Can I get in trouble for reporting security issues to my bank?
June 27, 2006 11:11 PM

Can I get in trouble for reporting security issues with my bank's online interface?

I want to be discreet because I'm slightly worried about getting in trouble. I recently discovered that I can decrease a single number in a URL at an online financial institution's website and see other people's linked checking accounts from other banks. I could get their routing numbers and checking account numbers. I have a big long email written that explains the issue in detail, however I'm worried I could somehow face trouble. At first I thought the most I'd get out of it was a reward, but paranoia has me thinking I might face scariness. Should I send the mail?
posted by floam to Law & Government (43 answers total) 16 users marked this as a favorite
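The flaw floam describes is an authorization check that is missing from the server side: the page trusts whatever record number is in the URL. As an added example that is not part of this thread or of any bank's code, here is that handler modelled in a few lines of Python, next to the same handler with an ownership check, and (going one step beyond the thread) with the guessable sequential id replaced by an opaque per-record reference. All account data, names, ids and paths are constructed.

```python
"""Added example (not from the thread): the "change a number in the URL" flaw
modelled as a tiny request handler, beside the same handler fixed.
Every value below is constructed sample data."""
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class LinkedAccount:
    record_id: int          # sequential database key (constructed)
    owner: str              # login name of the customer who linked it
    bank_name: str
    routing_number: str     # constructed sample values, not real numbers
    account_number: str


# Constructed table: consecutive ids that belong to different customers.
LINKED_ACCOUNTS = {
    1041: LinkedAccount(1041, "alice", "Example Bank A", "011000000", "1111111111"),
    1042: LinkedAccount(1042, "bob",   "Example Bank B", "021000000", "2222222222"),
    1043: LinkedAccount(1043, "carol", "Example Bank C", "031000000", "3333333333"),
}


class Forbidden(Exception):
    pass


def view_linked_account_vulnerable(session_user: str, record_id: int) -> LinkedAccount:
    """The flaw from the question: the id in the URL is looked up directly and
    nobody asks whether that row belongs to the logged-in user."""
    return LINKED_ACCOUNTS[record_id]


def view_linked_account_fixed(session_user: str, record_id: int) -> LinkedAccount:
    """Same lookup with an ownership check. One error for both 'unknown id' and
    'someone else's id', so the response does not reveal which ids exist."""
    record = LINKED_ACCOUNTS.get(record_id)
    if record is None or record.owner != session_user:
        raise Forbidden("no such linked account for this user")
    return record


# Beyond the thread: put an unguessable reference in the URL instead of a
# sequential id, so there is no number to decrement. Ownership is still checked.
REFERENCE_TO_ID: Dict[str, int] = {}
ID_TO_REFERENCE: Dict[int, str] = {}


def reference_for(record_id: int) -> str:
    """Return (creating on first use) a random opaque reference for a record."""
    if record_id not in ID_TO_REFERENCE:
        token = secrets.token_urlsafe(16)
        ID_TO_REFERENCE[record_id] = token
        REFERENCE_TO_ID[token] = record_id
    return ID_TO_REFERENCE[record_id]


def view_by_reference(session_user: str, reference: str) -> LinkedAccount:
    """Resolve the opaque reference, then apply the same ownership check."""
    record_id = REFERENCE_TO_ID.get(reference)
    if record_id is None:
        raise Forbidden("no such linked account for this user")
    return view_linked_account_fixed(session_user, record_id)


def demo() -> dict:
    """Replay the scenario from the question: bob decreases the number by one."""
    result = {}
    leaked = view_linked_account_vulnerable("bob", 1041)   # bob sees alice's row
    result["vulnerable_leaks_owner"] = leaked.owner
    try:
        view_linked_account_fixed("bob", 1041)
        result["fixed_blocks"] = False
    except Forbidden:
        result["fixed_blocks"] = True
    result["own_record_ok"] = view_linked_account_fixed("bob", 1042).owner
    result["reference_ok"] = view_by_reference("bob", reference_for(1042)).record_id
    return result


if __name__ == "__main__":
    print(demo())
```

The opaque reference is defence in depth, not a substitute for the ownership check: a reference that leaks (in a referrer header, a bookmark, a log line) must still be useless to anyone but its owner, which is why `view_by_reference` calls the fixed handler rather than the table directly.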
 
Of course they will screw you. Don't send the mail, just switch banks.

More reasonably put, what does opening up yourself to that liability benefit you?
posted by 517 at 11:22 PM on June 27, 2006


Hmm.
  1. That good-samaritan warm feeling.
  2. I get to keep my very high percent interest savings account.
  3. Reward?
I really want to do the right thing. Someone else could decide to steal a few thousand people's information.
posted by floam at 11:29 PM on June 27, 2006


Send it anonymously?
posted by thirteenkiller at 11:33 PM on June 27, 2006


Yeah, send it anonymously. Drop it in the mail w/o a return address.
posted by special-k at 11:34 PM on June 27, 2006


Might do that. Would rule out reason number three though.
posted by floam at 11:35 PM on June 27, 2006


report this anonymously and see if something changes.
posted by cellphone at 11:40 PM on June 27, 2006


Any legal experts know specifically what to watch out for?
posted by floam at 11:42 PM on June 27, 2006


You could also consider writing and reporting to the FTC or BBB or.. hrm... someone. That shit ain't right. A URL should NEVER contain an unencrypted account number for myriad reasons.

Meanwhile, maybe you could cough up the bank name so that, for instance, if I was keeping money there... you know... I could remove it.

I once used a company's billing software. When browsing their site, it went into PHP source code. Embedded in this source code was their Authorize.net user name and password. I called them to inform them that there had been a breach in their security. They gave me 3 years of free, unlimited account support and bent over backwards for us, because they knew we could have had them bent over their own barrel.
posted by disillusioned at 11:44 PM on June 27, 2006


I can't imagine that you would get into trouble, you haven't done anything wrong, they have.
posted by fshgrl at 11:57 PM on June 27, 2006


you haven't done anything wrong

Well, in this crazy new world of computing where everything is a crime, simply changing a value in a URL can constitute hacking in the authorities' eyes, so I'd tread softly.
posted by influx at 12:03 AM on June 28, 2006


I'd even hesitate anonymously reporting this. With decent logs, they could pull the IP addresses of people making those kinds of sequential address requests, and then, if they wanted to get dirty, subpoena your ISP to see who you, the dirty hacker, are.

Then again, banks are notorious for keeping these issues silent. I know local law enforcement here in Southern California has a tremendous problem getting banks to even file a report or cooperate in financial crimes. It's written off as a loss and (occasionally) the hole is fixed. And there's no bad publicity.

So, flip a coin if you want, but I wouldn't say a word.
posted by empyrean at 12:15 AM on June 28, 2006


It makes me sick to say it, but you may be better off not reporting it at all. In theory, you could report anonymously, but their server logs still tie you to this "hack" of their system -- and unfortunately too many companies have demonstrated a preference for lashing out at the bug reporter rather than fix the reported bug. And law enforcement backs them in it.

Switch banks.

(on preview, seconding what empyrean said)
posted by nakedcodemonkey at 12:18 AM on June 28, 2006


If you want to tell them, I have two ideas.

(a) Try to get in contact with someone as relevant to the problem, and as high up in the organisation as possible. They will have someone who manages account security on staff. Get in contact with them - they are more likely to understand what you are trying to tell them. Telling a teller, or the call centre staff, either won't get you far, or will set off inappropriate alarm bells in some lower-end manager's head.

(b) If that isn't possible, frame this as a concern about your own account security. That is to say, complain about the possibility of someone hacking into your account, rather than telling them about your ability to hack into other people's accounts. They might smell litigation, and do everything they can to make sure the hole is fixed.
posted by Jimbob at 12:20 AM on June 28, 2006


If you do choose to put yourself at risk just for the sake of doing the noble, ethical thing (thank you), maybe do that anon report through US-CERT instead of direct to the bank. That'd put more pressure on them to actually deal with the problem since CERT won't help them sweep it under the rug.
posted by nakedcodemonkey at 12:28 AM on June 28, 2006


Jimbob: That's pretty much how I have the letter written right now (concerned about my security). Here's a censored version of it:


Hello,

I am logged in and was about to enter the two deposits in order to verify a new linked checking account at:

http://***********************

My information shown there is:

**BANKNAME** **CHECKING ACCOUNT NUMBER**

I accidentally hit backspace in the URL and so I tried to replace the final number there to get back to where I was. I apparently changed the number ***** to ***** in the address.

I can see some other guy's private checking account information!

http://***********************

**HIS BANKNAME** **HIS CHECKING ACCOUNT NUMBER**

I do not like the idea that anyone who owns a keyboard and can count is capable of viewing my checking account number from my other bank. This is a major issue. It appears that one could keep decreasing that number and be shown many people's confidential information.

I'm very very upset with *******'s security! I would very much appreciate it if you guys could fix this and assure me that my sensitive information is safe with *******.

Thanks

posted by floam at 12:28 AM on June 28, 2006


That's not bad. Now ring up the bank and get the address of the security officer, or web site administrator to send that to - by snail mail, if possible.
posted by Jimbob at 1:23 AM on June 28, 2006


You should also sue them if they don't fix it within the week for not properly protecting your assets.
posted by beerbajay at 1:34 AM on June 28, 2006


If you do send it, don't think you should get your hopes up of any sort of reward, other than a thank you.
posted by necessitas at 1:39 AM on June 28, 2006


1) The bank will not reward or thank you.

2) It is entirely possible that the bank and local law enforcement will come after you for "hacking". From the bank's point of view, they want the public story to be "Hacker Arrested for Crime" rather than "Bank Programmer's Incompetence Exposes Account Information". They may be willing to lie or distort the information they present to law enforcement in order to secure the first narrative rather than the second. It's their reputation on the line (CYA), and potentially millions of dollars. If their customers sued for exposure of their financial data, the bank would look much better in court if it was caused by external hackers rather than internal incompetence. Consider: the bank would stand to gain millions of dollars by getting you arrested.

I wouldn't touch this with a ten-foot pole if I were you. If you do decide it has to be exposed, the best way might be contacting your local newspaper, and giving them the story. Publication will cause the problem to be quickly fixed, and you avoid any direct contact with the bank.
posted by jellicle at 2:24 AM on June 28, 2006


Following on from jellicle's comment, floam could always control the public story by going to the press himself -- it's doubtful that if he reported the incident to the press as a concerned customer, the bank would then try to attack him. At that point, they'd probably just be trying to damage-control.
posted by ukdanae at 2:28 AM on June 28, 2006


Sadly, most companies don't react well to having Bad Things pointed out.

I spotted a security hole in a major UK retailer's web site a couple of years ago and dropped them a polite, helpful email. I got a rather stern reply telling me how they're fully aware of those kinds of security issues, with a clear 'shut up and go away' vibe.
It still isn't fixed, and I won't be reporting anything in future. It's too risky nowadays, and most people just don't want to hear bad news.
posted by malevolent at 2:38 AM on June 28, 2006


I certainly wouldn't expose the problem through a media agency as that only puts all account holders at a greater risk, giving would-be criminals a street map to money.

The online site must have a contact form of some sort. Submit a generic/anonymous comment about the ability to view other accounts (don't call it hacking). Do it from an internet cafe. One that doesn't require you to log in with a name?
posted by medium format at 2:41 AM on June 28, 2006


Perhaps things are really different in North America. When I worked for a multinational bank based in Australia, on their internet banking product, we were very, very concerned about security, and grateful for tip-offs. We certainly did not try to punish concerned citizens with information, which would have made for terrible PR.

I read a lot of speculation in this thread about adverse consequences for you, but no evidence. The one link provided says in the first paragraph "nothing bad happened to me" and finishes with the advice that you could safely go through CERT.

You're all a bunch of paranoid bank-haters.
posted by i_am_joe's_spleen at 3:08 AM on June 28, 2006


I would tell them. I would phrase it as best practices would not include the user's account number in the URL.

I recently received a new account email with the name and password. I informed them that this is not a good idea, and they reacted like they were unaware and would work to fix it.
posted by Gungho at 4:14 AM on June 28, 2006


I would send an email to full-disclosure@lists.netsys.com or some other full disclosure mailing list, but, maybe that's just me. If it's not fixed after that, I would probably stop doing business with them, since they either don't care to fix it, or don't have the resources to fix it. In any case, your money is no longer safe with them, you should consider switching to a different bank if at all possible.

I definitely think contacting the media is a good thing. In many cases, the only thing that will cause a company to fix anything at all is the bad publicity... Especially if this is a local bank, where a local newspaper or tv station may have some influence in the community.
posted by yeoz at 4:26 AM on June 28, 2006


You could consider sending an email to one of the 'net's security celebs such as Steve Gibson or Bruce Schneier. These guys might be able to get someone a little higher up at the bank to pay attention (and can threaten with publicity if the bank does not fix the problem in a timely manner).
posted by Tallguy at 4:29 AM on June 28, 2006


I tried to report a security risk to my bank after I inadvertently linked my account to my landlord's account, but the person on the help line had no clue that there was a problem.
posted by bleary at 4:30 AM on June 28, 2006


I work for a bank. Managing our online channel. Unless this bank is one of the national behemoths, I guarantee you that the best way to bring this to someone's attention is to write a letter to the head of the company. Find out who that person is (chairman, CEO, whatever - should be in an annual report if you get one) and send the letter to him or her by name. He or she won't get the letter until lots of people have seen it, but he will get it, and wonder what the hell is going on, and the lots of people who have seen the letter will have scurried around and done something by then, even if it's just locking down the goddamned channel until they can figure it out.

The wording of your proposed letter seems fine to me.

I can also guarantee that someone will pull IP logs and review your activities. If what you say is true and you just pecked around long enough to go "oh, shit!", I know how we would handle it, but I wouldn't make any assumptions about how your bank might, as they seem to be an ignorant lot of fools.
posted by ersatzkat at 5:04 AM on June 28, 2006


Just track down the IM director at the bank, and send him an anonymous email. He'll have the power to get it fixed, and the self-interest to do that instead of making nonsensical accusations against you.
posted by Goofyy at 5:25 AM on June 28, 2006


I'm one of the people to whom the technical aspect of the problem would come at a bank (hopefully not the one you're referring to :-> ) - however, this is just my opinion. First off, yes, you should absolutely report it to them, for a couple of reasons:
* If someone else reports the problem to them, they may comb back through their logs looking for people who have exploited the bugs previously. Then you are a possible malicious hacker instead of someone who made a mistake.
* If it continues to go unreported, someone much more malicious could discover it, and exploit it to cause many problems.
The absolute worst thing you could do would be what a few people have suggested and take it to media, full-disclosure, or whatever - this would also pretty much guarantee that you would be viewed by the bank as someone who was out to a.) exploit the security issue, or b.) blackmail them to some extent. Granted, at our bank, a posting to full-disclosure would be a quick way to get the issue to the right people, as we all monitor that list actively.
The route I would take would be to phone the bank directly, from a pay phone if it makes you more comfortable, and ask to speak to someone in their IT Security department (hopefully they have one - you don't mention the size of the bank) regarding an issue with their website. If they're unwilling to put you through to someone, then scour their website for a security contact, and put that to use - I think the e-mail you wrote sounds fine. Nobody at our bank anyway, is going to chase you down as a hacker for that.
That said: MOVE YOUR MONEY TO A NEW BANK ASAP. If they have a security hole this huge in their online banking, there are more. I guarantee it.
posted by jferg at 5:59 AM on June 28, 2006


Jesus Christ, do not report it. As simple as this problem is, no law enforcement official will be able to understand it and you will be arrested for "hacking." I'm sorry to say that being a good samaritan is no longer possible in these scenarios, but the incompetence of police and prosecutors demands that you cover your ass and just wait for the bank to get royally fucked. Switch banks.
posted by Optimus Chyme at 6:17 AM on June 28, 2006


Can you contact your state's attorney general's office? Many now have divisions for cyber crime, which are staffed by people much more knowledgeable about how computers and computer security work than the average law enforcement schmoe. Tell them you've discovered a huge security hole at your bank, and you're terrified.

Your profile says you're in Vancouver, Washington. I happen to work in Vancouver, and just two weeks ago I went to a seminar there given by the AG's office about staying "safe" online. I talked to a couple of AG employees, who seemed knowledgeable and genuinely concerned about this sort of thing. Here's their net safety site.

I'd suggest you call the AG's consumer protection office in Vancouver, at (360) 759-2150 and tell them you want to talk to someone about computer fraud or cyber security. That hotline is staffed by volunteers who probably won't be able to help you much, but they have some insight into the inner workings of the AG's office and should be able to tell you who you do need to talk to.

In my experience with Washington state government offices, making initial contact over the phone is much more effective than using e-mail or web-based forms. If you're not good on the phone, maybe write out a script that helps you explain your concern -- something similar to the letter you wrote.
posted by croutonsupafreak at 7:07 AM on June 28, 2006


PS -- I'm also a business reporter at a Vancouver newspaper, and I'm working on a story about Internet security. If you're willing to talk to me further about this issue, I'd love an e-mail. My contact info's in my profile. Any initial conversation would be off the record, and if I did write about your bank's security issue (with your permission) I would do so in a way that obscures how you got access to other people's accounts.
posted by croutonsupafreak at 7:11 AM on June 28, 2006


TELL THEM NOW. Contact the bank's online banking department, and ask to speak with a support engineer or someone in web security.

And for the responders who say that he'll get screwed, I have two remaining points/queries:

1) Quote your source: nobody is going to come down on someone who points out a security flaw, and if that were to happen, the good samaritan would have a field day in court and in the press. What bank is going to allow the press to run with a story that says "customer points out security flaw in bank's software, gets cornholed as thanks."

2) If he doesn't tell them, and someone defrauds the bank, and they find out that the hacker discovered the technique by reading a MeFi question (or troll the logs and find that the OP was the first to attempt it), some lawyer's going to have his way with the poster.
posted by Merdryn at 7:16 AM on June 28, 2006


One of the things I used to do in a previous job is deal with this kind of problem for a large, well-known and highly paranoid national bank.

No, don't report it to the bank. Report it to The Office of the Comptroller of Currency of the US Department of the Treasury which is the federal regulator for national banks. Send a letter to the OCC, and a copy to your bank's legal/compliance department. I guarantee you'll be treated with far more respect this way than you would by trying to fiddle your way through a bank's customer contact maze.
posted by majick at 7:46 AM on June 28, 2006


Yeah, I can only imagine that actually coming forward and pointing out a security breach is pretty much a surefire way to exonerate yourself as a "hacker", particularly if you honestly haven't taken advantage of the breach in any way.

Sure they could get snippy about it and may even question you-- because they ought to, for security reasons-- but the odds of you facing any huge problems because of this seem remote to me. And while I wouldn't rule out the possibility of reward, I imagine that helping to have fixed this problem will at the very least make a great story.

The longer you wait, the less convincingly you will be able to sound indignant that your own information is also vulnerable. Don't write a letter-- call immediately, and get as high up as you possibly can. If anyone asks you what you were doing when you figured this out, tell them you just wanted to see whether the most rudimentary precautions had been taken to guard your own information-- clearly not the case.
posted by hermitosis at 7:48 AM on June 28, 2006


The OCC may not be the right authority. I worked for a Federal Savings Bank, and it reported to the Office of Thrift Supervision.

You're describing a setup that sounds familiar to me, and I find myself wondering if you are working for my former employer. I hope not, but considering I still know a lot of people there, would be willing to bring it to the right person's attention if it turned out to be my old employer. At Ye Olde Former Employere, you would not be persecuted (or at least my experience with similar issues indicates to me that you would not).
posted by Medieval Maven at 9:22 AM on June 28, 2006


If you don't report it, they've still got the logs of you exploiting it -- better hope no-one else ever discovers it and reports it, or you end up just the guy that exploited it instead of the guy that discovered and reported it.
posted by mendel at 9:48 AM on June 28, 2006
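empyrean, ersatzkat and mendel all make the same point from the bank's side: the access logs record who fetched which record id, and someone will eventually read them. As an added example, not from the thread and not any bank's tooling, here is what that review could look like in Python: it parses constructed Apache-style log lines, groups successful requests to the linked-account page by client, and flags clients that walked through several distinct ids, noting how long the longest run of step-by-one ids was. The log format, path `/linked/verify/<id>`, IPs, user names and threshold are all assumptions.

```python
"""Added example (not from the thread): spotting sequential-id walks in access
logs. Every log line, address and id below is constructed sample data."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed lines in Apache combined format (IPs from documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - alice [28/Jun/2006:00:01:05 -0700] "GET /linked/verify/1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - alice [28/Jun/2006:00:01:40 -0700] "GET /linked/verify/1041 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
192.0.2.10 - alice [28/Jun/2006:00:02:02 -0700] "GET /linked/verify/1040 HTTP/1.1" 200 501 "-" "Mozilla/5.0"
192.0.2.10 - alice [28/Jun/2006:00:02:15 -0700] "GET /linked/verify/1039 HTTP/1.1" 200 503 "-" "Mozilla/5.0"
198.51.100.7 - bob [28/Jun/2006:00:03:00 -0700] "GET /linked/verify/2207 HTTP/1.1" 200 499 "-" "Mozilla/5.0"
198.51.100.7 - bob [28/Jun/2006:00:05:11 -0700] "GET /account/summary HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.55 - carol [28/Jun/2006:00:06:30 -0700] "GET /linked/verify/3310 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
203.0.113.55 - carol [28/Jun/2006:00:06:31 -0700] "GET /linked/verify/3310 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
"""

# Combined-log fields we need: client ip, authenticated user, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path of the page that shows a linked account by record id.
TARGET_RE = re.compile(r"^/linked/verify/(?P<id>\d+)$")


def parse_line(line: str) -> Optional[Tuple[str, str, int, int]]:
    """Return (ip, user, record_id, status) for a hit on the target page, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = TARGET_RE.match(m.group("path"))
    if not t:
        return None
    return m.group("ip"), m.group("user"), int(t.group("id")), int(m.group("status"))


def ids_per_client(log_text: str) -> Dict[Tuple[str, str], List[int]]:
    """Map (ip, user) to the ordered record ids it fetched with a 200 response."""
    seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, rid, status = parsed
        if status == 200:
            seen[(ip, user)].append(rid)
    return dict(seen)


def longest_step_run(ids: List[int]) -> int:
    """Longest run of consecutive requests whose ids differ by exactly 1 (either direction)."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_distinct: int = 3) -> Dict[Tuple[str, str], dict]:
    """Clients that fetched at least min_distinct distinct ids, with the evidence kept."""
    flagged = {}
    for client, ids in ids_per_client(log_text).items():
        distinct = len(set(ids))
        if distinct >= min_distinct:
            flagged[client] = {
                "distinct_ids": distinct,
                "longest_step_run": longest_step_run(ids),
                "ids": ids,
            }
    return flagged


if __name__ == "__main__":
    for client, evidence in flag_enumeration(SAMPLE_LOG).items():
        print(client, evidence)
```

A count of distinct ids alone cannot separate a customer with several linked accounts from a stranger walking the id space; the step-run length and, in a real review, a join against the table that says who owns each record are what let an analyst tell "pecked around long enough to go oh, shit" from a sweep of thousands of rows.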


Could someone please expand on why this is actually an issue? Not being familiar with US accounts, it seems a big deal over little?

What can anyone do with your account number anyway? Isn't a sort code required? And/or various passwords to actually perform any sort of transactions?
posted by DrtyBlvd at 10:39 AM on June 28, 2006


1) I would report a stolen checkbook and close the account with that as the given reason. Just say you would "feel better." This gives you plausible deniability if the logs are examined. Of course, this very suggestion being online may hurt that.

2) Anonymously report it. You want to do the right thing, but you should definitely protect yourself against our insane legal system.
posted by sonofsamiam at 10:46 AM on June 28, 2006


What can anyone do with your account number anyway?

Print up fake checks and cash 'em, make electronic payments from the account, etc.

Isn't a sort code required?

I think that's the same thing as the US routing number, in which case yes you do need that, but it's easy to find (Google bank name "routing number").
posted by kindall at 11:34 AM on June 28, 2006


Take the situation to a lawyer, and have him contact the bank on behalf of "an anonymous client".
posted by yclipse at 3:23 PM on June 28, 2006


Okay. I altered the mail a bit and decided to Just Send It. I really can't be bothered to figure out which agency to report them to. If they resolve it, great. If they make this a pain for me, I'm resting assured that crazy online bloggers love this kind of thing and will make it a pain for Bank. If nothing happens, I'll look for a new channel to report this to.

I'll update this if I hear anything. I'll let you all know the name of the bank once I feel I'm not opening them up to Haxoring.
posted by floam at 4:53 PM on June 28, 2006

