Yash KS, the security researcher who recently released a PoC video showing how HSBC bank transactions can be manipulated through Man-in-the-Browser (MitB) attacks, told Moneylife not only that the institution tried to force him to remove the video, but that it also sent “goons” to his house.
“After failed attempts to bring down the content with the help of the service provider, HSBC sent goons to my residence. I was not present at that time; they asked my family members rude questions,” he said.
Yash claims that he found other vulnerabilities and that the banks simply refused to work with him on addressing the issues. Fortunately, even though their representatives were hard-headed and told the researcher nothing, some organizations at least fixed the flaws quietly.
“Citibank has never responded when I contacted them to talk about malware. But when I posted my videos online, they mitigated the risk to some level within 10 days. It’s a good response. (However) Before fixing it, they blocked my video in YouTube saying it is harmful content,” he added.
In the case of ICICI Bank, the researcher tried to demonstrate to bank officials that malware could harm their account holders, but they refused to believe his claims, which led him to publish a PoC several months later in an attempt to force ICICI to address the problem.
Instead of handling the problem, the bank threatened Yash with legal action if he refused to remove the material.
The bottom line is that most researchers contact the company involved before publishing a proof-of-concept, especially if sensitive information is involved and customers could suffer. The organizations that find themselves in these situations should seriously consider adjusting their attitude to ensure that the security holes are resolved as quickly as possible.