You had the best of intentions, and tried to do everything right. Unfortunately, in modern times that just paints a bigger target on your back.
This is why I got out of cybersecurity. Even when you are a good guy, the other folks look at you like it's only a matter of time before you steal the crown jewels while their back is turned. And if you are disclosing vulns you found when not actually hired to do so, forget about it - the best you can hope for is a thank you and a bounty that doesn't make it worth the time it took. The sky's the limit on the worst you can get.
The prospects of folks probing systems for the fun of it and disclosing how to secure them better to the owners in order to make the world a better place have become too grim. If you really want to do this, then I recommend you join a security company and do it as an employee to get that protection.
Every decade since 1989 I have marveled at how much closer our world has gotten to the world of Shadowrun. I just wish we had gotten the magic to go with the pall of shadows that hang over us now.
I agree with you. My view now when approaching all (and similar) situations in life - is "Can someone with mild to average intelligence interpret this negatively against me and act upon that perception?"
Because let's be honest, that is Occam's razor's most probabilistic outcome.
100%. Joe Bureaucrat doesn't give one whit about race conditions in his employer's business logic. He has no reason to. If he can creatively interpret the situation as himself catching a hacker (the hacker being the researcher submitting the report)? That's prime. He can brag about it to the end of his days and monetize it at promotion time.
I may have been - but it opened up a whole new thought process. Imagine bounded logic competing for resources and otherwise causing misappropriated logic. Profound.
So accurate. It's doom and gloom in that space, you either do it because you literally couldn't see yourself doing anything else - or for ego/cash. I'd argue there are much better ways to make cash in other engineering jobs; often skills in security overlap with SRE, admin and compliance roles.
It's the golden years for blackhats right now. And it has been for about 15 years, and I really don't see it changing at all any time soon.
100% correct. What I meant though was that the good security companies get their clients to sign a contract that precludes the security company, or its employees, from being sued as long as their penetration falls within the parameters specified by the client (the Rules of Engagement if you will). That is the protection I would want.
I'm getting out of ops for the simple reason that it's way more lucrative to be called in after the fact rather than try to stop incidents ahead of time (whether by probing and disclosing or trying to build out a blue team without being paid a contract to do so).
Due to fear of retaliation I decided initially not to share this story, but enough time has passed, and I feel the security community should know how one of the largest banks treats security researchers.
Since they effectively banned you from Chase service, what other retaliations were you worried about? Honest question.
You might want to consider fighting it, though. It seems that it was a decision done at a pretty low level, or even automatically. Chase, like most US big banks, is under constant scrutiny and hates bad PR. Write to their top HR, say you are submitting a formal request to <pick a four-letter financial oversight agency> and send a copy to your congressman. What do you have to lose?
> Since they effectively banned you from Chase service, what other retaliations were you worried about?
Since it's a financial institution and the accounts were closed by the bank, I wouldn't be surprised if this dinged his credit report in some serious way.
The last time I checked my credit reports, closed accounts had indications of whether the accounts were closed by me or by the issuer, and whether the accounts were closed on good terms.
Having Chase cut off five accounts involuntarily probably looks pretty bad to whatever "AI" is used to create the scores.
In the USA the three main banks are Chase, Wells, and Bank of America.
Wells is notoriously crooked. Bank of America was a primary player in structuring withdrawals to maximize overdraft fines on their customers.
Chase has its own problems, but it would add a lot of inconvenience to your life to eliminate it.
Those three big players have purchased the majority of other banks in the country, leaving a scattered few credit unions and smaller banks around, which will be extra inconvenient when you travel and they absolutely will not offer the same range of credit cards with good rewards programs.
Fidelity [1] and Schwab [2] are both options for checking (deposit accounts), reimbursing all ATM fees domestically (Fidelity) and even internationally (Schwab), with no fees or minimum balances. Amex has rewards on par with Chase [3]. Credit unions [4] are always preferable, of course, if you don't need ATMs frequently or branch services. Ally Bank or Discover Bank are also no fee options for checking and savings accounts if you need Zelle support (which should only be a thing for another 2-3 years as the Fed rolls out instant payment infrastructure). TransferWise is a low cost option if you need international funds transfer services (it plugs into Fidelity and Schwab accounts without issue).
You don't need to touch Wells, Chase, or BoA to have financial infra in the US, although you might be stuck with them if you have a mortgage, auto loan, or other lending they originated or service. My condolences in that case.
Fidelity reimburses international ATM fees as well. I've been a customer for 10+ years and have had my fees reimbursed in multiple Asian countries as well as Europe & Mexico.
Just went through the USAA signup flow. No military service or affiliation with someone with military service indicates ineligibility for both banking and insurance products (and bounces you out).
Routing # 121202211 (Schwab checking) resolves to Charles Schwab Bank in Henderson, NV. I was unable to find a connection to Chase plumbing. Have more context to provide? I could be wrong, just looking for an independent citation. If true, you still get Schwab customer service (luckily) instead of Chase.
We don't need to rely on profit-driven banks while credit unions exist. I'd really recommend that anyone and everyone switch to their local credit union to deprive these awful banks of their money.
It is slightly less convenient, but much better for the country.
I did this during the banking crisis, but I can't recommend it. The problem is most credit unions suck.
Examples:
* it's 2020 and my credit union doesn't have autopay for my credit card.
* someone stole my cards and made some unauthorized charges at an unattended parking lot -- they did it almost 40 times in a single day across 3 cards that I rotated between. Chase and Amex took a 5 minute phone call each. My credit union took more than ten hours of work to get my money back, including demanding that I go to a -- remember, unattended -- parking lot that was near a job I hadn't worked at in 6 months to try to get a refund.
The real answer is if you qualify for e.g. a Chase Sapphire Reserve, you get excellent service and an excellent product.
You are 100% correct that most credit unions have terrible credit cards. Unfortunately most of them also have terrible online banking. They also have terrible fraud detection.
The balance that I have found works well for me is that I keep liquid assets at credit unions and I will get a debit card from them, but try to avoid using it if at all possible. I also hold credit cards with the major banks (except Wells Fargo, which I refuse to bank with in any capacity). I make all purchases throughout the month on credit cards with the exception of things like mortgage, car payment, etc. Obviously also paying those cards off each month. There are numerous advantages to using credit cards over debit cards that I won't get into here.
I have a variety of credit cards that use Chase, BofA, AMEX, and Capital One. I also have at least one of each of the three major card brands (Visa, Mastercard, Amex).
Then of course I have a couple investment accounts I use for holding long term assets.
I find that this balance is the best that you can come up with. My liquid assets (money I make from work, for example) go into my primary credit union account. I try to hold mortgage and car loans through the same credit union and those get paid directly from the checking account. I try to avoid any other line items on that account other than payments to pay off credit cards. Then day-to-day expenses (food, Amazon, stuff from Target, etc.) get paid with credit cards. This way no one has direct access to my liquid assets if a card number gets compromised. I also don't have to deal with the bad online banking experience of the credit unions because I don't really use them for much other than a selected number of major payments each month. Instead my general purchases are on well known credit cards that have really good apps (like Chase, for example) and online experiences and reward programs.
This balance is great. You build a good relationship with a credit union and you keep your primary liquid assets with them instead of the major banks. Credit Unions are particularly good when you want things like Mortgages, construction loans, lines of credit, or car loans. So you can use credit unions for these things and maintain a good relationship with them. But where the credit union is weak, you leverage the strength of the major banks for good credit cards, good rewards programs, good fraud detection, good apps, and so forth. But at the end of the day they don't actually hold any of your money.
This. I've tried credit unions and big banks. I really wanted to like the credit unions, but their general level of operational competence is a small fraction of the big banks.
Everything takes much longer and major hassles are far more frequent. They have automated little to none of their operations. They are so small that their tiny staff has never had to deal with your particular issue before, and doesn't know what to do about it.
The big banks, on the other hand, deal with other versions of your problem dozens to hundreds of times a day, and have evolved a very high degree of efficiency in handling your case.
I've used credit unions since my first "BofA experience" in my 20s. School's First FCU, BECU, etc. They have all been great and I highly recommend them. If I charge something to a card outside of the state but have recently bought a plane ticket to that area, it's fine. If I don't buy a ticket and my card is charged in some out of state area, or 2 charges are made within a few hours across 100 miles in distance, instant lock on my card and a phone call.
This stuff is just wonderful. No monthly fees. Can use a debit anywhere Mastercard is valid, even overseas.
> The problem is most credit unions suck.
This has not been my experience. Chase is miserable, but if you need a business account, credit unions can't help you there.
I second this. In my limited experience (2 at universities) they are frequently run by very well meaning and very incompetent folks. Like really incompetent, from storing cleartext passwords to messing up simple payments. My 2c.
> leaving a scattered few credit unions and smaller banks around, which will be extra inconvenient when you travel and they absolutely will not offer the same range of credit cards with good rewards programs.
A lot of credit unions are members of the CO-OP program, which gives you access to more ATMs than any of the big banks (possibly more than all of them combined). At least for travel within the US, being part of that CO-OP credit union is much more convenient than BoA and their ilk.
I just checked: 50 BoA ATMs within 20 miles of me. Over 100 within the CO-OP network. This is in a decent sized metro area.
I just checked my small undergrad town: 3 in the city, and 2 in the adjacent city. BoA has only 1 - and only in the adjacent city.
In my experience, it's always been easier to find a Co-Op ATM than a BoA one.
Others complained about poor services, web sites, etc. I suppose that can be true, but it isn't for mine. In fact, I had to ditch one of the national banks because it couldn't provide simple features that my local credit union does - stuff like limiting which of my checking accounts is tied to my ATM card - without limiting it in their online site. So if I tied my ATM card to only one account, then when I logged in to the account's site, it would not let me transfer money between the accounts that are not on the ATM (although it would let me view transactions, etc).
I've also used my debit card in other countries. It worked just like any other card would (I did have to inform them in advance so it wouldn't trip up fraud detection).
> and they absolutely will not offer the same range of credit cards with good rewards programs.
You do not need to have a bank account with Chase and other companies to get good credit cards with rewards programs.
> leaving a scattered few credit unions and smaller banks around
Your comment would imply a huge gap between this top tier of 3 banks and the rest of FDIC banking; there are quite a large number of large banking institutions available which are not as small as you've positioned them. https://www.mx.com/moneysummit/biggest-banks-by-asset-size-u...
A bank I’ve never had a problem with is USAA (yes, they do banking as well). So if you qualify to have insurance with them, check out their banking. Never had an issue with them in half a decade. They also reimburse ATM fees up to a certain amount per month ($20?)
I use a local credit union, and have for 20+ years. What problems do people run into while traveling? I've been to a few other countries and never had problems.
The IRS themselves don't put out much information on the topic; without any other guidance from them, it's generally understood that financial compensation (points, miles, cash) you get from using your credit cards is not taxable because it is considered a rebate on purchases. It's considered like a discount on the purchases you made with the card, kind of like a coupon.
They're a way for the already financially well-off to pay less for everything. Why would the IRS crack down on just one example of this, when there are so many others?
You're probably thinking of employer-paid business travel, passing on "air miles" to an employer. It's 2020, my friend.
Thanks for sharing and sorry such a shitty action was the result.
More seriously, is it possible to get in writing that disclosure would not result in negative repercussions if there is no bounty program? Perhaps dealing with large banks in a security context requires a less forgiving mentality.
Did you have to return the $5k? At least maybe you gained that?
This sounds like the closure was due to Anti-Money Laundering. I suspect this sort of activity triggers the bank's AML procedures, and it's standard operating procedure (sometimes mandated by law) that you can't disclose if an account was closed due to AML breaches. Obviously I agree that you weren't money laundering, but that's what this closure sounds like.
Technically, if a SAR was filed, even the engineer he spoke to would not have known. Every training I've ever taken in that field basically says you don't tell anyone but your company's team that you filed such a report. Not a coworker, not even a Manager.
As I was reading your story and got to the part where they said they didn't have a bounty -- for some reason I anticipated that the next line would be them telling you that you could keep the $5,000.
I suspect they know they have a lot of vulnerabilities and they don't want to encourage people to poke around. I mean, their passwords aren't even case sensitive. This is also probably why they fired you as a customer, to discourage anyone else from even trying.
The core skill of bankers is trading money and risk. They lend you money based on one risk calculation. They put aside more money against default if your loan gets riskier. They set budgets for whole departments of people based on how much they help mitigate risk.
So yes, I absolutely expect them to be good at saying, "Well, if we pay $X this year for bugs, that's better than losing $Y directly and paying $Z in cleanup costs."
Uhh, I would expect them to do exactly that for someone who presented them valid proof and an MVP for how someone could get away with stealing tens, hundreds, thousands? of pizzas undetected. Rewarding someone for helping them with their "bread and butter" is how I would expect to be compensated for helping.
JPMorgan Chase is an international company with a massive portfolio of products, so there are quite a lot of regulators floating around. Even outside Chase Ultimate Rewards, I imagine someone, somewhere would be concerned with their vulnerability disclosure process/practices.
Don't involve law enforcement unless you absolutely have to. The first thing they'll do is investigate TF out of you and your friends/family and they absolutely cannot be trusted to "do the right thing" or especially not to protect you in any way. They are not your friend.
Because you want to be on record as having notified an attorney and law enforcement of the problem and your intention to experiment with the company's permission.
You want things on record in any way possible.
Just getting an emailed "okie dokie" back from some company executive and then doing something that could later be construed as illegal is a bad idea.
I understand what you're saying but strongly disagree with the strategy. Telling the police you intend to do something that could be illegal is a truly terrible idea. Are you hoping they will testify in your defense as a character witness? Law enforcement is tasked with making arrests not facilitating security disclosures.
Maybe let's just agree to get a good lawyer first and follow their advice about who to talk to.
Yeah, there is a pretty good chance that the police officer responds with a vague answer that implies everything is fine and then you unknowingly end up committing a crime by accident. The police aren't obligated to help you not break the law. They're only there to enforce it.
> Because you want to be on record as having notified an attorney and law enforcement of the problem
You're almost right. You have your attorney notify law enforcement. That's what he's for. He'll keep all the records and act as a buffer between you and any misunderstanding with the police.
At that point why bother? Why would I spend my time and money for something that is simply not my problem? To do the right thing? The bank doesn't consider it the right thing. It's not clear that the law does.
Superficially speaking, he defrauded a US bank of $70k ($5k of which he transferred to his bank account).
Yes, he disclosed exactly how he did it to the bank. Yes, he returned it all. Yes, he had no intent to keep it. And yes, he still defrauded them in the process. Yes, he had permission to do so. But permission doesn't always prevent situations from going awry, even if it can help clear things up after the fact.
If you walk into a physical bank and notice a potential security issue, point out the potential security issue to the teller, come back to exploit that potential security issue just to see if you can, succeed and make off with $70k, then bring it all back in and walk the bank manager through how you robbed his bank, he's still going to call the cops on you. Or maybe you spoke to him before and got permission, but his communication to corporate after the fact gets misconstrued/misunderstood and someone else calls the cops.
Closing all of the accounts like they did was a crap reaction, but he could have just as easily been hand delivered an arrest warrant by an FBI agent for bank robbery and fraud if someone internally decided to take the position that what he did was analogous to the above scenario. And it may have just as easily occurred due to some internal miscommunication/misunderstanding by a non-technical person or being flagged by some type of automation/reporting, rather than deliberately taking such a stance.
That's where involving a lawyer would have been valuable. It may not have protected him from the consequences that did occur, since they could close his accounts for whatever reason they wanted. But a lawyer would have provided greater assurance against substantially worse outcomes, by ensuring more drastic outcomes were identified and addressed/mitigated upfront. And potentially saved his accounts from getting closed - the decrease in his cumulative credit limit plus closure of such long-lived credit cards translates into real economic harm due to the likely impact on his credit score. I could see a lawyer being able to use that fact somehow to persuade Chase that it was not in their best interests to take such an action.
Law enforcement - I'd leave that up to the lawyer. As another user commented, your lawyer is explicitly employed to protect your interests. If involving law enforcement furthers that aim, they'll tell you. If involving law enforcement is detrimental to that aim, they'll tell you. So consult with several first, hire one second, and let them direct what happens after. If what they do/recommend ends up being incredibly stupid, you at least have their malpractice insurance to appropriately compensate you for their stupidity. But you have no such insurance to compensate you for your own.
> Once I had permission quickly made a proof of concept ...
So unless you want to accuse him of lying, there's no fraud here. And the fact that Chase didn't file a police report makes me convinced there was nothing remotely illegal about his actions.
He mentioned having permission, but not by whom nor any assurances that said permission was appropriately disseminated to all relevant parties internally or appropriate lines of communication established to someone with the authority to expeditiously intercede in the case of issues.
As I said, such a situation could have occurred due to a miscommunication/misunderstanding, rather than taking a deliberate stance to prosecute him. A team (or member on said team) or some automated system unaware of that permission could have flagged the fraud and involved the authorities. Communication silos are a fact of big businesses. Politics and power tripping executives are too, who may decide whoever gave such permission didn't have the authority and push ahead anyway for whatever reason. And inflexible legacy systems are too, which may trip some automated fraud detection system that automatically triggers a legal reaction.
The charges may have ultimately been dropped when everything got sorted out, or a judge could have dismissed the case based on the permission he was given (if the situation got to that point). But that's not for the law enforcement agent serving your warrant to decide, his job is just to bring you in. And in the event that happens, it's far better for your lawyer to already be prepared on how to address the situation than only getting them involved at that stage.
Whether or not Chase filed a police report has nothing to do with the legality of his actions. There are lots of reasons to file or not file: Publicity, hassle, likelihood of recovery, and on.
It seems like he took great pains to keep it legal, but the presence or absence of a police report means nothing.
As I mentioned in a sibling post, that's a legal defense in the event such a drastic reaction occurs. Not a foolproof preventative measure to ensure it doesn't.
Involving your lawyer isn't a foolproof preventative measure either. But your lawyer having an established line of communication with their lawyers can get things cleared up a whole helluva lot faster than if you get booked, have no lawyer, and are having to find and get one up to speed only after you're sitting in jail.
The entire experience with Chase while I was assisting them was very positive, and they even mentioned something about putting me on their upcoming researcher leaderboard.
Since chase is a very big organization I would have to assume that another department took over the situation after, and decided to terminate my accounts to avoid any risk.
I will never know for certain as they have been very close lipped about the whole event.
I have had an unrelated similar problem with Chase before, local interaction was all positive in sorting out a cross border issue, about a week later someone from a different office closed the account without notification, information or recourse.
Local branch manager was frustrated but couldn't get any more information. The timing really made my life difficult for a few months, completely unnecessarily.
That was the last time I banked with Chase. A few colleagues told me they proactively left after also, due to the way it was handled - who knows if that was true.
I'm happy your experience (excepting the account closure) was positive! :)
I've got several Chase accounts myself, and I'm glad to know they're not horribly hostile to such disclosures.
The original comment I replied to asked what difference it would have made in response to someone's "always involve a lawyer instead of trust these companies to do the right thing" post. Which is a generally good rule of thumb, as there's no guarantee someone else's experience would go as positively as yours did with Chase. So I wanted to point out a much more hostile outcome someone may feasibly experience in such a situation, to highlight the difference involving a lawyer could make.
I'm not a lawyer either (just enough lawyer friends to be terrified of the legal system), although as far as I'm aware you're correct. I'm not even sure if such actions meet the legal definition of fraud, nor if it'd be the most likely/appropriate charge brought in such a scenario.
But
1) Mens rea isn't an absolute defense. It doesn't refer to malicious intent, but more so specific intent[1], in this case, specifically performing a sequence of actions in order to discover/validate/confirm a vulnerability. You also don't have to know if what you're doing is a crime; if what you did fit the legal definition of fraud, and you performed that action fully cognizant of and in control of what you were doing, then it's still a crime irrespective of your awareness that it was a criminal act.
2) Mens rea is a legal argument. It may protect you from successful prosecution, but if you've hit this point, lawyers are already involved and you've more than likely already been arrested/charged.
3) The prosecutor could dismiss the case if they feel the likelihood of successful prosecution is minimal (such as when you produce the original permission you received) or the bank requests it. Or they could force a settlement if they think the case is shaky. Or they could be an ass and force the court/judge to decide. But you've still been arrested, your life has been disrupted, you've potentially sat in jail for some amount of time (at least until your bail hearing), and you've likely been economically harmed (via legal bills, cost of bail, potential impact to your state of employment, potential impairment to future earnings based purely on the arrest record even without prosecution, etc).
Which is why it's always good to involve or consult a lawyer before engaging with the company - the cost of doing so is effectively an insurance policy protecting you from ending up in a situation where you need to employ one for damage control. And you're likely to end up with a far larger bill if you end up having to pull a defense attorney in after the fact for damage control/crisis management than the bill you'd get for upfront risk mitigation.
If Chase had an official responsible disclosure policy at the time, I'd agree. But he mentioned his actions pre-dating Chase having any such thing. That is a far less solid footing, and one where talking to a lawyer can drastically improve your situational awareness.
Most lawyers will give you an initial consultation for free. Even if you don't hire one, just consulting with one can immensely improve your ability and confidence in navigating things solo.
I could definitely see that. Your $70k+ worth of travel estimate would have cost Chase $100k+, as airlines charge credit card companies about 2¢ for every point transferred[1].
He mentioned in this[1] comment that his overall experience during the whole thing was positive, so there wasn't really any specific problem, other than the annoyance over having his accounts unexpectedly terminated after it was all over.
But
- Shit happens. Even legitimately contracted pentesters can run into legal issues. These guys[2] worked for a firm hired by the state court system to pen-test the courts (from application testing to physical building security), were ultimately arrested due to a power play, railroaded by embarrassed local authorities, had their charges trumped up to the point of being considered a felony, were disavowed by the powers that hired them who went into "cover our ass" mode, and ultimately spent 5 months fighting the charges before the state legislature ultimately pressured the local authorities to drop them. And even with the charges dropped, the felony arrest record was not expunged and has lasting damage/implications both personally and professionally.
- In the above case, the client was not only the very same court/legal system overseeing their case, but also had an established, multi-year relationship with the security firm they worked for. Yet it still went that terribly wrong, took almost half a year to get legally resolved, and resulted in permanent felony arrest records. If things can go so terribly wrong for legitimately contracted professionals, how badly do you think it could go for a private citizen, with no official contract in place and only some form of written permission from the company that has not been vetted by a lawyer representing that individual's interests, and may not have even been vetted by that company's lawyers?
- He was dealing with a bank. Who are subject to a massive amount of legal and regulatory requirements for their customers that are specific for the banking industry, all of which tend to get interpreted/applied from a conservative standpoint due to the risks and penalties they're subject to for non-compliance.
- He was using his real, live accounts during the process. His actions could have easily triggered their fraud detection system to automatically generate and submit a SAR[3] (a report for "suspicious activity that might signal criminal activity"). Even if someone fully aware of the situation (and granted permission) intercepted such a SAR before it was submitted, it may be decided that such actions from a private individual not contracted by the company to perform such work fit the threshold of "might signal" and still ultimately get submitted. Triggering who-knows-what downstream repercussions/investigations after it's submitted to the government.
- Their responsible disclosure program[4] did not exist at the time, so there were no explicitly documented and legally vetted acceptable rules of engagement publicly available. It's possible that rules of engagement were part of his communications with them, but not mentioned in the article (nor again, vetted by a lawyer bound to represent his interests).
So while there was ultimately no problem in this instance beyond the inconvenience of his accounts getting closed, doing so without the aid/guidance of legal counsel involved assuming an unknown and potentially substantial large amount of personal risk/liability in the process. Which is why it would be highly advisable for someone in a similar situation to speak to or retain a lawyer.
Why did you report it in the first place? What did you expect to happen? Let's say they did not terminate your accounts but sent a thank you letter, would that be satisfactory?
I'm interested in why security researchers or bug hunters do this kind of work for free. It really devalues the proposition long term imo, but I don't have a horse in the race. My POV is megacorps with bottomless pockets and armies of highly paid engineers miss these critical security issues all the time, and the best reporters can hope for is chump change (if not abuse).
edit: Even more specifically I'm wondering why can't the security community work together, denounce the current practice of exchanging bugs potentially worth $$$ for ~nerd cred? Make some high profile disclosure if that is what it takes to take the work seriously. Wouldn't it work out better in the long run?
Not long ago I worked at a big name tech company and with someone who interacted with folks who reported security concerns.
Half the time the security team was scrambling to prevent various people from sending legal on a crusade to attack the latest researcher who responsibly told them about a security issue. It only got better after legal was educated enough to not just shoot from the hip with threats... but really they were just acting like a firewall for much of the management team who saw any such disclosure as some sort of attack.
And this was a tech company, everything they did was technology, located in the valley... they still didn't get it.
Even just getting these researchers token recognition (many asked for almost nothing) was an uphill battle.
One of the challenges was that the folks on the security team were really passionate about doing the right thing and they didn't want to break relationships they had with researchers / the community. They were prone to leave companies who were bad at handling those relationships ... leaving bad companies with fewer such people and accordingly things would fester.
The security industry is full of straight up charlatans and legit people. The legit people are super sensitive about being associated with charlatans and thus the charlatans are often left to their own devices after the legit folks run for cover (elsewhere).
For the record this is my perception from working with security minded folks, and not actually working in that industry myself.
I never had a good view of what their motivations were. Honestly I've found legal groups in companies to be generally pretty secretive.
But I'm inclined to think to start that groups in a company are incentivized to do what they think their job is... bring something to legal, they'll have a legal type answer. Bring something to the engineers, you'll get some code.
Need a customer to stop clicking a button? Engineering will code it to be disabled at times. Legal will demand a prompt with a legal agreement you have to check before the action takes place. HR might even come up with some training classes ;)
It’s an organizational/professional culture issue. Lawyers are trained to instinctively operate and communicate in a way that seems outrageous and like straight up bullying to reasonable non-lawyer colleagues, but seems to them perfectly reasonable and simply being competent at their job. I think this disconnect is a big part of why lawyers hold such a reviled place in polite society.
Sometimes folks have a thought process or philosophical approach towards risk management where having the ability to not know about a problem is more important than the problem itself. Other times, you become aware of the problem and need to decide how to deal with it.
Chase is a global bank with ~200k employees. There are always issues, most of which are fairly minor/low-risk financially, but may have significant reputational or other impacts. In this scenario, you have counsel and risk management people looking at a scenario where a guy basically stole $5,000 from the bank, due to an error on the part of the bank. They don't give a flying leap about the error -- it's not their job to care, the event becomes the problem.
$5,000 from an FDIC institution is a very serious crime. My guess is that the internal discussion was filing a criminal complaint and exposing their dirty laundry in court, or cutting the losses and severing the relationship. But the guy in question here did something really dumb, was very lucky, and should stfu.
My domain is much less rigorous than banking, and even here, account closures are beyond discussion. The humans in the loop are low-wage, low-autonomy workers bound by detailed SOPs that have been lawyered to death. Owners of closed accounts sometimes sue, and the program's determinism / consistency are valuable defenses. So even if the process does something obviously wrong in the eyes of the senior people looking at it, as long as the process is correctly applied, they are very hesitant to make exceptions.
My guess is that the people he worked with were genuinely positive and grateful, but then his account got caught in a machine like this and they were powerless to stop it.
> But the guy in question here did something really dumb, was very lucky, and should stfu.
What did he do wrong? He already had permission from Chase:
> But because this was a bank I wanted to get their explicit permission before researching any further
> Once I had permission quickly made a proof of concept
So I would be surprised if they would be able to make the criminal charges stick.
> The next test was to see if their system would actually allow the withdrawal of the points into cash. If this were to be possible the potential ramifications of this issue would be extremely severe. I attempted to deposit $5,000 USD directly into a checking account. This also worked, and was not flagged.
The article doesn't discuss if he returned this or not...
Wow. You did the best you could to let them know about the problem, returned the $5k, etc. And they chose to be arseholes and just close your accounts and pretend you don't exist.
This will have some amount of Streisand effect. I doubt they've really fixed the race conditions. And, the story itself is interesting enough to take off.
I proposed the SEC because they are well-known for vigorously protecting their witnesses. AFAIK, the CFPB is a joke. FDIC might be a good pointer though. Not so sure about jurisdiction, I'm not from the US.
We need to pass laws that forbid retaliation against disclosure, and require bounty programs. It might even make sense to have disclosure go through a public agency to arbitrate, and bond companies to that agency, much like we do with contractors.
They probably want to check PoC into their repository and banks take a very dim view on unprofessional language in the DB. I would only be slightly surprised had the terms included: "All code must be written while wearing professional attire"
You may be right, but I suspect the causality is reversed: maybe there's a widespread sense that good laws cannot be written because, empirically, the people who make laws do so in devastatingly dumb ways.
Whatever issue will immediately become a political football, and will end up being not only ineffective at the initial intention, but also include terrible side effects and dangerous footguns. Whether this is the result of a basically broken system of legislature, or of allowing the laws be drafted by the people they are supposed to protect against, or a combination of both, or something else entirely, I'm not qualified to say.
But I can say this: when I hear of some political ambition to make something better with a new law, I don't expect it to go well.
When I hear of some political ambition to make something better through inaction or through demolishing Chesterton's Fence, I don't expect it to go well.
It's also a product of the fact that writing good laws is really hard because the people writing them are outside the industry, different from the people enforcing them, and often different from the people it affects.
Better to remove barriers and things that silo and centralize power.
Which is why lobbying ostensibly exists: people in the industry know best.
To counteract this a consumer group or union of those affected would be required, but that's a bit tough when they are usually the ones spending the money, not earning it.
If someone discovers a security vulnerability in a computer system, and they notify the operator or party responsible for maintenance of the system, then, starting 90 days after the notification was received, they may publicly disclose the vulnerability without fear of civil or legal repercussions.
If they use the vulnerability to exploit a system that is outside of their own administrative control (beyond developing a proof of concept), or transfer the information with intent to facilitate third party exploitation of the vulnerability, then the above protections do not apply.
I’m sure a lawyer worth their salt could turn that into an iron-clad law.
Since the people in charge are basically the same rich morons as (or in the pocket of) the ones doing this to researchers, I wouldn't hold my breath.
Best we can hope for is that the EU or some other trigger-happy regulators do the same for security as they tried to do for privacy: mandate a dedicated security contact that legally has to respond to your disclosure. Then at least we'll have some form of direct contact and not have to resort to Twitter for "secure" disclosure.
Congratulations Chase. You've just increased the probability that the next security researcher who discovers a vulnerability says nothing to you, or worse sells the exploit on the black market.
I once applied for an IT Security job at Citibank - as I’m walking to the conference room for the interview I notice that every single desk had a beat-up dog-eared copy of “Computer Security For Dummies” on it. It didn’t do them much good, a year later I read they had lost $60 million because you could go into their web banking system, and once authenticated you could access any retail bank account by changing the account number in the URL.
Years earlier I was at Chase Manhattan when they decided to hire an IT security role. The guy they selected was a tradesman who specialized in brickwork. Computer Security For Dummies was also his go-to and it never left his hands. Most of our interaction with him was his trying to find "the NFS". We told him several times that we didn't use NFS but he was convinced we did and were hiding the NFS from him. He called all of us individually into meetings with him and our manager to try and get us to crack and admit where we had hidden the NFS but was unsuccessful - it was a conspiracy. He hired in a couple of consultants to find where the NFS was but they couldn't find it either. When I left he was having the network engineers trace all of the cables to see if we had hidden the NFS in a closet or under the floor.
I can't watch "The Office" because I've worked in corporate America and that show is just too real and hits too close to home. However, I would watch the shit out of "The Office Tech".
About 5 years ago I took my infant son for a morning stroll and found an SSD drive lying in the grass next to a busy street (Jamaicaway in JP). I picked it up and later looked to see what was on it because I wanted to know why someone would throw out a perfectly good SSD (they were still expensive back then).
Long story short, I found a bunch of mdb files with personal information about people's ambulance rides. I reached out to EMS and they were very nice and took the drive back with them.
A few weeks later I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.
It eventually turned out OK, but the moral of the story is that I will never again do the right thing if I happen to discover a problem that makes a large entity look bad.
Note that in the EU this would be a pretty bad violation of GDPR, so going to your local branch of government responsible for GDPR enforcement (e.g. the Information Commissioner's Office[1] in the UK) would be another good avenue.
Doing the right thing in these situations is like playing with fire. Lots of times nothing happens but you can easily get burned hard. Legal expense to defend yourself are no joke.
I heard a similar story years ago about a high school student finding an SD card. It was full of illegal underage pictures so he turned it into the school admins, told the story, and ended up getting charged for it.
Can someone please explain to me why companies make decisions like this? I have been on HN long enough to see many stories like this, but never once hear the suggestion of a rational line of human behavior.
Is it lawyers misunderstanding the value of security research?
In my experience, it's that people without experience with security researchers tend to think of security issues as having been fundamentally been created by the researchers themselves, rather than already existing in the system.
If you have no idea how someone finds such things, your first read is that the researcher has created the problem by finding it when it could have just never been found by anyone instead. It's cliché, but portrayal of hackers in films always implies that they could get into anything, with reasoning in a similar vein to if I knew all about windows and used that knowledge to smash the window of someone's house, then claimed it was a flaw I could get in that'd be on me.
Then, there is the problem of communication. An external person discovering such a flaw is already going out of their way to do something for the maker of the software, and I find that those being communicated with often find this interaction grating.
I think the psychology is complicated but it's somewhere between alarm that such a flaw was found, fear that the finding of such a flaw is a reflection on you, or your engineering team that will harm you and that researcher, unpaid and not expecting anything isn't there to hold their hand and reassure / explain such things. As a researcher, I want to spend the minimum time on this.
The only thing I'll insist on is that it gets fixed in time, and if this draws out for months I eventually get in a position where I have to make threats of disclosure or nothing will get done.
I think you got this exactly right. The reaction of an uneducated manager here was probably “Wow this guy hacked our system by doing things he wasn’t supposed to do. You’re not allowed to transfer between cards. He broke the rules.”
It’s not unlike the logic that says “We left our front door unlocked and someone walked in. How dare they.”
I can imagine that something like this happened:
1. Based on the disclosure, usage of multiple sessions was marked as possible fraudulent activity
2. When a new signal for fraudulent activity is added, accounts and transactions in the past are checked as well
3. OP's account comes up as fraudulent activity (of course it does, he's the one who found it)
4. Nobody at Chase takes the effort to see what exactly happened here and that this account (or at least the specific transaction) should be excluded from positive results
Remember that Facebook reported the BBC to the police for telling them there was CP on their network [0]? I think something similar happened.
I work on a fraud team for a big loyalty program, and unfortunately, I can definitely see something like this happening within my organization. I don't think it's even necessary that this person's account got swept up when looking for similar transactions. It's very easy for the nuances of complicated situations like these to get lost as they pass through the organization.
Eventually the issue could've been forwarded to a lower level employee who spends 99.9% of their time reversing fraud caused by unrelenting fraudsters, and so they figured that must be what's going on here too. So they closed the account, closed any connected accounts, and sent a generic sternly worded email.
But equally likely is that Chase deliberately and short-sightedly thought, "this sort of shit just isn't something we want our customers to be doing; get rid of him."
This appears to suggest otherwise: "about a week later they followed up with an email which legally I cannot disclose as they have been quite hostile with me."
Company managers become upset because this makes them look bad. Most corporate security depts spend a lot of money on salaries, devices, etc. And then some hacker kid comes along and embarrasses them. They retaliate and try to 'kill the messenger' to save their reputation (internally) and continue to 'play security' with big budgets and vendor conferences. Really, all they do is CYA. That's all that matters to them.
Edit: This happened to me when I compromised a Windows Active Directory (got domain admin on all the domain controllers) and it has happened to my colleagues as well. The default corporate response is to threaten, marginalize or try to fire the security researcher.
Corporate managers and lawyers in particular have to constantly monitor for and defend against legal attacks, both legitimate and illegitimate. They have to stay on their toes about tricks and traps built into contracts and business deals and that sort of thing.
When a nerd comes to them to report a true fact about reality that will help them to know, we (the nerds) expect them to be grateful and cooperative.
But in fact they are trying to figure out what the angle is, or if not, what the angle could possibly be. One nerd's helpful security disclosure is a corporate lawyer's extortion attempt: "Nice corporation you got there. Too bad about this critical security vulnerability that may or may not constitute fiduciary negligence, but would definitely harm customer trust in your financial institution. Maybe we can help each other out, friendly like..."
So when someone comes at you like that, what do you do? If you're a hardass corporate lawyer you posse up, lock down, stonewall, shut off any practical ability for the person to have any further interaction with you, use all legal means at your disposal to get them to shut up about the issue now and forever. After all, this person just proved they have the ability and probably the willingness to discover vulnerabilities and extort you with them. Maybe. Why risk it?
That's the story I made up about it. I think it's a combination of incentives in the legal landscape and a huge culture clash.
I have approached hundreds of people out of the blue on the street in large cities and the vast majority are not startled or scared. Most just greet you in return.
IT is a cost center to them and they want to build/maintain their software as cheaply as possible. Short term it's cheaper to sweep this under the rug than to actually build a culture where security and best practices are important. Long term it doesn't matter because the senior management will have moved on.
I think it could be that nobody wants to be the bearer of bad news which might reflect very poorly on themselves/their team, so they rather ignore the issue compared to asking budget from the higher ups to deal with the issue.
"Someone closed an account with a balance of -5M reward points" might automatically trigger this. Plenty of account closures happen without a human ever seeing it.
It would be a federal crime to mention the words "money laundering," let alone specific tells, to the owner of an account suspected of money laundering. Chase policy probably applies this gag rule to any account being closed by Chase rather than splitting hairs about AML vs. other reasons.
I understand the laws behind that, but personally still think there is a large gap between "we legally can't disclose the reason" and "we are telling every employee to just shut up and say nothing".
I would expect a reasonable middle ground of letting employees say "I'm sorry, but it's corporate policy and I can't disclose more information."
I think most likely is that the fraud team flagged the account and deactivated it, and there's no process internally to stop that so SVP guy couldn't do anything.
Sort of like the Google account issue where employees can't internally appeal to stop account suspensions.
Remember Chase is the bank where your passwords couldn't contain special characters and were limited to 12 characters up until 2017-2018 (I lost track, don't quote me). I wouldn't hold my money there if they paid me.
This is par for the course for financial institutions.
A credit union I previously had an account with required your passwords to be exactly six characters long. Then they added "two factor authentication" via SMS or phone call. Except now if you forgot your password then you just have to go to "forgot password" and get an SMS code sent to your phone to reset your password... So it was actually single factor authentication, you didn't need the password at all, just the phone.
That's nothing. One of the largest banks in North America (BMO), limited passwords to 6 characters. Worse, for compatibility with telephone banking the characters were mapped to digits. That means there were only 1,000,000 possible unique passwords! They have 12,000,000 customers!
They only just changed to complex passwords this year.
At one point, my main bank (Charles Schwab) limited passwords to 6-8 characters (inclusive). You could type more if you wanted, but it would get truncated down to 8 characters.
I don't think this behaviour is reserved only to banks. I once worked for a tech company which treated a security researcher who found a vulnerability with the same hostility. They had an "easter egg" in the code saying "F* you <name of the researcher>". Needless to say I left that place soon after this incident. It baffles me why companies won't reward these people for doing the testing for them instead of taking these disclosures as an act of war against them.
I'm guessing because they sell off the mortgages and loans they originate? So they are only acting as a processor and there are no other processors to send you to (or it would be a massive hassle to do it).
I'm pretty sure they do not. I'm currently working on a refi for my house and I considered Chase solely because I already have one account with them and it would simplify things if my mortgage was there too. I asked and was told that they do not sell their loans.
I would be absolutely shocked if Chase held all of their mortgages on their own books. They are one of the biggest originators in the US. They'd have trillions of mortgage debt on their books if they didn't offload it.
A quick Google search shows at least some of the mortgages have been sold by Chase.
I haven't actually gotten a mortgage with them yet, still shopping. So it's always possible they're just lying to me too. I think it might be more likely that they split along the lines of current customers. I.e., if you don't have other accounts with Chase they may sell the loan.
I honestly don’t know, but my limited understanding was that the banks sell off pretty much all their mortgages except for the one off that they can’t. Maybe Chase is different? Or maybe your type of mortgage is held on the books?
One would think that banks, who are the prime target for every person that "wants to hack", would be leading the way in terms of bug bounty programs and benefiting from smart people finding gaping holes in their systems.
This bank could have gotten into serious trouble with regulators if a bad actor exploited this bug and stole millions.
Don't expect them to adjust their behavior any time soon, but the "HN effect" might make them undo this action to avoid bad PR and make a few vague promises about "fixing the issue to avoid it happening in the future".
It is interesting that the only way to draw attention to this issue was via Twitter DM. For many big companies this seems to be the one place where you can hope to get a response.
For example, a year ago I was in a pinch and ended up booking a flight on Delta via Twitter DM.
The problem with this is that the escalation chain and documentation to go along with it is unclear. The author could only hope that he was being connected with the right people. Likewise, I was just crossing my fingers that there was, indeed, a ticket waiting for me.
This is why the so called responsible disclosure isn't a silver bullet. I believe, in cases when there is no bounty program and no substantial risk for the users' data or resources, one should go with full, anonymous disclosure.
This is very hard because the actual research required you to use real accounts, and you would need to contact them to correct your account after you proved it was indeed an issue.
Interesting that the bounty program is only mentioned in the text screenshot and not the article. While it’s unfortunate that this happened, randomly pen-testing a bank then presumably asking for money is not something I would advise.
It won't, but don't worry -- megabanks can't hire anybody good anymore now that FANG pays the big bucks. Yes, they've got deep pockets, but they are bean counters and notoriously cheap -- startups and tech cos are way, way better about everything from decent coffee to healthcare benefits.
They're buried in deep strata of horrible legacy tech, they have huge middle-manager bureaucracies and politics, ridiculous and ineffective security that slows IT processes to a crawl, and the whole thing bleeds money to maintain -- so in the end they are kind of tech-hostile and will do anything to keep programmer salaries down, avoid promotions, etc.
Banks are like the second employer of tech right behind web companies. They can be quite competitive, though usually more on the investment/market side than the retail side.
I was involved in a somewhat similar situation in the late 2000's when working on a team building an eCommerce website.
We found a major national bank's newly public merchant gateway allowed anyone who knew the IP address of an authorised merchant facility (such as an EFTPOS terminal) to spoof its IP address and submit requests to the gateway. It seemed they just relied on the supplied IP address in the XML payload to verify that a device was authorised to use the gateway.
A small proof of concept showed that it was exploitable, e.g. a small script proved a bank card would be processed successfully without needing to actually be on an authorised network or go through any kind of session handshake - we didn't try any of the other functions like requesting refunds or cancelling payments but figured the bank would like to know they had a big glaring hole in their security.
After finally getting through their merry-go-round of customer "support" to someone in their IT/Security team, the initial cordial emails stopped and we received a threatening letter from their legal department blathering about legal repercussions of cyber crime and fraud etc. They also contacted the client and threatened to shut down their accounts and merchant facilities for our transgressions.
Anyway, definitely makes me think twice about reporting any public-facing security issues directly to a company, I don't have the resources or willpower to fight a major corporation if they decide to swing that way, that's for sure.
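The gateway flaw described in this comment, a server that reads the caller's network address out of the XML body and treats it as proof of identity, is easy to reproduce and easy to compare against a correct design. The following is an added example, not code from the bank or from the commenter: the XML element names, the allow-list addresses (TEST-NET ranges) and the per-merchant shared key are all constructed for illustration. The vulnerable function trusts the payload; the fixed one ignores the payload's address entirely, takes the peer address from the transport layer, and requires an HMAC over the body with a key only the enrolled merchant holds, so a copied or altered request fails even from an allowed address.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed fixtures: one enrolled terminal address and one merchant key
# (in a real gateway both come from merchant enrolment, not from the request).
AUTHORISED_TERMINAL_IPS = {"203.0.113.10"}
MERCHANT_KEYS = {"merchant-42": b"constructed-shared-secret-for-demo"}


def authorize_by_payload_ip(body: bytes) -> bool:
    """VULNERABLE: the <merchant_ip> element is written by the client, so any
    caller can claim an authorised terminal's address and pass this check."""
    root = ET.fromstring(body)
    claimed_ip = root.findtext("merchant_ip", default="")
    return claimed_ip in AUTHORISED_TERMINAL_IPS


def authorize_by_transport_and_signature(body: bytes, peer_ip: str, signature_hex: str) -> bool:
    """FIXED: identity is established from things the caller cannot simply type
    into the payload: the address the connection actually came from, and an
    HMAC-SHA256 over the exact bytes of the body using the merchant's key."""
    if peer_ip not in AUTHORISED_TERMINAL_IPS:          # transport-layer address, not the XML
        return False
    root = ET.fromstring(body)
    merchant_id = root.findtext("merchant_id", default="")
    key = MERCHANT_KEYS.get(merchant_id)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)  # constant-time comparison


def sign_request(body: bytes, merchant_id: str) -> str:
    """What the enrolled terminal does before sending: sign the body with its key."""
    return hmac.new(MERCHANT_KEYS[merchant_id], body, hashlib.sha256).hexdigest()


def demo():
    """Returns the four outcomes a reviewer would want to see side by side."""
    legit = (b"<request><merchant_id>merchant-42</merchant_id>"
             b"<merchant_ip>203.0.113.10</merchant_ip><amount>12.00</amount></request>")
    # Same body, but the amount altered in transit (signature no longer matches).
    tampered = legit.replace(b"12.00", b"1200.00")
    good_sig = sign_request(legit, "merchant-42")

    return {
        # Vulnerable check: a request from anywhere that merely *claims* the terminal IP is accepted.
        "payload_ip_accepts_claimed_address": authorize_by_payload_ip(legit),
        # Fixed check, request arriving from a non-enrolled address with a copied signature: rejected.
        "fixed_rejects_wrong_peer": authorize_by_transport_and_signature(legit, "198.51.100.7", good_sig),
        # Fixed check, enrolled address but no valid key (bogus signature): rejected.
        "fixed_rejects_bad_signature": authorize_by_transport_and_signature(legit, "203.0.113.10", "00" * 32),
        # Fixed check, enrolled address and altered body: rejected.
        "fixed_rejects_tampered_body": authorize_by_transport_and_signature(tampered, "203.0.113.10", good_sig),
        # Fixed check, enrolled address, untouched body, correct key: accepted.
        "fixed_accepts_legit": authorize_by_transport_and_signature(legit, "203.0.113.10", good_sig),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The address allow-list is kept only as a coarse first filter; the HMAC is what actually authenticates the request, which is why the signature covers the raw bytes rather than parsed fields. In a production gateway the same property is normally obtained with mutual TLS and a per-merchant client certificate, but the principle is identical: nothing the client can freely write into the body may serve as its identity.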
And this is why I've never notified anyone about any security issues I find, better to laugh and move on.
Twenty years ago or so, I offered help to parties and every one of them accused me of causing the problem or otherwise being malicious. Let them find their own problems, I'll focus on my own.
A major US retailer used to have their entire OMS/back-office on an IP, it was that way for years despite multiple reports. And then they got ravaged when the first bad actor came along, easily preventable and they were warned.
My wife and I got banned by Chase, also. They don't tell you why, but I accidentally submitted two credit card applications (one for myself and one for my wife) with identical Northwest Airlines frequent flier miles numbers. I think this must have flagged something because one day I noticed all of my Chase cards and accounts stopped working and I got a letter in the mail a few days later. There was no phone number, only an address to mail a letter for further inquiries. I mailed a letter explaining that I thought they made a mistake. Someone called me back and told me it wasn't a mistake and they wouldn't give me any more information.
I suppose somehow, legally, this became the best course of action for Chase bank - to cut the customer off immediately and give them zero information about it. But it really doesn't feel right and made me never want to do business with Chase again.
We aren't seeing the whole set of messages here but from what is in the post the customer rep asked for confirmation that an account could be left with negative point balance so the researcher went ahead and created negative 5 million points and cashed out $5000. This doesn't seem responsible in the slightest.
the researcher went ahead and created negative 5 million points and cashed out $5000. This doesn't seem responsible in the slightest.
Your statement is misleading.
By "cashed out" he transferred $5000 into another account of his at Chase. It's not like he took the money out of an ATM and spent it on hookers and blow.
You're right, I worded it badly. By "cashed out" I only meant that they turned imaginary points into 'real' money, though both are probably treated as a liability by Chase.
> This happened on November 17th 2016, and I am just publicly disclosing it today.
> While transferring balances between accounts on an unstable internet connection I saw that the system did a double transfer resulting in one card having a negative balance.
> This reminded me of issues I reported in the past with Starbucks US, and Starbucks TH. Both of those entities had major issues with race conditions.
How does this happen in 2016? It's as if software developers have somehow gotten collectively worse than they were 20 years ago.
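The quoted passages describe the classic shape of this bug: a transfer request that checks the balance in one step and debits it in another, so a retried or concurrent request can pass the check against a stale balance and drive the card negative. The following is an added example, not code from the article or from Chase: a toy in-memory points ledger (constructed for illustration) with the racy transfer next to a corrected one. The corrected version does the check, debit and credit under a single lock, which is the in-process equivalent of a conditional `UPDATE ... WHERE balance >= amount`, and it records a per-request id so that a client retrying after a dropped connection gets the original answer instead of a second transfer.

```python
import threading


class PointsLedger:
    """Toy reward-points ledger (constructed for this example)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._write_lock = threading.Lock()  # makes one debit/credit pair atomic, like a single SQL UPDATE
        self._lock = threading.Lock()        # guards the whole check-and-transfer in the fixed version
        self._seen = {}                      # request_id -> result, so retries are idempotent

    def transfer_racy(self, src, dst, amount, sync=None):
        """VULNERABLE: the balance check and the debit are separate steps.

        Two requests can both read the old balance, both pass the check and both
        debit, leaving the source card negative (the double transfer quoted above).
        """
        available = self.balances[src]       # step 1: read (like SELECT balance ...)
        if sync is not None:
            sync.wait()                      # both requests have now read the same stale value
        if available < amount:               # step 2: check the stale copy
            return False
        with self._write_lock:               # step 3: the update itself is atomic ...
            self.balances[src] -= amount     # ... but the check above was not part of it
            self.balances[dst] += amount
        return True

    def transfer_atomic(self, src, dst, amount, request_id, sync=None):
        """FIXED: check, debit and credit are one indivisible unit, and a retried
        request_id returns the stored result instead of moving points again."""
        if sync is not None:
            sync.wait()                      # line the requests up so they really contend
        with self._lock:
            if request_id in self._seen:     # duplicate submission (e.g. client retry)
                return self._seen[request_id]
            if self.balances[src] < amount:  # same effect as UPDATE ... WHERE balance >= ?
                self._seen[request_id] = False
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            self._seen[request_id] = True
            return True


def run_concurrently(fn, args_per_request):
    """Issue one call of fn per argument set on its own thread; results in submission order."""
    sync = threading.Barrier(len(args_per_request))
    results = [None] * len(args_per_request)

    def worker(i, kwargs):
        results[i] = fn(sync=sync, **kwargs)

    threads = [threading.Thread(target=worker, args=(i, kw)) for i, kw in enumerate(args_per_request)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy():
    """Two simultaneous full-balance transfers against the vulnerable path."""
    ledger = PointsLedger({"card_a": 5_000_000, "card_b": 0})
    req = dict(src="card_a", dst="card_b", amount=5_000_000)
    results = run_concurrently(ledger.transfer_racy, [req, req])
    return results, ledger.balances          # both succeed; card_a ends at -5,000,000


def demo_fixed():
    """Same two transfers against the corrected path, then a retry of the first one."""
    ledger = PointsLedger({"card_a": 5_000_000, "card_b": 0})
    concurrent = run_concurrently(
        ledger.transfer_atomic,
        [dict(src="card_a", dst="card_b", amount=5_000_000, request_id="r1"),
         dict(src="card_a", dst="card_b", amount=5_000_000, request_id="r2")])
    # The client never saw r1's response (dropped connection) and sends it again.
    retried = ledger.transfer_atomic("card_a", "card_b", 5_000_000, request_id="r1")
    return concurrent, retried, ledger.balances   # exactly one success; card_a ends at 0


if __name__ == "__main__":
    print("racy :", demo_racy())
    print("fixed:", demo_fixed())
```

Which of `r1` and `r2` wins in the fixed path depends on thread scheduling, but the invariant does not: one succeeds, one is refused, the retry of `r1` reports whatever `r1` originally got, and the source card never goes below zero. In a real system the lock is the database's row lock or a conditional update checked via its affected-row count, and the idempotency key is stored alongside the transaction.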
Why do security researchers keep being nice to these companies when said companies mistake good intentions with malicious ones and treat the security researchers like shit?
Why do security people feel compelled to pen test sites without a contract or formal engagement? Such a super simple lesson to be learned. If you are not approached, leave it alone. If you offer your services and they aren't accepted, leave it alone.
Just because I keep my front door unlocked it doesn't mean you can walk in nor does it mean you can break the glass on my back one. Leave it alone. And thinking that some community rep on the frontlines of a Twitter account can give permission to run a security exercise is totally asinine.
> Why do security people feel compelled to pen test sites without a contract or formal engagement?
They didn't in this case. Though, maybe you could argue that the engagement wasn't formal enough.
They found the initial hint of the bug from normal use, and requested permission before doing the actual pen test.
Regarding the analogy, this isn't some random house they wanted to test. It's an essential service they used and depended on. Perhaps your analogy can be improved by them being an apartment building resident interested in the security issues of the building as a whole, since it affects the security of their own apartment. Even then, it doesn't seem like a perfect analogy that accurately reflects the situation. In the analogy, you could argue that they should change buildings if they're concerned, but banking options seem way more limited in comparison.
Is this legal? The Chase team should follow up, because it seems like a termination-eligible offense on their end. Especially as the individuals are clearly identified. Access to credit and banking is a protected right in America. If Dave and friend want to circumvent the rules they should be eligible to lose their jobs as well.
>Access to credit and banking is a protected right in America
It is? In what way? Afaik banks give themselves a lot of power to close your accounts for a lot of different reasons - "suspicious activity," "rewards abuse," etc.
It's regulated on race / etc, it's also (as written) potentially retaliation for what happened to the family member. Credit is a resource and having old accounts be deleted like that causes real damage to an individual.
Fair on the reward abuse though. But to close ALL accounts?
Okay, but so is every other service open to the public. It also has nothing to do with this situation.
>it’s also (as written) potentially retaliation what happened to the family member
But in no way illegal (or retaliation) to close associated accounts when terminating a relationship with a customer. The GP was probably once a joint account holder with the family member, or had them as an authorized user on their credit card.
>Credit is a resources and having old accounts be deleted like that causes real damage to an individual.
Okay... So? That doesn't make it somehow "a protected right," legally speaking. From everything I've read, financial institutions have gigantic leeway to close accounts for basically any reason. The personal experiences I've heard back this up.
>"Nobody has the right to a credit card, a bank account, a debit card or a merchant account," said Ulzheimer. "You have to earn it and the banks set the rules. If you are what they perceive to be too risky, they'll shut you down and you have no recourse."
>Fair on the reward abuse though. But to close ALL accounts?
When a financial institution chooses to end their relationship with you, they generally end their relationship with you.
Chase Bank has previously closed without notice the checking accounts of felons, and right-wing political activists. Despite no abuse happening on the accounts.
Would this kind of attitude by an organisation incentivise malicious/nefarious activities? Is it because if actual funds are stolen they'd be covered by insurance and could leverage law enforcement, but open security research may just cause extra internal costs?
I wonder if legal obligations surrounding responsible disclosure and treatment of security researchers should be brought in. GDPR-sized fines for treatment like this, as well as negligence in fixing reported vulnerabilities, could go a long way to improving the lives of security researchers wrt security of their livelihood, and improve the security of the digital world for all of us.