RSA 2009: Businesses at risk from e-commerce vulnerabilities

Faults in e-commerce systems can cost firms dear

E-commerce vendors need to tighten up their systems to avoid being ripped off by canny scammers, the RSA 2009 conference was told.

In his address to the conference, Trey Ford, director of solutions architecture for WhiteHat Security, explained how simple faults in procurement systems could cost companies hundreds of thousands of dollars.

Some of these techniques required little or no technical skill at all, he said. For example, a woman in North Carolina found that by making an order and then cancelling it before the browser had reloaded she would still be sent the products but not billed for them.

She sold more than $400,000 of these goods on eBay before being caught – not because the company identified her but because buyers of the products became suspicious.

The reload function of the browser could also be used by "pump and dump" scams – where stock prices are manipulated by online information – by interfering with Google News rankings, he said.

It would be easy to write code that reloaded a certain news page many thousands of times and shift it up into the Google News top stories page, he said, and this could be very profitable for a pump and dump scam.

“Pump and dump is highly profitable,” he said. “In a good stock market you can make seven-figure sums by gaming the market correctly.”

He gave the example of United Airlines, which lost 75 per cent of its stock price temporarily after an outdated and inaccurate Bloomberg report about the airline jumped into the Google News rankings.

While he said this wasn't the activity of pump and dump scammers as far as anyone knew, it showed how the savvy scammer could make huge sums by manipulating online information.