Slashdot Mirror
Hacker Group Demands "Idiot Tax" From Payday Lender
snydeq writes "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"
It's not stealing, since they didn't delete the original file...
By putting a file on a public webserver, they were PUBLISHING that data. Wether they did so intentionally or not is irrelevant, they did publish it.
Anyone who accessed it did nothing wrong, they were simply using the website for the function it was intended, to access data made available to the public on it. They did not have to exploit any vulnerable services, nor did they bypass any form of access control.
The fault lies purely with the company for publishing such information.
The only thing the "hacking" group have done wrong is the attempted blackmail, they got the actual information fair and square.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If it was explicitely mentions in their robots.txt file, I assume it was done so to be excluded from robots.
More like having an unlocked door with a sign saying "Do not enter".
Yes, it was pretty damn stupid and very easy to avoid. That still doesn't make it okay for anybody to copy the data. If you see such security failures on a website, the right response is to inform the website owners. As I said; it's a strange sense of morals.
If those hackers get caught and fined, I assume the hackers will consider that an "idiot tax" as well. Afterall, they were idiotic enough to get caught.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Even if they did delete the original file it would not be stealing, but destruction of property.
Thank you for pointing out the flaw in the open door analogy that always gets trotted out. Although intent does play a factor, the important word in the law is "unauthorized" or whether or not actions "exceeded authorization".
Web servers are not open doors, and they are not like TRON.
They simply serve documents. Sometimes they will ask for security credentials before serving the document, or check internal policies (htaccess/session based authorization and ACL), but always end up serving a document even if it is a simple response in a header like a 404.
The only thing these hackers did was ask for a file (robots.txt) and notice that it mentioned another file and then asked for it directly.
"Exceeded authorization" would be an interesting argument because computers always do what you tell them to do, not what you meant for them to do. So while this company may not have intended to give authorization, they did in fact, give authorization to download the file. At the very least, they did not deny the hackers the ability to download the file, and were at no time confused about the identity of the hackers (representing public users).
If there is any appropriate analogy here it is that the company had a moron executive walking around with a briefcase full of business data, some random person asked if it was the business data and if they could have it, and the moron executive said why not, here it is. After the fact, random person contact company, informs them of said stupidity, and attempts to assess "idiot tax".
Idiot tax is highly appropriate here.
I would not prosecute these so-called hackers for computer crimes, but simple extortion.
Accessing a page referenced in robots.txt is not "hostile penetration analysis." It's basically just picking up a dollar bill left on the ground. Just because half the population doesn't know how to look at the ground (metaphorically) doesn't mean that it's stealing.
If those hackers get caught and fined
These geniuses will get more than a fucking fine if they're caught. Blackmail and extortionare serious criminal offences, so fthey'll be spending some quality time in prison.
To have a right to do a thing is not at all the same as to be right in doing it
More accurately, it's like accidentally posting a photocopy of your credit card on a bulletin board, presumably with a variety of other documents.
Interestingly enough, if you were to do the above and be so careless, I'm not entirely sure if the bank would be obligated to refund your money. Certainly, most banks/credit card companies have policies speak about only 24 hours to report "stolen" credit card information to maintain minimal liability on the card holder's part. Having said that, the criminal is still, well, criminal.
Considering the GP didn't speak about "just copying" information being harmless, I'd gather the answer is no. After all, the point isn't that blackmail or clearing out someone else's bank account isn't illegal and unethical/immoral. It's that one can't charge the person with "hacking" just because you're careless anymore than you could charge people with theft because they took a photo of your photocopied credit card. I mean, a lot of people may have accessed the information and done little or nothing with it; but certainly, there's a lot of legal things you could do, like mock the person who was so careless with their personal/company details.
Eurohacker European paranoia, gun rights, and h
Sorry, but gl4ss was right when he said:
no, the reason to hate them is that they're giving loans to people who shouldn't be given loans in the first place. otherwise they could be getting it from the bank for 15% apr.
You give a few specific examples of times when people need to take payday loans, but the simple reality is that if you have a credit card or an overdraft with the bank, you don't need a payday loan. That's what credit and overdraft are for.
And I'm not entirely sure where you get the idea that a $300 loan with a $90 finance charge is "much, much cheaper than bank overdrafts". I have an overdraft on my chequing account, and the APR for going into it is prime + 2%. Prime lending rate with my bank right now is 2.25%, meaning that the *annual* interest rate for going into overdraft is 4.25% for me. There is a "convenience fee" stipulated in the contract of $25, but that gets waived if I haven't used the overdraft in more than 30 days. The point of an overdraft is *not* to give you an extra $1000 to spend as you will, it's to let you write cheques for emergency things like fixing your car without worrying about whether you'll have the money until next Friday.
And the funny part is, despite the expense, the only people who hate payday loans are the people who have never had one. The lenders are scared of being legislated into the dog house, so they're careful and play nice.
29.97% interest rate on loans is *not* playing nice. That's how much the payday loans people charge in this neck of the woods, and the only reason they charge so little is because usury laws prohibit charging 30%. My Visa rate is 12.9%. It could be lower if I was willing to pay an annual fee, but I don't carry a balance, so I don't really care what the rate is. It is cheaper, by far, for almost all of us to put that car repair on credit than it is to get a payday loan. The only people who *need* to get a payday loan are the people whose credit is bad enough that they can't get a credit card, and you need to have pretty bad credit to be in that situation. (if your credit is absolutely *terrible* you can still get a card at 29% annual interest, which is the same that the payday lenders charge, but the credit card won't charge you the $90 processing fee on a $300 loan, they'll just start charging interest 30 days after the purchase date).
If a customer is having trouble, all they have to do is say so. Generally they'll stop assessing interest, and then they'll create an installment plan that works best (e.g. one that makes the customer happy so they won't walk away).
If you think credit cards and bank loans don't work like that, then you've never dealt with a credit card or a bank. If you have a good relationship with your bank manager, then this kind of thing is easy to arrange with them. Even if you don't have that kind of relationship, most of them have a clause that will let you skip a payment, and most credit card companies will lower your interest rate without argument if you call them and ask them to do it. (the "official" interest rate on my Visa is 19.99% to start... I called them and asked them to lower it).
So yeah. I do hate payday lenders. And no, I've never needed to use one. But I still have a legitimate reason for hating them: their client base is, by and large, people who are at the lower income tiers and can *least* afford to pay the exorbitant rates they have. Beyond that, their client base is, largely, people who were never taught how finance actually works, and they are being taken advantage of. Nobody has bothered to explain to these people that they are buying the most expensive credit on the market, and it sets up a vicious cycle. I know too many people who get into a payday loan and end up getting one every paycheque because they have bills that they can't pay because they're paying last week's loan.
So yes. I have an ethical problem with payday lenders... they are the dregs of society, and they are feeding on the poor. And they are set up in such a way that keeps the poor down. They need to go.
So if I set up a public webserver and send out an internal memo saying only certain people can access my web page and then google finds my webpage and you click on the link, I can have you charged with a computer crime?
robots.txt doesn't say "do not go here," instead it says "do not index this page." You can put a page in robots.txt that is meant to be accessed.