Earlier this week, former Amazon employee Eric Springer shared his recent experience with Amazon customer service, revealing that the e-commerce giant unknowingly gave away his identity to hackers on three occasions. Springer was alerted to the situation after receiving an email confirming a recent interaction with customer service via Web chat that he did not actually have. After reviewing the transcript, he realized someone was posing as him in an effort to get his shipping address and, in a second attempt, the last four digits of his credit card number. For consumers who are already wary about their online security, interactions like these come as no surprise—what's more surprising, Springer points out, is that a behemoth such as Amazon failed to take basic precautions, including requiring his impersonator to log in before initiating a chat.
According to a recent survey conducted by YouGov, 72 percent of consumers are "fairly concerned or very concerned" about the security of the personal data that they provide to brands. Seventy-three percent also said they were "very concerned or fairly concerned with how brands and organizations use their personal information." And, because they don't trust brands, 53 percent of the consumers surveyed said they would share less data over the next three years.
The onus is on companies to earn customers' trust and keep it, and Amazon's failure to protect Springer's identity demonstrates key security gaps that are likely an oversight not just for Amazon but for other brands as well. Not requiring a customer to sign in before a customer service engagement was one mistake, but there are other steps companies can take. The best way to fight these attacks, says Nathan Cooprider, senior software engineer at cloud security company Threat Stack, is to provide more cues to customer service representatives that identify when a connection is not secure.
"When a consumer is browsing the Web, there are things that indicate on the browser whether or not the Web site has a correct certificate, and if it's using the most current protocol. These cues provide a safer Web browsing experience, and companies can provide similar types of cues to customer service representatives when they're helping people. For example, agents should be alerted if the IP address that the customer is using is different than the one he or she normally uses," Cooprider says.
One of the biggest obstacles that companies face when it comes to protecting customer data is the tension between convenience and security. If there are too many security processes that stand in the way of customers getting in touch with customer service representatives and getting the assistance they need, then customer satisfaction will plummet. "You want customers to actually be able to use the system," Cooprider says. "A customer may be applying for a loan and be asked questions about a house they lived in five years ago. They might not remember the apartment number and at that point the security measures are causing a standstill," he adds.
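The agent-side cues Cooprider describes, as an added example that is not from the article or from Amazon: it flags a chat opened without sign-in or from an unfamiliar IP address, and blocks only the disclosure of sensitive fields so that ordinary requests are not slowed. The field names, the /24 and /64 network matching, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Fields the impersonator in the article tried to obtain (names are hypothetical).
SENSITIVE_FIELDS = {"shipping_address", "card_last4"}
# Constructed sample history for one account (documentation address ranges).
KNOWN_IPS = ["203.0.113.10", "2001:db8:1::25"]

@dataclass
class ChatSession:
    account_id: str
    authenticated: bool  # did the customer sign in before opening the chat?
    source_ip: str

def ip_is_familiar(source_ip, known_ips, v4_prefix=24, v6_prefix=64):
    """True if source_ip shares a network with an address seen before.
    Matching on a prefix (an assumption) tolerates dynamic addressing."""
    addr = ipaddress.ip_address(source_ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    for known in known_ips:
        if ipaddress.ip_address(known).version != addr.version:
            continue
        if addr in ipaddress.ip_network(f"{known}/{prefix}", strict=False):
            return True
    return False

def agent_cues(session, known_ips, requested_field=None):
    """Return (cues, may_disclose) for display in the agent's console."""
    cues = []
    if not session.authenticated:
        cues.append("UNAUTHENTICATED: customer did not sign in before chat")
    if not ip_is_familiar(session.source_ip, known_ips):
        cues.append("NEW_IP: address not seen on this account before")
    may_disclose = True
    # Only sensitive disclosures are gated; routine help is never blocked.
    if requested_field in SENSITIVE_FIELDS and cues:
        may_disclose = False
        cues.append(f"BLOCK: do not reveal {requested_field}; re-verify first")
    return cues, may_disclose

if __name__ == "__main__":
    chat = ChatSession("acct-1", authenticated=False, source_ip="198.51.100.7")
    for cue in agent_cues(chat, KNOWN_IPS, "card_last4")[0]:
        print(cue)
```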
It's also worth noting that there's no way to protect against every single data breach or hacker, and even massive companies such as Amazon can't afford to spend all their resources on prevention. "It's practically impossible, not theoretically, but practically impossible to have something that will not have some sort of hole in it somewhere," Cooprider says. "The sufficiently resourced attacker is going to get through." The aim, instead, should be not only to focus on prevention but also to allocate efforts toward repair and recovery. And for Amazon, the lesson should be to fix the breach after one incident, not three.