ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

Date: Fri, 27 Aug 2004 14:25:19 -0500 From: Richard Kaszeta Subject: Lack of sanity checking in Web shopping cart software

The Lack of Sanity Checking in Web Shopping Cart Software or "The Story of the 1.1 Cocktail Shakers"

Recently, I was browsing the web site of a large Burlington,NJ-based retailer, and decided to add a cocktail shaker to my shopping cart.

Due to some slightly twitchy fingers resulting from my morning coffee, I accidentally entered the number 1.1 (instead of 1) in the "quantity desired" box, and found myself with a shopping cart containing 1.1 cocktail shakers at $9.99/each, for a grand total of $10.99 plus shipping of $5 (shipping is $5/item, for a total of $5.50 for 1.1 items). At this point curiosity got the best of me, and I decided to check out. To my surprise, the site's shopping cart software never did a sanity check on the data, and simply confirmed my order for 1.1 cocktail shakers, and I also received an email confirmation for "Qty: 1.1." My credit card was charged for $16.49.

Due to the atomic nature of cocktail shakers, it's obvious that at some point something was going to have to give, and this apparently happened in the shipping department: my "Shipping Confirmation Notice" listed the quantity shipped as "1", but confirmed that the total charges were still those for 1.1 shakers ($16.49) instead of the appropriate charges for a single shaker ($14.99). Indeed, as expected, I received a single cocktail shaker in the mail, with a receipt for "Cocktail Shaker, Qty 1", also listing the inappropriate price.

It was relatively easy to square the charges away, but the company's customer service representative had to get a supervisor involved, as they apparently hadn't seen this before.

The RISK is obvious: a lack of sanity checking on input data resulted in a spurious order being sent through the system, with additional lack of double-checking resulting in a discrepancy between what was shipped and what was billed. Months later, the error remains uncorrected, and you can still order fractional items, with the additional risk that a dishonest customer may be able to get a discount by ordering slightly less than a single item and hope for a "roundup" when it gets shipped.

Really, it's too bad, because I was really thinking that my cocktail shaker is a bit small, and could use another 10% of volume. :) That, or perhaps I should buy 0.9 shakers to go with my 1.1 shakers to make a matched pair.

Richard W Kaszeta

[On the other hand, a round-down would be more consistent: Suppose you had ordered .99 shakers. You probably would have been billed for .99 shakers and received none. Shake-ri-la PGN]
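The two failures described above, a quantity field that accepts "1.1" and a shipping step that never reconciles what it ships against what was billed, are easy to demonstrate in code. The following is an added example, not code from the retailer or from the RISKS contributor: the function names, the 999-per-line cap and the choice of Python are assumptions; the $9.99 unit price, $5/item shipping and the 1.1 / 0.9 / 0.99 quantities are the figures from the post. It shows the permissive parse beside a strict one that accepts only whole numbers in range, the cent-rounded pricing that produces the $16.49 charge, and the shipped-vs-billed check the shipping department could have run before the parcel went out.

```python
"""Quantity validation and shipped-vs-billed reconciliation for a web cart.

Added example; not the retailer's or the poster's code. Prices and
quantities come from the RISKS post; MAX_QTY and all names are assumed.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

UNIT_PRICE = Decimal("9.99")        # from the post
SHIPPING_PER_ITEM = Decimal("5.00") # from the post: $5/item, prorated
MAX_QTY = 999                       # assumed per-line business cap
CENT = Decimal("0.01")

# ASCII digits only; "\d" would also admit Unicode digits that int() rejects.
_QTY_RE = re.compile(r"[0-9]+")


def parse_quantity_loose(raw: str) -> float:
    """The behaviour the post describes: the form value is used as-is,
    so '1.1' becomes 1.1 shakers and '0.9' becomes 0.9."""
    return float(raw)


def parse_quantity_strict(raw: str) -> int:
    """Accept only a plain whole number in [1, MAX_QTY].

    Rejects decimals, signs, exponents ('1e1'), whitespace, empty strings
    and non-string input; range-checks so '0' and '99999' fail too.
    """
    if not isinstance(raw, str) or _QTY_RE.fullmatch(raw) is None:
        raise ValueError(f"quantity must be a whole number: {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"quantity out of range 1..{MAX_QTY}: {qty}")
    return qty


def price_line(qty) -> tuple:
    """Return (merchandise, shipping, total) for qty units, rounded to cents.

    Decimal avoids binary-float drift; the rounding is what turns
    1.1 * 9.99 = 10.989 into the $10.99 on the post's confirmation.
    """
    q = Decimal(str(qty))
    merch = (UNIT_PRICE * q).quantize(CENT, rounding=ROUND_HALF_UP)
    ship = (SHIPPING_PER_ITEM * q).quantize(CENT, rounding=ROUND_HALF_UP)
    return merch, ship, merch + ship


def reconcile(billed_qty, shipped_qty, charged: Decimal) -> list:
    """Check an order before it leaves the warehouse.

    Returns a list of discrepancy descriptions; an empty list means the
    quantity and the charge both agree with what is actually in the box.
    """
    problems = []
    if billed_qty != shipped_qty:
        problems.append(f"billed qty {billed_qty} != shipped qty {shipped_qty}")
    expected = price_line(shipped_qty)[2]
    if charged != expected:
        problems.append(f"charged {charged} but shipped goods total {expected}")
    return problems


if __name__ == "__main__":
    # The post's order: 1.1 accepted, billed $16.49, one shaker shipped.
    q = parse_quantity_loose("1.1")
    merch, ship, total = price_line(q)
    print(f"loose parse: qty={q} merch={merch} ship={ship} total={total}")
    print("reconcile:", reconcile(q, 1, total))
    # The "roundup discount": order 0.9, hope to receive 1.
    print("0.9 shakers bill:", price_line(parse_quantity_loose("0.9"))[2])
    # PGN's round-down: order 0.99, pay, receive none.
    print("0.99 shakers bill:", price_line(parse_quantity_loose("0.99"))[2])
    # The same inputs against the strict parser.
    for raw in ("1", "1.1", "0.9", "0", "1e1", " 1", ""):
        try:
            print(f"strict {raw!r} ->", parse_quantity_strict(raw))
        except ValueError as e:
            print(f"strict {raw!r} -> rejected: {e}")
```

The strict parser deliberately does not "fix" a fractional value by rounding it: a quantity that is not a whole number is a bad request, and rounding silently would recreate the round-up discount the post warns about. The reconcile step is the second, independent control; even if the form check were bypassed (the browser is not the only client that can POST a quantity), an order whose charge does not match the shipped goods is flagged before it is closed.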