Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: To Hack Or Not To Hack?

Posted by Soulskill on from the ethics-and-responsibilities dept.

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."

5 of 517 comments (clear)

  1. First thing first by CmdrPony · · Score: 5, Informative

    Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?

    1. Re:First thing first by Zaphod+The+42nd · · Score: 5, Informative

      He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

      He's already violated several conditions of the Computer Fraud and Abuse act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records
      Computer Fraud and Abuse Act State laws on Computer Hacking and Unauthorized Access

      I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
      To go to jail, or not to go to jail?

      --
      GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    2. Re:First thing first by chill · · Score: 5, Informative

      An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.

      --
      Learning HOW to think is more important than learning WHAT to think.
  2. notify visa by banbeans · · Score: 5, Informative

    U.S. – (650) 432-2978 or usfraudcontrol@visa.com

    1. Re:notify visa by James+Renken · · Score: 5, Informative

      This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.