How this Retailer Could have Kept my Business with Better IT Security Process

Posted by Heather Howland on Nov 3, 2017 8:24:28 AM

Hmm, I thought I remembered my password. As I try to log into my account with a large retailer known for their athletic wear, I click the forgot password link. I enter my email address.

In red letters I see “email address/account does not exist.”

What? Must have misspelled it. Nope. Again I see “email address/account does not exist.”


Being in IT Security, the hair on the back of my neck rose. I immediately fear my account has been compromised. I frantically look for a support number. I dial the phone number to speak with someone in the guest education centre (GEC). There is a 45 min phone wait, so I click on the chat help function and click connect.

After waiting 30 min to connect to chat (these people need more customer service people!) the chat agent says:

“you don’t have an account. I see you have purchased before, but you did so anonymously. I would be happy to create a new account for you.”

I tell her that no, that’s not correct. I have had an online account with them for years.

“Well you must not have had an actual account because my system shows you as purchasing items anonymously. I’m happy to create one for you. I can do that right now.”

I know this is not true. I did have an account. When I tell her I fear there has been a security compromise and that I’d like to speak with someone more knowledgeable about security I’m floored.

“No. Sorry, only I can help you. There is no one else. I can just create a new account for you.”

I respond no thank you and end the chat with no escalation.

Anger, frustration, fear. They did not seem concerned about my security issue at all. No path to resolution. I quickly look at activity on my credit cards. No suspicious purchases yet; that’s something.

I need to actually talk to a live person, so I call in and wait almost an hour after being told there is a 45 minute wait.

Finally a live person. Fast forward: essentially I go through the exact same conversation with the agent as I did on chat. The live rep from the GEC says:

“Looks like you don’t have an account. I can create a new account for you.”

I respond firmly, “NO! I need to find out what happened to my original account. I did have one.” I press on and have to insist there is a security issue and she needs to take this seriously.

She relents, digs in further, and actually finds my account. Relief. After at least an hour and a half they have finally confirmed I have, or had, an account.

“That’s strange, it looks like you changed your login to a nonsense email. But you don't have the ability to change your login.”

OK, since "I" can't change it, that seems suspicious now, doesn't it! She gives me the nonsense email and a temporary password over the phone. I log in successfully. I see all my past orders, so yes, confirmed. It is my account.

And then I see it. There is a new Ship To address, one I’ve never seen before, in Delaware. I copy the address and do a quick web search, and what pops up are 10 “SCAM - Beware of this address” links.

Just as I feared. I tell the agent I need to speak with someone in IT or Security right now.

I am now over two hours into this process and I am finally forwarded to someone in IT. It’s the company’s internal IT group for employees, not customers, but, hey, I’ll take it. I’m getting closer to someone that might be able to help me.

“Yes, this does sound suspicious. The only thing I can do is create a ticket for the security team. They can investigate it. Call me back tomorrow and I’ll try to give you an update if I have one.”

Two and a half hours.

Exhausted.

I call the next day (why couldn’t they proactively call me?) and the rep I spoke with has gone for the day. Nobody else there can help me and I’m told to call in tomorrow.

Two days later, I speak with the IT person who says,

“Yes, your account was compromised. Security has confirmed it. I can’t help you because I’m in internal IT. Please send the security team an email at this address and they’ll get back to you…”

Good grief, now I have to send an email? Why couldn't they have sent me an email right away telling me to do this rather than making me call in? And why isn’t someone from security reaching out to me directly? Why didn’t they give me that email address two days ago?

Another day goes by, but security finally responds to my email and calls me. They said they recognized it was a fraudulent shipping address, so they cancelled the order and purposely killed my account by changing the login email to a nonsense one. I asked when this happened.

"It happened about 2 months ago."

OK.

In the end it took almost FOUR days for me to speak with someone who could tell me what happened, answer where my account went, and admit there was an issue two months ago that nobody told me about.

AND, there is no way to recover my account. All my past history is gone. Along with my spirit.

A benchmark report from New Voice Media found that 62 billion dollars was lost in 2016 due to poor customer service.

This entire experience dealing with the company was exhausting and unsatisfying. I don’t view their brand the same anymore and I’m not sure I will shop there again. If I had not been savvy from a security perspective, I probably would have just had the new account created and been none the wiser.

The fact that my credentials were compromised, and the fact that customer service didn’t instinctively think there was a security issue, were not exactly a surprise to me. In the latest Verizon Data Breach Investigations Report, 81% of data breaches involved weak or stolen credentials. And another study, on the Growing Security Threat of Insiders, found that even though 95% of organizations provide security training, only 10% believe the training is very effective.

How could this have gone better? Wow. In so many ways!

Here are a few ideas on how they could better address both customer service and preventing credential compromise. In the end these things can go a long way to retaining customers and keeping the bottom line growing in the right direction.

4 Things Online Retailers can do to Better Address Customer Security Concerns/Issues and Retain Customers

  1. IT Security Awareness for Customer Service
    Customer service is the front line of every business. They need to be trained to identify possible security concerns, and if a customer “thinks” there is a security issue, don’t argue with them or dismiss their concerns. A customer is voicing distress, and it’s possible the security team isn’t aware of the issue, so it needs to be taken seriously. Customer service needs to be given a clear path on how to escalate these types of customer concerns to a specialized team that can address them.
  2. Provide a Security / Fraud Hotline
    If people think there is a security issue, assume there is and give them a quick, easy path to get support fast.
  3. Be Proactive with Communications
    If a customer thinks they were a victim of fraud, or if the company knows a customer is a victim of fraud, provide timely and clear communications. Tell them exactly what happened to their account and how/when they were exposed. Proactively reach out to them. Don’t put the burden on the customer.
  4. Add Multi-Factor Authentication
    Adding some type of multi-factor authentication to the checkout process when an address different from the billing address is used for shipping can help verify that the transaction and the buyer are legitimate. This would let a customer know in real time if someone might be trying to use their credentials, allowing them to deny the transaction and quickly remedy the situation. It could also prevent having to completely kill someone's account. This blog on "Finding Nirvana: Preventing Threats vs Disrupting Business" talks about more ways that MFA can be used for threat prevention.
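As an added illustration of items 3 and 4 (example code written for this post, not the retailer's system or anything from the original), the checkout policy below challenges for a second factor only when the ship-to address is neither the billing address nor one the account has used before, and hands the customer a real-time notice instead of silently killing the account. The `Account` fields, the sample addresses and the shared secret are constructed; the one-time code is standard RFC 6238 TOTP.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    billing_address: str
    known_ship_to: set = field(default_factory=set)  # addresses already verified by the customer
    totp_secret: bytes = b""  # constructed: secret shared with the customer's authenticator at MFA enrollment


@dataclass
class Decision:
    action: str             # "allow" or "step_up"
    reason: str
    notify: Optional[str]   # real-time message to the customer, if the order needs confirmation


def normalize(addr: str) -> str:
    """Compare addresses case- and whitespace-insensitively so trivial edits don't bypass the check."""
    return " ".join(addr.lower().split())


def evaluate_checkout(acct: Account, ship_to: str) -> Decision:
    """Step up to a second factor for any ship-to address the account has never verified."""
    wanted = normalize(ship_to)
    known = {normalize(acct.billing_address)} | {normalize(a) for a in acct.known_ship_to}
    if wanted in known:
        return Decision("allow", "ship-to address previously verified", None)
    return Decision("step_up", "new ship-to address",
                    f"A checkout to a new address was started on {acct.email}. "
                    "Enter the code from your authenticator to approve it, or deny the order.")


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def complete_step_up(acct: Account, ship_to: str, submitted: str, now: int) -> bool:
    """Approve the order only on a valid code; the address then becomes known so repeat orders are not re-challenged."""
    if not hmac.compare_digest(submitted, totp(acct.totp_secret, now)):
        return False
    acct.known_ship_to.add(ship_to)
    return True
```

A denied or failed challenge is the point at which the security team should be alerted and the customer contacted, rather than the account being quietly disabled.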

Taking customers’ IT Security concerns seriously is extremely important. It can have a huge impact on the business, both in terms of customer retention and protecting an organization from a security breach.
