
Disclosure: Unlimited Chase Ultimate Rewards Points

1181 points by ic4l over 4 years ago

37 comments

Communitivity over 4 years ago
You had the best of intentions, and tried to do everything right. Unfortunately, in modern times that just paints a bigger target on your back.

This is why I got out of cybersecurity. Even when you are a good guy, the other folks look at you like it's only a matter of time before you steal the crown jewels while their back is turned. And if you are disclosing vulns you found when not actually hired to do so, forget about it - the best you can hope for is a thank you and a bounty that doesn't make it worth the time it took. The sky's the limit on the worst you can get.

The prospects of folks probing systems for the fun of it and disclosing how to secure them better to the owners in order to make the world a better place have become too grim. If you really want to do this, then I recommend you join a security company and do it as an employee to get that protection.

Every decade since 1989 I have marveled at how much closer our world has gotten to the world of Shadowrun. I just wish we had gotten the magic to go with the pall of shadows that hangs over us now.
ic4l over 4 years ago
Due to fear of retaliation I decided initially not to share this story, but enough time has passed, and I feel the security community should know how one of the largest banks treats security researchers.
duxup over 4 years ago
Not long ago I worked at a big name tech company and with someone who interacted with folks who reported security concerns.

Half the time the security team was scrambling to prevent various people from sending legal on a crusade to attack the latest researcher who responsibly told them about a security issue. It only got better after legal was educated enough to not just shoot from the hip with threats... but really they were just acting like a firewall for much of the management team who saw any such disclosure as some sort of attack.

And this was a tech company, everything they did was technology, located in the valley... they still didn't get it.

Even just getting these researchers token recognition (many asked for almost nothing) was an uphill battle.

One of the challenges was that the folks on the security team were really passionate about doing the right thing and they didn't want to break relationships they had with researchers / the community. They were prone to leave companies who were bad at handling those relationships ... leaving bad companies with fewer such people and accordingly things would fester.

The security industry is full of straight up charlatans and legit people. The legit people are super sensitive about being associated with charlatans and thus the charlatans are often left to their own devices after the legit folks run for cover (elsewhere).

For the record this is my perception from working with security minded folks, and not actually working in that industry myself.
tyingq over 4 years ago
Wow. You did the best you could to let them know about the problem, returned the $5k, etc. And they chose to be arseholes and just close your accounts and pretend you don't exist.

This will have some amount of Streisand effect. I doubt they've really fixed the race conditions. And, the story itself is interesting enough to take off.
Schiendelman over 4 years ago
We need to pass laws that forbid retaliation against disclosure, and require bounty programs. It might even make sense to have disclosure go through a public agency to arbitrate, and bond companies to that agency, much like we do with contractors.
DevX101 over 4 years ago
Congratulations Chase. You've just increased the probability that the next security researcher who discovers a vulnerability says nothing to you, or worse sells the exploit on the black market.
zxcvbn4038 over 4 years ago
I once applied for an IT Security job at Citibank - as I'm walking to the conference room for the interview I notice that every single desk had a beat-up dog-eared copy of "Computer Security For Dummies" on it. It didn't do them much good, a year later I read they had lost $60 million because you could go into their web banking system, and once authenticated you could access any retail bank account by changing the account number in the URL.

Years earlier I was at Chase Manhattan when they decided to hire an IT security role. The guy they selected was a tradesman who specialized in brickwork. Computer Security For Dummies was also his goto and it never left his hands. Most of our interaction with him was his trying to find "the NFS". We told him several times that we didn't use NFS but he was convinced we did and were hiding the NFS from him. He called all of us individually into meetings with him and our manager to try and get us to crack and admit where we had hidden the NFS but was unsuccessful - it was a conspiracy. He hired in a couple of consultants to find where the NFS was but they couldn't find it either. When I left he was having the network engineers trace all of the cables to see if we had hidden the NFS in a closet or under the floor.
mkoryak over 4 years ago
About 5 years ago I took my infant son for a morning stroll and found an SSD drive lying in the grass next to a busy street (Jamaicaway in JP). I picked it up and later looked to see what was on it because I wanted to know why someone would throw out a perfectly good SSD (they were still expensive back then).

Long story short, I found a bunch of mdb files with personal information about people's ambulance rides. I reached out to EMS and they were very nice and took the drive back with them. A few weeks later I got a scary lawyer email asking me to submit all my computers for a search because I hacked their security to get the data.

It eventually turned out OK, but the moral of the story is that I will never again do the right thing if I happen to discover a problem that makes a large entity look bad.
chairmanwow1 over 4 years ago
Can someone please explain to me why companies make decisions like this? I have been on HN long enough to see many stories like this, but never once heard the suggestion of a rational line of human behavior.

Is it lawyers misunderstanding the value of security research?
exabrial over 4 years ago
Remember Chase is the bank where your passwords couldn't contain special characters and were limited to 12 characters up until 2017-2018 (I lost track, don't quote me). I wouldn't hold my money there if they paid me.
dhanvantharim1 over 4 years ago
I don't think this behaviour is reserved only to banks. I once worked for a tech company which treated a security researcher who found a vulnerability with the same hostility. They had an "easter egg" in the code saying "F*** you <name of the researcher>". Needless to say I left that place soon after this incident. It baffles me why companies won't reward these people for doing the testing for them instead of taking these disclosures as an act of war against them.
wdb over 4 years ago
Funny that they are always quick to close your accounts and credit cards but if it's about mortgages/loans they leave those open.

If they write you off as a client for accounts/credit cards, why not also for the mortgage/loans?
1vuio0pswjnm7 over 4 years ago
Guesses why the HTML page is URL-encoded and inserted into a script tag.

To read without Javascript:

    curl https://chadscira.com/post/5fa269d46142ac544e013d6e/DISCLOSURE-Unlimited-Chase-Ultimate-Rewards-Points | sed 's/%3A/:/g; s/%2C/,/g; s/%2F/\//g; s/%3D/=/g; s/%3B/;/g; s/%3F/?/g; s/%26/\&/g; s/%22/\"/g; s/%20/ /g; s/%28/(/g; s/%29/)/g; s/%3C/</g; s/%3E/>/g; s/%27/'"'"'/g; s/%0D//g; s/%0A//g;' | grep -o "<p>.*</p>" > 1.htm
    firefox ./1.htm
phantom_oracle over 4 years ago
One would think that banks, who are the prime target for every person that "wants to hack", would be leading the way in terms of bug bounty programs and benefiting from smart people finding gaping holes in their systems.

This bank could have gotten into serious trouble with regulators if a bad actor exploited this bug and stole millions.

Don't expect them to adjust their behavior any time soon, but the "HN effect" might make them undo this action to avoid bad PR and make a few vague promises about "fixing the issue to avoid it happening in the future".
webel0 over 4 years ago
It is interesting that the only way to draw attention to this issue was via Twitter DM. For many big companies this seems to be the one place where you can hope to get a response.

For example, a year ago I was in a pinch and ended up booking a flight on Delta via Twitter DM.

The problem with this is that the escalation chain and documentation to go along with it is unclear. The author could only hope that he was being connected with the right people. Likewise, I was just crossing my fingers that there was, indeed, a ticket waiting for me.
jakobdabo over 4 years ago
This is why the so called responsible disclosure isn't a silver bullet. I believe, in cases when there is no bounty program and no substantial risk for the users' data or resources, one should go with full, anonymous disclosure.
rhexs over 4 years ago
Interesting that the bounty program is only mentioned in the text screenshot and not the article. While it’s unfortunate that this happened, randomly pen-testing a bank then presumably asking for money is not something I would advise.
superfunny over 4 years ago
This story will hurt the bank's ability to hire talented programmers and developers in the future.
athenot over 4 years ago
Thanks for sharing this. I just closed my account citing Chase's poor behavior towards security researchers.
offtop5 over 4 years ago
Very very strange that instead of getting written approval from their counsel you just did it.

This is the type of thing to test in a QA environment, not in real life with your real money.
parksy over 4 years ago
I was involved in a somewhat similar situation in the late 2000's when working on a team building an eCommerce website.

We found a major national bank's newly public merchant gateway allowed anyone who knew the IP address of an authorised merchant facility (such as an EFTPOS terminal) to spoof its IP address and submit requests to the gateway. It seemed they just relied on the supplied IP address in the XML payload to verify that a device was authorised to use the gateway.

A small proof of concept showed that it was exploitable, e.g. a small script proved a bank card would be processed successfully without needing to actually be on an authorised network or go through any kind of session handshake - we didn't try any of the other functions like requesting refunds or cancelling payments but figured the bank would like to know they had a big glaring hole in their security.

After finally getting through their merry-go-round of customer "support" to someone in their IT/Security team, the initial cordial emails stopped and we received a threatening letter from their legal department blathering about legal repercussions of cyber crime and fraud etc. They also contacted the client and threatened to shut down their accounts and merchant facilities for our transgressions.

Anyway, definitely makes me think twice about reporting any public-facing security issues directly to a company, I don't have the resources or willpower to fight a major corporation if they decide to swing that way, that's for sure.
mtnGoat over 4 years ago
And this is why I've never notified anyone about any security issues I find, better to laugh and move on.

Twenty years ago or so, I offered help to parties and every one of them accused me of causing the problem or otherwise being malicious. Let them find their own problems, I'll focus on my own.

A major US retailer used to have their entire OMS/back-office on an ip, it was that way for years despite multiple reports. And then they got ravaged when the first bad actor came along, easily preventable and they were warned.
pfortuny over 4 years ago
The terrible summary is: never ever do a favour to a Company. Ever.

The risk is not worth the merit.
ca98am79 over 4 years ago
My wife and I got banned by Chase, also. They don't tell you why, but I accidentally submitted two credit card applications (one for myself and one for my wife) with identical Northwest Airlines frequent flier miles numbers. I think this must have flagged something because one day I noticed all of my Chase cards and accounts stopped working and I got a letter in the mail a few days later. There was no phone number, only an address to mail a letter for further inquiries. I mailed a letter explaining that I thought they made a mistake. Someone called me back and told me it wasn't a mistake and they wouldn't give me any more information.

I suppose somehow, legally, this became the best course of action for Chase bank - to cut the customer off immediately and give them zero information about it. But it really doesn't feel right and made me never want to do business with Chase again.
retox over 4 years ago
We aren&#x27;t seeing the whole set of messages here but from what is in the post the customer rep asked for confirmation that an account could be left with negative point balance so the researcher went ahead and created negative 5 million points and cashed out $5000. This doesn&#x27;t seem responsible in the slightest.
6456457 over 4 years ago
> This happened on November 17th 2016, and I am just publicly disclosing it today.

> While transferring balances between accounts on an unstable internet connection I saw that the system did a double transfer resulting in one card having a negative balance.

> This reminded me of issues I reported in the past with Starbucks US, and Starbucks TH. Both of those entities had major issues with race conditions.

How does this happen in 2016? It's as if software developers have somehow gotten collectively worse than they were 20 years ago.
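The double-transfer race the quoted article describes, shown as an added example that is not from the post, the article or any bank's code: a constructed in-memory points ledger whose check-then-act transfer goes negative when a client retry (the "unstable connection" case) races the original request, beside a version that serialises transfers under a lock and deduplicates on a client-supplied request id. The Barrier in the naive ledger is a test aid that forces the interleaving deterministically; real systems hit it by timing.

```python
import threading


class NaiveLedger:
    """Check-then-act with no lock and no request deduplication (the bug pattern)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        # Constructed test aid, not part of any real ledger: holds every request
        # between its balance check and its debit so the race is reproducible.
        self.window = threading.Barrier(2, timeout=5)

    def transfer(self, src, dst, amount, request_id):
        if amount <= 0 or self.balances[src] < amount:
            return False
        self.window.wait()            # both requests have passed the check by now
        self.balances[src] -= amount  # the second debit drives src negative
        self.balances[dst] += amount
        return True


class SafeLedger:
    """Serialises transfers and makes them idempotent on a client-supplied request id."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.lock = threading.Lock()
        self.applied = {}  # request_id -> outcome, so a retry is never applied twice

    def transfer(self, src, dst, amount, request_id):
        with self.lock:  # check and debit are one atomic step
            if request_id in self.applied:
                return self.applied[request_id]  # retry: report the earlier outcome
            ok = amount > 0 and self.balances[src] >= amount
            if ok:
                self.balances[src] -= amount
                self.balances[dst] += amount
            self.applied[request_id] = ok
            return ok


def run_concurrently(ledger, src, dst, amount, request_ids):
    """Submit one transfer per request id from separate threads; return outcomes and balances."""
    results = [None] * len(request_ids)

    def worker(i, rid):
        results[i] = ledger.transfer(src, dst, amount, rid)

    threads = [threading.Thread(target=worker, args=(i, rid)) for i, rid in enumerate(request_ids)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, dict(ledger.balances)


if __name__ == "__main__":
    # Constructed balances: 5,000,000 points on card A, nothing on card B; "req-1" twice is a retry.
    print(run_concurrently(NaiveLedger({"A": 5_000_000, "B": 0}), "A", "B", 5_000_000, ["req-1", "req-1"]))
    print(run_concurrently(SafeLedger({"A": 5_000_000, "B": 0}), "A", "B", 5_000_000, ["req-1", "req-1"]))
```

A database-backed ledger gets the same property from a transaction that locks the source row (or a CHECK constraint on the balance) plus a unique index on the request id.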
MetalGuru over 4 years ago
Why do security researchers keep being nice to these companies when said companies mistake good intentions with malicious ones and treat the security researchers like shit?
texasbigdata over 4 years ago
Is this legal? The Chase team should follow up, because it seems like a termination eligible offense on their end. Especially as the individuals are clearly identified. Access to credit and banking is a protected right in America. If Dave and friend want to circumvent the rules they should be eligible to lose their jobs as well.
royroyroys over 4 years ago
Would this kind of attitude by an organisation incentivise malicious/nefarious activities? Is it because if actual funds are stolen they'd be covered by insurance and could leverage law enforcement, but open security research may just cause extra internal costs?
projektfu over 4 years ago
Reminds me of Patrick Coombs and his junk mail check experience. "I wonder what happens..."

https://www.ft.com/content/93a47a62-daf0-11e1-8074-00144feab49a
rootsudo over 4 years ago
You weren't the only one, back then it was known race conditions triggered stuff on Chase.

I can't find anything referencing it, but something similar happened with Zelle back in 2017, and in 2015 also with its mobile app.
minusSeven over 4 years ago
I guess the consensus I can draw from this post is that it's never worth the effort to disclose security vulnerabilities....

Feels kind of like an American thing.
MidnightRaver over 4 years ago
I like crypto lockers. It means researchers can set the price of the vulnerabilities discovered, not shitty corporations.
rs999gti over 4 years ago
The OP won in the casino too much, so they decided to show him out and bar him from the property.
lukeramsden over 4 years ago
I wonder if legal obligations surrounding responsible disclosure and treatment of security researchers should be brought in. GDPR-sized fines for treatment like this, as well as negligence in fixing reported vulnerabilities, could go a long way to improving the lives of security researchers wrt security of their livelihood, and improve the security of the digital world for all of us.
corn13read2 over 4 years ago
Fuck Chase, they did the same to me and my family too
0goel0 over 4 years ago
Good timing. I just finished moving from Chase to Ally as my main bank account.