Comment It's called fraud (Score 5, Insightful) 275
This is called "fraud". Look it up. It's been around for a long time, a lot longer than HTTP. There are standard business practices for dealing with it. Not all of them are technical. This system's technical defenses are probably sufficient to raise an alarm (delayed by a few weeks as the results are collated), and it will produce a pretty good paper trail leading to the owner of the Bing account. Some of the systems take into account minor details such as the existence of accountants, a police force, a paper trail, and a legal system. Obviously some stronger technical measures might have made it a bit more difficult to pull off this partucular fraud, or maybe it might have even stopped it, but the non-technical measures will also work just fine if they are called into play.
Whether or not the door is obviously guarded, it's still illegal to steal stuff from a store. The fact that the door was not protected with the latest and greatest in RFID theft detection systems doesn't change the fact that what you are doing is illegal. And perhaps the tracking process is slower than what you see in movies, people still get tracked down and arrested, days or weeks after the event. Moving from the streets onto the Internet doesn't really change the rules much (except that your case will probably wind up with Federal jurisdiction).
In this case, the poor "hacker" (I wish him/her luck!) appears to have done the following:
1. Used a specially formatted HTTP request to get a small fabricated purchase to show up as credited to his/her Bing account.
2. Noticed that the cash back did show up with no problem as "available for withdrawal".
3. Tried again with a much larger purchase. Again the purchase shows up in his account.
4. Hacker is hoping that the amount will soon become available for withdrawal.
On the other side of the world, the accounting systems for Microsoft and the associated merchant have likely compared invoices and noticed the discrepancies. The small ones got noted, but they were thrown out as "somebody is playing with the system, but it's not worth dealing with it". But this month, when going over the books, they're going to find a nice big 100,000 item that doesn't match up with any purchase recorded on the store's official records. However, they do have the account number of the buyer that should be getting the cash back. I'm not sure what typically happens at this point, but it probably involves cancelling dinner for the wolf pack so that by the time they're ready to send out the posse, the wolves are hungry.
In this case, Microsoft has apparently (I haven't looked into this) provided an API by which a store can report a sale and attribute the sale to a particular Bing account. The API has varying levels of security, depending on how much effort the store wants to put into preventing fake transactions from entering the system. Low effort might be fine and takes less time to set up, but it's easier to attack and that means more work to do when reconciling the accounts. Just like many other mechanisms for quickly distributing non-critical information between merchants, this isn't meant to be the authoritative information transmission system, just a way for people to keep status on accounts in between the regularly-scheduled account reconciliations. This way Bing can update your account balance within seconds of the purchase. Of course, the payback won't happen until they've gone back and checked Microsoft's records against the merchant's records and pulled out any differences. The differences go to the auditor and possibly to the police or FBI.
Could we maybe just think for a second before acting like jerks? Being a jerk means everybody suffers. I mean, just because I see a way to deface somebody's website doesn't mean I am obligated to do so. I walk by 100 cars a day, and I could easily spray shaving cream all over them and not get caught. But if everybody did that, quality of life would go down for everybody. Same thing on the internet.
I hate this attitude out there that "if it isn't nailed down, I have every right to grab it and take it home, and if it is nailed down, I have every right to destroy it". I don't want a world (or even an Internet) where everything is nailed down and/or destroyed. I like being able to sit down on the occasional park bench. I like seeing the quick web sites put up by some teenagers to show off whatever crazy idea has their attention this week. It would be a pity for the park bench to be vandalized "just because it wasn't properly secured -- to teach those guys a lesson!", because then the park would have to hire security guards (paid for by my taxes) or close down. And simple kiddie web sites about cute kittens shouldn't become defaced just because they were using a version of Drupal that they didn't know how to lock down.
In my sister's neighborhood, people actually know each other and are friendly, but there have been some break-ins the past few weeks. That just plain shouldn't happen -- it causes real harm to people. But when my sister saw that a neighbor had left the garage door open, she called the neighbor and the problem was solved. I'm not sure what the problem was -- perhaps the door was closed immediately, or maybe it was open for a reason (people were in the garage working, or there was nothing in the garage to steal, or the police were baiting the people who had been breaking in). But the problem didn't have to be resolved by stealing stuff out of the garage as a "proof of concept".
Certainly security ought to be part of our thinking as we develop and deploy software. I don't want my mom's computer to get screwed up by the next big virus (though Vista's UAC has been doing its job pretty well so far for her). But honesty and responsability should guide our thinking as we use software. And just as we have to learn that there are non-technical attack vectors (75% success rate for "I'll give you a candy bar if you give me your password"), we shouldn't be so narrow-minded as to think that there are no non-technical mitigations (the inevitable paper trail and the criminal justice system help keep me from trying to scam Bing, just in case my personal code of honor should somehow fail).
