Slashdot Mirror


Bug In Lowe's Site Sold Goods For Free. Couple Arrested For Exploiting It (bleepingcomputer.com)

An anonymous reader writes: A couple from the Brick Township in New Jersey stands accused of using a flaw in the Lowes online portal to receive goods for free at their home. According to the Ocean County Prosecutor's Office, the couple tried to steal goods worth $258,068.01, but only managed to receive approximately $12,971.23 worth of merchandise. Officers executing a search warrant said the residence resembled "more of a warehouse than a home." Investigators said they recovered enough merchandise to fill an 18-foot trailer. Most items were in their original packaging and still had their price tags. Police say one of the suspects posted ads for some of the stolen goods on a Facebook group used to buy and sell used objects. The suspect was selling most of the items at half the price offered on the Lowes website. Authorities did not provide in-depth technical details but revealed the flaw resided in the site's gift card module.
The lawyer for one of the suspects argued that his client didn't have the skills to penetrate the security on the web site of a Fortune 500 company -- and insisted instead that his client just had a really special knack for finding good deals.

44 of 239 comments

  1. Where are the security trolls? by ScentCone · · Score: 2, Insightful

    I clicked to read more so I could see how many people would be saying that it's not really theft if Lowes didn't prevent it from happening. You know, like if a shoplifter walks out of their store with a $20 impact socket in their pocket, and Lowes didn't notice him doing that, then it's totally Lowes' fault that he stole that.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Where are the security trolls? by chuckugly · · Score: 5, Insightful

      More like if Lowes' self-checkout station set the price on some goods at $0 if they were scanned upside-down, and people just checked out and left. And then got arrested.

    2. Re:Where are the security trolls? by sjames · · Score: 4, Insightful

      Don't be silly. This wasn't just Lowe's not noticing some stealthy action, this was Lowe's willingly packing up and shipping the goods to the couple after receiving no money.

      Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

      Hopefully, they will be required to return the goods and receive a non-custodial sentence and a stern warning.

    3. Re:Where are the security trolls? by JaredOfEuropa · · Score: 5, Informative

      This is more like those people hearing about that trick (or maybe finding out themselves), then making sure they scanned every item upside down. It's similar to incorrectly priced items, and over here (NL) the law is sort of clear on that. If an item is priced too low by accident (or rung up incorrectly at the register), the customer gets to keep the purchase at the lower price... unless there is a "clearly apparent mistake". A €1000 TV priced at €800 would not be a clear mistake; a €200 discount would be a really good one, but plausible. That same TV priced at €100 is clearly a mistake though. Same as someone who manages to order over $18,000 worth of goods on a $20 gift card because of a flaw in the system. Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here. How does that work in the States?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Where are the security trolls? by mikelieman · · Score: 4, Insightful

      Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

      Lowes is just full of fail on this one.

      --
      Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
    5. Re:Where are the security trolls? by ShanghaiBill · · Score: 3, Interesting

      Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

      But would they be charged with a crime?

    6. Re:Where are the security trolls? by rmdingler · · Score: 2

      Given the volume and value of the goods, I find it hard to believe that the couple had no idea it wasn't just a really good deal, but I can somewhat see why they might not have fully realized it was a crime.

      Well, unless they were under the impression the gift-card-that-kept-on-giving was a magical talisman, I'd have to lean towards some malfeasance. For certain, their story won't be retold on an episode of Criminal Masterminds... they apparently had the purchases sent to their home and were reselling them on Facebook.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    7. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      If you picked up a couple of goods like that in a basket, I'd call the arrest unreasonable.

      If you went back and picked up an entire trailerload of those goods and only those goods, and walked out without paying a cent, I'd say at that point you should have realized something was wrong, and now we've got clear evidence of malicious intent.

    8. Re:Where are the security trolls? by Dragonslicer · · Score: 5, Informative

      Lowes packed up their order and had it delivered to their house! There should be like 3 computer functions that mitigate that risk and oh, a dozen PHYSICAL ACTS that should have stopped it.

      How would a warehouse worker or truck driver know that the customer wasn't correctly charged by the website for their purchase?

    9. Re:Where are the security trolls? by ClickOnThis · · Score: 3, Funny

      Come on everybody. This is Slashdot. We need a car analogy.

      --
      If it weren't for deadlines, nothing would be late.
    10. Re:Where are the security trolls? by ClickOnThis · · Score: 5, Insightful

      Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

      But would they be charged with a crime?

      If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

      --
      If it weren't for deadlines, nothing would be late.
    11. Re:Where are the security trolls? by Ichijo · · Score: 4, Interesting

      So that customer found multiple vulnerabilities in Lowe's order fulfillment process. I think that's worth a bug bounty of well over $13k. Lowe's should say thank you and call it even.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    12. Re:Where are the security trolls? by AmiMoJo · · Score: 2

      In the UK they might, if it could be shown that they realised what was happening and decided to abuse it. All EU countries are similar I think.

      It's similar if someone accidentally transfers money to your bank account. If you suddenly find a million Euros in there that you weren't expecting and decide to spend it, you stole that money. You could not reasonably have thought it was yours. If it's just 100 Euros and you normally get thousands a month from your job anyway it could be an honest mistake to spend it and you wouldn't be arrested.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      This involves a ton of contract law and consumer protection laws, which span huge volumes of the law. Trying to condense this to a simple yes/no is going to miss a ton of nuance.

      But, ultimately, if the seller can demonstrate that the buyer had intent to defraud, they will have no problem prosecuting the buyer.

      In the case of Lowe's here, intent to defraud is pretty clear, since a) the software glitch was used repeatedly and consistently - showing that it wasn't an accident nor a mistake - and b) no honest person expects to "buy" $200k worth of stuff for $0. I don't know if this is enough - IANAL - but this certainly doesn't paint the buyer in a pretty light.

      But again, this is going to have to be settled by a court.

    14. Re:Where are the security trolls? by quonset · · Score: 3, Insightful

      how many people would be saying that it's not really theft if Lowes didn't prevent it from happening.

      And you were correct in your assumption. Looking below, one can find many people blaming Lowe's. Not the criminals who deliberately exploited this flaw, not the criminals who were trying to resell their ill-gotten goods, not the criminals with piles of merchandise they obviously knew were stolen. Nope, it's all on Lowe's.

      One can imagine a scenario where people who go to Lowe's, pick up an item and walk out of the store without paying for it would be considered completely absolved of their crime because Lowe's didn't prevent it from happening.

      It's amazing the excuses used to justify criminal behavior.

    15. Re:Where are the security trolls? by Registered+Coward+v2 · · Score: 5, Interesting

      Even if it is clear that the system was at fault and that no exploit was used, that person would not get to keep the goods over here.

      But would they be charged with a crime?

      If they exploited the flaw over and over and over again, then I would think yes. Just like the couple allegedly did in TFS.

      Exactly. If they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, finding over $250k of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    16. Re:Where are the security trolls? by blindseer · · Score: 3, Interesting

      Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

      In the Army there's a lot of delegation and division of duties. I've seen this used and abused. A fellow recruit (happened to be prior service Marine so he knew the system better than I) and I needed to get some luggage before getting our orders but we knew that if we simply asked for permission to go to the PX it would likely be denied. He just said to follow him and I did, I watched him go from one sergeant to the next with BS and half truths and in 20 minutes we were walking to the PX. He just did a Jedi mind trick on three sergeants to get us what we wanted. That's a pretty mild abuse of the system and if someone ever asked too many questions it would have been a "don't do that again" warning.

      Another recruit liked to pull this trick by claiming "Sergeant Major says..." which got annoying real quick. Going to ask the Sergeant Major every time would have taken more time than just doing what he asked and I don't know if he got nailed on it. I got my luggage and my orders and I was gone before that happened.

      --
      I am armed because I am free. I am free because I am armed.
    17. Re:Where are the security trolls? by intermelt · · Score: 3, Insightful

      Most references to US law imply that they would need to return the merchandise or pay for it if it is an obvious error in pricing. However this all probably depends on how they received the discount on the merchandise. If it was a coupon code or certain methods of clicking, then they are probably ok. However, if they, say, used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

    18. Re:Where are the security trolls? by blindseer · · Score: 4, Funny

      Okay, car analogy...

      Imagine your car goes to the Lowes website to buy tires. Your car finds out a way to get the tires shipped to the house without paying for them. Your car is now selling the tires at half price on eBay, and for some reason you don't mind a pile of tires in your garage. Now, should your car be sent to prison for this, or should your car have the remaining tires returned and then told to... retire... from selling things on eBay?

      No, don't get up, I can find the exit myself.

      --
      I am armed because I am free. I am free because I am armed.
    19. Re:Where are the security trolls? by iCEBaLM · · Score: 4, Insightful

      That's Lowe's problem, or at least it should be. If a company is like a person then there's no excuse. If you ask a person to ship you free things, and they do, then I fail to see how this is a crime.

    20. Re:Where are the security trolls? by ClickOnThis · · Score: 4, Insightful

      On top of that, there's intent to sell.

      If you get a $250 discount off a $1000 TV by accident and then keep that TV for yourself, the law is pretty much going to ignore you.

      But if you get a $250 discount off a $1000 TV by accident but then use said accident to buy 500 TVs and proceed to re-sell all 500 TVs for $900, the law will happily slap you down.

      I dunno. $750 might very well be a reasonable price for the item. If you bought 500 of them in good faith, and sold them to get the arbitrage, I think it might be hard to prosecute you. (Dealer authorization issues notwithstanding.)

      On the other hand, if you got them for a price that was indisputably far below their market value because of a glitch in the seller's software, then I think the law can step in.

      In either case, it's probably up to the courts to decide who prevails. As it should be.

      --
      If it weren't for deadlines, nothing would be late.
    21. Re:Where are the security trolls? by angel'o'sphere · · Score: 2

      I would buy that car!
      Smart car!

      How much?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    22. Re:Where are the security trolls? by gfxguy · · Score: 3, Informative

      Got that right. There is a communication problem in any big organization. This can be taken advantage of if you know the system.

      The rest of your comment aside, a warehouse worker or truck driver shouldn't need to know the price of the items they are packing and delivering - they get their marching orders from a printout (or electronic message) that tells them what to pack and likely prints a shipping label for them.

      --
      Stupid sexy Flanders.
    23. Re:Where are the security trolls? by houghi · · Score: 2

      If you see a new car that would cost 25,000 USD and you get it for 22,000 USD, there is no issue. When you get that car for 25 USD, there clearly is an issue. When you go back several times, there is clearly an intent to defraud. At least that is how it works in Belgium.

      --
      Don't fight for your country, if your country does not fight for you.
    24. Re:Where are the security trolls? by houghi · · Score: 2

      Receiving the money and the sending of the packages will be done by completely different departments.
      On the one side you have a system that verifies if the payment is ok. The moment that is ok, it will be sent to the department (or company) that does the packaging. They have no idea about the pricing or promotions. They just verify (if that) if there is an OK for payment. They should not even need to do that.

      I have worked at a company and we had a promotion where if you bought one item, you would get another item for free. Instead of doing a separate order ID, they placed 2 items in the basket and 1 was at 0 EUR (This was due to legal issues, but that is not important right now).
      So what some people did was remove the item they needed to pay for and leave in the free item.

      They did the payment (transport) so the payment was ok.

      When we noticed, it was because it was strange we had 3 orders of that one item, we looked into it. Changes were done immediately and we just sent out those 3, taking the loss. The sole reason we did that was because it would be cheaper to just take that loss than to go through the hassle of canceling the order, contacting the people and what not.

      Now if the person sending out the item had not done more than was expected of him (e.g. just packing the boxes and not caring what was in them) much more would have gone out. We were a small company where the person had to take the item by hand.

      If you have a much larger company, much of the packaging will be automated. That will mean that the few people who handle it will have no idea what is in the packages.

      What I am interested in is HOW they found out. My guess is that the number of orders triggered a warning and a manual override would be needed for further orders. This normally would be just an OK when they see all is done nicely. In this instance they saw something was weird, looked into it and that is how they are where they are now.

      The fact that they did this over and over again makes it clear they were fully aware what was going on. Then saying "I did not know it was a crime" is an extremely weak excuse as they should know that what they were doing was wrong.

      What sentence they get depends on the laws. People get sent to prison for much less.

      --
      Don't fight for your country, if your country does not fight for you.
    25. Re:Where are the security trolls? by Anonymous Coward · · Score: 2, Insightful

      However of they say used something like the Chrome inspector to change prices submitted to the backend then they are probably liable for theft and/or hacking.

      If you can do that, they are asking the user's computer to tell them what the price is / should be, and the computer not being a person, this thus becomes asking the user.

      Basically a "name your own price" scheme, as has been used before for things like music and indie-games.

      I would not consider any place a civilized country where a customer could be convicted of answering "nothing" when asked what he wants to pay for an item. In any reasonable law, that answer is considered an offer to buy the item at that price, and it is up to the shop to accept or reject the offer.

    26. Re:Where are the security trolls? by AmiMoJo · · Score: 2

      Indeed, zero cost orders are not that uncommon as they are used for things like warranty replacements and exchanges.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
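      Three threads of this discussion describe the same class of control: houghi's bundle promotion where customers dropped the paid item and kept the "free" one, the "name your own price" point about a client that submits its own price, and the note that zero-cost orders do exist for warranty swaps. The routine below is an added example of how a checkout backend keeps those cases straight. It is not Lowe's code, and the article gives no technical detail of the actual gift-card flaw, so nothing here claims to reproduce it; the catalog, the "buy DRILL-1, get BIT-SET free" promo, the order types and the RMA field are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed catalog; the server-side price is the only one that counts.
# "FLYER" at 0.00 stands in for a mispriced row to show the zero-total hold.
CATALOG = {
    "DRILL-1": Decimal("129.00"),
    "BIT-SET": Decimal("24.00"),
    "TV-55": Decimal("1000.00"),
    "FLYER": Decimal("0.00"),
}

# "Buy DRILL-1, get BIT-SET free": free SKU -> SKU that must be paid for in the
# same order, one free unit per paid unit.
PROMO_FREE_WITH = {"BIT-SET": "DRILL-1"}

# Order types that are legitimately zero-value, but only against an RMA.
ZERO_TOTAL_ALLOWED = {"warranty_replacement", "exchange"}


@dataclass
class Line:
    sku: str
    qty: int
    client_price: Optional[Decimal] = None  # what the browser sent; logged, never used


@dataclass
class Order:
    lines: list
    order_type: str = "sale"
    rma_ref: Optional[str] = None


@dataclass
class PricedOrder:
    total: Decimal
    hold_for_review: bool
    issues: list = field(default_factory=list)


def price_order(order: Order) -> PricedOrder:
    """Recompute the total from the catalog and decide whether the order may ship."""
    if not order.lines:
        raise ValueError("empty order")
    qty_by_sku: dict = {}
    for line in order.lines:
        if line.sku not in CATALOG:
            raise ValueError(f"unknown sku {line.sku}")
        if line.qty <= 0:
            raise ValueError(f"bad quantity for {line.sku}")
        qty_by_sku[line.sku] = qty_by_sku.get(line.sku, 0) + line.qty

    if order.order_type in ZERO_TOTAL_ALLOWED:
        # Free shipments are fine, but only when tied to a returns record.
        if not order.rma_ref:
            raise ValueError(f"{order.order_type} requires an RMA reference")
        return PricedOrder(Decimal("0"), False, [f"priced at zero under RMA {order.rma_ref}"])

    issues = []
    total = Decimal("0")
    paid_units_left = dict(qty_by_sku)  # paid units still available to unlock a free item
    for line in order.lines:
        unit = CATALOG[line.sku]
        # The client-supplied price is compared only so the mismatch gets logged.
        if line.client_price is not None and line.client_price != unit:
            issues.append(f"{line.sku}: client sent {line.client_price}, catalog is {unit}")
        free_units = 0
        paid_sku = PROMO_FREE_WITH.get(line.sku)
        if paid_sku is not None:
            # Removing the paid item from the basket removes the discount with it.
            free_units = min(line.qty, paid_units_left.get(paid_sku, 0))
            paid_units_left[paid_sku] = paid_units_left.get(paid_sku, 0) - free_units
            if free_units < line.qty:
                issues.append(f"{line.sku}: only {free_units} of {line.qty} units qualify for the promo")
        total += unit * (line.qty - free_units)

    # A sale that sums to zero is not shipped automatically; a human looks first.
    hold = total == 0
    if hold:
        issues.append("zero total on a sale order; held for manual review")
    return PricedOrder(total, hold, issues)


def quote(items, order_type="sale", rma_ref=None) -> PricedOrder:
    """Build an Order from (sku, qty, client_price_as_str_or_None) tuples and price it."""
    lines = [Line(sku, qty, None if p is None else Decimal(p)) for sku, qty, p in items]
    return price_order(Order(lines, order_type, rma_ref))


if __name__ == "__main__":
    # The basket trick from the thread: keep the free item, drop the paid one.
    print(quote([("BIT-SET", 1, "0")]))
    # A client that claims the TV costs ten cents.
    print(quote([("TV-55", 1, "0.10")]))
```

      The design point is that the cart stored in the browser, or even in the session, is treated as a list of SKUs and quantities and nothing more; every amount is recomputed from the catalog at checkout, promo eligibility is re-derived from what is actually in the order, and the one path that legitimately ships for free needs a reference that a separate process created. The zero-total hold is the last line of defence for the case houghi describes, where a data error or an unforeseen rule interaction prices a sale at nothing.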
    27. Re:Where are the security trolls? by jabuzz · · Score: 2

      I should have said that it is common practice in the UK to pounce on these sorts of web site and even in-store pricing mistakes. There are even web sites that are dedicated to carrying them with hotukdeals being the most well known.

      Right now hotdealsuk is showing up to 90% off for some watches at Amazon, and a Panasonic sound bar that is 100GBP off (200GBP normal price) when bought with any TV, with the cheapest model that works with the deal being 99GBP.

      So clearly deep discounting is not unheard of, and under what legal principle am I prohibited from flogging the unwanted TV off if I get the soundbar?

    28. Re:Where are the security trolls? by K.+S.+Kyosuke · · Score: 2

      Exactly. I f they stumbled onto a "great deal" once and bought it I would say they shouldn't be charged with a crime. However, find over 250k$ of "good deals" (as their lawyer claims) crosses the line into criminal, IMHO.

      In the Land of Affluenza, anything seems to be possible. Some call it "the land of unlimited possibilities" after all...

      --
      Ezekiel 23:20
    29. Re:Where are the security trolls? by AmiMoJo · · Score: 2

      In the UK it could be argued that the seller "accepted" the sale. In a physical shop, if you see an item mis-priced you can't just take it to the sales counter, slap down the cash and walk out. The shop has to agree the sale with you, typically by putting it through the till and producing a receipt.

      Years ago, in the early 2000s I think, some supermarket sold TVs for £0.10 instead of £1000 on their web site. They argued that even though the web site had taken the order, they had not accepted and shipped it. In the end they prevailed and no-one got their 10p televisions.

      In the bank example, if you spent the money the bank wouldn't be able to reclaim it. This has happened to people with things like house purchases. The bank isn't going to create a debt by making the receiving account go negative, for two reasons. First, that debt would be the bank's in reality. If it was theft they might never recover the cash and be left in the hole for potentially millions. Secondly, if it was a genuine mistake that person might have spent money they thought they legitimately had, and the general principle in law is that you should not lose out (with fees etc.) when it is someone else's mistake.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    30. Re:Where are the security trolls? by Ichijo · · Score: 2

      What would jailing the couple accomplish? Do you think society needs to be protected from them because they might find and exploit another vulnerability?

      What not jailing them would do is send a powerful message to Lowe's and all other companies that they need to stop shifting their costs onto taxpayers and start hiring better people instead of outsourcing at every opportunity.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  2. Some deals can be too good and too real... by __aaclcg7560 · · Score: 3, Interesting

    Many years ago I bought my current desk from the OfficeMax store for $55. Several months later I got an OfficeMax coupon for $50 off ANY desk with no other restrictions listed. So I went back to the store, pulled the desk off the shelf, and presented the coupon to the cashier clerk. The register refused to accept the coupon. When the manager came over, I pointed out the word "ANY" on the coupon, and he overrode the register. I got a $55 desk for $5 plus tax. Later on I got another $50 coupon without the word "ANY" and restricted to $500+ desks.

    1. Re:Some deals can be too good and too real... by dunkindave · · Score: 2

      About 15 years ago when I moved and signed up with Comcast for a cable modem (they were the only high speed choice there - too far for DSL), the lady tried to upsell me by adding a TV package. She said if I bundled the two I would get a $15 discount, and mentioned various TV packages from $40 to over $100. I asked if there was anything cheaper since I had heard about a basic "must carry" level, and she admitted it existed and was $8. I confirmed with her that by signing up for an $8 basic TV package, I would get a $15 discount off the pair, and she said yes. So by letting TV signals enter my house (no TV attached though), I paid $7 less than just getting Internet. Sadly, about three years later the price increases and new FCC taxes for cable TV made the TV portion more expensive than the discount so I dropped it. I still have a grandfathered plan though that gives me 100Mbps at half the cost of my neighbors.

  3. class warfare by PopeRatzo · · Score: 5, Insightful

    When a consumer exploits a bug in the system, they get arrested. When a corporation or rich person exploits a bug in the system, it's called, "smart tax planning".

    --
    You are welcome on my lawn.
  4. Re:Victoria's Secret? At Lowes? by PopeRatzo · · Score: 2

    How in the hell did they buy Victoria's Secret items from Lowes? Asking for a friend...

    The Victoria's Secret branded tool apron is hot as hell. And who knows what the Victoria's Secret impact drill is actually used for? If you catch my drift.

    --
    You are welcome on my lawn.
  5. Re:Odd variety by ClickOnThis · · Score: 2

    "Below is a list of the most expensive items found at the couple's home:
    Approximately $2,500 Victoria Secret Underwear"

    Lowes sells Victoria Secret underwear?

    Imagine it was Home Depot instead. "You can do it. We can help."

    --
    If it weren't for deadlines, nothing would be late.
  6. Impact drill by fyngyrz · · Score: 3, Funny

    No one's going to catch that bit of drift unless you provide serious amounts of lube.

    So, assuming you get that handled, what time do you want to come over?

    --
    I've fallen off your lawn, and I can't get up.
  7. Wells Fargo by Herkum01 · · Score: 4, Insightful

    Did Lowe's contact them, submit a ticket complaining about the problem? Unless they spent 3 hours waiting on the phone, I think they jumped the gun calling the police.

    Sounds ridiculous? Well that is what Wells Fargo was doing to its customers and it was called an accounting error. Try calling the police on Wells Fargo when they are making up bank accounts in your name, or forcing you to buy un-requested car insurance.

  8. Zero customer service + deals managed by computers by Kris_J · · Score: 2

    When there are no customer service agents to assist, and the answer is always "what does the website say?", this is the risk you run. At what point does it become a customer's responsibility to sanity-check a massive corporation's self-service portal? I say at no point. If your system stacks multiple discounts and you don't have rock-solid rules and checks, and I find a way to reduce the price to zero, then I assume that *is* a really good deal I've found. This is extreme couponing, not hacking. If an instant cash-back offer is more than the sale price, am I stealing? I think not.

  9. It's the Jury. by Marc_Hawke · · Score: 4, Interesting

    You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials. Specifically it's supposed to be your 'peers.'

    The question is asked, "Do you think this person is guilty of stealing from this company?"
    The judge says, "This is what the law is and what it says."
    The lawyers say, "this is what the defendant did or didn't do."
    Then it's up to the Jury to decide if what the defendant did or didn't do counts as breaking the law.

    Sometimes it's cut and dried...but if it was always black and white like that we wouldn't need juries. Juries are specifically for cases like this where the people say, "Yes, I ordered all that stuff, but I didn't think it was breaking the law." The people on the jury say, "You know...I probably wouldn't have known it was against the law either." or they say, "Don't be an idiot. That's obviously against the law." That's why they are supposed to be 'peers.' People who 'generally' think the way you do.

    Another example of 'great jury fodder' is self-defense. "I would have done the exact same thing in the situation."

    --
    --Welcome to the Realm of the Hawke--
    1. Re:It's the Jury. by dryeo · · Score: 2

      The Judge usually, at least around here, gets the first chance to throw the case out. The defendant also has a choice of whether to have a jury trial or bench trial.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  10. Re:"approximately $12,971.23 worth of merchandise" by Dog-Cow · · Score: 2

    Approximation refers to accuracy, not precision.

  11. Jury trials are the last defence against bad law by Bruce66423 · · Score: 5, Interesting

    There are a number of occasions in England where a jury's refusal to convict whistleblowers for releasing embarrassing state 'secrets' has done a lot to rein in the government. Yes, you pay a price in terms of some real crimes being unprosecutable as well - receiving stolen goods for example - but overall I think the price is worth paying.

    So does your definition of 'civilised' equal 'authoritarian'?

  12. We Don't Have Jury Trials by SeattleLawGuy · · Score: 2

    You said 'Court' but I want to point out, it's not for the judge to decide, it's for the Jury. This is why we have Jury trials.

    Jury trials happen in a tiny percentage of cases. Insisting on a jury trial means you're willing to risk years (or perhaps decades) of your life for the chance that the jury will agree with you. People generally only do that if they're looking at VERY serious time. VERY occasionally you run into someone who refuses to settle because they're innocent, and are willing to roll the dice a jury will believe them. And then they go to jail for longer than if they had been guilty.

    --
    Real lawyers write in C++