I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example:
@BetfairHelpdesk Is it right that all one needs to change their password is their username and date of birth?
— Paul Sawers (@psawers) April 23, 2015
Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair responses be removed, Paul captured the discussion here. Now before we go on, do read that discussion in its entirety because context is important here. Read it all? Still got your sanity? Yeah, only just, let’s move on.
Paul is 100% correct despite the somewhat obnoxious customer service response to the contrary. Clearly they are confused and even towards the end of the discussion where he really couldn’t have been any clearer, the closest Betfair comes to a concession is “Thanks for contacting us”.
Obviously what’s needed here is a demo! Here it is with my account (which has now been closed) using my email address (the one that’s allegedly meant to be treated like a bank account and is not to be shared with anyone) and my birthdate. I’ve obfuscated the latter but if you want to work it out, I’d try looking at my publicly shared education history to work out the year of birth (you’ll get it in one or two guesses) and then combine that with public birthday wishes the last time that annual event came around.
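To make the problem concrete, here is an added example of my own (not Betfair's code, and not anything recovered from their site). It puts the weak flow beside the one a site should use: a reset handler that treats email plus date of birth as proof of identity, a routine showing how few guesses that "secret" survives once the year is known, and a reset built on a single-use, time-limited random token delivered to the registered address with only its hash stored server-side. The user record and its date of birth are constructed for the demo, and the SHA-256 password hashing is a placeholder for a proper password hash such as bcrypt or Argon2.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class User:
    email: str
    dob: str            # "YYYY-MM-DD"
    password_hash: str


def hash_password(password: str) -> str:
    # Placeholder only: a real system uses bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample account for the demo (fictional email and birthdate).
USERS = {
    "victim@example.com": User("victim@example.com", "1977-08-14",
                               hash_password("correct horse battery"))
}


# --- The weak design: "knowledge" of email + date of birth resets the password.
def weak_reset(email: str, dob: str, new_password: str) -> bool:
    user = USERS.get(email)
    if user is None or user.dob != dob:
        return False
    user.password_hash = hash_password(new_password)
    return True


def brute_force_dob(email: str, year: int) -> tuple:
    """Given a year learned from public data, walk every day of that year.

    Returns (date_found, attempts). With no rate limiting this is at most
    366 requests; with a public birthday it is one.
    """
    d = date(year, 1, 1)
    attempts = 0
    while d.year == year:
        attempts += 1
        if weak_reset(email, d.isoformat(), "attacker-chosen"):
            return d.isoformat(), attempts
        d += timedelta(days=1)
    return None, attempts


# --- The hardened design: possession of a random token sent to the registered
# address. Only the token's hash is stored, it expires, and it is single-use.
TOKEN_TTL_SECONDS = 15 * 60
RESET_TOKENS = {}   # sha256(token) -> (email, expiry_timestamp)


def request_reset(email: str, now: float = None) -> str:
    """Issue a reset token. Returns it here only to stand in for email delivery.

    Behaves identically for unknown addresses so the response cannot be used
    to enumerate accounts; the token is simply never recorded.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in USERS:
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop: a token is good exactly once
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    user = USERS.get(email)
    if user is None:
        return False
    user.password_hash = hash_password(new_password)
    return True


if __name__ == "__main__":
    print("weak flow, guessed from the year:", brute_force_dob("victim@example.com", 1977))
    tok = request_reset("victim@example.com")
    print("token flow, correct token:", complete_reset(tok, "new password"))
    print("token flow, replayed token:", complete_reset(tok, "new password"))
```

The two designs differ in what the attacker must hold: a fact about the victim that is widely shared and has at most a few hundred possible values, versus a 256-bit secret that exists only in the victim's mailbox and dies after one use or fifteen minutes.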
Incidentally, within an hour of creating the account I was called by Betfair in Australia (I used legitimate details when registering). Expecting to help me top it up with money, the operator was surprised to learn of my dismay as to the state of their security. After initially taking the same line as customer service did with Paul and denying this was possible (there’s a training issue there guys), she conceded that it needed further investigation. To her credit, she was courteous, friendly and not at all like Paul’s mate on Twitter. But she still had the facts fundamentally wrong and could not understand the problem with their implementation. The call finished with my request to delete the account and remove all my data. She called back a little later confirming the account had gone and that also, yes, I (and of course Paul) was correct in terms of the password reset behaviour. She explained that it’s the UK’s fault (seriously) in that the software product had come from there.