Does anyone know how secure ArbiterPay is? I know that ArbiterSports is incredibly insecure. Every time a new school adds me to their group my password is sent to me in clear text, which means they aren't storing it in a hash text and they're just one hack away from all the information being in the hands of criminals. That makes me not want to trust ArbiterPay either, and as it's apparently becoming a requirement for HS in this area this fall, I may just have to stop refereeing before putting my bank information in a web site whose security is 10+ years behind the times.
I've never had any issues. Most of the college conferences that I work for use ArbiterPay, and it's been just fine. You just have to remember to check your account from time to time. You don't get any notification that money has been deposited into your account. I usually check mine twice a month during the fall season. Oh, and don't be surprised when you get that 1099 from ArbiterPay next year.
Those are my feelings about ArbiterPay as well. I have never had problems with it. You just need to remember to check. I just discovered that I have some money there from last fall.
If you notice, they have a green lock in your URL bar, which means they force HTTPS connections and their SSL certificate has been validated by a 3rd party (GeoTrust in this case), so all data you send is encrypted as soon as you submit it until it hits their servers. As far as how they store their data, I have no idea, but I'd assume they store their data very securely since they are dealing with payments and bank information. Additionally, I just tried the reset password and I had to answer a security question and was then emailed a link to reset my password. My new password couldn't match my old password, and they also force a password change every 6 months I believe.
Good stuff. At the very least they're using much better practices than ArbiterSports. Of those of you using it, do you link your ArbiterSports account?
Some of those sound like settings that your assignor has set up. I have never changed my Arbiter password in 9 years.
Are you sure you're not thinking of ArbiterSports rather than ArbiterPay? Two different sites with, apparently, significantly different security regimes.
Partially for security reasons, but more so for tax purposes, I decided to set up a separate account for soccer income. Thus, if it is ever hacked it has limited information and funds that hackers can access.
Assignors shouldn't have access to any ArbiterPay settings. Also I have my ArbiterPay account hooked up and it is used by 3 different Arbiter groups without issue.
Those all should be sitewide settings, but my account is also a lot newer than 9 years so that might account for some of the differences as well. I'd also be happy to try and explain any of the technical stuff in a bit more detail if anyone is interested.
If you connect your accounts, do you still have to use the Pay credentials at Pay or does it accept the Sports credentials?
They are still two different websites, so even once you connect the accounts, you still log in to each site with the login for that site. Linking the accounts just allows payment provided by an association/school/etc. to be directed to your specific account.
Other way around I believe, was RefPay and now it has been bought by Arbiter and is officially ArbiterPay. Still uses the refpay domain for simplicity.
All of that is minimum security for a web app that has bank information. What it doesn't address is the original password issue. If they have the ability to send you your password as the OP said, then it is 100% unacceptable for storage of any bank account, or any other type of PII. Storage of passwords in the clear is a MAJOR security flaw. Any hacker that gets onto the server then has every password. Not good. That said, I seriously doubt any banking related application that can do deposits will have that large of a flaw.
You don't have any banking information on the Arbiter site. Your banking info is on the Pay website, which works entirely differently.
I realize that, but the explanation about SSL encryption etc. does not address the password question. If either site has un-hashed passwords, it's a HUGE hole. Just adding that the original pwd-based question isn't addressed by the SSL connection; that covers your data in transit, nothing else.
Obviously we can't tell exactly how ArbiterPay stores security, but I'd be willing to guess that since they started as a separate company and haven't ever sent a plaintext password via email that they do not store any passwords in plaintext.
I agree, I'd be shocked if it was an issue, but since they are related, who knows. Saying they started separately also adds support that it probably isn't an issue. My entire point for posting is the SSL angle does nothing to the password in the clear issue that the OP mentioned. Now back to your regularly scheduled soccer talk, not network and cyber security.
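An added example, not part of the thread and not code from either site: a Python sketch of the storage model the posters contrast with emailing passwords back, where the server keeps only a salted hash and can therefore verify or reset a password but never recover it. All names, the iteration count and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def hash_password(password: str) -> dict:
    """Return the only values the server stores: a random salt and the derived hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _kdf(password, salt)}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    return hmac.compare_digest(_kdf(attempt, record["salt"]), record["hash"])

def row_exposes_password(row: dict, password: str) -> bool:
    """True if a copy of this row hands the password to whoever reads it."""
    return any(v == password or v == password.encode() for v in row.values())

def start_reset(record: dict) -> str:
    """Issue a one-time token to email; only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    record["reset_sha256"] = hashlib.sha256(token.encode()).digest()
    return token

def finish_reset(record: dict, token: str, new_password: str) -> bool:
    expected = record.get("reset_sha256")
    supplied = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(supplied, expected):
        return False                      # unknown or already used token
    if verify_password(record, new_password):
        return False                      # new password must differ from the old one
    record.update(hash_password(new_password))
    del record["reset_sha256"]            # token is single use
    return True

if __name__ == "__main__":
    pw = "Corner-Kick-42"                 # constructed sample password
    plaintext_row = {"password": pw}      # the design that can email your password
    hashed_row = hash_password(pw)
    print("plaintext row exposes password:", row_exposes_password(plaintext_row, pw))
    print("hashed row exposes password:   ", row_exposes_password(hashed_row, pw))
    token = start_reset(hashed_row)
    print("reset accepted:", finish_reset(hashed_row, token, "Offside-Flag-7"))
```

A site built this way has nothing it could put in a "here is your password" email, which is why that email is evidence about storage while the HTTPS lock only covers the data in transit.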