It’s Only ‘Hacking’ When Bad Guys Do It

A virtual lynch mob has swarmed the Facebook page of the Budapest Transit Authority (BKK in Hungarian), leaving more than 45,000 one-star reviews after the BKK arranged for the arrest of a helpful teenage “hacker” who exposed a loophole in its payments system.

The 18-year-old, a high school graduate who wished to remain anonymous, is far from the only tech-savvy person who knows his way around the inner workings of the digital world, and others may not share his sense of moral responsibility. The U.K. government has created a program to intervene with young hackers caught engaging in small-time cybercrimes, like knocking servers offline or defacing websites.

While the hackers may think their mischief is all just fun and games, without intervention, their behavior could lead them down a criminal path. The weekend “rehab camp” hopes to become that intervention, nudging these youths away from a life of hacking and toward a career in cybersecurity.

For the so-called BKK hacker, his activity was nothing so malicious, or even sophisticated. He discovered that he could use the F12 button to access the browser’s developer tools mode and change the price of a monthly transit ticket from 9,500 Hungarian forints ($36.23 USD) to 50 (about $0.19 USD). Lacking client- or server-side validation, the system simply accepted what the teen told it to do and issued him the ticket for $0.19.

The teen turned the evidence over to the organization in order to alert officials of the bug and urge them to fix it. But instead of patching the bug, the BKK sent the police to his house in the middle of the night to arrest him.

“I did not use the ticket,” the teen said in a statement on Facebook, which has been translated from Hungarian. “I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it and not to use it (for example, to sell the tickets at half price for their own benefit).”

However, after four days without a response, the teen found himself being questioned by police, with BKK claiming in its press conference that he had perpetrated a cyberattack against them.

The BKK had recently launched the online payment system in preparation for the FINA world championships in Budapest. It built the system over three months with the help of Deutsche Telekom’s consulting arm, T-Systems Hungary. T-Systems claimed that the teen had not contacted them, and therefore the company had had no choice but to press fraud charges against the unknown offender.

Once the so-called hacker opened the floodgates, others jumped on board to criticize the site’s totally secure CAPTCHAs and an administrative screen whose password was set to “adminadmin.” Oh yeah, and to leave those 45,000 negative Facebook reviews.

Neither the BKK nor T-Systems took any responsibility for the bugs, claiming that there was nothing wrong with the system and that all holes in the software had been patched.

BKK apparently pays about $1 million per year for T-Systems to maintain its IT infrastructure, which was so easily compromised by a data breach. The teen said that anyone with a passing knowledge of modern browsers would have been able to do what he’d done, as the loophole was an “amateur bug.”

Even more ironically, T-Systems has, in the past, sponsored an “ethical hacking” contest and now seems interested in collaborating with the teen, despite having turned him over to law enforcement for committing fraud.

He’d probably have more fun at the U.K.’s cybersecurity rehab camp.

In other news…

Like a hurricane or tsunami, a huge cyberattack is sexy news when it happens, but it doesn’t take long for people to forget about it. Meanwhile, its victims continue to suffer. The full extent of damage often remains unknown until some time later. But by then, the news cameras are gone, and injured parties are left to fend for themselves. That’s what victims of May’s WannaCry and June’s Petya/NotPetya cybercrimes are experiencing as the costs related to these attacks continue to mount.

TNT depots are stacked to the ceilings with parcels, reports The Guardian, because employees are still stuck processing international shipments by hand. Frustrated customers have been unable to learn the status of their undelivered parcels, other than “probably lost in the depot somewhere.” Parent company FedEx warned the New York Stock Exchange that its earnings will be down “materially” because of this.

CPG giant Reckitt Benckiser issued a similar warning, reported The Telegraph. The company’s healthcare business took the biggest blow after the NotPetya virus infected 500 systems, 2,000 servers and 15,000 laptops. The hygiene sector was not affected as severely, since it is more spread out globally, while the healthcare business is centered in Europe — where sites were most affected.

The Boris Clinic, Kiev’s largest medical clinic, tallied around $60,000 in damage, according to the BBC — a relatively small blow when compared with some of the other victims. Many won’t even talk about the extent of damage done by the incident.

CNBC reported that Nuance Communications is looking at third-quarter earnings between two and three cents less per share than initially predicted. Revenue projections have been adjusted from $510 million to between $494 million and $498 million. Some doctors are still unable to use Nuance’s transcription service.

Erie County Medical Center in Buffalo, N.Y., declined to pay a $30,000 ransom (unrelated to WannaCry) in May, but it estimates that expenses tied to the cybercrime incident totaled nearly $10 million, The Buffalo News reports. Plus, the center anticipates pouring six figures into technology upgrades and employee education each month going forward.