A woman has pleaded guilty to fleecing the QVC home-shopping network of more than $412,000 by exploiting a gaping hole in its website that allowed her to receive merchandise without paying for it. Quantina Moore-Perry ordered handbags, jewelry and electronics and then immediately canceled the transactions. The flaw allowed …
I think QVC should pay her for discovering the ecommerce exploit
That is a pretty major fault in the billing system there and she has done them a favour highlighting that by performing rigorous stress testing of their system.
It must have taken her hours of strict testing to thrash out this flaw and document it so that she could bring it to their attention.
Unfortunately, the QVC system also had another huge flaw in that it didn’t appear to tie up sales with payments or lack of and it took other individuals to highlight this to them.
Love the fact she also recycled the packaging to help the environment!
...where the illegality in this lies? OK, it's obviously not 'right', but what specifically is the crime? If all she did was order and then cancel, it's kind of QVC's problem that they sent the item anyway.
If I order something from Amazon, and they ship it, and then randomly start sending me other stuff, I'm not obligated to pay for it. If I paint a painting, then ship it to some random dude, can I get him nailed for grand theft if he doesn't send it back?
Unless she actually compromised their systems, or undertook direct action to prevent the scheme from failing, I'm not sure where the literal illegality is. It's not fraud - it's QVC screwing up. Suppose QVC accidentally ships me a 500 pound thing - am I obligated to pay to send it back? I'd sure as hell hope not. If they send me five hundred of them, am I obligated then? Do I have some obligation to tell them, "Hey, idiots, you're sending me stuff I didn't order"?
Is 'wire fraud' a catch-all for 'anything we don't like'?
Where the illegality lies..
.. is she did it intentionally. If you received, say, one shopping basket of items having canceled your order - and decided to keep them, you could excuse it on premise that it was their mistake not yours. An accident of circumstances rather than a premeditated attempt to steal. You know what you did was wrong, but you could consider this on the same level as receiving the wrong size bank note in change at the checkout.
Using that example, if realising there was an exploit you could manipulate, you then decided to go back to the store over and over again - each time receiving say 20 pounds in change having paid with a fiver - you would have to agree you were deliberately stealing from that store.
The first time was a mistake - you didn't mean to do it, and it's pretty much your decision to come clean and return the money or say "tough titty mate, you made an error and I'm keeping the money".
The next time you are deliberately stealing, and what's worse for her, is the manner in which she committed the theft. Stealing via the internet puts her into a whole new level of theft - wire fraud. This could have gone really, really badly in terms of sentencing, so she did the right thing in giving up everything she made.
@ David Wiernicki
I think the issue is: If the woman FOUND a flaw in the QVC system - maybe she originally ordered something, decided to cancel and then found it was delivered anyways - then the issue is that she CONTINUED to use this scheme to defraud QVC of other items - as she clearly didn't want to pay for the goods, when she found out that she wasn't being charged....
It's not as if QVC were just sending her goods "willy-nilly" - she obviously was selecting the items she wanted...and getting them for free :-)
Of course, QVC should now have tightened this loophole to prevent anyone else trying it...and in a way, QVC are obliged to the woman for finding the "fault".
In this case "if it looks too good to be true.....don't worry......you won't have to pay for it...!"
The problem is intent. If you did it once or twice you could go "whoops" but by continuing to do it she showed an intent to get free merchandise. If all were an accident then she would be fine. Unfortunately for her she did it to exploit.
Is it "hacking"? Is it "fraud"?
First of all, I'd say that this is one of those cases where I would get paid big bucks to find a flaw like this. But not $412,000! I can only wish that I could bill like that. Even my lawyer can't bill like that! But this isn't so much "hacking" as it is "gaming the system". Or scamming.
Is it fraud? Well, she did know what she was doing. If it happens once, I might say oops, my bad. If it happens thirteen or fourteen times, it's more likely that I know what I'm doing. Had she taken the effort to contact QVC, then she might look "innocent" to me.
If some not too bright (based on her selling the bits on scambay) woman did them for $400k how much more did they get done for by the ones they didn't catch yet.
A flaw like that must have been 'discovered' by loads of other people.
Similar problem with Domino's
I found something similar with the Domino's website a few years ago (2004?) when I was still at uni.
You made an order big enough to qualify for something free, then next time you logged in it gave you the option to order the same stuff again - which you could click on multiple times before the next page loaded. Having done this you could remove all of the paid items, leaving just multiple free ones (plus one paid one to make the order look more reasonable).
Good whilst it lasted, but they cottoned on after a few months - not before my poor, starving, uni mates and myself had abused it rotten of course ;)
Goes to show that testing is an important step whose importance is often missed in large corporate projects run by people who are not as committed as they should be.
Not so much an accident
I think there is a distinct element of this case that stands out.
Yes, the woman has stumbled across a flaw in the QVC system and managed to receive free goods, I'm sure initially by accident. You could go as far as saying a few times would be an error on QVC's part. However, managing to receive over 1800 items clearly shows she was well aware of the exploit and was using it to gain free items. This falls into the 'premeditated' theft scenario.
Furthermore, she has then used these items to sell on ebay to make subsequent profit, indicating that she has deliberately ordered them knowing she will receive the items for free and can then sell these on ebay to make profit as a direct result of exploiting QVC.
As for leaving the QVC packaging on the item intact, well that's just asking for trouble!
It does make me wonder how many other people have found and exploited this flaw if this woman was able to notch up $412,000 worth of goods without QVC even being aware! I wonder what time period that was over as well??
Did QVC try to bill her?
It's very curious how this thing is wire fraud? Did QVC try to bill her?
And, what is customers' obligation if QVC sent items which were cancelled? Amazon once sent me a wrong item (worth $7.99), I emailed them (they said they will email a return label, but they didn't); I called them (they said they will email a return label, but they didn't); they wanted the stuff back, but they never emailed me a return label. It's more than one year, the item is still in my garage, what should I do?
Re: Did QVC try to bill her?
In the UK if a company (i.e. mail order) sends you goods that you didn't request, if you keep the items for 6 months then legally they are yours (I believe that you must not attempt to sell, use or damage the items during this time). Alternatively if you inform the company of the mistake then they have a much reduced time (1 month, I think) during which they must arrange for the return of the items (at their expense) or the items become your property.
That's as I remember it, of course our beloved dictators have heaped so many laws and changes to existing law in the last 12 years that nobody really knows for sure any longer. Jobs for the boys (lawyers) anyone?
We had a similar case with an insurance company. They were supposed to collect the goods which had been damaged but didn't, we called a number of times and they still failed to pick up the items (they were serviceable just needed someone to do it).
In the end we wrote to them, outlined our case and gave the legal 28 days notice. After 28 days they hadn't collected the items so we sold them as we stated we would do in our letter to them.
By allowing them notice to collect at their cost you are providing a legal framework which shows that you have made an effort to return the items.
Alternatively you could always keep them....
@David - unsolicited goods
Given your use of $ one assumes you are not in the EU. However, here, after 90(60?) days you can dispose (i.e., including keep or sell) of the goods because they were not solicited and you've invited Amazon to take them back.
in response to david
" If I paint a painting, then ship it to some random dude, can I get him nailed for grand theft if he doesn't send it back?"
In the UK at least, this is called inertial selling and is in itself, illegal
@David re:Amazon return
Dates given below might be out by a dayish, I'm relying on my bad memory
A few years ago about Xmas time I ordered a few items (for presents) through Amazon UK, with a delivery due date of something like the 19th Dec, when they hadn't arrived by the end of the 20th I emailed them, I got a very pleasant reply saying sorry, they are out for delivery, it's probably just delayed due to Christmas.
On the morning of the 22nd (quite late morning) I emailed them again, stating that they were presents, and got a very quick reply saying something along the lines of "oops sorry, we said they'd be there in time, here have your money back, and go get them in the shops, if they arrive, don't worry about it, if they don't you haven't really lost out". They arrived about an hour after I got the refund email.
That made me think Amazon's customer service is brilliant.
Like in a shop...
If you go in to a shop, buy something by cheque and then cancel the cheque it's fraud (And is done by people, which is why so few shops now take cheques)
You should go and give yourself up at your local police station immediately.
The ironic thing is you can't even warn the retailer
Back in 1999 a major highstreet operation sent me a whopping five-quid voucher after I notified them of a similar although less spectacular hole in their flagship "e-commerce" application. Fast-forward though to 2007 and I doubt if I would do the same thing again, not in these dark times when you can get had up for tiddly stuff like changing parameters in a URI. Notifying the merchant would probably get "so you admit hacking our website" accusation in return.
not sure of the law in USA but here in UK if you wanted some fun;
1) email them again giving them a last chance advising you will look to recover your costs, including your standard administration fee for returns (look up their own fee & use that value)
2) next you could send them a bill for storage / insurance etc. - something modest say $0.10 per day - plus the admin fee
3) then when they don't pay your bill issue a 'small claims court' proceedings - for bill plus a charge for your standard 'administration charge' and the court fees
4) when they contact you to ask for a return, you (of course) can't discuss "matters that are subject of court proceedings"
5) . . .
sound far fetched? . . . well think, isn't this how most of these sort of businesses treat us - their customers?
Doesn't say much for QVC...
if they failed to notice they had shipped nearly half a million dollars worth of goods without getting paid!
Don't tell Amazon, then ebay it to yourself so either you or your partner wins it. Then when the authorities come knocking (because Amazon and large companies don't care until they think they could have made more money) and demanding the money, give them the item back :o) And demand a refund for your ebay listing. Get a nice shiny cheque for 50p and frame it!
QVC in 2001
Damn it! I had this happen with a TV I purchased from QVC in 2001. They telephoned to tell me it was out of stock and not coming back in so the order would be cancelled. I received a refund to my account then 2 weeks later the TV arrived, along with another refund.
I had assumed it was a cockup on their part and returned their refund but kept the TV (they never contacted me to ask why I sent their refund back)
If I had known their billing systems were this shoddy I could have exploited them for 6 years! Alas for missed opportunities!
Whether QVC billed her is not the point
There's a general principle in law almost everywhere in the civilized world that if you intend to defraud someone/commit a fraud/do something that is obviously against the spirit of the law, then you can be charged and condemned even if the letter of the law is respected.
Seeing a blind person without a cane, and opening a sewer hole in the ground 100 meters before her is nothing illegal per se, you just opened a hole in the ground.
You'll still end up in prison for years, as in practice that's murder, though you didn't touch the person.
"Oh, but I don't see why he went to jail. Did he do anything to the person? Was it his fault that the person went out without a cane?"
That's very general: and that's fortunate cos' otherwise it would soon be chaos, since it's always very easy to do something respecting the letter of the law that is completely and obviously wrong.
And that's also why laws are quite generic and state such things as "Anyone who willingly causes harm to someone is obliged to repair it", or whatever depending on the country.
Did the woman willingly cause harm to QVC? Check.
Then she's guilty, final.
That she did so abusing a ludicrous failure of QVC doesn't change it more than abusing the ludicrous failure of a blind person forgetting to take his/her cane when he/she should never ever forget it.
I also take the occasion to note that it's a typically geek way of seeing the law, those comments on "but she only did legal steps one after the other, so that shouldn't be illegal". Come to the real world guys. I like algorithms more than the next guy, but I can still see that the law is fortunately focused on intent and not only on individual steps to achieve that intent.
Sell it on the bahia of diavolo?
(a different david)
you could sue them for ill health from stress of the ordeal...
It's my understanding that if you receive something clearly by mistake then you are obliged to make reasonable efforts to inform the sender so that they can arrange for the return of it. In the same way if you find a wallet/valuable in the street then you should hand it in to the police. If having done this duty and after 6 months the sender/owner hasn't responded/arranged for the return then you can legally claim it.
The law is quite clear about this....
...at least in the UK, and I'd be surprised if it wasn't the same in the US.
If someone sends you something you didn't ask for, you are NOT entitled to keep it just like that. You should contact the sender and ask them to collect it or enable you to send it back at their expense. If you do this, and ensure you've kept records of your request, then - assuming they don't bother to collect it or send you a mailing label - after a certain time limit (I think it's six months) you can keep it.
What you CAN'T do is just keep it and say - hey, it's their mistake. That's theft. Just like if the bank make a transfer into your account by accident, you can't keep it.
Some time ago I ordered some blank minidiscs (so it must have been a fair few years ago) from Amazon, but instead they sent me a digital camera. I emailed them to let them know of the mistake, and they replied ever so apologetically telling me they'd send out my minidiscs right away, and I should get them in the next few days, which I did.
They never even asked for the camera back. :/
I ordered a memory card from an etailer. Then they emailed me to say it was out of stock and would be a few weeks, so I cancelled my order and got a refund.
2 weeks later I received the item from them. Woop.
Of course I informed them of the mistake and returned the item.....
....is surely buying anything from QVC in the first place!?
More Change than you paid
One comment reminded me about when Debenhams (I think) first allowed customers to pay in euros, but the change was only in sterling. So some youth tried it and got more change than he'd paid. He did it again, ending up with a bit more money and the goods before telling Debenhams what was happening. They said nothing was wrong etc, so he did it a few more times. Finally they realised the exchange rates were wrong.
If this woman could prove she tried informing QVC of their mistake(s), then she'd get off, but it looks like she didn't.
What should you do? Simple. Send their head office a letter stating that you have their item available for *collection*. Tell them they are welcome to collect at a time suitable for them, but before you release it you want a reasonable fee for the secure storage you have provided for the item in the meantime. Tell them they have 28 days to take up this offer or you will re-sell the item.
Or, to be blunt.. christ, it's $8. That's what, £4? Just post them bloody 8 dollars!
IANAL, but I am from the US
Here basically it goes like this: you are allowed to keep an item delivered to you if you did not order it. Asking for payment for an unrequested item is a form of mail fraud. This person did order the items, and then canceled the order, so it's a grey area. It's very likely that a judge will side for QVC since she showed intent by doing it multiple times. Now if her neighbor ordered and canceled, had her address listed for delivery, and never told her, QVC would be in trouble, and the neighbor might be too, but QVC could make no claims against the person who accepted the packages.
Generally, you try and pay out only the people who seek to inform you of these drastic problems, not those who try and scam you for all you're worth.
She was up to 412,000, but it's not like she was going to stop from the sounds of it.
Sorry, trying it out a couple times to see if it actually is a flaw is different than purchasing a ton of stuff and hawking it off on ebay.
close... another 7 k$ and this would have officially been a 419 (k) scam
Is it still wire fraud if she did it through WiFi?
I believe the time limit is 28 days in the UK. It's certainly not as long as 6 months. I remember covering this in Modern studies all those years ago.
Why bother writing a post claiming that you know what you're talking about because of a half-remembered course from years ago? You're on the bleedin' internet, google is only a click away.
And the answer is ..... everybody's right! It's six months if you don't say anything to the sender and wait for them to contact you, but it's only thirty days if you notify them and ask that they come and collect the stuff.
Also, as a result of recent amendments to the law designed to prevent inertial selling, if the sender *knows* that the goods are unsolicited and still sent them anyway, you are allowed to keep them immediately and treat them as a free gift. Nice!