Web Informant
Mappa.Mundi Magazine
David Strom is a networking and communications consultant based in Port Washington, NY. Along with Marshall Rose, he co-authored
Internet Messaging: From the Desktop to the Enterprise (Prentice Hall).

Related links:

» Priceline.com

» Americart.com

» Study: Six Million Victimized By E-Commerce Fraud, by Michele Masterson, Associate Editor, E-Commerce Guide, May 20, 1999.

By David Strom, david@strom.com

Don’t let shoppers name their price

Web Informant #171, 11 October 1999

You have probably heard about Priceline.com, the web site that lets those in pursuit of bargains – particularly for airline tickets and hotel accommodations – name their own price. While I have never been able to conclude a transaction there (guess I’m too much of a cheapskate), several friends did get last-minute plane tickets and were grateful to avoid the ridiculous sums airlines charge for eleventh-hour planning.

I found another way to get online bargains, though. It involves a simple hack to web shopping cart pages. All it takes is a text editor, a browser, and about five minutes of spare time. To see what I mean, go to the link below and check out the copy I made of a storefront demo, called Wayne’s Widget World, which is maintained by Americart.

Notice the first item has a pull-down list to specify different metal types for your widget. Choose one, and jot down the price you see on this screen. Now click on the button used to add the item to your shopping cart and note the difference between this price and what you are about to pay.

How was this done? Simple. I used Wordpad to change the price listings in this page. Then I saved the page to my hard disk (and also to my site, so you can see how I did it). Then I opened this new page inside my browser. The entire process took about five minutes. It required no cryptography experience. No “social engineering” (calling up people on the phone and tricking them into giving you passwords and other company confidential information). No backdoor Unix commands.

Now, I am obviously not saying that you should do this. Nor do I mean to pick on Americart – plenty of other shopping cart systems can be similarly tampered with. But I do want to show you how frighteningly easy it is to make these changes, and how important it is for eCommerce proprietors to scrupulously explore all security holes – not just the ones involving complex technologies like cryptography. Fraud will become a big problem as eCommerce explodes, and it’s essential to do what it takes to identify (and fix) the vulnerabilities in your shopping cart systems. If you use another shopping cart program and can easily edit the prices as I’ve done here, consider switching to something more secure.

If you are interested in this topic, and plan to be in the Boston area this week, consider spending a day or two at the Internet Security Conference. I’ve designed a full-day program on Tuesday that will address these and other eCommerce security issues. They will have presentations from several panels of experts and fellow journalists. For the details on this panel and the conference in general, click here.
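The column shows the symptom (the page carries the price, and the checkout bills whatever the browser sends back) but not the fix a storefront operator needs. The following is an added example, not code from the column, from Americart, or from the Wayne's Widget World demo. It contrasts a checkout handler that trusts the posted price with one that prices every line from a server-side catalog and treats a posted price that disagrees with the catalog as a signal that the page was modified. The catalog, SKUs, prices, and form field names (`sku`, `qty`, `price`) are constructed for the example, and the hardened handler goes a little beyond the column by also refusing unknown SKUs and non-positive quantities.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Hypothetical server-side catalog for the widget store. SKUs and prices are
# constructed for this example; this is the only source of prices the
# checkout handler should ever bill from.
CATALOG = {
    "widget-steel": Decimal("19.95"),
    "widget-brass": Decimal("24.95"),
    "widget-titanium": Decimal("49.95"),
}


class TamperedOrder(Exception):
    """The submitted cart disagrees with the catalog or is malformed."""


def parse_cart(body):
    """Parse a URL-encoded cart POST into (sku, qty, posted_price) rows.

    posted_price is None when the form carried no price field at all, which
    is what a cart that never sends prices to the browser looks like.
    """
    fields = parse_qs(body, strict_parsing=True)
    skus = fields.get("sku", [])
    qtys = fields.get("qty", [])
    prices = fields.get("price", [None] * len(skus))
    if not (len(skus) == len(qtys) == len(prices)):
        raise TamperedOrder("cart fields are not parallel lists")
    rows = []
    for sku, qty, price in zip(skus, qtys, prices):
        try:
            rows.append((sku, int(qty), None if price is None else Decimal(price)))
        except (ValueError, InvalidOperation):
            raise TamperedOrder(f"non-numeric qty or price for {sku!r}") from None
    return rows


def vulnerable_total(body):
    """The pattern the column demonstrates: bill whatever price the browser
    posted. Editing the saved page therefore edits the bill."""
    return sum(qty * price for _, qty, price in parse_cart(body))


def hardened_total(body, catalog=CATALOG):
    """Price every line from the catalog; the posted price is never billed.

    If a price was posted and it disagrees with the catalog, the page was
    modified on the client side, so the order is refused rather than silently
    repriced. That keeps the mismatch visible to whoever reviews the logs.
    """
    total = Decimal("0")
    for sku, qty, posted in parse_cart(body):
        if sku not in catalog:
            raise TamperedOrder(f"unknown sku {sku!r}")
        if qty <= 0:
            raise TamperedOrder(f"bad quantity {qty} for {sku!r}")
        real = catalog[sku]
        if posted is not None and posted != real:
            raise TamperedOrder(f"{sku}: posted {posted}, catalog {real}")
        total += qty * real
    return total


def checkout(body, catalog=CATALOG):
    """Request-handler wrapper: returns (accepted, total_as_string, reason).

    A rejected order is the event the storefront should log and alert on.
    """
    try:
        return True, str(hardened_total(body, catalog)), ""
    except TamperedOrder as exc:
        return False, None, str(exc)


if __name__ == "__main__":
    honest = "sku=widget-brass&qty=2&price=24.95"   # constructed, untouched form
    edited = "sku=widget-brass&qty=2&price=0.01"    # constructed, price field edited
    print("vulnerable handler bills the edited cart at:", vulnerable_total(edited))
    print("hardened handler, honest cart:", checkout(honest))
    print("hardened handler, edited cart:", checkout(edited))
```

The design choice worth noting is that the hardened handler does not merely overwrite the posted price with the catalog price. Silent repricing would bill the right amount but hide the fact that a customer submitted a modified page; refusing the order and returning the reason gives the operator something to log, count, and investigate.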

Copyright © 1999, 2000 media.org.

Web Informant copyright 1999 by David Strom, Inc., reprinted by permission.
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.
ISSN #1524-6353, registered with the U.S. Library of Congress.