Yes, he disclosed exactly how he did it to the bank. Yes, he returned it all. Yes, he had no intent to keep it. And yes, he still defrauded them in the process. Yes, he had permission to do so. But permission doesn't always prevent situations from going awry, even if it can help clear things up after the fact.
If you walk into a physical bank and notice a potential security issue, point out the potential security issue to the teller, come back to exploit that potential security issue just to see if you can, succeed and make off with $70k, then bring it all back in and walk the bank manager through how you robbed his bank, he's still going to call the cops on you. Or maybe you spoke to him before and got permission, but his communication to corporate after the fact gets misconstrued/misunderstood and someone else calls the cops.
Closing all of the accounts like they did was a crap reaction, but he could have just as easily been hand delivered an arrest warrant by an FBI agent for bank robbery and fraud if someone internally decided to take the position that what he did was analogous to the above scenario. And it may have just as easily occurred due to some internal miscommunication/misunderstanding by a non-technical person or being flagged by some type of automation/reporting, rather than deliberately taking such a stance.
That's where involving a lawyer would have been valuable. It may not have protected him from the consequences that did occur, since they could close his accounts for whatever reason they wanted. But a lawyer would have provided greater assurance against substantially worse outcomes, by ensuring more drastic outcomes were identified and addressed/mitigated upfront. And potentially saved his accounts from getting closed - the decrease in his cumulative credit limit plus closure of such long-lived credit cards translates into real economic harm due to the likely impact on his credit score. I could see a lawyer being able to use that fact somehow to persuade Chase that it was not in their best interests to take such an action.
Law enforcement - I'd leave that up to the lawyer. As another user commented, your lawyer is explicitly employed to protect your interests. If involving law enforcement furthers that aim, they'll tell you. If involving law enforcement is detrimental to that aim, they'll tell you. So consult with several first, hire one second, and let them direct what happens after. If what they do/recommend ends up being incredibly stupid, you at least have their malpractice insurance to appropriately compensate you for their stupidity. But you have no such insurance to compensate you for your own.
> Once I had permission quickly made a proof of concept ...
So unless you want to accuse him of lying, there's no fraud here. And the fact that Chase didn't file a police report makes me convinced there was nothing remotely illegal about his actions.
As I said, such a situation could have occurred due to a miscommunication/misunderstanding, rather than taking a deliberate stance to prosecute him. A team (or member on said team) or some automated system unaware of that permission could have flagged the fraud and involved the authorities. Communication silos are a fact of big businesses. Politics and power tripping executives are too, who may decide whoever gave such permission didn't have the authority and push ahead anyway for whatever reason. And inflexible legacy systems are too, which may trip some automated fraud detection system that automatically triggers a legal reaction.
The charges may have ultimately been dropped when everything got sorted out, or a judge could have dismissed the case based on the permission he was given (if the situation got to that point). But that's not for the law enforcement agent serving your warrant to decide, his job is just to bring you in. And in the event that happens, it's far better for your lawyer to already be prepared on how to address the situation than only getting them involved at that stage.
It seems like he took great pains to keep it legal, but the presence or absence of a police report means nothing.
No he didn't. Intent / mens rea matters.
He established a pretty solid record of prior communication about what his intent was.
Involving your lawyer isn't a foolproof preventative measure either. But your lawyer having an established line of communication with their lawyers can get things cleared up a whole helluva lot faster than if you get booked, have no lawyer, and are having to find and get one up to speed only after you're sitting in jail.
So far as I know, fraud isn't a strict liability crime. It requires intention ("mens rea") as well as action ("actus reus") to be prosecuted.
I am of course not a lawyer.
But
1) Mens rea isn't an absolute defense. It doesn't refer to malicious intent, but more so specific intent[1], in this case, specifically performing a sequence of actions in order to discover/validate/confirm a vulnerability. You also don't have to know if what you're doing is a crime; if what you did fit the legal definition of fraud, and you performed that action fully cognizant of and in control of what you were doing, then it's still a crime irrespective of your awareness that it was a criminal act.
2) Mens rea is a legal argument. It may protect you from successful prosecution, but if you've hit this point, lawyers are already involved and you've more than likely already been arrested/charged.
3) The prosecutor could dismiss the case if they feel the likelihood of successful prosecution is minimal (such as when you produce the original permission you received) or the bank requests it. Or they could force a settlement if they think the case is shaky. Or they could be an ass and force the court/judge to decide. But you've still been arrested, your life has been disrupted, you've potentially sat in jail for some amount of time (at least until your bail hearing), and you've likely been economically harmed (via legal bills, cost of bail, potential impact to your state of employment, potential impairment to future earnings based purely on the arrest record even without prosecution, etc).
Which is why it's always good to involve or consult a lawyer before engaging with the company - the cost of doing so is effectively an insurance policy protecting you from ending up in a situation where you need to employ one for damage control. And you're likely to end up with a far larger bill if you end up having to pull a defense attorney in after the fact for damage control/crisis management than the bill you'd get for upfront risk mitigation.
This story is exactly why the newer fintech startups will take over banking.
Most lawyers will give you an initial consultation for free. Even if you don't hire one, just consulting with one can immensely improve your ability and confidence in navigating things solo.
"Can you also confirm if this allows additional points to become available for use?"
This was why I had to remove the negative points, and make a transfer to prove that they indeed could be used.
[1] https://www.forbes.com/sites/advisor/2020/07/15/how-airlines...
The post doesn't actually confirm this. Might that be the problem?
But
- Shit happens. Even legitimately contracted pentesters can run into legal issues. These guys[2] worked for a firm hired by the state court system to pen-test the courts (from application testing to physical building security), were ultimately arrested due to a power play, railroaded by embarrassed local authorities, had their charges trumped up to the point of being considered a felony, were disavowed by the powers that hired them who went into "cover our ass" mode, and ultimately spent 5 months fighting the charges before the state legislature ultimately pressured the local authorities to drop them. And even with the charges dropped, the felony arrest record was not expunged and has lasting damage/implications both personally and professionally.
- In the above case, the client was not only the very same court/legal system overseeing their case, but also had an established, multi-year relationship with the security firm they worked for. Yet it still went that terribly wrong, took almost half a year to get legally resolved, and resulted in permanent felony arrest records. If things can go so terribly wrong for legitimately contracted professionals, how badly do you think it could go for a private citizen, with no official contract in place and only some form of written permission from the company that has not been vetted by a lawyer representing that individual's interests, and may not have even been vetted by that company's lawyers?
- He was dealing with a bank, which is subject to a massive amount of legal and regulatory requirements for its customers that are specific to the banking industry, all of which tend to get interpreted/applied from a conservative standpoint due to the risks and penalties banks are subject to for non-compliance.
- He was using his real, live accounts during the process. His actions could have easily triggered their fraud detection system to automatically generate and submit a SAR[3] due to "suspicious activity that might signal criminal activity". Even if someone fully aware of the situation (and granted permission) intercepted such a SAR before it was submitted, it may be decided that such actions from a private individual not contracted by the company to perform such work fit the threshold of "might signal" and still ultimately get submitted. Triggering who-knows-what downstream repercussions/investigations after it's submitted to the government.
- Their responsible disclosure program[4] did not exist at the time, so there were no explicitly documented and legally vetted acceptable rules of engagement publicly available. It's possible that rules of engagement were part of his communications with them, but not mentioned in the article (nor again, vetted by a lawyer bound to represent his interests).
So while there was ultimately no problem in this instance beyond the inconvenience of his accounts getting closed, doing so without the aid/guidance of legal counsel involved assuming an unknown and potentially substantial amount of personal risk/liability in the process. Which is why it would be highly advisable for someone in a similar situation to speak to or retain a lawyer.
[1] https://news.ycombinator.com/item?id=24990202
[2] https://www.darkreading.com/vulnerabilities---threats/pen-te...
[3] https://www.occ.treas.gov/topics/supervision-and-examination...
[4] https://responsibledisclosure.jpmorganchase.com/hc/en-us