You might want to consider fighting it, though. It seems that it was a decision done at a pretty low level, or even automatically. Chase, like most US big banks, are under constant scrutiny and hate bad PR. Write to their top HR, say you are submitting a formal request to <pick a four-letter financial oversight agency> and send a copy to your congressman. What do you have to lose?
Since it's a financial institution and the accounts were closed by the bank, I wouldn't be surprised if this dinged his credit report in some serious way.
More seriously, is it possible to get in writing that disclosure would not result in negative repercussions if there is no bounty program? Perhaps dealing with large banks in a security context requires a less forgiving mentality.
Did you have to return the $5k? At least maybe you gained that?
The only compensation I received with this whole situation was the termination of my accounts, and a family member's account being terminated as well.
It's very hard to know the reasoning behind the termination as they never gave me any information.
Lawyers are paid to keep your best interests in mind.
Cops will investigate the shit out of you and will do nothing to help, at all.
I'm interested in why security researchers or bug hunters do this kind of work for free. It really devalues the proposition long term imo, but I don't have a horse in the race. My POV is megacorps with bottomless pockets and armies of highly paid engineers miss these critical security issues all the time, and the best reporters can hope for is chump change (if not abuse).
edit: Even more specifically I'm wondering why can't the security community work together, denounce the current practice of exchanging bugs potentially worth $$$ for ~nerd cred? Make some high profile disclosure if that is what it takes to take the work seriously. Wouldn't it work out better in the long run?
Is it lawyers misunderstanding the value of security research?
If you have no idea how someone finds such things, your first read is that the researcher has created the problem by finding it when it could have just never been found by anyone instead. It's cliché, but portrayal of hackers in films always implies that they could get into anything, with reasoning in a similar vein to if I knew all about windows and used that knowledge to smash the window of someone's house, then claimed it was a flaw I could get in that'd be on me.
Then, there is the problem of communication. An external person discovering such a flaw is already going out of their way to do something for the maker of the software, and I find that those being communicated with often find this interaction grating.
I think the psychology is complicated but it's somewhere between alarm that such a flaw was found, fear that the finding of such a flaw is a reflection on you, or your engineering team that will harm you and that researcher, unpaid and not expecting anything isn't there to hold their hand and reassure / explain such things. As a researcher, I want to spend the minimum time on this.
The only thing I'll insist on is that it gets fixed in time, and if this draws out for months I eventually get in a position where I have to make threats of disclosure or nothing will get done.
It’s not unlike the logic that says “We left our front door unlocked and someone walked in. How dare they.”
If they want you to pen test their systems they will hire you. It's not your job.
Vote with your feet and walk to a local credit union which may embrace your help (talk to them before starting your pen tests).
Remember that Facebook reported the BBC to the police for telling them there was CP on their network [0]? I think something similar happened.
[0] https://gizmodo.com/bbc-tells-facebook-about-child-porn-on-t...
Eventually the issue could've been forwarded to a lower level employee who spends 99.9% of their time reversing fraud caused by unrelenting fraudsters, and so they figured that must be what's going on here too. So they closed the account, closed any connected accounts, and sent a generic sternly worded email.
But equally likely is that Chase deliberately and short-sightedly thought, "this sort of shit just isn't something we want our customers to be doing; get rid of him."
Edit: This happened to me when I compromised a Windows Active Directory (got domain admin on all the domain controllers) and it has happened to my colleagues as well. The default corporate response is to threaten, marginalize or try to fire the security researcher.
Here's what I made up in my head:
Corporate managers and lawyers in particular have to constantly monitor for and defend against legal attacks, both legitimate and illegitimate. They have to stay on their toes about tricks and traps built into contracts and business deals and that sort of thing.
When a nerd comes to them to report a true fact about reality that will help them to know, we (the nerds) expect them to be grateful and cooperative.
But in fact they are trying to figure out what the angle is, or if not, what the angle could possibly be. One nerd's helpful security disclosure is a corporate lawyer's extortion attempt: "Nice corporation you got there. Too bad about this critical security vulnerability that may or may not constitute fiduciary negligence, but would definitely harm customer trust in your financial institution. Maybe we can help each other out, friendly like..."
So when someone comes at you like that, what do you do? If you're a hardass corporate lawyer you posse up, lock down, stonewall, shut off any practical ability for the person to have any further interaction with you, use all legal means at your disposal to get them to shut up about the issue now and forever. After all, this person just proved they have the ability and probably the willingness to discover vulnerabilities and extort you with them. Maybe. Why risk it?
That's the story I made up about it. I think it's a combination of incentives in the legal landscape and a huge culture clash.
I would've thought it would be more likely some middle manager who doesn't understand tech and just knows this person was ""abusing"" their system.
The account was brought back to normal well before the termination of all of our accounts.
I also expected them to have automatic triggers, but at the time they did not.
I would generally also suggest incompetence above malice, but above fact makes that very hard.
Sort of like the Google account issue where employees can't internally appeal to stop account suspensions.
It's always a scary experience.
The funny thing is according to them I was the only contributor from 2016 to the end of 2017. So they must not get many reports.
Since then they did develop a disclosure program, but it would be great to hear from anyone else that reported things to them after the end of 2017.
Probably because there's no obvious way to submit one.
If someone discovers a security vulnerability in a computer system, and they notify the operator or party responsible for maintenance of the system, then, starting 90 days after the notification was received, they may publicly disclose the vulnerability without fear of civil or legal repercussions.
If they use the vulnerability to exploit a system that is outside of their own administrative control (beyond developing a proof of concept), or transfer the information with intent to facilitate third party exploitation of the vulnerability, then the above protections do not apply.
I’m sure a lawyer worth their salt could turn that into an iron-clad law.
Best we can hope for is that the EU or some other trigger-happy regulators do the same for security as they tried to do for privacy: mandate a dedicated security contact that legally has to respond to your disclosure. Then at least we'll have some form of direct contact and not have to resort to twitter for "secure" disclosure.
A credit union I previously had an account with required your passwords to be exactly six characters long. Then they added "two factor authentication" via SMS or phone call. Except now if you forgot your password then you just have to go to "forgot password" and get an SMS code sent to your phone to reset your password... So it was actually single factor authentication, you didn't need the password at all, just the phone.
They only just changed to complex passwords this year.
https://arstechnica.com/information-technology/2013/04/why-y....
An attack on the US Banking system is a matter of when, not if.
This is why I got out of cybersecurity. Even when you are a good guy, the other folks look at you like it's only a matter of time before you steal the crown jewels while their back is turned. And if you are disclosing vulns you found when not actually hired to do so, forget about it - the best you can hope for is a thank you and a bounty that doesn't make it worth the time it took. The sky's the limit on the worst you can get.
The prospects of folks probing systems for the fun of it and disclosing how to secure them better to the owners in order to make the world a better place have become too grim. If you really want to do this, then I recommend you join a security company and do it as an employee to get that protection.
Every decade since 1989 I have marveled at how much closer our world has gotten to the world of Shadowrun. I just wish we had gotten the magic to go with the pall of shadows that hang over us now.
Because let's be honest, that is Occam's razor's most probable outcome.
So accurate. It's doom and gloom in that space, you either do it because you couldn't literally see yourself doing anything else - or for ego/cash. I'd argue there's much better ways to make cash in other engineering jobs, often skills in security overlap with SRE, admin and compliance roles.
It's the golden years for blackhats right now. And it has been for about 15 years, and I really don't see it changing at all any time soon.
“My boss told me to do it” is not a defense against criminal charges.
https://www.techdirt.com/articles/20200131/11153743831/crimi...
I'm getting out of ops for the simple reason that it's way more lucrative to be called in after the fact rather than try to stop incidents ahead of time (whether by probing and disclosing or trying to build out a blue team without being paid a contract to do so).
If they write you off as a client for accounts/credit cards, why not also for the mortgage/loans?
Back when this originally happened they gave me 60 days for the credit cards, and 30 days for the checking/savings account.
Closing a credit card just disallows new purchases, you still need to pay the minimum payment every month until the balance is zero.
Bank account they just give the money back
They're buried in deep strata of horrible legacy tech, they have huge middle-manager bureaucracies and politics, ridiculous and ineffective security that slows IT processes to a crawl, and the whole thing bleeds money to maintain -- so in the end they are kind of tech-hostile and will do anything to keep programmer salaries down, avoid promotions, etc.
Banks lose talent because they view tech as cost centers.
Half the time the security team was scrambling to prevent various people from sending legal on a crusade to attack the latest researcher who responsibly told them about a security issue. It only got better after legal was educated enough to not just shoot from the hip with threats... but really they were just acting like a firewall for much of the management team who saw any such disclosure as some sort of attack.
And this was a tech company, everything they did was technology, located in the valley... they still didn't get it.
Even just getting these researchers token recognition (many asked for almost nothing) was an uphill battle.
One of the challenges was that the folks on the security team were really passionate about doing the right thing and they didn't want to break relationships they had with researchers / the community. They were prone to leave companies who were bad at handling those relationships ... leaving bad companies with fewer such people and accordingly things would fester.
The security industry is full of straight up charlatans and legit people. The legit people are super sensitive about being associated with charlatans and thus the charlatans are often left to their own devices after the legit folks run for cover (elsewhere).
For the record this is my perception from working with security minded folks, and not actually working in that industry myself.
But I'm inclined to think to start that groups in a company are incentivized to do what they think their job is... bring something to legal, they'll have a legal type answer. Bring something to the engineers, you'll get some code.
Need a customer to stop clicking a button? Engineering will code it to be disabled at times. Legal will demand a prompt with a legal agreement you have to check before the action takes place. HR might even come up with some training classes ;)
Chase is a global bank with ~200k employees. There's always issues, most of which are fairly minor/low-risk financially, but may have significant reputational or other impacts. In this scenario, you have counsel and risk management people looking at a scenario where a guy basically stole $5,000 from the bank, due to an error on the part of the bank. They don't give a flying leap about the error -- it's not their job to care, the event becomes the problem.
$5,000 from an FDIC institution is a very serious crime. My guess is that the internal discussion was filing a criminal complaint and exposing their dirty laundry in court, or cutting the losses and severing the relationship. But the guy in question here did something really dumb, was very lucky, and should stfu.
Long story short, I found a bunch of mdb files with personal information about people's ambulance rides. I reached out to EMS and they were very nice and took the drive back with them. A few weeks later I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.
It eventually turned out OK, but the moral of the story is that I will never again do the right thing if I happen to discover a problem that makes a large entity look bad.
In 2008, in London, a commuter found top secret counterterrorism documents on the train. That person was smart enough to go to a BBC reporter.
I heard a similar story years ago about a high school student finding an SD card. It was full of illegal underage pictures so he turned it in to the school admins, told the story, and ended up getting charged for it.
Did you actually have to do that?
This will have some amount of Streisand effect. I doubt they've really fixed the race conditions. And, the story itself is interesting enough to take off.
From what I understand they can close your accounts for any reason.
The CFPB or the FDIC are far more likely to have jurisdiction here.
Just because I keep my front door unlocked it doesn't mean you can walk in nor does it mean you can break the glass on my back one. Leave it alone. And thinking that some community rep on the frontlines of a Twitter account can give permission to run a security exercise is totally asinine.
They didn't in this case. Though, maybe you could argue that the engagement wasn't formal enough.
They found the initial hint of the bug from normal use, and requested permission before doing the actual pen test.
Regarding the analogy, this isn't some random house they wanted to test. It's an essential service they used and depended on. Perhaps your analogy can be improved by them being an apartment building resident interested in the security issues of the building as a whole, since it affects the security of their own apartment. Even then, it doesn't seem like a perfect analogy that accurately reflects the situation. In the analogy, you could argue that they should change buildings if they're concerned, but banking options seem way more limited in comparison.
It is? In what way? Afaik banks give themselves a lot of power to close your accounts for a lot of different reasons - "suspicious activity," "rewards abuse," etc.
Fair on the reward abuse though. But to close ALL accounts?
Years earlier I was at Chase Manhattan when they decided to hire for an IT security role. The guy they selected was a tradesman who specialized in brickwork. Computer Security For Dummies was also his go-to and it never left his hands. Most of our interaction with him was his trying to find “the NFS”. We told him several times that we didn’t use NFS but he was convinced we did and were hiding the NFS from him. He called all of us individually into meetings with him and our manager to try and get us to crack and admit where we had hidden the NFS but was unsuccessful - it was a conspiracy. He hired in a couple of consultants to find where the NFS was but they couldn’t find it either. When I left he was having the network engineers trace all of the cables to see if we had hidden the NFS in a closet or under the floor.
Your statement is misleading.
By "cashed out" he transferred $5000 into another account of his at Chase. It's not like he took the money out of an ATM and spent it on hookers and blow.
This bank could have gotten into serious trouble with regulators if a bad actor exploited this bug and stole millions.
Don't expect them to adjust their behavior any time soon, but the "HN effect" might make them undo this action to avoid bad PR and make a few vague promises about "fixing the issue to avoid it happening in the future".
To read without Javascript:
curl https://chadscira.com/post/5fa269d46142ac544e013d6e/DISCLOSURE-Unlimited-Chase-Ultimate-Rewards-Points|sed '
s/%3A/:/g;
s/%2C/,/g;
s/%2F/\//g;
s/%3D/=/g;
s/%3B/;/g;
s/%3F/?/g;
s/%26/\&/g;
s/%22/\"/g;
s/%20/ /g;
s/%28/(/g;
s/%29/)/g;
s/%3C/</g;
s/%3E/>/g;
s/%27/'"'"'/g;
s/%0D//g;
s/%0A//g;'|grep -o "<p>.*</p>" > 1.htm
firefox ./1.htm
For example, a year ago I was in a pinch and ended up booking a flight on Delta via Twitter DM.
The problem with this is that the escalation chain and documentation to go along with it is unclear. The author could only hope that he was being connected with the right people. Likewise, I was just crossing my fingers that there was, indeed, a ticket waiting for me.
This is the type of thing to test in a QA environment, not in real life with your real money.
We found a major national bank's newly public merchant gateway allowed anyone who knew the IP address of an authorised merchant facility (such as an EFTPOS terminal) to spoof its IP address and submit requests to the gateway. It seemed they just relied on the supplied IP address in the XML payload to verify that a device was authorised to use the gateway.
A small proof of concept showed that it was exploitable, e.g. a small script proved a bank card would be processed successfully without needing to actually be on an authorised network or go through any kind of session handshake - we didn't try any of the other functions like requesting refunds or cancelling payments but figured the bank would like to know they had a big glaring hole in their security.
After finally getting through their merry-go-round of customer "support" to someone in their IT/Security team, the initial cordial emails stopped and we received a threatening letter from their legal department blathering about legal repercussions of cyber crime and fraud etc. They also contacted the client and threatened to shut down their accounts and merchant facilities for our transgressions.
Anyway, definitely makes me think twice about reporting any public-facing security issues directly to a company, I don't have the resources or willpower to fight a major corporation if they decide to swing that way, that's for sure.
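The gateway described in this comment trusted an address the client wrote into the XML body. The block below is an added illustration, not code from the original thread or from any bank: a constructed in-memory merchant registry (merchant id `M-1001`, its terminal address and signing key are all made up) with the flawed check beside a hardened one that authenticates the request with a per-merchant HMAC and compares the allowlisted address against the peer IP the server actually observed on the connection.

```python
"""Client-asserted vs transport-observed merchant identity at a payment gateway.

Constructed example modelling the flaw described above; merchant id, key and
addresses are made up for the demonstration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed registry: allowlisted terminal address and per-merchant signing key.
MERCHANTS = {
    "M-1001": {"ip": "203.0.113.10", "key": b"constructed-merchant-secret"},
}


def _parse(payload: bytes):
    root = ET.fromstring(payload)
    return root.findtext("merchant"), root.findtext("source_ip")


def authorise_flawed(payload: bytes) -> bool:
    """Flawed design: the gateway believes whatever <source_ip> the client wrote."""
    merchant, claimed_ip = _parse(payload)
    entry = MERCHANTS.get(merchant)
    return entry is not None and entry["ip"] == claimed_ip


def sign(payload: bytes, key: bytes) -> str:
    """Merchant side: HMAC-SHA256 over the exact bytes that are sent."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def authorise_hardened(payload: bytes, signature: str, peer_ip: str) -> bool:
    """Hardened design: the HMAC proves possession of the merchant key, and the
    address check uses the peer IP observed on the socket, never a payload field.
    (A mutual-TLS client certificate is the stronger option; HMAC keeps this short.)
    """
    merchant, _ = _parse(payload)
    entry = MERCHANTS.get(merchant)
    if entry is None:
        return False
    expected = sign(payload, entry["key"])
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return False
    return entry["ip"] == peer_ip


# Constructed requests: a genuine terminal request, and a request that copies the
# terminal's address into the payload but arrives from elsewhere without the key.
GENUINE = (b"<req><merchant>M-1001</merchant><source_ip>203.0.113.10</source_ip>"
           b"<amount>12.50</amount></req>")
FORGED = (b"<req><merchant>M-1001</merchant><source_ip>203.0.113.10</source_ip>"
          b"<amount>9999.00</amount></req>")


def demo():
    genuine_sig = sign(GENUINE, MERCHANTS["M-1001"]["key"])
    return {
        "flawed_accepts_forgery": authorise_flawed(FORGED),
        "hardened_accepts_genuine": authorise_hardened(GENUINE, genuine_sig, "203.0.113.10"),
        "hardened_rejects_unsigned": not authorise_hardened(FORGED, "00" * 32, "198.51.100.7"),
        "hardened_rejects_wrong_peer": not authorise_hardened(GENUINE, genuine_sig, "198.51.100.7"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The hardened check still accepts a signed request replayed from the genuine terminal's address; a production gateway adds a nonce or timestamp under the signature and records it server-side so a captured request cannot be submitted twice.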
Twenty years ago or so, I offered help to parties and every one of them accused me of causing the problem or otherwise being malicious. Let them find their own problems, I'll focus on my own.
A major US retailer used to have their entire OMS/back-office on an ip, it was that way for years despite multiple reports. And then they got ravaged when the first bad actor came along, easily preventable and they were warned.
The risk is not worth the merit.
I suppose somehow, legally, this became the best course of action for Chase bank - to cut the customer off immediately and give them zero information about it. But it really doesn't feel right and made me never want to do business with Chase again.
> While transferring balances between accounts on an unstable internet connection I saw that the system did a double transfer resulting in one card having a negative balance.
> This reminded me of issues I reported in the past with Starbucks US, and Starbucks TH. Both of those entities had major issues with race conditions.
How does this happen in 2016? It's as if software developers have somehow gotten collectively worse than they were 20 years ago.
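The double transfer quoted above is a check-then-act race: a retried request passes the same balance check as the original before either has written. The block below is an added illustration, not code from the original post or from Chase: a constructed in-memory ledger with the vulnerable handler written as a generator so the interleaving of two duplicate requests can be reproduced deterministically, and a hardened handler that makes the check and update atomic and rejects retries by idempotency key.

```python
"""Double-debit race in a balance transfer, and a hardened version.

Constructed example: an in-memory ledger stands in for the backend; the
account names and amounts are made up.
"""
import threading
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Ledger:
    balances: dict
    seen_requests: set = field(default_factory=set)        # idempotency keys already applied
    lock: threading.Lock = field(default_factory=threading.Lock)


def unsafe_transfer(ledger, src, dst, amount):
    """Vulnerable handler: the balance check and the update are separate steps.

    Each ``yield`` marks a point where, in a real server, another request
    may run in between; the scheduler below exploits exactly that gap.
    """
    available = ledger.balances[src]            # read
    if available < amount:
        yield "rejected"
        return
    yield "checked"                             # a duplicate request can pass the same check here
    ledger.balances[src] -= amount              # write, based on a now-stale check
    ledger.balances[dst] += amount
    yield "done"


def run_interleaved(handlers):
    """Round-robin scheduler: one step of each handler per turn."""
    outcomes = {}
    pending = list(enumerate(handlers))
    while pending:
        still_running = []
        for idx, gen in pending:
            try:
                outcomes[idx] = next(gen)
                still_running.append((idx, gen))
            except StopIteration:
                pass
        pending = still_running
    return outcomes


def demo_unsafe():
    """Two copies of one request (a client retry on a flaky link) race each other."""
    ledger = Ledger({"A": 100, "B": 0})
    outcomes = run_interleaved([
        unsafe_transfer(ledger, "A", "B", 100),
        unsafe_transfer(ledger, "A", "B", 100),
    ])
    return ledger.balances, outcomes            # A ends negative, B is over-credited


def safe_transfer(ledger, request_id, src, dst, amount):
    """Hardened handler: atomic check-and-update plus an idempotency key,
    so a retried request is recognised instead of applied twice."""
    with ledger.lock:
        if request_id in ledger.seen_requests:
            return "duplicate"
        if ledger.balances[src] < amount:
            return "rejected"
        ledger.balances[src] -= amount
        ledger.balances[dst] += amount
        ledger.seen_requests.add(request_id)
        return "done"


def demo_safe(retries=20):
    """Many concurrent retries of one request, then a second request that must fail."""
    ledger = Ledger({"A": 100, "B": 0})
    results = []

    def worker(req_id, amount):
        results.append(safe_transfer(ledger, req_id, "A", "B", amount))

    threads = [threading.Thread(target=worker, args=("req-1", 100)) for _ in range(retries)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    late = safe_transfer(ledger, "req-2", "A", "B", 50)   # A is empty now
    return ledger.balances, Counter(results), late


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
```

In a database-backed service the lock becomes a row lock or a conditional update (`UPDATE ... WHERE balance >= amount`) in one transaction, and the idempotency key is a unique-constrained column; the shape of the fix is the same.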
https://www.ft.com/content/93a47a62-daf0-11e1-8074-00144feab...
I can't find anything referencing it, but something similar happened with Zelle back in 2017, and then in 2015 also with its mobile app.
Feels kind of an American thing.