Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: To Hack Or Not To Hack?

Posted by Soulskill on from the ethics-and-responsibilities dept.

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."

45 of 517 comments (clear)

  1. First thing first by CmdrPony · · Score: 5, Informative

    Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?

    1. Re:First thing first by Anonymous Coward · · Score: 4, Insightful

      Someone left their front door open, lets go torch the house before someone steals something of value.

    2. Re:First thing first by Zaphod+The+42nd · · Score: 5, Informative

      He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

      He's already violated several conditions of the Computer Fraud and Abuse act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records
      Computer Fraud and Abuse Act State laws on Computer Hacking and Unauthorized Access

      I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
      To go to jail, or not to go to jail?

      --
      GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    3. Re:First thing first by S73rM4n · · Score: 5, Insightful

      I would second this opinion (also, as above, assuming USA as OP's location). Though your intentions are noble it is highly illegal to breach a computer system without permission/ownership, regardless of intent. Similar to other crimes - you would still be arrested for breaking and entering a property even if your intent was to show the owner that their security system was flawed, unless they asked you to test it out for them.

      My advice - do nothing further. You discovered the flaw and told them about it, the onus is on them to make sure that their systems are secure. Just make sure that you don't leave a trail for other, less scrupulous people to follow...you certainly wouldn't want a future breach and malicious use of this flaw to point to you as the one who discovered it!

    4. Re:First thing first by chill · · Score: 5, Informative

      An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:First thing first by Nethemas+the+Great · · Score: 5, Insightful

      If you "blow it up" you WILL risk very SEVERE consequences. There's no room for the good Samaritan outsider esp. where it concerns security. I'm not sure if there's a reasonable answer that will put a stop to their negligence but I would most definitely tread lightly.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    6. Re:First thing first by tripleevenfall · · Score: 4, Insightful

      Right - I didn't mean "do something nefarious". I meant, go to the media or some authority agency under a white flag, anonymously, whatever, and get some exposure for it.

      By "blow it up" I was thinking, if this company has had a few chances to act and has chosen to ignore the problem, take the next step in generating publicity.

    7. Re:First thing first by Synerg1y · · Score: 4, Interesting

      He never got on the plane, get your facts straight, sounds like he almost did though, cause German kids are the #1 security threat to this country.

      Source:
      http://www.eurogamer.net/articles/2011-02-21-the-boy-who-stole-half-life-2-article

      It's a pretty good read.

      I can't help thinking how a real criminal would have proxied, and sold the code rather than published it, but to the FBI it's all the same.

    8. Re:First thing first by NeverVotedBush · · Score: 4, Informative

      Detail it to Brian Krebs. He would be a very good source of information on what to do.

      http://krebsonsecurity.com/

    9. Re:First thing first by rtfa-troll · · Score: 5, Interesting

      Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.

      The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.

      What to do

      • Get lawyered up. Lawyers are expensive; not lawyers are much more expensive. Make sure you have one who has actually succeeded in protecting people in your exact situation.
      • See if the EFF will support you as a security researcher. Freedom of speech issues may help protect you. They may be able to recommend a lawyer. Unless you see martyrdom as your future, be careful not to become a public case until you know that that would be a benefit for you.
      • Try to find out for sure if you have broken any laws and the consequences. When doing this ensure you only talk to a lawyer (no internet searches!!) so that all discussions remain legally privileged and can't be used against you to show you knew what you were doing / had done
      • Find a CERT that would be interested in this. Do not communicate further with the company directly, only through the CERT. The EFF might do to. Any body which has real experience in doing disclosure and will isolate you from the risk of direct communication.
      • Pretending you don't know about the hole would probably have been best, but assume it's too late for that. You need to now go through the notification; until this is fixed you are at risk of lawsuit or prison.
      • Do not accept any offer of anything; no free travel; no free developer account; no "chance to help us clean up". This is likely an attempt to set you up for an extortion charge.
      • Anything further you do with this case, you do on your own isolated computer.
      • Do not do anything which could be interpreted as destruction of evidence. Your lawyer may be able to help you with advice about any data destruction you could do to minimise risk in a lawsuit.
      • Without legal advice otherwise, do not use any services from the company and don't visit the web site of the company. Beware of anything which might bind you into a contract with the company.
      • Prepare to be raided. All of your computers will be taken from you and any disks you have on site. Your close family and computer friends may also be raided. Make backups of everything and store them in a locked box somewhere which can't be related back to you. E.g. a trusted but distant friend from school times. Alternatively a vault in a private bank (e.g. in Switzerland).
      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    10. Re:First thing first by pla · · Score: 4, Interesting

      Hacking somebody's financial records isn't a just a concept

      A few months ago, I, in the course of my job duties, discovered a massive, glaring, easily exploitable security flaw at a financial transaction processing company that a great many people (as in, somewhere around a third of Americans who pay their bills online) likely use without knowing it. And no, you probably haven't heard of them unless you work in the banking industry.

      I didn't write an SQL injection. I didn't guess passwords. I didn't even probe for hidden options in a CGI... I merely mis-typed a path in a web-scraping script intended to retrieve information I legally had the right to get, and ended up with entirely someone else's information. Yes, literally as simple as "tweak the URL", and you could see anyone's info you want.

      I informed them of this flaw, as an official "you have to fix this now or consider yourself in violation of our contract" communication, and they have made it a bit better - In that you would now at least need to intend to attack them, rather than just anyone having the ability to do so accidentally. Good to know that no more pesky whitehats will bother them about their insecurities.

      But put bluntly, companies don't give two shakes of a rat's ass about us. The very fact that such a trivial weakness existed in the first place demonstrates that they don't pay attention to security in the least; and their fix demonstrates that they don't really care even when they have known flaws. They care about how much it will cost them to fix vs the cost and probability of someone malicious discovering the problem, end of story.

  2. NSA? by Toe,+The · · Score: 4, Funny

    Maybe you could get the NSA to hack them?
    Just brainstorming here...

  3. PCI by Anonymous Coward · · Score: 5, Insightful

    If they don't want to listen, go to Visa and MasterCard. They won't sit on their asses about exposed credit card data.

    1. Re:PCI by Dr_Barnowl · · Score: 5, Insightful

      If you hadn't already exposed yourself to the owner, I'd write a how-to and send it to them anonymously, and later send the credit cards an ANONYMOUS tip.

      Why anonymous? Hacking, even for white-hat reasons, is illegal in most jurisdictions. Even accidental hacking.

      Now that you've exposed yourself to them it would be too easy for them to piece it together who turned them in for a nice PCI audit. It would be all too easy of them to send your emails to a computer crime division and get you busted, especially if they have any friends with influence there. Just avoid using their product and quietly tell your friends not to do the same.

      The only time I have ever even considered informing a company of a security hole is on an occasion when I'd previously worked for them, personally knew the owner, and knew that the owner respected my ability.

    2. Re:PCI by hellkyng · · Score: 5, Insightful

      While you make a good point that Visa and MC won't sit on their asses about data, that is only from a PCI perspective. And realistically its trivially easy to maintain PCI compliance and have an insecure product.

      What I would recommend however is work through a professional service like Secunia: https://secunia.com/company/blog_news/news/271. They can lend credibility to your claim and they provide what I personally would describe as an ethical approach to remediation. I would strongly not recommend any further testing on your part unless you are prepared to deal with legal consequences. Not that I agree with companies going after researchers, but it does happen.

      Good luck.

    3. Re:PCI by the_B0fh · · Score: 4, Insightful

      That will be considered a threat no matter how you word it. Expect to go to jail.

    4. Re:PCI by V!NCENT · · Score: 5, Funny

      "How can I help you?"
      -"Well, I noticed that your bank safe is wide open! You might want to cl-"
      "You asshole! I'm calling the FBI!"
      -"But people their money might get sto-"
      "Son, you are under arrest for looking at something and then notifying the owner about it"

      Why is the world ruled by morons?

      --
      Here be signatures
  4. You're just asking by Vinegar+Joe · · Score: 5, Insightful

    For a 5 year tour of the federal penitentiary system, aren't you?

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
    1. Re:You're just asking by seniorcoder · · Score: 5, Funny

      At least if you are going to do this, simply as a proof of concept of course, steal all their customers money. Then the risk/reward ratio is looking better.

  5. Go to the investors by james_van · · Score: 5, Insightful

    Maybe the company doesn't care, but the people with money on the line will. And when they start to care, the company will start to care. Don't go hacking to try and prove a point, that's just gonna cause you more trouble than it's worth. And if, at the end of the day, no one cares or does anything about it, no sweat off your back.

    1. Re:Go to the investors by Amouth · · Score: 4, Informative

      If it was me - after the company doesn't bother to recognize it - i'd contact the Credit Card clearing house (Visa/MC/AMex) that they use.. Anyone who is processing and storing CC info has to comply with PCI DSS. If you can get access to card info then they are out of compliance, and are subject to have their merchant account deactivated, charges seized, and pay fines.

      The CC companies don't (Normally) play around with it. Contact them and inform them of the situation, IF (AND ONLY IF) they need it provide them a proof of concept CODE/Method only, DO NOT grab card numbers and send them to them as an example, let the CC company evaluate your proof of concept and see if they can access CC numbers.

      This method seems to work (has in the past) to get people to fix their holes.. As for them actually becoming a more responsible company after this, well hell never has been a cold place..

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  6. Oh boy... by Anonymous Coward · · Score: 5, Insightful

    Walk away. You notified the appropriate people. After that, it no longer has anything to do with you, and can only go pear-shaped from here.

    1. Re:Oh boy... by TheSpoom · · Score: 4, Informative

      This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
  7. notify visa by banbeans · · Score: 5, Informative

    U.S. – (650) 432-2978 or usfraudcontrol@visa.com

    1. Re:notify visa by James+Renken · · Score: 5, Informative

      This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.

    2. Re:notify visa by X0563511 · · Score: 4, Informative

      should be -> are :)

      (spoken as someone in the industry)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:Language matters by pmgarvey · · Score: 5, Insightful

    I think you're fighting a battle that was lost long ago. In the minds of most, what was once called cracking is now hacking.

  9. Retain a lawyer. by chemicaldave · · Score: 5, Insightful

    You should probably hire a lawyer. It doesn't matter how good you're trying to be. Anything you did to come to your conclusions that was illegal is going to be frowned upon... severely. And if you do go public, you'll likely be hit with a C&D letter.

  10. NONONO RED FLAGS!!! by Zaphod+The+42nd · · Score: 5, Insightful

    This is the DUMBEST THING EVER. I cannot believe people actually think this way. Are you familiar with the LAW SYSTEM? People can't just go around doing things without permission like that. If your internet connection crosses a state line, (and due to packet routing it probably is and you might not even know) then you are committing a FEDERAL CRIME. That means that not just the police, but the FBI will come knock on your door. History is just FULL of people who though, hey, I'm pretty clever, I'll hack these people and get a job. NOBODY WILL HIRE A CRIMINAL I PROMISE YOU.

    Cannot stress this enough. Jeeze.

    Here are your options: Call them, email them. Thats it. Move on with your life if they ignore you. There's nothing that says they can't be incompetent if they want to, but there is something that says you can't break into their systems. (yes, even if they're not secured).

    --
    GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    1. Re:NONONO RED FLAGS!!! by Hatta · · Score: 5, Insightful

      No, the dumbest thing ever is the legal system which punishes whistleblowers. Wait, no, that's the 2nd dumbest thing ever. The absolute dumbest thing ever are the people who support a legal system that punishes whistleblowers.

      --
      Give me Classic Slashdot or give me death!
  11. Journalism works by Anonymous Coward · · Score: 5, Insightful

    If you want to get the word out anonymously, approach a journalist. Journalists have a vested interest in breaking the next scandalous new story, especially those who are new and making a name for themselves. They also have a vested interest in protecting their sources, though you might still want to report it through an anonymous email account.

  12. Don't ask Slashdot, Ask Ed Felten by Anonymous Coward · · Score: 5, Insightful

    Ed Felten himself may not be the best person to contact, actually, since he's currently working for the FTC, but then again he may be worth sending an email to.

    My point is this: ask someone who is respected in the security field and has years of experience. If not Felten, try and contact Moxie Marlinspike, perhaps.

    It sounds like you are young and have very little experience with this kind of stuff. Do not make the mistake of thinking that anyone is going to thank you for your efforts. The company with the bad security may be run by a bunch of technological idiots who will see you as the threat. When the FBI comes calling, they will be more interested in seeing what criminal charges they can bring against you.

    But don't be scared into inaction. Instead seek advice from experts who have been in the same position as you. They may have contacts and could help you present the exploit information in a way that is

    1) legal
    2) professionally done
    3) likely to get taken seriously by the developers at the affected company.

    Good luck! As long as you keep certain cautions in mind, you may have just stumbled onto a career in security!

  13. Oh shut up... by frank_adrian314159 · · Score: 5, Insightful

    Language evolves. You can fight the tide or swim with it. I know which way gets you drowned first.

    --
    That is all.
  14. no you grow the fuck up by unity100 · · Score: 4, Interesting

    Dress it up how you want to, you're still a criminal - legally, morally, and ethically, it's none of your business, you shouldn't have done it in the first place, and quit doing it in general.

    its maybe none of his business, but its MY business AS A USER that some company that i give my credit card to is this irresponsible. Those who would hack it, would hack it, and just use the cards and deduce hard to notice amounts every month and fuck me over.

    if it wasnt for people like the article submitter, THOSE COMPANIES WOULDNT LIFT THEIR ASSES for security. so YOU shut the fuck up. its MY wallet.

    --
    Read radical news here
  15. Walk Away and Forget About It by StormReaver · · Score: 4, Insightful

    Slashdot has had many stories of well-meaning hackers trying to save companies from themselves, only to wind up being the target of federal and/or state prosecutors rather than being considered a good Samaritan.

    Here's my advice:

    1) Stop violating federal and state laws. You've just confessed to the world that you are committing federal and state felonies. Stop being a criminal.

    2) Walk away while you still can, and maybe you'll still have a life to live free of federal and/or state prosecution.

  16. Re:For the love of Christ... by dave562 · · Score: 5, Insightful

    You're being a bit harsh on the guy. A lot of people started their IT careers in the computer underground, myself included. If it were not for LA 2600 meetings and the first few Defcons, I would not have developed the skills and background that landed me my first job as a sysadmin fifteen years ago. More recently (within the last year), the head auditor for my company told me that my background reassured him because he knew that I had a better perspective on computer security and the threat landscape than most "professionals" who picked up all of their knowledge in a classroom.

    WRT the OP, it was dumb for him to go to the company. As everyone else stated, he exposed himself to some liability. Any information that he provides to the company could be used to build a case against him for computer trespass, unauthorized access, etc.

    To call the OP morally and ethically criminal is overboard. He did not do any damage to them and did not profit from his activities. It was a real world learning exercise. It was not the brightest move in the world, but doing a security audit on a random computer system does not make someone morally bankrupt. If he had taken the data and sold it for profit, or even just posted it for fame and notoriety, that would be a different story. Instead he naively did "the right thing" without fully understanding the liability it exposed him to.

  17. Re:For the love of Christ... by jgrahn · · Score: 4, Interesting

    First off, QUIT FUCKING TRESSPASSING.

    I don't care if you're not doing it for money (though, you sound like you might do it for fame). It's wrong.

    As he explained it, it sounds as if he's concerned about the outfit's customers. It's not unheard of -- that people care about the wellbeing of other people. (That Christ guy you mention in the subject line did, for example)

  18. CERT by Z00L00K · · Score: 4, Interesting

    Report it to CERT. (Or other corresponding security organization if you are outside the US.)

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  19. let the card companies know by camusflage · · Score: 5, Insightful

    "If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at cisp@visa.com."

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  20. Re:Language matters by hoggoth · · Score: 4, Funny

    Please use the appropriate term. It's "GNU cracking".

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  21. Re:Full disclosure is the most ethical path. by Vellmont · · Score: 4, Insightful

    It's not only the most ethical, it's the only way this company will actually do anything. I'd also suggest to do this anonymously. Corporations have a habit of striking back blindly in random directions whenever they feel threatened, and this will most certainly threaten them. It wouldn't surprise me in the least if they tried to smack you down with restraining orders, defamation suits, or whatever the lawyers think will hurt you the most. If you release the information anonymously (and be very careful how you go about this), then there's nobody to slap down with restraining orders.

    --
    AccountKiller
  22. EFF by bmuon · · Score: 5, Insightful

    Shouldn't he contact the Electronic Frontier Foundation? Isn't its purpose to provide advice in this cases?

  23. Re:this is not news by Fred+Ferrigno · · Score: 4, Insightful

    This is some idiot asking for advice on an absolutely terrible scheme which has been explained before

    Isn't that what Ask Slashdot is all about?

  24. Back Away; You Were Never Here by Pooua · · Score: 4, Interesting

    I'm inclined to agree with those who state this was a honey pot. Maybe it was and maybe it wasn't, but standard security procedure is to have a honey pot open and available for naive, young hackers to fall into. You probably aren't the first person in it, either, if this is a big name institution. I read that an unsecured computer left open to the Internet will have hundreds of attacks compromise it a day, within seconds of going online. So, I would guess those credit card numbers are also fake.

    Your best bet is to leave it alone. If this isn't a trap, that's for the company and the customers to deal with it, and the repercussions that follow. The fact that you need to ask here what to do about it leads me to suspect that you are in over your head.

    --
    Taking stuff apart since 1969 (TM)
  25. The site is www.thelevelup.com by fluffy99 · · Score: 5, Insightful

    How long do you think it will be now before the blackhats start looking at the payment handling processes of 'a rising mobile payment start-up' with 'big-name financial backing' ?
    I don't think there are too many companies that match your description..

    No need to search to hard for the company. Our illustrious OP, aka Mr. Christopher Reed (http://seeread.info/) was naive enough to post this on twitter (http://twitter.com/#!/seereadnow).
    "@TheLevelUp I think I found a trivial way to hack user accounts. Please get in touch to resolve."

    At least he can point to the twitter feed as evidence that he was trying to contact them. This /. article where he considers "blowing them out of the water" would undoubtedly work against him though.