Exploit-wielding boffins go on free online shopping binge

Computer scientists have documented serious flaws in software running some of the world's biggest e-commerce sites and shown how they can be exploited to receive DVDs, digital journals, and other products for free or at sharply reduced prices not authorized by the sellers. The findings, laid out in a paper to be presented at …

COMMENTS

This topic is closed for new posts.
  1. Anomalous Cowlard

    Uh-oh

    The very idea of trying to set something like this straight with Paypal gives me a headache.

    1. Anomalous Cowturd
      WTF?

      @ Anomalous Cowlard

      Me too...

      As long as I get my 17 whatever thingy for 1.7 I probably won't "notice" the error though.

      And I saw what you did with that handle! ;o)

  2. Anonymous Coward

    There's money to be made here

    I'm sure it will all be fixed in a jiffy. Er, I mean, I'm sure we'll be able to purchase some sort of insurance against this kind of fraud.

  3. ShaggyDoggy

    You don't say

    Part of the internet is a bit iffy.

    Whatever will they find next.

  4. An nonymous Cowerd

    err....this is news?

    being mildly paranoid about interweb safety I run Apples/Linuxes without flash, with noscript and betterprivacy and with OpenDNS blocking pages and pages of domains and stuff in the cloud before it gets near me, (like the entire .cn domain)

    recently, I attempted to buy a week's holiday in Spain, nice resort, 600 squid, but I couldn't complete the booking. I got 99% of the way through - but something didn't let it go through. I started tinkering and permitted scripts, allowed this, allowed that, but it wasn't until I let loose the dogs of GoogleAnalytics that the payment page worked - problem was the price changed to 300 squid!

    I said YES and paid. (imagining that if it was a flaw in the backend the famous company would phone me up for a chat and say NO) Got an email a day later thanking me, and the enclosed receipt showed that the holiday was 600 squid plus 300 squid special discount, so yes, either it wasn't an error after all, or 'special discount', mentioned nowhere else, is just a way of reconciling a puzzling GIGO transaction. I assume the first option. Shields now back up, to be taken down step-by-step next year?

    it sometimes pays to be paranoid

    1. Tom Wood

      Cosy security blanket?

      You do know what DNS does, right? And how OpenDNS's "blocking" works?

      Any malicious thingummy worth its salt isn't going to rely on DNS to enable it to call home.

      1. An nonymous Cowerd

        oDNS is good enough to block the kids!

        and allow some homework to get done; the restrictions on the game sites go away around 3 minutes after the last French verbs are conjugated! The serendipitous 50% discount was just a result of 'thinking of the kids' - at least until they can type 50.17.222.156 and get to minecraft.net!

        but you're right about good(bad?) malware always being able to phone home.

        At work we ordered a reasonably expensive reprogrammable widget from a Canadian company through a Paris-based dealer. When the actual HP workstation arrived - with sticky labels partially removed but indicating the origin of the HP workstation at a military software company based in the suburbs of Tel Aviv - we simply stuck the PC in a cupboard and worked on an alternative open source system instead.

        I'm sure we'd never have found the presumed malware content. Hope it likes the cupboard. Air gaps are better than OpenDNS, but I think oDNS will work with kids up to around age 15?

  5. Harry

    In practice, this would probably be harder to get away with.

    It might take some time, but a good accountant would probably spot that his company has shipped x thousand pounds worth of stuff through a particular web site but the site has only paid y thousand for the goods.

    Every transaction presumably leaves a record -- so knowing there's a mismatch, it ought to be easy to reconcile the records with the actual shipments and voila -- why has Joe Bloggs of 99 Nonesuch Street been sent 27 DVDs on 13 different dates and we've never had payment for any of them ?

    Unless 99 Nonesuch Street turns out to be the local pub, it's pretty easy to know where to begin making enquiries. And even if it is the pub, chances are that the perpetrator will try it once too many times.

    The reasonable probability of being caught would surely act as a deterrent to actually doing this, except possibly for downloads where the delivery address is an IPv4 address -- though even that is probably traceable.

  6. Estariel

    @Harry

    I think you might find that accounting reconciliation of the kind you envisage is another one of the things that these vendors just don't do, because it's bureaucratic overhead, costs money, etc.

    Like producing a secure system in the first place.

  7. Anonymous Coward

    @Harry

    Very funny, Harry :)

    I wrote a complete system for a now large UK online business. Of course there was no written spec, and no-one had really thought about the accounting. So, when it started taking off (almost immediately), my oppo and I came up with a three-book accounting system for them, each book double-entry. The principle was simple - make sure that what was reported back from the Payment Provider matched the notional charges, and that what actually got paid from the Payment Provider to the bank accounts matched the reported payment. All of the necessary information is readily available in a fashion that lends itself easily to automation.

    Did it get fully implemented? Nope. The payments and receipts entries are written at the same time. And they wonder why they (eventually) see large discrepancies.
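The three-way reconciliation the comment above describes, and the "27 DVDs to 99 Nonesuch Street, never paid" check Harry raises earlier in the thread, as an added worked example that is not code from the article, the paper, or any commenter. It compares the merchant's order book against the payment provider's callbacks and then against the bank statement, and it flags exactly the patterns a cashier-as-a-service attack leaves behind: an order the provider reports at a different amount from what the merchant charged, a shipment with no payment report at all, and a payout batch that settles for less than the provider claimed. The order IDs, addresses, amounts and payout batch are constructed sample data; the field names are an assumption about what a merchant's own records would look like, not any real provider's API.

```python
from collections import defaultdict
from decimal import Decimal

# Book 1: the merchant's own order book (constructed sample data, not from the article).
ORDERS = {
    "A100": {"address": "99 Nonesuch Street", "amount": Decimal("17.00")},
    "A101": {"address": "99 Nonesuch Street", "amount": Decimal("17.00")},
    "A102": {"address": "12 High Road", "amount": Decimal("600.00")},
    "A103": {"address": "99 Nonesuch Street", "amount": Decimal("17.00")},
}
# Warehouse log: (order_id, ship date). Constructed.
SHIPMENTS = [("A100", "2011-03-01"), ("A101", "2011-03-04"),
             ("A102", "2011-03-05"), ("A103", "2011-03-09")]
# Book 2: what the payment provider reported back (its callback/notification log). Constructed.
# A100 was "paid" at a tenth of its price; A101 and A103 have no payment report at all.
PP_REPORTS = [
    {"order_id": "A100", "amount": Decimal("1.70"), "payout": "P1"},
    {"order_id": "A102", "amount": Decimal("600.00"), "payout": "P1"},
]
# Book 3: what actually arrived from the provider on the bank statement, per payout batch. Constructed.
BANK_PAYOUTS = {"P1": Decimal("301.70")}


def reconcile(orders, shipments, pp_reports, bank_payouts):
    """Three-way check. Returns a list of (code, key, detail) discrepancies."""
    findings = []
    reported = {}
    for r in pp_reports:
        if r["order_id"] in reported:
            findings.append(("DUPLICATE_REPORT", r["order_id"], "provider reported this order twice"))
            continue
        reported[r["order_id"]] = r

    # Book 1 vs book 2: every reported payment must belong to a real order and match the
    # notional charge. A cheaper order's payment token replayed against a dearer one shows
    # up here as an amount mismatch.
    for oid, r in reported.items():
        if oid not in orders:
            findings.append(("UNKNOWN_ORDER", oid, "provider reported an order we never created"))
        elif r["amount"] != orders[oid]["amount"]:
            findings.append(("AMOUNT_MISMATCH", oid,
                             f"charged {orders[oid]['amount']}, provider reported {r['amount']}"))

    # Warehouse vs book 2: nothing should leave without a matching payment report.
    for oid, date in shipments:
        if oid not in reported:
            findings.append(("SHIPPED_UNPAID", oid, f"shipped {date} with no payment report"))

    # Book 2 vs book 3: per payout batch, the sum the provider reported must equal what
    # the bank actually received.
    expected = defaultdict(Decimal)
    for r in reported.values():
        expected[r["payout"]] += r["amount"]
    for payout, total in expected.items():
        got = bank_payouts.get(payout)
        if got is None:
            findings.append(("PAYOUT_MISSING", payout, f"provider reported {total}, nothing on bank statement"))
        elif got != total:
            findings.append(("PAYOUT_SHORT", payout, f"provider reported {total}, bank received {got}"))
    return findings


def unpaid_by_address(orders, shipments, pp_reports):
    """Harry's question: which delivery address keeps receiving goods it has not paid for?
    Returns {address: {"shipments": n, "shortfall": Decimal}} for addresses with a shortfall."""
    paid = {r["order_id"]: r["amount"] for r in pp_reports}
    totals = defaultdict(lambda: {"shipments": 0, "shortfall": Decimal("0")})
    for oid, _date in shipments:
        short = orders[oid]["amount"] - paid.get(oid, Decimal("0"))
        if short > 0:
            addr = orders[oid]["address"]
            totals[addr]["shipments"] += 1
            totals[addr]["shortfall"] += short
    return dict(totals)


if __name__ == "__main__":
    for code, key, detail in reconcile(ORDERS, SHIPMENTS, PP_REPORTS, BANK_PAYOUTS):
        print(f"{code:16} {key:6} {detail}")
    for addr, t in unpaid_by_address(ORDERS, SHIPMENTS, PP_REPORTS).items():
        print(f"{addr}: {t['shipments']} shipment(s) short by {t['shortfall']}")
```

The important design point is that each book is taken from an independent source: the order book from the merchant's database, the payment reports from the provider's signed callbacks (or its settlement export), and the payouts from the bank statement. If the amount mismatch check were instead done against the price the browser posted back, the same manipulation that produced the cheap order would also produce the "matching" payment record, and the reconciliation would pass.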
