Web Hosting Talk

[News] Security hole exposes Tower Records


NelsonT
12-08-2002, 09:24 PM
It seems to be very hard to complete a bug-free and safe e-commerce website.

"The security leak arose out of a programming error in a script called 'orderStatus.asp.' When customers requested information on their order via the Tower site, the script called up the record, displaying the order number as part of the URL of the resulting page."

From http://zdnet.com.com/2100-1105-976271.html

Zen
12-08-2002, 10:15 PM
I've seen that happen before on a free SMS site from a major telecom company. Just had to change the one digit on the URL and you could view someone else's SMS message including phone number. :D

Going back to the Tower Records website, there is a typo on one URL, where they have missed out the "s" from https on the link to create an account on the Wish list page. Data is sent unencrypted without it.

Click

http://www.towerrecords.com/wishlist/wishlistSelect.asp

Notice the link below the left-hand search icon "Sign Up": it's not https

http://www.towerrecords.com/registration/CreateAccount.aspx

<FONT class=body>Don't have a TowerRecords.com account? <A
href="/registration/CreateAccount.aspx">Sign up!</A> </FONT>
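
Added example, not part of the thread and not Tower Records' code: a sketch of the order-lookup flaw discussed above next to a version that ties the record to the logged-in session and records denied lookups for alerting. It assumes the original script selected the record from the order number in the URL without checking who was asking; all names, order numbers and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample records; order numbers, users and items are invented.
ORDERS = {
    1001: {"owner": "alice", "items": ["CD"]},
    1002: {"owner": "bob", "items": ["DVD"]},
    1003: {"owner": "bob", "items": ["CD", "CD"]},
}
DENIED = []  # (session_user, order_id) pairs kept for alerting


def order_status_unchecked(order_id):
    """Assumed flaw: the record is selected by the URL parameter alone."""
    return ORDERS.get(order_id)


def order_status_checked(session_user, order_id):
    """Return the order only when it belongs to the logged-in user."""
    if session_user is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same error for "missing" and "not yours": the response must not
        # confirm which order numbers exist.
        DENIED.append((session_user, order_id))
        raise LookupError("order not found")
    return order


def users_probing(threshold=3):
    """Users with at least `threshold` distinct denied order numbers."""
    distinct = Counter(user for user, _ in set(DENIED))
    return sorted(u for u, n in distinct.items() if n >= threshold)
```
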