Security Basics mailing list archives

Re: Bank Exploit


From: krymson () gmail com
Date: 27 Jul 2007 14:00:49 -0000

There are a number of rubs with this question, making it very interesting.

1) If you decide to anonymously divulge the issue, make sure you're conscious of how you found out about the issue in 
the first place. Did your friend find it from his home system? Any team worth their pay that receives this information 
may look into their exposure, i.e. did someone already leverage this exploit? They check their logs, see you've done 
it, track you down anyway. This is especially easy if the methods leave distinct and easily-searchable log entries.

2) If your friend or you are a customer of that bank, you might be a little "safer" than if you were just some third 
party. As a concerned customer, you could present your findings and they may treat you differently.

3) So, let's say you're a customer of this bank for the sake of this third point. You find this exploit. You read 
advice on this board that says, "don't divulge it, just keep quiet and move on with life." You found it, which means 
others can likely find it. Do you remain a customer? Do you feel less secure? That's an interesting dilemma and I think 
I know what the business would rather have you do: remain a customer.

If you and your friend have no ties to the bank, then I think you're back in an "easier" seat of either divulging, 
anonymously divulging, or just walking away.


<- snip ->
Friend of mine (not me, really) is working with a client of his who
claims to have inadvertently discovered a few web exploits of several
financial institutions. Does anyone have any insights as to how this guy
could bring these to the attention of the organizations involved without
being seen as a hacker? His minimal goal is to help the institutions,
optimally he would like to consult to help them rectify the issues.
