How I Hacked a Bank and Made 40 Bucks - lovelyLaney
https://www.golemtechnologies.com/blog/how-i-hacked-a-bank-and-made-40-bucks

======
spydum
Summary: Security tester is paid to scan a bank, finds a vulnerable asset,
reports back to the customer. Customer tells him he doesn't charge enough.

Here's my take: if he is charging $7, $10, $40, whatever, he's running
automated scans. If the customer is suggesting they'd be willing to pay $10k,
they are most likely under the impression this is a real, full-fledged
pen-test. That is a massively dangerous assumption. A real pen-test is not just
some process you kick off and walk away. It involves real investigation,
testing, and analysis. Charging $7 or $40 would bankrupt a tester.

------
pbhjpbhj
I'm guessing a bank of such size won't believe that a $7 scan can tell them
anything. If he charged $10k they would probably think that it was worth
acting on too ...

------
pavel_lishin
> I have since lowered my prices (I love my customers, and want them to be
> secure).

So why not charge $0?

If you love your customers, crank the price up - that'll encourage them to
actually _listen_ to the results you give them.

------
dfxm12
Until these businesses (small and large) become responsible, either legally or
financially, for the security of their websites, we'll see this continue to
happen.

They simply don't care about the security of their customers because they have
no incentive to.

I get that security is hard, but in this specific case, they knew about a hole
and left it open for two months. That's negligence.

------
tnorthcutt
The post title doesn't make sense to me. Wouldn't something like "My service
works, and now I charge even less" be more accurate?

------
ryanhuff
I love how the author emphasizes the size of the bank: "one hundred million in
assets bank. One Hundred Million.", as if they are flush with money. In
reality, this is a rather small bank, likely with 2-3 people running the IT
operations.

And to say that they don't care about security is wrong. Generally, small
financial institutions like this are scared to death about security breaches,
but in many cases, they simply don't have the expertise to properly assess and
deal with them. The example of the calendar application is just one example.

------
kaib
So I tried to order a scan, given the low price of $7 only to realize the
author of this service does not accept customers outside the U.S. and Canada.

------
pavel_lishin
Seems to be down; anyone have a mirror?

~~~
aw3c2
Copy the URL, go to Google, type "cache:" and hit Ctrl+v ->
[http://webcache.googleusercontent.com/search?hl=en&q=cac...](http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttps%3A%2F%2Fwww.golemtechnologies.com%2Fblog%2Fhow-i-hacked-a-bank-and-made-40-bucks)

~~~
sundarurfriend
Or use the Resurrect Pages extension if you're in Firefox:
[https://addons.mozilla.org/en-US/firefox/addon/resurrect-pag...](https://addons.mozilla.org/en-US/firefox/addon/resurrect-pages/)
and choose among the many cache sources.

------
soci_rich
Wasn't there a Wall Street Journal article talking about how poor small
business security was recently? How does this tie in?

