Report a security problem to a bank and get threatened with the FBI

(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at: lawrence@krubner.com, or follow me on Twitter.

It is a bit frustrating that banks show so little interest in increasing their online security:

The next day, I phoned the Zecco office with a message to Jeff Chamberlain and Jeroen Veth to arrange a phone call.

During the week of 2008-01-06 I held phone conferences with Jeff Chamberlain (Fraud Prevention Manager), Jeroen Veth (Founder and CEO), Michael Raneri (then CTO, later promoted to CEO and now Managing Director – PwC), Phil (Penson Bank, their software vendor), Greg (VP of Engineering), Loren Cheng (NCFTA) and the United States Federal Bureau of Investigation (representing NCFTA).

On the phone call I presented that one line of code which innocuously would allow me to purchase Krispy Kreme on an iPhone. But also we discussed the ramifications of their insecure implementation. Penson confirmed that this software was affecting over 100,000 North American retail branches (I will not say which). Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitimate transactions.

During our conversation, Chamberlain, Veth and Raneri made it very clear that their sole intention was to prevent public disclosure of this incident, rather than actually fix the problem.

Raneri questioned my motivation and I said that I want to give the vendor ample time to resolve the issue and then I want to publish academically. He was very threatened by this and made thinly veiled threats that the FBI or other institutions would “protect him”. Then he continued with statements including “we want to hire you but you must sign this NDA first.” He also recommended that I only make disclosure through FINRA, SDI, NCFTA and other private fraud threat sharing organizations for financial institutions.

Jan 2009 — Entriken contacts Penson and NCFTA; Penson and NCFTA are unwilling to schedule a meeting

Dec 15, 2009 — Entriken sent email to Jeroen Veth stating that the vulnerability still exists and that he knows how to fix it.
Raneri replies: “Good to hear from you Will, even if it is through Jeroen. I think we are all set on the consulting end of things. Hope all is well with you.”

Oct 6, 2008 — Phone conference with Raneri, Entriken;
Complete vulnerability discussed, possible solution proposed by Raneri, Entriken demonstrates that solution does not work, Entriken offers to provide solution, Raneri declines; Raneri requires completion of NDA and offers to put Entriken in contact with Jeff Chamberlain and Loren Cheng with NCFTA for December meeting
Email sent by Raneri to Gregg Kang and Francesco Matteini regarding the matter

Oct 27, 2008 — Entriken sends executed NDA

Jan 7, 2010 — Entriken provides full details of everything discussed above to FINRA under their “Misconduct” reporting for “Firm policy/procedure”, Secondary: “Safekeeping/private of information” under MICHAEL PAUL RANERI. Zecco provided a filing ID of 681233 and submission date 1/7/2010 10:40 PM.

2017 — I have yet to hear from FINRA that any action has been taken. I have yet to hear from ZECCO / TradeKing that the issue has been resolved.

Post external references

  1. https://privacylog.blogspot.com/2017/04/what-happens-when-you-send-zero-day-to.html