How Do You Handle the Discovery of a Web Site Disclosing Private Data? 230
An anonymous reader writes I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me. As in, change the document ID in a URL and view someone else's financial documents. This requires no authentication, only a document URL. (Think along the lines of an online rebate center where you upload documents including credit card statements.) I immediately called customer service and spoke with a perplexed agent who unsurprisingly didn't know what to do with my call. I asked to speak with a supervisor who took good notes and promised a follow-up internally. I asked for a return call but have not yet heard back. In the meantime, I still have private financial information I consider to be publicly available. I'm trying to be responsible and patient in my handling of this, but I am second guessing how to move forward if not quickly resolved. So, Slashdot, how would you handle this situation?
Krebs (Score:5, Insightful)
Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.
Re: (Score:3, Funny)
Blab about it on the internet on a very popular website also. That will increase your chances of being personally identified before you notify the appropriate people and ensure that the preemptive action they will take against you will not work. Alternatively they can also use that against you after the fact instead/as well.
I would also suggest as "icing on the cake" to paint red circles of de
I would say "look until you find the CEO" (Score:2)
but that's putting you in bed with the weasels.
take some IT guys out for lunch with their laptop, show them how to lose their appetite. on a company computer.
things will happen at a good rate of speed.
if yoiu happen to have one of the security guys along, that will seal it quickly.
Re: (Score:2)
Although knowing my luck it will be a forced anal invasion in Guantanamo...but beggars can't be choosers I guess...
Re: (Score:3)
Having sex with a spy is on my bucket list.
"Never mind why. Just clip this lapel mic to your blouse."
Re: (Score:2)
...but buggars can't be choosers I guess...
Fixed that for ya...
Re: (Score:2)
Having sex with a spy is on my bucket list.
Although knowing my luck it will be a forced anal invasion in Guantanamo...but buggers can't be choosers I guess...
FTFY
Re: Krebs (Score:3)
I like Krebs, so DO NOT put him in a position where he has to think about protecting your identity. For the love of all that is holy, boot Tails on a junker laptop at a cafe you never go to and use a throw-away mail account or pastebin it and leave a comment.
Or just walk away. You have no duty to put your life on the line here - everybody who supports the system that will throw you to the lions for being a good guy will suffer for it in kind. You're not obligated to be their saviour. Sucks, but play th
Re: Krebs (Score:4, Insightful)
Or just walk away.
While true, this solution doesn't allow one to protect their own data which is also exposed.
Re: (Score:3)
I guarantee you that their lawyers can beat up his lawyers. If he sues, he'll get buried in paper, causing legal fees to quickly attain unmanageable levels, then they'll counter-sue for defaming their name. He'll be lucky to walk away with the shirt on his back.
America!
Re:Krebs (Score:5, Interesting)
Give the information to Brian Krebs and have HIM call them. I guarantee you they will get off their asses and do something then.
Don't be so sure.
I had a similar problem with a bank back in 2000-2001. I called their customer service dept. and they put me in contact with the IT dept. I explained that their web banking portal was spewing private information all over the place. (I was quite alarmed, since I had noticed this when doing my own online banking.) They said they'd see to it right away.
A couple of weeks go by, it's still the same. Now, mind you, this was a MAJOR leak to anybody who knew about it. Arguably worse than OP's problem. So I called them again. I was assured that they were right on top of it.
After about another month went by, I went into the main branch of the bank, and SHOWED this to one of the managers. He seemed quite concerned. Another couple of months go by... nothing.
I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story. (Turned out later, they were best buds with this particular bank.)
Anyway, long story short: they did nothing. It took them a full year and a half to fix the problem. If I had been an unethical person, I could have emptied out the accounts of MANY people over that time.
Re:Krebs (Score:5, Interesting)
Re: (Score:2)
Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.
I probably should have done this. I didn't WANT to create a stink, but by the end of this sequence of events I was just plain dumbfounded that they would be -- pardon my language -- so fucking stupid.
When going to the paper didn't work, I probably should have contacted the authorities. Instead, I just switched to another bank.
Re: (Score:3, Informative)
Do NOT give them anything in writing that is an admission of "hacking".
Re:Krebs (Score:4, Insightful)
Nobody took computer security seriously back in 2001. Things have changed a lot since then. For example, if you were to contact that same bank with the same information today, they would likely know better and would now contact the FBI and have you arrested on charges of violating the Computer Fraud and Abuse Act.
Actually, contacting the FBI might not be a bad choice for the story submitter. They would probably be very interested in working with that bank to shut this problem down quickly.
Re: (Score:2)
Nobody took computer security seriously back in 2001. Things have changed a lot since then.
I have to agree with you in general, but banks should have been concerned about it. Online banking was a fairly new thing, but even then, I am pretty sure this mistake violated Federal regulations.
Re:Krebs (Score:4, Interesting)
Re:Krebs (Score:4, Interesting)
In the last '90s I worked as System Operator for a company which sent several thousand automated account renewals to credit card companies each month. We had been sending 9-track tapes via Fed Ex, and I was tasked with converting all these to digital transfers. We ended up with a mish-mash of different methods, dialup modem, encrypted email attachments, etc. but American Express had a rather unique approach.
They had us FTP an unencrypted, unzipped text file to a folder with our account number on their ftp site. Logged in as anonymous. With full access to all the other folders showing all their other customers' data transfers. They didn't clean up the folders either, so some of the other customers had a year's-worth of data transfers piled up. We couldn't believe it.
Re: (Score:2)
Re:Krebs (Score:4, Informative)
I finally called them up and said if they didn't fix the problem, I was going to the newspapers with it. It didn't faze them. I actually did take it to the local paper, and they weren't interested in the story.
Notorious troll Weev" [wikipedia.org] did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.
Re: (Score:2)
Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.
Very different situation. This leak was TO computers, and didn't involve going to "unauthorized" addresses. The information was right there on your local machine if you knew where to look. No remote exploration necessary. I would rather not discuss the details but if you knew them I am sure you would agree that it was alarmingly stupid.
Agreed, though, that Weev was railroaded. He did nothing wrong except to piss off powerful people. It was (is) a travesty of justice. Same with Aaron Swartz.
Re: (Score:3)
He reported it AFTER exploring it en mass, and while his motives *may* have been pure... the degree he went to can and were used to harm him.
Contrary to what was reported from many sources, he DID go to them first, before publishing the exploit. The fault for not fixing it immediately rests on them, not him.
What he did was normal curiosity. Hell, I've done it. In fact I don't know of any web or security professionals who haven't. Got an ID in the URL? Increment it by one, see what happens. We all do it.
Granted, we don't normally explore it to the degree he did. But what he did was ridiculously simple, and hardly even deserves the term "hac
Re: (Score:3)
As a user you are not supposed to make sensible input to the support hotline. Also the head of the local branch is a user.
IT departments in banks are behemoths, never changing course. They can't react quickly. A mess of different never integrated systems which were kept over decades, "tailored" solutions by consultants with too little a time budget in the projects, and department heads for whom the internet is a new technology create an impenetratable mess where even the support doen not know whom to turn t
Re: (Score:2)
Better Krebs than Weev (Score:3)
You don't want to end up like Weev, even though they did eventually let him out of jail. And you're apparently not somebody who's got the kind of personality he has, which, while it may make you less likely to end up in jail, isn't necessarily going to get you off the hook either.
Re:Krebs (Score:5, Informative)
Re: (Score:2)
Wow, hard to believe that this still happens. First encountered this when I opened my first (and only) online banking account at SeaFirst bank in the late '90s. When I realized that in order to get into someone else's account all I had to do was change the account number in the URL I took some screen shots and sent it off to their webmaster. It was told that it was fixed within a couple of weeks, but I was so appalled that it was even possible that I had them delete my online profile and lock my account
Re: (Score:3)
I think you will find that banks have real liability when they fail to protect customer data. At least here in Europe they would.
Re:Krebs (Score:5, Funny)
I agree. A friendly game of baseball is the perfect opportunity to discuss security issues with them.
Notify CTO, CFO & CEO offices (Score:5, Funny)
Those people will definitely take your info and get it acted upon.
Re: (Score:2)
This -- in a small organization the CEO reads their email and forwards to the appropriate people. In a large organization the CEO has a team of people that help them with this. Either way, it is likely to get top down (rather than bubble up) attention.
Re: (Score:2)
In my experience, it won't.
I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address. It might not have been a hack that caused my address to leak, but, irrespective of the means by which my email address had leaked, there should have been an investigation.
I reported it to the CEO, who passed it to the IT head, who basically could not get his head around the idea
Re:Notify CTO, CFO & CEO offices (Score:4, Insightful)
In my experience, it won't.
I reported to a small non-profit that their list of email addresses had leaked. I knew this because I used a unique address when registering with the site and I later started getting SPAM at that address.
Most likely, the non-profit sold your email address (along with the rest of their list), leading to embarrassment all around when you contacted them about the spam.
Re:Notify CTO, CFO & CEO offices (Score:5, Interesting)
For a 5-man company, you may find CEOs read their own emails. For larger than that, the CEOs don't read emails. The few I know that did, used their personal email for business, and the business email was essentially forwarded to the info@ email box.
I've found that snail mail got insanely quick response. It would get to the CEO and be read. Only obvious advertisements would be withheld by helpers, and even then not aggressively so.
Re: (Score:2)
The best approach is to call them. However most people don't feel comfortable doing this.
If you pick up the phone and call their head offices number (as opposed to customer support number) and ask for the CEO you will almost always get put through to them. You may hit a voicemail system after that but because most people won't actually call someone they voicemails are usually listened to. Keep it polite, and to the point and you will be surprised as to how quickly they will act.
Re: (Score:2)
Re: (Score:3)
I call the CEOs, State Managers, Divisional Directors etc etc of companies that range in size from 20 person to 75,000 person on a daily basis for my job. You absolutely need the name in order to get anywhere but that information is very very simple to get. To get through to those people all you need to do is sound like you expect to be put through.
Worst case scenario is you are referred down the chain of command. There is no way that the CEO of a 10,000+ person is going to be the right person to speak t
Re:Notify CTO, CFO & CEO offices (Score:5, Informative)
In my Fortune 25 company, we have a department of people devoted to resolving issues of people who contact the CEO, President, or other members of senior staff. This method absolutely will light a fire under the IT staff to fix it. I don't know whether he reads every incoming letter or email, but I do know that each one is handled by the presidential escalation team, and tracked, and reported out regularly.
We also have a Chief Information Security Officer who will personally latch onto this like a bulldog and ensure that it's fixed. We had a breach a number of years ago and it's still used as a reminder that "That will NOT happen again."
Re: (Score:2)
The "lighting a fire under the IT staff" too often results in the manager of IT having meetings, submitting checklists and expense reports, and doing _nothing_ to address the actual issue. Too often it's not a specific line of code, which can be corrected, but poor practices and attitudes about what security can and should be applied to projects.
Re: (Score:2)
Post the URL here... (Score:5, Funny)
... That way we can help, too.
Also, and this is a bit off topic, but what high school did you go to and what's your mother's maiden name?
Re:Post the URL here... (Score:4, Funny)
Buy some suntain lotion (Score:5, Funny)
You've hacked a bank and now you're a terrorist. Expect a visit from the FBI and a taxpayer funded trip to Cuba.
Re: (Score:2)
Also, die in a fire. It would be more pleasant.
Expect none of the above, but do take every possession you can out of the institution. Digital or otherwise.
The art of the CEO mailbomb is lost, perhaps - send an email to the executives of every person attached to the company, and explain why you took action.
NOT WHY YOU ARE CONCERNED.
Why you took action is more meaningful. Take action first to protect yourself. If you want to file a lawsuit, it's going to be time consuming and expensive. Protect yourself
Re:Buy some suntain lotion (Score:5, Insightful)
Dan Cuthbert, UK (Score:2, Informative)
Your thinking of Dan Cuthbert I think. A UK case, he donated money to a charity page then entered a directory traversal. Most likely /.. into the URL.
http://www.scl.org/site.aspx?i=ed832
(Slashdot is one dot away from a crime!)
It was a real face palm moment for the British Justice system that they prosecuted him. In effect they said "a directory traversal would not have been authorized, therefore this is unauthorized use of a computer, hence a crime".
A law designed pre-internet, yet the RFC for the web permi
Re: (Score:3)
Actually, this isn't too far from the truth. I've heard of a few cases where simply changing the URL has brought up documents that should be private and the person who reported it was brought up on charges for "hacking". Unfortunately, the public does not understand the difference between simply poking around and trying to mess up someone's system for nefarious reasons. Perhaps someone here on /. will remember the particular cases involved but as sad as it sounds, you are on a shaky legal foundation.
I thought of one particular case as soon as I read the summary: https://www.eff.org/cases/us-v... [eff.org].
Aernheimer was charged under the CFAA for exposing a similar problem with AT&T's website.
Re:Buy some suntain lotion (Score:5, Insightful)
This shouldn't be modded funny, its the most likely outcome. You really should start thinking of protecting yourself now that you have made yourself a target.
Re: (Score:2)
Yea.. one call to Tor Ekeland is a good start
Re: (Score:2)
Yes, get a lawyer (Score:2)
As other replies have said, you are probably better off getting a lawyer BEFORE you go to the bank or anyone else.
Why?
1) If they've already discovered this themselves they may be working with the FBI and there may be a subpoena in your ISP's hands within minutes of you making your discovery.
2) Even if there isn't, the veiled threat of prosecution can be very intimidating.
3) By having your attorney speak to the bank and/or the government/police authorities for you BEFORE the police contact you, it will be ab
Re: (Score:2, Insightful)
reporting vulnerabilities doesn't get you put in Jail, however manipulating sites without permission to look for them does. incidently the guy you linked did a lot more than "just" tell then just discover and tell them of a vulnerability, he exploited it and extracted a ton of information from their systems.
Re: (Score:3)
>reporting vulnerabilities doesn't get you put in Jail, however manipulating sites without permission to look for them does. //
Except that in this case the report is evidence of having "manipulated" the site "without permission" *.
* web accessible documents have an assumed permission IMO; the removal of permission is performed by making the page only accessible with a password or similar auth.
Re: (Score:2)
> reporting vulnerabilities doesn't get you put in Jail, however manipulating sites without permission to look for them does
How orwellian of you. It is totally OK to report vulnerabilities but finding out about them, that's verboten.
So when Target and Home Depot tell you that they've never had a report of a problem, you know that means their sites are 100% secure.
of course it doesn't mean they are secure. That doesn't make it ok to try and break their security. Try going to the backdoor of banks and looking for a way to jimmy the door open to see if you can steal money, it won't matter whether you give the money you take back if you find a way in, or even if you didn't take any money, you will go to jail. If you want to help them do vulnerability scanning for free then approach them with your offering, if you can show you have the skills and background most will tak
If you're in the United States, get a lawyer (Score:5, Informative)
You called the bank and admitted manipulating the site in order to view other people's private financial information.
Regardless of your intentions, you may be treated as the wrongdoer here. A security vulnerability exists, and unfortunately, you are the only one who has admitted to exploiting it. (It's entirely possible that the only person who has actually accessed someone else's private financial information is you.) Organizations in the United States have a long history of seeking sanctions (criminal or otherwise) against people like you who look for vulnerabilities in their systems (I think some similar cases were reported on Slashdot, and I know of one privately).
Maybe withdraw all of your money out of your account in case they freeze it during their investigation (which means you wouldn't even have money to pay your lawyer), but beware that this could appear to be an indication of admission of guilt -- consult a lawyer first if there's time.
Re: (Score:3)
Re: (Score:2)
Goodness gracious. I hope this isn't the true state of the CFAA here in the US?!!
Ass covering, BT Example from UK (Score:5, Informative)
In the UK, British Telecom had a website that took donations for something. They left the website open, simply putting in a URL was enough to get to the private information of the donators.
The man who discovered it was prosecuted for hacking their website:
http://www.scl.org/site.aspx?i=ed832
"He had visited the site and donated £30, but had become concerned at its slow response and what he had regarded as poor graphics. There had been extensive press coverage of “phishing” attempts and a number of these had involved fake sites masquerading as well-known UK financial institutions. His concern was that he had just provided details of his name, address and credit card and that these might be abused. Cuthbert sought to test the site by using a directory traversal test - in effect he re-formed the URL he could see in the command bar of his Internet browser to see whether the security settings on the remote Web site would allow him access beyond the web root. His attempt was rejected, he felt relieved and thought no more of the matter. "
"But the test set off an alarm in an intrusion detection system (IDS) installed by British Telecom, the directory traversal being an obvious alerting signature. It wasn't difficult to trace him - he had just supplied his name, address and credit card details, and his IP address, which resolved to his employer, was captured both by the regular web-logs of the donation Web site and by the IDS. Cuthbert's subsequent interview with the Metropolitan Police Computer Crime Unit went badly. "
Re: (Score:2, Informative)
About 20 years ago I had something similar happen, I emailed people about a bug (not even as important as people's financial data, but still similar). It was a large company (30B market cap). Anyways, I received no response and didn't really think much of it, Several months later, the local FBI team came in and took all my computers, we had a short meeting with them about a year later, where they explained that I had hacked and then threatened that company, And then never heard from them again. This was
Re:If you're in the United States, get a lawyer (Score:4, Interesting)
Personally if it were me, I agree with the statement get a lawyer, but for different reasons. I'd immediately sue them. In a court of law you've now put them on the defensive. If they try to take legal action against you, you have that you discovered a flaw in their system, and immediately held them responsible. If they try to claim you were doing anything malicious, then they have to admit wrong doing and plead guilty to your lawsuit. And in your defense case, then it looks like you happened to find the flaw, was furious and took legal recourse against them.
It may not make technical logic, but as far as I can tell in the legal world, putting them on the defensive as soon as possible is the best move you can do.
Re:If you're in the United States, get a lawyer (Score:4, Informative)
The one time I ran into this, I informed the company from an anonymous email account. I claimed that I'd accidentally typed a number into the URL bar and someone else's complete order information came up. I stated that I had not shared the information with anyone and did not plan to (to cover my ass and make it clear I was not threatening them). I was still worried that they'd send the FBI after me, but I also felt that I had a moral obligation to inform them of the issue before someone else discovered it and stole a bunch of customer information.
Re: (Score:3)
Regardless of your intentions, you may be treated as the wrongdoer here
Not likely. Just because you've heard of some idiots who try to pretend they 'just accessed some urls' while stealing and republishing other peoples data doesn't mean that the FBI (who would handle such things) is a bunch of raving nutters.
You're just being silly and making things up. Banks are regulated, they don't get to randomly freeze your account because they feel like it. Stop believing random crap you read on the Internet. The things you've seen reported on slashdot and other places are ALWAYS BS
The responsibility of disclosure (Score:3)
http://www.troyhunt.com/2013/0... [troyhunt.com]
Slashdot it (Score:3)
Time to sever the financial relationship (Score:3, Insightful)
Either the place is incompetent or made a deliberate design decision. Either way, your best move is to simply move on. There's plenty of competition out there.
Do not reveal the information to anyone else, and don't go poking around.
Contact the company's CSIO (Score:3)
Please be very careful! (Score:5, Informative)
Please be very careful if you discover something like this. Too many of us have been treated incorrectly by the company or the prosecuters.
Here is what I would probably do:
1. Remove all of my own assets from the company/institution.
2. Verbally (phone or preferably in person) tell my family what I have done and suggest they do the same. As I can trust my family, I can say to them that I have been made aware of a possible security situation with the company.
3. Verbally (in person if possible, phone as a last resore, not email) tell any friends THAT I TRUST about what I am doing and why and suggest to them they consider removing their assets. Do not go into any details of how I found out.
4. Once out, stay out. Listen. Don't say anything to anyone else. If I feel that I must do something, I would stop; find an attorney whom I can trust (friend of a friend or family; not just out of the yellow pages). Pay them for an hour or so (which puts into place attorney client privilege) and tell them what is up. Fot God's sake, think twice, no three times before going this far.
5. Shut up and go about your business.
Stop doing business with them (Score:2)
You done fucked up (Score:5, Informative)
Every time someone has tried to be the nice guy its backfired. You see something like this? Keep your mouth shut and forget it even happened.
Get off my lawn (Score:5, Interesting)
I was in a similar situation a few years ago. It involved write access to other people's brokerage accounts.
FINRA, SEC, and FBI are all good points of contact and they have a straightforward complaint/action process. Assuming that you mailed a letter to the CEO first. Otherwise, I just now post live exploits to my blog at http://privacylog.blogspot.com... [blogspot.com] and usually give the vendor a heads up.
You will not get credit for the find. The TLAs will not invite you to give a speech. You will not get a career out of this, or even consulting money. Your end game is getting the thing fixed and moving on. Do this by posting your story which proves how innocent you are and giving the people an honest chance to fix it. Imagine you are in front of a jury of idiots. If you are saying "I wrote down this URL, then I typed it back in and some else's bank records came up... then I found out I made a typo". This is a perfectly reasonable story, there is nothing to be afraid of.
It is not a bank or brokerage account. (Score:3)
It is a security hole and all the dire warnings by others are true. Most of these companies are run by people with no IT or computer expertise. The top man is going to haul the IT dept on the carpet and demand an explanation. You think the IT chief is going to admit that he/she was running a moronic system? No, she/he is going to shift blame and find some convenient scape goat. Given the top honchos don't know much about anything other than their bonus calculation, IT chief is going to claim, "It is a hack! That guys hacked into my super secure site". Then the PHBs running the company would call in the lawyers and make a mess out of the situation.
One thing the anonymous guy can do is to call the company that issued the mail-in-rebate and tell them, the outfit they had out sourced their rebate processing has holes in the system. Now it is the very big company that issued the rebate coupons run by PHBs fighting a smaller company that got the rebate processing contract run by PHBs. And quietly withdraw without drawing too much attention.
take it above EVERYBODY'S heads (Score:2)
Go directly to your FSA (or FBI) field office. This shit has the potential to cost MILLIONS if not dealt with IMMEDIATELY, and you could be implicated having knowledge of such vulnerability and not reported it to competent authorities.
You.will.be.blamed (Score:3)
Accept this, as you have uncovered something they didn't know and can potentially damage them.
I did this with a government tax office and tried to alert them by calling the very number they advertised to handle this sort of issue. The response went like this:
The problem is, you want to help them and all they can see is 'random person the phone saying we have a problem' so it is easier to solve you. If the company is responsible enough to have a CERT team and a reporting mechanism you may stand a chance but it is more likely you will draw their ire because you can hurt the companies reputation.
If you can't change institutions then you should consider establishing what their data privacy policies are, hire a lawyer and then frame legal action to protect your own data whilst seeking damages to the value of your life earnings for exposing you to identity theft and fraud. You should be pissed off.
They won' t play nice so neither should you. Seek legal advice about the possibility for damages because you have been exposed to fraud. Leave it to them to discover the mechanism, because if they are that bad there are probably more.
Rookie mistake... (Score:5, Informative)
Re:Rookie mistake... Also... (Score:4, Insightful)
Re: (Score:2)
Deal with someone else (Score:3)
Re: (Score:2)
Adn this will help exactly how versus his private details being available on unsecured webpage? Is process of withdrawing money somehow securing this data? We dont' know details, these things can stay there forever, even if he closes the account/stops dealing with them. Most companies/banks are not allowed to remove traces of anything happening for at least 5+ years.
Confidence (Score:2, Funny)
That's a confidential web forum that handles cases like this. Just provide the sensitive details and they'll take care of it from there. It's @ 4chan.org [4chan.org].
Wikileaks. (Score:2)
2. Send anon email to company saying the information has been posted tow wikileaks.
3. Watch them have massive coronaries.
Take Immediate and Thorough Action (Score:3)
Send a postal letter to the CEO of the financial institution. Explain the problem. Give the institution a deadline for action. Since I found no actual disclosure of information in my case, I gave the institution a month. In your case, a week should be the maximum.
If you do not hear back in a week, send a postal letter to the government agency that supervises the institution (e.g., SEC, Controller of the Currency, FDIC). Send a copy to the federal Consumer Financial Protection Bureau. Postal addresses are available online for such agencies.
It helps if the institution's privacy policy indicates such disclosures are not permitted. In that case, insist that the government agency enforce the institution's privacy policy.
e-mail, not phone (Score:2)
I would e-mail, not telephone. Phone calls are too short and simplified.
Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.
That's what I would do.
/b/ (Score:2)
Better avenues that public disclosure (Score:5, Insightful)
There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.
(IANAL)
Just name them anonymously (Score:2)
Download some documents (Score:2)
and contact the persons whose privacy was violated in the documents. You probably can not sue, they can.
Make sure to contact a lawyer first.
Demand that your data gets taken down? (Score:3)
I recently discovered that a partner web site of a financial institution I do business with makes it trivially easy to view documents that do not belong to me.
Presumably, then, your data is viewable to others. First thing I'd do is demand that my data gets removed until the problem is fixed. Then I'd tell everyone who needs to know that I won't be uploading any more documents to this other website until someone else tells me I must, thereby taking responsibility for me doing so.
Mind you, I'm in the fortunate position of having directors who take me seriously when I tell them things like that.
Slashdot, how would you handle this situation? (Score:2)
1 step sure-fire solution(?) (Score:2)
Email the CEO, keep the body of the email short and simple enough for an IT illiterate to undestand the problem. Don't worry him/her about the consequences of the problem. Be sure to use a click bait subject line (they're probably very busy) e.g. Your account details for account [their bank account number] are attached. Don't forget to attach their bank account details
Oh - and don't do any of this from your computer - or via your internet connection. And don't expect credit, just that the problem will be r
Laws are required (Score:2)
Because the CFAA is being abused in this realm, major nations need to pass responsible disclosure laws that protect people who report security flaws so long as they follow proper procedure.
Report them to CERT (Score:2)
Report the vulnerability to CERT.
https://forms.cert.org/VulRepo... [cert.org]
http://www.cert.org/vulnerabil... [cert.org]?
Try this ... (Score:2)
Re: (Score:2, Insightful)
Too late...our anonymous submitted has already outed himself to the bank, and even if he hadn't, there should be enough of a trail in the server log to find it was him.
Re: (Score:2)
This is dead wrong. Bad advice.
"Leaking" in this manner is a federal offense.
The answer is to keep pressing and travel up the chain of command.
Do not embed any compromising links in an email. Do not use email at all. Emails are discoverable in litigation.
Use your own telephone. Do not involve your business.
When you find a person who has a major cow when you tell them what you've found, give an example URL on the phone.
Check the site now and then for compliance, but do it using someone else's junk. It sounds
Re: (Score:2)
I personally have seen all kinds of cases where a disaster is required before anybody decides they want to harden their information security.
That said, you might consider just leaking some of these documents to the open internet by simply pasting the URL to public places. For example, put it on twitter and give it an irrelevant but popular hashtag. Then it hits a major news site, and you know the rest.
The trick is doing it without leaving a trail to yourself, otherwise you'll end up like those guys who found that AT&T link to the iPhone accounts.
you know I think this was weev's approach to the att/ipad info leak, and look where it got him. although it turns out he was a scumbag doxxer, so no tears shed here.
Re: (Score:2)
He apparently leaked information about 140,000 accounts. His sentence was vacated and conviction reversed on appeal because the appeals judge felt he should have been tried in his home state.
It's too bad this judge was not available for the "Amateur Action" computer porn case in 1996 (http://fac-staff.seattleu.edu/mchon/web/Cases/thomas.html).
Re: (Score:2)
The folks that discovered the AT&T flaw downloaded information on something like 40,000 people and forwarded it to a journalist. Calling the institution itself after a spot check is pretty tame and seems well intentioned on its face compared to the AT&T situation.
Intent (Score:3)
Re: (Score:2)
How? The data is in the hands of the other. Would you propose hacking them to get that data off their servers? That might land them in legal hot water.
Re: (Score:2)
They didn't disclose any abusable data here.