Tag Youre Hit

 
 
By eweek  |  Posted 2001-03-05
 
 
 

As if things werent already hard enough, online retailers are experiencing yet another e-rip-off: electronic price tag alteration.

An estimated one-third of all shopping cart applications at Internet retailing sites have software holes that make them vulnerable to the price switching scam, said Peggy Weigle, chief executive of Sanctum, a security software company in Santa Clara, Calif.

For example, a major PC manufacturer sells a sleek new laptop for $1,600, but Weigle knows how to manipulate the companys shopping cart software code to change the price to $1.60. Its so easy, even novices can alter prices, she said.

"Thieves are coming in the front door," Weigle said. "A lot of security products have been geared to the network level, not the application level."

Heres how it works: After choosing a product and receiving pricing information, a hacker can use a standard browsers "edit page" feature to show the hidden HTML code on the page. The thief then saves the page to his computer, alters the price information and then hits the "publish" key on the browser. In many cases, that page is then accepted by the shopping cart software — and that $999 watch becomes a $3 special.

The problem isnt just in the U.S. — an estimated 40 percent of all e-commerce sites in the U.K. are susceptible to the price changing glitch, according to Saalim Chowdhury, CEO of e-commerce software development company Alphakinetic, which has been studying the flaw.

Internet retailers in the U.K. such as concert ticket sales site Aloud.com, domain name retailer CheapNames.co.uk and Welsh Internet shop Wales Direct have all been victims of the price changing scam, according to The Daily Telegraph in London.

Gauging the scope of the problem is difficult because few Internet retailers will talk about the rip-offs or admit to being hacked. Overall, fraud is estimated to occur in 11 percent of all online transactions, said Paul Fichtman, president and CEO of the Internet Fraud Council.

Many Web sites are vulnerable to hackers because the task of auditing their applications and detecting hacking is time-consuming, Weigle said.

Yet Tom Arnold, chief technology officer at CyberSource, an e-commerce software company, said most major merchants are aware of the problems and are fixing them. The merchants also have 24 hours to review orders, Arnold said, and many of them catch the pricing mistakes before the merchandise leaves the warehouse. "The more sophisticated merchants look at their orders on a daily basis," he said.

Egghead.com, an Internet retailer of electronics and software, has a software program that alerts its staff to any irregular pricing on its products, said Jeff Sheahan, Eggheads president and CEO. If a price comes up low or negative, Egghead does not honor it, he said.

Some Web sites, however, dont discover the price changes until they audit their sales at the end of the quarter or the end of the year, said Yaron Galant, director of product management at Sanctum. By that time, the thief can be far away.

To prevent price tag tampering on Web sites, Sanctum offers software tools AppScan and AppShield. AppScan is an offline security program that engineers can use while developing Web-accessible software applications. The program runs simulated hacking attacks so that programmers can plug holes before the application is made accessible to the public.

In the past few months, many Web sites have been plagued with pricing snafus resulting in a smorgasbord of bargains for consumers. Most of the problems resulted from internal computer glitches or typos, according to the companies.

A few weeks ago, 143 consumers bought round-trip tickets to Paris for $25 from United Airlines during a 55-minute window on the companys Web site. United said a computer bug caused the pricing snafu by zeroing out fares so that travelers were charged only tax and miscellaneous fees. After initially refusing the fares and getting bad publicity, the air carrier finally agreed to honor the tickets.

"Internet retailers dont want the bad publicity, so they will not admit to being hacked. Its often advertised as glitches, but looking under the hood, its nothing more than a hack," Galant said.

Rocket Fuel