
@ lontivero
2025-02-27 14:19:33
I worked for a credit card company, and they always denied all kinds of reports. To illustrate how far they went in that practice, it is enough to mention that after a release, many users started reporting that the home banking website was displaying porn site ads, but the support team just blamed users for having their computers infected.
After a few days, the top management saw the ads and finally called the dev team. There was a JavaScript added by the InfoSec team using the reverse proxy. That script was provided by the local branch of Visa.
A Visa developer created a silly script to do something, but it seems he believed that his code had to be "protected" somehow, so he pasted his code into an online JavaScript "encryptor," which returned a self-decrypting version of his script plus something else.
I told the managers what the problem was, and they called Prisma (Visa), who denied the problem. I created an extremely detailed analysis with a step-by-step guide showing how the script worked, but they simply denied it.
Meanwhile, I suggested removing the script, but InfoSec said no because, as Visa partners, they needed it. I could also have fixed the script myself, but you learn that that somehow backfires on you, so it is not 100% incompetence but the logic of the system.
A day later, InfoSec decided to remove the script, and the problem disappeared. It wasn't until other partners started to complain that Prisma finally accepted that their script was injecting ads.
The funny thing is that nobody detected it earlier because porn ads are blocked in all banking offices.