E-coupons pose a risk to merchants if coupon numbers are close to each other sequentially. One retailer saw some of its high-priced items selling for a few dollars after a hacker wrote a script to uncover coupon numbers that differed by only a few digits, Grossman said. The retailer discovered the problem when its system logs uncovered an abundance of orders being processed at night while the hacker's script ran.

Hackers can persuade other Web surfers to solve Captcha tests for them by luring them to Web sites with the promise of free music or adult content. Captchas require a person to decipher a string of jumbled characters to sign up for services such as a Web e-mail account. The Web surfers solve the Captchas, which are sent via proxy server to the hacker, who then uses them to sign up for multiple e-mail accounts for sending spam or some other activity.

"As long as you have enough users coming to your Web site, you have the Captcha solved," said Grossman. "Bad guys want to defeat these Captchas so they can spam us."

Another flaw is granting users access to all parts of a Web site when they have a login or password for a particular service there. For example, employees at an Estonian firm signed up for the Business Wire press release service in 2004. It figured out that URLs on the site sometimes contained information about news releases that had not yet been made public. Using a program that searches for URLs, the employees at the firm were able to uncover sensitive business and financial information. After buying and selling stock based on this information, the employees made $7.8 million, but were also hit with fraud charges by U.S. regulators.