The MSA and Hackers!

Raised by a father who worked in a state prison, I have looked at the worst in man, at what we can do to each other. If … wanted to be a hacker or identity thief, willing to pay the small amount of money for a hacker tournament, it could cause a great deal of problems for the members of the federation.

All “certified tournament directors” should get a PIN number. The reason for the PIN number is that the director is the first line of defence in the event of a hacker. The MSA can give a great deal of public information: it shows the rating, shows past tournament history, and shows if you are a tournament director; a hacker can spend hours looking at the data. If you are a player or a director, it would not be that hard to find a director online, find the players online, then find an affiliate online. Any hacker can fake an event; the mission of a hacker is wasting their time so someone has to waste hours of time to fix the problem.

The MSA just gives any hacker a field day. What does the federation ask of my personal information when sending in a tournament report? They ask what level my certification is; the MSA gives that out. They ask for my ID number; the MSA gives that out. They ask for my signature and my name printed; the federation does not have a copy of my handwriting. They ask for my address and phone number; I could have just moved and changed my number. Does the rating department check my phone number before rating an event? I think not.

If the federation does go and have online tournament report forms, can anyone be sure that the information in the raw data is correct and could have been sent from me in the first place? With the problems with hackers, they can hack the data and send in a false tournament report in any director’s name, send in false tournament activity for any player, and use any affiliate number. The smart hacker would use the same number as the director used in past events, as it would raise a red flag if for some reason the affiliate number of the Marshall Chess Club were used when never being in the city of New York, and hundreds of miles away from the chess club.

It is time that the certified directors are issued pin numbers.

For the most part, I agree. Here’s what I said about this issue in the Tournament Organization forum:

[i]The security issue shouldn’t be a problem. Provided we have a secure website to log into, with unique user names and passwords (in addition to our USCF numbers) for the TDs, the system should be reliable. However, the individual TDs will have to be responsible for keeping their user names and passwords to themselves.

If TDs aren’t comfortable with that, then perhaps there could be a verification process. After a submission is made to the USCF by a TD, the USCF could send an e-mail to the sponsoring affiliate of the tournament/match to verify that it actually took place. Some might consider that to be too much back-and-forth communication, but it would provide an extra level of security, assuming affiliates stay on top of their e-mail messages. Maybe a non-response should be treated as confirmation, so at least the club will have had an opportunity to stop false reports.

I don’t really think the e-mail verification is necessary, I just suggest it as a possibility. No matter what system we use, we’ll ultimately have to trust the TDs to be responsible. Besides, fake paper reports are probably easier to produce and submit than electronic ones. The only difference is the manual signature, which can be forged. I’d much prefer to submit tournament reports via the Internet, for both convenience and security.[/i]

You bring up another question, though. Regarding the availability of so much information about individual USCF members and affiliates on the USCF website, do the benefits outweigh the liabilities? In my opinion, yes. As my club’s webmaster and as one of my club’s TDs, I consider the MSA a valuable tool for legitimate club purposes, and it’s also fun to be able to check on my own playing history, as well as the progress (or lack thereof) of my friends and other fellow players, at all levels. I think the benefits of the MSA are obvious, but I don’t think there’s enough information there (addresses, birth dates, and phone numbers aren’t available) for hackers to do any more damage than they could before the MSA existed. It’s easier and faster now, but what could a hacker potentially do now that he couldn’t have done before the MSA, had he really wanted to? I don’t think 100% security is a condition that exists anywhere in the world, but as long as we maintain tight controls on access to the tournament reporting system, we should be relatively safe.

One of the reasons we are asking TD’s to go to the current Members Only area and give us their e-mail addresses is so that we have a way to contact them to send them signup instructions for the TD-only area when it becomes available.

We’re still planning how that area will work, so I cannot give specifics yet, but we definitely want that area to be a secure site, in part because we would like to have TD’s help us identify potential duplicate members.

To do that we may have to give them access to some data (such as addresses and birthdates) that is not available to the public. That may require that TD’s return a signed confidentiality agreement.

A login ID that is not the TD’s USCF ID is a distinct possibility.

Dear Steve:

There are no birthdates or phone numbers on the MSA; all that a player is looking for is the information on their past events. I myself look to see if my events are rated, check to make sure the data is correct, and check the progress of the players. The MSA does not need my birthdate, my address or my phone number; that information is my personal life.

Before the MSA went up, or even in the old days before the webpage, someone would have to get a copy of the USCF rating list, then know the name of a director, then pick members out of the rating list. Someone that had nothing to gain from the event would have to be cruel and go out of their way to have a fake event. The only person who would do this would be someone that wanted to raise their rating. Even if it was done for that, in the real events the rating would drop; faking the event would do nothing, as the rating gains would be lost in real events.

For what the MSA can give, a hacker can fake an event, then send the report on the internet when the federation has the website up for tournament reports. If the federation can issue a different ID number other than the membership ID number, it would help take care of the security of reporting; even the official tournament report form should be updated.

Earnest,
Douglas M. Forsythe, local TD
12313120

People were submitting falsified events for ratings over 20 years ago.

I have not seen any indication that the ratings supplement files (introduced in 1992) or MSA have increased falsification of tournament reports.

If anything, I suspect that MSA is likely to cut down on such activity, because quite a few players check their tournament records frequently on MSA.

We get e-mails nearly every day from people who discover their ID in an event that they did not participate in. I’ve checked a number of those events and, while I found a handful of events that had gotten submitted and rated twice, I really didn’t find any pattern indicative of deliberate ID errors. (I did find one TD who was using the same incorrect ID repeatedly; my guess is he has it wrong on his local player database.)

Under the USCF’s privacy policy we do not even keep sensitive information, such as addresses and birthdates, on the public web server, so not only does that information not appear in MSA, it isn’t on the server at all.

Members can also opt out of having their name and address included in mailing list labels that we sell to TD’s.

This evening I’m working on a scoring algorithm to match new memberships up against our internal records for duplicates. The goal is to use this algorithm to check new memberships submitted by TD’s.

Whether or not we send the TD a list of ID’s of the potential duplicates or just notify them that those memberships have been referred to USCF staff to double-check has not yet been decided.

Cool. :sunglasses: