
Ask HN: Found a way to fraud my bank thru a loophole, how to disclose properly? - alexleclair
Hey guys,

First, excuse the messy title - I was limited to 80 characters.

I recently found a way to create money out of thin air through a loophole in my bank's current banking portal.
I tried reporting it a few times, but every time I am stonewalled by a low-level employee, telling me they will call me back later in the day, which never ends up happening.
The furthest I've come is to call their abuse department, found on their ARIN records, who seemed to take it seriously, but I ended up going full circle - back to the low-level guys.

I discovered it inadvertently and, technically, defrauded them of ~0.32 US$ using legitimate transactions that the bank's software should have handled differently. Pennies, but still.

I also confirmed the issue with other accounts and other transactions - my account is not a glitch in the system.

What is the best course of action? How would you get in touch with security officials at a big bank?

I mostly don't want to get caught or charged with (attempted?) fraud over $0.32.

I have also spent quite a few hours trying to disclose it, unsuccessfully. What would be the best way to get some of this time spent trying to do things right compensated?

Thanks!
======
brador
Stop.

You're risking your freedom to save a corporation.

If you press ahead you will be dealing with people who lack knowledge and are
scared of what you did affecting their career. They will rake you over coals.
And you will have gained what? The minute pleasure of helping them save a few
bucks?

You have a desire to help people. That's great and noble and commendable. But
that's not what you would be doing here.

My advice: drop it. It's not worth it. If there was no risk to life or liberty
from what you found, then yes chase the disclosure. But there isn't. Drop it
and forget it ever happened. Your life is worth it.

~~~
piron_t
I can't agree more with Brador, you're really risking your freedom and if they
don't have a bug bounty, you might end up in court / being sued.

Here is a Google Translate version of a French article that you might find
interesting:
[https://translate.google.com/translate?sl=fr&tl=en&js=y&prev...](https://translate.google.com/translate?sl=fr&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fkorben.info%2Ferreurs-dun-professionnel-pentest.html&edit-text=)

~~~
alexleclair
Thanks for the link

------
sheraz
I use LinkedIn when I have to penetrate a bureaucracy such as this.

Nothing gets action faster than when a VP or higher gets a personal email / phone
call regarding something like this.

Step 1: Troll LinkedIn to find these people in positions of real power.

Step 2: If they are easy to reach via email or on the platform, try that.
Failing that, call their HQ and work the phones until you get to them.

Step 3: Win.

~~~
otterley
I think you mean "trawl," not "troll." :-)

~~~
sheraz
...or do I ;-) ?

------
smt88
Document your attempts to alert the bank. You should have proof that you
contacted them about it. Don't use the loophole obviously. Definitely switch
banks.

~~~
alexleclair
Yep, good idea.

I'm documenting everything I can think of. Tried the loophole three times -
once inadvertently, a second time to try a different approach and a third time
on a different account. Told the low-level techs all about that; they didn't
seem too concerned about the ~0.32$ I created, but I'm still being careful.

I'm documenting everyone I talk to as well - there is never any case file #
though. Are there any other things you think I should document?

As for switching banks - definitely will. This is realllllly bad.

~~~
smt88
If it's possible for regular transactions to look like fraud due to this
loophole, you should make sure all your legit transactions have a paper trail
(receipts or whatever).

~~~
alexleclair
Good idea, thanks!

------
chrisbennet
Just drop it. It only hurts the bank and you did your best to warn them. At
this point the only reason to pursue it is to get recognition/reward or
attention for being clever.

------
ChuckSanders
I am a developer who works with one of the largest US banks and I would love
to speak with you about what you have found and pass it along to the head of
security in my office. Unfortunately, like others have pointed out, you will
more than likely encounter low-level employees who dismiss you OR, and this is
the dangerous part, you may bruise the ego of someone in a position who can
and should listen to you, possibly resulting in adverse actions being taken
against you. Do you have an email address I could contact you at? I could
conference you in to my department and see the exploit you found (MOST banks
share the same backend software for their online services, so this is alarming).

------
boodm
Call the bank's regional HQs. Ask to speak with the manager of security.
Report the instance. Ask for his/her name and number. Tell the individual you
plan to go public with the information in 48 hours if there's no resolution.

The individual will feel a career risk and act accordingly.

~~~
alexleclair
Bold. Love it!

------
cweagans
Try to find developers that work at the bank via LinkedIn or something. Ask if
they have a bug bounty program, and disclose things appropriately. You won't
ever get to the right person calling in on the customer support or abuse
numbers. You need to go around.

EDIT: Also, how long does that money stick around in your account? I wonder if
there is some kind of reconciliation process that goes through and squares
everything up. The web software is probably just a replica of the actual ACH
data, so maybe those processes would correct things and it's not as big of a
deal as it seems to be?

------
saluki
STOP. You've already done this on multiple accounts; that is asking for
trouble.

I wouldn't risk interacting with them further if they aren't interested in
listening.

Document that you tried to contact them and report it so they can fix it.

But you're in the gray area where they could attack you, feeling you were
attacking their system.

Forget it and move on.

Otherwise you're going to be tempted to:
[https://www.youtube.com/watch?v=GyB6ffmXsZo](https://www.youtube.com/watch?v=GyB6ffmXsZo)
(Office Space Virus Scene) And we all know how that ends.

------
tapiwa
Document the vulnerability. Document your attempts to contact the bank.

Contact your local[1] newspaper. Particularly one that is big on investigative
journalism, and technology.

A good hint is if they covered the recent SWIFT bank heists.

[1]Local is relative. If it is a big national bank, go national.

The idea is for them to do an article, not necessarily exposing the
vulnerability, but how processes (or lack thereof) in the big banks allow
security holes to go unfixed.

------
jason_slack
I have to ask the folks here. Given that the OP used an ID that seems easily
traceable and he/she admits to defrauding the bank publicly (I know, just .32
USD, but still, people are going to prison these days for so many silly
things), should OP retain legal counsel and have the lawyer make contact with
a VP?

Or does lawyer-ing up make OP look guilty from the start?

~~~
alexleclair
Well, there are audio recordings of bank staff asking to demonstrate the flaw
and there are also recordings of the same staff telling me that going public
is within my rights, but they don't seem to understand the underlying issue.

Not sure about lawyering up, maybe it's something that I should do (should
have done?).

~~~
jason_slack
IANAL, but I thought I would mention it anyway. Do you have these recordings
in safekeeping?

~~~
alexleclair
Some places, yes. But you're right, definitely. Better safe than sorry!

~~~
jason_slack
One more idea. I once witnessed another company being shown a competing
company's unreleased product while testing my own product in a testing
facility. I sent them an unmarked envelope with a letter of what I saw and the
names of the people involved (as they were wearing name tags). This is
stone-age now, but perhaps it might help.

------
exolymph
You've tried to disclose and they made it impossible. Time to post it on
Twitter and cc @troyhunt.

~~~
alexleclair
Hah! Yeah, that's definitely something I'll try if my latest inquiries don't
go through! :) Thanks!

~~~
exolymph
Good luck! I respect that you're making the effort to do the right thing, even
though I don't think the bank deserves it.

------
Gustomaximus
It's amazing that any large firm whose business heavily relies on security
doesn't have some kind of report-a-bug or bounty system easily findable. This
should be as standard as a 404 page.

------
WhatIsThisIm12
> What would be the best way to get some of this time spent trying to do
> things right compensated?

That depends how quickly you can get the money out of the bank, and get
yourself out of the country!

------
dreamdu5t
The bank isn't going to pay you money. You gain _nothing_ from reporting this,
and risk getting fucked over for mere pennies. Just forget about it and move
on with your life.

------
loumf
You could contact a legitimate security firm that buys vulnerabilities to get
the credit (and knows how to report responsibly).

You want one that immediately discloses and does not resell.

------
miguelrochefort
> What would be the best way to get some of this time spent trying to do
> things right compensated?

Creating more money out of thin air seems like the appropriate compensation.
/s

------
chad_strategic
Is this a big bank? If so I would let it slide.

If you really understand how big banks stole from the US taxpayer in 2008, you
might want to steal more.

------
dragonbonheur
Don't call from your land line. Don't call from your cell phone. Find a public
phone, away from cameras.

------
tmaly
apply for a job with the bank

~~~
alexleclair
Well, I don't really want to work there. And I wouldn't be able to disclose
the info simply by applying, I'm sure.

The real question is - how can I get the higher-ups' attention? Or would I be
better off going public with it, given the private disclosure didn't work out?

~~~
partisan
When I worked at a big company, one thing that always got everyone's attention
was when the CEO received written letters from his customers. It's a very slow
way of going about airing grievances, but it might work the same way. The CEO
was notified and every letter was responded to.

~~~
alexleclair
Similar to the LinkedIn[1] idea - I like it! Nice, clever and convenient :)
Thanks

[1]
[https://news.ycombinator.com/item?id=11772336](https://news.ycombinator.com/item?id=11772336)

------
drallison
_defraud_ is the verb form. To defraud is to illegally obtain money from
(someone) by deception.

_fraud_ is the noun form. 1) wrongful or criminal deception intended to
result in financial or personal gain or 2) a person or thing intended to
deceive others, typically by unjustifiably claiming or being credited with
accomplishments or qualities.

The English language is changing. Modern usage has promoted some nouns to
verbs in informal use, but for many of us, the change is a bit like scratching
your fingernails on a blackboard. In a situation like this, where credibility
is important, careful attention to usage and spelling is critical.

