FIDE (Fédération Internationale des Échecs) is the world federation for the planet’s greatest sport, chess.
(By the way, don’t try to suggest that other sports like football, cycling or tiddlywinks are better than chess – I won’t agree with you.)
I received a tip-off last night that FIDE might be letting the side down when it comes to website security and privacy.
Here’s what happens.
If you visit FIDE’s “Online Arena” at arena.myfide.net you are invited to create an account so you can play official online FIDE-rated tournaments.
So, I created an account using the chess playing moniker of Arnold Aardvark.
Everything looks alright so far, right?
So, let’s logout, and pretend that I have forgotten my password already. Luckily, the FIDE site has an option for users who find themselves in that predicament.
Sure enough, in the blink of an eye I receive an email from the site in my inbox.
I hope you see the problem.
I’ve just been emailed my account password. That means that the FIDE Arena website is not storing my password securely. If it was taking security seriously, it would have run my password through a one-way hash and stored only that, meaning *no-one* (not even the mighty FIDE) would ever be able to tell me what my password was, other than myself.
And not only have they shown that they can access my password, but they have also sent it to me via the insecure channel of unencrypted email.
What the website should have done is sent me a link to *reset* my password. Remember: reset, don’t remind.
All this would be bad enough, but then I dug a little further into arena.myfide.net, wondering what goodies I might receive if I became a paid-up member.
And there lies the next problem. The FIDE Arena site is very keen to verify your identity before allowing you to become a member – which is reasonable enough if it’s planning to manage your FIDE chess rating.
However, the site wants you to upload official identity documents, such as a passport, to its server.
In order to acquire a FIDE number, normal FIDE ID verification is necessary; therefore please upload a scan or photo of a valid identity document, with your photo, name and date of birth clearly visible.
Remember this is the website which has just proven it isn’t storing your passwords securely.
Furthermore, the form to upload your passport isn’t even using HTTPS, meaning anything you upload is unencrypted and could be grabbed en route by an attacker.
Sigh…
Fortunately when it comes to payment, the site uses PayPal – so at least they haven’t screwed that bit up.
By the way, it is bad form that when I fill in the form saying I have forgotten my password for the site, using an email address which has an account on the FIDE site, this message is displayed:
A message has been sent to you with your PremiumChess accounts credentials.
Because when I enter an email address which *doesn’t* have an account, I am shown a different message – telling me that the account doesn’t exist.
Email not present in system
Do you see the problem?
The different messages make it far too easy to determine who does and who doesn’t have an account on a particular website. The correct thing to do would be to display the same response in both scenarios.
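The three mistakes above (storing a recoverable password, emailing it, and telling the world which addresses have accounts) are all fixable in the same small piece of code. What follows is an added example, not code from the FIDE site or from this article: a minimal password store that keeps only a salted PBKDF2 hash, and a “forgot password” flow that emails a single-use, expiring reset link and answers with the same message whether or not the address is known. The user table, token table and outbox are constructed in-memory stand-ins, the reset URL is hypothetical, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional

# --- Password storage: keep only a salted, slow, one-way hash -------------------
# Iteration count is an assumed value for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str) -> str:
    """Return a storable record 'salt_hex$hash_hex'. The password itself is never kept."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    salt_hex, hash_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), hash_hex)

# --- Constructed in-memory stores standing in for database tables and a mail server ---
USERS: Dict[str, str] = {}          # email -> password record
RESET_TOKENS: Dict[str, dict] = {}  # sha256(token) -> {"email": ..., "expires": ...}
OUTBOX: List[dict] = []             # 'sent' emails, captured here instead of delivered

TOKEN_TTL_SECONDS = 15 * 60
# One message for known and unknown addresses alike, so the form cannot enumerate accounts.
GENERIC_RESPONSE = "If an account exists for that address, a password reset link has been sent."

def register(email: str, password: str) -> None:
    USERS[email] = hash_password(password)

def request_reset(email: str, now: Optional[float] = None) -> str:
    """Handle the 'forgot password' form: reset, don't remind."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)  # 256 random bits; the only copy goes to the user
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()  # store a hash, not the token
        RESET_TOKENS[token_hash] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
        # Hypothetical reset URL: the email carries a link, never a password.
        OUTBOX.append({"to": email, "link": f"https://arena.example.invalid/reset?token={token}"})
    return GENERIC_RESPONSE

def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Validate the link's token, store the new password hash, and burn the token."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)  # pop: single use, even if the checks below fail
    if entry is None or entry["expires"] < now:
        return False
    USERS[entry["email"]] = hash_password(new_password)
    return True

def login(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        hash_password(password)  # spend the same time as a real check so timing does not leak
        return False
    return verify_password(password, record)

def last_link_for(email: str) -> Optional[str]:
    """What the user would find in their inbox: the link only, no password."""
    for msg in reversed(OUTBOX):
        if msg["to"] == email:
            return msg["link"]
    return None

if __name__ == "__main__":
    register("arnold.aardvark@example.invalid", "Kn1ght-to-f3!")
    print(request_reset("arnold.aardvark@example.invalid"))  # known address
    print(request_reset("nobody@example.invalid"))           # unknown address: identical text
    token = last_link_for("arnold.aardvark@example.invalid").split("token=", 1)[1]
    print(consume_reset(token, "Queen-s1de-castle"))         # True
    print(consume_reset(token, "again"))                     # False: token already used
    print(login("arnold.aardvark@example.invalid", "Queen-s1de-castle"))  # True
```

Two design points worth noting: the database holds only a hash of the reset token, so a leaked table does not hand out working reset links, and the token is popped before its expiry is checked, so a link can never be replayed. The response string is built before the branch so that the known and unknown cases return exactly the same text.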
If you’re responsible for building a website, be sure to check out Troy Hunt’s excellent article “Everything you ever wanted to know about building a secure password reset feature” before you make similar mistakes.
The Great Courses site does the same thing if you forgot your password, sends it to you in nice plain text. I pointed out the security issue and they brushed it aside saying they have tight security policies to protect your personal information. Right…
Another one is Ticket Master, or at least how they handle tickets for NFL season ticket holders. I got an email a few weeks back reminding me of the upcoming season and in case I forgot my login information here is your login name and password. I emailed them a couple of times asking why they did this and also how come the site wouldn't let me change my password after they had sent it to me in an email (I was finally able to change my password after two weeks).
Quite apart from the other security blunders committed by the FIDE website (…they want my photo? Forget it…), any website that sends my username and password in unencrypted email fairly screams "We're clueless about sound security practices."
Of course, that's the tip of a much larger iceberg—namely, the epidemic use of unencrypted email by virtually everyone. All civilized email clients accommodate X.509 digital signing and encryption certificates. Yet, in my experience, most people say "Huh? What's that?" Secure email is completely off their radar. I can't name a single company that has ever asked me for my X.509 cert. Not one. Security education has a long, long way to go.
Great article, Graham, and thanks for the link to Troy Hunt's excellent post about secure password reset.
The fact they don't even use HTTPS would be more than enough to deter me. For heaven's sake, certs are pretty cheap these days…
Which is also why they're fairly meaningless.
I'm a lot more interested in hashing than certification.
This article mentions salting though which, practically, is unnecessary.
"(By the way, don't try to suggest that other sports like football, cycling or tiddlywinks are better than chess – I won't agree with you.)"
Reading is surely as fun as chess as is anything that requires imagination and intellect (or both!). Actually, I agree that chess is a lot of fun (I only recently got back into it and after all the time in between, I am absolutely horrible at it) and any other game that requires thinking ahead (and modifying your tactics if you make a mistake or your opponent[s] do something you don't expect). But my thinking is that, those who don't like chess would probably suggest that watching paint dry is more exciting than playing (and more so watching) chess. I would of course suggest that watching paint dry is far more entertaining than say football, cycling or tiddlywinks (and many other things except watching paint dry).
Only one comment (with some elaboration) on plain text passwords in mail: for mailing list reminders it is a bitwise OR (simultaneously) – arguably it could have you reset it, but then you can configure your settings through email itself (e.g. mailman). It is however made clear that you should not ever use an important password for it. Of course you shouldn't reuse passwords in any case, but the point is it is noted (as I recall, anyway). Aside from that, yes, it would be nice if encrypted mail was more common but the problem is similar to how (at this time) DNSSEC is – the chicken and egg problem.
I always stay away from http websites.
It's a good test to run on any website you sign up to. Point well made regarding the documents.