Ask HN: Found a way to fraud my bank thru a loophole, how to disclose properly?
Hey guys,
First, excuse the messy title - I was limited to 80 characters.
I recently found a way to create money out of thin air through a loophole in my bank's current banking portal. I tried reporting it a few times, but every time I am stonewalled by a low-level employee telling me they will call me back later in the day, which never ends up happening. The furthest I've come is to call their abuse department, found on their ARIN records, who seemed to take it seriously, but I ended up going full circle - back to the low-level guys.
I discovered it inadvertently and, technically, defrauded them of ~0.32 US$ using legitimate transactions that the bank's software should have handled differently. Pennies, but still.
I also confirmed the issue with other accounts and other transactions - my account is not a glitch in the system.
What is the best course of action? How would you get in touch with security officials at a big bank?
I mostly don't want to get caught or charged with (attempted?) fraud over $0.32.
I have also spent quite a few hours trying to disclose it, unsuccessfully. What would be the best way to get some of this time spent trying to do things right compensated?
Thanks!

Stop. You're risking your freedom to save a corporation. If you press ahead you will be dealing with people who lack knowledge and are scared of what you did affecting their career. They will rake you over the coals. And you will have gained what? The minute pleasure of helping them save a few bucks? You have a desire to help people. That's great and noble and commendable. But that's not what you would be doing here. My advice: drop it. It's not worth it. If there was no risk to life or liberty from what you found, then yes, chase the disclosure. But there isn't. Drop it and forget it ever happened. Your life is worth it.

I can't agree more with Brador, you're really risking your freedom, and if they don't have a bug bounty you might end up in court / being sued. Here is a Google Translate of a French article that you might find interesting: https://translate.google.com/translate?sl=fr&tl=en&js=y&prev...

Thanks for the link.

Yeah, makes sense. I'll probably just forget about it (but switch banks beforehand!)

Please see my other comment and contact me; this is my job and I can get you in touch with the right folks without any kind of risk or BS.

I use LinkedIn when I have to penetrate a bureaucracy such as this. Nothing gets action faster than when a VP or higher gets a personal email / phone call regarding something like this.

Step 1: Troll LinkedIn to find these people in positions of real power.
Step 2: If they are easy to reach via email or on the platform, try that. Failing that, call their HQ and work the phones until you get to them.
Step 3: Win.

I did this recently when I noticed a way into a company customer database that had name/address/phone/purchases. Initially I contacted 3 different employees whose email addresses I had, and nothing happened. Some months later, when I saw nothing had changed, I contacted the CEO on LinkedIn. Surprisingly he wrote to me saying thanks and that this was really bad, rather than the expected no response or legal nothing-to-say response.

He also said someone would be in contact to thank me, and then some days later I got a call from the CIO who asked 'what do you think I should do to fix it'... very strange call. Most importantly, I made sure the email sent to the company clearly stated I had accidentally found this error in their systems, only told them, and worded it in a way that if by some small chance they went legal on me I would post the correspondence on social media (they are several very large brands) and get the relevant attention that would likely make them back off.

I also found one that I feel is, while less relevant, a breach of data trust with Google, but they believe this is a 'feature'. I posted about this one here: https://news.ycombinator.com/item?id=10591980 Personally I find it strange Google would confirm an email address exists and share my first/last name with anyone.

I think you mean "trawl," not "troll." :-)

...or do I ;-) ?

Actually a pretty good idea!
Thanks!

Document your attempts to alert the bank. You should have proof that you contacted them about it. Don't use the loophole, obviously. Definitely switch banks.

Yep, good idea. I'm documenting everything I can think of. Tried the loophole three times - once inadvertently, a second time to try a different approach, and a third time on a different account. Told the low-level techs all about that; they didn't seem too concerned about le ~0.32$ I created, but I'm still being careful. I'm documenting everyone I talk to as well - there is never any case file # though. Are there any other things you think I should document? As for switching banks - definitely will.

This is realllllly bad. If it's possible for regular transactions to look like fraud due to this loophole, you should make sure all your legit transactions have a paper trail (receipts or whatever).

Good idea, thanks!

Just drop it. It only hurts the bank and you did your best to warn them. At this point the only reason to pursue it is to get recognition/reward or attention for being clever.

I am a developer who works with one of the largest US banks and I would love to speak with you about what you have found and pass it along to the head of security in my office. Unfortunately, like others have pointed out, you will more than likely encounter low-level employees who dismiss you OR, and this is the dangerous part, you may bruise the ego of someone in a position who can and should listen to you, possibly resulting in adverse actions being taken against you. Do you have an email address I could contact you at? I could conference you in to my department and see the exploit you found (MOST banks share the same backend software for their online services, so this is alarming).

Call the bank's regional HQs. Ask to speak with the manager of security. Report the instance. Ask for his/her name and number. Tell the individual you plan to go public with the information in 48 hours if there's no resolution.

The individual will feel a career risk and act accordingly.

Bold. Love it!

Try to find developers that work at the bank via LinkedIn or something. Ask if they have a bug bounty program, and disclose things appropriately. You won't ever get to the right person calling in on the customer support or abuse numbers. You need to go around.

EDIT: Also, how long does that money stick around in your account? I wonder if there is some kind of reconciliation process that goes through and squares everything up. The web software is probably just a replica of the actual ACH data, so maybe those processes would correct things and it's not as big of a deal as it seems to be?

STOP, you've already done this on multiple accounts; that is asking for trouble. I wouldn't risk interacting with them further if they aren't interested in listening. Document that you tried to contact them and report it so they can fix it. But you're in the gray area where they could attack you, feeling you were attacking their system. Forget it and move on. Otherwise you're going to be tempted to:
https://www.youtube.com/watch?v=GyB6ffmXsZo
(Office Space Virus Scene)
And we all know how that ends.

Document the vulnerability.
Document your attempts to contact the bank.
Contact your local[1] newspaper. Particularly one that is big on investigative journalism and technology. A good hint is if they covered the recent SWIFT bank heists.

[1] Local is relative. If it is a big national bank, go national. The idea is for them to do an article, not necessarily exposing the vulnerability, but about how processes (or lack thereof) in the big banks allow security holes to go unfixed.

I have to ask the folks here. Given that the OP used an ID that seems easily traceable and he/she publicly admits to defrauding the bank (I know, just .32 USD, but still, people are going to prison these days for so many silly things): should OP retain legal counsel and have the lawyer make contact with a VP? Or does lawyering up make OP look guilty from the start?

Well, there are audio recordings of bank staff asking to demonstrate the flaw, and there are also recordings of the same staff telling me that going public is within my rights, but they don't seem to understand the underlying issue. Not sure about lawyering up; maybe it's something that I should do (should have done?).

Find a good lawyer. Reach out to them and let them know what's going on and that you may require their services in the future. Just establish the relationship now so that you don't have to do that legwork on a 2-minute phone call. IANAL, but I thought I would mention it anyway.

Do you have these recordings for safekeeping?

Some places, yes. But you're right, definitely. Better safe than sorry!

One more idea. I once witnessed another company being shown a competing company's unreleased product while testing my own product in a testing facility. I sent them an unmarked envelope with a letter describing what I saw and the names of the people involved (as they were wearing name tags). This is stone-age now, but perhaps it might help.

You've tried to disclose and they made it impossible. Time to post it on Twitter and cc @troyhunt.

Hah!
Yeah, that's definitely something I'll try if my latest inquiries don't go through! :)

Thanks!

Good luck! I respect that you're making the effort to do the right thing, even though I don't think the bank deserves it. It's amazing that any large firm whose business heavily relies on security doesn't have some kind of report-a-bug or bounty system easily findable. This should be as standard as a 404 page.

> What would be the best way to get some of this time spent trying to do things right compensated?

That depends on how quickly you can get the money out of the bank, and get yourself out of the country!

The bank isn't going to pay you money. You gain nothing from reporting this, and risk getting fucked over for mere pennies. Just forget about it and move on with your life.

You could contact a legitimate security firm that buys vulnerabilities to get the credit (and knows how to report responsibly). You want one that immediately discloses and does not resell.

> What would be the best way to get some of this time spent trying to do things right compensated?

Creating more money out of thin air seems like the appropriate compensation. /s

Is this a big bank? If so I would let it slide. If you really understand how big banks stole from the US taxpayer in 2008, you might want to steal more.

Don't call from your landline. Don't call from your cell phone. Find a public phone, away from cameras.

Apply for a job with the bank.

In 2016 I've found that this strategy — "hey, I found a really bad security thing, and a pattern of really bad security things" or "hey, I did something 100x better than what you're doing and people know it, here's my stuff, let's join forces" — doesn't work like it used to. In fact, any advice often falls on deaf ears and feels like pandering. I'm looking at you (however among many others), YC's favorite payment processor. There are a few reasons for this.

1. What constitutes a valid security report and what constitutes evidence of overall competency are not the same thing.
Many bug bounty reports and vulnerability disclosures, even if they are valid, are not strong evidence of a potential candidate really being able to perform well as a stable, full-time security engineer. In the consulting industry this is especially problematic, where folks will try to jump into top firms like NCC based on a résumé of bug bounties disclosed to 20 or more well-known companies. They can find CSRF immediately by checking if there are CSRF tokens in the headers or request body and report instances like a numbers game. That says absolutely nothing about their ability to make a qualified recommendation about a proper character sanitization mechanism to an engineering team, or about their ability to perform consistently over a long period of time (instead of jumping from bug bounty to bug bounty every few days or weeks).

To give an example, Facebook and Google routinely reward bug bounty participants who find real security issues by popping open Burp Suite and happening upon random errors - maybe a developer left a debug parameter in, maybe there is no restriction on adding phone numbers belonging to other accounts, etc. (both of these are actual disclosures that happened and allowed arbitrary account takeover). While reports like these are eligible for a reward, it's really not impressive enough in isolation because there isn't any evidence the submitter would perform consistently at the deeply technical level needed for the security team. Finding an exposed Jenkins server using nmap does not a security engineer make (another real example).

In contrast, security researchers who display a consistent history of valid bug bounty reports across a variety of vulnerability classes demonstrate a greater level of overall rigor and competence, especially if those vulnerabilities are more complex to exploit. Comprehensive reports like Stephen Sclafani's legacy API-based account takeover or Reginaldo Silva's OAuth callback remote code execution are much more likely to earn the recruiting attention of companies like this (and Silva now works on the Product Security team at Facebook).

2. This might come across as counter-intuitive, but it's often not all that helpful to send a company "suggestions" about how to improve security issues you've found. Unless you've found something actually high severity, they may not care about it all that much. At that point, you come across as someone who cares very much about something that is a marginal risk for them, or even a "Won't Fix." Sending a company an email about e.g. permissive CORS headers is going to be met with a "Thanks!" and not much else in the best-case scenario, because while it's a valid observation, it's not something that will cause a Business Continuity Risk alert for them. Furthermore, it's really not impressive enough a find to impress them (this goes back to #1). Information security is ideally a collaborative process integrated into the SDLC; unless they have specifically welcomed suggestions (such as through an outside consultant), you are coming across as someone who is technically right, but utterly tone-deaf to that process. Good teams don't have suggestions put forward unsolicited from the void. As someone who has at best a limited understanding of the company's internal risk assessments, business goals, development resources and technical infrastructure, you're almost certainly not going to be helpful by doing this.

3. Pontificating. Almost all emails I have ever seen like this follow a similar format - a security researcher of unknown ability submits a report (the potential validity of which is inversely proportional to how famous the receiving company is) and identifies a security flaw. If it is a valid one, they then decide to launch into mitigation strategies as though the report is an audition. This is often perceived as somewhat disrespectful of the receiving party's time, because suggestions are generally not needed. As an example, almost all reports like these are identifying low-hanging fruit and/or well-known security issues. The engineering team almost certainly recognizes the issue and probably has a good understanding of it if it is in the OWASP Top Ten or any sort of mainstream consciousness. To identify a valid cross-site scripting error and then pontificate about character sanitization and escaping strategies is unnecessary. Barring a huge organization that makes no effort to educate developers in security matters (in which case, why are you hoping to get recruiting attention by doing this anyway?), you'll come across as someone reading from a textbook that everyone else has also read from.

4. The communication is inherently adversarial. Submitting a security report as an unaffiliated non-employee will be met with default:distrust reactions. You can resolve this by not making any of the aforementioned mistakes, but it's frankly not a good time to suggest working together. A better method would be to identify the vulnerability, have steady back-and-forth communication if the receiving party appears receptive, and then mention this successful interaction in a formal application or interview.

I'm not trying to take a side here, just pointing out how it is invariably perceived (consciously or otherwise) by the vast majority of companies.

Well, I don't really want to work there. And I wouldn't be able to disclose the info simply by applying, I'm sure. The real question is - how can I get the higher-ups' attention? Or would I be better off going public with it, given the private disclosure didn't work out?

When I worked at a big company, one thing that always got everyone's attention was when the CEO received written letters from his customers. It's a very slow way of going about airing grievances, but it might work the same way. The CEO was notified and every letter was responded to.

Similar to the LinkedIn[1] idea - I like it! Nice, clever and convenient :)
Thanks!

Also, stop doing anything that involves creating money from thin air. In today's world, that could get you sent to prison.

Hah! Yeah. The last time I did it was on the phone after a low-level tech from the bank asked me to do it. I have her name and employee number, in case anything happens.

But yes, definitely.

"defraud" is the verb form. To defraud is to illegally obtain money from (someone) by deception. "fraud" is the noun form: 1) wrongful or criminal deception intended to result in financial or personal gain, or 2) a person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities. The English language is changing. Modern usage has promoted some nouns to verbs in informal use, but for many of us the change is a bit like scratching your fingernails on a blackboard. In a situation like this, where credibility is important, careful attention to usage and spelling is critical.