Information Security News mailing list archives
Hacking Demonstration Shows Dangers of E-Commerce
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Thu, 4 Nov 1999 10:10:23 -0700
From: darek.milewski () us pwcglobal com

Hacking Demonstration Shows Dangers of E-Commerce
Software to protect sites goes on market
JAN BOYD, STAN BUNGER
Monday, November 1, 1999
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1999/11/01/BU20148.DTL&type=tech_article

Before you get excited about doing all your Christmas shopping online, you might want to read this:

Peggy Weigle is CEO of a Silicon Valley software company. She knows her way around a computer, and she's a regular Internet user. But you won't catch her doing any online shopping this holiday season.

``I probably would have done it last year,'' Weigle said. ``But knowing what I know now, I'm physically going to the stores.''

The source of Weigle's fear is her company's founder, an Israeli military veteran named Eran Reshef. Before she took the job at Perfecto Technologies in Mountain View, Reshef showed Weigle how easily he could penetrate an e-commerce Web site and find loads of detailed information.

We watched, too, as Reshef logged on to a bookseller's site. Within minutes, he'd retrieved customer records dating back to 1997: thousands of records, each listing name, address, e-mail address and book titles ordered.

Next, Reshef performed a little number he calls ``electronic shoplifting'': He edited the site's online order form to reduce the price of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef actually could have purchased the book for the reduced price, adding a whole new spin to Priceline.com's ``name-your-own-price'' marketing campaign.

Reshef's exploits didn't require any sophisticated software or particularly detailed knowledge of computer code.

``The only thing you need is an HTML editor that comes bundled with your Netscape or Internet Explorer browser,'' he said. ``There is no magic to this.''

Although Web developers have put a great deal of effort into encrypting customer data and building network fire walls to keep out hackers, the approach Reshef used exploits another vulnerability: Web site applications. The actual e-commerce software that lets you order a book or CD online can be attacked.

Reshef learned the tricks of the trade during a five-year stint in the Israeli Defense Force. Ask him what unit he served in and he replies, ``I can't tell you.''

[snip...]

ISN is sponsored by Security-Focus.COM