Slashdot Mirror


Ask Slashdot: To Hack Or Not To Hack?

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."

1 of 517 comments (clear)

  1. Re:First thing first by rtfa-troll · · Score: 5, Interesting

    Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.

    The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.

    What to do

    • Get lawyered up. Lawyers are expensive; not lawyers are much more expensive. Make sure you have one who has actually succeeded in protecting people in your exact situation.
    • See if the EFF will support you as a security researcher. Freedom of speech issues may help protect you. They may be able to recommend a lawyer. Unless you see martyrdom as your future, be careful not to become a public case until you know that that would be a benefit for you.
    • Try to find out for sure if you have broken any laws and the consequences. When doing this ensure you only talk to a lawyer (no internet searches!!) so that all discussions remain legally privileged and can't be used against you to show you knew what you were doing / had done
    • Find a CERT that would be interested in this. Do not communicate further with the company directly, only through the CERT. The EFF might do to. Any body which has real experience in doing disclosure and will isolate you from the risk of direct communication.
    • Pretending you don't know about the hole would probably have been best, but assume it's too late for that. You need to now go through the notification; until this is fixed you are at risk of lawsuit or prison.
    • Do not accept any offer of anything; no free travel; no free developer account; no "chance to help us clean up". This is likely an attempt to set you up for an extortion charge.
    • Anything further you do with this case, you do on your own isolated computer.
    • Do not do anything which could be interpreted as destruction of evidence. Your lawyer may be able to help you with advice about any data destruction you could do to minimise risk in a lawsuit.
    • Without legal advice otherwise, do not use any services from the company and don't visit the web site of the company. Beware of anything which might bind you into a contract with the company.
    • Prepare to be raided. All of your computers will be taken from you and any disks you have on site. Your close family and computer friends may also be raided. Make backups of everything and store them in a locked box somewhere which can't be related back to you. E.g. a trusted but distant friend from school times. Alternatively a vault in a private bank (e.g. in Switzerland).
    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();