Nordstrom IT Lapse Fueled $1.5 Million Fraud

Nordstrom found itself paying nearly $1.5 million last year in a scam that was ironically made possible because the chain had banned two brothers, and then compounded the problem with what Nordstrom described as "a lapse in communication" with an affiliate.

The retailer's system for blacklisting lost-package fraudsters worked fine. So did its system for sending commissions to affiliates. But no one ever realized that the two systems might someday interact. After all, why would a blacklisted fraudster keep trying to order online, knowing the order would always be blocked? How likely was that? And the thing that made the systems interact was something that Nordstrom's software developers had no control over: the homegrown system that the affiliate site used to handle Nordstrom orders. That's what couldn't be tested until a problem actually showed up.

On March 14, the U.S. Attorney's Office in Seattle charged Allen J. and Andrew S. Chiu with wire fraud after the two ordered $23 million in merchandise from Nordstrom through its affiliate FatWallet. The brothers knew the orders wouldn't go through, because the retailer had already blackballed them. But they also knew they would collect half of FatWallet's 7 percent commission on the orders, due to a communication glitch between Nordstrom and FatWallet.

According to the indictment, the Chius (Allen from Dallas, Andrew from Anaheim) first showed up on Nordstrom's fraud radar in 2008, when the retailer notified both brothers that they could no longer shop online at "because of their excessive claims for refunds purportedly due to lost or undelivered merchandise."

Ironically, it was because Nordstrom blacklisted the brothers that they became eligible for their much bigger fraud.

The pair discovered that their orders were refused whether they tried ordering directly or through FatWallet, an affiliate site that splits its commission with shoppers who buy through the site. But due to what a Nordstrom spokesperson called "a lapse in communication" with FatWallet, when an order was blocked, Nordstrom still paid the commission.

"As a result, no merchandise was ever shipped to Allen Chiu or Andrew Chiu, and none of the credit cards they submitted for the attempted purchases were ever charged," the indictment said.

But "Nordstrom continued to make commission payments to FatWallet, based on those blocked purchases, and FatWallet, in turn, continued to credit Allen Chiu and Andrew Chiu with the cash-back awards based on those blocked purchases," the indictment continued. "Between January 2010 and December 2011, Allen Chiu and Andrew Chiu fraudulently submitted approximately $23 million in purchase orders on, and successfully obtained more than $650,000 in undeserved cash-back payments before their scheme was discovered."

Nordstrom won't say exactly when its fraud-detection systems finally noticed that it had paid out more than $1 million in commissions for sales (that would be half for the Chius and the other half for FatWallet) that were never completed. Eventually, the retailer spotted the situation, closed the loophole and notified authorities. Prosecutors seized more than $970,000 from the brothers' investment accounts, including IRAs. They're now waiting for a court date.

Nordstrom also wouldn't divulge details of the brothers' original suspicious behavior. It's a good bet they didn't try that "my package never arrived" routine to the tune of $650,000, though. In fact, it was probably letting their sure-to-be-rejected purchases run into the tens of millions that eventually did the brothers in.

And because neither FatWallet nor Nordstrom was watching for that sort of glitch—the Chius' orders were correctly blocked, FatWallet got paid its commission—everything looked on the surface as if there wasn't a problem.
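The check that was missing on both sides is a reconciliation of commission payouts against what actually happened to each order. The script below is an added example, not Nordstrom's or FatWallet's code; the record layout, field names and amounts are constructed, and only the 7 percent rate comes from the article.

```python
"""Flag affiliate commissions paid on orders that never shipped or charged.

Added example with constructed data; the event schema is hypothetical.
"""
from collections import defaultdict

COMMISSION_RATE = 0.07  # the 7 percent affiliate rate cited in the article

# Constructed order-pipeline records: what the retailer's own systems know.
ORDER_EVENTS = [
    {"order_id": "A1", "affiliate": "fw", "amount": 1200.00, "status": "shipped", "charged": True},
    {"order_id": "A2", "affiliate": "fw", "amount": 5400.00, "status": "blocked_fraud_list", "charged": False},
    {"order_id": "A3", "affiliate": "fw", "amount": 300.00, "status": "cancelled", "charged": False},
    {"order_id": "A4", "affiliate": "other", "amount": 80.00, "status": "shipped", "charged": True},
]
# Constructed payout ledger: what the affiliate-commission system actually sent.
COMMISSION_PAYOUTS = [
    {"order_id": "A1", "affiliate": "fw", "commission": 84.00},
    {"order_id": "A2", "affiliate": "fw", "commission": 378.00},  # paid on a blocked order
    {"order_id": "A3", "affiliate": "fw", "commission": 21.00},   # paid on a cancelled order
    {"order_id": "A9", "affiliate": "fw", "commission": 10.00},   # no matching order at all
]

def eligible_commission(order):
    """Commission is earned only when goods shipped and the card was charged."""
    if order["status"] == "shipped" and order["charged"]:
        return round(order["amount"] * COMMISSION_RATE, 2)
    return 0.0

def reconcile(orders, payouts):
    """Return every payout that exceeds what its order legitimately earned."""
    by_id = {o["order_id"]: o for o in orders}
    findings = []
    for p in payouts:
        order = by_id.get(p["order_id"])
        earned = eligible_commission(order) if order else 0.0
        if p["commission"] > earned:
            findings.append({"order_id": p["order_id"], "affiliate": p["affiliate"],
                             "paid": p["commission"], "earned": earned,
                             "reason": order["status"] if order else "unknown_order"})
    return findings

def overpaid_by_affiliate(findings):
    """Aggregate the overpayment per affiliate; a large number is the alarm."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["affiliate"]] += f["paid"] - f["earned"]
    return dict(totals)

if __name__ == "__main__":
    found = reconcile(ORDER_EVENTS, COMMISSION_PAYOUTS)
    for f in found:
        print(f)
    print(overpaid_by_affiliate(found))
```

Run as a scheduled job over the real order and payout feeds, the per-affiliate total is the signal that a retailer in Nordstrom's position would have wanted long before the figure reached seven digits.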

Unfortunately, that type of interaction isn't just limited to Nordstrom and FatWallet, or even to retailer-affiliate chains. Last year, three researchers tested single sign-on (SSO) systems from Google, PayPal, Facebook and others. The way they're supposed to work is that, for example, a customer can sign into using his Facebook account.

All of the SSO systems were theoretically secure. But the researchers (two from Indiana University, one from Microsoft Research) found ways to steal credentials from each of the systems they tested. (They reported the security holes, and all have since been fixed.)

The biggest source of problems, according to the researchers, was the places where a retailer or other Web site was trying to interface with an SSO system. No one rigorously tested the interfaces for security—even though the researchers couldn't actually see the Sears and Facebook code and could only observe the packets that went in and out of their own browsers, it was clear to them that the connection had been set up to get it working, not to make it secure.

In a much less rigorous, academic way, that's pretty much what the Chiu brothers discovered, too.

The Internet makes stitching together an E-Commerce chain look very easy. Getting that chain of players working together takes a little work. But once it's connected, there's a strong temptation to declare victory and start doing business. That may even work, as long as there aren't any grifters around.

And how likely is that?