Flaws in the processes, or business logic, for Web sites can prove highly profitable to hackers, require little skill to exploit and are sometimes technically not illegal to take advantage of, said Jeremiah Grossman, CTO of WhiteHat Security, at the Source Boston Security Showcase.

"These issues are common if you know what to look for," he said.

He offered several examples of these flaws, including those found in Web site designs, Captcha authentication systems and user privileges. People who take advantage of them are often simply banned from using a service, although sometimes they are prosecuted.

In 2007 a woman was accused of scamming QVC out of US$412,000 by exploiting a flaw in its business logic. She placed orders for 1,800 items with the home-shopping network and then cancelled the orders on its Web site. She received credit for returning the merchandise, but the items were sent to her anyway and she sold them on eBay, the Department of Justice said. QVC became aware of the matter when eBay users contacted it about receiving items still in its packaging. The woman eventually pled guilty to wire fraud.

Password reset features can lead to unauthorized account access if they ask obvious questions and hackers have minor pieces of information about their victims. Grossman offered an example involving former mobile service provider Sprint. To reset its passwords, he said, a hacker needed to know only a person's mobile-phone number and a basic piece of information such as where they lived or the car they drove. This could have allowed a hacker to order new phones in the victim's name or install new services on their phone.