Collateral Damage: Top 5 Reasons You Should be Scared of Your Customers

Ken Munro 26 Nov 2015


Is this the elephant in the room? Customers consider the security of their data stored on your web site to be your problem, even if they take no care when sharing it with you.

You need to be aware of this if you’re to stop your business being the victim of collateral damage from data breaches elsewhere.

Here are our top 5 reasons to think deeply about the problems that your customers can cause for you.

We’ve also recorded a video with BrightTalk explaining this; it just needs you to log in or register.

Number 5: 2 Factor Authentication

Customers want the benefit of security but they don’t want the overhead of dealing with it themselves. What happens (or is likely to happen) when you introduce 2FA to the process to improve security? “Damn, where did I put my phone” they say, and your transaction completion rate drops.

If you do see 2FA having an impact on shopping cart completion rates, have a think about what the consequences of a data breach might be if your customers’ accounts were compromised as a result of no 2FA. Which has a bigger effect on revenues: lower completion rates or a significant data breach? Ask yourself that.

There’s some more advice below about 2FA and mobile apps, where there is far less of an impact.

Number 4: Weak mobile app security

Customers will use your mobile app on their phone, often with no PIN on the phone itself. Their password to your app is stored on that phone. No PIN = almost no security. When the phone is lost and suddenly there are a bunch of fraudulent transactions on their account on your ecommerce site, is that your fault or the customer’s fault?

The phone itself can be a source of a third-party data breach too, resulting in collateral damage to you, particularly where re-used passwords are stolen from the phone.

Number 3: Jailbroken and rooted mobile devices

What about when a customer installs your app on their rooted or jailbroken phone? This causes all sorts of problems as they have effectively removed the security controls that the device came with. This means that there is an opportunity for their password to your app to be stolen through malware and rogue apps. Verify that your mobile apps won’t run on rooted or jailbroken devices, unless you can deal with the implications of customers’ accounts being compromised.

Number 2: Phone scams aren’t their fault, right?

Customers perceive that any access to their data is your fault. Even if your environment wasn’t compromised, just by the scammer quoting your business name on a phone call to a customer, the perception is that it is now your problem. Some crook with a few snippets of information from another breach phones them up and says “I’m calling from Company X, I must be legitimate as here’s your bank account number, now I need your password etc.”

Customers fall for the same old tricks every time, yet point the finger of blame at you even though it wasn’t your fault.

Number 1: Password re-use

Customers see security as your problem. You ask them to create a strong unique password and they don’t; they just use the same password that they have for everything else, for every ecommerce site, web login, and app. So, a website gets breached, one that is nothing to do with you, and the customer has reused their password. The password hashes get stolen and cracked.

This means that every other online account where they re-use that password can now be compromised. That’s not your fault, but the customer will see it as your problem because it was their account with you that was compromised.

Who is liable for the loss? Your business, the customer or the breached business? The customer certainly won’t hold their hand up and admit their fault for re-using passwords!

What to do?

Your ecom and marketing teams will probably put up barriers to 2FA as it may affect transaction completion rates. However, mobile apps usually have long session validity, so one 2FA auth on first login/setup of the mobile app will solve the problem and not get in the way of future transactions.

Try to sell the benefit of 2FA to your customers – security may actually HELP increase transactions through increased customer confidence. “We look after your security, so we’re going to send you a one-time code”.
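One way to implement the flow described above (a single one-time code on first login from an unknown device, then a long-lived device trust so later transactions are not interrupted), as an added example that is not the post's own code: the server sends a code, verifies it with a single attempt, and issues a device-bound token that is checked on every transaction. The 90-day trust window, the in-memory stores and the `sent` list standing in for SMS/email delivery are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300                       # one-time code valid for 5 minutes (assumption)
DEVICE_TRUST_TTL = 90 * 24 * 3600   # trusted-device session valid for 90 days (assumption)


class AuthServer:
    """Minimal model of 'verify 2FA once per device, then trust that device'."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so expiry can be tested
        self.pending_otps = {}       # (user, device_id) -> (sha256(code), expires_at)
        self.trusted = {}            # sha256(token) -> (user, device_id, expires_at)
        self.sent = []               # codes "sent" to the customer; stands in for SMS/email

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, user, device_id, password_ok):
        """First factor. A correct password on an unknown device earns a one-time code, not a session."""
        if not password_ok:
            return {"status": "denied"}
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_otps[(user, device_id)] = (self._h(code), self.now() + OTP_TTL)
        self.sent.append((user, code))
        return {"status": "otp_required"}

    def verify_otp(self, user, device_id, code):
        """Second factor. The pending code is consumed on first use so a 6-digit code cannot be guessed by retrying."""
        entry = self.pending_otps.pop((user, device_id), None)
        if entry is None:
            return None
        code_hash, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(code_hash, self._h(code)):
            return None
        token = secrets.token_urlsafe(32)   # long-lived, device-bound trust token for the app to store
        self.trusted[self._h(token)] = (user, device_id, self.now() + DEVICE_TRUST_TTL)
        return token

    def transact(self, token, device_id):
        """Later transactions: no code prompt while the token is valid and presented from the same device."""
        entry = self.trusted.get(self._h(token))
        if entry is None:
            return "otp_required"
        user, trusted_device, expires_at = entry
        if device_id != trusted_device or self.now() > expires_at:
            return "otp_required"
        return f"ok:{user}"
```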

How do you prevent password re-use happening? Show your customers where to get a free password manager, how to set a good password, and why they should not reuse it.

Every time there’s a big data breach in the press, multiple unrelated businesses are affected by collateral damage as a result of the above and other issues. Make sure you’re not one of them.