E-Commerce Insecurity

 
 
By eweek  |  Posted 2001-04-23
 
 
 

Thieves can go to jail for switching price tags and attempting to buy merchandise at the lower price in a brick-and-mortar store. Yet online merchants get hit with price switching scams by e-shoplifters all the time, and rarely are thieves detected or caught.

An estimated one-third of all shopping cart applications at Internet retailing sites are vulnerable to the price switching scam, says Peggy Weigle, CEO of Sanctum, a security software company in Santa Clara, Calif.

Internet Security Systems, an Atlanta security company, also looked into the problem and uncovered 11 shopping cart applications that were vulnerable to price changing using form tampering. All but three of those programs now have patches to fix the problems, the security firm says, but many Web sites dont even know theyre vulnerable because, in some cases, they hired outside contractors to build their sites and are not familiar with the software.

Tim Farley, a senior researcher at ISS, says the problem usually occurs when a Web site isnt configured properly. Hackers will use search engines to find vulnerable sites, essentially looking for hidden fields. These are instructions the programmer has coded into a page that usually cant been seen, but by clicking on the "edit page" command in a Web browser, the hidden fields become visible.

Instead of incorporating back-end programming logic to verify the price of a product with a database, many HTML coders simply place the price in an HTML hidden tag field. So any text editor can change the hidden field value and the price of a $999 watch to 99 cents, giving attackers 1,000 times their normal purchasing power.

Gartner Group analyst John Pescatore estimates that 75 percent of attacks against Web servers enter at the application level, not at the network level.

Weigle adds that many Web sites are vulnerable to hackers because the task of auditing their applications and detecting hacking is time-consuming. Thats where Sanctums products come into play.

Sanctum makes AppScan and AppShield, software that can seal the holes in electronic shopping cart applications and other programs. AppScan is an offline security program that engineers can use while developing Web-accessible software applications. Over several hours, the program runs a series of simulated hacking attacks to identify problems, so security holes can be plugged before the Web site is opened to the public.

Once a site is running, AppShield is intended to stop intruders from changing prices on the site and other security breaches. If a hacker tries to alter software code to change the price of a laptop computer at an electronics store, for example, AppShield blocks the change and notifies Web site personnel.

Although the vulnerabilities of Web applications have been known for years and talked about on hacker bulletin boards, few security offerings have been introduced to solve the problems. Thats because most companies concentrated on deploying network firewalls and encrypting data for transmission over the Internet. Few have paid as much attention to the applications running their Web sites, according to security experts.

Sanctums security system commands a premium price as a result. It charges businesses $15,000 for each copy of AppShield. AppScan, meanwhile, costs $20,000 for a one-year license.

The marketplace for products such as Sanctums is growing by leaps and bounds. Overall, fraud is estimated to occur in 11 percent of all online transactions, says Paul Fichtman, president and CEO of the Internet Fraud Council.

In the past few months, many Web sites have been plagued by pricing snafus resulting in a smorgasbord of bargains for consumers.

"Internet retailers dont want the bad publicity, so they will not admit to being hacked. Its often advertised as glitches, but looking under the hood, its nothing more than a hack," says Yaron Galant, director of product management at Sanctum.

Last winter, Ashford.com in Houston offered Gucci, Tudor Chronograph and gold Mont dOr watches for $0.00 with free shipping. Several people placed orders and received e-mail confirmations, but Ashford didnt honor the orders, citing its disclaimer: "We are not responsible for and do not honor pricing errors."

In January, IBM advertised $1,899 ThinkPad I Series 1400 laptops for only $1. IBM caught the error and traced it to what it termed a "bad data feed," but did not honor the sales.

Pricing glitches have also occurred at Amazon.com, which canceled orders on toys and DVD sets that carried erroneously low price tags, and Buy.com, which offered 19-inch Hitachi computer monitors for $164 — more than $400 off the retail price — as well as Staples, which offered online shoppers $60 briefcases for a penny.

Overall, e-shoplifting is increasing, Galant says. Its the quiet enemy that the companies would like to keep under wraps. "This is a direct hit to their revenue," Galant says. "Its like a bank having money stolen. It hits them where it hurts."

Rocket Fuel