ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
The Lack of Sanity Checking in Web Shopping Cart Software or "The Story of the 1.1 Cocktail Shakers"
Recently, I was browsing the web site of a large Burlington, NJ-based retailer, and decided to add a cocktail shaker to my shopping cart.
Due to some slightly twitchy fingers resulting from my morning coffee, I accidentally entered the number 1.1 (instead of 1) in the "quantity desired" box, and found myself with a shopping cart containing 1.1 cocktail shakers at $9.99/each, for a grand total of $10.99 plus shipping of $5 (shipping is $5/item, for a total of $5.50 for 1.1 items). At this point curiosity got the best of me, and I decided to check out. To my surprise, the site's shopping cart software never did a sanity check on the data, and simply confirmed my order for 1.1 cocktail shakers, and I also received an email confirmation for "Qty: 1.1." My credit card was charged for $16.49.
Due to the atomic nature of cocktail shakers, it's obvious that at some point something was going to have to give, and this apparently happened in the shipping department: my "Shipping Confirmation Notice" listed the quantity shipped as "1", but confirmed that the total charges were still those for 1.1 shakers ($16.49) instead of the appropriate charges for a single shaker ($14.99). Indeed, as expected, I received a single cocktail shaker in the mail, with a receipt for "Cocktail Shaker, Qty 1", also listing the inappropriate price.
It was relatively easy to square the charges away, but the company's customer service representative had to get a supervisor involved, as they apparently hadn't seen this before.
The RISK is obvious: a lack of sanity checking on input data resulted in a spurious order being sent through the system, with additional lack of double-checking resulting in a discrepancy between what was shipped and what was billed. Months later, the error remains uncorrected, and you can still order fractional items, with the additional risk that a dishonest customer may be able to get a discount by ordering slightly less than a single item and hope for a "roundup" when it gets shipped.
Really, it's too bad, because I was really thinking that my cocktail shaker is a bit small, and could use another 10% of volume. :) That, or perhaps I should buy 0.9 shakers to go with my 1.1 shakers to make a matched pair.
Richard W Kaszeta
[On the other hand, a round-down would be more consistent: Suppose you had ordered .99 shakers. You probably would have been billed for .99 shakers and received none. Shake-ri-la PGN]
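As an added illustration (not code from the post, the retailer or RISKS), the arithmetic the post describes is placed beside two checks that would have caught it: a quantity parser that rejects anything but a whole positive number of items, and a downstream reconciliation that compares the amount charged against the quantity actually shipped. The prices are taken from the post; the per-line limit of 99 and the function names are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP
import re

# Constructed from the post's numbers: $9.99 per shaker, $5 shipping per item.
UNIT_PRICE = Decimal("9.99")
SHIPPING_PER_ITEM = Decimal("5.00")
MAX_QTY = 99  # assumed per-line sanity limit

def _cents(amount: Decimal) -> Decimal:
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def naive_total(qty_text: str) -> Decimal:
    """The behaviour the post describes: whatever number the customer typed
    is multiplied straight through, so "1.1" yields a charge for 1.1 items."""
    qty = Decimal(qty_text)
    return _cents(UNIT_PRICE * qty + SHIPPING_PER_ITEM * qty)

def parse_quantity(qty_text: str) -> int:
    """Sanity check at the input boundary: accept only a plain positive whole
    number of items within a sane limit. "1.1", "1.0", "0", "-2" and "1e3"
    are all rejected rather than silently rounded."""
    text = qty_text.strip()
    if not re.fullmatch(r"[1-9][0-9]*", text):
        raise ValueError(f"quantity must be a whole number of items, got {qty_text!r}")
    qty = int(text)
    if qty > MAX_QTY:
        raise ValueError(f"quantity {qty} exceeds the per-line limit of {MAX_QTY}")
    return qty

def is_valid_quantity(qty_text: str) -> bool:
    try:
        parse_quantity(qty_text)
        return True
    except ValueError:
        return False

def checked_total(qty_text: str) -> Decimal:
    """Charge computed only from a validated integer quantity."""
    qty = parse_quantity(qty_text)
    return _cents((UNIT_PRICE + SHIPPING_PER_ITEM) * qty)

def billing_discrepancy(amount_charged: Decimal, qty_shipped: int) -> Decimal:
    """Second check, downstream of the cart: recompute what the shipped
    quantity should have cost and return the overcharge (positive) or
    undercharge (negative). For the post's order, $16.49 charged against
    one shaker shipped gives a $1.50 overcharge."""
    expected = _cents((UNIT_PRICE + SHIPPING_PER_ITEM) * qty_shipped)
    return _cents(amount_charged - expected)
```

Running the shipping department's quantity through `billing_discrepancy` is the double-check the post says was missing; a non-zero result should block the charge from settling, not just be noted on the receipt.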