11 months ago
Out of fear of retaliation I initially decided not to share this story, but enough time has passed.
This happened on November 17th, 2016, and I am just publicly disclosing it today.
While transferring balances between accounts on an unstable internet connection, I saw that the system performed a double transfer, resulting in one card having a negative balance.
But because this was a bank, I wanted to get their explicit permission before researching any further. I tried reaching out through many channels, but the one that finally put me in contact with a team that could assist was the @ChaseSupport Twitter account, and after that I proceeded to prove that this was indeed an issue.
This was before they even had a responsible disclosure program (they created one shortly after I reported this to them).
Once I had permission, I quickly made a proof of concept that used multiple sessions and started to transfer balances back and forth concurrently. This worked too well, and resulted in the creation of 5,000,000 rewards points ($70,000+ USD in travel).
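The race the proof of concept exploited, as an added example that is not part of the original post and is not Chase's code: a transfer whose balance check is made on a snapshot read and whose decrement is applied atomically afterwards, so two concurrent sessions can both pass the check and drive one account negative while the total is conserved (the kind of +5,120,698 / -5,000,000 split described here), beside a hardened ledger that checks and updates inside one critical section and deduplicates retried requests (the double transfer on a flaky connection). The class names, the `request_id` parameter and the `after_check` hook are assumptions made for the illustration.

```python
"""Check-then-act race in a points transfer, and the atomic fix (illustrative, not Chase's code)."""
import random
import threading
import time


class RacyLedger:
    """Vulnerable: the balance check is a snapshot read made outside the critical section.

    Analogous to `SELECT balance` followed later by an atomic
    `UPDATE accounts SET balance = balance - :amt`, with nothing spanning both.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        self._write_lock = threading.Lock()    # the update alone is atomic; the check is not

    def transfer(self, src, dst, amount, after_check=None):
        if self.balances[src] < amount:        # stale by the time we write
            return False
        if after_check is not None:
            after_check()                      # hypothetical hook: latency / a second session acting
        with self._write_lock:
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


class SafeLedger:
    """Hardened: check and update in one critical section, plus idempotent request ids.

    Analogous to `UPDATE ... SET balance = balance - :amt WHERE id = :src AND balance >= :amt`
    with the affected-row count checked, and a client-supplied request id so a retried
    request is answered from the first result instead of being applied twice.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()
        self._seen = {}                        # request_id -> result of the first application

    def transfer(self, src, dst, amount, request_id, after_check=None):
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._lock:
            if request_id in self._seen:       # retry of a request already applied
                return self._seen[request_id]
            ok = self.balances[src] >= amount  # check ...
            if ok:
                if after_check is not None:
                    after_check()              # still under the lock: no window for another session
                self.balances[src] -= amount   # ... and act, atomically with the check
                self.balances[dst] += amount
            self._seen[request_id] = ok
            return ok


def run_concurrently(workers):
    threads = [threading.Thread(target=w) for w in workers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def race_demo():
    """Two sessions each move the whole balance A -> B at the same moment (constructed data)."""
    ledger = RacyLedger({"A": 100, "B": 0})
    both_checked = threading.Barrier(2)        # both checks complete before either write
    run_concurrently([lambda: ledger.transfer("A", "B", 100, after_check=both_checked.wait)] * 2)
    return ledger.balances                     # A goes negative, total still 100


def hardened_demo():
    """Same two sessions against the hardened ledger: exactly one transfer applies."""
    ledger = SafeLedger({"A": 100, "B": 0})
    results = []

    def session(req):
        results.append(ledger.transfer("A", "B", 100, request_id=req,
                                       after_check=lambda: time.sleep(0.01)))

    run_concurrently([lambda: session("s1"), lambda: session("s2")])
    return ledger.balances, sorted(results)


def retry_demo():
    """A client resends the same request after a dropped reply; it must not apply twice."""
    ledger = SafeLedger({"A": 100, "B": 0})
    first = ledger.transfer("A", "B", 60, request_id="r1")
    retry = ledger.transfer("A", "B", 60, request_id="r1")    # same id: same answer, no second debit
    fresh = ledger.transfer("A", "B", 60, request_id="r2")    # new id: genuinely insufficient now
    return ledger.balances, first, retry, fresh


def stress_demo(rounds=200):
    """Many sessions transferring back and forth concurrently; invariants must hold."""
    ledger = SafeLedger({"A": 100, "B": 100})
    rng = random.Random(1)                                    # seeded so the run is repeatable
    plan = [(rng.choice([("A", "B"), ("B", "A")]), rng.randint(1, 150), i) for i in range(rounds)]
    run_concurrently([lambda p=p: ledger.transfer(p[0][0], p[0][1], p[1], request_id=p[2])
                      for p in plan])
    return min(ledger.balances.values()), sum(ledger.balances.values())
```

`race_demo` uses a barrier so the lost check is reproduced deterministically rather than by luck; `stress_demo` shows the invariant a fix should be tested against (no balance below zero, total conserved) under the same back-and-forth pattern the proof of concept used.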
I failed to take a screenshot of the card with the negative balance, but at the time the points summary showed 120,698 available points, while one card had 5,120,698 points and the other had -5,000,000 points. I knew that Chase had a rule that if you cancelled a card with a positive rewards points balance, those points would vanish, and I suspected the same would happen with a negative points balance.
This instantly worked, and resulted in the screenshot here:
The next test was to see if their system would actually allow the withdrawal of the points as cash. If this were possible, the potential ramifications of this issue would be extremely severe. I attempted to deposit $5,000 USD directly into a checking account. This also worked, and was not flagged.
Here is the screenshot from the Chase banking side of things.
I sent all of these photos to the @ChaseSupport Twitter account in real time, but it took about 8 hours to finally arrange a conference call with the correct people (an SVP named Thomas, and his colleague Dave, who was on the engineering side of things).
The call went well and they proceeded to fix the issue; about a week later they followed up with an email which I legally cannot disclose, as they have been quite hostile toward me.
Years later this resulted in them sending me the following letter:
They were terminating my 5 credit cards with them (some of which I had held for 10+ years) and my checking/savings accounts. I called them, and even reached out to Thomas to confirm that this was not a mistake, but after he put me in contact with someone on the Executive team it was confirmed to be an intentional decision, and NO ONE could provide me with any details.
To make matters worse, one of my family members received the same letter, and this was obviously because of me.
It's very sad that banks still wish to treat the people that help them in this manner, and I hope in the future they realize that this kind of retaliation against researchers damages their reputation, and will make people like me unwilling to report or research issues (especially when we are doing these things for free).
A recent response from a Chase representative claims that the termination of all of my accounts, and of a family member's account, was NOT related to this report.
However, they were still unable to tell me what the reason was, and this still seems very odd. But going back to what I discussed with other representatives over the phone, Chase does claim that they can close your accounts for whatever reason they please, and are not required to explain how or why.
This seems like common practice in the banking sector, and I do not expect to ever know if this was really not the reason, or if they are just deciding to fall back on their ability to close accounts for any reason.