Happy birthday! Now anyone can login to your Betfair account

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example:

Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair responses be removed, Paul captured the discussion here. Now before we go on, do read that discussion in its entirety because context is important here. Read it all? Still got your sanity? Yeah, only just, let’s move on.

Paul is 100% correct despite the somewhat obnoxious customer service response to the contrary. Clearly they are confused and even towards the end of the discussion where he really couldn’t have been any clearer, the closest Betfair comes to a concession is “Thanks for contacting us”.

Obviously what’s needed here is a demo! Here it is with my account (which has now been closed) using my email address (the one that’s allegedly meant to be treated like a bank account and is not to be shared with anyone) and my birthdate. I’ve obfuscated the latter but if you want to work it out, I’d try looking at my publicly shared education history to work out the year of birth (you’ll get it in one or two guesses) and then combine that with public birthday wishes the last time that annual event came around.

Incidentally, within an hour of creating the account I was called by Betfair in Australia (I used legitimate details when registering). Expecting to help me top it up with money, the operator was surprised to learn of my dismay as to the state of their security. After initially taking the same line as customer service did with Paul and denying this was possible (there’s a training issue there guys), she conceded that it needed further investigation. To her credit, she was courteous, friendly and not at all like Paul’s mate on Twitter. But she still had the facts fundamentally wrong and could not understand the problem with their implementation. The call finished with my request to delete the account and remove all my data. She called back a little later confirming the account had gone and that also, yes, I (and of course Paul) were correct in terms of the password reset behaviour. She explained that it’s the UK’s fault (seriously) in that the software product had come from there.

Tweet Post Share Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals