Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Businesses

How Do You Handle the Discovery of a Web Site Disclosing Private Data? 230

An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
This discussion has been archived. No new comments can be posted.

How Do You Handle the Discovery of a Web Site Disclosing Private Data?

Comments Filter:
  • Krebs (Score:5, Insightful)

    by kylemonger ( 686302 ) on Sunday March 01, 2015 @08:24PM (#49161091)

    Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

    • Re: (Score:3, Funny)

      Absolutely. Tell lots of high profile people who loose lips. Hey, tell your favorite prostitute while you are at it!

      Blab about it on the internet on a very popular website also. That will increase your chances of being personally identified before you notify the appropriate people and ensure that the preemptive action they will take against you will not work. Alternatively they can also use that against you after the fact instead/as well.

      I would also suggest as "icing on the cake" to paint red circles of de
      • but that's putting you in bed with the weasels.

        take some IT guys out for lunch with their laptop, show them how to lose their appetite. on a company computer.

        things will happen at a good rate of speed.

        if yoiu happen to have one of the security guys along, that will seal it quickly.

    • I like Krebs, so DO NOT put him in a position where he has to think about protecting your identity. For the love of all that is holy, boot Tails on a junker laptop at a cafe you never go to and use a throw-away mail account or pastebin it and leave a comment.

      Or just walk away. You have no duty to put your life on the line here - everybody who supports the system that will throw you to the lions for being a good guy will suffer for it in kind. You're not obligated to be their saviour. Sucks, but play th

      • Re: Krebs (Score:4, Insightful)

        by devilspgd ( 652955 ) on Monday March 02, 2015 @01:12AM (#49162183) Homepage

        Or just walk away.

        While true, this solution doesn't allow one to protect their own data which is also exposed.

    • Re:Krebs (Score:5, Interesting)

      by Jane Q. Public ( 1010737 ) on Sunday March 01, 2015 @09:56PM (#49161509)

      Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.

      Don't be so sure.

      I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this when doing my own online banking.) They said they'd see to it right away.

      A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.

      After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.

      I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)

      Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.

      • Re:Krebs (Score:5, Interesting)

        by camperdave ( 969942 ) on Sunday March 01, 2015 @10:20PM (#49161585) Journal
        Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.
        • Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.

          I probably should have done this. I didn't WANT to create a stink, but by the end of this sequence of events I was just plain dumbfounded that they would be -- pardon my language -- so fucking stupid.

          When going to the paper didn't work, I probably should have contacted the authorities. Instead, I just switched to another bank.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          Do NOT give them anything in writing that is an admission of "hacking".

      • Re:Krebs (Score:4, Insightful)

        by plover ( 150551 ) on Sunday March 01, 2015 @10:29PM (#49161611) Homepage Journal

        Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.

        Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.

        • Nobody took computer security seriously back in 2001. Things have changed a lot since then.

          I have to agree with you in general, but banks should have been concerned about it. Online banking was a fairly new thing, but even then, I am pretty sure this mistake violated Federal regulations.

          • Re:Krebs (Score:4, Interesting)

            by AchilleTalon ( 540925 ) on Monday March 02, 2015 @06:45AM (#49163123) Homepage
            Having written the on-line banking communication protocol of a bank back in 1995 I can assure you they were not taking security seriously. I explicitly asked about requirements for encryption and they had none. They didn't want to bother with encryption because the infrastructure was running on dialup lines connected directly to their infrastructure and they wanted to be the first bank to make on-line banking available to its customers. At this time, the internet was in its infancy, hence the choice for the dialup infrastructure, and everyone was subscribing dialup lines for the Internet access DSL and cable-modem was still waiting to be invented. It was even Windows 3 and OS/2.
            • Re:Krebs (Score:4, Interesting)

              by cusco ( 717999 ) <brian@bixby.gmail@com> on Monday March 02, 2015 @01:20PM (#49165729)

              In the last '90s I worked as System Operator for a company which sent several thousand automated account renewals to credit card companies each month. We had been sending 9-track tapes via Fed Ex, and I was tasked with converting all these to digital transfers. We ended up with a mish-mash of different methods, dialup modem, encrypted email attachments, etc. but American Express had a rather unique approach.

              They had us FTP an unencrypted, unzipped text file to a folder with our account number on their ftp site. Logged in as anonymous. With full access to all the other folders showing all their other customers' data transfers. They didn't clean up the folders either, so some of the other customers had a year's-worth of data transfers piled up. We couldn't believe it.

        • Correction: it wasn't a "mistake". It was intentional. It was just half-assed design.
      • Re:Krebs (Score:4, Informative)

        by Anonymous Coward on Sunday March 01, 2015 @11:25PM (#49161763)


        I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story.

        Notorious troll Weev" [wikipedia.org] did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.

        • Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.

          Very different situation. This leak was TO computers, and didn't involve going to "unauthorized" addresses. The information was right there on your local machine if you knew where to look. No remote exploration necessary. I would rather not discuss the details but if you knew them I am sure you would agree that it was alarmingly stupid.

          Agreed, though, that Weev was railroaded. He did nothing wrong except to piss off powerful people. It was (is) a travesty of justice. Same with Aaron Swartz.

      • by drolli ( 522659 )

        As a user you are not supposed to make sensible input to the support hotline. Also the head of the local branch is a user.

        IT departments in banks are behemoths, never changing course. They can't react quickly. A mess of different never integrated systems which were kept over decades, "tailored" solutions by consultants with too little a time budget in the projects, and department heads for whom the internet is a new technology create an impenetratable mess where even the support doen not know whom to turn t

      • Comment removed based on user account deletion
    • You don't want to end up like Weev, even though they did eventually let him out of jail. And you're apparently not somebody who's got the kind of personality he has, which, while it may make you less likely to end up in jail, isn't necessarily going to get you off the hook either.

  • by BoRegardless ( 721219 ) on Sunday March 01, 2015 @08:25PM (#49161095)

    Those people will definitely take your info and get it acted upon.

    • This -- in a small organization the CEO reads their email and forwards to the appropriate people. In a large organization the CEO has a team of people that help them with this. Either way, it is likely to get top down (rather than bubble up) attention.

      • In my experience, it won't.

        I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address. It might not have been a hack that caused my address to leak, but, irrespective of the means by which my email address had leaked, there should have been an investigation.

        I reported it to the CEO, who passed it to the IT head, who basically could not get his head around the idea

        • by pepty ( 1976012 ) on Sunday March 01, 2015 @10:20PM (#49161587)

          In my experience, it won't.

          I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address.

          Most likely, the non-profit sold your email address (along with the rest of their list), leading to embarrassment all around when you contacted them about the spam.

      • by AK Marc ( 707885 ) on Sunday March 01, 2015 @09:28PM (#49161403)
        I worked for a 10,000+ person company, the CEO read the emails identified by his secretary as important. I worked for a 200+ person tech company where the CTO read some of the emails the secretary printed out for him. He didn't have a computer (not in the office, and not at home). If he sent an email, he dictated it to his secretary, and she would then send it for him.

        For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did, used their personal email for business, and the business email was essentially forwarded to the info@ email box.

        I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.
        • The best approach is to call them. However most people don't feel comfortable doing this.

          If you pick up the phone and call their head offices number (as opposed to customer support number) and ask for the CEO you will almost always get put through to them. You may hit a voicemail system after that but because most people won't actually call someone they voicemails are usually listened to. Keep it polite, and to the point and you will be surprised as to how quickly they will act.

          • by AK Marc ( 707885 )
            The 10,000 person company I worked for, that would never work. At best, you'd get his secretary, who would hand-write a note. Though, the smaller companies I've worked for, that'd work if you asked for him by name. But "may I speak with the CEO" coming in to the reception would get you hung up on in many cases. If you don't know enough to know who the CEO is, then you obviously can't actually need to speak with him. Though hanging up on people is rude, so death-by-hold was second on the list. Put them
            • I call the CEOs, State Managers, Divisional Directors etc etc of companies that range in size from 20 person to 75,000 person on a daily basis for my job. You absolutely need the name in order to get anywhere but that information is very very simple to get. To get through to those people all you need to do is sound like you expect to be put through.

              Worst case scenario is you are referred down the chain of command. There is no way that the CEO of a 10,000+ person is going to be the right person to speak t

      • by Alan Shutko ( 5101 ) on Sunday March 01, 2015 @11:43PM (#49161813) Homepage

        In my Fortune 25 company, we have a department of people devoted to resolving issues of people who contact the CEO, President, or other members of senior staff. This method absolutely will light a fire under the IT staff to fix it. I don't know whether he reads every incoming letter or email, but I do know that each one is handled by the presidential escalation team, and tracked, and reported out regularly.

        We also have a Chief Information Security Officer who will personally latch onto this like a bulldog and ensure that it's fixed. We had a breach a number of years ago and it's still used as a reminder that "That will NOT happen again."

        • The "lighting a fire under the IT staff" too often results in the manager of IT having meetings, submitting checklists and expense reports, and doing _nothing_ to address the actual issue. Too often it's not a specific line of code, which can be corrected, but poor practices and attitudes about what security can and should be applied to projects.

    • Nah! Show a reporter how to do it he'll then use it to spy on Celebs, Missing persons and murder victims just like they do with Voice Mail!
  • by Anonymous Coward on Sunday March 01, 2015 @08:29PM (#49161117)

    ... That way we can help, too.

    Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?

  • by Vinegar Joe ( 998110 ) on Sunday March 01, 2015 @08:29PM (#49161123)

    You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.

    • Also, die in a fire. It would be more pleasant.

      Expect none of the above, but do take every possession you can out of the institution. Digital or otherwise.

      The art of the CEO mailbomb is lost, perhaps - send an email to the executives of every person attached to the company, and explain why you took action.

      NOT WHY YOU ARE CONCERNED.

      Why you took action is more meaningful. Take action first to protect yourself. If you want to file a lawsuit, it's going to be time consuming and expensive. Protect yourself

    • by pollarda ( 632730 ) on Sunday March 01, 2015 @08:44PM (#49161205)
      Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.
      • Dan Cuthbert, UK (Score:2, Informative)

        by Anonymous Coward

        Your thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.

        http://www.scl.org/site.aspx?i=ed832

        (Slashdot is one dot away from a crime!)

        It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".

        A law designed pre-internet, yet the RFC for the web permi

      • Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.

        I thought of one particular case as soon as I read the summary: https://www.eff.org/cases/us-v... [eff.org].
        Aernheimer was charged under the CFAA for exposing a similar problem with AT&T's website.

    • by borcharc ( 56372 ) * on Sunday March 01, 2015 @09:02PM (#49161293)

      This shouldn't be modded funny, its the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.

    • Obama doesn't have anyone sent to Gitmo anymore.. expect a drone to bomb his house instead.
    • As other replies have said, you are probably better off getting a lawyer BEFORE you go to the bank or anyone else.

      Why?

      1) If they've already discovered this themselves they may be working with the FBI and there may be a subpoena in your ISP's hands within minutes of you making your discovery.

      2) Even if there isn't, the veiled threat of prosecution can be very intimidating.

      3) By having your attorney speak to the bank and/or the government/police authorities for you BEFORE the police contact you, it will be ab

  • by Anonymous Coward on Sunday March 01, 2015 @08:32PM (#49161135)

    You called the bank and admitted manipulating the site in order to view other people's private financial information.

    Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).

    Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.

    • I agree. We all like to think we're being responsible citizens and good Samaritans by alerting people to dangerous situations. In an ideal world, that would be true. With the trend of treating whistleblowers in the U.S. as criminals, criminal prosecution is a very real possibility. Think about what happened to Randal Schwartz. I would absolutely not move forward with something like this without benefit of legal counsel.
    • Goodness gracious. I hope this isn't the true state of the CFAA here in the US?!!

      • by Anonymous Coward on Sunday March 01, 2015 @10:10PM (#49161555)

        In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.

        The man who discovered it was prosecuted for hacking their website:

        http://www.scl.org/site.aspx?i=ed832

        "He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "

        "But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "

    • Re: (Score:2, Informative)

      by Anonymous Coward

      About 20 years ago I had something similar happen, I emailed people about a bug (not even as important as people's financial data, but still similar). It was a large company (30B market cap). Anyways, I received no response and didn't really think much of it, Several months later, the local FBI team came in and took all my computers, we had a short meeting with them about a year later, where they explained that I had hacked and then threatened that company, And then never heard from them again. This was

    • by Anonymous Coward on Sunday March 01, 2015 @09:51PM (#49161487)

      Personally if it were me, I agree with the statement get a lawyer, but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have that you discovered a flaw in their system, and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrong doing and plead guilty to your lawsuit. And in your defense case, then it looks like you happened to find the flaw, was furious and took legal recourse against them.

      It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.

    • by bigtrike ( 904535 ) on Sunday March 01, 2015 @11:11PM (#49161711)

      The one time I ran into this, I informed the company from an anonymous email account. I claimed that I'd accidentally typed a number into the URL bar and someone else's complete order information came up. I stated that I had not shared the information with anyone and did not plan to (to cover my ass and make it clear I was not threatening them). I was still worried that they'd send the FBI after me, but I also felt that I had a moral obligation to inform them of the issue before someone else discovered it and stole a bunch of customer information.

    • Regardless of your intentions, you may be treated as the wrongdoer here

      Not likely. Just because you've heard of some idiots who try to pretend they 'just accessed some urls' while stealing and republishing other peoples data doesn't mean that the FBI (who would handle such things) is a bunch of raving nutters.

      You're just being silly and making things up. Banks are regulated, they don't get to randomly freeze your account because they feel like it. Stop believing random crap you read on the Internet. The things you've seen reported on slashdot and other places are ALWAYS BS

  • Troy Hunt has a great article here on the responsibility of public disclosure:

    http://www.troyhunt.com/2013/0... [troyhunt.com]
  • by belmolis ( 702863 ) <billposer@@@alum...mit...edu> on Sunday March 01, 2015 @08:49PM (#49161239) Homepage
    Post the URL in a Slashdot article. There's a good chance a technical person in the company will read it. And since the site will be Slashdotted, you're probably not exposing any data. :)
  • by Tillman ( 32891 ) on Sunday March 01, 2015 @08:59PM (#49161267)

    Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.

    Do not reveal the information to anyone else, and don't go poking around.

  • by ZipK ( 1051658 ) on Sunday March 01, 2015 @09:04PM (#49161295)
    Try mailing security@companydomain.com. Follow-up on Monday by calling the company's headquarters and asking for the CSIO (chief security information officer). If neither of those work, ask to speak to the CIO's or COO's office.
  • by mallyn ( 136041 ) on Sunday March 01, 2015 @09:26PM (#49161395) Homepage
    Folks:

    Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.

    Here is what I would probably do:

    1. Remove all of my own assets from the company/institution.

    2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.

    3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.

    4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.

    5. Shut up and go about your business.

  • Talk to, call, or send an email to your boss If he's not an idiot things will end soon. If that doesn't work. If' you have a contract. read it carefully, find the exit clause and use it.
  • You done fucked up (Score:5, Informative)

    by ArchieBunker ( 132337 ) on Sunday March 01, 2015 @09:39PM (#49161439)

    Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.

  • Get off my lawn (Score:5, Interesting)

    by fulldecent ( 598482 ) on Sunday March 01, 2015 @09:44PM (#49161457) Homepage

    I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.

    FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... [blogspot.com] and usually give the vendor a heads up.

    You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and some else's bank records came up... then I found out I made a typo". This is a perfectly reasonable story, there is nothing to be afraid of.

  • It is one of those mail-in-rebate houses. I am surprised there are people who still use them. The whole idea is a scam. To help them advertise a low low price, but small print reveals mail-in rebate to get the advertised price. I stopped using them long ago. They rely on consumers not bothering to send in the rebate coupons. Looks like now they allow the mail-in rebate to be claimed over the net, and the proof of purchase could be credit card statements.

    It is a security hole and all the dire warnings by others are true. Most of these companies are run by people with no IT or computer expertise. The top man is going to haul the IT dept on the carpet and demand an explanation. You think the IT chief is going to admit that he/she was running a moronic system? No, she/he is going to shift blame and find some convenient scape goat. Given the top honchos don't know much about anything other than their bonus calculation, IT chief is going to claim, "It is a hack! That guys hacked into my super secure site". Then the PHBs running the company would call in the lawyers and make a mess out of the situation.

    One thing the anonymous guy can do is to call the company that issued the mail-in-rebate and tell them, the outfit they had out sourced their rebate processing has holes in the system. Now it is the very big company that issued the rebate coupons run by PHBs fighting a smaller company that got the rebate processing contract run by PHBs. And quietly withdraw without drawing too much attention.

  • Go directly to your FSA (or FBI) field office. This shit has the potential to cost MILLIONS if not dealt with IMMEDIATELY, and you could be implicated having knowledge of such vulnerability and not reported it to competent authorities.

  • by MrKaos ( 858439 ) on Sunday March 01, 2015 @10:01PM (#49161525) Journal

    Accept this, as you have uncovered something they didn't know and can potentially damage them.

    I did this with a government tax office and tried to alert them by calling the very number they advertised to handle this sort of issue. The response went like this:

    • Yeah there is a number you can call for this
    • There is a what in our what?
    • please provide you contact details

    The problem is, you want to help them and all they can see is 'random person the phone saying we have a problem' so it is easier to solve you. If the company is responsible enough to have a CERT team and a reporting mechanism you may stand a chance but it is more likely you will draw their ire because you can hurt the companies reputation.

    If you can't change institutions then you should consider establishing what their data privacy policies are, hire a lawyer and then frame legal action to protect your own data whilst seeking damages to the value of your life earnings for exposing you to identity theft and fraud. You should be pissed off.

    They won' t play nice so neither should you. Seek legal advice about the possibility for damages because you have been exposed to fraud. Leave it to them to discover the mechanism, because if they are that bad there are probably more.

  • Rookie mistake... (Score:5, Informative)

    by Fallen Kell ( 165468 ) on Sunday March 01, 2015 @10:09PM (#49161553)
    Well as others have already stated, you already made the rookie mistake of trying to report the issue and gave them your name and contact information. Now you are on the record as having breached their "security", even as pathetic as it is. When big money is possibly involved (as it would be in the case that financial information of hundreds/thousands of people are involved), you just became the "scapegoat". They will now use you as "hacking" them to attempt to make claims on their insurance to cover the cost of fixing the problem. That also means they will need to report to law enforcement, etc., to have the case brought forward.
    • by Fallen Kell ( 165468 ) on Sunday March 01, 2015 @10:15PM (#49161571)
      DO NOT DISCLOSE THE INFORMATION TO ANYONE ELSE!!!! I can't state that enough. Also, DO NOT ACCESS IT EVER AGAIN!!!!!! I also can't state that enough either. Any subsequent accesses/"breach" of their security will be blamed on you, and used as evidence that you sent others the information, since you were the only one who knew. Anything anyone else does will be painted as you working in conjunction with a "group of hackers" in an attempt to defraud others, or even possibly extort the company in some way. Any continued access attempts on your part will be used to show that it wasn't a onetime mistake that let you uncover the issue, and that you continued to "hack" the site over a period of time.
    • According to James Clapper, "Even more than terrorism, the threat of cyberattack is the biggest peril currently facing the United States". If Cybersecurity is a major threat to the US, you would think that some agency in the government would be interested in making it easy to report security flaws and not prosecute people for reporting security flaws. "And I said to myself, what a F&$#ed up world."
  • by FrozenGeek ( 1219968 ) on Sunday March 01, 2015 @10:42PM (#49161645)
    Give them, maybe, one day to respond to your complaint. If they do not respond to your satisfaction, close your account and go elsewhere. It's your money. If they won't take good care of it, someone else will.
    • by abies ( 607076 )

      Adn this will help exactly how versus his private details being available on unsecured webpage? Is process of withdrawing money somehow securing this data? We dont' know details, these things can stay there forever, even if he closes the account/stops dealing with them. Most companies/banks are not allowed to remove traces of anything happening for at least 5+ years.

  • Confidence (Score:2, Funny)

    by Anonymous Coward

    That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org [4chan.org].

  • 1. Send it to wikileaks.
    2. Send anon email to company saying the information has been posted tow wikileaks.
    3. Watch them have massive coronaries.
  • by DERoss ( 1919496 ) on Sunday March 01, 2015 @11:56PM (#49161867)

    Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.

    If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Controller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.

    It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.

  • I would e-mail, not telephone. Phone calls are too short and simplified.

    Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.

    That's what I would do.

  • by Lehk228 ( 705449 )
    use at least 14 proxies and post the details all over 4chan. the ensuing shitstorm will get the problem fixed PDQ.
  • by matthewv789 ( 1803086 ) on Monday March 02, 2015 @01:11AM (#49162179)

    There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.

    1. 1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
    2. 2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and to certifying proper controls over financial or customer information.
    3. 3. Try to notify executive management directly.
    4. 4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
    5. 5. Report it to CERT.
    6. 6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
    7. 7. Any public disclosure you may be tempted to make, go through a news organization, who will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
    8. 8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
    9. 9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
    10. 10. And of course once the flaw is fixed, you could discuss it more widely as well.

    (IANAL)

  • Just name them anonymously, this is the only way executives move, bad press. Example, that time A UPS driver threw a TV over a fence. They guy had a video. At first they refused to pay to replace it, so he posted it to youtube and sent a copy to the 10 o'clock news. They paid up pretty fast. Their are tons of examples like this. You might think you are protecting people by hiding the bug, but you are not.
  • and contact the persons whose privacy was violated in the documents. You probably can not sue, they can.

    Make sure to contact a lawyer first.

  • I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me.

    Presumably, then, your data is viewable to others. First thing I'd do is demand that my data gets removed until the problem is fixed. Then I'd tell everyone who needs to know that I won't be uploading any more documents to this other website until someone else tells me I must, thereby taking responsibility for me doing so.

    Mind you, I'm in the fortunate position of having directors who take me seriously when I tell them things like that.

  • Threaten to sue them and if they fail to act post details of the vulnerability. What's the name of this 'partner web site' again?
  • Email the CEO, keep the body of the email short and simple enough for an IT illiterate to undestand the problem. Don't worry him/her about the consequences of the problem. Be sure to use a click bait subject line (they're probably very busy) e.g. Your account details for account [their bank account number] are attached. Don't forget to attach their bank account details

    Oh - and don't do any of this from your computer - or via your internet connection. And don't expect credit, just that the problem will be r

  • Because the CFAA is being abused in this realm, major nations need to pass responsible disclosure laws that protect people who report security flaws so long as they follow proper procedure.

  • Report the vulnerability to CERT.
    https://forms.cert.org/VulRepo... [cert.org]
    http://www.cert.org/vulnerabil... [cert.org]?

  • ... contact DHS and tell them you were at the library and you saw a guy with a scimitar and a Koran downloading private banking information. It will still likely be months before anything changes, but at least you'll know enough bankers are getting adequately inconvenienced in the affair.

If all else fails, lower your standards.

Working...