Hey guys,

First, excuse the messy title - I was limited to 80 characters.

I recently found a way to create money out of thin air through a loophole in my bank's current banking portal.
I tried reporting it a few times, but every time I am stonewalled by a low-level employee, telling me they will call me back later in the day, which never ends up happening.
The furthest I've come is to call their abuse department, found on their ARIN records, who seemed to take it seriously, but I ended up going full circle - back to the low-level guys.

I discovered it inadvertently and, technically, defrauded them of ~0.32 US$ using legitimate transactions that the bank's software should have handled differently. Pennies, but still.

I also confirmed the issue with other accounts and other transactions - my account is not a glitch in the system.

What is the best course of action? How would you get in touch with security officials at a big bank?

I mostly don't want to get caught or charged with (attempted?) fraud over $0.32.

I have also spent quite a few hours trying to disclose it, unsuccessfully. What would be the best way to get some of this time spent trying to do things right compensated?

Thanks!
Stop.

You're risking your freedom to save a corporation.

If you press ahead you will be dealing with people who lack knowledge and are scared of what you did affecting their career. They will rake you over the coals. And you will have gained what? The minute pleasure of helping them save a few bucks?

You have a desire to help people. That's great and noble and commendable. But that's not what you would be doing here.

My advice: drop it. It's not worth it. If there was no risk to life or liberty from what you found, then yes, chase the disclosure. But there isn't. Drop it and forget it ever happened. Your life is worth it.
I use LinkedIn when I have to penetrate a bureaucracy such as this.

Nothing gets action faster than when a VP or higher gets a personal email / phone call regarding something like this.

Step 1: Troll LinkedIn to find these people in positions of real power.

Step 2: If they are easy to reach via email or on the platform, try that. Failing that, call their HQ and work the phones until you get to them.

Step 3: Win.
Document your attempts to alert the bank. You should have proof that you contacted them about it. Don't use the loophole obviously. Definitely switch banks.
Just drop it. It only hurts the bank and you did your best to warn them. At this point the only reason to pursue it is to get recognition/reward or attention for being clever.
I am a developer who works with one of the largest US banks and I would love to speak with you about what you have found and pass it along to the head of security in my office. Unfortunately, like others have pointed out, you will more than likely encounter low-level employees who dismiss you OR, and this is the dangerous part, you may bruise the ego of someone in a position who can and should listen to you, possibly resulting in adverse actions being taken against you. Do you have an email address I could contact you at? I could conference you in to my department and see the exploit you found (MOST banks share the same backend software for their online services, so this is alarming).
Call the bank's regional HQs. Ask to speak with the manager of security. Report the instance. Ask for his/her name and number. Tell the individual you plan to go public with the information in 48 hours if there's no resolution.

The individual will feel a career risk and act accordingly.
Try to find developers that work at the bank via LinkedIn or something. Ask if they have a bug bounty program, and disclose things appropriately. You won't ever get to the right person calling in on the customer support or abuse numbers. You need to go around.

EDIT: Also, how long does that money stick around in your account? I wonder if there is some kind of reconciliation process that goes through and squares everything up. The web software is probably just a replica of the actual ACH data, so maybe those processes would correct things and it's not as big of a deal as it seems to be?
STOP, you've already done this on multiple accounts; that is asking for trouble.

I wouldn't risk interacting with them further if they aren't interested in listening.

Document that you tried to contact them and report it so they can fix it.

But you're in the gray area where they could attack you, feeling you were attacking their system.

Forget it and move on.

Otherwise you're going to be tempted to:
<a href="https://www.youtube.com/watch?v=GyB6ffmXsZo" rel="nofollow">https://www.youtube.com/watch?v=GyB6ffmXsZo</a>
(Office Space Virus Scene)
And we all know how that ends.
Document the vulnerability.
Document your attempts to contact the bank.

Contact your local[1] newspaper. Particularly one that is big on investigative journalism, and technology.

A good hint is if they covered the recent SWIFT bank heists.

[1] Local is relative. If it is a big national bank, go national.

The idea is for them to do an article, not necessarily exposing the vulnerability, but how processes (or lack thereof) in the big banks allow security holes to go unfixed.
I have to ask the folks here. Given that the OP used an ID that seems easily traceable and he/she admits to defrauding the bank publicly (I know, just .32 USD, but still, people are going to prison these days for so many silly things), should the OP retain legal counsel and have the lawyer make contact with a VP?

Or does lawyering up make the OP look guilty from the start?
It's amazing that any large firm whose business heavily relies on security doesn't have some kind of report-a-bug or bounty system easily findable. This should be as standard as a 404 page.
> What would be the best way to get some of this time spent trying to do things right compensated?

That depends how quickly you can get the money out of the bank, and get yourself out of the country!
The bank isn't going to pay you money. You gain <i>nothing</i> from reporting this, and risk getting fucked over for mere pennies. Just forget about it and move on with your life.
You could contact a legitimate security firm that buys vulnerabilities to get the credit (and knows how to report responsibly).

You want one that immediately discloses and does not resell.
> What would be the best way to get some of this time spent trying to do things right compensated?

Creating more money out of thin air seems like the appropriate compensation. /s
Is this a big bank? If so I would let it slide.

If you really understand how big banks stole from the US taxpayer in 2008, you might want to steal more.
<i>defraud</i> is the verb form. To defraud is to illegally obtain money from (someone) by deception.

<i>fraud</i> is the noun form. 1) wrongful or criminal deception intended to result in financial or personal gain or 2) a person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.

The English language is changing. Modern usage has promoted some nouns to verbs in informal use, but for many of us, the change is a bit like scratching your fingernails on a blackboard. In a situation like this, where credibility is important, careful attention to usage and spelling is critical.