Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It

An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

Where are the security trolls?

[ScentCone]

I clicked to read more so I could see how many people would be saying that it's not really theft if Lowes didn't prevent it from happening. You know, like if a shoplifter walks out of their store with a $20 impact socket in their pocket, and Lowes didn't notice him doing that, then it's totally Lowes' fault that he stole that.

Re:Where are the security trolls?

[chuckugly]

More like if Lowes self checkout station set the price on some goods at $0 if they were scanned upside-down, and people just checked out and left. And then got arrested.

Re:Where are the security trolls?

[sjames]

Don't be silly. This wasn't just Lowe's not noticing some stealthy action, this was Lowe's willingly packing up and shopping the goods to the couple after receiving no money.

Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

Re:Where are the security trolls?

[JaredOfEuropa]

This is more like those people hearing about that trick (or maybe finding out themselves), then making sure they scanned every item upside down. It's similar to incorrectly priced items, and over here (NL) the law is sort of clear on that. If an item is priced too low by accident (or rung up incorrectly at the register), the customer gets to keep the purchase at the lower price... unless there is a "clearly apparent mistake". A €1000 TV priced at €800 would not be a clear mistake; a €200 discount would be a really good one, but plausible. That same TV priced at €100 is clearly a mistake though. Same as someone who manages to order over $18.000 worth of goods on a $20 gift gard because of a flaw in the system. Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here. How does that work in the States?

Re:Where are the security trolls?

[mikelieman]

Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

Lowes is just full of fail on this one.

Re:Where are the security trolls?

It's not theft when you voluntary give some item to another person.

Re:Where are the security trolls?

[ShanghaiBill]

Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

But would they be charged with a crime?

Re: Where are the security trolls?

/. already reported Lowes outsourced IT to India

Re:Where are the security trolls?

[SCVonSteroids]

Nevermind that, would the stuff even blend?

Re:Where are the security trolls?

[rmdingler]

Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

Well, unless they were under the impression the gift-card-that-kept-on-giving was a magical talisman, I'd have to lean towards some malfeasance. For certain, their story won't be retold on an episode of Criminal Masterminds... they apparently had the purchases sent to their home and were reselling them on the Facebook

Re:Where are the security trolls?

If you picked up a couple of goods like that in a basket, I'd call the arrest unreasonable.

If you went back and picked up an entire trailerload of those goods and only those goods, and walked out without paying a cent, I'd say at that point you should have realized something was wrong, and now we've got clear evidence of malicious intent.

Re:Where are the security trolls?

[JaredOfEuropa]

I've no idea, honestly. A lot depends on the exploit they used, how well they cooperate once caught... In this case the fact that they went all out and put a bunch of their ill gotten items up for sale doesn't speak well of their intent. My guess is yes, they would be charged. But if you get a €20 card and use it to order €100 worth of stuff and kept all of it for yourself, I doubt there'd be any charges.

Re:Where are the security trolls?

I guess there is "validate name/address", "validate credit card/store card/gift card ID/amount", "validate product ID and amount". They purchase online using a gift card , then cancel after the items have been sent out of the warehouse, thus getting a refund of the money deducted.

Re:Where are the security trolls?

[Dragonslicer]

Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

How would a warehouse worker or truck driver know that the customer wasn't correctly charged by the website for their purchase?

Re:Where are the security trolls?

[ClickOnThis]

Come on everybody. This is Slashdot. We need a car analogy.

Re:Where are the security trolls?

[ClickOnThis]

Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

But would they be charged with a crime?

If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

Re:Where are the security trolls?

[Ichijo]

So that customer found multiple vulnerabilities in Lowe's order fulfillment process. I think that's worth a bug bounty of well over $13k. Lowe's should say thank you and call it even.

Re:Where are the security trolls?

[jellomizer]

Which state? The United States has 50 states with often different laws. They may be some federal over reaching laws but the details are managed by each state.

Normally a store can refuse to sell until they pay.

Often they will let mistakes like this slide as to keep the customer happy and there isn't the big of a loss. But they can refuse to sell if there is a mistake in the price... but if they don't fix the problem quickly then they may be going info false advertising.

For Lowes, I expect if these people only got under a thousand dollars with of goods they would let it slip. But they took a lot of stuff.

Re:Where are the security trolls?

[AmiMoJo]

In the UK they might, if it could be shown that they realised what was happening and decided to abuse it. All EU countries are similar I think.

It's similar if someone accidentally transfers money to your bank account. If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money. You could not have reasonably have thought it was yours. If it's just 100 Euros and you normally get thousands a month from your job anyway it could be an honest mistake to spend it and you wouldn't be arrested.

Re:Where are the security trolls?

[ClickOnThis]

Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

Lowes is just full of fail on this one.

Agreed. But Lowes did not commit a crime. The NJ couple allegedly did. They found a flaw in their online commerce system and exploited it repeatedly.

In large corporations, one hand often does not know what the other is doing. Once a shipment is authorized, shipping ships it. Eventually somebody might notice that the same address keeps receiving items for $0.00, and notify someone.

Yes, Lowes screwed up. But nobody expects a company like Lowes to give away stuff for free. They might be expected to write off a few errors due to bugs in their software. But IMHO, they do have a legal case against someone who exploits such a bug repeatedly.

Re:Where are the security trolls?

This involves a ton of contract law and consumer protections laws, which span huge volumes of the law. Trying to condense this to a simple yes/no is going to miss a ton of nuance.

But, ultimately, if the seller can demonstrate that the buyer had intent to defraud, they will have no problem prosecuting the buyer.

In the case of Lowe's here, intent to defraud is pretty clear, since a) the software glitch was used repeatedly and consistently - showing that it wasn't an accident nor a mistake - and b) no honest person expects to "buy" $200k worth of stuff for $0. I don't know if this is enough - IANAL - but this certainly doesn't paint the buyer in a pretty light.

But again, this is going to have to be settled by a court.

Re:Where are the security trolls?

[quonset]

how many people would be saying that it's not really theft if Lowes didn't prevent it from happening.

And you were correct in your assumption. Looking below, one can find many people blaming Lowe's. Not the criminals who deliberately exploited this flaw, not the criminals who were trying to resell their ill-gotten goods, not the criminals with piles of merchandise they obviously knew were stolen. Nope, it's all on Lowe's.

One can imagine a scenario where people who go to Lowe's, pick up an item and walk out of the store without paying for it would be considered completely absolved of their crime because Lowe's didn't prevent it from happening.

It's amazing the excuses used to justify criminal behavior.

Re:Where are the security trolls?

[Registered+Coward+v2]

Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

But would they be charged with a crime?

If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

Exactly. I f they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, find over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

Re:Where are the security trolls?

[blindseer]

Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

In the Army there's a lot of delegation and division of duties. I've seen this used and abused. A fellow recruit (happened to be prior service Marine so he knew the system better than I) and I needed to get some luggage before getting our orders but we knew that if we simply asked for permission to go to the PX it would likely be denied. He just said to follow him and I did, I watched him go from one sergeant to the next with BS and half truths and in 20 minutes we were walking to the PX. He just did a Jedi mind trick on three sergeants to get us what we wanted. That's a pretty mild abuse of the system and if someone ever asked too many questions it would have been a "don't do that again" warning.

Another recruit would like to pull this trick by claiming "Sergeant Major says..." which got annoying real quick. Going to ask the Sergeant Major every time would have taken more time than just doing what he asked and I don't know if he got nailed on it. I got my luggage and my orders and I was gone before that happened.

Re: Where are the security trolls?

[kenh]

But would they be charged with a crime?

This couple (likely) did something to activate the 'mistake' in the website, once they intentionally repeated their activation they flipped from customers to thieves, so they should be charged with a crime.

I suspect they discovered some 'test' credit card info that Lowe's uses to test the software that by-passes credit authorizations, likely revealed to them by a friend or relative that works at Lowe's corporate offices.

If what I suspect is what happened, that would be an example of a chargeable crime.

If they used their own valid CC info and the website never charged the order, that would not necessarily be a crime, assuming they agreed to have the valid charges run again.

Re:Where are the security trolls?

[intermelt]

Most references to US law imply that they would need to return the merchandise or pay for it if it is an obvious error in pricing. However this all probably depends on how they received the discount on the merchandise. If it was a coupon code or certain methods of clicking, then they are probably ok. However of they say used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

Re:Where are the security trolls?

[blindseer]

Okay, car analogy...

Imagine your car goes to the Lowes website to buy tires. Your car finds out a way to get the tires shipped to the house without paying for them. Your car is now selling the tires at half price on eBay, and for some reason you don't mind a pile of tires in your garage. Now, should your car be sent to prison for this, or should your car have the remaining tires returned and then told to... retire... from selling things on eBay?

No, don't get up, I can find the exit myself.

Re:Where are the security trolls?

[blindseer]

I'd agree with you on two conditions. First, if the stuff they ordered were stuff that they intended to keep and use themselves. Second, if they reported the flaw themselves.

Among the items were 3 vacuum cleaners, multiple pairs of boots, and... $25000 in underwear? Lowes sells underwear? If they hadn't bought enough furniture to furnish their house many times over then they might have an excuse for this being a "mistake". It still could have ended in criminal charges but they'd have a better bargaining position for getting the charges dropped or a plea deal for "$50 and time served".

They tried to get away with a quarter million dollars. The $13k was just what wasn't recovered when they were caught.

Just "calling it even" encourages further abuse like this. Jailing people that found such flaws honestly, and reported it, encourages abuses like this too. If people expect to get cuffed for reporting flaws then people will just keep quiet and the abuse will continue. A line must be drawn somewhere and that is going to be difficult to do. The suspects here didn't just step over the line, they leaped over with both feet and started running. They deserve jail.

Re:Where are the security trolls?

[thegarbz]

But would they be charged with a crime?

That really comes down to intent. If a mistake happens and you walk away with a lot of change then no crime was committed. You're not required to correct other people's mistakes.

If you knew that one person made the same mistake over and over again and you went to that specific person to knowingly exploit his mistake then you're defrauding them. That is a crime.

I bought 4 HDDs for $23 ea from an online retailer in Australia (list price $230 at the time). I did it once. The law is on my side. If I went back and then stocked them out ordering over and over again, and then went to on-sell the HDDs to someone else at a much higher price that would be committing a crime.

Re:Where are the security trolls?

[thegarbz]

There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

Nope. You're assuming that every point in the line checks forward and checks back. That's just not the case. The 3 computer functions and the dozen physical acts work in isolation without knowing what happened prior or post. The reason for this plentiful. There are legitimate reasons for some things to be shipped for free. There are legitimate reasons for some things to cost nothing. There's legitimate reasons for multiple bits of paperwork that control different parts of the process being generated (such as packing slips not agreeing with receipts). The next chain in the link doesn't check over if the previous chain did the work.

Not everything is interconnected and self checking.

Re:Where are the security trolls?

[xlsior]

Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

Except they've already re-sold part of it for a fraction of the value, so it'll be impossible for them to just hand everything back.

Re:Where are the security trolls?

[iCEBaLM]

That's Lowe's problem, or at least it should be. If a company is like a person then there's no excuse. If you ask a person to ship you free things, and they do, then I fail to see how this is a crime.

Re:Where are the security trolls?

[sjames]

That's why I am suggesting they return the goods and get a non-custodial sentence rather than "not guilty".

Re:Where are the security trolls?

[angel'o'sphere]

If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money.
Actually not.
The guy who made the wrong transfer can cancel it.

Such mistakes happened and the receivers did not get charged. Especially if it is an error of the bank, as a twisted account number.

Re:Where are the security trolls?

[Aereus]

I assume they repeated the exploit an inordinate number of times to attempt purchasing $250k worth of products. Therefore the intent to defraud Lowes was clear.

Re:Where are the security trolls?

[ClickOnThis]

On top of that, theres intent to sell.

If you get a $250 discount off a $1000 TV by accident and then keep that TV for yourself, the law is pretty much going to ignore you.

But if you get a $250 discount off a $1000 TV by accident but then use said accident to buy 500 TVs and proceed to re-sell all 500 TVs for $900, the law will happily slap you down.

I dunno. $750 might very well be a reasonable price for the item. If you bought 500 of them in good faith, and sold them to get the arbitrage, I think it might be hard to prosecute you. (Dealer authorization issues notwithstanding.)

On the other hand, if you got them for a price that was indisputably far below their market value because of a glitch in the seller's software, then I think the law can step in.

In either case, it's probably up to the courts to decide who prevails. As it should be.

Re:Where are the security trolls?

[angel'o'sphere]

I would buy that car!
Smart car!

How much?

Re:Where are the security trolls?

[gfxguy]

Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

The rest of your comment aside, a warehouse worker or truck driver shouldn't need to know the price of the items they are packing and delivering - they get their marching orders from a printout (or electronic message) that tells them what to pack and likely prints a shipping label for them.

Re:Where are the security trolls?

[hjf]

In Argentina there is no "clear mistake" option. The seller is obligated to sell the product at whatever price he put in the price tag. It doesn't matter if it was a mistake. Learn from your mistakes, I suppose.

I filed a claim against a seller for precisely that. They were selling a machine with 64% discount. I paid for it, then they canceled the order. So, I filed the claim. There was no mistake, though. It was labeled "HOT SALE". So if they advertise "AMAZING DEALS" and one product is 64% off, then it's most likely NOT a mistake.

Re:Where are the security trolls?

[I'm+New+Around+Here]

Actually, we don't know that "they sold them for free". They could have sold them, charged to a gift card that for some reason never has its value decreased. So Lowe's sold items for their regular or sale price, but never received the money the computer system expected.

Tellingly, eventually someone caught on, and looked into what was happening in this particular circumstance. It may have taken a while, but until numbers get big, many things go unnoticed.

Re:Where are the security trolls?

[hjf]

Heh, here in taxland (Argentina) we have tax on deposits. 0.6% of every deposit in any account. So if someone deposited 1M in your account and removed it, you'd still get taxed $6K.

It has happened before.

Re:Where are the security trolls?

[blindseer]

No consequences? Theft and fraud costs them money. Catching these people will cost them money since now they have to provide company resources to this case if they want their stuff back. Covering these costs will affect profits. There are consequences here. Best they can do now is minimize the losses.

I have little doubt they had security people look over the code. It may be that they weren't experienced, didn't have enough time to look over everything before it went live, or managers overrode their recommendations. They will fix it or stockholders will bail.

Screwing up isn't always a crime. The punishment is having to clean up the mess left by the screw up.

Re:Where are the security trolls?

[Dog-Cow]

And when someone rips your penis off and forces you to choke to death on it, I want to be on the jury so I can rule in favor of the defendant.

Re:Where are the security trolls?

[someone1234]

They exploited a flaw, caused material damage. They also profited from it. Any more questions?

Re:Where are the security trolls?

[skovnymfe]

Maybe the first time, but not the $250,000 worth of consecutive times. By then it's intentional.

Re:Where are the security trolls?

[houghi]

If you see a new car that would cost 25.000USD and you get it for 22.000USD. There is no issue. When you get that car for 25USD, there clearly is an issue. When you go back several times, there is clearly an intend to defraud. At least that is how it works in Belgium.

Re:Where are the security trolls?

[zmooc]

I'm not familiar with the local law, but I don't think it's a crime unless they refuse to give it back. Where I live that would be the default lawful way to go. The article isn't really clear on this, but it doesn't sound like they asked them to give the stuff back at all. Instead, they went to the police and had them arrested for theft, which it obviously wasn't since the so called victim shipped the goods to them.

Where I live (the Netherlands), the law is very clear on this: this would definitely not be theft, it wouldn't even be a crime. They would, however, be required to give back the goods since it's an obvious error in the system (as opposed to a not-so-obvious error like a ridiculous but not implausible discount, in which case they'd get to keep the stuff).

I suggest they counter-sue for damages of, say, $258,068.01 plus legal costs.

Re:Where are the security trolls?

[houghi]

Receiving the money and the sending of the packages will be done by completely different departments.
On the one side you have a system that verifies if the payment is ok. The moment that is ok, it will be send to the department (or company) that does the packaging. They have no idea with the pricing or promotions. They just verify (if that) if there is an OK for payment. They should not even need to do that.

I have worked at a company and we had a promotion where if you bought one item, you would get another item for free. Instead of doing a separate order ID, they placed 2 items in the basked and 1 was at 0 EUR (This due to legal issues, but that is not important right now).
So what some people did was remove the item they needed to pay and left in the item for free.

They did the payment (transport) so the payment was ok.

When we noticed, it was because it was strange we had 3 orders of that one item, we looked into it. Changes where done immediately and we just send out those 3, taking the loss. The sole reason we did that was because it would be cheaper to just take that loss than to go through the hassle of canceling the order, contacting the people and what not.

Now if the person sending out the item would not have done more than was expected of him (e.g. just packing the boxes and not care what was in them) much more would have gone out. We where a small company where the person had to take the item by hand.

If you have a much larger company, much of the packaging will be automated. That will mean that the few people who handle it will have no idea what is in the packages.

What I am interested in is HOW they found out. My guess is that the number of orders triggered a warning and a manual override would be needed for further orders. This normally would be just an OK when they see all is done nicely. In this instance they saw something was weird, looked into it and that is how they are where they are now.

The fact that they did this over and over again makes it clear they where fully aware what was going on. Then saying "I did not know it was a crime" is an extremely weak excuse as they should know that what they where doing was wrong.

What sentence they get depends on the laws. People get send to prison for much less.

Re:Where are the security trolls?

However of they say used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

If you can do that, they are asking the users computer to tell them what the price is / should be, and the computer not being a person, this thus becomes asking the user.

Basically a "name your own price" scheme, as has been used before for things like music and indie-games.

I would not consider any place a civilized country where a customer could be convicted of answering "nothing" when asked what he wants to pay for an item. In any reasonable law, that answer is considered an offer to buy the item at that price, and it is up to the shop to accept or reject the offer.

Re:Where are the security trolls?

[Big+Hairy+Ian]

Normally when retailers ship goods to me there's an invoice that says how much was paid

Re:Where are the security trolls?

[AmiMoJo]

Indeed, zero cost orders are not that uncommon as they are used for things like warranty replacements and exchanges.

Re:Where are the security trolls?

[jabuzz]

I should have said that it is common practice in the UK to pounce on these sorts of web site and even in store pricing mistakes. There are even web sites that are dedicated to carrying them with hotukdeals being the most well known.

Right now hotdealsuk is showing up to 90% for some watches at Amazon, and a Panasonic sound bar that that is 100GBP off (200GBP normal price) when brought with any TV, with the cheapest model that works with the deal being 99GBP.

So clearly deep discounting is not unheard off, and under what legal principle am I prohibited from flogging the unwanted TV off if I get the soundbar?

Re:Where are the security trolls?

[K.+S.+Kyosuke]

Exactly. I f they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, find over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

In the Land of Affluenza, anything seems to be possible. Some call it "the land of unlimited possibilities" after all...

Re:Where are the security trolls?

[AmiMoJo]

In the UK it could be argued that the seller "accepted" the sale. In a physical shop, if you see an item mis-priced you can't just take it to the sales counter, slap down the cash and walk out. The shop has to agree the sale with you, typically by putting it through the till and producing a receipt.

Years ago, in the early 2000s I think, some supermarket sold TVs for £0.10 instead of £1000 on their web site. They argued that even though the web site had taken the order, they had not accepted and shipped it. In the end they prevailed and no-one got their 10p televisions.

In the bank example, if you spent the money the bank wouldn't be able to reclaim it. This has happened to people with things like house purchases. The bank isn't going to create a debt by making the receiving account go negative, for two reasons. First, that debt would be the banks in reality. If it was theft they might never recover the cash and be left in the hole for potentially millions. Secondly, if it was a genuine mistake that person might have spent money they thought they legitimately had, and the general principal in law is that you should not lose out (with fees etc.) when it is someone else's mistake.

Re:Where are the security trolls?

[stealth_finger]

Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

But would they be charged with a crime?

It depends on scale, doing it now and again on small things for yourself would probably get you told off. Ordering a quarter millions worth of everything you can and you'd probably be looking at some kind of fraud or intent charges.

Re:Where are the security trolls?

[parkinglot777]

Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

Lowes is just full of fail on this one.

If you don't know, then you don't understand how a simple work flow works (especially for a big companies/corporations). It is just a simple logic why they do it the way they did.

Each check point is supposed to correctly validate inputs. If it works properly, there should NOT NEED to have redundant validations along the line later on because other processes do not need to know what other process is doing because it is not their job to validate others' work. In this case, the validation happens at the POS department, and the other department is delivery. As far as the delivery department knows, they received correct inputs (order list). Can you give me a good reason why does shipping/delivering department need to know which item has been paid and which has not when they expected POS to correctly do that already?

You can think of this as a simple program/assignment. For example, your assignment is to implement a factorial calculator. The input from users should be an integer. You implements 3 functions for your program -- acceptInput, calculateFactorial, and displayResult. For sure, you need to validate the user input to make sure that it is a positive integer (or zero) in your acceptInput() before you pass the input value to calculateFactorial(). If the input is invalid, acceptInput() should deal with the issue. Is there any reason that you need to validate the input again in your calculateFactorial() if you properly validate acceptInput() already? Then if calculateFactorial() can't compute certain factorial values due to overflow, who makes the decision on what to be displayed? Of course, it is calculateFactorial(), not displayResult() function. In other words, whatever comes out of calculateFactorial() should not need to be validated in displayResult() because it is not displayResult() job/purpose.

A proper flow is both efficient (simple work flow), speedy (no redundancy), and cost saving. However, the weak point is that if the validation failed at some point, all latter processes may be affected. In this case, the failure happened at the beginning of the process -- POS. Still, this does not directly affect latter processes (still correctly functioning) but rather the financial point of view.

The person/company who implements the application should be in big trouble because the validation of the application should have caught the bug before it went out live. Besides, this bug could cause a lot of damage to the company...

Re:Where are the security trolls?

[parkinglot777]

What does Lowe's deserve for creating the loophole and not hiring qualified security people to find and fix it? Do we really want a world where companies don't have to face the consequences of their actions?

You go overboard in this case. If the couple did it once and report to Lowe, then I agree that the company should not pursue any law suit against the couple and it would be similar to paying the bounty. However, the couple abused the bug (repeatedly exploited the bug). Are you still seeing the action as consequence against the company? Because you do not like corporations doesn't mean any actions, including abuses, against the company flaw are acceptable and/or lawful.

Re:Where are the security trolls?

[Chris+Mattern]

I don't know the facts; the article didn't give them. It depends on what they had to do; if they didn't have to actively subvert the site, it's more like they took it to the checkout counter and the register charged them $0 for it. They even have the receipt. Is that theft?

Re:Where are the security trolls?

[ElizabethGreene]

>> If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money.
> Actually not.

It depends on the Country you are in. My understanding is that under the Union Jack it's called "Theft by finding."

The trick with laws is to remember that what is right is not necessarily the law, and what is the law for you is not necessarily the law for someone else.

Re:Where are the security trolls?

[Ichijo]

It may be that they weren't experienced, didn't have enough time to look over everything before it went live, or managers overrode their recommendations.

These are all signs of a company that doesn't respect security and that expects taxpayers, through law enforcement, to pick up the slack. I don't like paying taxes and so I have little tolerance for such incompetence

Re:Where are the security trolls?

[LynnwoodRooster]

Awesome analogy! Now if you can change the size of the trailer used to haul the goods out to be measured in Libraries of Congress - we'd be set!

Re:Where are the security trolls?

[Ichijo]

What would jailing the couple accomplish? Do you think society needs to be protected from them because they might find and exploit another vulnerability?

What not jailing them would so is send a powerful message to Lowe's and all other companies that they need to stop shifting their costs onto taxpayers and start hiring better people instead of outsourcing at every opportunity.

Re:Where are the security trolls?

[ScentCone]

Even TFS tells you the details. They found and continued to exploit a security vulnerability on the Lowes web site, and were busily shipping tens of thousands of dollars of stolen goods to themselves and trying to fence it. You know, crime.

Re:Where are the security trolls?

[houghi]

This would fall under 'human error' and can be reversed as it is clear that this is not normal.
This is how it is written in European law.

The moment they ask you to either reverse the deal or pay the rest and you refuse, you are breaking the law.

Also something similar:
There was a woman in The Netherlands who received a serious sum of money on her bank account. She had not asked for it and she used it to pay her debt and buy a car. She was found guilty for fraud when she was unable to pay back.
OTOH a cow orker of mine received 6 months pay after he left. They asked it back + interest. He said ok to the money, but not to the interest. He knew his rights and could keep the interests.

In Europe, the law is much more concerned to the intention of the law than the letter of the law.

Buying a 25.000EUR car for 25EUR makes it clear that there is something weird going on.

OTOH I once saw a pair of headphones in a store and they where priced 8EUR or something like that. The actual price would be something like 38EUR. I got them for 8. They could have argued that the difference was too much, but they didn't. It was cheaper to just take the 30EUR loss and correct the price.

In yet other ads they make an actual expensive product and sell it for cheap, but have only 3 items. This is illegal as well, as it is false advertisement, even if they can prove that they had 3 items in stock and it said 'limited, first come first served'.

Courts in Belgium do not like it if you use the excuse of a 12 year old broy saying "Stop hitting yourself" or "But you SAID I could not have 1 cookie, so I took 2., not 1"

Re:Where are the security trolls?

[sjames]

The fact that the seller is an elephantine organization where the left hand doesn't know what the right hand is doing is legally irrelevant. They are a single legal entity that accepted the order and shipped it. I'm not saying what the couple did was right and proper, but since the company kept willingly sending the goods, it would be easy for the couple to think of it as "not really a crime". Yes, people have been imprisoned for less because we have a punitive culture that jails more people than China, but really, a non-custodial sentence makes more sense and will likely be enough to get them to not do this sort of thing again (supposedly the aim of our justice system).

Re:Where are the security trolls?

[LeftCoastThinker]

Honestly I need more details than this to know if it was stealing or not. If I find an item on Amazon or some other online marketplace that shows up in the cart for $0.00 and I put it in my cart and "buy" it, does that make me a thief? If I walk into a brick and mortar store and I buy something that rings up for $0, and then go back and "buy out" the store of their free item, does that make it theft?

If I were to take the UPC from the "free" item and affix it to something else, now that would clearly be stealing, but it just depends on whose fault it is for making something free, IMHO.

The business has the right to charge what they want for items, and it is not up to the consumer to pay for something the business is giving away. In many states, laws specifically state that if you incorrectly price an item either in an advert or on store shelves, the business must honor the transaction or they can be in big legal trouble...

Re:Where are the security trolls?

[LeftCoastThinker]

Any decent lawyer will get this thrown out in 5 minutes and get the ADA who brought the charges sanctioned for overcharging and incompetence. The fact that the article did not describe how they did it likely indicates it was a flaw in the gift card processing code on Lowes end (i.e. exactly using up a gift card's balance resulted in the card remaining fully charged). If there was no code manipulation, intrusion or abnormal software used on the client side, this entire case falls apart.

The couple will not get to keep the merchandise because it was sent to them due to computer error on the part of Lowes, but the problem was apparently not on their end, it was on Lowes. A good attorney would probably also file a civil suit for a few hundred thousand in damages due to negligence on the part of Lowes because Lowes chose to pursue charges against the couple instead of apologizing to the couple for their mistake as the took back the merchandise. We will have to see when more facts come to light.

Bottom line, there is no substitute for good code, and good software engineers are worth their weight in gold, especially in this day and age. Lowes will probably end up spending north of $500K on this mess, assuming they don't get sued by the couple. That could easily double if they get sued. Thee error was probably in less than 2 lines of code.

Re:Where are the security trolls?

[LeftCoastThinker]

The difference from the example that you cite (someone walking out of the store with unpaid merchandise) is flawed. There is active theft on the part of the person via walking past the registers, past the security measures with a product for which money is requested in exchange.

What happened with this couple is much more similar to a pricing error or items ringing up at $0. Most states have laws that not only protect the consumer in that situation, but they require the merchant to let them keep the merchandise on penalty of fines and criminal charges of fraud towards the merchant. It is irrelevant how many times it happens before the merchant catches it, it is fully the merchant's responsibility to ensure proper pricing and billing.

Those charges will very likely be dropped, and I will expect a judge to sanction the ADA that brought them along with a counter suit against Lowes for harassment, pain and suffering, fraudulent prosecution, etc. as those laws don't discriminate between brick and mortar and online stores. Unless they have withheld a lot of detail about real, actual hacking (back end/front end manipulation by non standard software/something other than an OTS web browser, etc.)

Re:Where are the security trolls?

[LeftCoastThinker]

And if the gift card system was broken internally by Lowes, as long as the couple legally owned the gift card, it is still not stealing or hacking or computer fraud. What they did may not be ethical, but it was not criminal as far as we know right now.

Should they have told Lowes? Probably.

Should they get to keep the stuff that Lowes shipped to them in error? Not in that case.

Should they get prosecuted for fraud or theft? Um no. Not unless they created the bug or colluded with an employee to create the bug or a fraudulent unlimited gift card.

If they are stupid or get a bad lawyer, they will be frightened by the ADA's massive overreach and take a plea deal with several years of probation and community service. If they are smart and/or get a good attorney, they will get the case thrown out, sanction the ADA and counter sue Lowes and publicize how Lowes is trying to get the family torn apart and the parents thrown in jail for an error that Lowes made on their website. After that makes it on the national news, Lowes will be throwing cash at them to shut up and go away as the American people hate corporations shitting on the little guy to cover up a mistake made by the corporation which is essentially what this is.

Re:Where are the security trolls?

[LeftCoastThinker]

No, the article doesn't go into details more that saying that it was a "flaw" in the gift card system, so you can't say that it was a security vulnerability. It may well have been a logic flaw in how gift cards are processed, and if so, that is not hacking and not a crime, no mater how hard Lowes and the ADA might wish otherwise.

Re:Where are the security trolls?

[I'm+New+Around+Here]

And if the gift card system was broken internally by Lowes, as long as the couple legally owned the gift card, it is still not stealing or hacking or computer fraud.

Considering the couple has been arrested, that seems to be exactly what the authorities do consider their actions.

Re:Where are the security trolls?

[ScentCone]

It's every bit a crime, if for no other reason than demonstrable intent. You're exactly the troll I was expecting, here. If there was a "flaw" in the point of sale area at a walk-up Lowes location, which manifested itself as a particular cashier always forgetting to look on the bottom shelf of your shopping cart ... and you realized that and specifically went there to exploit that weakness so they could rip off a bunch stuff to sell ... you'd be a thief. For the same reason they are thieves. So, this isn't you playing dumb. What is it? What's your agenda, trying to wish away the obvious, here?

Re:Where are the security trolls?

[parkinglot777]

What would jailing the couple accomplish? Do you think society needs to be protected from them because they might find and exploit another vulnerability?

You think the fault solely lies on a big company. I don't know if you are naive or simple minded. Jailing is a kind of punishment and it DOES accomplish certain moral stand point. This is NOT just about the couple only, but it also shows others who may think of doing the similar in the future. If no punishment which is hard enough to show others, there will be copy-cat all over the place. There are "risk" and "reward" here. The risk is being punished when get caught. I can't believe you don't realize this. You are teaching the moral that it is OK to abuse vulnerability of big companies because they are at false.

What not jailing them would so is send a powerful message to Lowe's and all other companies that they need to stop shifting their costs onto taxpayers and start hiring better people instead of outsourcing at every opportunity.

Again, it shows that you hate big companies/corporations. I don't mind that because I don't like them too. The message is sent to both sides, However, you seem not to be able to see the message that is sent to people as well as to the corporations. I don't know why you are so fearful of what corporations could gain but you can't seem to see what they could also lose at the same time. I have already stated why these couple needs to be punished, but I will state it again. To me, the wrong doing start when they repeat the action to abuse the bug, period. Jailing may not be the choice of punishment (and I didn't say they must be jailed anyway), so if you choose to FINE them & return all stuff would be OK to me. They MUST be punished because they "intended" to exploit the situation. As I said before, if they did once and stop, it wouldn't be a case and I would support them. However, they INTEND to do it again and gain as much benefits off others regardless who they are doing to (it's just in this case is a corporation). That is the whole point of punishment.

Re:Where are the security trolls?

[JohnFen]

How does that work in the States?

I think it depends on what state you're in. In my state, anyway, if you encounter a systems flaw (it doesn't have to be a computer-based one) that lets you get deals that an ordinary person can see aren't intended, and you take advantage of that, you're engaging in theft.

Re:Where are the security trolls?

[shentino]

Lowes may be full of fail, but it's entirely possible that the shipping and handling department had no knowledge of billing information.

Re:Where are the security trolls?

[shentino]

I'm not sure the shipping and handling department has the actual billing information. It is also possible that even if any employees willingly shipped them free goods, they were doing so without the authorization of their employer.

If a rank and file peon at a merchandising company gives away free stuff that doesn't mean it's legal. If you give (or even sell) someone stolen property, the cops will yank it back from whoever received or bought it and they'll be out the money they spent for it. The errant wanna-be customer would be left to recover what they spent from the thief who sold them the confiscated goods.

Re:Where are the security trolls?

[shentino]

If it's a mistake, then lowe's shouldn't be held to the mistake. This is a clerical error.

Holding lowes responsible for return shipping and making them eat the depreciation until they receive them back, however, would be fair game.

The problem is the so called "mistake" was deliberately exploited by people who knew damn well they were taking advantage of a defect in the ordering process and thus damn well that lowes had no intention of giving its stuff away.

Re:Where are the security trolls?

[LeftCoastThinker]

I can see where you are coming from, but please restrain yourself and your use of invective. The bottom line is we are both speculating and I think the simple truth here is that we do not have enough information on the flaw and how it manifested (not a security exploit) to know if it was criminal theft or not. There are a number of consumer protections that hold businesses accountable for their own mistakes, and prevent businesses from going after consumers or trying to charge them further after a transaction has been completed.

Re:Where are the security trolls?

[LeftCoastThinker]

There are any number of ADAs who are looking to make their name. They will arrest and overcharge to the point of the ridiculous. It is SOP for district attorneys as a tactic to get a plea deal, saving them from actually having to prove their case in court which takes real evidence.

Arrest is not evidence of either a crime or culpability. The evidence was likely provided by Lowes as well as a request to arrest the couple, so how much leg work was actually done by real police detectives was little to none. If the district attorneys office actually has to face a real defense attorney (not a public defender) the case will probably fall apart pretty quickly.

Re:Where are the security trolls?

[stephanruby]

No, this is more like a big-box hardware store finding a legal loophole and not paying 10 billion dollars in corporate property taxes.

It's criminal and its executives should spend a couple of years in prison for it.

Re:Where are the security trolls?

[jabuzz]

I have a Kodak DX3700 camera in my draw from the early 2000's where Kodak had a mistake on their website with the camera for something like 35GBP instead of 135GBP. So acceptance of the sale would generally come with payment. You debit my card and send me a nice email confirming that you have accepted my order and it is now being processed for delivery and the game is over, we have offer, acceptance and consideration and a legally binding contract is now in force.

Also with the bank error, they emphatically *DO* just reverse the transaction. If you have shifted money out the account and it is now in the red, that is *YOUR* problem. If you are a foreign student have drained the account into cash and pushed off back to say darkest Africa somewhere then it's going to be the bank standing the loss; assuming the error was their fault in the first place.

Re:Where are the security trolls?

[Ichijo]

You think the fault solely lies on a big company.

Who do you think created the vulnerability in the first place?

But you are right, I prefer to blame the process, not the people. That implies blaming the big company before the individual.

The risk is being punished when get caught.

You are referring to the theory of justice that punishment is a deterrence (which, by the way, doesn't seem to have worked in this case). Are you sure that throwing people in jail is a good way to keep people out of jail?

Again, it shows that you hate big companies/corporations.

I hate big companies because I want them to take responsibility for their mistakes and stop shifting their costs onto taxpayers?

To me, the wrong doing start when they repeat the action to abuse the bug, period.

To me, the mistakes began long before that. But maybe it's just me because I'm an engineer and I prefer to proactively find and fix the root cause of a problem rather than try to reactively clean up the mess it makes. "An ounce of prevention is worth a pound of cure."

Re:Where are the security trolls?

[chuckugly]

It was intentional, and also what Lowe's implemented and released for use. At some point web "devs" need to be held responsible for releasing crap like this. Consumers using a device or site 'as implemented' shouldn't really be *criminally* responsible for the stupidity of the devs.

Re:Where are the security trolls?

[iCEBaLM]

If it's a mistake, then lowe's shouldn't be held to the mistake. This is a clerical error.

Remember, companies are legal persons. If you ask me to send you something for free, and I do by mistake, do I have recourse to come after you after the fact for what I sent you? Also, would it be a crime?

The problem is the so called "mistake" was deliberately exploited by people who knew damn well they were taking advantage of a defect in the ordering process and thus damn well that lowes had no intention of giving its stuff away.

So at what point does it become someones responsibility to make sure their process is working properly?

Suppose I setup an automated system where if you email a special address I setup asking for a nickel, I will send you a nickel. The system will then send a notification to me when anyone emails it requesting a nickel. I advertise this nickel sending service and people start emailing it. My system has a bug though, if anyone whose last name begins with the letter X requests a nickel, my system will actually send me a notification to send them a gold bar.

Now suppose I honor every request, including sending out gold bars. Can I then go back after a month and make people send the gold bars back? I never advertised the service as sending out gold bars, I never intended to send out gold bars. Also, would this be a crime?

If I can't do it, why can Lowes? We're both equal under the law, right?

Re:Where are the security trolls?

[Actually,+I+do+RTFA]

Sounds like they need a better system then.

Re:Where are the security trolls?

[parkinglot777]

Who do you think created the vulnerability in the first place?

But you are right, I prefer to blame the process, not the people [wikiquote.org]. That implies blaming the big company before the individual.

Now you oversimplify/generalize the situation. The case should NOT be applied with what you are saying at all because there are other actions involved, and they aren't something you can overlook.

You are referring to the theory of justice that punishment is a deterrence (which, by the way, doesn't seem to have worked in this case). Are you sure that throwing people in jail is a good way to keep people out of jail?

No, this is NOT a theory but rather a simple psychology and real human behavior (don't you know?). Again, you kept saying jailing people. You are too stubborn to think out of the box. Punishment is NOT ONLY jail. There are many other ways and I already suggested one. However, some people could come to their sense when they are put in jail because they have common sense. Though, some don't.

I hate big companies because I want them to take responsibility for their mistakes and stop shifting their costs onto taxpayers?

See? You let your hatred blind you from reasoning and logic. Whatever cost them is your joyful. You need to let go your hatred and start using reasons to judge rather than your emotion. Again, let me try to put this on the table again. JAILING is NOT the ONLY WAY of PUNISHMENT.

To me, the mistakes began long before that. But maybe it's just me because I'm an engineer and I prefer to proactively find and fix the root cause of a problem rather than try to reactively clean up the mess it makes. "An ounce of prevention is worth a pound of cure."

I knew that the mistake began before that and I didn't deny it. However, the "wrong doing" is NOT a mistake. A wrong doing is done with an intention. A mistake is done without intent. This case contains 2 different parts of issues. Also, you will NEVER prevent every mistake from what you are doing. Your quote has nothing to do with this case. It is rather a suggestion of what (everyone) should be doing. It does NOT offer a solution if a mistake happens. If you want to quote it on any case like this, you would become a SJW, but I don't want anyone including you to be that kind of a person.

What is right should be acknowledge, and what is wrong should be punished. Simply throw all the blames to one side when it is clearly both have done wrong is extreme. An extreme solution often times (if not every time) never solves any issue but rather creates issues of the other extreme side ON TOP of the current issue. I know that I will not be able to convince you to move toward the center because that what extremists are (for both sides). I just want other readers to see my point if they ever come across these posts.

Re:Where are the security trolls?

[Methadras]

I don't see how. Lowes accepted the transaction and delivered the merchandise. A clear transaction occurred even though there was an anomaly to it. No one at Lowes thought to say, "Oh, we have a problem here?" after nearly a quarter million dollars of merch goes out for free? Yes, deliver it, sign on the dotted line you received it and have a nice day. I'm not seeing a problem here at all. This story simply proves a subtle observation I've had for a long time, in that laws are written to protect one thing, not the people that law falls onto, but to protect the wealth/money of the state. NJ was pissed they didn't get the tax money from 250K worth of merch and sent out the money enforcers to reclaim it. Not out of an act of goodwill against some bad people who took advantage of a loophole in a system, but one which saw the state believing it was being robbed instead. Laws ranging from Murder to Jaywalking all have one singular thread in them all; to protect the stream of money into government coffers. That's it. This story highlights that to me in spades.

The excuses people make up...

[MindPrison]

>insisted instead that his client just had a really special knack for finding good deals.

Right, nothing beats a five-finger discount for a "good deal", and add free shipping to boot - priceless!

Re:The excuses people make up...

[citizenr]

Have you seen any of those coupon shopping reality TV garbage shows? Its perfectly plausible to buy $500 worth of random clearance crap with $10 and a binder of coupons.

Re:The excuses people make up...

[swb]

There's an entire subculture of people that do that. My brother in law used to work in some kind of security department at Target and he worked on a team that specifically focused on people who had kind of figured out how to exploit the system this way. They were serious enough about it to use the security cameras to track people down to their vehicles.

I don't really know if this was actual fraud, like counterfeit coupons or just collections of really lucrative coupons in combination. The casino analogy would be did they learn to count cards or were they actively cheating in some way?

Re:Approximately

[__aaclcg7560]

Doesn't include sales tax.

Lowe's Fault

They authorized the purchases. Sucks for them their system doesn't detect huge discrepancies.

Re:Lowe's Fault

They authorized the purchases. Sucks for them their system doesn't detect huge discrepancies.

You must understand; It's not that big business and the government are against theft and fraud per se, they just don't like the competition.

Re:Lowe's Fault

[arbiter1]

Well it would be one them if it was a small purchase maybe few hundred 100$. When its 10k+ or 250grand that the couple tried to charge it becomes fraud since its a flaw they knew was a flaw and exploited.

Re:Lowe's Fault

[GuB-42]

It there is a clear mistake on the wholesaler part and Lowe's clearly exploited it, then it could be prosecuted. Not "arrested" but a fine and damages are to be expected. In fact, even if there is no mistake, this could fall under anti-dumping laws.
The issue with the couple is that they already resold the goods for a fraction of the price and thus, can't return them or pay back their debt.

Odd variety

"Below is a list of the most expensive items found at the couple's home:
Approximately $2,500 Victoria Secret Underwear"

Lowes sells Victoria Secret underwear?

Re:Odd variety

[93+Escort+Wagon]

Wow, suddenly I feel an urgent need to do some home improvement!

Re:Odd variety

[Mr+D+from+63]

"Below is a list of the most expensive items found at the couple's home: Approximately $2,500 Victoria Secret Underwear"

Lowes sells Victoria Secret underwear?

Welding lingerie is expensive.

Re:Odd variety

[ClickOnThis]

"Below is a list of the most expensive items found at the couple's home:
Approximately $2,500 Victoria Secret Underwear"

Lowes sells Victoria Secret underwear?

Imagine it was Home Depot instead. "You can do it. We can help."

Victoria's Secret?

[SoundGuyNoise]

What aisle of Lowe's do they sell that?

Some deals can be too good and too real...

[__aaclcg7560]

Many years ago I bought my current desk from the OfficeMax store for $55. Several months later I got an OfficeMax coupon for $50 off ANY desk with no other restrictions listed. So I went back to the store, pulled the desk off the shelf, and presented the coupon to the cashier clerk. The register refused to accept the coupon. When the manager came over, I pointed out the word "ANY" on the coupon, and he overrode the register. I got a $55 desk for $5 plus tax. Later on I got another $50 coupon without the word "ANY" and restricted to $500+ desks.

Re:Some deals can be too good and too real...

[ShanghaiBill]

Why do you need two desks?

Re:Some deals can be too good and too real...

[__aaclcg7560]

Why do you need two desks?

One desk for my laptop, file server and 23" monitor, the other desk for my video editing PC, Red Hat Linux PC, and 23" monitor. I also have folding table to store my electronic parts, soldering irons and testing equipment.

Re:Some deals can be too good and too real...

[dunkindave]

About 15 years ago when I moved and signed up with Comcast for a cable modem (they were the only high speed choice there - too far for DSL), the lady tried to upsell me by adding a TV package. She said If I bundled the two I would get a $15 discount. and mentioned various TV packages from $40 to over $100. I asked if there was anything cheaper since I had heard about a basic "must carry" level, and she admitted it existed and was $8. I confirmed with her that by signing up for a $8 basic TV package, I would get a $15 discount off the pair, and she said yes. So by letting TV signals enter my house (no TV attached though), I paid $7 less than just getting Internet. Sadly, about three years later the price increases and new FCC taxes for cable TV made the TV portion more expensive than the discount so I dropped it. I still have a grandfathered plan though that gives me 100Mbps at half the cost of my neighbors.

Re:Some deals can be too good and too real...

[__aaclcg7560]

You forgot to mention that one is also used as your dining table and the other one as your bed in your Japanese style apartment.

I have a separate kitchen table and a twin bed. My 475-sqft studio apartment would be a mansion in Japan.

Life in a Crazy-Small 8m2 Tokyo Apartment
https://www.youtube.com/watch?v=TYVJbupG3Xg

Re:Some deals can be too good and too real...

[__aaclcg7560]

In Japan, I would be too skinny to qualify as a sumo wrestler (400 to 600 pounds).

Re: Some deals can be too good and too real...

Comcast was charging me $12 for 3 years for the Blast internet service upgrade. Problem was I was ONLY being charged for the Blast upgrade and nothing else. The first month I started an online chat and they did not understand, the second month I called them, they did not understand. Finally just a few months ago after being billed $12/month total, they fixed it. I tried 2 times to make it right but their dumb ass outsourced customer service could not understand. I guess they didn't have a script for that.

Re:Some deals can be too good and too real...

[__aaclcg7560]

Those new meds are working great, Chris.

Oh, crap! I forgot to take my vitamins this morning!! I've been pissing cheap urine all day!!! Thanks for reminding me!!!!

Re:Some deals can be too good and too real...

[angel'o'sphere]

There actually have been quite a few very successful Sumo Tori that were around your weight.

Re:Some deals can be too good and too real...

[LeftCoastThinker]

And they had to do it because laws in nearly all US states will heavily fine or even charge companies with fraud if they do not honor their posted prices/advertisements.

The first rule of Software Development is....

[mikelieman]

Lol... Isn't like the FIRST FUCKING RULE of software development, "Don't migrate to production until it passes ALL QA tests. And if their QA tests left a hole like this open, time to hire a new QA manager!

(Lowes, contact me and I'll send a resume )

Re:The first rule of Software Development is....

No, generally the rule is don't migrate to production till all known critical flawes are fixed. most code goes to production with many known QA issues. QA generally also gets underfunded and even when well funded they won't find everything.

class warfare

[PopeRatzo]

When a consumer exploits a bug in the system, they get arrested. When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

Re:class warfare

[sjames]

Mod parent up!

Re:class warfare

[drinkypoo]

When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

Those are not bugs. They are intentional features, which were implemented deliberately at the request of the highest-paying customers, like most new features.

Re:class warfare

[Rick+Schumann]

Hear, hear.
The worst that should happen to these people is they should be required to return any goods they received, and maybe pay Lowes any money they made from selling the aforementioned merchandise. All Lowes is doing is being falsely righteously indignated because their system was borqed. Who they should go after (in civil court) should be the company that designed their software, for doing such a poor job.

Re:Victoria's Secret? At Lowes?

[PopeRatzo]

How in the hell did they buy Victoria's Secret items from Lowes? Asking for a friend...

The Victoria's Secret branded tool apron is hot as hell. And who knows what the Victoria's Secret impact drill is actually used for? If you catch my drift.

Ethics

[siamesevodka]

His Ethics are better than most Pharmaceutical Companies. In fact they will probably incorporate this in a reverse method to use on customers.IE: Kroger ran an add for 5 dollars of any Seafood purchase. But in fine print so small you could not read it, it said you must purchase 15 dollars worth of food. I found this out in the checkout line with 5 people behind me.The cashier said I could go back and get more seafood to make it 15 dollars.I could see the 5 shoppers in line behind me wanting to burn me at the stake if I did that. So I did the next best thing, I told the snarky cashier that she could keep the seafood and the coupon as well. I said I'm felling generous today you remove the seafood from my bill. I got applause. It felt good.

Re:Ethics

[RazorSharp]

People actually applauded? While your little anecdote is far too mundane to be totally fictitious, I don't believe the applause part and I also don't believe the "fine print so small you could not read it." Who doesn't know to look at the fine print on a coupon? And if the print was too small to read, how was the cashier able to read it?

The image of your fellow grocery patrons vigorously clapping in support of your heroic stand against a duplicitous coupon is comical.

Seems legit!

[kenh]

One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

Yeah, good luck with the 'good deal' defense...

Re:Seems legit!

[Mondor]

I like how a wealthy lawyer implied that it's OK to steal from LOEWE because it's a "Fortune 500" company. There was no reason to mention how wealthy this company is. So, I guess it's OK to steal from this lawyer too?

Re:Seems legit!

[drinkypoo]

The difference is that incompetence could keep the couple out of a cell.

It might, but it probably shouldn't, and it probably won't. They knew what they were doing. Nobody actually thinks a gift card is supposed to keep on giving forever.

Impact drill

[fyngyrz]

No one's going to catch that bit of drift unless you provide serious amounts of lube.

So, assuming you get that handled, what time do you want to come over?

Exploiting Gift Card Loophole

The story goes that they were able to use MasterCard Gift Card ("burner cards") to purchase the goods, and because of the way Lowes didnt check the pending balance (most companies sweep their card purchases once each night, and pending purchases are held in a "temporary authorization" state), they were able to make multiple purchases on the same Gift Card since each purchase was under the current balance.

Re:Exploiting Gift Card Loophole

[Actually,+I+do+RTFA]

This really sounds like it's MasterCard's fuck up then.

What was the glitch?

[reboot246]

Has Lowe's fixed it yet?

I need a new riding mower. :)

bargain is a crime now

[superwiz]

It sounds like they discovered a way to combine a few offers to reduce the purchase price to zero or close to it. If Lowe's made those offers (intentionally or not) and the couple didn't change the pricing through hacking the system, this is indeed just high-tech bargain hunting. If they changed any of the site's content (even if it's client-side code), then it's manipulation which could be considered hacking. But if all they did was take advantage of the offers, Lowe's made them, then it's just criminalizing of getting a good deal.

Re:bargain is a crime now

[uvajed_ekil]

It sounds more like they were using fake/non-existent gift cards, as the summary and article state there was a flaw in the Lowe's gift card "module." An acquaintance did something similar (though likely much more low-tech) at a restaurant where he worked. His method was obviously illegal, though he got away with close to $50k in embezzlement before he got caught, and convicted.

Re:bargain is a crime now

[superwiz]

GIGO

Yes, generally, AC in, garbage out. I agree with you on that.

What you think it sounds like and what actually happened aren't the same thing.

Well, the article doesn't say what actually happened. So I'll judge what it says based on what it says rather than based on what really happened. Because what I am judging is the validity of the stated conclusions from the stated premises.

Re:bargain is a crime now

[superwiz]

That would mean that what the lawyer claimed wasn't true. If their lawyer makes the argument that they were good at bargain hunting, it's valid to assume that he is not lying. Despite their reputation, lawyers cannot knowingly present false facts in a courtroom. So it wouldn't benefit him to state facts which are only disproven if this ever gets to trial. In fact, if the facts the lawyer claims to be true are, in fact, false, then he just gave an easy win to the prosecution. They just have to disprove his claims. And then the jury would never believe anything he says. And if the facts support the conclusion that they were good bargain hunters, then they had to have done it without lying at any point. Here's another possible scenario: buying a gift card gets you 2-3% discount on a purchase. And then you buy gift cards with gift cards until you are paying next to nothing on the next gift card that you buy. If the website didn't have protections against something like that, then I would consider this to be above water. This is no different from what traders do. If Lowe's made public offers which allowed the public to trade with Lowe's at a disadvantage to Lowe's, that's bad business, but it's not being a victim of a crime. Offering others to do something which results in your own financial losses is something that happens all the time. Sometimes it's even deliberate (think of selling of merchandise for pennies on a dollar to avoid the cost of restocking or garbage pickup). I can totally see a few scenario in which companies would sell gift cards at a huge loss (trying to expedite ending a contract with a 3rd party, for example).

Wells Fargo

[Herkum01]

Did Lowe's contact them, submit a ticket complaining about the problem? Unless they spent 3 hours waiting on the phone, I think they jumped the gun calling the police.

Sounds ridiculous? Well that is what Wells Fargo was doing to its customers and it was called an accounting error. Trying calling the police on Wells Fargo when they are making up bank accounts in your name, or forcing you to buy un-requested care insurance.

what about the ANY coupons that have a long

[Joe_Dragon]

what about the ANY coupons that have a long list of stuff they don't cover.

Zero customer service + deals managed by computers

[Kris_J]

When there are no customer service agents to assist, and the answer is always "what does the website say?", this is the risk you run. At what point does it become a customer's responsibility to sanity-check a massive corporation's self-service portal? I say at no point. If your system stacks multiple discounts and you don't have rock-solid rules and checks, and I find a way to reduce the price to zero, then I assume that *is* a really good deal I've found. This is extreme couponing, not hacking. If an instant cash-back offer is more than the sale price, am I stealing? I think not.

I've seen $100 items...

...sold for $10, it happens all the time. It's called a clearance sale.

Re:Lack of empathy

[sjames]

To be fair, sometimes the limits really are too small to read if your vision is less than perfect.

It's the Jury.

[Marc_Hawke]

You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials. Specifically it's supposed to be your 'peers.'

The question is asked, "Do you think this person is guilty of stealing from this company?"
The judge says, "This is what the law is and what it says."
The lawyers say, "this is what the defendant did or didn't do."
Then it's up to the Jury to decide if what the defendant did or didn't do counts as breaking the law.

Sometimes it's cut and dried...but if it was always black and white like that we wouldn't need juries. Juries are specifically for cases like this where the people say, "Yes, I ordered all that stuff, but I didn't think it was breaking the law." The people on the jury say, "You know...I probably wouldn't have known it was against the law either." or they say, "Don't be an idiot. That's obviously against the law." That's why they are supposed to be 'peers.' People who 'generally' think the way you do.

Other examples of 'great jury fodder' is self-defense. "I would have done the exact same thing in the situation."

Re:It's the Jury.

[dryeo]

The Judge usually, at least around here, gets the first chance to throw the case out. The defendant also has a choice of whether to have a jury trial or bench trial.

I have to say...

[Yosho]

Not exactly on-topic, but that headline style is absolutely atrocious. Here, let me help: "Bug in Lowe's Site Sold Goods for Free; Couple Arrested for Exploiting It"

I think it's too verbose as well, but that's beside the point.

EditorDavid, you need to either go read over the Chicago Manual of Style or remove "Editor" from your name.

Accidental hack defense?

[duke_cheetah2003]

One of the suspects' lawyer argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

"Yeah, your honor, I was on the website and I pushed some stuff and it started sending me free stuff. I didn't mean it!"

Which of course is invalidated the moment they use the 'problem' again for more and more free stuff. Shameful.

Unlocked door doesn't make it suddenly OK to steal other people's stuff, sorry!

Did they close the loophole?

[beckett]

I needed a circular saw; mine broke today.

Lowes, you just 'lost' a 'customer'.

Re:Did they close the loophole?

[Dog-Cow]

A "customer" who wants to illegally and immorally exploit flaws to get free stuff is not a customer that Lowes wants. For that matter, no one does, so please use your new saw to cut your face off.

"approximately $12,971.23 worth of merchandise"

[Bugdanoff]

I am (approximately) like you, I hate it when people are so imprecise !

Re:"approximately $12,971.23 worth of merchandise"

[Dog-Cow]

Approximation refers to accuracy, not precision.

Jury trials are the last defence against bad law

[Bruce66423]

There are a number of occasions in England where a jury's refusal to convict whistleblowers for releasing embarrassing state 'secrets' have done a lot to reign in the government. Yes, you pay a price in terms of some real crimes being unprosecutable as well - receiving stolen goods for example - but overall I think the price is worth paying.

So does your definition of 'civilised' equal 'authoritarian'?

Back in the days of coupons...

[MMC+Monster]

Back in the 1990s you'd get the occasional feelgood story on TV about someone using stacks of coupons to get a cartload of goods for a couple dollars.

They'd use multiple double or triple coupons with a series of other coupons and such to make many of the items free when you bought them with other items that were heavily discounted.

If these people used a flaw in the gift card system, it sounds like something similar.

Re:Back in the days of coupons...

[devjoe]

Unless the flaw in the gift card system they were exploiting was by checking the balances on Lowe's gift cards they didn't own, but had determined the sequence of numbers for, and spending other people's balances as soon as they saw the cards had value. Or they found some way to recharge a gift card without paying money. Or some similar glitch in the gift card system.

Re:Back in the days of coupons...

[MMC+Monster]

True. But that would be fraud and I would hazard a guess that it would have been mentioned as such.

Not the couples issue or fault

[Murdoch5]

The reason they were able to get the good was the direct result of a bug in the website, and they were not responsible for the creation of the bug or what the bug could exploit, therefore, leaving the couple completely in the clear. The couple could easily explain that they figured the bug was a feature and because they had no hand in the original design of the website / infrastructure, they had no way to know or question its operation.

Sterling is an offshore India shithole

Lowes contracts all its online ordering dev to a company called Sterling and a handful of in house programmers and both are based in (guess where!) INDIA.

They produce SHIT CODE (both Sterling and in house devs) that I'm sure there is more of this going on.

I met the Dept manager for online sales and all he does is heard cats... shitty programmers with shitty skills cranking out code that barely works.

Wha???!??

[andyring]

Lowes sells Victoria's Secret underwear? I must have missed that aisle when I was in there last night getting parts for my sprinkler system.

We Don't Have Jury Trials

[SeattleLawGuy]

You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials.

Jury trials happen in a tiny percentage of cases. Insisting on a jury trial means you're willing to risk years (or perhaps decades) of your life for the chance that the jury will agree with you. People generally only do that if they're looking at VERY serious time. VERY occasionally you run into someone who refuses to settle because they're innocent, and are willing to roll the dice a jury will believe them. And then they go to jail for longer than if they had been guilty.

Re:Lack of empathy

[sjames]

I have seen disclaimers such that even back when I had better than 20/20 vision, I needed a magnifier to read it.

Try printing at a regular size rather than being sneaky.

As always need a lawyer

[Zontar_Thing_From_Ve]

There have been cases in the USA where airlines made a huge pricing mistake and sold very expensive long distance flight tickets for unrealistically low prices and then the airline woke up after hundreds of people bought them and fixed the error. They've refused to honor the prices and the tickets, customers sued, and the customers lost.

I talked some years ago with a friend who is an attorney about a case where a guy on Ebay was selling a plasma TV for something like $1000, which at the time was actually a very low price. Well, the guy was actually selling a photo, not a real TV. He got arrested and charged with a felony. I asked my friend about it and he explained that even though the guy had used tricky wording in his Ebay ad that if you paid careful attention made it clear you were buying a photo and not a TV, that the law covers this and nobody would be expected to pay $1000 for a photo and this was clearly fraud. I'm not a lawyer but I suspect that this kind of behavior crossed the line into fraud because of the scope of the purchases. Yes, Lowes should have been smarter than shipping all this stuff. But as someone who has actually served multiple times on a jury in the USA I can tell you that the DA will frame this in terms to make it look like willful thievery, like someone forgetting to lock a back door and then having somebody walk in and grab everything they can carry. This is not going to be an easy case for the defendants to win, especially with the type of legal help I suspect they'll get. My guess is they'll get convicted. Believe it or not, the law doesn't really want to see people get ripped off because of mistakes and there are various laws on fraud and theft that can cover this situation for the benefit of Lowe's.

Re:Zero customer service + deals managed by comput

[phorm]

Yeah, depending on what was "exploited", it could have still been a legit purchase.

I've heard of this happening in stores with people who do "extreme couponing", sometimes to the extent where combined coupons equal a negative balance at the till.

I've also heard of cases with things like points-cards where people use the card to buy a cash-value item, then use the cash to pay off the card (free points). E.G. buying several hundred bucks of "commemorative coins" on a special sale of 10 for $10, then using said coins as currency to pay off the card balance.

Catastrophic bug in the e-commerce site, you say?

[user+no.+590291]

Hmm . . . Looks like Instant Karma