JPAY FORCED PASSWORD CHANGES CAUSE SEVERE SECURITY ISSUES THROUGHOUT IDOC

In yet another JPay snafu, the service provider informed all IDOC prisoners via memo on January 22, 2018 that due to an unforseen technical issue, all inmate passwords would (on January 23) be reset to a temporary password consisting of the inmate's 4 digit birth month and year, but as it turned out, the temporary passwords were the birth month and day (e.g. 0404 for April 4th). The memo also advised prisoners - in bold and capitalized text - that to protect their account, prisoners were to log into their account, "as soon as possible after 0900 to reset the temporary password to a different password."

Unfortunately, the new JPay system will not allow inmates to change their passwords and there are no options in the drop-down menu to contact JPay regarding password matters using their madatory "communications center" on the kiosk. According to staff, JPay has told IDOC administrators as late as Tuesday afternoon (1/23) that the system is working perfectly. The security concerns of this matter are significant.

In IDOC, all prisoner identification cards (which are required to be worn in the open at all times outside one's cell) contain the prisoner's complete birthday. Living in a dorm or a cell also gives rise to opportunities for other inmates who live in the area to view the birthdate several times throughout the day in that unlike staff, inmates are prohibited from covering, obscuring or oblitering data on their ID cards.

Further, and very much a concern, is the fact that every person who has enrolled in certain education or vocational classes at ISCC (and some other facilities) has been required to use their birthdate as part of their computer login data. For this purpose, inmate teacher's assistants have for years collected this data from prisoners enrolling in their classes, both on paper and entering same into student files. This data is accessible to the inmate TA's at any time, without the need for staff authorization or oversight as part of the inmate's regular duties.

Already there have been issues - a prisoner accessed another's account without his permission which almost ended up in a fight. In another instance, an inmate has threatened to use this data to log in to another prisoner's account and order (unwanted) music and other media data - depleting the funds on the prisoner's account. That prisoner now has to watch to make sure that nobody else logs into his account on behalf of the inmate who threatened to use his account. If any accounts are accessed by unauthorized persons, is unlikely that JPay will reimburse the account based on fraud - fraud which JPay has invited prisoners to commit by failing to secure their system.

According to internet sources, JPay has been around for more than 25 years, providing kiosk and other services to prisons, jails and other facilities, so it is inconceivable that the inability of JPay to figure out how to get even basic services to Idaho is based on being new to the state. Idaho prisoners who have family and friends in far away states and countries have been waiting for more than 2 years to use video visitation, but the IDOC has taken the stand (according to CenturyLink staff) that JPay needs to get the basic system straightened out before moving to video visits... looks like we will be waiting a long time.

DS