Summary: Security tester is paid to scan a bank, finds a vulnerable asset, reports back to the customer. Customer tells him he doesn't charge enough.<p>Here's my take: if he is charging $7, $10, $40, whatever, he's running automated scans. If the customer is suggesting they'd be willing to pay $10k, they are most likely under the impression this is a real, full-fledged pen-test. That is a massively dangerous assumption. A real pen-test is not just some process you kick off and walk away from. It involves real investigation, testing, and analysis. Charging $7 or $40 would bankrupt a tester.
I'm guessing a bank of such size won't believe that a $7 scan can tell them anything. If he charged $10k they would probably think that it was worth acting on too ...
> I have since lowered my prices (I love my customers, and want them to be secure).<p>So why not charge $0?<p>If you love your customers, crank the price up - that'll encourage them to actually <i>listen</i> to the results you give them.
Until these businesses (small and large) become responsible, either legally or financially, for the security of their websites, we'll see this continue to happen.<p>They simply don't care about the security of their customers because they have no incentive to.<p>I get that security is hard, but in this specific case, they knew about a hole and left it open for two months. That's negligence.
I love how the author emphasizes the size of the bank: "one hundred million in assets bank. One Hundred Million.", as if they are flush with money. In reality, this is a rather small bank, likely with 2-3 people running the IT operations.<p>And to say that they don't care about security is wrong. Generally, small financial institutions like this are scared to death of security breaches, but in many cases they simply don't have the expertise to properly assess and deal with them. The calendar application is just one example.
So I tried to order a scan, given the low price of $7 only to realize the author of this service does not accept customers outside the U.S. and Canada.