
eCommerce and Security

Volume Number: 13 (1997)
Issue Number: 11
Column Tag: Webtech

eCommerce and the Security Myth

by Jay Van Vark

The real security issues of eCommerce

eCommerce in Today's Market

Business is done with many communication technologies today: walk-in retail, mail-order by phone, mail-order by fax, and so on. The Web and the Internet are just another communication medium with its own benefits and disadvantages. With the World Wide Web, the cost for a business to have a worldwide presence is the lowest in history. Budgets of the 1980s would have listed at least $100,000 per month in expenses to have a business handling international customers 24 hours a day, 7 days a week. Today those same budgets are closer to $5,000 per month, and some are much lower. Yet the quality of service that the customers of these businesses expect continues to climb.

With these demands you need a scalable sales force, immediate, accurate and secure information exchange, automatic delivery of products, and accurate tracking information for package delivery. In this article we will discuss the issues in constructing a web site that can give you all of this and much more. However, there are some pitfalls to be watchful of. The anonymity of the people buying from you can make you feel like you are talking to Mr. X. You rarely have the chance to speak directly with your customers. It is also far more difficult to get a feel for the size and condition of your vendors and your competitors. You have to help your customers overcome the fear that many people have of putting their credit card number into a form on a web page. Using and understanding eCommerce can give you a strong advantage over your competitors while providing greater value and comfort to your customers.

How eCommerce is Different from Normal Business

eCommerce is very similar to the mail-order business. You normally do not have your customer right in front of you to compare their signature with the one on the back of their credit card. You do have an advantage in eCommerce in that you can track exactly where your customer is "calling" from. This can help to reduce fraud, unlike mail-order and other types of communication. It also doesn't cost you any more to be open 24 hours a day, 7 days a week.

You have the opportunity to give your customer more information about their purchase, both in terms of product information and in delivery tracking; you can provide direct links to shipping services with tracking numbers and much more. With many of the emerging payment technologies you will also be able to offer smaller priced items for sale. For example, access to a complete news story for 50 cents is now practical in eCommerce, but it would be silly to do with mail-order. If you sell electronic products, like software, your customer doesn't have to wait for overnight delivery services; you can give them immediate delivery once the payment has been cleared.

To make sure that all of this access to information is accurate and secure, there are some precautions that you should take. Don't be like most people and assume that eCommerce is just an electronic catalog on an SSL server. These are the same people that are happy to accept the price for a product from a static HTML page. That would be like honoring a faxed order form on which a customer has written their own prices; imagine buying a new PowerBook 1400 cs for, oh, how about $10. We will come back to this issue later. First, what do we mean by an SSL server?

What is SSL?

SSL stands for Secure Sockets Layer. This is the technique by which web servers and web browsers encrypt and decrypt all of the information that they transmit and receive. Secret decoder ring time. Both ends establish and use the same scheme for making sure that no one else is listening to their conversation. Web browsers will typically indicate a secure connection with an alert when the connection is first established and with a key graphic somewhere in the window. As of this writing (August 1997), the only current SSL server implementation available on the Macintosh is from StarNine, WebStar SSL.

SSL encrypts every bit of data that is transmitted from the server to the customer and vice versa. Think about that one, every bit of data, text, pictures and all. This can be very wasteful if you don't use it carefully. Not to mention the fact that there are still some browsers out there that aren't capable of SSL and those users wouldn't be able to access the secure part of your site. You don't want to slam the door on any customers. So now that we have a technique to keep our conversation private, what does the conversation look like?

Flow of an eCommerce transaction

We often describe the web as being analogous to doing business with faxes. Imagine that the home page of your site is a fax back form. You have checkboxes for people to indicate what they are interested in and, in return, you send them another fax. The customer then fills out some more check boxes and we continue the exchange until they get what they want. The web is very similar: the site must respond with a page which elicits more information from the customer, guiding them to their buying decision.

The basic flow of an eCommerce site has 4 major sections: 1) Entry & Search, 2) Results, 3) Invoice, 4) Thank You. Each of these sections can be a single page on simple sites, or become complete sections on more complicated sites. On the Entry & Search page you must have some way for the customer to select what they want to see. (This actually can be embedded right in the Entry page if you only have a few products, but to keep the flow simple we'll assume that it is its own page.) On the Results page you display information about a product or products and the option to add it to the customer's shopping cart or Invoice. Once you are on the Invoice page you collect the necessary payment information from the customer and complete the order. These steps are illustrated in Figure 1.

Figure 1. Flow of an eCommerce Web Site, courtesy of Pacific Coast Software.

Here are some sites that follow the above flow, just to mention a few:

As you can tell from this type of flow, all of the pages past the entry page are returned from a CGI. There are a number of commercially available CGIs designed for both database access and the complete eCommerce process, including WebCatalog from StarNine, Tango Merchant from Everyware, Icat from Icat, and many others, both commercial and shareware. You can even write all of this interaction in your own CGI with AppleScript, Frontier or another programming language. Many of the commercial products have their own language to help you. Let's spend just a few minutes talking about the key functions required for the CGI to handle the eCommerce transaction.

Tracking the customer

Of primary importance in any transaction is that the customer feels comfortable with your communication. To make it seem like the website is talking to each customer individually, you must track who the customer is and what they are interested in. The most common way this is achieved on the web is with the shopping cart concept. This allows many different people to be shopping on your site and all have their own sets of items in their cart. In our fax back example you would have to use something like the fax number to keep track of each customer. The equivalent with the web would be the IP number (known as IP tracking). The one major difference is that a customer's fax number doesn't change very often, while a customer's IP number can change every time they connect to the Internet -- for those people using dial-up accounts or other dynamic addressing situations -- so IP numbers are not a very reliable way to track customers.

Another common tracking technique is cookies. You can have your website put a cookie onto the customer's machine so that it maintains important information, like the contents of their shopping cart. A better technique that I have found is tag propagation. In this technique, the first page that someone hits when they enter the site assigns a unique number, something like the number of seconds since 1904. This number is in turn passed through every page on the site, and the shopping cart information is stored in a file with that number on the server. This allows a customer to disconnect (by choice or happenstance) from the Internet and not lose the shopping cart information. This can be very important in situations where buying approval from someone else is required for the purchase. Most of the commercial products include a way of doing this. With WebCatalog you insert a cart=[cart] parameter into every HREF and form on your site.

Tracking the customer is very useful not just for the convenience of a shopping cart, but for things like tracking down people that you think are using stolen cards and, more importantly, for that all-elusive goal of making the site more usable. Correlating this tracking information with the general web server logs can reveal trends among the people visiting your site: are they getting all the information they need to make a buying decision, are they understanding the buying process, are they losing interest after a certain amount of time? One big advantage of this tracking log is that you can look for all the searches that people are doing on your site where they are not finding any products. Maybe you should describe the products more effectively. All of these answers can help you understand ways to change your site to make it more useful.
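Tag propagation as described above, as an added Python sketch (not code from the article or from WebCatalog). The function names and the `.json` cart files are assumptions; the tag is random rather than the clock value the article mentions, so one shopper's tag cannot be derived from another's, and it is checked against a fixed pattern before it is used as a file name.

```python
import json
import re
import secrets
import tempfile
from pathlib import Path
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: carts live in a folder outside the web server's folder tree.
# A temporary directory stands in for it so the example runs anywhere.
CART_DIR = Path(tempfile.mkdtemp(prefix="carts-"))
TAG_RE = re.compile(r"[0-9a-f]{32}")


def cart_path(tag):
    """Map a tag to its cart file, refusing anything that is not a well-formed tag."""
    if not isinstance(tag, str) or not TAG_RE.fullmatch(tag):
        raise ValueError("malformed cart tag")
    return CART_DIR / (tag + ".json")


def save_cart(tag, items):
    cart_path(tag).write_text(json.dumps(items))


def new_cart_tag():
    """Called by the entry page: issue a tag and create its empty cart."""
    tag = secrets.token_hex(16)
    save_cart(tag, [])
    return tag


def load_cart(tag):
    """Load a cart; a tag the server never issued has no file and is rejected."""
    path = cart_path(tag)
    if not path.exists():
        raise KeyError("no such cart")
    return json.loads(path.read_text())


def add_to_cart(tag, sku, qty):
    items = load_cart(tag)
    items.append({"sku": sku, "qty": qty})
    save_cart(tag, items)
    return items


def propagate(href, tag):
    """Carry cart=<tag> on a link within the site, replacing any old value."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        return href  # links to other sites never receive the tag
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "cart"]
    query.append(("cart", tag))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    tag = new_cart_tag()
    add_to_cart(tag, "PB3400", 1)
    print(propagate("/results?sku=PB3400", tag), load_cart(tag))
```

Because the cart lives on the server under the tag, a customer who reconnects with a new IP number still reaches the same cart through any link that carries the tag.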

Calculating Accurate Invoices

The hardest part about calculating invoices is the same as with fax transactions: you have to wait until you get all of the information from the customer before you can have accurate results. The most obvious place this happens is on the invoice page. Let's just say we had SKU, TITLE, QUANTITY and PRICE on our invoice. In the simplest case the customer gets to the invoice from the result of a search, usually with a simple hyperlink, so you assume a quantity of one. Since you want to allow the customer to order more than one of a product, you make the QUANTITY an input field on the invoice. To provide as much feedback as possible there may be a subtotal and other information on the invoice, so if the user changes the quantity, they may no longer have accurate information.

This should be the first area of concern for the WebMaster. Once the customer has chosen some products, is the subtotal always accurate? Do they understand what they are looking at? Are there any ways to get the system to accept a "bad" subtotal? If the eCommerce product does not confirm the field "PRICE" from the web page with the value in the database, it will accept whatever the incoming page said the price was. What does that mean? You may have a sneaky customer looking at an invoice for a PowerBook 3400. The original page from the web server says the price is $3799. The sneaky customer can save the web page locally as source from his web browser, open the file with SimpleText and change the price to $10. Now the sneaky customer uses his web browser to view that file, fills in the rest of the purchase information and submits the form to the web server. Obviously, you must make sure that your site uses the "real" price for the PowerBook and not the $10 price!

This is just a simple example of calculation issues; add in taxes and shipping costs and you can see that this can easily get very complex. The best way to overcome these issues is to split the invoice into two pages, a proforma invoice and a final invoice. Most of the commercial products do a very good job taking care of these situations. The proforma invoice shows a listing of the shopping cart, possibly with a subtotal, as well as any other information that you need to complete a final invoice, like quantity for each item, what state they are buying from to help with the tax calculation, choice of shipping method etc. Collecting all of that information will allow you to calculate and display a final invoice. With Lasso and Tango you can communicate back to your current database, SQL, FileMaker etc., to calculate these numbers for your website. Not until you get to the Invoice page is any information sensitive. From this point on, you want to make sure that you are communicating only with the customer. You should make sure that no one is listening in.
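The PRICE check from the previous paragraph and the final-invoice step described here, as an added Python example (not code from the article or from any of the products it names). The catalog entries other than the $3799 PowerBook 3400, the tax rate, the shipping charges and all function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed sample data standing in for the merchant's database.
# Only the $3799 PowerBook 3400 price comes from the article.
CATALOG = {
    "PB3400": {"title": "PowerBook 3400", "price": Decimal("3799.00")},
    "CASE01": {"title": "Carrying case", "price": Decimal("49.00")},
}
TAX_RATES = {"CA": Decimal("0.0825")}  # constructed; other states untaxed here
SHIPPING = {"ground": Decimal("15.00"), "overnight": Decimal("45.00")}
MAX_QUANTITY = 99
CENT = Decimal("0.01")


def subtotal_trusting_form(form):
    """The flawed version: multiplies whatever PRICE the submitted page carried."""
    return sum(Decimal(l["PRICE"]) * int(l["QUANTITY"]) for l in form["lines"])


def parse_quantity(raw):
    """Accept only a plain positive whole number within a sane bound."""
    text = str(raw).strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("quantity must be a whole number")
    qty = int(text)
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return qty


def price_matches(submitted, real):
    """True if the PRICE echoed back by the browser equals the database price."""
    try:
        return Decimal(str(submitted).strip().lstrip("$")) == real
    except InvalidOperation:
        return False


def final_invoice(form):
    """Recompute everything from the database; the form supplies choices only."""
    lines, mismatches, subtotal = [], [], Decimal("0")
    for line in form["lines"]:
        product = CATALOG.get(line.get("SKU"))
        if product is None:
            raise ValueError("unknown SKU: %r" % line.get("SKU"))
        qty = parse_quantity(line.get("QUANTITY", "1"))
        # A submitted PRICE is never used for arithmetic. It is only compared,
        # so that an edited page shows up in the order log.
        if "PRICE" in line and not price_matches(line["PRICE"], product["price"]):
            mismatches.append((line["SKU"], line["PRICE"]))
        extended = product["price"] * qty
        lines.append((line["SKU"], product["title"], qty, extended))
        subtotal += extended
    if form.get("shipping") not in SHIPPING:
        raise ValueError("unknown shipping method")
    rate = TAX_RATES.get(form.get("state"), Decimal("0"))
    tax = (subtotal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
    shipping = SHIPPING[form["shipping"]]
    return {"lines": lines, "subtotal": subtotal, "tax": tax,
            "shipping": shipping, "total": subtotal + tax + shipping,
            "price_mismatches": mismatches}


# Constructed submission: the invoice page with its PRICE field changed to 10.
EDITED_FORM = {
    "lines": [{"SKU": "PB3400", "QUANTITY": "1", "PRICE": "10"}],
    "state": "CA",
    "shipping": "ground",
}

if __name__ == "__main__":
    print("trusting the form:", subtotal_trusting_form(EDITED_FORM))
    invoice = final_invoice(EDITED_FORM)
    print("from the database:", invoice["total"], invoice["price_mismatches"])
```

The `price_mismatches` list is worth writing to the order log together with the cart tag, since it records submissions whose page no longer matched what the server sent.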

Security Concerns

Areas where we DO care about security

As mentioned in the section about SSL, we do want to protect the transmission of sensitive information with something like SSL to keep the eavesdroppers away, but another equally important issue for security is protection from attacks on your web server. These come from people trying to find credit card numbers in accounting logs, or just trying to steal products or buy them at ridiculously low or free prices. Prevention of this type of security breach is the most overlooked area. Much of the information on the machine should not be accessible at all. You don't want people knowing even about access statistics without you knowing about it.

The first obvious area to secure is the accounting files. Let's say the web server is doing a great job of keeping people out of sensitive areas, but the same machine is also your ftp server. People are prevented by the web server from getting to your accounting log, but maybe there is a security hole because your ftp server software allows access to this log. So my first advice is to limit the access protocols to all sensitive data: 1) store your accounting logs and other sensitive files outside of the web server folder (WebStar and many other web server products will not serve files outside of their folder tree), and 2) don't run ftp and other protocol services on the same machine. Also, make sure that if you are delivering electronic product, only the person that bought it gets it. For this you should either be copying the product to some unique place only that person is given access to, or have a one-time password scheme allowing only one shot at downloading the product.
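The one-time password scheme for electronic delivery mentioned above, as an added Python sketch (not code from the article or its products). The function names, the one-day validity window, the in-memory table and the sample order and file names are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

DOWNLOAD_WINDOW = 24 * 3600  # assumption: the password is good for one day

# Digest of each issued password -> grant record. A real site would keep this
# with its order records, outside the web server folder.
GRANTS = {}


def digest(password):
    """Only the digest is stored, so the table itself cannot be used to download."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def issue_download(order_id, product_file, now=None):
    """Call once payment has cleared; returns the password to send the buyer."""
    now = time.time() if now is None else now
    password = secrets.token_urlsafe(24)
    GRANTS[digest(password)] = {
        "order": order_id,
        "file": product_file,
        "expires": now + DOWNLOAD_WINDOW,
        "used": False,
    }
    return password


def redeem_download(password, now=None):
    """Return the product file for one valid use of the password, else None."""
    now = time.time() if now is None else now
    grant = GRANTS.get(digest(str(password)))
    if grant is None or grant["used"] or now > grant["expires"]:
        return None
    grant["used"] = True  # the single shot is spent before the file is served
    return grant["file"]


if __name__ == "__main__":
    # Constructed order number and file name.
    pw = issue_download("order-1001", "products/widget.sit")
    print(redeem_download(pw))   # the file, once
    print(redeem_download(pw))   # None on any later attempt
```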

The concern of the web server allowing access to files that are sensitive is best taken care of by your disk organization. Below is a screen shot of a sample organization of your web server folder structure using WebStar and WebCatalog:

Figure 2. Folder Structure for a typical web server.

Figure 3. Folder structure inside WebStar.

Figure 4. Folder structure inside WebCatalog.

Areas where we DON'T care about security

There are many areas within the selection and buying process that are considered public information and therefore don't need security. In fact, the whole process would be slowed down if it sent everything through an SSL server. Imagine if you received a mail-order catalog from MacWarehouse or Club-Mac and you had to put a decoder ring over each letter to figure out what it really was; that would take you hours just to read one page. That is what your browser is doing with SSL data. So, big picture, you only want to use SSL when you are expecting sensitive data from the customer, like a credit card number. Protect that from eavesdroppers with SSL; everything else should go through the non-SSL server.

Conclusion

eCommerce is more secure than most business we conduct every day and is getting better every minute. Knowing various hacking techniques on the Internet and having built an eCommerce package, if I wanted to get a few credit card numbers I would head for the local bar and go through the dumpster long before I would start going after websites. Give yourself time to understand and work with your new sales force. A properly constructed website benefits the consumer with up-to-the-minute information and immediate response. The same website serves as hundreds of sales people for the merchant, all trained with exactly the right information as well as access to tracking information etc. The positive return for the customer and the merchant will help to overcome the myth and fear of the security on the Internet. I would like to end on an observation about most credit cards: even if the card is stolen, the owner is only liable for $50.

There are a variety of tools on the market to help you construct your eCommerce web site. Each has its own strengths and weaknesses. To choose the best for your needs, you must carefully research the speed and responsiveness of the server under load, how the tools handle the security areas, and your database connectivity needs, including whether they have to handle a live existing database. You can find more information to help you with your research at these web addresses:


Jay Van Vark is the founder and CEO of Pacific Coast Software, an Internet commerce tool and commerce site hosting company, developers of WebCatalog & WebMerchant, marketed by StarNine. Jay has an engineering background and continues to do much of the engineering on the products and services that Pacific Coast Software offers. He is also an active speaker with the MacCryptography conference as well as other Internet & Macintosh conferences. You can reach him at jayv2@pacific-coast.com.

 

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.