A security hole was reported in ImageMagic, a tool that many websites including RunSignUp use for image resizing and processing. We learned of this issue yesterday and have updated the site with fixes last night. We did not detect any breaches as a result of this hole.
We have added the ability to collect Social Security Number, Drivers License and Passport as highly secure options to race registration. This was done at the request of a race held on a military base, but may be useful for other purposes as well (such as border crossing races that might require Passport numbers).
The data is stored in our database using 4096-bit RSA encryption. We generate a “Private Key” for the race – it is the only key that will unlock the data. This means that no one else, including the administrators of the database at RunSignUp, can decrypt the data. If the race loses the key, the data cannot be decrypted and is lost forever.
The setup is under Race > Registration > Sensitive Information Collection. Only RunSignUp can enable this feature for races.
Once enabled, the race must set up their private key:
Once the private key is set up, the following form will show. NOTE – THIS IS THE ONLY TIME YOU WILL SEE THE PRIVATE KEY. You need to copy it into a secure place – we recommend a password protected document. THIS IS THE ONLY KEY THAT WILL UNLOCK THE DATA!
Once you copy the Private Key and close the pop-up, you will then select which data elements you want to ask for from registrants on a per event basis:
What Participants See
Participants are asked for the data when they register. The Social Security number is validated as a 9 digit number. The fields are set as required and must be filled in.
The “Download Participant Data” button downloads all data. The user will see this popup, where they will need to enter their private key – yes that long string of numbers and characters. If filled in properly, then you will get a CSV spreadsheet download of the data. Make sure you properly protect this file and the data, as it is your responsibility.
One of the ways that you can keep this secure is to grant access to just this page for the Security Agent who is assigned to review the data. Then give them the Private key for them to download the data and do the background checks.
There is the ability to reset the private key. If the private key is reset, all previous data is lost – you will NOT be able to go back and retrieve any of the previous data.
We have added a new access level of partners who want to give some of their staff access to gift certificate information, but restrict any other financial access. It is in the Partner Dashboard under Account -> Partner Access.
RunSignUp has a simple and powerful way to share access to your race dashboard with multiple people – giving each person access to just the areas that they have responsibility for. For example you might have a Volunteer Coordinator and they only need access to that. Or you might have people who are doing participant management, but there is no need for them to see the financials.
You simply type in the email of the person you want to give access to and then set what things they have access to. If the person will receive an email with an invite to go to the race dashboard. If they are a new user, they will be asked to register and create a password first. We offer selection based Categories, Features, and Individual Pages.
There was an recent article “HTTPS-crippling attack threatens tens of thousands of Web and mail servers” that caused us to evaluate our configuration and up our encryption to 2048-bit. This had been lower to support older browsers and and versions of Java – if you find any issues of the site not working please let us know.
Qualys has a nice free audit tool that will check any website – the results above are from that test. You can test any website. Older websites, or companies that do not invest much in technology may have low scores. This is another advantage of using RunSignUp so that your runner’s information stays secure using the latest technology.
If you are running a widget on your website, we strongly suggest that you make sure your site has an SSL certificate and the pages with RunSignUp widgets are https://mywebsite.com format – with the “s” after “http”.
In fact, even sites that do not have ssl certificates are safe since the RunSignUp widget uses SSL and the data being transferred from a runner’s registration widget in their browser is being transferred with TLS (the newer form of SSL) and is encrypted.
- It is a good practice. All websites should use SSL.
- Some browsers will show Error and Caution messages like the one above or to the right. Even though it is secure, they will think it is not.
You can get an SSL certificate from many different vendors (Google “buy ssl” and you will see plenty of ads!). GoDaddy is a well known one and has good information on their SSL Page – https://www.godaddy.com/ssl/ssl-certificates.aspx. It typically costs less than $60 per year and will require you to make some webserver configuration changes described on the GoDaddy pages as well as your webhost. There is a new low cost SSL certificate authority that will be coming out in mid-2015 that some in the tech community are excited about – https://letsencrypt.org.
Attached are detailed documentation and sample code in PHP and Node for connecting with RunSignUp via OAuth. This is useful for our partners who want to integrate tightly with our security system and give users bi-directional access to their information.