Don't involve law enforcement unless you absolutely have to. The first thing they'll do is investigate TF out of you and your friends/family and they absolutely cannot be trusted to "do the right thing" or especially not to protect you in any way. They are not your friend.
Because you want to be on record as having notified an attorney and law enforcement of the problem and your intention to experiment with the company's permission.
You want things on record in any way possible.
Just getting an emailed "okie dokie" back from some company executive and then doing something that could later be construed as illegal is a bad idea.
I understand what you're saying but strongly disagree with the strategy. Telling the police you intend to do something that could be illegal is a truly terrible idea. Are you hoping they will testify in your defense as a character witness? Law enforcement is tasked with making arrests not facilitating security disclosures.
Maybe let's just agree to get a good lawyer first and follow their advice about who to talk to.
Yeah, there is a pretty good chance that the police officer responds with a vague answer that implies everything is fine and then you unknowingly end up committing a crime by accident. The police aren't obligated to help you not break the law. They're only there to enforce it.
Because you want to be on record as having notified an attorney and law enforcement of the problem
You're almost right. You have your attorney notify law enforcement. That's what he's for. He'll keep all the records and act as a buffer between you and any misunderstanding with the police.
At that point why bother? Why would I spend my time and money for something that is simply not my problem? To do the right thing? The bank doesn't consider it the right thing. It's not clear that the law does.
Superficially speaking, he defrauded a US bank of $70k ($5k of which he transferred to his bank account).
Yes, he disclosed exactly how he did it to the bank. Yes, he returned it all. Yes, he had no intent to keep it. And yes, he still defrauded them in the process. Yes, he had permission to do so. But permission doesn't always prevent situations from going awry, even if it can help clear things up after the fact.
If you walk into a physical bank and notice a potential security issue, point out the potential security issue to the teller, come back to exploit that potential security issue just to see if you can, succeed and make off with $70k, then bring it all back in and walk the bank manager through how you robbed his bank, he's still going to call the cops on you. Or maybe you spoke to him before and got permission, but his communication to corporate after the fact gets misconstrued/misunderstood and someone else calls the cops.
Closing all of the accounts like they did was a crap reaction, but he could have just as easily been hand delivered an arrest warrant by an FBI agent for bank robbery and fraud if someone internally decided to take the position that what he did was analogous to the above scenario. And it may have just as easily occurred due to some internal miscommunication/misunderstanding by a non-technical person or being flagged by some type of automation/reporting, rather than deliberately taking such a stance.
That's where involving a lawyer would have been valuable. It may not have protected him from the consequences that did occur, since they could close his accounts for whatever reason they wanted. But a lawyer would have provided greater assurance against substantially worse outcomes, by ensuring more drastic outcomes were identified and addressed/mitigated upfront. And potentially saved his accounts from getting closed - the decrease in his cumulative credit limit plus closure of such long-lived credit cards translates into real economic harm due to the likely impact on his credit score. I could see a lawyer being able to use that fact somehow to persuade Chase that it was not in their best interests to take such an action.
Law enforcement - I'd leave that up to the lawyer. As another user commented, your lawyer is explicitly employed to protect your interests. If involving law enforcement furthers that aim, they'll tell you. If involving law enforcement is detrimental to that aim, they'll tell you. So consult with several first, hire one second, and let them direct what happens after. If what they do/recommend ends up being incredibly stupid, you at least have their malpractice insurance to appropriately compensate you for their stupidity. But you have no such insurance to compensate you for your own.
> Once I had permission quickly made a proof of concept ...
So unless you want to accuse him of lying, there's no fraud here. And the fact that Chase didn't file a police report makes me convinced there was nothing remotely illegal about his actions.
He mentioned having permission, but not by whom nor any assurances that said permission was appropriately disseminated to all relevant parties internally or appropriate lines of communication established to someone with the authority to expeditiously intercede in the case of issues.
As I said, such a situation could have occurred due to a miscommunication/misunderstanding, rather than taking a deliberate stance to prosecute him. A team (or member on said team) or some automated system unaware of that permission could have flagged the fraud and involved the authorities. Communication silos are a fact of big businesses. Politics and power-tripping executives are too, who may decide whoever gave such permission didn't have the authority and push ahead anyway for whatever reason. And inflexible legacy systems are too, which may trip some automated fraud detection system that automatically triggers a legal reaction.
The charges may have ultimately been dropped when everything got sorted out, or a judge could have dismissed the case based on the permission he was given (if the situation got to that point). But that's not for the law enforcement agent serving your warrant to decide, his job is just to bring you in. And in the event that happens, it's far better for your lawyer to already be prepared on how to address the situation than only getting them involved at that stage.
Whether or not Chase filed a police report has nothing to do with the legality of his actions. There are lots of reasons to file or not file: publicity, hassle, likelihood of recovery, and so on.
It seems like he took great pains to keep it legal, but the presence or absence of a police report means nothing.
As I mentioned in a sibling post, that's a legal defense in the event such a drastic reaction occurs. Not a foolproof preventative measure to ensure it doesn't.
Involving your lawyer isn't a foolproof preventative measure either. But your lawyer having an established line of communication with their lawyers can get things cleared up a whole helluva lot faster than if you get booked, have no lawyer, and are having to find and get one up to speed only after you're sitting in jail.
The entire experience with Chase while I was assisting them was very positive, and they even mentioned something about putting me on their upcoming researcher leaderboard.
Since Chase is a very big organization I would have to assume that another department took over the situation after, and decided to terminate my accounts to avoid any risk.
I will never know for certain as they have been very close-lipped about the whole event.
I have had an unrelated similar problem with Chase before: local interaction was all positive in sorting out a cross-border issue; about a week later someone from a different office closed the account without notification, information or recourse.
Local branch manager was frustrated but couldn't get any more information. The timing really made my life difficult for a few months, completely unnecessarily.
That was the last time I banked with Chase. A few colleagues told me they proactively left after also, due to the way it was handled - who knows if that was true.
I'm happy your experience (excepting the account closure) was positive! :)
I've got several Chase accounts myself, and glad to know they're not horribly hostile to such disclosures.
The original comment I replied to asked what difference it would have made in response to someone's "always involve a lawyer instead of trust these companies to do the right thing" post. Which is a generally good rule of thumb, as there's no guarantee someone else's experience would go as positively as yours did with Chase. So I wanted to point out a much more hostile outcome someone may feasibly experience in such a situation, to highlight the difference involving a lawyer could make.
I'm not a lawyer either (just enough lawyer friends to be terrified of the legal system), although as far as I'm aware you're correct. I'm not even sure if such actions meet the legal definition of fraud, nor if it'd be the most likely/appropriate charge brought in such a scenario.
But
1) Mens rea isn't an absolute defense. It doesn't refer to malicious intent, but more so specific intent[1], in this case, specifically performing a sequence of actions in order to discover/validate/confirm a vulnerability. You also don't have to know if what you're doing is a crime; if what you did fit the legal definition of fraud, and you performed that action fully cognizant of and in control of what you were doing, then it's still a crime irrespective of your awareness that it was a criminal act.
2) Mens rea is a legal argument. It may protect you from successful prosecution, but if you've hit this point, lawyers are already involved and you've more than likely already been arrested/charged.
3) The prosecutor could dismiss the case if they feel the likelihood of successful prosecution is minimal (such as when you produce the original permission you received) or the bank requests it. Or they could force a settlement if they think the case is shaky. Or they could be an ass and force the court/judge to decide. But you've still been arrested, your life has been disrupted, you've potentially sat in jail for some amount of time (at least until your bail hearing), and you've likely been economically harmed (via legal bills, cost of bail, potential impact to your state of employment, potential impairment to future earnings based purely on the arrest record even without prosecution, etc).
Which is why it's always good to involve or consult a lawyer before engaging with the company - the cost of doing so is effectively an insurance policy protecting you from ending up in a situation where you need to employ one for damage control. And you're likely to end up with a far larger bill if you end up having to pull a defense attorney in after the fact for damage control/crisis management than the bill you'd get for upfront risk mitigation.
If Chase had an official responsible disclosure policy at the time, I'd agree. But he mentioned his actions pre-dating Chase having any such thing. That is a far less solid footing, and one where talking to a lawyer can drastically improve your situational awareness.
Most lawyers will give you an initial consultation for free. Even if you don't hire one, just consulting with one can immensely improve your ability and confidence in navigating things solo.
I could definitely see that. Your $70k+ worth of travel estimate would have cost Chase $100k+, as airlines charge credit card companies about 2¢ for every point transferred[1].
He mentioned in this[1] comment that his overall experience during the whole thing was positive, so there wasn't really any specific problem, other than the annoyance over having his accounts unexpectedly terminated after it was all over.
But
- Shit happens. Even legitimately contracted pentesters can run into legal issues. These guys[2] worked for a firm hired by the state court system to pen-test the courts (from application testing to physical building security), were ultimately arrested due to a power play, railroaded by embarrassed local authorities, had their charges trumped up to the point of being considered a felony, were disavowed by the powers that hired them who went into "cover our ass" mode, and ultimately spent 5 months fighting the charges before the state legislature ultimately pressured the local authorities to drop them. And even with the charges dropped, the felony arrest record was not expunged and has lasting damage/implications both personally and professionally.
- In the above case, the client was not only the very same court/legal system overseeing their case, but also had an established, multi-year relationship with the security firm they worked for. Yet it still went that terribly wrong, took almost half a year to get legally resolved, and resulted in permanent felony arrest records. If things can go so terribly wrong for legitimately contracted professionals, how badly do you think it could go for a private citizen, with no official contract in place and only some form of written permission from the company that has not been vetted by a lawyer representing that individual's interests, and may not have even been vetted by that company's lawyers?
- He was dealing with a bank. Who are subject to a massive amount of legal and regulatory requirements for their customers that are specific for the banking industry, all of which tend to get interpreted/applied from a conservative standpoint due to the risks and penalties they're subject to for non-compliance.
- He was using his real, live accounts during the process. His actions could have easily triggered their fraud detection system to automatically generate and submit a SAR[3] due to "suspicious activity that might signal criminal activity". Even if someone fully aware of the situation (and granted permission) intercepted such a SAR before it was submitted, it may be decided that such actions from a private individual not contracted by the company to perform such work fit the threshold of "might signal" and still ultimately get submitted, triggering who-knows-what downstream repercussions/investigations after it's submitted to the government.
- Their responsible disclosure program[4] did not exist at the time, so there were no explicitly documented and legally vetted acceptable rules of engagement publicly available. It's possible that rules of engagement were part of his communications with them, but not mentioned in the article (nor again, vetted by a lawyer bound to represent his interests).
So while there was ultimately no problem in this instance beyond the inconvenience of his accounts getting closed, doing so without the aid/guidance of legal counsel involved assuming an unknown and potentially substantial amount of personal risk/liability in the process. Which is why it would be highly advisable for someone in a similar situation to speak to or retain a lawyer.