We have been issued a new Attestation of Compliance for PCI. This is our yearly report issued by an independent auditor that does an annual (and quarterly) multi-dimensional audit of our system and processes to ensure we meet the highest levels of compliance with the credit card industry standards. RunSignup spends considerable effort, and we […]
No, this is not the old abbreviation for the Soviet Union. It is the abbreviation for the California Consumer Privacy Act. This act goes into effect on January 1. Any website that is used by a California resident must comply with the law. RunSignup just released our implementation for our various websites, including all of […]
Any customer using widgets, even Partner Websites, should switch to a simple button and link to the appropriate RunSignup site directly. Unfortunately, Apple has released a new version of Safari that prevents session tracking. This is a necessary feature on complex web applications such as a registration. “ITP will now block all third-party requests from […]
I was talking with someone today about whether races feel an obligation to keep their customer data safe. The conversation was triggered when I was talking to a small registration company owner and found they had many security vulnerabilities like their site being susceptible to SQL Injection, Cross Site Scripting, and lack of a security […]
We have released the capability to do Multi-Factor Authentication (MFA, or sometimes called 2-Step Verification) on RunSignUp. This is optional for all users (required for RunSignUp employees). MFA is currently gaining popularity as an additional layer of security. The basic idea is that in addition to your password, you use another device (typically your phone […]
We have made it simpler to give volunteers access to the legacy version of the check-in app (not the dedicated mobile phone-based check-in app). Previously, you had to grant them access to the race or sign them all into your own account. We now have a specific, secure URL that each race can create and […]
As part of our ongoing efforts to improve our financial and security processes, we are instituting additional controls on new payment accounts. This involves collecting additional information on owners and requiring information be entered by individuals with significant control over the entity. As we have discussed, we are part of the banking network, and require […]
To protect the data the races who use us as their online registration platform, we have made some updates to your race, event and club websites to better protect the online privacy of children, particularly those under the age of 13. Our updates are designed with the Children’s Online Privacy Protection Rule (“COPPA”) in mind and […]
The front Dashboard will become much more powerful in the coming weeks with over a dozen different graphical reports being added. To prepare for this, we have added specific access management for just the Dashboard. To invite others to get access to dashboard graphs, click on the lock in the upper right corner: This will […]
The Electronic Transactions Association (ETA) announced today the launch of a new Payment Facilitator Committee, with Kevin Harris (RunSignUp Chief Finance and Operations Officer) taking the role of Vice-Chair. ETA Press Release: http://www.electran.org/publication/transactiontrends/eta-announces-new-payments-facilitator-committee/ As noted in the release, the committee “will serve as a resource within ETA as the established, valued experts on payment facilitators, enabling deeper […]
We have added an option for customers who are partners and manage a number of races to give employees access to just the Participant Reports. It is on the Partner Access page:
We have installed the patches for the “Dirty COW“, the privilege escalation vulnerability in the Linux Kernel. They even have a logo for it. The AWS patches are here. If you use other systems that run on Linux, you should check to make sure these changes are made: https://alas.aws.amazon.com/ALAS-2016-757.html https://alas.aws.amazon.com/ALAS-2016-758.html
We have been doing a lot of infrastructure improvements over the past couple of months as a part of our PCI Level 1 Certification. That is the highest level and requires extra measures of auditing and security and scanning, including a week onsite visit by a Qualified Security Assessor. Unfortunately most of that is stuff […]
We updated our site with this security patch – https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/. Other webmasters may want to run the free Qualys SSL scanning tool to check their grades – https://www.ssllabs.com/ssltest/index.html. Users can also check out their most common websites as well (proud to say RunSignUp beat the bank I use :-))
A security hole was reported in ImageMagic, a tool that many websites including RunSignUp use for image resizing and processing. We learned of this issue yesterday and have updated the site with fixes last night. We did not detect any breaches as a result of this hole. You can read more here and here. If you know of […]
We have added the ability to collect Social Security Number, Drivers License and Passport as highly secure options to race registration. This was done at the request of a race held on a military base, but may be useful for other purposes as well (such as border crossing races that might require Passport numbers). The […]
We have added a new access level of partners who want to give some of their staff access to gift certificate information, but restrict any other financial access. It is in the Partner Dashboard under Account -> Partner Access.
RunSignUp has a simple and powerful way to share access to your race dashboard with multiple people – giving each person access to just the areas that they have responsibility for. For example you might have a Volunteer Coordinator and they only need access to that. Or you might have people who are doing participant […]
There was an recent article “HTTPS-crippling attack threatens tens of thousands of Web and mail servers” that caused us to evaluate our configuration and up our encryption to 2048-bit. This had been lower to support older browsers and and versions of Java – if you find any issues of the site not working please let […]
If you are running a widget on your website, we strongly suggest that you make sure your site has an SSL certificate and the pages with RunSignUp widgets are https://mywebsite.com format – with the “s” after “http”. In fact, even sites that do not have ssl certificates are safe since the RunSignUp widget uses SSL […]
Attached are detailed documentation and sample code in PHP and Node for connecting with RunSignUp via OAuth. This is useful for our partners who want to integrate tightly with our security system and give users bi-directional access to their information. RunSignUp OAuth Integration
Our cloud provider, Amazon AWS, provided an automated update to our MySQL database service last night. This was to provide a fix to the security report issued by Oracle on Oct. 16. We are happy to report that our highly available configuration allowed our failover database server to be upgraded, and then take the load […]
We are somewhat hesitant to talk about security since we do not want to invite unwanted attention. However, with regular reports of security issues popping up (for example here and here), and now the report of the JP Morgan Chase race security breach, we figured it might be useful to give guidance to our industry […]
We have updated our public facing servers with the patch for this new security vulnerability that was found and reported on yesterday. Here are is a link to learn more if you are interested, or to check to make sure your own servers have installed this: http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html Note there are likely more patches coming from the […]
You can now conveniently add others to help manage your race. By going to the Secure Access/Info Sharing page, you can add email addresses of people you want to share access to your race as a full race director, or with limited amounts of capability. When you add that email address, we will send them […]
Here is a direct link in case you forgot your password (and it works great with the widget!) https://runsignup.com/Login#forgotPswd And we have a nice error message if the email address does not exist:
Races can enable “Find a Runner” capabilities on their races. This can be set up to do a public facing list like shown on the right, or be a search with either first and last name, or first, last and date of birth depending on how secretive you need to be for your race (our […]
We just adding a new level of access to RunSignUp that allows a person to see all of the race information, but not be able to edit anything. We now have the following types of information sharing: Race Director Access – this provides full capabilities. As many race directors can be added as you want […]
As a race director, you have a lot of people that you need to share information with. And the solution is NOT to give your username and password to everyone! RunSignUp provides a simple “Information Sharing” section for your race. You add any number of people to several different types of access: Edit Participants Full […]
RunSignUp by default requires runners to enter a password. We find this to be very helpful to runners long term since they do not have to type in information repeatedly for each race they join. It also enables features like refunds, event-event transfers and bib exchange in a secure manner. However, some races want to […]
We have been giving race directors the ability to add specific people to view different amounts of participant information. We just released an expanded capability that allows race directors to pick each field they want to share with the public, other participants and with Team Captains. This will determine how participants are displayed in the […]
