Shoppers Beware: Future Shop Shadow Site May Lead to Orders that Never Arrive
By Julie King | December 22, 2012
CanadaOne.com is warning Canadians to take extra care when shopping online this holiday season.
A website that looks like Future Shop and performs like Future Shop is in fact a shadow site hosted by Best Buy, Future Shop's American parent company. The site looks just like the real Future Shop website, right down to fine details like being functional in both English and French and being able to buy gift cards or apply for a credit card.
We would like to have had time to gather more information and answers, but with Christmas just days away we believe it is important to alert Canadians to the fact that they may have ordered gifts that will never arrive. We will be updating this article as more information is received.
Unsuspecting shoppers may not recognize that some Future Shop products that are listed in Google click through to a test site that should never have been accessible to the public. It is possible to go through the full process of placing an order, even to the point of getting an order confirmation number. However, those orders do not appear to be connected to the live order system, and they do not appear in the live customer care centre database. So it is likely that anyone who ordered through the shadow site will not see their orders fulfilled.
"I stumbled on the 'shadow' Future Shop website after Googling a product name plus where to buy in Canada. Because I was having difficulty finding a place to buy the product in stores, I ended up placing an order," says Julie King, co-founder and editor of CanadaOne.com. "When I called the next day to change my shipping selection I was told the order did not exist. At that point I realized that a huge error had likely been made, an error that could lead to many disappointments this Christmas."
What appears to have happened is that a test website was published and then indexed by Google. An advanced search for the shadow domain - str1-fsca-ssl.bestbuy.ca - shows 3410 results, many of which are products that range from games and televisions to personal care items. (Those pages now return a 404 "page not found" error, but are still indexed in Google.)
In some cases, those product pages outrank pages from the legitimate Future Shop and Best Buy websites.
"The holiday season comes with an explosion in the number of fraudulent e-commerce sites," says Claudiu Popa, one of Canada's leading experts in privacy and security and president of Informatica. "Sites that pretend to sell electronic goods at good prices with trustworthy interfaces and name brand products. From that perspective there is no difference between a malicious phishing site that rates high in search engine rankings and a deceptively attractive site on a legitimate domain. Trust is something that is difficult to earn but easy to lose and Christmas is a bad time to disappoint people."
There was a strong incentive for someone to use the shadow website: each product prominently promotes free same day shipping.
"The shadow site asks for and accepts personal payment information, assures users that their transactions are secure and makes further allowances for the way personal information is treated. It offers credit cards, gift cards, corporate and personal alongside thousands of name brand products with non-existent SKUs," says Popa.
"Whether this was a failure in the software development life cycle or simply a rogue employee publishing the entire test site in plain view of Google's crawler, this is a process issue that will necessarily result in a review of security and privacy policies, systems development, online presence management, and public relations. It's certainly significant enough to warrant a review of the policies, procedures, systems, roles and individuals that enabled this embarrassing event to occur at a critical time for Canadian shoppers."
CanadaOne is working with Best Buy and Future Shop to try to discover what happened and how the indexing of the shadow site will impact Canadians this Christmas. We will be following this story in the New Year to look at important issues related to privacy, security and what companies need to do to avoid a similar situation.
Yet right now what matters most is that Christmas Day is just around the corner and there are many unanswered questions about the situation with the shadow site. Important questions like:
- How many Canadians have placed orders through the shadow site? (We do not know. It could be just one person... but it could also be thousands.)
- What happened to the orders that were placed through the shadow site? (We do not know.)
- What happened to the credit card and personal information from orders placed through the shadow site? (We do not know.)
- Was any personal or credit card information transmitted through the shadow site potentially sent in an unencrypted format? (It looks like the information is encrypted, but this needs further clarification.)
- How and when will Future Shop and/or Best Buy notify those who were affected by the deception of the shadow site? (We do not know.)
- What are the legal implications of this error and what can customers who placed orders expect?
Mesiano-Crookston, a lawyer with Goldman Hine LLP, notes that if the ads (indexed product pages) on the shadow site were found to be false or misleading as prohibited by the Competition Act, the corporation running the website (either Future Shop or Best Buy) could conceivably be liable for a fine of up to ten million dollars for a first offence, with possible reduction of fines and penalties if the ads were all published by accident.
To be fair to Future Shop and Best Buy, the company only appears to have learned that the shadow site was live after King's inquiry this morning. We are in touch with their media relations department and will share answers we receive as soon as they are available.
"I don't think anyone is implying that this was done maliciously, but it is an incident that can impact buyer confidence and therefore negatively impact Best Buy's reputation and the Future Shop brand," says Popa, a trusted Risk Advisor to Canadian enterprises. "Clearly a large volume of traffic has gone through the fake site resulting in a potentially significant volume of transactions. Whether these completed transactions result in the transfer of funds from clients is not as relevant as the fact that Future Shop customers may feel that they have been deceived or duped into disclosing their payment details to a fake site."
In the meantime, if you placed an order through the Future Shop website after clicking on a search engine link, it would not hurt to confirm that you were on the live site, not the shadow version.
Start online first to avoid clogging call centre lines, and if you can't find your order, escalate the issue to Future Shop's customer care line.
"I would recommend that anyone who placed an order through Future Shop first stop and ask if they noticed anything unusual, like a bestbuy.ca domain, when placing their order," says King. "If you followed a link from Google to a site that appeared to be Future Shop, try tracking your order and call the customer support centre if it is not coming up."