Password was changed based on public info, no verification

Apr 30, 2015 16:39 GMT

Up until recently, Betfair had some nasty security issues with the password recovery feature on its website, allowing anyone with minimal information about a subscriber to take over that subscriber's account.

Company representatives denied that the procedure was insecure until irrefutable proof emerged and convinced them to change it.

Password reset without verification

Armed with just the username (which, in fact, is the email address) and the subscriber's date of birth, an attacker could have hijacked some accounts.

Microsoft MVP for Developer Security Troy Hunt, from Australia, captured the entire process in a video (embedded below), showing that no security questions were asked during the request and that the password reset did not have to be confirmed via a link sent to the legitimate owner's email address.
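To make the difference concrete, here is an added example (not Betfair's code and not from Hunt's write-up) contrasting a reset flow that only checks public details, as the article describes, with one that requires the requester to prove control of the mailbox on file. The account store, the simulated mail outbox, the function names and the password-hashing placeholder are all constructed for this example.

```python
"""Weak vs. hardened password-reset flow (constructed example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links should expire quickly

# Constructed sample account store. The date of birth is exactly the kind of
# detail the article notes is widely available from social networks.
USERS = {
    "subscriber@example.com": {
        "dob": "1980-05-17",
        "password_hash": hashlib.sha256(b"old-password").hexdigest(),
    }
}

# Pending reset requests keyed by email. Only a hash of the token is kept, so a
# leaked copy of this table cannot be used to complete a reset.
PENDING_RESETS = {}

# Simulated mail delivery: email address -> list of tokens sent to it.
OUTBOX = {}


def _hash_password(password):
    # Placeholder for the example; a production system would use a slow,
    # salted KDF such as argon2 or bcrypt rather than a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def verify_password(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(
        user["password_hash"], _hash_password(password)
    )


def reset_password_weak(email, dob, new_password):
    """The flow the article describes: email + date of birth is all it takes."""
    user = USERS.get(email)
    if user is None or user["dob"] != dob:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


def deliver_to_mailbox(email, token):
    """Stand-in for sending the reset link to the address on file."""
    OUTBOX.setdefault(email, []).append(token)


def request_reset(email, now=None):
    """Step 1 of the hardened flow: issue a single-use, time-limited token.

    The token goes only to the mailbox on file. The response is identical
    whether or not the address is registered, so the endpoint does not reveal
    which email addresses have accounts.
    """
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        PENDING_RESETS[email] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        deliver_to_mailbox(email, token)
    return "If that address is registered, a reset link has been sent."


def complete_reset(email, token, new_password, now=None):
    """Step 2: only the holder of the emailed token may set a new password."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.pop(email, None)  # one attempt per token
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    USERS[email]["password_hash"] = _hash_password(new_password)
    return True
```

The weak function succeeds for anyone who knows two widely available facts about the victim; the hardened pair succeeds only for someone who can read the account's mailbox, and a token that is expired, already used, or wrong is rejected before any password is changed. Popping the pending record on every attempt keeps each token to a single try.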

As per Betfair’s terms and conditions, the client is responsible for keeping their account username secret, just like in the case of bank account data.

However, since the username is an email address, keeping it secret would mean either creating a new address for the sole purpose of placing bets on Betfair or ceasing to use it for communication with other people. As Hunt points out, keeping the email address hidden is not a realistic option for most users.

As for the date of birth, with all the information attached to social networking accounts, this is no longer a detail known only to a limited group of people.

Betfair Australia blames the UK for the security issue

It appears that the method tested by Hunt worked for accounts that had less than £100 ($153 / €137), according to Tom Thorpe, an iOS developer at Yahoo.

Betfair had received reports of the insecure password recovery method before, but it delayed acting on them.

Hunt said in a blog post that a customer support representative from the company assured him that the password reset problems at Betfair had been repaired, and pinned the blame on the UK branch, which delivered the software product to Australia.