Hacker Group Demands "Idiot Tax" From Payday Lender
snydeq writes "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"
Just because I left my door open, doesn't mean it's okay to steal.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
One would suspect the FBI might soon be levying its own 'idiot tax' on Rex Mundi ...
unless of course said hacker is not US-based but that would raise EVEN MORE questions about the ethics if hackers are getting involved in commercial arrangements in FOREIGN countries
So they published the database on the Internet for anyone to access. I would be hard pressed to find a legal cause of action against the "hackers" (web surfers?) who browsed and saved the file. Additionally, because the database contains only a tabulation of factual information, it cannot be copyrighted. Thus, Rex Mundi may be legally allowed to publish it at will. Most of the civil causes of action that could be brought in a case of blackmail or extortion may be unsuccessful here since the "victim" PUBLICLY PUBLISHED the data themselves. Interesting case.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
First time protecting their customers was part of these people's business model.
xkcd is not in the sudoers file. This incident will be reported.
Crypted details about our next Hollywood celebrity victim:
Unp2Z25qY3Z4Znp5b3Z0Z2ptZ3Zwb2l6bW56aHZkZ3Z4eGpwaW9odml0ZGlvem16bm9kaWJ oem5udmJ6bmFtamhidnRodmd6YW1kaXlzcmNqaGN6bXpicGd2bWd0aHp6eW5ham14dm5 wdnFuenNyZGdnbXpnenZuenl2b3Zndm96bQ==
Props to the one who decrypts it first!
Spaces added by me to get past slashdot filter. Any takers?
I.e., they left the front door open and attached a post-it saying "please don't look under the shelf".
King of the world? Seriously? Must have an extremely small set of tackle between the legs :-)
He does. And it's not his either.
So basically, they're coming to the defense of customers being ripped off by this lender, and they're going to show 'em who's boss by widening the customers' exposure to identity theft? Wow, there's some moral high ground there. The customers must be so grateful.
"Howdy neighbor. I happened to hear you beating your wife last night. You can give me $1000 and I'll go away quietly. Otherwise, I'll give her another beating myself."
The only losers here are AmeriCash Advance customers.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Fucking door analogies, how do they work?
It's not okay to steal? No shit, Sherlock.
no it's not, in your analogy the person is consciously sending the contents of the safe to you. at no point in the actual scenario did this happen.
we can agree however, that accessing the information was not a criminal offence.
what they did with the data afterwards quite clearly is though.
i spent five minutes thinking and all i got was this crappy sig
The only losers here are AmeriCash Advance customers.
True. Only losers would get a loan from AmeriCash Advance.
So that's OK then, Mr Fucking Billionaire-Twat?
To have a right to do a thing is not at all the same as to be right in doing it
People don't have a clue as to how difficult that business is!
You have to look at losses as well to judge. Imagine you put your entire savings on the street, and anyone who came to you and said "hey, can I borrow some money?", you simply hand them a stack of bills. How many of those people are going to pay you back?
The loans are expensive because the default rates are phenomenally high (depending on the biz, up to 50% simply walk away from the loan at some point). And they have a specific purpose...they are much, much cheaper than bank overdrafts. The APR's for an NSF fee can run into the Millions of %.
Everyone assumes (people who hate payday lenders, AND people who want to enter the payday business) that they're disgustingly profitable, but that isn't quite the whole story. There are only a few exceptional people on this planet who possess both extremely poor financial planning aptitude, and yet have mad skills at flawlessly servicing their financial obligations.
Although, from what I've seen, these lenders tend to hire the cheapest option for their IT and web dev (clueless foreigners). I'm really surprised these security breaches don't happen more often.
The real path to male liberation
But give me 5 dollar or I tell everyone about this post of yours on slashdot, that is a bit less clear. How can you extort someone with information they published themselves?
Also, for a financial institution, it is illegal to have information so readily available. Who is the bigger criminal here?
If I extort you by saying give me a fiver or I will tell everyone where you buried your victims MIGHT see the police question me but it is YOU that will end up in jail.
Go ahead bank, file charges against the hackers, then explain in court how you violated countless banking and privacy laws.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
no, the reason to hate them is that they're giving loans to people who shouldn't be given loans in the first place. otherwise they could be getting it from the bank for 15% apr.
usually it's just plain old usury.
(I guess in usa you can bankrupt yourself and really walk away from the loan though? or is it like europe where you can't pretty much walk away from it short of stopping to paying taxes and having legal income totally).
world was created 5 seconds before this post as it is.
So, if your car breaks down, just walk that 15 miles to work? There are plenty of cases where the expense makes sense. You gotta do what you gotta do.
The loans are too small for it to be practical to take legal action...your typical loan is $300 with a $90 finance charge. A lawyer costs much more than that... So yeah, you can walk away and forget about it. And many people do, fraud and default is rampant, and that fact makes the entrapment argument kind of silly.
And the funny part is, despite the expense, the only people who hate payday loans are the people who have never had one. The lenders are scared of being legislated into the dog house, so they're careful and play nice.
If a customer is having trouble, all they have to do is say so. Generally they'll stop assessing interest, and then they'll create an installment plan that works best (e.g. one that makes the customer happy so they won't walk away).
Although, there are some bad eggs, and typically they do business from overseas or from indian reservations. Those are where your horror stories come from.
The real path to male liberation
Sorry, but gl4ss was right when he said:
no, the reason to hate them is that they're giving loans to people who shouldn't be given loans in the first place. otherwise they could be getting it from the bank for 15% apr.
You give a few specific examples of times when people need to take payday loans, but the simple reality is that if you have a credit card or an overdraft with the bank, you don't need a payday loan. That's what credit and overdraft are for.
And I'm not entirely sure where you get the idea that a $300 loan with a $90 finance charge is "much, much cheaper than bank overdrafts". I have an overdraft on my chequing account, and the APR for going into it is prime + 2%. Prime lending rate with my bank right now is 2.25%, meaning that the *annual* interest rate for going into overdraft is 4.25% for me. There is a "convenience fee" stipulated in the contract of $25, but that gets waived if I haven't used the overdraft in more than 30 days. The point of an overdraft is *not* to give you an extra $1000 to spend as you will, it's to let you write cheques for emergency things like fixing your car without worrying about whether you'll have the money until next Friday.
And the funny part is, despite the expense, the only people who hate payday loans are the people who have never had one. The lenders are scared of being legislated into the dog house, so they're careful and play nice.
29.97% interest rate on loans is *not* playing nice. That's how much the payday loans people charge in this neck of the woods, and the only reason they charge so little is because usury laws prohibit charging 30%. My Visa rate is 12.9%. It could be lower if I was willing to pay an annual fee, but I don't carry a balance, so I don't really care what the rate is. It is cheaper, by far, for almost all of us to put that car repair on credit than it is to get a payday loan. The only people who *need* to get a payday loan are the people whose credit is bad enough that they can't get a credit card, and you need to have pretty bad credit to be in that situation. (if your credit is absolutely *terrible* you can still get a card at 29% annual interest, which is the same that the payday lenders charge, but the credit card won't charge you the $90 processing fee on a $300 loan, they'll just start charging interest 30 days after the purchase date).
If a customer is having trouble, all they have to do is say so. Generally they'll stop assessing interest, and then they'll create an installment plan that works best (e.g. one that makes the customer happy so they won't walk away).
If you think credit cards and bank loans don't work like that, then you've never dealt with a credit card or a bank. If you have a good relationship with your bank manager, then this kind of thing is easy to arrange with them. Even if you don't have that kind of relationship, most of them have a clause that will let you skip a payment, and most credit card companies will lower your interest rate without argument if you call them and ask them to do it. (the "official" interest rate on my Visa is 19.99% to start... I called them and asked them to lower it).
So yeah. I do hate payday lenders. And no, I've never needed to use one. But I still have a legitimate reason for hating them: their client base is, by and large, people who are at the lower income tiers and can *least* afford to pay the exorbitant rates they have. Beyond that, their client base is, largely, people who were never taught how finance actually works, and they are being taken advantage of. Nobody has bothered to explain to these people that they are buying the most expensive credit on the market, and it sets up a vicious cycle. I know too many people who get into a payday loan and end up getting one every paycheque because they have bills that they can't pay because they're paying last week's loan.
So yes. I have an ethical problem with payday lenders... they are the dregs of society, and they are feeding on the poor. And they are set up in such a way that keeps the poor down. They need to go.
while questioning suspects & informants, so it must be ok.
Extortion is "acquisition by violence, threat, oppression, or abuse of authority." A threat to release information is still a threat, so blackmail falls within that definition. Thus blackmail is not necessarily much less serious than extortion.
Contribute to civilization: ari.aynrand.org/donate
OK let me get this right. You extort money from a group that preys on the poor then because they won't pay up you expose the financial and personal data of the same poor people you say are being taken advantage of?
It all starts at 0
This here is an example of not using appropriate sources:
Yeah, a wikipedia article that characterizes the law with no citations to primary or secondary sources regarding the law (only citing a general -- not legal -- dictionary and another digital encyclopedia) it characterizes isn't really something you want to rely on.
The actual US federal extortion law is 18 USC Chapter 41; the two general provisions of which (not requiring the perpetrator or victim to be public or foreign officials or specially protected persons or having other similar special limitations) are 18 USC Secs. 873 & 875:
I don't think either really applies to the behavior at issue here.
Non-federal extortion provisions will vary considerably from jurisdiction to jurisdiction, so you really need to look at the laws of the jurisdiction applicable to the particular event.
Right, but I think the point is that it's a stupid law. (And therefore nobody respects it or obeys it, and therefore nobody expects anyone else to obey it, and therefore that law is useless to (and probably even contrary to) the cause of justice.) In a thread titled "strange sense of morals" that's not irrelevant.
Are you authorized to read the data at http://amazon.com/? How do you know? Who authorized you? When? What evidence do you have that you were authorized to request that page? What evidence do you have that you were authorized to receive the reply after you request that page?
I know those are all stupid questions, but only because you have not been authorized to read Amazon's page, or if you have, it was done secretly inside Amazon and was never communicated to you. That is why it is a stupid law.
It reminds me of how nobody has ever actually been prosecuted for playing a CSS-protected DVD on a DVDCCA-approved DVD player. Every time you descramble the CSS on a DVD, that's "circumvention" and illegal per DMCA, unless you have authorization by the movie's copyright holder, to do that. But of course, nobody has ever gotten authorization to do that. (Disagree? Prove it, or at least show some modest indirect evidence. This is harder than you think. Hint: purchasing the DVD does not imply permission to descramble the CSS, or else 2600 would have won their DeCSS case.) Every time anyone played a commercial DVD or BluRay, they were breaking the law, and the player manufacturer and the retail store who sold the player, broke the law too. That is, unless there's some sort of secret and uncommunicated authorization.
So how do you know if you're authorized? You don't. You never know, until the moment you die without ever having been called to court.
Same for public web servers. Everyone just assumes that information left in public, and without any notices it shouldn't be accessed, nor with any even half-hearted ineffective attempts to limit access, is .. well .. publicly accessible. But then fuckwits come along with a law saying you need authorization -- something that no one ever has, or at least can never show or demonstrate they have. The only authorization is hidden within the mind of whoever owns the server. It is never revealed, and its lack is also never revealed, until the moment you get a letter from a lawyer or are confronted by a cop.
They can retroactively say you didn't have authorization, and there's nothing anyone can do about it. Any arguments they make which happen to get applied to clearly valuable or sensitive information (situations where common sense tells you the owner wouldn't want the information to be public -- situations the law was ostensibly intended to cover) apply just as logically to Amazon's home page. It's just that if Amazon prosecuted you for shopping at their store, the judge would laugh them out of court despite the technical wording of the law, simply because it's so absurd. Common sense would prevail if Amazon sued you for being a customer -- in defiance of what Congress wrote.
But in between these two extreme examples, is a shitload of gray area. (Nearly everything you did on the web today was technically illegal.) The written law doesn't distinguish between any two points along this spectrum, just as DMCA doesn't distinguish between pirates and people merely playing their DRMed movies on Sony players. It must necessarily come down to a judge needing to pull an arbitrary decision out of their ass, every single time.
Not that I have any sympathy for the bad guys in this case. The extortion is illegal in itself, and shows some clearly malicious intent. If
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
robots.txt is a hint file to automated software crawling websites.
Note that everything on a web site is published.
Possibly not indexed, but, for an individual, robots.txt is just as valid an index as index.html.
So, the company published the information; the hacker group now has the information.
It wasn't theft -- the company still has the information.
The hacker group now told the company about this information. Actually, this should have been known by the company. Given that the company did not want to pay for suppressing republication, we can assume that they were aware.
The information accessed was a simple data list. Since this is pure information, it cannot be copyrighted.
So, republishing this information is not copyright infringement.
A simple offer was made -- please pay us not to republish the information. This is a normal legal offer. No law would be broken by republishing, and the information was not obtained illegally. It may have been worth something to republish, or (as the government has shown by paying farmers not to grow crops) it may have been worth something to not republish.
Given that the company should have been aware of the availability of the information, we must assume that they wouldn't mind the republishing.
The hacker group would wish to remain anonymous. I imagine that the people on the list may like to sue someone, and may try to sue the hacker group. Making this more difficult makes sense. (Especially if the hacker group is not US resident).
This is not illegal access, extortion, copyright infringement or any other crime that I can think of. You may not like it. Heck, I don't like arbitrage.
It appears from your comment (focussing on the header) that you believe there is a difference between moral and legal here (Sophocles' tragedy Antigone comes to mind). As Plato exposes, you may want to work to bring your morality and law closer.
Be careful. Steps in that direction may bring the downfall of the Web (certainly the concept of URLs).
The hacker group has it right. They simply demanded a fee for stupidity. I don't believe that you can legislate stupidity out of existence.
Just another "Cubible(sic) Joe" 2 17 3061
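An added example, not part of any comment in this thread: since robots.txt is a publicly readable hint file and not an access control, a site owner can check every Disallow rule against their own route inventory and flag sensitive routes that are served without authentication. The sample robots.txt, the paths and the inventory format are constructed assumptions; the page does not give AmeriCash's actual URLs.

```python
"""Audit robots.txt Disallow rules against a route inventory (added example)."""

# Constructed sample; the paths are placeholders, not AmeriCash's real URLs.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /affiliates/stats.php   # constructed path
Disallow: /admin/
Disallow: /search
Disallow:
"""

# Hypothetical inventory kept by the site owner: route -> (sensitive, requires_auth).
INVENTORY = {
    "/affiliates/stats.php": (True, False),
    "/admin/login": (True, True),
    "/admin/users": (True, True),
    "/search": (False, False),
}


def parse_disallow(robots_txt):
    """Return (user_agent, path) pairs for every non-empty Disallow rule."""
    rules, agents, in_rules = [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # rule lines ended: new group
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:    # empty Disallow means "allow all"
                rules.extend((agent, value) for agent in (agents or ["*"]))
    return rules


def audit(robots_txt, inventory):
    """Return (disallow_rule, route) pairs that are sensitive but served without auth."""
    findings = []
    for _agent, rule in parse_disallow(robots_txt):
        # Treat the rule as a path prefix; ignore wildcard and end-anchor syntax.
        prefix = rule.split("*", 1)[0].rstrip("$")
        for route, (sensitive, requires_auth) in sorted(inventory.items()):
            if route.startswith(prefix) and sensitive and not requires_auth:
                findings.append((rule, route))
    return findings


if __name__ == "__main__":
    for rule, route in audit(SAMPLE_ROBOTS, INVENTORY):
        print(f"{route}: listed via 'Disallow: {rule}' but reachable without login")
```

A finding means the fix belongs on the server (require authentication for the route); removing the line from robots.txt only stops advertising it.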
Criminal stupidity is responsible for the vast majority of arrests. So it's not surprising that Rex Mundi went for the absolutely boneheaded move of trying to extort the scumbag AmeriCash. That move is about as lucrative and, only slightly less risky than robbing a bank. They could have made a lot more money --and had a much better chance of avoiding law enforcement-- if instead they had just quietly sold this data to AmeriCash's scumbag competitors.
Instead, their actions have rewarded them with the rapt attention of the same type of law enforcement team that was able to track down members of Anonymous.
Aha, so they probably used that top secret hacker technique known as a "site:url" google search lol.
The difference is that you can't take the picture of the wad of twenties to Best Buy and get a big screen TV.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Their client base is actually, by and large, lower middle to middle class. Of course, I'm sure you can cite one example... I have had the daunting task of referencing tens of millions of these sort of records while doing this that or the other thing for some clients. As your sole point of reference on this topic, I'm observing that you're making things up and getting emotional about it.
I suppose banking is cheaper in the UK, in the US it is quite expensive. As little as a $0.01 cent overdraw is usually an automatic $35.00 fee without additional protection (which requires good credit to obtain).
They are a tool like any other, and to judge an entire ecosystem of commerce on a few hard luck cases is short-sighted. The majority have no trouble. The ones that do typically walk away, and a few come back later when times are better.
There are some adults lending to other adults as a service.
They charge for this service.
Some of them are easier to borrow from than others. The easy ones tend to charge more (aka be mean and nasty and EV1L!!!), as they are taken advantage of more often.
I believe your viewpoint is a symptom of some sort of loneliness...The only thing you reference in your post is what you do and how you feel. What you are talking about has nothing to do with what is actually happening *outside*, you know, the great green and blue and concrete world out there. Even the "bad" stuff really isn't bad, it's just life. Everything has a place, even the big bad evil moneychangers.
The real path to male liberation
And you cannot use the customer data for the same purposes as the company who originally compiled it, you have no prior business arrangement with these people while the company clearly does. Your point?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!