Security issues w/ UFC fight pass

adam
Location : america
Posts : 1207
Join date : 2013-02-01

Mon Jan 13, 2014 4:02 pm
via bloody elbow

http://www.bloodyelbow.com/2014/1/13/5295434/ufc-fight-pass-security-issues-credit-cards-hackers-fraud

Ian Kidd wrote: The UFC's Fight Pass has launched to mixed reviews. Generally the feeling is that once it's up and running as promised, it's going to be pretty great. There are a few teething problems at the moment - in terms of content delivery and user friendliness - which Trent Reinsmith covered in detail here.

My concern is less with that, and more with the security and support side of things. My background is in developing software solutions for companies' online web presence, and security of user data is a pretty fundamental pillar of that. The security of user data on UFC.TV, which is the home of the user data for fight pass, has some flaws which are sounding alarms with many, myself included.

User passwords are shown in plain text (you can test this by telling the UFC.TV site you forgot your password. They'll email you your own password.) In short, what this means is your password is at some point visible to anyone with access to the UFC's user database. That means UFC employees, and anyone who may gain access to it through nefarious means, such as hacking the UFC's DB server, which is a relatively common type of web hack, can see the password you use on UFC.TV.

To elaborate, what usually happens when you set a password for a website is that password is encrypted and/or hashed; it's turned into a string of numbers and letters much longer than your original password through a cryptographic process. The server never actually stores your password; it only ever stores this string of numbers and letters, and if someone gets access to the server they have to be able to crack this encryption to see your original password. UFC.TV simply has your unencrypted password stored somewhere. It's possible the passwords are encrypted, and the UFC also stores & uses the decryption key on the server. This means anyone with access to the server can decrypt your password anyway, though, making it pointless from a security standpoint.

I always advise people to never use the same password for more than one service, but the truth is, no one can remember 300 different passwords and some re-use will occur. The UFC's setup makes it easy for people to see your password; they'll even email it out to you completely unencrypted/unhashed if you use the 'forgot password' function. If anyone ever gets access to your email account, they can now find out what at least one of your passwords is. If they have access to the UFC servers? They now know what at least one of your passwords is. If the UFC gets hacked like LinkedIn, which recently had 6.5 million encrypted passwords stolen, hackers now have at least one of your passwords... And, almost certainly, your email address to go with it.

Hackers love it when sites do this, because it allows them to create and sell huge 'dumps' of emails with matching passwords. Unscrupulous groups then buy these dumps, and start trying that combination anywhere an email address is used as a login name. Do you use the same password for your PayPal account? Your Xbox Live account? Your Amazon account? Hackers could now have access to accounts they can use to purchase things using your credit cards, all because one site didn't properly protect your password; UFC.TV.

There are other issues as well. Personal information such as name and address appears to be unencrypted/unhashed. There is no way to remove your credit card information once it's in there; you can only edit it, and the edited number has to be a valid credit card. This means you can't just put fake numbers in there to protect your data. Currently, credit card is the only way to pay. If you want Fight Pass, you have to give the UFC your credit card information. It should be noted that there is no evidence that credit card information is stored in an unencrypted format.

If you decide you want to cancel your subscription, there's no "cancel" button. You have to manually email the UFC support team who currently have a response time of about one week.

Our own Steph Daniels requested her account be cancelled and credit card information removed on Saturday 4th January at 4:38pm Pacific, pasted below:

You have numerous issues with this system, the foremost being the lack of security with the passwords being stored in plaintext. Considering the fact that your sites were overrun by hackers recently, I would like to cancel my Fight Pass trial and subscription. I am also requesting that my credit card information be deleted, as you do NOT provide this option to your subscribers. Thank you.

She received an automated email informing her that the UFC had received the email and had created a ticket for her 7 minutes later at 4:45pm Pacific, pasted below:

Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately.

Ticket ID: [REMOVED]

Subject: Please cancel my account to Fight Pass

Department: UFC

Type: Issue

Status: Open

Priority: Normal

Do you have questions regarding FIGHT PASS? Please visit our FAQ located at http://www.ufc.com/ufc-tv-help

Kind regards,

On Thursday the 9th of January at 1:19pm Pacific, five days later, she received her first response from a human, pasted below:

Thank you for your inquiry.

Please provide us with your UFC.tv username (alphanumeric characters only, cannot be a complete email address) so that we can further assist you.

If you are unsure of your UFC.tv username (login) please provide us with the cardholder name, phone number, billing address and last 4-digits of the credit card that was entered during registration.

If you paid using PayPal we will need the Email address associated with your PayPal account, the Party ID# or transaction confirmation number found on your receipt confirmation sent from PayPal.

Best regards,

UFC.TV Support

Interestingly, Fight Pass has no PayPal payment method at the moment that I am aware of.

I reached out to the UFC several times since Saturday the 4th of January, with a number of questions covering these issues and their plans for addressing the problems going forward. Eventually I was put in touch with Ant Evans on January 9th, who proceeded to decline to respond to any of the questions I raised, stating:

"Thank you for your email. We will pass on this opportunity at this time."

Below are the questions as sent to the UFC.

1) Currently UFC.TV stores user passwords in plaintext/cleartext, which is a potential security flaw for a few reasons. Does the UFC have any plans to start encrypting user passwords, and if so what is the time frame for this?

2) What encryption methods does the UFC use to protect other potentially sensitive user information, such as name and address?

3) What encryption methods does the UFC use to protect credit card information?

4) Currently there is no way for someone to remove their credit card information through the account settings page on UFC.TV, is this functionality something the UFC plans to add, and if so what is the time frame for this?

5) Currently the only payment method available is credit card. Are there any plans to support other payment methods that allow people to avoid exposing their credit card information, such as PayPal?

6) Currently the only way to cancel a Fight Pass subscription is by emailing the support team, which at the moment is taking about a week to respond to people. There are some security issues associated with this method of cancellation (e.g. spoofed email addresses being used to cancel accounts, since a validated login isn't required). Can you let me know what steps the UFC takes to prevent this?

7) Are there any plans to include a "cancel my subscription" button on UFC.TV, as is the industry standard? If so, what is the time frame for this?

8) When will the prelims become limited to Fight Pass subscribers, and how does this affect international viewers who are currently unable to sign up to Fight Pass?

Yep, this trash is already backfiring and a matter of time before this idea goes down the drain.

Sounds like some bush league service IMO
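
An added example, not part of the original post or the quoted article: a Python sketch of the storage model the article describes as normal practice (the server keeps only a salted, slow hash) together with a forgot-password flow that emails a single-use token rather than the password. The function names, iteration count and token lifetime are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000   # PBKDF2 work factor (assumed value for this example)
RESET_TTL = 15 * 60    # seconds a reset token stays valid (assumed)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hash_password(password):
    """Build the stored record: random per-user salt plus digest, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _kdf(password, salt)}

def verify_password(record, attempt):
    """Re-derive the digest from the attempt and compare in constant time."""
    return hmac.compare_digest(_kdf(attempt, record["salt"]), record["digest"])

def start_reset(record, now=None):
    """Forgot-password step 1: issue a random token and store only its hash."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    record["reset_expires"] = (time.time() if now is None else now) + RESET_TTL
    return token  # placed in the emailed link; the password itself is never sent

def finish_reset(record, token, new_password, now=None):
    """Forgot-password step 2: accept the token once, before expiry, then re-hash."""
    now = time.time() if now is None else now
    stored = record.get("reset_hash")
    if stored is None or now > record["reset_expires"]:
        return False
    if not hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest()):
        return False
    record.update(hash_password(new_password))
    del record["reset_hash"], record["reset_expires"]  # token is single use
    return True

if __name__ == "__main__":
    user = hash_password("hunter2-constructed")   # constructed sample password
    link_token = start_reset(user)
    print(finish_reset(user, link_token, "new-constructed-pw"))
    print(verify_password(user, "new-constructed-pw"))
```

With this layout a copy of the user table yields salts and digests only, and a read of the mailbox yields a token that is already spent or expired.
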
kayneoTheRisingWarrior
Location : earthrealm
Posts : 1520
Join date : 2013-11-08

Mon Jan 13, 2014 5:33 pm
[Image: 63q3f]


stu3ufc
Posts : 5136
Join date : 2011-11-12

Mon Jan 13, 2014 7:26 pm
kayneo lol
megaronnie
Location : soho rooftops
Posts : 434
Join date : 2013-07-15

Mon Jan 13, 2014 7:51 pm
too many empty posts in this thread. Also if you are dumb enough to actually pay for ufc fight pass or any other half assed attempt by zuffa to pad their pockets you deserve to have your bank accounts open for luffa big wigs to gamble away your money on fixed fights, aka every gsp fight not including sierra ever. Yes Matt hughes left his head exposed on purpose.
CDF47
G-MMA Rankings
Location : United States
Posts : 13469
Join date : 2011-12-04

Mon Jan 13, 2014 8:03 pm
kayneoTheRisingWarrior wrote: [Image: 63q3f]



LOL
KSW
Location : Sweden
Posts : 9334
Join date : 2011-11-12

Tue Jan 14, 2014 4:19 am
Unprofessional
Sonatine
Location : UK
Age : 39
Posts : 747
Join date : 2012-03-31

Tue Jan 14, 2014 3:08 pm
It's zoofa, they do everything half-assed. This latest attempt to fleece the fans is no different. Like I said, you'd have to be a moron to register your credit card to this. But then our so-called "media" are morons so it makes sense that they'd register, for example.


Last edited by Sonatine on Tue Jan 14, 2014 3:12 pm; edited 1 time in total
adam
Location : america
Posts : 1207
Join date : 2013-02-01

Tue Jan 14, 2014 3:12 pm
funny that they even cheap skate on their web site.
Slugger O'Toole
Location : in HELL
Posts : 136
Join date : 2012-12-31

Wed Jan 15, 2014 2:53 am
I signed up for fight pass and now my bank is saying I bought $1500 worth of wallet chains and flame decals
Dagwood
Location : Canada
Age : 58
Posts : 4205
Join date : 2011-11-14
http://www.global-mma.com/

Wed Jan 15, 2014 3:00 am
Slugger O'Toole wrote: I signed up for fight pass and now my bank is saying I bought $1500 worth of wallet chains and flame decals

They're trying to just bleed your bank account.