EBG Divisions Unchecked Security Flaws

Evidence exists that demonstrates that the EBG divisions, Plum Benefits, Working Advantage and Tickets at Work allow unauthorized members of the public to easily circumvent their weak website security controls and garner access to employee only “protected” offers and discounts. These offers are intended only for employees of member organizations and not the general public, but is the latter that can easily access the offers, therefore nullifying the value of the service as a protected vertical market and making it more comparable to a publicly available daily-deal website, like Groupon.

EBG Divisions Allow Unauthorized Users To Circumvent Security Controls, Easily Gain Access To Restricted Discount Offers

Table Of Contents:

  1. Document Overview – Entertainment Benefits Group (EBG) divisions and websites discussed
  2. EBG Internal Power Struggle Results in Removal of Access Controls
  3. Documented Vulnerability No.1 – Illicit Users Using Fake Corporate Email Addresses To Gain Entry
  4. Documented Vulnerability No.2 – Illicit Users Using Personal Email Address and Stolen Company Code
  5. Documented Vulnerability No.3 – Lack of a Means Test to Ensure That The Employee Still Works for an Organization
  6. Does EBG Damage Brands By Pretending To Be An “Employee Only” Service By Making Unapproved Access Easy For Non-Employees?
  7. Security of the Plum Benefits Website During the SVM and Shara Mendelson era – circa 1997-2011
  8. EBG and NYC Broadway Shows
  9. The Future of EBG – Entertainment Benefit Group Strategic Direction
  10. EBG Story Conclusion
  11. Major Discount Offer Provider Companies Affected By This Document

Section 1: Document Overview: The Entertainment Benefits Group (EBG) divisions and websites discussed in this document are:

PlumBenefits.com
WorkingAdvantage.com
TicketsAtWork.com

Entertainment Benefits Group is an employee benefits conglomerate that includes the three main brands; PlumBenefits, Tickets at Work, and Working Advantage. These three services appear to attempt to maintain the illusion that their discounts and offers are only accessible to employees of approved companies and organizations, but upon closer review, the perceived security controls are actually very weak and all three websites are easily accessible to anyone who knows how to use a search engine and who has a couple seconds of time to look up a corporate access code to gain illicit entry. Users can even just make up any corporate email address and each of the EBG divisions will still allow instant access, despite using flawed credentials. The weak front end security that EBG has employed upon each of its brands is easily defeatable and may actually be so designed to allow EBG’s own client base to grow exponentially, with possible damage to the brand they may be offering. Offer providers do not seem to know these vulnerabilities and may be risking their own brand in what they think is a protected sales market, but may likely be the regular and public retail marketplace, without even knowing it.

It was in early 2014 when users discovered an access control change at the EBG divisions of Plum Benefits, Tickets at Work, and Working Advantage.  At this time three things changed at EBG. Firstly, the user requirement of a validated corporate email address was changed to allow an unvalidated corporate email address. This allowed illicit users to make up corporate email addresses to garner access to the offers and discounts. The second change was to add an option that allowed users to register using a personal email address and a corporate access code, that is supposed to be secret and supplied by the employer to the employee. The problem with that setup is the corporate access codes have been published all over the internet and can no longer be deemed secret. The third change is that users accounts are never actually reviewed to ensure that the user is still entitled to access the employee offers of which their account is registered. Existing users face no tests to see if they are a current employee or have ever actually been an employee.

Section 2. EBG Power Struggle May Have Removed Access Controls In Favor of Corporate Growth

Tug of War security vs sales

A reported internal power struggle at EBG in 2014 may have resulted in the significant strategy change that highlighted the new direction EBG would follow. The choice was between protecting clients brands or a fast track to growth. The result was Brett Reizens’s fast-track vision won out on that battle, but it may not have won the war. More of EBG’s clients are now waking up to the fact that their brands are now at risk with the EBG employee benefit companies making it very easy for unauthorized users to access their offers and discounts. This means that The EBG model became a daily deal free-for-all, not much different to Groupon or Livingsocial – a brand marketer’s nightmare. A common offer provider question is now: “EBG companies may put butts in seats but with such poor access control over the offer, what is long-term cost and damage to my brand?”

The three main security weaknesses with the EBG systems are:

  1. EBG does not verify the corporate email address that a user supplies, allowing access to anyone who can just make up a corporate email address.
  2. As an alternative access method, EBG will allow users to signup with a personal email address, but requires a  corporate access code, but those codes are posted all over the internet and can be used to circumvent this control.
  3. EBG does not test to see if the user is actually still an active employee of the stated employer. They may have left employ years ago, but are still allowed to access these benefits in perpetuity

It appears that these above vulnerabilities are not disclosed to offer vendors who are under the impression that EBG has strong protection against unauthorized access. Offer leakage is clearly a big problem at EBG, but it often plays second fiddle to EBG’s desire for its own corporate growth.


Section 3. Documented Vulnerability No.1 – Illicit Users Using Fake Corporate Email Addresses To Gain Entry

On the Plum Benefits website, any person can sign up with a fake corporate email address to create an account as long as the email domain suffix matches an approved domain already on the EBG list. This vulnerability can be seen with the Plum Benefits product, but is no longer seen on Working Advantage and Tickets at Work websites, which have switched to the personal email address and corporate access code as their only method of securing their website. This means that fakename@us.ibm.com can garner access to Plum Benefits, despite it being a fake email address and regardless of who they actually work for.


Section 4: Documented Vulnerability No.2 – Illicit Users Using Personal Email Address and Stolen Company Code
Plum Benefits Sign Up Screenshot

Each of the EBG websites formerly required employees to sign up for access by using their corporate email address, which they then validated by sending a validation link to that email address. This ensured that the employee was in fact a bona-fide employee of the organization they had specified. Since 2014, all EBG services have allowed users to sign up using a personal email address from any email service provider or ESP ( like Yahoo, gmail, AOL, Hotmail, Ymail, outlook.com)  to gain entry to EBG’s “protected” websites. This means a person can access EBG’s employee offers by using their own personal email address, thus removing a significant portion of the means test to ensure that they are in fact a current employee of an organization, now putting the onus of access control squarely on the corporate access code (which has its own problems documented below).

This unannounced change to use the personal email address was intended to simplify the employee sign-up process and ultimately drive growth of the EBG company divisions and products through more signups and ultimately more customers. It allowed anyone without a corporate email to access the EBG websites, but this came with the consequence of leaving the site wide open to anyone that may not actually be qualified or approved for access. While Plum Benefits still suggests that you use a corporate email address (but does not actually mandate it), Tickets at Work and Working Advantage no longer even mention it. In fact, any fake email address can be used to sign up for the services, as EBG does not even require confirmation or verification of the given email address. In addition, the websites only require a first name, leaving even more room for unapproved people to sneak in anonymously.

The remaining bastion of access control that the various EBG companies and division still use to control access to employee offers and discounts is the requirement for users to provide a corporate access code during the signup phase. The major problem with the use of these “secret” access codes is that they are publicly published over the web and EBG has done very little to keep them secret.  It appears that EBG cares very little about protecting these “essential keys” that provide access to their supposedly “employee only” services. A quick google search reveals the following corporate access codes have been published on many websites that will allow access to Plum Benefits:

4.1 Plum Benefits Corporate Access Codes

Access ID or Company CodeApproved Company or OrganizationGoogle Search Results
AC0228116Ascend LeadershipPlum Benefits search results
AC0424727Bethpage Federal Credit Union
AC0424581Manhattan College
AC0428342Purchase College
AC0428337SUNY Polytechnic
AC0526905Patrolmens’ Benevolent Association
AC0728632Academic Federal Credit Union
AC0727255United Public Service Employees Union
AC0124145Chanel Inc.
AC0725259New York Institute of Technology
AC1025828Montefiore Medical Center
AC1230167Nassua BOCES
AC1221094United Federation of Teachers
AC130262NYC Department of Education
SIART212Sotheby’s Institute of Art
PLUM38906Yeshiva University
PLUM36753SUNY Medical Center
PLUM30666Ithaca College
DEA212Detective’s Endowment Fund
NJIT862New Jersey Institute of Technology
ARCHPHILA215 Archdiocese of Philadelphia
SBUALUMStony Brook Alum Association

Working Advantage does not do much better, with corporate access codes posted all over the internet. Tickets At work suffers from the same problem with their codes posted in all kinds of odd locations including user discussion forums, online blogs and even “in the clear” on supposedly “secure” government websites. The public postings of the access codes are:

4.2 Working Advantage and Tickets At Work Corporate Access Codes

Access ID or Company CodeApproved Company or OrganizationGoogle Search Results
423860401University of MinnesotaWorking Advantage Search Results
513489214Tops Associates
831685271 Provista
586309784Junior Chamber International
708016141NJ State Employees
780351669 Arizona State University
Tickets At Work
CUMCColumbia University
DCDeptHRDC.gov HR Department
IBMSFLAIBM South Florida
USFUniversity of South Florida
JUPMEDJupiter Medical Center
KIStateState Highway Patrol
MAYOMN Mayo Clinic
IDEALMD Anderson Cancer Center
TAAAC Teachers Association Anne Arundel County
NASAEXCHANGENASA Exchange
HDSHitachi
CSUSTANStanislaus State
KBFRCCRiverside City College
KBFUOCOPUniversity of California
JERSEYNew Jersey State Employees

4.3 Guessing The EBG Corporate Access Codes:

The security of EBG corporate access codes may be poor, but any web user can just guess access codes, as they are usually not well secured or are often easily guessable. Most of them are also sequential adding to their vulnerability. For example, the following access codes were just guessed by entering random numbers and then the organization names will pop up.
AC0124146 – Fairview Nursing
AC0728633 – Alliance Bernstein Inc
AC0228126 – Ametek Corp
AC1221095 – Southern Wine & Spirits of NY
AC1025829 – Grace Health Svcs

4.4 The Anatomy of the EBG Corporate Access Code For All Three Divisions

Each of the corporate access codes do not use a hash algorithm or a parity check bit, so the level of security is practically zero. The only saving grace is that the access codes are not interchangeable across the three websites, but this is more down to luck than design as EBG acquired these websites from other companies, therefore they inherited the other company’s access code standards, rather than dictating their own security standards. Going forward, it is expected that EBG will fold all three businesses into the single “Tickets At Work” brand and that brand will probably be the only one still around in five years.  EBG is still enjoying the fact that google does not yet realize that all three brands are actually serving up pretty much the same content and but are still are benefiting from the fact that Google still thinks they are still three separate companies and accordingly giving them separate Google search entry results, putting their competition at a major disadvantage.


Section 5: Documented Vulnerability No.3 –  Lack of a Means Test to Ensure That The Employee Still Works for an Organization

Sherlock Holmes at a computer

As we have seen, the means test for new accounts is very low, so it is not surprising that the test for a change in an existing user’s employer status is essentially zero. With the EBG model, there is no process to ensure that an employee even works for a given corporation anymore, or even ensure that an employee accessing the benefits ever worked for a company. During the account signup phase, the EBG websites only require a first name and any email address, along with the company access code (only if a personal email address is supplied). If EBG required a company email address to be used, fact checking that a sign-up is a genuine employee would be entirely possible, but EBG has little motivation on making a change that will reduce their client list. However, given the current registration model used by EBG, verifying that skatergrl89@yahoo.com is really Holly from IBM HR is practically impossible. It is as if the EBG companies do not really want to know how many of their users are illicit. If you don’t ask the question, then you can always have plausible deniability when your client asks you about it.

Given this, it is impossible for EBG to determine which users are previous employees and are still able to access EBG benefits even though their employment may have ended years ago. Any employee who has retired or been fired can still access discount codes and still see deals. Due to the low exclusivity of access, users are not linked to a unique code that will tell an employer the exact identity of the user, and therefore, there is little control over who can access the discounts. Other employee benefit websites, such as Abenity, Anyperk, Beneplace, Perkspot, Youdecide, Motivano, Nextjump, Ticket Monster Perks and Corestream all use far more substantial security controls in limiting access to make sure that the offers are for “employees only”. These other companies realize that if their offers leak out to the public sector then the offer providers will balk, so it is a surprise why EBG is still the darling of Disney, Six Flags and Busch Gardens who traditionally hate offer leakage and demand that these services are fenced in, with a good fence that does not have wide open holes that can damage their retail brand.


Section 6: Does EBG Damage Brands By Pretending To Be An “Employee Only” Service By Making Unapproved Access Easy For Non-Employees?

Do the EBG websites damage brands in a similar way to using Groupon, because the “employee only” service leaves deals (that should be exclusive) are in the “practically public” space? Having easily accessible coupons cheapens brands, as it allows the perceived value of the product to go down. After all, if a customer sees a public deal, they would probably not ever pay full price for the product in the future, and think of it as a “cheap” brand. Having discounts on a more private network allows for the illusion of exclusivity and rarity, and does not damage the overall image of the brand and allows it to be marketed differently. This is all despite an EBG Website Statement:
”Your Company ID is provided by your employer. This website is for corporations, employees and members only and products listed are not available to the general public”

Section 7: Security of the Plum Benefits Website During the SVM and Shara Mendelson era – circa 1997-2011

During the years 1997-2011, Plum Benefits was ruled with the iron fist of its founder and CEO, Shara Mendelson, who was not just its notoriously fickle founder and CEO, but also the CIO. During her tenure the requirement for a corporate email address and a secret corporate access code was mandatory. At times, Ms. Mendelson was so paranoid about non-approved people getting access to her discount offers that she would not only password protect the web site and all its PDF’s, but even the website password would change every month. Those days are long gone and the security of EBG’s products, including Plum Benefits, is now somewhat looser, now just a thinly veiled attempt at security, rather than an effective security control, that speaks more to the implied direction of EBG to grow their client base than the lack of IT infrastructure skill they have in house.

Section 8: EBG and NYC Broadway Shows

A big part of EBG’s business is in Broadway tickets in NYC. Given that EBG (and all of its divisions) are part owned by the Shubert Organization in NYC, it is surprising that the notoriously conservative Shubert organization is complicit in allowing unauthorized users access to the employee Broadway offers, that are usually more closely guarded. Broadway show producers have long resisted the urge to allow discounts to appear in public forums for their shows and have fought against many discount services like Goldstar, Groupon and (now defunct) Google Offers, that are seen to damage the overall Broadway brand and weaken the Broadway ticket buying market. But given that EBG’s wbsites, that include PlumBenefits.com, WorkingAdvantage.com and TicketsAtWork.com, are so easy to access without any proper employee authorization, it may speak to a certain degree of hypocrisy on the part of the Shubert Organization. Because they are part owners of EBG you could expect that they have some ethical responsibility for its failure to protect the discount offers. This could be a big conflict of interest for The Shubert Organization, encouraging Broadway show producers to use the potentially flawed EBG services and discouraging use of other competing services, effectively locking other businesses out, all the while damaging Broadway.

What is most surprising is that big Broadway show producers like Disney Theatrical Productions, Stuart Thompson Productions, Foresight Theatrical, Davenport Theatrical, Richards Climan, Alchemy Production Group, Stage Entertainment, Dodger Properties, 101 Productions, Scott Rudin Productions, Manhattan Theatre Club, Jam Theatricals, Alchemation, Herrick Entertainment LLC, Universal Stage Productions and baseline theatrical are all perfectly fine with EBG’s employee-only offers being accessed by all manner of unapproved users including by the dreaded ticket brokers, who love to buy their tickets low and sell them high, effectively stealing profits directly from the Broadway show producers themselves.

These organizations have yet to comment on this story, but it appears that the Shubert Organization may be exercising their firm-grip on the dialog, as they are, after all, both the largest landlord on Broadway, with just over half of the theatres on Broadway and a large shareholder in EBG.

Section 9: The Future of EBG – Entertainment Benefit Group Strategic Direction

The Strategic Direction of EBG

Given the lack of security controls on the EBG divisions offers and discounts, it is the opinion of this author that EBG intends to morph into another Groupon clone over the next couple of years and may even drop “employee” requirements altogether. This will leave product and service companies, that want to protect the retail sector of their brands, high and dry as any retail marketing they may undertake could be at odds with the marketing provided by a daily-deals website like a new EBG, that may well undercut the offer producer in its own retail market. A quick search of google will show how often Groupon buys a google ads keyword that undercuts the actual offer producer, and the problem can only get worse. Marketing and sales professionals already know all too well how much a daily deal website offer damages their brand, despite the potential of huge sales, the long term effect on a brand can be disastrous. There is good reason why Groupon never gets an offer for a bottle of Champagne, but last time I checked, Costco had Veuve Clicquot for $20 off and that model has been working well for twenty years.

A possible morph of EBG into a daily deals Groupon clone puts the Shubert Organization, that sold Plum Benefits to EBG (and is now a part owner of EBG) in a very awkward position as they clearly will have a conflict of interest, but with a move to a retail discount site, the Shuberts may be forced to give up their sizable shareholding of EBG by their biggest clients including Disney on Broadway and other Broadway show producers. Other EBG clients like Disney, Six Flags, Sesame Place, Dorney Park, AMC Theaters, Enterprise Car Rentals, Busch Gardens, Knottsbury Farm, Cinemark Theatres and Universal Parks may balk at the transition of EBG to a daily deals model, which is not really that far from where they currently are.


Section 10: EBG Story Conclusion:

It appears that EBG has created the illusion that they have access control security measures in place to prevent unauthorized access to their websites, but the reality is that they have made it very easy to access their websites without actually being an employee of any organization. A simple google search is all you need to find company access codes, and you can even use a fake name and a fake email address. Ticket brokers are always on the lookout for ways to get tickets at lower prices to resell them for profit and this mechanism is tailor made for them, with what appears to be little oversight or control by EBG. It may appear that EBG cares more about its own corporate growth and sales than securing the offers that it provides, which would be greatly  impacted by enacting any stricter security measures. Any security changes to lock down the offers to employees only, would benefit the companies who provide the codes in the first place but not the EBG bottom line. Offer producers have to ask themselves if they are willing to put their product or service up on EBG websites, that offer little to no access security, are they OK with the damage this does to their retail bottom line? They may think differently of the EBG market solutions as more like Groupon and a lot less like Costco, because leaking employee offers out to the retail market and ticket brokers can change pricing strategy, marketing and ultimately total sales. When organizations see their retail sales start to flat-line (or even dip) and the EBG sales continue go up, it is a big indicator of discount offer leakage and the sales and marketing trouble that lies ahead.


Section 11: Major Discount Offer Provider Companies Affected By This Document:

Walt Disney WorldDisneyland ResortUniversal Orlando ResortSeaWorldBusch Gardens
Cirque Du SoleilUniversal Studios HollywoodSix FlagsCedar FairAnastasia
Book of MormonFrozen The Broadway MusicalPark City Mountain ResortNew York GiantsEnterprise Car Rental
AMCWaitressA Bronx TaleMountain CreekThe Lion King
AllStateCostcoHewlett-Packard (HP)AladdinVerizon Fios
Hunter MountainGore Mountain Ski ResortAlpine Meadows Ski ResortCamelback Mountain ResortShawnee Mountain Ski Area
New York MetsDeer Valley ResortWhistler Blackcomb Ski ResortSquaw Valley Ski ResortSnowbird Ski Resort

Susan Abrahamson

Recent written research pieces have been printed in Wired Magazine, Tech Review, Business Insider and Cat Fancier. Although the latter story did not require any hands-on tech knowledge, Mr Tiddles gave it his full approval and his fuzzy logic is really rather cute.