[Cryptography] Walmart fooled by non-authenticated web pages

Jerry Leichter leichter at lrw.com
Thu Nov 20 22:11:47 EST 2014


On Nov 20, 2014, at 7:46 PM, Henry Baker <hbaker1 at pipeline.com> wrote:

[Walmart scammed into matching the "price" of either fake or erroneous on-line pages.]

It's not as if this is a new possibility.  Stores have long matched prices in newspaper ads - which are also sometimes erroneous, and it's not all that hard to fake a newspaper ad either.  In fact, I recall getting prices matched *entirely on my say-so* of a price someone else gave me.  Stores have considered this an acceptable risk because most people wouldn't bother.

But ... they've also had a simple way of preventing significant fraud.  The cost to the store of the item, and its general price in the market, are both things that are pretty well known to the sellers.  They know what a reasonable markup is, and what a reasonable price is.  If you come in with a newspaper ad offering an item at an "unreasonable" price ... at that point, they'll want proof.  In the case of an erroneous listing, they can generally avoid paying because they can call the other store and ask what it's price is - and they'll get a confirmation that the ad was wrong, and won't match it.

The only unusual thing here is that Walmart apparently believed that someone else was selling a popular, in-demand device for a quarter the going price.  That's highly unlikely.  It's particularly unlikely that anyone would go to a quarter of *Walmart's* price, since they are pretty aggressive on being the low-price supplier.  I would have expected them to check.  (Then again, reports are that Walmart has seriously cut back on store personnel in an effort to keep margins up.  Perhaps the real vulnerability here has nothing to do with the Web and everything to do with not enough people with not enough time to check things properly.)
                                                        -- Jerry




More information about the cryptography mailing list