Since its launch announcement, UFC Fight Pass, the promotion's new digital network, has drawn a combination of excitement for its potential and criticism of the current, unfinished product. However, earlier this week Bloody Elbow's Iain Kidd drew attention to security dangers related to the service. Specifically, he raised the concern of how passwords are stored and the liabilities if the system or user accounts were to be hacked.
On Friday, in a Bleacher Report article about the online service, Jonathan Snowden asked UFC Chief Content Officer Marshall Zelaznik about the potential dangers:
Bleacher Report: I've read recent articles on Bloody Elbow regarding security issues with UFC Fight Pass. What steps has the UFC taken to protect its customers?
Zelaznik: Having a secure product is always a top priority for us. The system we use for UFC Fight Pass is the same as UFC.tv, and we are always evaluating ways to ensure we continue to deliver a secure environment. When we see the need to update the service, we will, and the fact of the matter is we have been evaluating this as part of our normal course of business.
In addition to Zelaznik's response, Steph Daniels received this message in reply to a service cancellation email in which she asked about the issues:
In regards to your concerns for your account information, all UFC.tv payment card information is secured using payment card industry (PCI) standards that are verified during annual certifications. Transfer of payment information is via secure socket layer (SSL) protocol; cryptographic storage of payment information is via PCI approved data encryption standard. The same data encryption standard is used for storage of account passwords, which we do recommend changing at regular intervals.
Despite the reassurances of Zelaznik and UFC support, Iain Kidd still has misgivings:
"As briefly mentioned in the Fight Pass Security article, the two-way encryption used by the UFC on passwords is not recognized as a safe way to store them, regardless of whether or not the encryption is of PCI standard. Passwords should only ever be stored after hashing and salting. You can read more about this in an article recently published by leading computer security company, Sophos, here."
Additionally, he referenced Adobe Systems, Inc. having been hacked and its passwords compromised while it employed PCI-standard two-way encryption.