A Possible Vulnerability: Store and Forward
By placing an order with a merchant using either a Buy Button or a Shopping Cart Order, Eve[1] can copy the URL with the XML encoded document and store it to her local machine. She edits the URL, changing the amount of the transaction to a lower amount, and then pastes this URL back into her web browser and executes the redirect. The transaction proceeds as normal. If the merchant does not validate the total amount of the transaction against the shopping cart or catalog value before fulfilling the order, Eve has effectively marked down the price of her purchase without the merchant’s knowledge.
If the merchant does notice that the amount is incorrect and does not fulfill the order, there are three possible scenarios:
- The merchant discards the order and credits the original amount back to the cardholder, absorbing any transaction charges as the cost of doing business.
- The merchant contacts the cardholder to request payment of the remainder of the amount owing. Eve would most likely claim that this was the price advertised on the web site and that the merchant is obligated to fulfill the order at this price. The merchant has no evidence with which to refute Eve’s claim.
- The merchant reports Eve’s attempt to the authorities as attempted fraud. Provided the fraudulent amount is large enough, and Eve resides in the same jurisdiction as the merchant, this response might be reasonably successful. Eve, in her defense, could mount the same rebuttal as in the previous scenario. Alternatively, Eve could ensure that she does not live in the same province or country as the merchant, and that her fraudulent attempts stay under the threshold amount that would trigger a robust response from the authorities.
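The merchant-side check the scenario above turns on, as an added example in Python (not code from this paper or from the payment system it analyses): the order document carried in the redirect URL is parsed, its total is recomputed from the merchant's own catalog, and, as an additional hardening the paper does not describe, the document is keyed with an HMAC when the URL is built so that any edit made after it left the merchant is detectable. The gateway URL, parameter names, catalog, secret and sample order are all constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from decimal import Decimal
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed merchant catalog and server-side secret (assumptions, not from the paper).
CATALOG = {"SKU-100": Decimal("49.95"), "SKU-200": Decimal("12.50")}
MERCHANT_SECRET = b"constructed-example-secret"
GATEWAY = "https://gateway.example/pay"  # hypothetical gateway endpoint


def order_mac(order_xml):
    """HMAC over the exact XML text that is placed in the URL."""
    return hmac.new(MERCHANT_SECRET, order_xml.encode(), hashlib.sha256).hexdigest()


def build_redirect_url(order_xml):
    """Merchant side: put the XML order document and its MAC into the redirect URL."""
    return f"{GATEWAY}?{urlencode({'order': order_xml, 'mac': order_mac(order_xml)})}"


def catalog_total(order_xml):
    """Recompute what the order should cost from the catalog, ignoring the amount it claims."""
    total = Decimal("0")
    for item in ET.fromstring(order_xml).iter("item"):
        total += CATALOG[item.get("sku")] * int(item.get("qty"))
    return total


def amount_matches_catalog(order_xml):
    """The check the paper names: claimed amount must equal the catalog value of the cart."""
    claimed = Decimal(ET.fromstring(order_xml).findtext("amount"))
    return claimed == catalog_total(order_xml)


def validate_order(url):
    """On return from the gateway: reject if the MAC fails or the amount disagrees with the catalog.
    Either check alone catches the lowered-amount replay; together they also catch other edits."""
    params = parse_qs(urlparse(url).query)
    order_xml, mac = params["order"][0], params.get("mac", [""])[0]
    if not hmac.compare_digest(order_mac(order_xml), mac):
        return False, "MAC mismatch: order document altered after it left the merchant"
    if not amount_matches_catalog(order_xml):
        return False, "amount does not match catalog total"
    return True, "ok"


# Constructed sample order: 2 x SKU-100 + 1 x SKU-200 really costs 112.40.
ORDER = ('<order><merchant>shop-123</merchant>'
         '<item sku="SKU-100" qty="2"/><item sku="SKU-200" qty="1"/>'
         '<amount>112.40</amount></order>')
```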
[1] When discussing security, it is common to describe various scenarios for analysis. In these scenarios, a malefactor trying to break into a system or compromise its security or integrity is often personified by the name "Eve." With apologies to all people named Eve who are honest, well-intentioned and honourable people, this paper will continue with this tradition.