Retail Warfare —

Has Walmart opened itself up to “Denial of inventory” attacks?

Walmart's new web cash payment option could be turned against itself.

On April 26, Walmart's e-commerce site launched a pay-with-cash feature, allowing shoppers to reserve products for pickup or for shipment and pay for them at a local Walmart store. While the feature opens up e-commerce to a larger number of potential transactions—including purchases by teenagers and others without credit cards—it also has opened up the company to potential attacks against its inventory system, using the e-commerce site against the company.

The cash-based payment program, which among other things required millions of dollars worth of changes to Walmart's in-store point of sale systems, gives customers 48 hours to come into a Walmart store with an order number to pay for it. When the customer pays a Walmart "associate," a button on the point-of-sale system connects to the Walmart.com e-commerce site and completes the online transaction.

But as Evan Schuman of retail technology trade site StorefrontBacktalk has reported, that system could be used to jam up Walmart's logistics system—allowing a competitor or other party to perform a "denial of inventory" attack on items that may be in high demand and short supply (such as hot holiday gift items around Black Friday).

Such an attack could be launched through a botnet using "webinject" malware to make scripted Web requests, or via other more manual means, spreading out transactions geographically. An e-commerce competitor seeking an advantage during peak shopping days, for example, could try to limit the number of customers who could purchase a limited-availability item—reducing Walmart's sales.

In an interview with Ars, Schuman said that Walmart had considered the risks posed by the program—during the three-and-a-half years the program was under development—but decided it was not a major issue, based on the belief that such an attack would be easily picked up by fraud detection systems. He said that contacts at Walmart had told him the company anticipates 20 percent of online cash purchases will be abandoned—the customers will never come in to pay for them.

Ravi Jariwala, a Walmart spokesperson, told Ars in an e-mail that Walmart has "systems in place that allow us to closely monitor 'Pay with Cash' transactions and flag suspected fraudulent orders immediately." He added that Walmart can disable cash purchases for "specific items and events, such as the day after Thanksgiving," and will continue to tweak the service to reduce the threat of fraud.
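
One way the monitoring described above could work, as an added example that is not Walmart's system or code from the article: flag an item when unpaid cash holds tie up much of its stock, or when its expired orders are abandoned far above the 20 percent baseline. The order tuple layout, the thresholds, and all names are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(hours=48)  # payment window given in the article
EXPECTED_ABANDON = 0.20            # abandonment rate Walmart reportedly anticipates

def flag_items(orders, stock, now, max_held_share=0.5, min_expired=5):
    """Return {sku: [reasons]} for items whose cash holds look abnormal.

    orders: (sku, placed_at, paid) tuples, one reserved unit each (assumption).
    stock:  {sku: units on hand, including units currently held}.
    max_held_share and min_expired are assumed thresholds, not Walmart's.
    """
    held = defaultdict(int)       # unpaid, still inside the 48-hour window
    expired = defaultdict(int)    # window closed, paid or not
    abandoned = defaultdict(int)  # window closed and never paid
    for sku, placed_at, paid in orders:
        if now - placed_at < HOLD_WINDOW:
            held[sku] += 0 if paid else 1
        else:
            expired[sku] += 1
            abandoned[sku] += 0 if paid else 1
    flags = {}
    for sku, units in stock.items():
        reasons = []
        if units and held[sku] / units > max_held_share:
            reasons.append(f"unpaid holds tie up {held[sku]}/{units} units")
        # Only judge abandonment once enough orders have run out their window.
        if expired[sku] >= min_expired:
            rate = abandoned[sku] / expired[sku]
            if rate > 2 * EXPECTED_ABANDON:
                reasons.append(f"abandonment {rate:.0%} vs {EXPECTED_ABANDON:.0%} expected")
        if reasons:
            flags[sku] = reasons
    return flags

# Constructed sample data (not real orders): a scarce item and a staple.
NOW = datetime(2024, 1, 10, 12, 0)
RECENT, OLD = NOW - timedelta(hours=2), NOW - timedelta(hours=60)
STOCK = {"TOY-1": 10, "SOAP-1": 100}
ORDERS = (
    [("TOY-1", RECENT, False)] * 8
    + [("TOY-1", OLD, False)] * 5 + [("TOY-1", OLD, True)]
    + [("SOAP-1", RECENT, False)] * 3
    + [("SOAP-1", OLD, False)] * 2 + [("SOAP-1", OLD, True)] * 8
)

if __name__ == "__main__":
    for sku, reasons in flag_items(ORDERS, STOCK, NOW).items():
        print(sku, "->", "; ".join(reasons))
```

A flagged item is a candidate for the per-item switch the spokesperson describes, disabling cash payment for that product.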
