This is page 2 of:
Nordstrom IT Lapse Fueled $1.5 Million Fraud
Nordstrom won’t say exactly when its fraud-detection systems finally noticed that it had paid out more than $1 million in commissions for sales (that would be half for the Chius and the other half for FatWallet) that were never completed. Eventually, the retailer spotted the situation, closed the loophole and notified authorities. Prosecutors seized more than $970,000 from the brothers’ investment accounts, including IRAs. They’re now waiting for a court date.
Nordstrom also wouldn’t divulge details of the brothers’ original suspicious behavior. It’s a good bet they didn’t try that “my package never arrived” routine to the tune of $650,000, though. In fact, it was probably letting their sure-to-be-rejected purchases run into the tens of millions that eventually did the brothers in.
And because neither FatWallet nor Nordstrom was watching for that sort of glitch—the Chius’ orders were correctly blocked, FatWallet got paid its commission—everything looked on the surface as if there wasn’t a problem.
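The gap described above is that commissions were paid on orders that were placed but never completed, and neither side reconciled the two ledgers. As an added illustration (not code from the article, Nordstrom or FatWallet), the following Python reconciles an order ledger against a commission ledger: it flags every commission whose order never reached a completed state, and it surfaces affiliates or customers whose non-completed order volume is out of proportion. The order and commission records, affiliate and customer names, and status values are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    affiliate: str
    customer: str
    amount: float
    status: str  # constructed vocabulary: "completed", "rejected", "cancelled", "returned"


@dataclass(frozen=True)
class Commission:
    order_id: str
    affiliate: str
    amount: float


# Only a sale that actually closed should earn an affiliate anything.
PAYABLE_STATUSES = frozenset({"completed"})


def unearned_commissions(orders: List[Order],
                         commissions: List[Commission]) -> List[Tuple[Commission, str]]:
    """Return (commission, order_status) for every payout whose order did not complete.

    A commission that references no known order is reported with status "unknown".
    """
    status_by_id: Dict[str, str] = {o.order_id: o.status for o in orders}
    return [(c, status_by_id.get(c.order_id, "unknown"))
            for c in commissions
            if status_by_id.get(c.order_id) not in PAYABLE_STATUSES]


def rejection_stats(orders: List[Order],
                    key: Callable[[Order], str]) -> Dict[str, Tuple[int, int, float]]:
    """Group orders by key (affiliate, customer, ...) and count the ones that never completed.

    Returns key -> (non_completed_count, total_count, non_completed_amount).
    """
    stats = defaultdict(lambda: [0, 0, 0.0])
    for o in orders:
        k = key(o)
        stats[k][1] += 1
        if o.status not in PAYABLE_STATUSES:
            stats[k][0] += 1
            stats[k][2] += o.amount
    return {k: (v[0], v[1], v[2]) for k, v in stats.items()}


def flag_high_rejection(orders: List[Order], key: Callable[[Order], str],
                        min_orders: int = 5, max_ratio: float = 0.5):
    """Return sorted (key, non_completed, total, non_completed_amount) above the thresholds."""
    flagged = []
    for k, (rej, total, amt) in rejection_stats(orders, key).items():
        if total >= min_orders and rej / total > max_ratio:
            flagged.append((k, rej, total, round(amt, 2)))
    return sorted(flagged)


# Constructed sample ledgers: one affiliate whose referred customer places large
# orders that are rejected, and one affiliate whose referrals all complete.
SAMPLE_ORDERS = [
    Order("o1", "aff-cashback", "cust-A", 2000.0, "rejected"),
    Order("o2", "aff-cashback", "cust-A", 2000.0, "rejected"),
    Order("o3", "aff-cashback", "cust-A", 2000.0, "rejected"),
    Order("o4", "aff-cashback", "cust-A", 2000.0, "rejected"),
    Order("o5", "aff-cashback", "cust-A", 2000.0, "rejected"),
    Order("o6", "aff-cashback", "cust-A", 150.0, "completed"),
    Order("o7", "aff-honest", "cust-B", 100.0, "completed"),
    Order("o8", "aff-honest", "cust-B", 100.0, "completed"),
    Order("o9", "aff-honest", "cust-B", 100.0, "completed"),
    Order("o10", "aff-honest", "cust-B", 100.0, "completed"),
]

# Commission ledger that paid 5% on placement, before the order outcome was known,
# plus one stray entry for an order id that does not exist at all.
SAMPLE_COMMISSIONS = [Commission(o.order_id, o.affiliate, o.amount * 0.05)
                      for o in SAMPLE_ORDERS]
SAMPLE_COMMISSIONS.append(Commission("o99", "aff-cashback", 10.0))


if __name__ == "__main__":
    for c, status in unearned_commissions(SAMPLE_ORDERS, SAMPLE_COMMISSIONS):
        print(f"unearned: {c.affiliate} paid {c.amount:.2f} on {c.order_id} (status={status})")
    print("by affiliate:", flag_high_rejection(SAMPLE_ORDERS, lambda o: o.affiliate))
    print("by customer: ", flag_high_rejection(SAMPLE_ORDERS, lambda o: o.customer))
```

Paying only from the completed-order ledger removes the incentive in the first place; the ratio check is the fallback that would have surfaced the pattern even when each individual rejection looked routine.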
Unfortunately, that type of interaction isn’t just limited to Nordstrom and FatWallet, or even to retailer-affiliate chains. Last year, three researchers tested single sign-on (SSO) systems from Google, PayPal, Facebook and others. The way they’re supposed to work is that, for example, a customer can sign into Sears.com using his Facebook account.
All of the SSO systems were theoretically secure. But the researchers (two from Indiana University, one from Microsoft Research) found ways to steal credentials from each of the systems they tested. (They reported the security holes, and all have since been fixed.)
The biggest source of problems, according to the researchers, was the places where a retailer or other Web site was trying to interface with an SSO system. No one had rigorously tested those interfaces for security. The researchers couldn’t see the Sears or Facebook code and could only observe the packets that went in and out of their own browsers, yet even from that vantage point it was clear to them that each connection had been set up to get it working, not to make it secure.
In a much less rigorous and far less academic way, that’s pretty much what the Chiu brothers discovered, too.
The Internet makes stitching together an E-Commerce chain look very easy. Getting that chain of players working together takes a little work. But once it’s connected, there’s a strong temptation to declare victory and start doing business. That may even work, as long as there aren’t any grifters around.
And how likely is that?