While this finding is significant, I have other concerns. The posting only gave the companies two weeks to respond. Big problems usually require big solutions, and those do not happen overnight. It might take the company two weeks just to verify the findings. Was this posting more about helping society, or self-publicity?
The Internet Storm Center today posted about a professor assigning "hacking" homework that requires illegal actions by students (http://isc.sans.org/diary.php?storyid=1155). The ISC updates show that this is unacceptable behavior. With regard to ExpressPay... Even if the exploit authors were only testing to see if the exploit worked, it still seems to be financial fraud. Did they have permission to test the exploit at a Kinko's? Did they have permission from ExpressPay? Since they had trouble contacting anyone, I suspect the answer is no.
The exploit shows how to create money from nothing. How much money was virtually created and actually spent during the testing? Was it paid back to Kinko's? Is it OK to illegally create and spend a few cents? A dollar? What is the cutoff for unacceptable fraud? Do the ends justify the means?