
Can someone please explain to me why companies make decisions like this? I have been on HN long enough to see many stories like this, but I have never once heard a suggestion of a rational line of human behavior.

Is it lawyers misunderstanding the value of security research?



In my experience, it's that people without experience with security researchers tend to think of security issues as having been fundamentally created by the researchers themselves, rather than already existing in the system.

If you have no idea how someone finds such things, your first read is that the researcher has created the problem by finding it, when it could have just never been found by anyone instead. It's cliché, but the portrayal of hackers in films always implies that they could get into anything, with reasoning in a similar vein to: if I knew all about windows and used that knowledge to smash the window of someone's house, then claimed it was a flaw that I could get in, that'd be on me.

Then, there is the problem of communication. An external person discovering such a flaw is already going out of their way to do something for the maker of the software, and I find that those being communicated with often find this interaction grating.

I think the psychology is complicated, but it's somewhere between alarm that such a flaw was found, fear that the finding of such a flaw is a reflection on you or your engineering team that will harm you, and the fact that the researcher, unpaid and not expecting anything, isn't there to hold their hand and reassure / explain such things. As a researcher, I want to spend the minimum time on this.

The only thing I'll insist on is that it gets fixed in time, and if this draws out for months I eventually get in a position where I have to make threats of disclosure or nothing will get done.


I think you got this exactly right. The reaction of an uneducated manager here was probably “Wow this guy hacked our system by doing things he wasn’t supposed to do. You’re not allowed to transfer between cards. He broke the rules.”

It’s not unlike the logic that says “We left our front door unlocked and someone walked in. How dare they.”


"I eventually get in a position where I have to make threats of disclosure or nothing will get done."

If they want you to pen test their systems they will hire you. It's not your job.

Vote with your feet and walk to a local credit union which may embrace your help (talk to them before starting your pen tests).


I can imagine that something like this happened:

1. Based on the disclosure, usage of multiple sessions was marked as possible fraudulent activity.
2. When a new signal for fraudulent activity is added, accounts and transactions in the past are checked as well.
3. OP's account comes up as having fraudulent activity (of course it does, he's the one who found it).
4. Nobody at Chase takes the effort to see what exactly happened here and that this account (or at least the specific transaction) should be excluded from the positive results.

Remember that Facebook reported the BBC to the police for telling them there was CP on their network [0]? I think something similar happened.

[0] https://gizmodo.com/bbc-tells-facebook-about-child-porn-on-t...


I work on a fraud team for a big loyalty program, and unfortunately, I can definitely see something like this happening within my organization. I don't think it's even necessary that this person's account got swept up when looking for similar transactions. It's very easy for the nuances of complicated situations like these to get lost as they pass through the organization.

Eventually the issue could've been forwarded to a lower level employee who spends 99.9% of their time reversing fraud caused by unrelenting fraudsters, and so they figured that must be what's going on here too. So they closed the account, closed any connected accounts, and sent a generic sternly worded email.

But equally likely is that Chase deliberately and short-sightedly thought, "this sort of shit just isn't something we want our customers to be doing; get rid of him."


This appears to suggest otherwise: "about a week later they followed up with an email which legally I cannot disclose as they have been quite hostile with me."


Company managers become upset because this makes them look bad. Most corporate security depts spend a lot of money on salaries, devices, etc. And then some hacker kid comes along and embarrasses them. They retaliate and try to 'kill the messenger' to save their reputation (internally) and continue to 'play security' with big budgets and vendor conferences. Really, all they do is CYA. That's all that matters to them.

Edit: This happened to me when I compromised a Windows Active Directory (got domain admin on all the domain controllers) and it has happened to my colleagues as well. The default corporate response is to threaten, marginalize or try to fire the security researcher.


I also want to know this.

Here's what I made up in my head:

Corporate managers and lawyers in particular have to constantly monitor for and defend against legal attacks, both legitimate and illegitimate. They have to stay on their toes about tricks and traps built into contracts and business deals and that sort of thing.

When a nerd comes to them to report a true fact about reality that it will help them to know, we (the nerds) expect them to be grateful and cooperative.

But in fact they are trying to figure out what the angle is, or if not, what the angle could possibly be. One nerd's helpful security disclosure is a corporate lawyer's extortion attempt: "Nice corporation you got there. Too bad about this critical security vulnerability that may or may not constitute fiduciary negligence, but would definitely harm customer trust in your financial institution. Maybe we can help each other out, friendly like..."

So when someone comes at you like that, what do you do? If you're a hardass corporate lawyer you posse up, lock down, stonewall, shut off any practical ability for the person to have any further interaction with you, use all legal means at your disposal to get them to shut up about the issue now and forever. After all, this person just proved they have the ability and probably the willingness to discover vulnerabilities and extort you with them. Maybe. Why risk it?

That's the story I made up about it. I think it's a combination of incentives in the legal landscape and a huge culture clash.


Kind of like the de-facto response when approached by a stranger in a large city, regardless of their intention.


I have approached hundreds of people out of the blue on the street in large cities and the vast majority are not startled or scared. Most just greet you in return.


> Is it lawyers misunderstanding the value of security research?

I would've thought it would be more likely some middle manager who doesn't understand tech and just knows this person was ""abusing"" their system.


IT is a cost center to them and they want to build/maintain their software as cheaply as possible. Short term it's cheaper to sweep this under the rug than to actually build a culture where security and best practices are important. Long term it doesn't matter because the senior management will have moved on.


I think it could be that nobody wants to be the bearer of bad news which might reflect very poorly on themselves/their team, so they would rather ignore the issue than ask the higher-ups for budget to deal with it.


"Someone closed an account with a balance of -5M reward points" might automatically trigger this. Plenty of account closures happen without a human ever seeing it.


This termination did not happen instantly.

The account was brought back to normal well before the termination of all of our accounts.

I also expected them to have automatic triggers, but at the time they did not.


OP confirmed that his (allegedly human) contacts at Chase were aware of the closure, and chose not to comment.

I would generally also suggest incompetence over malice, but the above fact makes that very hard.


It would be a federal crime to mention the words "money laundering," let alone specific tells, to the owner of an account suspected of money laundering. Chase policy probably applies this gag rule to any account being closed by Chase rather than splitting hairs about AML vs. other reasons.


I understand the laws behind that, but personally still think there is a large gap between "we legally can't disclose the reason" and "we are telling every employee to just shut up and say nothing".

I would expect a reasonable middle ground of letting employees say "I'm sorry, but it's corporate policy and I can't disclose more information."


I think most likely is that the fraud team flagged the account and deactivated it, and there's no process internally to stop that so SVP guy couldn't do anything.

Sort of like the Google account issue where employees can't internally appeal to stop account suspensions.

