One common problem with basic shopping carts or "buy now" buttons is that the data in the form is visible to the shopper. In fact, in many cases (PayPal for example) the price to be charged for the item, as well as the merchant's ID (your email address for PayPal), is contained in the form submitted by the shopper.
Problem: Public, clear text, non-obfuscated merchant email addresses: Putting up PayPal "Buy Now" buttons without encryption (which PayPal does provide but which seems to be infrequently used) is an invitation to spammers to grab a known valid email address.
Problem: Undetected Price Modification: Most buttons or shopping carts must send the price of an item to the processor from the form on the user's computer. Less than honest shoppers can copy the HTML in the button or cart and modify the price to reflect a "digital finger discount", which will then be sent on to you in place of the price you expected. In many cases this isn't a problem, since you will see the price is wrong and reject the transaction. But there are cases where no human looks at the order: online software sales with automatic email or download delivery are one example. And it is very possible to just miss the amount when you (or an unmotivated employee) are processing a large number of orders for a large number of different products. Even easier to miss is a group of products in a shopping cart; did you really add it up again to verify the total?
Solution: Encryption: One solution is to encrypt the data in the form or, at the very least, "sign" it with a cryptographically secure value that ensures the cart has not been altered: a sort of crypto-checksum such as the HMAC_SHA1 function. How do the major players manage this?
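Added example (not code from the original page) of the signing approach just described: the merchant's server computes an HMAC over the order fields with a secret that never appears in the HTML, and any posted form whose fields no longer match that signature is refused. The field names, the secret and the sample order are assumptions; SHA-256 is used where the page names HMAC_SHA1.

```python
import hashlib
import hmac

# Constructed placeholder: a secret held only on the merchant's server, never
# written into the hidden form fields the shopper can read or copy.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"

# Assumed field names (PayPal-style button variables); "sig" is added by us.
SIGNED_FIELDS = ("business", "item_number", "item_name", "amount", "currency_code")

def canonical(fields):
    """Serialize the signed fields in a fixed order so both sides MAC identical bytes."""
    return "\n".join(f"{name}={fields[name]}" for name in SIGNED_FIELDS).encode("utf-8")

def sign_cart(fields, key=SECRET_KEY):
    """Keyed checksum over the order data (HMAC-SHA256 here, HMAC-SHA1 in the text)."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()

def build_form_fields(order, key=SECRET_KEY):
    """What the server emits into the hidden form fields: the data plus its signature."""
    fields = {name: str(order[name]) for name in SIGNED_FIELDS}
    fields["sig"] = sign_cart(fields, key)
    return fields

def verify_form_fields(posted, key=SECRET_KEY):
    """Accept the order only if the signature matches every signed field as posted."""
    try:
        expected = sign_cart({name: posted[name] for name in SIGNED_FIELDS}, key)
    except KeyError:          # a signed field was dropped from the form
        return False
    return hmac.compare_digest(expected, posted.get("sig", ""))

# Constructed sample order.
ORDER = {"business": "sales@example.com", "item_number": "SW-100",
         "item_name": "Widget Designer 2.0", "amount": "49.95", "currency_code": "USD"}

def demo():
    """Return (genuine form verifies, price-modified copy verifies)."""
    genuine = build_form_fields(ORDER)
    discounted = dict(genuine)
    discounted["amount"] = "0.01"   # the "digital finger discount" from the text
    return verify_form_fields(genuine), verify_form_fields(discounted)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

Signing only detects modification; the merchant address in the form stays readable, which is what the processor's encrypted-button option addresses.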
file: /Techref/ecommerce/secureshopcarts.htm, 4KB, updated: 2006/10/20 14:20
Price "Fixing" and identity theft in shopping carts for third party CC processors. (http://www.piclist.com/techref/ecommerce/secureshopcarts.htm)