This is why I got out of cybersecurity. Even when you are a good guy, the other folks look at you like it's only a matter of time before you steal the crown jewels while their back is turned. And if you are disclosing vulns you found when not actually hired to do so, forget about it - the best you can hope for is a thank you and a bounty that doesn't make it worth the time it took. The sky's the limit on the worst you can get.
The prospects of folks probing systems for the fun of it and disclosing how to secure them better to the owners in order to make the world a better place have become too grim. If you really want to do this, then I recommend you join a security company and do it as an employee to get that protection.
Every decade since 1989 I have marveled at how much closer our world has gotten to the world of Shadowrun. I just wish we had gotten the magic to go with the pall of shadows that hang over us now.
Because let's be honest, that is Occam's razor most probabilistic outcomes.
And your deduction on the outcome is very likely!
So accurate. It's doom and gloom in that space, you either do it because you couldn't literally see yourself doing anything else - or for ego/cash. I'd argue there's much better ways to make cash in other engineering jobs, often skills in security overlap with SRE, admin and compliance roles.
It's the golden years for blackhats right now. And it has been for about 15 years, and I really don't see it changing at all any time soon.
“My boss told me to do it” is not a defense against criminal charges.
I'm getting out of ops for the simple reason that it's way more lucrative to be called in after the fact rather than try to stop incidents ahead of time (whether by probing and disclosing or trying to build out a blue team without being paid a contract to do so).
You might want to consider fighting it, though. It seems that it was a decision made at a pretty low level, or even automatically. Chase, like most US big banks, is under constant scrutiny and hates bad PR. Write to their top HR, say you are submitting a formal request to <pick a four-letter financial oversight agency> and send a copy to your congressman. What do you have to lose?
Since it's a financial institution and the accounts were closed by the bank, I wouldn't be surprised if this dinged his credit report in some serious way.
Having Chase cut off five accounts involuntarily probably looks pretty bad to whatever "AI" is used to create the scores.
Wells is notoriously crooked. Bank of America was a primary player in structuring withdrawals to maximize overdraft fines on their customers.
Chase has its own problems, but it would add a lot of inconvenience to your life to eliminate it.
Those three big players have purchased the majority of other banks in the country, leaving a scattered few credit unions and smaller banks around, which will be extra inconvenient when you travel and they absolutely will not offer the same range of credit cards with good rewards programs.
You don't need to touch Wells, Chase, or BoA to have financial infra in the US, although you might be stuck with them if you have a mortgage, auto loan, or other lending they originated or service. My condolences in that case.
https://www.usaa.com/inet/wc/why_choose_usaa_main (Control-F “Who can join”)
It is slightly less convenient, but much better for the country.
* it's 2020 and my credit union doesn't have autopay for my credit card.
* someone stole my cards and made some unauthorized charges at an unattended parking lot -- they did it almost 40 times in a single day across 3 cards that I rotated between. Chase and Amex took a 5 minute phone call each. My credit union took more than ten hours of work to get my money back, including demanding that I go to a -- remember, unattended -- parking lot that was near a job I hadn't worked at in 6 months to try to get a refund.
The real answer is if you qualify for eg a chase sapphire reserve, you get excellent service and an excellent product.
The balance that I have found works well for me is that I keep liquid assets at credit unions and I will get a debit card from them, but try to avoid using it if at all possible. I also hold credit cards with the major banks (except Wells Fargo, which I refuse to bank with in any capacity). I make all purchases throughout the month on credit cards with the exception of things like mortgage, car payment, etc. Obviously also paying those cards off each month. There are numerous advantages to using credit cards over debit cards that I won't get into here.
I have a variety of credit cards that use Chase, BofA, AMEX, and Capital One. I also have at least one of each of the three major card brands (Visa, Mastercard, Amex).
Then of course I have a couple investment accounts I use for holding long term assets.
I find that this balance is the best that you can come up with. My liquid assets (money I make from work for example) goes into my primary credit union account. I try to hold mortgage and car loans through the same credit union and those get paid directly from the checking account. I try to avoid any other line items on that account other than payments to pay off credit cards. Then day-to-day expenses (food, amazon, stuff from Target, etc) get paid with credit cards. This way no one has direct access to my liquid assets if a card number gets compromised. I also don't have to deal with the bad online banking experience of the credit unions because I don't really use them for much other than a selected number of major payments each month. Instead my general purchases are on well known credit cards that have really good apps (Like Chase for example) and online experiences and reward programs.
This balance is great. You build a good relationship with a credit union and you keep your primary liquid assets with them instead of the major banks. Credit Unions are particularly good when you want things like Mortgages, construction loans, lines of credit, or car loans. So you can use credit unions for these things and maintain a good relationship with them. But where the credit union is weak, you leverage the strength of the major banks for good credit cards, good rewards programs, good fraud detection, good apps, and so forth. But at the end of the day they don't actually hold any of your money.
Everything takes much longer and major hassles are far more frequent. They have automated little to none of their operations. They are so small that their tiny staff has never had to deal with your particular issue before, and doesn't know what to do about it.
The big banks, on the other hand, deal with other versions of your problem dozens to hundreds of times a day, and have evolved a very high degree of efficiency in handling your case.
It doesn't have to be an either/or proposition.
* I keep my savings, checking, and loan accounts at a local bank, which also issues a debit card.
* I have credit cards from Discover and BoA, so that I get big-bank services for them.
The bulk of my value as a customer is tied to my mortgage, so my local bank, and possibly Fannie Mae, holds onto those profits.
This stuff is just wonderful. No monthly fees. Can use a debit anywhere Mastercard is valid, even overseas.
> The problem is most credit unions suck.
This has not been my experience. Chase is miserable, but if you need a business account, credit unions can't help you there.
A lot of credit unions are members of the CO-OP program, which gives you access to more ATMs than any of the big banks (possibly more than all of them combined). At least for travel within the US, being part of that CO-OP credit union is much more convenient than BoA and their ilk.
I just checked: 50 BoA ATMs within 20 miles of me. Over 100 within the CO-OP network. This is in a decent sized metro area.
I just checked my small undergrad town: 3 in the city, and 2 in the adjacent city. BoA has only 1 - and only in the adjacent city.
In my experience, it's always been easier to find a Co-Op ATM than a BoA one.
Others complained about poor services, web sites, etc. I suppose that can be true, but it isn't for mine. In fact, I had to ditch one of the national banks because it couldn't provide simple features that my local credit union does - stuff like limiting which of my checking accounts is tied to my ATM card - without limiting it in their online site. So if I tied my ATM card to only one account, then when I logged in to the account's site, it would not let me transfer money between the accounts that are not on the ATM (although it would let me view transactions, etc).
I've also used my debit card in other countries. It worked just like any other card would (I did have to inform them in advance so it wouldn't trip up fraud detection).
> and they absolutely will not offer the same range of credit cards with good rewards programs.
You do not need to have a bank account with Chase and other companies to get good credit cards with rewards programs.
The reward program through the credit union is not that great, but I'm okay with that.
Your comment would imply a huge gap between this top tier of 3 banks and the rest of FDIC banking; there are quite a large number of large banking institutions available which are not as small as you've positioned them. https://www.mx.com/moneysummit/biggest-banks-by-asset-size-u...
(there are similarly very large Credit Unions such as NavyFederal with lots of asset: https://www.mx.com/moneysummit/biggest-us-credit-unions-by-a... )
FWIW, Citigroup is almost as big as Wells Fargo.
You're probably thinking of employer-paid business travel, passing on "air miles" to an employer. It's 2020, my friend.
More seriously, is it possible to get in writing that disclosure would not result in negative repercussions if there is no bounty program? Perhaps dealing with large banks in a security context requires a less forgiving mentality.
Did you have to return the $5k? At least maybe you gained that?
The only compensation I received with this whole situation was the termination of my accounts, and a family members account being terminated as well.
It's very hard to know the reasoning behind the termination as they never gave me any information.
My gut agrees with this statement.
Technically, if a SAR was filed, even the engineer he spoke to would not have known. Every training I've ever taken in that field basically says you don't tell anyone but your company's team that you filed such a report. Not a coworker, not even a Manager.
I was extremely disappointed. :(
Thank you for sharing.
You would think out of all people a bank would have deep enough pockets to afford a proper bounty program, as well as treat researchers well.
And in practice, it's less than one bit, since not all characters are letters.
So yes, I absolutely expect them to be good at saying, "Well, if we pay $X this year for bugs, that's better than losing $Y directly and paying $Z in cleanup costs."
Sorry but trusting local cops with anything technical is a fools errand.
You want things on record in any way possible.
Just getting an emailed "okie dokie" back from some company executive and then doing something that could later be construed as illegal is a bad idea.
Maybe let's just agree to get a good lawyer first and follow their advice about who to talk to.
You're almost right. You have your attorney notify law enforcement. That's what he's for. He'll keep all the records and act as a buffer between you and any misunderstanding with the police.
Lawyers are paid to keep your best interests in mind.
Cops will investigate the shit out of you and will do nothing to help, at all.
Yes, he disclosed exactly how he did it to the bank. Yes, he returned it all. Yes, he had no intent to keep it. And yes, he still defrauded them in the process. Yes, he had permission to do so. But permission doesn't always prevent situations from going awry, even if it can help clear things up after the fact.
If you walk into a physical bank and notice a potential security issue, point out the potential security issue to the teller, come back to exploit that potential security issue just to see if you can, succeed and make off with $70k, then bring it all back in and walk the bank manager through how you robbed his bank, he's still going to call the cops on you. Or maybe you spoke to him before and got permission, but his communication to corporate after the fact gets misconstrued/misunderstood and someone else calls the cops.
Closing all of the accounts like they did was a crap reaction, but he could have just as easily been hand delivered an arrest warrant by an FBI agent for bank robbery and fraud if someone internally decided to take the position that what he did was analogous to the above scenario. And it may have just as easily occurred due to some internal miscommunication/misunderstanding by a non-technical person or being flagged by some type of automation/reporting, rather than deliberately taking such a stance.
That's where involving a lawyer would have been valuable. It may not have protected him from the consequences that did occur, since they could close his accounts for whatever reason they wanted. But a lawyer would have provided greater assurance against substantially worse outcomes, by ensuring more drastic outcomes were identified and addressed/mitigated upfront. And potentially saved his accounts from getting closed - the decrease in his cumulative credit limit plus closure of such long-lived credit cards translates into real economic harm due to the likely impact on his credit score. I could see a lawyer being able to use that fact somehow to persuade Chase that it was not in their best interests to take such an action.
Law enforcement - I'd leave that up to the lawyer. As another user commented, your lawyer is explicitly employed to protect your interests. If involving law enforcement furthers that aim, they'll tell you. If involving law enforcement is detrimental to that aim, they'll tell you. So consult with several first, hire one second, and let them direct what happens after. If what they do/recommend ends up being incredibly stupid, you at least have their malpractice insurance to appropriately compensate you for their stupidity. But you have no such insurance to compensate you for your own.
> Once I had permission quickly made a proof of concept ...
So unless you want to accuse him of lying, there's no fraud here. And the fact that Chase didn't file a police report makes me convinced there was nothing remotely illegal about his actions.
As I said, such a situation could have occurred due to a miscommunication/misunderstanding, rather than taking a deliberate stance to prosecute him. A team (or member on said team) or some automated system unaware of that permission could have flagged the fraud and involved the authorities. Communication silos are a fact of big businesses. Politics and power tripping executives are too, who may decide whoever gave such permission didn't have the authority and push ahead anyway for whatever reason. And inflexible legacy systems are too, which may trip some automated fraud detection system that automatically triggers a legal reaction.
The charges may have ultimately been dropped when everything got sorted out, or a judge could have dismissed the case based on the permission he was given (if the situation got to that point). But that's not for the law enforcement agent serving your warrant to decide, his job is just to bring you in. And in the event that happens, it's far better for your lawyer to already be prepared on how to address the situation than only getting them involved at that stage.
It seems like he took great pains to keep it legal, but the presence or absence of a police report means nothing.
No he didn't. Intent / mens rea matters.
He established a pretty solid record of prior communication about what his intent was.
Involving your lawyer isn't a foolproof preventative measure either. But your lawyer having an established line of communication with their lawyers can get things cleared up a whole helluva lot faster than if you get booked, have no lawyer, and are having to find and get one up to speed only after you're sitting in jail.
The entire experience with Chase while I was assisting them was very positive, and they even mentioned something about putting me on their upcoming researcher leaderboard.
Since chase is a very big organization I would have to assume that another department took over the situation after, and decided to terminate my accounts to avoid any risk.
I will never know for certain as they have been very close lipped about the whole event.
Local branch manager was frustrated but couldn't get any more information. The timing really made my life difficult for a few months, completely unnecessarily.
That was the last time I banked with Chase. A few colleagues told me they proactively left after also, due to the way it was handled - who knows if that was true.
I've got several Chase accounts myself, and glad to know they're not horribly hostile to such disclosures.
The original comment I replied to asked what difference it would have made in response to someone's "always involve a lawyer instead of trust these companies to do the right thing" post. Which is a generally good rule of thumb, as there's no guarantee someone else's experience would go as positively as yours did with Chase. So I wanted to point out a much more hostile outcome someone may feasibly experience in such a situation, to highlight the difference involving a lawyer could make.
So far as I know, fraud isn't a strict liability crime. It requires intention ("mens rea") as well as action ("actus reus") to be prosecuted.
I am of course not a lawyer.
1) Mens rea isn't an absolute defense. It doesn't refer to malicious intent, but more so specific intent, in this case, specifically performing a sequence of actions in order to discover/validate/confirm a vulnerability. You also don't have to know if what you're doing is a crime; if what you did fit the legal definition of fraud, and you performed that action fully cognizant of and in control of what you were doing, then it's still a crime irrespective of your awareness that it was a criminal act.
2) Mens rea is a legal argument. It may protect you from successful prosecution, but if you've hit this point, lawyers are already involved and you've more than likely already been arrested/charged.
3) The prosecutor could dismiss the case if they feel the likelihood of successful prosecution is minimal (such as when you produce the original permission you received) or the bank requests it. Or they could force a settlement if they think the case is shaky. Or they could be an ass and force the court/judge to decide. But you've still been arrested, your life has been disrupted, you've potentially sat in jail for some amount of time (at least until your bail hearing), and you've likely been economically harmed (via legal bills, cost of bail, potential impact to your state of employment, potential impairment to future earnings based purely on the arrest record even without prosecution, etc).
Which is why it's always good to involve or consult a lawyer before engaging with the company - the cost of doing so is effectively an insurance policy protecting you from ending up in a situation where you need to employ one for damage control. And you're likely to end up with a far larger bill if you end up having to pull a defense attorney in after the fact for damage control/crisis management than the bill you'd get for upfront risk mitigation.
I absolutely agree. Always have your own lawyer!
This story is exactly why the newer fintech startups will take over banking.
Most lawyers will give you an initial consultation for free. Even if you don't hire one, just consulting with one can immensely improve your ability and confidence in navigating things solo.
"Can you also confirm if this allows additional points to become available for use?"
This was why I had to remove the negative points, and make a transfer to prove that they indeed could be used.
The post doesn't actually confirm this. Might that be the problem?
- Shit happens. Even legitimately contracted pentesters can run into legal issues. These guys worked for a firm hired by the state court system to pen-test the courts (from application testing to physical building security), were ultimately arrested due to a power play, railroaded by embarrassed local authorities, had their charges trumped up to the point of being considered a felony, were disavowed by the powers that hired them who went into "cover our ass" mode, and ultimately spent 5 months fighting the charges before the state legislature ultimately pressured the local authorities to drop them. And even with the charges dropped, the felony arrest record was not expunged and has lasting damage/implications both personally and professionally.
- In the above case, the client was not only the very same court/legal system overseeing their case, but also had an established, multi-year relationship with the security firm they worked for. Yet it still went that terribly wrong, took almost half a year to get legally resolved, and resulted in permanent felony arrest records. If things can go so terribly wrong for legitimately contracted professionals, how badly do you think it could go for a private citizen, with no official contract in place and only some form of written permission from the company that has not been vetted by a lawyer representing that individual's interests, and may not have even been vetted by that company's lawyers?
- He was dealing with a bank. Who are subject to a massive amount of legal and regulatory requirements for their customers that are specific for the banking industry, all of which tend to get interpreted/applied from a conservative standpoint due to the risks and penalties they're subject to for non-compliance.
- He was using his real, live accounts during the process. His actions could have easily triggered their fraud detection system to automatically generate and submit a SAR, a report of "suspicious activity that might signal criminal activity". Even if someone fully aware of the situation (and granted permission) intercepted such a SAR before it was submitted, it may be decided that such actions from a private individual not contracted by the company to perform such work fit the threshold of "might signal" and still ultimately get submitted. Triggering who-knows-what downstream repercussions/investigations after it's submitted to the government.
- Their responsible disclosure program did not exist at the time, so there were no explicitly documented and legally vetted acceptable rules of engagement publicly available. It's possible that rules of engagement were part of his communications with them, but not mentioned in the article (nor again, vetted by a lawyer bound to represent his interests).
So while there was ultimately no problem in this instance beyond the inconvenience of his accounts getting closed, doing so without the aid/guidance of legal counsel involved assuming an unknown and potentially substantial amount of personal risk/liability in the process. Which is why it would be highly advisable for someone in a similar situation to speak to or retain a lawyer.
I'm interested in why security researchers or bug hunters do this kind of work for free. It really devalues the proposition long term imo, but I don't have a horse in the race. My POV is megacorps with bottomless pockets and armies of highly paid engineers miss these critical security issues all the time, and the best reporters can hope for is chump change (if not abuse).
edit: Even more specifically I'm wondering why can't the security community work together, denounce the current practice of exchanging bugs potentially worth $$$ for ~nerd cred? Make some high profile disclosure if that is what it takes to take the work seriously. Wouldn't it work out better in the long run?
They were one of the first companies to have solid mobile banking.
Half the time the security team was scrambling to prevent various people from sending legal on a crusade to attack the latest researcher who responsibly told them about a security issue. It only got better after legal was educated enough to not just shoot from the hip with threats... but really they were just acting like a firewall for much of the management team who saw any such disclosure as some sort of attack.
And this was a tech company, everything they did was technology, located in the valley... they still didn't get it.
Even just getting these researchers token recognition (many asked for almost nothing) was an uphill battle.
One of the challenges was that the folks on the security team were really passionate about doing the right thing and they didn't want to break relationships they had with researchers / the community. They were prone to leave companies who were bad at handling those relationships ... leaving bad companies with fewer such people and accordingly things would fester.
The security industry is full of straight up charlatans and legit people. The legit people are super sensitive about being associated with charlatans and thus the charlatans are often left to their own devices after the legit folks run for cover (elsewhere).
For the record this is my perception from working with security minded folks, and not actually working in that industry myself.
But I'm inclined to think to start that groups in a company are incentivized to do what they think their job is... bring something to legal, they'll have a legal type answer. Bring something to the engineers, you'll get some code.
Need a customer to stop clicking a button? Engineering will code it to be disabled at times. Legal will demand a prompt with a legal agreement you have to check before the action takes place. HR might even come up with some training classes ;)
Chase is a global bank with ~200k employees. There's always issues, most of which are fairly minor/low-risk financially, but may have significant reputational or other impacts. In this scenario, you have counsel and risk management people looking at a scenario where a guy basically stole $5,000 from the bank, due to an error on the part of the bank. They don't give a flying leap about the error -- it's not their job to care, the event becomes the problem.
$5,000 from an FDIC institution is a very serious crime. My guess is that the internal discussion was filing a criminal complaint and exposing their dirty laundry in court, or cutting the losses and severing the relationship. But the guy in question here did something really dumb, was very lucky, and should stfu.
My guess is that the people he worked with were genuinely positive and grateful, but then his account got caught in a machine like this and they were powerless to stop it.
What did he do wrong? He already had permission from Chase:
> But because this was a bank I wanted to get their explicit permission before researching any further
> Once I had permission quickly made a proof of concept
So I would be surprised if they would be able to make the criminal charges stick.
Otherwise simple accounting errors would be criminal acts.
That's them asking for more information about a points glitch, not telling him to steal $5000 from them.
The article doesn't discuss if he returned this or not...
Your comment started out reasonable, wandered around, and then veered into outright malice.
As others pointed out, the OP had permission from the bank to carry out an investigation. From his telling, he did not, at any point, steal money.
The permission appeared to me to be about points. I can’t imagine a bank being ok with someone depositing $5000 into your checking account.
This will have some amount of Streisand effect. I doubt they've really fixed the race conditions. And, the story itself is interesting enough to take off.
From what I understand they can close your accounts for any reason.
Of course, in the US, it’s essentially impossible to get your case to be tried in a fair court.
The CFPB or the FDIC are far more likely to have jurisdiction here.
It's always a scary experience.
The funny thing is according to them I was the only contributor from 2016 to the end of 2017. So they must not get many reports.
Since then they did develop a disclosure program, but it would be great to hear from anyone else that reported things to them after the end of 2017.
Probably because there's no obvious way to submit one.
Whatever issue will immediately become a political football, and will end up being not only ineffective at the initial intention, but also include terrible side effects and dangerous footguns. Whether this is the result of a basically broken system of legislature, or of allowing the laws be drafted by the people they are supposed to protect against, or a combination of both, or something else entirely, I'm not qualified to say.
But I can say this: when I hear of some political ambition to make something better with a new law, I don't expect it to go well.
Better to remove barriers and things that silo and centralize power.
To counteract this a consumer group or union of those affected would be required, but that's a bit tough when they are usually the ones spending the money, not earning it.
If someone discovers a security vulnerability in a computer system, and they notify the operator or party responsible for maintenance of the system, then, starting 90 days after the notification was received, they may publicly disclose the vulnerability without fear of civil or legal repercussions.
If they use the vulnerability to exploit a system that is outside of their own administrative control (beyond developing a proof of concept), or transfer the information with intent to facilitate third party exploitation of the vulnerability, then the above protections do not apply.
I’m sure a lawyer worth their salt could turn that into an iron-clad law.
It wasn't the public disclosure Chase retaliated over here. The disclosure came after the retaliation.
Best we can hope for is that the EU or some other trigger-happy regulators do the same for security as they tried to do for privacy: mandate a dedicated security contact that legally has to respond to your disclosure. Then at least we'll have some form of direct contact and not have to resort to twitter for "secure" disclosure.
Years earlier I was at Chase Manhattan when they decided to hire for an IT security role. The guy they selected was a tradesman who specialized in brickwork. Computer Security For Dummies was also his go-to and it never left his hands. Most of our interaction with him was his trying to find “the NFS”. We told him several times that we didn’t use NFS but he was convinced we did and were hiding the NFS from him. He called all of us individually into meetings with him and our manager to try and get us to crack and admit where we had hidden the NFS but was unsuccessful - it was a conspiracy. He hired in a couple of consultants to find where the NFS was but they couldn’t find it either. When I left he was having the network engineers trace all of the cables to see if we had hidden the NFS in a closet or under the floor.
Long story short, I found a bunch of mdb files with personal information about people's ambulance rides. I reached out to EMS and they were very nice and took the drive back with them.
A few weeks later I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.
It eventually turned out OK, but the moral of the story is that I will never again do the right thing if I happen to discover a problem that makes a large entity look bad.
In 2008, in London, a commuter found top secret counterterrorism documents on the train. That person was smart enough to go to a BBC reporter.
I heard a similar story years ago about a high school student finding an SD card. It was full of illegal underage pictures so he turned it into the school admins, told the story, and ended up getting charged for it.
Did you actually have to do that?
Is it lawyers misunderstanding the value of security research?
If you have no idea how someone finds such things, your first read is that the researcher has created the problem by finding it when it could have just never been found by anyone instead. It's cliché, but portrayal of hackers in films always implies that they could get into anything, with reasoning in a similar vein to if I knew all about windows and used that knowledge to smash the window of someone's house, then claimed it was a flaw I could get in that'd be on me.
Then, there is the problem of communication. An external person discovering such a flaw is already going out of their way to do something for the maker of the software, and I find that those being communicated with often find this interaction grating.
I think the psychology is complicated but it's somewhere between alarm that such a flaw was found, fear that the finding of such a flaw is a reflection on you, or your engineering team that will harm you and that researcher, unpaid and not expecting anything isn't there to hold their hand and reassure / explain such things. As a researcher, I want to spend the minimum time on this.
The only thing I'll insist on is that it gets fixed in time, and if this draws out for months I eventually get in a position where I have to make threats of disclosure or nothing will get done.
It’s not unlike the logic that says “We left our front door unlocked and someone walked in. How dare they.”
If they want you to pen test their systems they will hire you. It's not your job.
Vote with your feet and walk to a local credit union which may embrace your help (talk to them before starting your pen tests).
Remember that Facebook reported the BBC to the police for telling them there was CP on their network? I think something similar happened.
Eventually the issue could've been forwarded to a lower level employee who spends 99.9% of their time reversing fraud caused by unrelenting fraudsters, and so they figured that must be what's going on here too. So they closed the account, closed any connected accounts, and sent a generic sternly worded email.
But equally likely is that Chase deliberately and short-sightedly thought, "this sort of shit just isn't something we want our customers to be doing; get rid of him."
Edit: This happened to me when I compromised a Windows Active Directory (got domain admin on all the domain controllers) and it has happened to my colleagues as well. The default corporate response is to threaten, marginalize or try to fire the security researcher.
Here's what I made up in my head:
Corporate managers and lawyers in particular have to constantly monitor for and defend against legal attacks, both legitimate and illegitimate. They have to stay on their toes about tricks and traps built into contracts and business deals and that sort of thing.
When a nerd comes to them to report a true fact about reality that will help them to know, we (the nerds) expect them to be grateful and cooperative.
But in fact they are trying to figure out what the angle is, or if not, what the angle could possibly be. One nerd's helpful security disclosure is a corporate lawyer's extortion attempt: "Nice corporation you got there. Too bad about this critical security vulnerability that may or may not constitute fiduciary negligence, but would definitely harm customer trust in your financial institution. Maybe we can help each other out, friendly like..."
So when someone comes at you like that, what do you do? If you're a hardass corporate lawyer you posse up, lock down, stonewall, shut off any practical ability for the person to have any further interaction with you, use all legal means at your disposal to get them to shut up about the issue now and forever. After all, this person just proved they have the ability and probably the willingness to discover vulnerabilities and extort you with them. Maybe. Why risk it?
That's the story I made up about it. I think it's a combination of incentives in the legal landscape and a huge culture clash.
I would've thought it would be more likely some middle manager who doesn't understand tech and just knows this person was ""abusing"" their system.
The account was brought back to normal well before the termination of all of our accounts.
I also expected them to have automatic triggers, but at the time they did not.
I would generally also suggest incompetence above malice, but the above fact makes that very hard.
I would expect a reasonable middle ground of letting employees say "I'm sorry, but it's corporate policy and I can't disclose more information."
Sort of like the Google account issue where employees can't internally appeal to stop account suspensions.
A credit union I previously had an account with required your passwords to be exactly six characters long. Then they added "two factor authentication" via SMS or phone call. Except now if you forgot your password then you just have to go to "forgot password" and get an SMS code sent to your phone to reset your password... So it was actually single factor authentication, you didn't need the password at all, just the phone.
They only just changed to complex passwords this year.
An attack on the US Banking system is a matter of when, not if.
If they write you off as a client for accounts/credit cards, why not also for the mortgage/loans?
Back when this originally happened they gave me 60 days for the credit cards, and 30 days for the checking/savings account.
Closing a credit card just disallows new purchases, you still need to pay the minimum payment every month until the balance is zero.
Bank account they just give the money back
A quick google search shows at least some of the mortgages have been sold by Chase.
That said, Chase may not sell mortgages like the one you got. I know non-conforming mortgages are sometimes held on the bank's books.
Interesting either way!
curl https://chadscira.com/post/5fa269d46142ac544e013d6e/DISCLOSURE-Unlimited-Chase-Ultimate-Rewards-Points | sed 's/%0A//g' | grep -o "<p>.*</p>" > 1.htm
This bank could have gotten into serious trouble with regulators if a bad actor exploited this bug and stole millions.
Don't expect them to adjust their behavior any time soon, but the "HN effect" might make them undo this action to avoid bad PR and make a few vague promises about "fixing the issue to avoid it happening in the future".
For example, a year ago I was in a pinch and ended up booking a flight on Delta via Twitter DM.
The problem with this is that the escalation chain and documentation to go along with it is unclear. The author could only hope that he was being connected with the right people. Likewise, I was just crossing my fingers that there was, indeed, a ticket waiting for me.
Banks lose talent because they view tech as cost centers.
They're buried in deep strata of horrible legacy tech, they have huge middle-manager bureaucracies and politics, ridiculous and ineffective security that slows IT processes to a crawl, and the whole thing bleeds money to maintain -- so in the end they are kind of tech-hostile and will do anything to keep programmer salaries down, avoid promotions, etc.
This is the type of thing to test in a QA environment, not in real life with your real money.
We found a major national bank's newly public merchant gateway allowed anyone who knew the IP address of an authorised merchant facility (such as an EFTPOS terminal) to spoof its IP address and submit requests to the gateway. It seemed they just relied on the supplied IP address in the XML payload to verify that a device was authorised to use the gateway.
A small proof of concept showed that it was exploitable, e.g. a small script proved a bank card would be processed successfully without needing to actually be on an authorised network or go through any kind of session handshake - we didn't try any of the other functions like requesting refunds or cancelling payments but figured the bank would like to know they had a big glaring hole in their security.
After finally getting through their merry-go-round of customer "support" to someone in their IT/Security team, the initial cordial emails stopped and we received a threatening letter from their legal department blathering about legal repercussions of cyber crime and fraud etc. They also contacted the client and threatened to shut down their accounts and merchant facilities for our transgressions.
Anyway, definitely makes me think twice about reporting any public-facing security issues directly to a company, I don't have the resources or willpower to fight a major corporation if they decide to swing that way, that's for sure.
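Added example (not code from the commenter, the bank, or the gateway described above): a toy in-memory gateway authorizer showing the weakness the comment describes next to a hardened form. The `terminal_ip` field, the terminal id `TERM-0001`, the shared secret and the request payloads are all constructed for the demonstration. The naive check reads the terminal's IP address out of the XML body and compares it with an allow-list, so any sender who knows an enrolled IP is accepted; the hardened check ignores payload fields entirely and binds identity to a per-terminal secret (here an HMAC-SHA256 over the exact bytes sent), which an unenrolled sender cannot produce and which also fails if the body is altered in transit.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed allow-list of "authorised" terminal addresses (TEST-NET-3 documentation range).
AUTHORISED_IPS = {"203.0.113.10"}

# Constructed per-terminal secrets, provisioned at enrolment and known only to gateway + terminal.
TERMINAL_SECRETS = {
    "TERM-0001": b"constructed-secret-for-terminal-0001",
}

# Constructed request from the genuine terminal.
GENUINE_REQUEST = (
    "<payment>"
    "<terminal_ip>203.0.113.10</terminal_ip>"
    "<card_token>tok_constructed_1</card_token>"
    "<amount>12.50</amount>"
    "</payment>"
)

# Constructed request from an unenrolled sender that simply copies the enrolled IP into the body.
FORGED_REQUEST = (
    "<payment>"
    "<terminal_ip>203.0.113.10</terminal_ip>"
    "<card_token>tok_constructed_2</card_token>"
    "<amount>999.00</amount>"
    "</payment>"
)


def naive_is_authorised(xml_payload: str) -> bool:
    """Weak check: trusts whatever IP address the client wrote into the XML payload."""
    root = ET.fromstring(xml_payload)
    claimed_ip = root.findtext("terminal_ip", default="")
    return claimed_ip in AUTHORISED_IPS


def sign_request(xml_payload: str, terminal_id: str) -> str:
    """Terminal side: tag over the exact payload bytes using the terminal's own secret."""
    secret = TERMINAL_SECRETS[terminal_id]
    return hmac.new(secret, xml_payload.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_is_authorised(xml_payload: str, terminal_id: str, signature: str) -> bool:
    """Identity comes from possession of the enrolled secret, never from a field in the body.

    The terminal_ip element is not consulted at all; an unknown terminal id or a tag that
    does not verify (wrong key, or body changed after signing) is rejected.
    """
    secret = TERMINAL_SECRETS.get(terminal_id)
    if secret is None:
        return False
    expected = hmac.new(secret, xml_payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


def compare_checks() -> dict:
    """Run both authorisers over the constructed traffic and return the outcomes."""
    genuine_sig = sign_request(GENUINE_REQUEST, "TERM-0001")
    # The forger has no secret, so the best it can do is a made-up tag.
    bogus_sig = "0" * 64
    # Body altered after signing (amount changed) with the original tag.
    tampered = GENUINE_REQUEST.replace("12.50", "1250.00")
    return {
        "naive_genuine": naive_is_authorised(GENUINE_REQUEST),
        "naive_forged": naive_is_authorised(FORGED_REQUEST),
        "hardened_genuine": hardened_is_authorised(GENUINE_REQUEST, "TERM-0001", genuine_sig),
        "hardened_forged": hardened_is_authorised(FORGED_REQUEST, "TERM-0001", bogus_sig),
        "hardened_tampered": hardened_is_authorised(tampered, "TERM-0001", genuine_sig),
        "hardened_unknown_terminal": hardened_is_authorised(GENUINE_REQUEST, "TERM-9999", genuine_sig),
    }


if __name__ == "__main__":
    for check, outcome in compare_checks().items():
        print(f"{check:28s} {outcome}")
```

Two caveats a gateway operator would add: a signature alone does not stop an attacker replaying a captured, validly signed request, so real deployments also include a nonce or timestamp under the tag (or rely on mutual TLS, which gives the same "identity from a key, not from the body" property at the transport layer); and `xml.etree` should be swapped for a hardened parser such as `defusedxml` when the XML comes from the network.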
Twenty years ago or so, I offered help to parties and every one of them accused me of causing the problem or otherwise being malicious. Let them find their own problems, I'll focus on my own.
A major US retailer used to have their entire OMS/back-office on an IP, it was that way for years despite multiple reports. And then they got ravaged when the first bad actor came along, easily preventable and they were warned.
The risk is not worth the merit.
I suppose somehow, legally, this became the best course of action for Chase bank - to cut the customer off immediately and give them zero information about it. But it really doesn't feel right and made me never want to do business with Chase again.
Your statement is misleading.
By "cashed out" he transferred $5000 into another account of his at Chase. It's not like he took the money out of an ATM and spent it on hookers and blow.
> While transferring balances between accounts on an unstable internet connection I saw that the system did a double transfer resulting in one card having a negative balance.
> This reminded me of issues I reported in the past with Starbucks US, and Starbucks TH. Both of those entities had major issues with race conditions.
How does this happen in 2016? It's as if software developers have somehow gotten collectively worse than they were 20 years ago.
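Added example (not code from the comment, from Chase, or from Starbucks): a toy in-memory ledger that reproduces the double transfer quoted above and then shows the two controls that prevent it. The account names, amounts and request ids are constructed. `NaiveLedger` does a separate balance check and debit with nothing serialising them, so two copies of one request (what a client retry on a flaky connection produces) can both pass the check before either debit lands and leave the source card negative. `SafeLedger` holds a lock across check-and-apply and records the outcome per request id, so a replayed request returns the stored result without moving money, and a second distinct request is rejected once the balance is gone.

```python
import threading


class NaiveLedger:
    """Check-then-act with no lock and no idempotency key: the shape behind a double transfer."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def check(self, src, amount):
        return self.balances[src] >= amount

    def apply(self, src, dst, amount):
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer(self, src, dst, amount):
        if self.check(src, amount):
            self.apply(src, dst, amount)
            return True
        return False


def simulate_naive_race():
    """Deterministically interleave two copies of the same request.

    Real races depend on thread scheduling; here the steps are ordered by hand so the
    result is reproducible: both checks run against the untouched balance, then both debits.
    """
    ledger = NaiveLedger({"card_a": 100, "card_b": 0})
    first_ok = ledger.check("card_a", 100)
    second_ok = ledger.check("card_a", 100)  # still sees 100; the first debit has not landed
    if first_ok:
        ledger.apply("card_a", "card_b", 100)
    if second_ok:
        ledger.apply("card_a", "card_b", 100)
    return ledger.balances  # {'card_a': -100, 'card_b': 200}


class SafeLedger:
    """One lock around check-and-apply, plus a per-request id so a retry is a no-op."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()
        self._results = {}  # request_id -> outcome of the first attempt

    def transfer(self, src, dst, amount, request_id):
        with self._lock:
            if request_id in self._results:
                # Replayed request: hand back the stored outcome, move nothing.
                return self._results[request_id]
            ok = self.balances[src] >= amount
            if ok:
                self.balances[src] -= amount
                self.balances[dst] += amount
            self._results[request_id] = ok
            return ok


def _run_concurrently(ledger, request_ids):
    """Fire one transfer per request id from its own thread and collect the outcomes."""
    results = []

    def worker(rid):
        results.append(ledger.transfer("card_a", "card_b", 100, request_id=rid))

    threads = [threading.Thread(target=worker, args=(rid,)) for rid in request_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def simulate_safe_retry():
    """Same request id twice (client retry): both calls report success, money moves once."""
    ledger = SafeLedger({"card_a": 100, "card_b": 0})
    results = _run_concurrently(ledger, ["req-7f3a", "req-7f3a"])
    return results, ledger.balances


def simulate_safe_distinct_requests():
    """Two different requests racing: exactly one wins, the other is refused, no negative balance."""
    ledger = SafeLedger({"card_a": 100, "card_b": 0})
    results = _run_concurrently(ledger, ["req-1", "req-2"])
    return sorted(results), ledger.balances


if __name__ == "__main__":
    print("naive race:      ", simulate_naive_race())
    print("safe, retried:   ", simulate_safe_retry())
    print("safe, two reqs:  ", simulate_safe_distinct_requests())
```

In a real system the `threading.Lock` is a database transaction that reads the source row under `SELECT ... FOR UPDATE` (or uses a conditional `UPDATE ... WHERE balance >= amount` and checks the affected-row count), and the request id is a client-supplied idempotency key stored in the same transaction as the debit, so the dedup record and the balance change commit or roll back together.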
Just because I keep my front door unlocked it doesn't mean you can walk in nor does it mean you can break the glass on my back one. Leave it alone. And thinking that some community rep on the frontlines of a Twitter account can give permission to run a security exercise is totally asinine.
They didn't in this case. Though, maybe you could argue that the engagement wasn't formal enough.
They found the initial hint of the bug from normal use, and requested permission before doing the actual pen test.
Regarding the analogy, this isn't some random house they wanted to test. It's an essential service they used and depended on. Perhaps your analogy can be improved by them being an apartment building resident interested in the security issues of the building as a whole, since it affects the security of their own apartment. Even then, it doesn't seem like a perfect analogy that accurately reflects the situation. In the analogy, you could argue that they should change buildings if they're concerned, but banking options seem way more limited in comparison.
It is? In what way? Afaik banks give themselves a lot of power to close your accounts for a lot of different reasons - "suspicious activity," "rewards abuse," etc.
Fair on the reward abuse though. But to close ALL accounts?
Okay, but so is every other service open to the public. It also has nothing to do with this situation
>it’s also (as written) potentially retaliation what happened to the family member
But in no way illegal (or retaliation) to close associated accounts when terminating a relationship with a customer. The GP was probably once a joint account holder with the family member, or had them as an authorized user on their credit card.
>Credit is a resource and having old accounts be deleted like that causes real damage to an individual.
Okay... So? That doesn't make it somehow "a protected right," legally speaking. From everything I've read financial institutions have gigantic leeway to close accounts for basically any reason. The personal experiences I've heard back this up.
>"Nobody has the right to a credit card, a bank account, a debit card or a merchant account," said Ulzheimer. "You have to earn it and the banks set the rules. If you are what they perceive to be too risky, they'll shut you down and you have no recourse."
>Fair on the reward abuse though. But to close ALL accounts?
When a financial institution chooses to end their relationship with you they generally end their relationship with you.
I can't find anything referencing it, but something similar happened with Zelle back in 2017, and then in 2015 also with its mobile app.
Feels kind of an American thing.