
Price "Fixing" and identity theft in shopping carts for third party CC processors.

One common problem with basic shopping carts or "buy now" buttons is that the data in the form is visible to the shopper. In fact, in many cases (PayPal for example) the price to be charged for the item, as well as the merchant's ID (your email address for PayPal), is contained in the form submitted by the shopper.

Problem: Public, clear text, non-obfuscated merchant email addresses: Putting up PayPal "Buy Now" buttons without encryption (which PayPal does provide but seems to be infrequently used) is an invitation to spammers to grab a known valid email address.

Problem: Undetected Price Modification: Most buttons or shopping carts must send the price of an item to the processor from the form on the user's computer. Less than honest shoppers can choose to copy the HTML in the button or cart and modify the price to reflect a "digital finger discount", which will then be sent on to you in place of the price you expected. In many cases this isn't a problem, since you will see the price is wrong and reject the transaction. But there are cases where no human looks at the order: online software sales with automatic email or download delivery are one example. And it is very possible to just miss the amount when you (or an unmotivated employee) are processing a large number of orders for a large number of different products. Even easier to miss is a group of products in a shopping cart; did you really add it up again to verify the total?

Solution: Encryption: One solution is to encrypt the data in the form or, at the very least, "sign" it with a cryptographically secure value that ensures the cart is not altered; a sort of crypto-checksum such as the HMAC-SHA1 function. How do the major players manage this?
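The following is an added example, not code from this page or from PayPal, showing the two merchant-side checks the paragraphs above call for: an HMAC-SHA1 "crypto-checksum" over the price-bearing form fields, and a catalog lookup that catches the "digital finger discount" even when no human reads the order. The field names business, item_name, item_number, amount and currency_code follow PayPal's button variables; the cart_sig field, the secret key, the catalog and the sample cart are all constructed for this example. It assumes your own server sees the submitted fields again (on the return page or in a payment notification) so it can check them before delivering anything; a signature you add yourself is verified only by your code, never by the processor.

```python
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import urlencode

# Hypothetical merchant-side secret. It lives only on the merchant's server
# and is never placed in the form the shopper can see.
SECRET_KEY = b"constructed-example-secret-replace-me"

# Only these fields are covered by the signature; anything else in the form
# stays modifiable by the shopper, so every price-bearing field must be here.
SIGNED_FIELDS = ("business", "item_name", "item_number", "amount", "currency_code")

# Constructed catalog: the authoritative price lives here, not in the form.
CATALOG = {"W-100": Decimal("29.95"), "W-200": Decimal("9.50")}


def canonical(fields):
    """Serialize the signed fields in a fixed order so both sides MAC the same bytes."""
    pairs = sorted((name, str(fields[name])) for name in SIGNED_FIELDS)
    return urlencode(pairs).encode("utf-8")


def sign_cart(fields, key=SECRET_KEY):
    """HMAC-SHA1 over the canonical form; hashlib.sha256 is a drop-in replacement."""
    return hmac.new(key, canonical(fields), hashlib.sha1).hexdigest()


def build_form_fields(cart, key=SECRET_KEY):
    """What the merchant emits into the hidden inputs of the button or cart form."""
    form = dict(cart)
    form["cart_sig"] = sign_cart(cart, key)
    return form


def verify_cart(submitted, key=SECRET_KEY):
    """True only if every signed field came back exactly as the merchant emitted it."""
    presented = str(submitted.get("cart_sig", ""))
    try:
        expected = sign_cart(submitted, key)
    except KeyError:
        # A signed field is missing: treat as tampering, not as "nothing to check".
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def amount_matches_catalog(item_number, amount, quantity="1", catalog=CATALOG):
    """Independent check at fulfilment time: recompute the price from the catalog."""
    try:
        expected = catalog[item_number] * Decimal(str(quantity))
        return Decimal(str(amount)) == expected
    except (KeyError, ArithmeticError, ValueError):
        # Unknown item or unparsable amount (Decimal raises InvalidOperation,
        # an ArithmeticError subclass) is rejected rather than delivered.
        return False


def demo():
    """Honest submission passes; a price edited in the shopper's copy of the form fails."""
    cart = {
        "business": "merchant@example.com",   # constructed merchant ID
        "item_name": "Widget",
        "item_number": "W-100",
        "amount": "29.95",
        "currency_code": "USD",
    }
    form = build_form_fields(cart)
    tampered = dict(form)
    tampered["amount"] = "0.95"               # the "digital finger discount"
    return (
        verify_cart(form),
        verify_cart(tampered),
        amount_matches_catalog(form["item_number"], form["amount"]),
        amount_matches_catalog(tampered["item_number"], tampered["amount"]),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The signature protects what you put in the form; the catalog lookup protects you even when the processor drops or never returns your custom field, so an automated delivery path should run the catalog check on the amount the processor actually reports before releasing the download.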

See also:

file: /Techref/ecommerce/secureshopcarts.htm, 4KB, updated: 2006/10/20 14:20, local time: 2024/5/30 13:05
