Many people are worried about conducting business transactions online. The risk that an attacker intercepts poorly encrypted data in transit, or that a shopper answers a fake email, can be quite high. However, little known to most shoppers, the threats are just as high on the other side of the transaction: the merchant's.
For most online purchases, a complicated dance of data must be exchanged between multiple parties. For example, a consumer site such as www.buy.com must talk to both a checkout system such as PayPal and the user’s browser, and much of that conversation is relayed through the browser, which the shopper controls. Since none of the systems can see the entire picture at one time, the checkout logic between the sites gets pretty complicated pretty fast. And as it turns out, that logic contains many errors that allow users to take advantage of the system.
This fact was recently exploited by a team of researchers from Indiana University and Microsoft Research in Redmond, Wash. Led by informatics doctoral student Rui Wang and associate professor XiaoFeng Wang, the group managed to trick the system in several ways.
First, they demonstrated how they could pay for an item through Amazon Payment while actually depositing the money into their own seller’s account, thus getting the item for free; in other words, the store accepted the cashier’s payment confirmation without checking who the money had actually gone to. They also showed how they could basically name their own price for any item on www.buy.com or www.JR.com. Some of the items they obtained this way included electronics, DVDs, digital journal subscriptions, personal health care items and much more.
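To make that failure concrete, here is an added example, not code from this post or from the researchers’ paper, that models a toy store and cashier in Python. It assumes the cashier signs its payment notification with an HMAC key shared with the store (a stand-in for whatever the real services use), and every account name, order id and amount is constructed for the demo. The weak check accepts any genuinely signed notification that names a known order id, so a shopper who gets the cashier to sign a $25 payment into the shopper’s own seller account walks away with a $499.99 order; the strict check also insists that the payee, the amount and the transaction id all match the order.

```python
import hashlib
import hmac
import json

# Assumption for this toy: the cashier and the store share one HMAC key for
# signing payment notifications. Real cashiers use their own signing schemes.
CASHIER_KEY = b"constructed-demo-key-not-a-real-secret"


def cashier_sign(fields: dict) -> dict:
    """Cashier side: return a payment notification with a MAC over its fields.

    The cashier only sees what the shopper's browser relayed to it, so it can
    honestly sign a payment of any amount to any payee the shopper asked for.
    """
    body = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(CASHIER_KEY, body, hashlib.sha256).hexdigest()
    return {**fields, "sig": mac}


def sig_valid(note: dict) -> bool:
    """Store side: verify the cashier's MAC over every field except 'sig'."""
    fields = {k: v for k, v in note.items() if k != "sig"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(CASHIER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(note.get("sig", ""), expected)


class Store:
    """Toy merchant: knows its own payee account and its pending orders."""

    def __init__(self, account: str):
        self.account = account
        self.orders = {}        # order_id -> {"total_cents": int, "paid": bool}
        self.seen_txns = set()  # cashier transaction ids already credited

    def place_order(self, order_id: str, total_cents: int) -> None:
        self.orders[order_id] = {"total_cents": total_cents, "paid": False}


def complete_order_weak(store: Store, note: dict) -> bool:
    """Flawed logic: a genuine cashier signature on a known order id is enough."""
    if not sig_valid(note):
        return False
    order = store.orders.get(note.get("order_id"))
    if order is None:
        return False
    order["paid"] = True
    return True


def complete_order_strict(store: Store, note: dict) -> bool:
    """Hardened logic: the signed notification must match this order in every field."""
    if not sig_valid(note):
        return False
    order = store.orders.get(note.get("order_id"))
    if order is None or order["paid"]:
        return False
    if note.get("payee") != store.account:                # money went to the store
        return False
    if note.get("amount_cents") != order["total_cents"]:  # shopper did not pick the price
        return False
    if note.get("txn_id") in store.seen_txns:             # one cashier txn, one order
        return False
    store.seen_txns.add(note["txn_id"])
    order["paid"] = True
    return True


def demo() -> dict:
    """Run an honest, a rogue and a tampered notification through both checks."""
    honest = cashier_sign({"txn_id": "t-100", "order_id": "order-1",
                           "payee": "store-acct", "amount_cents": 49999})
    # Constructed attack: the shopper rewrites the browser-relayed checkout so
    # the cashier signs a $25 payment into the shopper's own seller account.
    rogue = cashier_sign({"txn_id": "t-101", "order_id": "order-1",
                          "payee": "shopper-own-acct", "amount_cents": 2500})
    # Edited after signing: the MAC no longer matches, so both checks reject it.
    tampered = dict(honest, amount_cents=1)

    results = {}
    for name, check in (("weak", complete_order_weak), ("strict", complete_order_strict)):
        for label, note in (("honest", honest), ("rogue", rogue), ("tampered", tampered)):
            store = Store("store-acct")
            store.place_order("order-1", 49999)
            results[f"{name}_{label}"] = check(store, note)

    # Replaying the same honest notification must not credit the order twice.
    store = Store("store-acct")
    store.place_order("order-1", 49999)
    complete_order_strict(store, honest)
    results["strict_replay"] = complete_order_strict(store, honest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {'accepted' if value else 'rejected'}")
```

The signature check is the same in both versions; the difference is entirely in what the store bothers to compare against its own record of the order. That is the shape of the bugs described above: the cryptography holds, but the store trusts fields that the shopper, sitting between the store and the cashier, was free to choose.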
At this point, it’d be great to claim that anyone with $25 and an Amazon Payment account can figure out how to receive free merchandise. But that’s not true at all. In reality, anyone with $25, an Amazon Payment account and the technical know-how of the acting director of the IU Center for Security Informatics might be able to find some loopholes.
But not the same ones.
The project was closely monitored by an IU lawyer. Afterwards, the team returned all of their merchandise and helped the service providers close the loopholes that had allowed them to play criminal mastermind.
Damn, just when I was so close to finishing my Ph.D. in informatics…