Watch out! E-Shoplifters About!

Published: 11th June 2008
Views: N/A

We're all heard about the cost to a business of shoplifting, how a certain percentage of a shops retail stock will disappear without ever going out through the till. Thieves head into a store, look out for hidden weaknesses in the environment and walks off with an unknown amount of merchandise, all without getting detected. It's a really simple thing to do for those with no conscience, but surely in this electronic age, this can't happen with e-commerce websites? Wrong! Unfortunately this can happen in a minority of cases, but it is preventable.



What many business fail to understand in these Internet days, are that a poorly constructed e-commerce website can enable electronic shoplifting in the Internet age.



With the Paypal "Buy Now" buttons, they are really convenient if you are selling a small quantity of products where generally only one type of product is bought at a time. Unfortunately if they are not setup correctly, they create an easy way for a user to modify the HTML code and edit this to whatever they like. There is a quite a large proportion of these buttons that fit this category. The problem in most cases is easily rectified. When creating a button, you have the option of making the button encrypted or normal. By encrypting the code for the button and changing your setup to accept encrypted payments only, the problem is eliminated.



For shopping carts, when entering the quantity of a product when it is added to the shopping cart there are two different methods to input a quantity, or edit one in the shopping cart - drop down menus or edit boxes. Drop down menus are fine, though they lack the flexibility of an edit box (an edit box can have any quantity, a pulldown menu only has preset quantities) though they are faster. But the edit box, unless it has any form of server side validation on the entered value, this can cause a potential problem. If a user already has some items in the shopping cart, then enters a negative quantity this will produce a credit instead of a debit, and not only does the user get the item for free, he/she will also receive a credit on the cost of that particular item. Though for a small order this could be noticed, unfortunately with a large order this could easily get missed. Though the number of websites this can be performed on is decreasing over the last few years, it still is a problem, particularly for older e-commerce websites or websites developed by the unwary or inexperienced.



A third area where e-shoplifting can be performed again is with poorly designed data control. Typically the costs of items on a website are held on a database, and the required cost is then retrieved when each product page is displayed in a web browser. The user purchases an item, and places this into the shopping cart, then proceeds to the checkout and then purchases the items. This arrangement is fine, only if the prices are again retrieved from the database for both the shopping cart and the checkout. However if the e-commerce site is poorly designed and the prices are passed from the user back to the shopping cart and checkout, this causes a problem as the user can save the webpages to a hard disk and easily modify the prices through the HTML or Javascript code. With this information being passed back to the storeowner, the owner has no control over these prices, and again e-shoplifting can occur. As above, this particularly affects older e-commerce sites, which are constructed in this way.



If you are an e-commerce storeowner your site falls into one of the above three categories then you do have a potential problem.



The first problem is easy to spot by checking the HTML code for you Paypal button.



The second problem is also easy to spot and to rectify by adding some server side validation coding, however the third problem is a bit harder to spot, and easily could go unnoticed. This is quite a bit more difficult to fix. If you are unable to fix some of these problems, the best option would be to keep alert on your orders and have in yours "Terms of Use" a note prohibiting data modification, otherwise you might have a difficult time fighting this one in court.

Paul Roberts



I run a software development company specialising in E-Commerce, Search Engine Optimization, and Print Estimation software called ROBO Design Solutions. I also develop New Zealand E-Commerce Solutions and Software under the name ROBO Design.


Report this article Ask About This Article


Loading...
More to Explore