[HN Gopher] Ask HN: If your SaaS was used to commit a financial ...
___________________________________________________________________
Ask HN: If your SaaS was used to commit a financial crime, what
should you do?
Hypothetically, if your Solo-Founder SaaS was used by a suspicious
customer based in Russia to access a USA financial institution.
Author : cuz-reasons
Score : 65 points
Date : 2022-02-17 16:56 UTC (6 hours ago)
| tempnow987 wrote:
| Ignore all the folks saying don't ask this question. Dealing with
| fraud / abuse issues is not uncommon.
|
| Generally you do a few things.
|
| If something makes you feel uncomfortable, and your agreement
| allows it, close out the customer's account.
|
| Just like facebook / google and friends, I've found it better NOT
| to get into a lot of back and forth or just point to a generic
| policy (i.e., overseas accounts not supported).
|
| If you need to refund money, make sure you only refund to same
| payment method. I.e., a credit card refund should not go out by
| check. I've seen scammers use this with a stolen card, then try
| and get the refund by check. A few months later card owner
| contests bill. If you refund back to same card, then when owner
| protests, the money is already back, nothing to protest.
|
| Consider a hold on funds if you are concerned that they will be
| returned to issuing entity if you are in the middle of a payment
| flow. If so you want to make sure your money handling stuff is
| compliant anyway with KYC and transfer licensing needs.
| danso wrote:
| I wouldn't leave this up
| dogman144 wrote:
| Dump and save _all your logs_ tied to this, and try to go back as
| far as possible as it pertains to this user and related infra
| they used. Start an excel sheet w/ <time>, <action done> and
| <result> on the headers, and log everything you do as part of
| figuring out what to do about this, i.e. (Feb 17, asked what to do
| on hackernews, took advice and called a lawyer). Put it in a
| gdrive. Essentially, establish an audit trail of you doing the
| right thing once you realized what was going on.
|
| Get a lawyer involved, and then ring up the local cyber crimes
| unit and be prepared to dump all this evidence. There's a lot of
| interplay b/t security teams and law enforcement over this stuff
| so it's not unusual. They'll be happy you reported. Anyone can
| use a SaaS platform, worst case you might get a rude awakening on
| the need to do KYC/AML or some sort of user onboarding
| regulations that you weren't aware you had to follow. This is all
| about due diligence and if you did it once you knew you had to.
|
| Using intermediary infrastructure to dodge OFAC sanctions or w/e
| like this isn't uncommon. The uncommon part is being able to
| get knowledge on the intermediary infra (your saas), so you're
| doing a solid by reporting it and providing logs.
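One way to keep the audit trail described in the comment above so that later edits to it are detectable. This is an added example, not part of the original thread; the column names follow the comment's `<time>`, `<action done>`, `<result>` headers, and the function names, the hash-chain columns and the sample log line are assumptions made for illustration.

```python
import csv, hashlib, io
from datetime import datetime, timezone

HEADERS = ["time", "action done", "result", "prev_hash", "entry_hash"]
GENESIS = "0" * 64

def _digest(time, action, result, prev_hash):
    # Length-prefix each field so field boundaries cannot be shifted undetected.
    h = hashlib.sha256()
    for field in (time, action, result, prev_hash):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def append_entry(rows, action, result, when=None):
    """Append one audit-trail row, chained to the previous row's hash."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev_hash = rows[-1]["entry_hash"] if rows else GENESIS
    row = {"time": when, "action done": action, "result": result,
           "prev_hash": prev_hash}
    row["entry_hash"] = _digest(when, action, result, prev_hash)
    rows.append(row)
    return row

def record_evidence(rows, name, content, when=None):
    """Log the SHA-256 of a preserved log export so later copies can be checked."""
    sha = hashlib.sha256(content).hexdigest()
    return append_entry(rows, f"preserved {name}", f"sha256={sha}", when)

def verify(rows):
    """Return the index of the first row that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, r in enumerate(rows):
        expected = _digest(r["time"], r["action done"], r["result"], prev)
        if r["prev_hash"] != prev or r["entry_hash"] != expected:
            return i
        prev = r["entry_hash"]
    return -1

def to_csv(rows):
    buf = io.StringIO()  # CSV opens directly in a spreadsheet
    w = csv.DictWriter(buf, fieldnames=HEADERS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample log line, not taken from the thread.
SAMPLE_LOG = b"2022-02-10T03:14:07Z user=cust_0000 action=login ip=203.0.113.7\n"

def demo():
    rows = []
    record_evidence(rows, "access.log export", SAMPLE_LOG, "2022-02-17T17:05:00+00:00")
    append_entry(rows, "called a lawyer", "meeting scheduled", "2022-02-17T18:30:00+00:00")
    return rows
```

A chain like this only shows tampering to someone who holds an independent copy of the latest `entry_hash`, so that value should be stored somewhere outside the spreadsheet, for example with counsel.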
| low_common wrote:
| grue_some wrote:
| This is the main lawyer that handled PIA's (Private Internet
| Access) legal challenges: https://www.linkedin.com/in/jarsenault
| Being a VPN, they would get contacted about a lot of stuff like
| this. He is a decent guy from my personal experience and maybe he
| would be a good contact if you don't already have a lawyer
| handling this.
| [deleted]
| 8bitbuddhist wrote:
| I wouldn't leave this up. Maybe create a retrospective post once
| the case is over if you want to help others, but don't share
| details (even minute details) publicly until you've talked to a
| lawyer first.
| gnicholas wrote:
| If you email hn@ycombinator.com, they may be willing to take
| this down for you, assuming you can't currently delete it on
| your own. I understand they do this very occasionally, when
| there is good reason to do so. Good luck!
| ASalazarMX wrote:
| Interesting dichotomy between the people upvoting and the
| people recommending deletion. Surprisingly, no one has
| flagged this.
| throwawaymanbot wrote:
| igammarays wrote:
| How can a solo founder SaaS "be used" to access financial
| institutions? Do you mean simply creating a bank connection
| through an API like Plaid? People in Russia may have bank
| accounts in the US, you know?
| lesbianbezos wrote:
| What are you trying to do?
| [deleted]
| conductr wrote:
| > Mid-term, I am going to add detailed logging of all customer
| activity, and a workflow to analyze these logs.
|
| I'd recommend not changing anything about how your app functions
| until you follow the common advice here. Ask your attorney when
| you can make code changes. You may be destroying evidence even if
| it's just "the path they took"
| dc-programmer wrote:
| 1. Delete this post
|
| 2. Lawyer up
| steve_g wrote:
| Contact your favorite lawyer first.
| ackbar03 wrote:
| Is it inappropriate to say that I'm jealous your SaaS is good
| enough to be used by Russians for financial crime? I mean you're
| gonna take this post down anyways right?
| mrintellectual wrote:
| Hypothetically, you should report what happened and hire an
| attorney ASAP.
| jffry wrote:
| But not in that order. Hire the attorney, and ask them about
| whether and how and where to report.
|
| An attorney will know how to navigate this in a way that
| protects you.
| milesdyson_phd wrote:
| Seek counsel prior to anything else
| prichino wrote:
| Why do you care? Don't assume and ask a lawyer. Ban the user for
| not following TOS and should be good
| elliekelly wrote:
| This is terrible advice. When there is a US financial
| institution and a country currently subject to sanctions
| involved there could be OFAC/AML/BSA implications. In some
| instances there is an affirmative obligation to report
| suspicious activity. And depending on what (if any) PII was
| accessed there could also be an affirmative obligation to
| notify impacted customers or state AGs. Hiring a lawyer (where
| OP can give a full and candid disclosure of _all_ relevant facts)
| is the only reasonable advice OP can get. Maybe it's
| absolutely nothing and OP can ban the user for TOS violations
| and be done with it. But maybe it's not. No one here has enough
| information to make that assessment with any degree of
| certainty whatsoever.
| Taylor_OD wrote:
| Yeah take this post down and contact a lawyer who specializes in
| financial crimes. You shouldn't be taking legal advice from the
| internet.
| stared wrote:
| Technically speaking, you gave them a piece of advice.
|
| But in all seriousness - yes. The only viable piece of advice
| is which lawyers should one consult.
| cellis wrote:
| > You shouldn't be taking legal advice from the internet.
|
| Why not? I always find this "don't take advice from non-
| lawyers" to be annoying when I've listened to a lot of really
| idiotic theories by lawyers. And who knows, you might also find
| some lawyers right here on HN.
| torstenvl wrote:
| There are indeed plenty of us here on HN. But you still
| shouldn't take legal advice from the Internet.
|
| There are only two possible outcomes to such a thing: (a) you
| are not entirely forthcoming about all potentially relevant
| details in that public forum and therefore the advice cannot
| be relied on in your particular situation; or (b) you are
| entirely forthcoming about all potentially relevant details
| in that public forum and therefore you've waived at least
| some of the protections of confidentiality and privilege.
| ksdale wrote:
| Lawyers say a lot of stupid things to be sure, but generally
| not when it pertains to their practice area. Some things they
| say that _sound_ stupid are actually how the law works, and
| in my experience as an _actual_ lawyer, people who are not
| lawyers vastly overestimate how much they know about the law,
| and are far more confident when giving opinions than a lawyer
| would be.
| runnerup wrote:
| > generally not when it pertains to their practice area.
|
| https://a16z.com/2014/02/06/why-i-did-not-go-to-jail/
| lazide wrote:
| Ah, I wish that was the case.
|
| I've had multiple high priced lawyers with years of
| experience in the area give me completely, factually wrong
| information about THEIR PRIMARY PRACTICE AREA over the
| years. It still blows my mind.
|
| In one case, I was stupid enough to believe them even
| though I knew it didn't quite sound right and it cost me an
| immense amount of money and a huge amount of stress in the
| resulting litigation.
|
| And I know they were completely factually wrong because I
| had double checked with them what they said, they confirmed
| it (reiterated it actually) - and then it was very much not
| correct, as confirmed by the following court case which I
| had to settle, because I had been operating under a
| factually wrong view of the law. Not even 'eh, could go
| either way', but 90% of the lawyers I interviewed for the
| follow-up litigation literally said 'Well, that's dumb. Why
| did you do that? Of course you're going to get sued. Did
| you write it down you were doing that? Well, you're in deep
| trouble. Sorry, my calendar is booked solid, can't help
| you.'
|
| More recently, while interviewing civil litigation
| attorneys, I had one who was referred to me with excellent
| references. Easily 20 years of practice too, I forget the
| exact number I pulled from the Bar.
|
| I had done quite a bit of research on the area.
| Specifically I had tracked down and read the complete
| civil procedure that defined the applicable statute of
| limitations, and did some cursory research on the case law
| around it. I also pulled the applicable penal codes, case
| law, and civil damage claims - in this case Conversion,
| Grand Theft, Subornation of Perjury, Perjury, and a few
| others - and had figured out the likely elements of the
| crimes that were applicable, which I could prove and how
| easily, which ones were iffy, etc.
|
| When I laid out the evidence and the case, he tried to
| convince me that I was outside the statute of limitations
| (even though it had only been 6 months since the event had
| first occurred, and was still ongoing), and that the court
| would throw it out and I'd be liable under anti-SLAPP -
| even though I could prove the party involved had committed
| perjury and filed a false police report, and there was no
| plausible claim it was a matter of public interest.
|
| The case law is quite clear that perjury is not a protected
| type of speech, and matters of public interest are also
| clearly defined enough that this wouldn't apply at all. So
| the anti-SLAPP statute couldn't apply.
|
| I would have to prove perjury, but I literally had solid,
| fully contextual video evidence that showed that what was
| claimed in the other party's court filing (initial AND
| follow-up) was not and could not have happened, AND it
| showed that the opposite had happened - they were the party
| at fault, and they had to have known it, or were clearly
| mentally incompetent.
|
| This video was from cameras the other party had requested
| be installed, AND knew recorded these things/area, AND that
| they knew I had access to and had their permission to
| access/download from.
|
| When I asked him why he thought it was outside the statute
| of limitations since the applicable statute of limitations
| for civil claims in that state cut off at 1, 2, or 3 years
| for civil claims (and this was likely a 3 year case due to
| violations of the penal code), he literally sputtered out
| 'you knew that?' before making a rapid 'I wish you luck
| sir', and hanging up on me.
|
| Bullshitters abound, and Lawyers are better than most at
| Bullshitting as it's a large part of the job. Same as sales
| folks. Most lawyers' customers are in dire straits,
| overwhelmed and overloaded, and in trouble and changed life
| circumstances that they don't understand for reasons they
| have difficulty processing/understanding, let alone
| breaking down or describing in a coherent way.
|
| If they run across someone who looks good, says what they
| want to hear, and has the trappings (books, the office, the
| tie, whatever), 99% of these customers can't or won't be
| able to do critical thinking on what is being said, let
| alone cross reference it with something concrete or do
| their own research.
|
| They also don't have the time or are in life circumstances
| in most cases to interview enough attorneys and learn the
| relevant sections of law to do basic bullshit checks
| either.
|
| There is a reason the Bar and licensing/testing exists -
| without it, it would be an even bigger disaster and shark
| chum feed. It's also been my experience that about 80% (or
| more) of licensed practicing attorneys are happy to
| bullshit you with happy go lucky stories about how they'll
| get x thing done, or you totally have a case, or you can
| totally do this thing and it'll be fine, when, while not
| impossible, that's just not really a good idea for you. And
| will happily turn the crank on billable hours producing
| things that look really cool and impressive if you don't
| know what's going on, but are often riddled with factual
| errors, missing useful procedural elements, or not
| providing evidence in a way that is going to make the case
| clear and easy to judge. At least that gets them paid in
| the resulting disaster or while it churns on with no end in
| sight anyway.
|
| You also can end up with 'this is impossible', or 'that is
| not how it works', when actually, it could be done, it's
| just outside of their area of expertise (and they don't
| want to admit they don't know).
|
| To the original point, it is rare to have someone give
| completely, clearly factually incorrect information about
| their specialty, but it does happen. If you interview 10
| lawyers, you'll find at least one, probably two in my
| experience who will do so.
|
| If I had written records of the wrong advice in my
| situation (instead of phone calls), I would have filed a
| complaint with the Bar, but lawyers are unfortunately ALSO
| pretty good at covering their asses, and the Bar is pretty
| good at looking like it's going after folks without really
| changing anything. So not worth trying frankly.
|
| Caveat emptor.
| gamblor956 wrote:
| _Why not?_
|
| For the same reason you wouldn't take technical advice about
| how to structure a scalable backend from the guy who mows
| your lawn.
|
| _I've listened to a lot of really idiotic theories by
| lawyers_
|
| Lawyers can, and will, say a lot of stupid things, because
| lawyers are very opinionated people and like to argue. It's
| why many of us became lawyers. But when we have _a client_
| the things we say and do with respect to that client's case
| are made on a professional basis (i.e., with at least some
| support from the facts, law, cases, etc.).
| dragonwriter wrote:
| > > You shouldn't be taking legal advice from the internet.
|
| > Why not?
|
| Lack of expertise. Likelihood of conflict of interest. Lack
| of accountability. Lack of (because you almost certainly
| won't be willing to disclose enough, and if you _did_ that
| has its own problems for your legal situation in many cases)
| adequate information about the relevant facts.
|
| (That's not to say you can't get legal _information_ on which
| you can follow up from the internet, but there is a _big_
| difference between that and legal _advice_.)
| csee wrote:
| Aside from the possibility of self incrimination, the whole
| IANAL thing is mostly just a meme. People are more than happy
| to feign expertise on epidemiology or any number of topics
| but legal advice should only be trusted if it comes from a
| Lawyer.
| cmeacham98 wrote:
| > Why not?
|
| Liability (there's other good reasons the other commenters
| are pointing out too, but this is the most important one).
|
| If your lawyer tells you something completely wrong that gets
| your entire business fucked by the US government then they
| (and ultimately, their insurance) are on the line for that.
|
| If you follow a dumb comment from HN and destroy your
| business that's all on you.
| dragonwriter wrote:
| > If your lawyer tells you something completely wrong that
| gets your entire business fucked by the US government then
| they (and ultimately, their insurance) are on the line for
| that.
|
| The attorney you consult about the potential malpractice
| claim against the first lawyer may tell you that that's not
| an accurate description of the professional standard of
| care that is applicable, but, still, a lawyer you hire is
| more accountable than hnwhiz679.
| lazide wrote:
| Also, while true there is the bar, and licensing, and
| insurance - be aware, you will be attempting to make a
| claim against someone who literally - as their entire
| profession - is a professional ass coverer, deflector of
| blame, and finger pointer.
|
| Is it possible to win? Yes. May god have mercy on your
| soul.
| hacker_newz wrote:
| If you're genuinely asking why you shouldn't publicly
| incriminate yourself on the internet that might explain why
| you have interacted with so many subpar lawyers.
| 0xJRS wrote:
| A husband and wife can't be tried for the same crime!
| elil17 wrote:
| A lawyer has attorney-client privilege. Writing a HN post, on
| the other hand, produces public evidence which could be used
| against you in court.
| codingdave wrote:
| Because even those of us with some knowledge do not know all
| the details of all the laws. We don't know what jurisdiction
| you live in, what jurisdiction the other folks live in, which
| one might actually be correct for your suit. Because of that,
| we cannot know the details of the specific laws for specific
| situations. After all, the very first thing they taught us in
| law school was that the answer to every question is "It
| depends."
| jamal-kumar wrote:
| if you needed a recommendation for legal representation:
|
| https://www.torekeland.com/
| themodelplumber wrote:
| Keep your notes on it handy. Contact your legal rep or team.
|
| When something similar happened to me I was eventually contacted
| by the California computer crimes task force, IIRC. Very simple
| phone call, asking for notes I kept on the situation. Polite.
|
| Then I got looped into the prosecution's long and kind of
| annoying email chain to everybody involved before there was an
| eventual going-nowhere of it all. Surprising but that's what
| happened. So you never know but some basic diligence is typically
| a good idea. This is not legal advice.
| eddieh wrote:
| Call the FBI!
|
| You shouldn't be talking about this publicly either. You could be
| compromising the future investigation.
| stets wrote:
| delet this op
| cjf4 wrote:
| Hire a lawyer.
___________________________________________________________________
(page generated 2022-02-17 23:02 UTC)