mr. r. s. braythwayt,
esquire


Creative Commons License

Reporting a Vulnerability

I have a chequing account at First Trustworthy. My home mortgage is with Neighbourhood Savings and Loan. As a condition of my mortgage, I have a chequing account with Neighbourhood Savings and Loan to make my payments.

Every month, I transfer money online from my First Trustworthy account to my Neighbourhood Savings and Loan account, the day before my payment is due. The next day, Neighbourhood Savings and Loan withdraws the payment amount from my account, and all is well.

One month, I happened to be shopping near Neighbourhood Savings and Loan the day before my mortgage was due, so I dropped in and wrote them a cheque from my First Trustworthy account, the old-fashioned way to transfer money. They credited my Neighbourhood Savings and Loan account right away.

Which got me thinking: How did they know to credit my account, when the cheques only clear at night? Maybe it’s because I have a mortgage with them, so they trust me.

A few days later, I decided to test their security. My First Trustworthy account had a balance of just a few hundred dollars, the cheque for the mortgage payment had cleared, and I was waiting for my next paycheque. I went into Neighbourhood Savings and Loan, and wrote myself a cheque for $5,000 from my First Trustworthy account. They credited my account, even though I didn’t have the funds to cover the cheque.

So I withdrew the entire amount. No problem! I went back to First Trustworthy and deposited the money so that the cheque wouldn’t bounce; I’m not a thief.

Then I wrote Neighbourhood Savings and Loan a letter walking through my actions and explaining how their procedures left them vulnerable to fraud. I waited for their response.

To my shock, instead of a thank-you, I got a visit from the police, at work, who were investigating what they called “Uttering a false document.” A complaint had been filed by the bank, who were also closing my accounts and calling my mortgage.

Here I am trying to helpfully report a vulnerability, and they treat me like a criminal.

I told this to the police officers, and they simply asked me if the bank had engaged me to test their procedures, or if I had chosen to commit fraud of my own free will. They asked me if the bank had a written policy of inviting its customers to try to defraud them. They asked me if the law had special provisions for citizens deciding to investigate theoretical crime by carrying it out, unbidden.

I need a lawyer. I’m meeting one for coffee.