Slashdot Mirror


Ask Slashdot: To Hack Or Not To Hack?

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."

12 of 517 comments

  1. First thing first by CmdrPony · · Score: 5, Informative

    Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?

    1. Re:First thing first by Zaphod+The+42nd · · Score: 5, Informative

      He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

      He's already violated several conditions of the Computer Fraud and Abuse Act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records.
      Computer Fraud and Abuse Act
      State laws on Computer Hacking and Unauthorized Access

      I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
      To go to jail, or not to go to jail?

      --
      GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    2. Re:First thing first by chill · · Score: 5, Informative

      An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:First thing first by NeverVotedBush · · Score: 4, Informative

      Detail it to Brian Krebs. He would be a very good source of information on what to do.

      http://krebsonsecurity.com/

    4. Re:First thing first by JMJimmy · · Score: 3, Informative

      Blow it up sounds fun but it'll get you sued or worse.

      http://seclists.org/fulldisclosure/

      I had to threaten to expose a security flaw which exposed hundreds of thousands of people's info (luckily no financial info). Within an hour of threatening full disclosure they'd closed my "tech ticket" and an administrator was emailing me for more details and a timeline for a fix.

  2. Language matters by colinrichardday · · Score: 1, Informative

    Please don't call such activity "hacking". It is cracking. Learn the difference.

  3. notify visa by banbeans · · Score: 5, Informative

    U.S. – (650) 432-2978 or usfraudcontrol@visa.com

    1. Re:notify visa by James+Renken · · Score: 5, Informative

      This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.

    2. Re:notify visa by X0563511 · · Score: 4, Informative

      should be -> are :)

      (spoken as someone in the industry)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Re:Oh boy... by TheSpoom · · Score: 4, Informative

    This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  5. Re:Go to the investors by Amouth · · Score: 4, Informative

    If it was me, after the company doesn't bother to recognize it, I'd contact the credit card clearing house (Visa/MC/AmEx) that they use. Anyone who is processing and storing CC info has to comply with PCI DSS. If you can get access to card info then they are out of compliance, and are subject to having their merchant account deactivated, charges seized, and paying fines.

    The CC companies don't (normally) play around with it. Contact them and inform them of the situation. IF (AND ONLY IF) they need it, provide them a proof of concept code/method only; DO NOT grab card numbers and send them to them as an example. Let the CC company evaluate your proof of concept and see if they can access CC numbers.

    This method seems to work (it has in the past) to get people to fix their holes. As for them actually becoming a more responsible company after this, well, hell never has been a cold place.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  6. Re:PCI by X0563511 · · Score: 3, Informative

    The difference is that Ford doesn't head up a cabal of auto makers that hand out outrageous fines to those who handle said cars insecurely.

    Here, since you obviously don't realize what PCI means in this context.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...