Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    E-Commerce Insecurity

    By
    eWEEK EDITORS
    -
    April 23, 2001
    Share
    Facebook
    Twitter
    Linkedin

      Thieves can go to jail for switching price tags and attempting to buy merchandise at the lower price in a brick-and-mortar store. Yet online merchants get hit with price switching scams by e-shoplifters all the time, and rarely are thieves detected or caught.

      An estimated one-third of all shopping cart applications at Internet retailing sites are vulnerable to the price switching scam, says Peggy Weigle, CEO of Sanctum, a security software company in Santa Clara, Calif.

      Internet Security Systems, an Atlanta security company, also looked into the problem and uncovered 11 shopping cart applications that were vulnerable to price changing using form tampering. All but three of those programs now have patches to fix the problems, the security firm says, but many Web sites dont even know theyre vulnerable because, in some cases, they hired outside contractors to build their sites and are not familiar with the software.

      Tim Farley, a senior researcher at ISS, says the problem usually occurs when a Web site isnt configured properly. Hackers will use search engines to find vulnerable sites, essentially looking for hidden fields. These are instructions the programmer has coded into a page that usually cant been seen, but by clicking on the “edit page” command in a Web browser, the hidden fields become visible.

      Instead of incorporating back-end programming logic to verify the price of a product with a database, many HTML coders simply place the price in an HTML hidden tag field. So any text editor can change the hidden field value and the price of a $999 watch to 99 cents, giving attackers 1,000 times their normal purchasing power.

      Gartner Group analyst John Pescatore estimates that 75 percent of attacks against Web servers enter at the application level, not at the network level.

      Weigle adds that many Web sites are vulnerable to hackers because the task of auditing their applications and detecting hacking is time-consuming. Thats where Sanctums products come into play.

      Sanctum makes AppScan and AppShield, software that can seal the holes in electronic shopping cart applications and other programs. AppScan is an offline security program that engineers can use while developing Web-accessible software applications. Over several hours, the program runs a series of simulated hacking attacks to identify problems, so security holes can be plugged before the Web site is opened to the public.

      Once a site is running, AppShield is intended to stop intruders from changing prices on the site and other security breaches. If a hacker tries to alter software code to change the price of a laptop computer at an electronics store, for example, AppShield blocks the change and notifies Web site personnel.

      Although the vulnerabilities of Web applications have been known for years and talked about on hacker bulletin boards, few security offerings have been introduced to solve the problems. Thats because most companies concentrated on deploying network firewalls and encrypting data for transmission over the Internet. Few have paid as much attention to the applications running their Web sites, according to security experts.

      Sanctums security system commands a premium price as a result. It charges businesses $15,000 for each copy of AppShield. AppScan, meanwhile, costs $20,000 for a one-year license.

      The marketplace for products such as Sanctums is growing by leaps and bounds. Overall, fraud is estimated to occur in 11 percent of all online transactions, says Paul Fichtman, president and CEO of the Internet Fraud Council.

      In the past few months, many Web sites have been plagued by pricing snafus resulting in a smorgasbord of bargains for consumers.

      “Internet retailers dont want the bad publicity, so they will not admit to being hacked. Its often advertised as glitches, but looking under the hood, its nothing more than a hack,” says Yaron Galant, director of product management at Sanctum.

      Last winter, Ashford.com in Houston offered Gucci, Tudor Chronograph and gold Mont dOr watches for $0.00 with free shipping. Several people placed orders and received e-mail confirmations, but Ashford didnt honor the orders, citing its disclaimer: “We are not responsible for and do not honor pricing errors.”

      In January, IBM advertised $1,899 ThinkPad I Series 1400 laptops for only $1. IBM caught the error and traced it to what it termed a “bad data feed,” but did not honor the sales.

      Pricing glitches have also occurred at Amazon.com, which canceled orders on toys and DVD sets that carried erroneously low price tags, and Buy.com, which offered 19-inch Hitachi computer monitors for $164 — more than $400 off the retail price — as well as Staples, which offered online shoppers $60 briefcases for a penny.

      Overall, e-shoplifting is increasing, Galant says. Its the quiet enemy that the companies would like to keep under wraps. “This is a direct hit to their revenue,” Galant says. “Its like a bank having money stolen. It hits them where it hurts.”

      eWEEK EDITORS
      eWeek editors publish top thought leaders and leading experts in emerging technology across a wide variety of Enterprise B2B sectors. Our focus is providing actionable information for today’s technology decision makers.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×