USA Today has a story about a New Jersey couple who allegedly used a glitch in Lowe's website to steal merchandise.
A New Jersey couple used a website glitch to try and get more than $258,000 worth of goods — everything from a gazebo to an air conditioner to a stainless steel grill — for free from a home improvement store, authorities said.
Ultimately, the couple was only able to secure nearly $13,000 worth of merchandise from Lowe's after exploiting "weaknesses" in the company's website to have the items shipped to their home in Brick for free, according to a release from the Ocean County Prosecutor's Office.
Romela Velazquez, 24, was arrested and charged with theft by deception and computer criminal activity for accessing a computer system with the purpose to defraud. She attempted to get about $258,068 worth of unpaid merchandise from Lowe's, according to the release.
She actually received about $12,971 in stolen products, according to the release.
Her husband, Kimy Velazquez, 40, was charged with third-degree receipt of stolen property and fencing for his role in the alleged scheme.
The couple tried to sell some of the products on a local Facebook "buy and sell" group for half of the original sale price, listing the products as "new in box," authorities said.
According to an article on NJ.com, an attorney for the couple has stated that Velazquez is just an expert shopper, not a criminal hacker.
Jef Henninger, an attorney for Romela Velazquez, said his client is "the farthest thing from a computer hacker."
"Like many young mothers, she needs to stretch every dollar she can," Henninger said in a statement. "As a result, she has learned to spot good deals. These are the same deals that any of us can take advantage of, but most of us are too busy to learn how to spot them.
"Buying things at a big discount and selling them is not illegal. As a result, she maintains her innocence (and) looks forward to her day in court."
As far as I have been able to find, no technical details about the hack have been released.
One of the more interesting details that I did see was:
Lowe's, makers of Ugg shoes and Victoria's Secret have been identified as victims so far – but many more retailers were also ripped off and will eventually be identified, officials said.
Who knew?
Additional coverage at the New York Post and BleepingComputer.
(Score: 1) by pTamok on Tuesday August 22 2017, @09:59AM (4 children)
I guess it will depend on the details.
There's a concept of reasonable expectations. I don't think, for example, specially crafted http requests, edited cookies, or exploiting lack of input validation would be regarded as legitimate shopping. Give-aways would normally be well signposted.
To use a real-world analogy: if Lowe's left their doors accidentally unlocked over a holiday period, and people went in and helped themselves to whatever was on the shelves, would that be stealing? Exploiting someone else's mistakes for personal gain is, if nothing else, shady practice. Some people regard exploiting marks as entirely legitimate. I don't.
(Score: 2) by aclarke on Tuesday August 22 2017, @11:46AM (3 children)
If Lowe's left their doors open and I walked in, I'd call that stealing.
If I was given a coupon that said "100% off lawnmower" and I went in and got a free lawnmower, I'd do that in a heartbeat. That's their problem, not mine, and I am not going to judge their intent. Perhaps they have a reason why they're considering that a loss leader in some way. Companies do weird things sometimes.
If Lowe's printed a "50% off lawn ornaments" coupon and I used it for "100% off lawnmower", I'd consider that immoral. I wouldn't do it, in the same way that if I discovered I was given too much change back, I'd let the cashier know.
I don't know what the law says, but to me those are the ethical lines.
(Score: 2) by Fnord666 on Tuesday August 22 2017, @01:47PM
Now to make this a closer analogy, let's say you use Photoshop to create your own coupon and you happen to find an employee willing to honor it. The intent is now much more clear.
(Score: 2) by VLM on Tuesday August 22 2017, @08:09PM (1 child)
My guess based on some client interaction and working retail decades ago is the company refund / deal codes are pants on head retarded.
Customer service is supposed to be able to deduct $100, $200, whatever from an order to pay back a legit customer for a problem. Oh you ordered $5000 of lumber for your deck and two pieces are unserviceable sry sir have code WTF501234 which entitles you to $50 off on your next order. And the next call for $50 off is WTF501235, you get the idea. Take a guess how much the refund is for code WTF256789, why that's $25 off serial number 6789
Now someone out there can order a pallet of driveway salt online and take a wild ass guess that code WTF001500 is pre-loaded for $50 off.
Obviously this is WAY more fun for applying 100 refund cards on one order, or refund codes worth $2500 not $50. But it's the same general idea.
Some coupon codes are just dumb encodings, not exactly a SHA256 hash. Taking a very recent example, so you can get 10% off at Papa Murphy's pizza using tmobile10 and some rocket surgeon out there posts that tmobile50 takes ... 50% off your pizza. There's whole subreddits devoted to this kind of code trading.
(Score: 2) by FakeBeldin on Wednesday August 23 2017, @01:24PM
True, though I have yet to see a "coupon" for a 100% discount. And even if I did, to me there's a huge distinction between "I was given code DISCOUNT10, let's try DISCOUNT25" and "I have code DISCOUNT10, let's try DISCOUNT100".
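The weakness VLM and FakeBeldin discuss above, a code whose discount can be read or guessed from its text, set beside a server-side design that removes it. This is an added example, not code from the thread or from any retailer: the `WTF` layout is taken from VLM's comment, while `CouponStore`, its methods and the lockout threshold are hypothetical.

```python
import secrets


def weak_redeem(code):
    """Weak scheme from the comment: 'WTF' + 2-digit dollar value + 4-digit serial.

    The discount is parsed out of the code itself, so the server honours any
    well-formed string whether or not customer service ever issued it.
    """
    if len(code) != 9 or not code.startswith("WTF") or not code[3:].isdigit():
        return 0
    return int(code[3:5])


class CouponStore:
    """Hardened design (hypothetical): the code is an opaque random token.

    Value, owner and used-state live only in the server-side record; invalid
    attempts are counted per account and lock further redemption.
    """

    MAX_FAILURES = 5  # assumed threshold; tune to real traffic

    def __init__(self):
        self._coupons = {}   # token -> {"value", "account", "used"}
        self._failures = {}  # account -> number of rejected attempts

    def issue(self, account, value):
        token = secrets.token_urlsafe(12)  # 96 random bits, nothing encoded
        self._coupons[token] = {"value": value, "account": account, "used": False}
        return token

    def redeem(self, account, token):
        if self._failures.get(account, 0) >= self.MAX_FAILURES:
            return 0  # locked out; a real system would also raise an alert
        record = self._coupons.get(token)
        if record is None or record["account"] != account or record["used"]:
            self._failures[account] = self._failures.get(account, 0) + 1
            return 0
        record["used"] = True  # single use
        return record["value"]
```
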