
On a similar, but separate note, my bank launched a new version of its online banking platform. From launch I noticed it opened my accounts in a new tab while leaving my credentials (password and all) in the sign-in form. Not so bad when signing in from home - horrific if you're signing in from a public computer. I tweeted to the bank and spoke to someone on the phone about it. It's been 3 months and the bug is still there.

[EDIT] I decided to log in today just to see if it's still there (was a couple days ago), and it's finally been patched. If I had used a throwaway I would gladly let you guys know the bank, but I won't since it's trivial to find out who I am from my handle.

Tell us what bank so we can avoid them.

So far, I count three separate replies to this article along the lines of "I also found my bank doing so-and-so thing insecurely, but LA LA I'm not going to tell you which bank it is!" These kinds of comments don't help anyone--you might as well not post them.

Yeah I genuinely don't understand the point here. Who is protecting what?

So the article mentions the threat of retaliation against the security researcher, and you are surprised people are afraid to come out publicly?

I read more in the article so I am updating my comment - the FBI's involvement is surprising and alarming.

When in doubt, people, call your attorney.

Who just has an attorney sitting around who is competent to handle such things? I wouldn't know who the fuck to call if I found something on my bank's website.

I am one such attorney.

Can I get your number?

My sn is my name. I am the only lawyer named Liberty that I am aware of.

More easily, my profile on my firm's website: lawyernamedliberty.com. I'm fairly easy to get in touch with.

So just assume it's your bank, and do whatever you would do next.

Oh, new bank? Just assume it's your bank, and do whatever you would do next.

This is still useful. You can go see if your bank does the described behavior. If not, you're not affected by that particular thing.

This deserves more than an upvote. This is exactly the right attitude. It puts the incentives in the right place and will let the market do what she does best: work.

> let the market do what she does best: work.

Hm, I recall the Comodo hack. I think Comodo was hacked twice or more times that year. It won many rewards and continued leading the CA space. The market did not work apparently...

Well, in a way, it did: people voted and said "we don't care la la la what did you just say?".

The security market is working exactly as it was designed and evolved to. As far back as when high-assurance started, the Black Forrest Group of execs of big companies convening on INFOSEC told one of INFOSEC's founders they thought companies would refuse to sell them highly-assured software. The reason was they suspected they intended to make extra profit two ways: cutting QA for immediate profit; selling the fixes for later profit. This proved true with lock-in strategy combining for what was essentially checkmate to lots of companies.

The other end are buyers. Most of them don't know what to expect for security or how to evaluate it. Most attempts to solve this failed. They've been conditioned to expect constant hacks, crashes, or data loss. So, they see Comodo etc get hacked and shrug. They'll usually stay if their end of whatever they bought works. The sector that will pay for highly reliable or secure software is probably under 1% of the market or projects. It's enough that companies keep forming to do the real thing, but a tiny, tiny few, struggling to justify the extra costs or fewer features necessary for higher security.

Better yet: Short their stock, then write a scary blog post about the problem.

Just curious, what would the legal implications of something like that be? It seems like you're still benefitting from criminal activity that you enable, but what would the specific charge (if any) be? And any examples where people have tried this?

Although I guess it could help align customer and business goals, since no one wants to lose money.

Not at all. You're making bets based on public information only you have realized is meaningful before informing the rest of the public to make money off that discovery. Quite a few folks make a lot of money this way and (nearly) everyone benefits: https://www.bloomberg.com/news/articles/2015-03-04/how-a-25-...

Maybe but I, personally, would not want to take the risk that I might need to defend that proposition in court.

Nothing can protect you from the lawsuit being brought, but it will likely be thrown out. That's the same with anything, and whether you short a stock or not.

If you short it, at least you might make some money to offset any pending lawsuit. There are plenty of examples of people doing the same thing to fall back on, such as the guy who found out a newly listed company wasn't actually real[1].

1: http://www.npr.org/2015/01/30/382587945/winning-at-short-sel...

And even more general. Any form of profit will attract the possibility of defending yourself in court.

IANAL but there is no risk that you may have to defend that proposition in court as long as you don't actually exploit the vulnerability and simply point it out.

It's public information.

Now if someone who works at the bank had told you about it, you'd be in a lot of trouble.

IANAL either but my understanding is that you can be prosecuted under U.S. law for poking around on servers in any unconventional way. The text of the CFAA forbids "unauthorized access" or "exceeding authorized access".

I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).

At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.

"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."

BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.

It sounds awfully close to what got weev sent to jail.

This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:

1. conspiracy to access a computer without authorization

2. fraud in connection with personal information

This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.

Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.

According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).

I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.

Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.

Again, not a lawyer.

[0] https://www.eff.org/document/criminal-complaint

Would this really be considered public information, since the existence of that vulnerability isn't known to the public or literally anyone else until you publish that blog post?

That's not really true; anybody can sue you if they want, whether or not you're in the right.

I agree that making bets by noticing public information earlier is 100% okay (and in the case of Lumber Liquidators, a better outcome for almost everyone).

But would this case with the bank be different because the vulnerability, unlike formaldehyde, could be actively exploited? Encouraging a stock price to fall because of bad practices seems alright (like the Lumber Liquidators example), but if in the process you become an accessory to smaller-scale fraud against individual account owners, is it still "alright"?

That question has nothing to do with shorting stocks and everything to do with vulnerability disclosure: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-g...

There are law firms working with hedge funds that specialize in doing exactly this when they are about to file a class-action suit. It's possible to be criminally charged if you know that the information you are spreading is false. But other than that limited circumstance, you are free to trade on any information you have about a company that you did not illegally obtain from an insider. Even in the case that the information was obtained from an insider, to convict you, the government must be able to prove that you knew that the insider both a) received a benefit (usually money) in exchange for the information, and b) breached their fiduciary duty by disclosing the information.

That said, technical glitches tend to not affect the fortunes of companies nearly as much as we (the HN crowd) think. Tradeking had the glaring vulnerability outlined in this article for years, and they are doing just fine.

Great point, I think the tech crowd may overestimate the cost of glitches, relative to everything else at play in a business.

I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)

I believe that responsible disclosure is a courtesy to the vendor and its customers. Afaik, there is nothing in the law that requires it. Exploiting vulnerabilities like the one you are discussing here yourself certainly would be illegal, and you could possibly be implicated in a conspiracy if you disclosed the vulnerability solely to one person or group that you knew would exploit it (so "I told my Russian hacker friend about this..let's short the stock before he nails them with it!" would probably be a conspiracy case, whereas a press release or HN posting would not be).

But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.

The Lumber Liquidators short-seller is quite a famous example of this strategy being executed.

Before writing his blog-post, he short-sold a bunch of Lumber Liquidator stock and made tons of money during the fallout.

Martin Shkreli claims to have made a lot of money by shorting pharma companies ahead of their FDA results - he would read their studies and make reasonably accurate predictions as to the outcome.

Shkreli shuttered two hedge funds (Elea Capital Management & MSMB Capital Management) when he was unable to cover shorts and put options when the stock price moved away from him. He is also currently awaiting trial for securities fraud. So I would take his comments with a grain of salt.

This is why I said "claims". He no doubt failed at some of his shorts. On a livestream he said he made all the money he still has on his companies, not trading. The strategy is still relevant to the discussion, though.

I posted this downstream, but it's happened and there weren't charges filed.


Great link, thanks for sharing. The quote that stood out to me was “My issue was that patient safety wasn’t front and center.”

I don't have a problem with MedSec making money by shorting St. Jude's stock (that seems to align incentives to take care of security issues as early as possible). But if MedSec publicly disclosed specific, exploitable vulnerabilities (I'm not sure about specifics from the article), they shouldn't be able to hide behind the "doing what is best for the consumer" argument. It's definitely a clever business hack, and that's alright, but the fake sense of moral superiority isn't.

Attempted stock manipulation, probably

This has been done!


A company discovered vulnerabilities in some medical devices, then shorted the stock of the company before disclosing them.

Alternatively, publish it in an obscure place online, get proof you published it in an archived medium (eg Gmail or Archive.org), short the stock based on that now-public information, and then reveal it again in a way that will get stock-smashing attention. That's my hypothetical model I came up with when trying to figure out how to incentivize apathetic, but public, companies to care about security a bit. You can even follow up offering them security consulting but don't expect a yes haha.

I feel like someone would try to sue over such an action, but would they have any ground to stand on?

And get sued for libel and market manipulation.

The idea of the banking system being subject to market forces is nice.

I don't think it's HSBC, but they do similarly horrific stuff. Almost all banks have a truly terrible online service.

I'm a happy user of N26. I very, very highly recommend it to all European customers. I'm never dealing with shitty bank service again. https://n26.com/ (Email me if you want a referral invite).

N26 had some of the worst security until a researcher came along. See https://media.ccc.de/v/33c3-7969-shut_up_and_take_my_money

People often confuse lack of published security issues with the existence of strong security. It was the rallying cry all along of techies opposing Apple's security-based advertisements.

I use HSBC for personal and business, can confirm personal is bad but HSBCnet (business) is the worst software application I've ever used, period. http://john.je/k7X2

Wells Fargo and Schwab seem ok in my experience. Wells Fargo even updated their site with slick new UI and menu options are actually findable. Amazing!

It was discovered today that Wells Fargo passwords are case-insensitive:


Just today...? Chase Bank has been case-insensitive for several years now. I even contacted them about it when I found out and they outright told me they had no plans to fix it.

Tons of companies do this because it substantially diminishes the number of support calls/complaints that they get related to unsuccessful logins.

It's 2017, and I still have online financial accounts that are "secured" by short numeric PIN, so count yourself lucky that you can at least use some letters in your password.

C-mp-t-rsh-r-: your website's trash and you should be embarrassed with yourselves.

To be fair, until sometime in the last ~2 years, Schwab PWs were alphanum case-insensitive 6-8 characters only.

So I know this also :) I am a techie that made a bit of money and it was kept at Schwab. I made a big enough issue of it that they arranged a call with their security team. The call was good and they explained the reason why (legacy system) and their plans to update / fix it. They also addressed my questions about password storage (hashing/salt) - they did it correctly. They showed a great deal of knowledge and competence in their job, such that I was willing to leave my money. I applaud their willingness to have the call. My dealings with them have always been pleasant.
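To make the case-insensitive password point above concrete (and the hashing/salt question the Schwab call touched on), here is an added example that is not from the thread or from any bank: a site accepts "PASSWORD1" for "password1" only by folding case before hashing, and for the alphanumeric 6-8 character policy mentioned that folding shrinks the keyspace by about six bits. The salt and iteration count are constructed demo values, not any real deployment's settings.

```python
import hashlib
import hmac
import math

# Constructed sample values: a fixed salt and a low PBKDF2 iteration count so
# the example runs quickly. A real deployment uses a random per-user salt and a
# far higher cost (or a memory-hard KDF such as scrypt/Argon2).
SALT = b"constructed-demo-salt"
ITERATIONS = 10_000


def hash_password(password: str, case_insensitive: bool = False) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash of the password.

    Folding case before hashing is exactly what makes a login case-insensitive:
    the stored hash can no longer distinguish 'Password1' from 'password1'.
    """
    if case_insensitive:
        password = password.lower()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def verify(stored: bytes, attempt: str, case_insensitive: bool = False) -> bool:
    """Re-derive the hash for the attempt and compare in constant time."""
    candidate = hash_password(attempt, case_insensitive)
    return hmac.compare_digest(stored, candidate)


def keyspace_bits(min_len: int, max_len: int, alphabet_size: int) -> float:
    """log2 of how many passwords a length range and alphabet allow."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def policy_comparison() -> dict:
    """Alphanumeric, 6-8 characters: 36 symbols once case is folded, 62 if not."""
    folded = keyspace_bits(6, 8, 36)
    sensitive = keyspace_bits(6, 8, 62)
    return {
        "case_insensitive_bits": folded,
        "case_sensitive_bits": sensitive,
        "bits_lost": sensitive - folded,
    }


if __name__ == "__main__":
    stored = hash_password("Password1", case_insensitive=True)
    print("folded login accepts PASSWORD1:", verify(stored, "PASSWORD1", True))
    print(policy_comparison())
```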

I sent feedback about the WF interface and it was actually addressed within 2 weeks. I was floored.

I clicked the transfer money button from Chrome and it logged me out for months if not years. I called them and it still took them forever.

Wells Fargo seems ok in your experience??!! Is that a joke? Your account is wide open to any of thousands of employees who conspire against you. You're ok with that?

It's people like you who keep companies like that in business and encourage such atrocious activity.

What I love most about n26 is the lack of foreign currency transaction fees.

Then you're going to adore Revolut: http://revolut.com/

Do they have direct debits yet?

Who logs into their bank from a public computer? Genuinely curious.

And the kind of people that don't have access to anything else.

My bank (arguably) condones use from public computers by asking me if they should "trust" the computer I'm on.

Right, most public computers I've seen would be trivial to bug with a key logger. Though with 2fa, I suppose it wouldn't be quite as bad (but then again, those using public computers might not be using 2fa).

When on holiday this is quite common. With 2-factor auth this is fine.

There are plenty of laggards who don't have home internet and only browse through e.g. a library computer. Some of them are probably doing banking too, given the recent trend of preferring online transactions.

> laggards

Or, you know, poor people.
