Every day, millions of consumers jump online to purchase products they want and return those they don’t. However, if online retailers have critical weaknesses in their database architecture, they may be susceptible to significant financial loss from digital shoplifting. For example, digital shoplifters can manipulate transactions to their benefit so that a shopper buys a pack of $10 pens online, adds a $2,000 laptop during checkout, but pays only for the pens. Another shoplifter can trick a retailer into accepting a $50 gift card that allows them to spend $500. Could your business be at risk?
In November and December of 2017 consumers spent $108.15 billion online — a 14.7% increase from the 2016 holiday season — but lost significant revenue due to shrink (a loss of inventory related to theft, shoplifting, error or fraud). To put things in perspective, shrink cost retailers about 1.33% of sales on average in 2017 — a total impact on the overall U.S. retail economy of a whopping $46.8 billion. In today’s rapidly expanding and competitive online retail environment, the stakes are higher than ever, with the potential to have a significant impact on our global economy.
What Causes Digital Shoplifting?
Researchers at Stanford University found that e-Commerce applications rely on databases that execute transactions using weak isolation. Under the right conditions, weak isolation allows conflicting transactions to complete simultaneously based on the same data — like an account balance, airline tickets or a store’s inventory. Multiple reads, writes and transactions based on the same data result in ‘concurrent anomalies’ that corrupt the data to the benefit of an attacker. Worst of all, by the time the anomalies are resolved, the digital shoplifters have usually moved on to another site running vulnerable e-Commerce software.
The Stanford researchers explored problems in 12 popular e-Commerce applications deployed on over two million web sites, verifying 22 critical vulnerabilities that allow attackers to corrupt store inventory, overspend gift cards or store credit and steal inventory. Vulnerable e-Commerce software includes Broadleaf, Lightning Fast Shop, Magento, OpenCart, Oscar, PrestaShop, Ror_ecommerce, Saleor, Shopizer, Shoppe, Spree and WooCommerce. The researchers did not analyze hosted e-Commerce software like Shopify.
What Does Digital Shoplifting Look Like?
Once an e-Commerce site’s vulnerability has been detected, digital shoplifters are able to wreak havoc in a variety of different ways. For example, cyberthieves can transfer the same funds multiple times — an account balance can show $1,000 and someone can make two separate withdrawals for $990 at the same time before the data is resolved.
On e-Commerce sites, a digital shoplifter with multiple browser windows open on the same online store can be at the point of checkout in one browser, add an expensive item like a laptop to the cart from another browser, and then check out without paying for that last purchase. These vulnerabilities can also result in double-booked airline tickets, hotel reservations and movie tickets. For example, if three people click on the same airline seat or the last hotel room at the same time, each person thinks he or she has it, but two will be left a few hundred dollars out of pocket with no reservation to their name.
How Does Digital Shoplifting Happen?
E-Commerce sites that are vulnerable to digital shoplifting do not have processes in place to ensure that transactions are executed correctly. Without a strong database architecture, e-Commerce sites ultimately provide a poor customer experience (slow loading times, latency issues, etc.). A common example is not being able to purchase a concert ticket when the source says there are tickets still available.
Fortunately, there are strategies to combat latency while still optimally securing transaction execution. These strategies include efficient queueing mechanisms (such as a countdown clock) that preserve information throughout a transaction — allowing transactions to proceed in parallel where the contention does not require mutual exclusion in transaction execution. Most consumers are familiar with this solution when purchasing something like concert tickets, often seeing a countdown clock showing how much time is left to make the purchase before the session expires. These types of e-Commerce sites have a high volume of transactions running at ultra-fast speeds and are at a high-risk unless the web site architecture is designed with strong transaction guarantees — specifically, strong isolation and serializability. Given the computing power of today’s database platforms and the ability to accelerate transactions with new and additional hardware, it’s surprising that more databases do not offer serializable transactions. This method ensures allocation for limited items like concert tickets, without getting scammed in the process.
Don’t trust that your e-Commerce software and database architecture are protecting your site from digital shoplifters. In order to ensure your site is secure, IT departments and decision makers should talk to the architects who run their database platform to confirm if their shops are running one of the vulnerable e-Commerce applications.
Spencer Kimball is the co-founder and CEO of Cockroach Labs, where he maintains a delicate balance between a love for programming distributed systems and the excitement of helping the company grow smoothly. He cut his teeth on databases during the dot-com heyday and had a front-row seat at Google for a decade’s worth of their evolution.