Ask Slashdot: To Hack Or Not To Hack?

seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."

First thing first

[CmdrPony]

Don't talk about it much publicly. You never know what kind of people there are on the internet and what they could do once they figure out what company you're talking about. Now Slashdot, what are your suggestions to him?

Language matters

[colinrichardday]

Please don't call such activity "hacking". It is cracking. Learn the difference.

notify visa

[banbeans]

U.S. – (650) 432-2978 or usfraudcontrol@visa.com

Re:notify visa

[James Renken]

This! If you're able to see credit card information, then they are not storing it in a PCI DSS compliant manner, and Visa/MasterCard should be extremely interested.

Re:First thing first

[Zaphod The 42nd]

He is clearly miles and miles in over his head. My advice: STOP. NOW. Don't touch anything and don't say anything. Go read books on ethical hacking and wiretapping / unauthorized access law. He's likely already in violation of several laws, possibly several federal laws. And now he's admitted to them publicly on the internet. -__-

He's already violated several conditions of the Computer Fraud and Abuse act: conspiracy to access a computer without permission, accessing a computer without permission, including financial records
Computer Fraud and Abuse Act [wikipedia.org] State laws on Computer Hacking and Unauthorized Access [ncsl.org]

I suppose I'm getting ahead of myself by assuming he is in the United States. Regardless though, I ask:
To go to jail, or not to go to jail?

Re:Oh boy...

[TheSpoom]

This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.

Re:First thing first

[chill]

An anonymous tip to US-CERT might not be a bad idea. But, yes, he is in over his head and opening himself up for nasty reprisals when the company looks for someone to blame.

Re:Go to the investors

[Amouth]

If it was me - after the company doesn't bother to recognize it - i'd contact the Credit Card clearing house (Visa/MC/AMex) that they use.. Anyone who is processing and storing CC info has to comply with PCI DSS. If you can get access to card info then they are out of compliance, and are subject to have their merchant account deactivated, charges seized, and pay fines.

The CC companies don't (Normally) play around with it. Contact them and inform them of the situation, IF (AND ONLY IF) they need it provide them a proof of concept CODE/Method only, DO NOT grab card numbers and send them to them as an example, let the CC company evaluate your proof of concept and see if they can access CC numbers.

This method seems to work (has in the past) to get people to fix their holes.. As for them actually becoming a more responsible company after this, well hell never has been a cold place..

Re:PCI

[X0563511]

The difference is that Ford doesn't head up a cabal of auto makers that hand out outragious fines to those who handle said cars insecurely.

Here, since you obviously don't realize what PCI means in this context. [pcisecuritystandards.org]

Re:notify visa

[X0563511]

should be -> are :)

(spoken as someone in the industry)

Re:First thing first

[NeverVotedBush]

Detail it to Brian Krebs. He would be a very good source of information on what to do.

http://krebsonsecurity.com/ [krebsonsecurity.com]

Re:First thing first

[JMJimmy]

Blow it up sounds fun but it'll get you sued or worse.

http://seclists.org/fulldisclosure/ [seclists.org]

I had to threaten to expose a security flaw which exposed hundreds of thousands of peoples info (luckily no financial info) - within an hour of threatening full disclosure they'd closed my "tech ticket" and an administrator was emailing me for more details and a timeline for a fix.