Wednesday, August 5, 2009

Network Solutions Ecommerce credit card theft could happen to your e-commerce system too…

Two weeks ago Network Solutions Ecommerce (the former MonsterCommerce folks) announced that approximately 573,928 customer accounts and their credit cards had been compromised -- but they were quick to point out that they had followed proper PCI DSS compliance procedures for storing the card data, which is possibly how they were able to detect the breach in the first place. So, what they are saying is that they did everything correctly and still someone was able to steal a lot of credit card data. What appears to have happened, based on the reported details, is that someone was able to access the Network Solutions (NetSol) servers and intercept the credit card details on the server itself – in other words the bad guys broke into their servers, changed the code and stole the information – let me explain.

Credit Card Data Vulnerability

When you visit a retail website and input your credit card information here are the main points where your personal information is vulnerable:
  1. Over your shoulder: You first shoulder check to ensure that no other person can see you input your precious credit card number and even more precious verification number (that number on the back of your card near your signature that tells the credit card company that the person inputting this number is holding the physical card). Being the clever one you are, you always hunch over and block anyone from seeing you key in those precious numbers with your free hand -- so far so good.

  2. From your computer: You have scanned and secured the computer you are working on to ensure that no one is recording every key that you press, so you are certain that you have not allowed someone else to capture your unencrypted credit card information before it even leaves your computer… they can do this via the power cable you are connected to, if they are close enough they can monitor the signature from your keyboard, or they have tricked you into installing a key-logger on your computer like this one for the Mac or this one for the PC (and these are the legit ones)... but again, your computer is clean and has anti-virus and anti-malware stuff installed (oh, and a firewall too) – so we've dodged another bullet.

  3. From your web browser: You are certain that the web browser you are entering your information into is itself secure and that it has secured the channel between your computer and the retailer's web server using a valid and verified SSL certificate (the little yellow lock), and you are certain that the web server on the other end is actually who they say they are and not someone else who has taken control of the retailer's website. If you're scratching your head at this one let me simplify it… you have the latest version of your browser software and you read any security warnings or pop-ups from your browser (typically there are none, but when they do appear you did read them, right?) – again, you're doing all the right things so far, so you're confident that you're following proper credit card security procedures...

  4. From the "website": You are certain that the web page you are entering your information into is actually the retailer's server and not another site that has somehow tricked you into visiting their bad-guy website while masquerading as your target website. See #3 above and make sure you read the URL in your browser's address bar, you know, that long string at the top of your browser that should read something like: https://www.retailersite.com/something... and not something like http://www.retailersite.badguysite.com/something... but you are not worried here, you're confident that the site you are visiting is your target site...

Okay, so you've successfully made it over the moat and to the castle's door to deliver your precious credit card so they will ship you the items you desire; now comes the twist.

  5. From the web server: You are certain that no one has compromised the retailer's server and injected their own software between you and the retailer's e-commerce software – this of course is a trick question because this isn't your job and even I can't verify this one (even I have my limits). It's the retailer's and their service provider's responsibility, and according to the news reports this is where NetSol appears to have fallen victim.

PCI DSS compliance requires that the retailer ensure that their physical security and software security are covered, but this is where the story gets a bit vague (PCI folks please hold on, we'll get to this later in the program). What I mean by the story being vague isn't that the PCI DSS standard doesn't cover this, it does; it's that most of the claims that I see amongst my peers are that they have ensured that the data they store to disk is encrypted... good, because that is required. But PCI DSS goes beyond just the software; it's also about the safety and security of the servers, their operating system and the application source code, and this is where NetSol got hit, again according to the published reports -- the source code for their application was compromised somehow.

For the non-programmers in the room let's try an analogy (if you haven't left the room already). Suppose you visit your favorite restaurant and you give the waiter your credit card and he happily takes it to the point-of-sale (POS) terminal and swipes the card… no, the waiter is not the villain in this story (not this time); instead the guy who came the day before to "fix" the POS terminal swapped out the credit card reader with one that he made at home that reads the credit card information off of your card and records it to a little device inside the POS terminal that isn't supposed to be there. That device then takes the credit card information and passes it on to the real reader, which then encrypts it and sends it to the bank, etc. The problem isn't that the data wasn't encrypted, it's that the data was intercepted before it was able to be encrypted, and so your information has been compromised – again not by the waiter but by someone who planted a shim of some sort between where your information is input and the bank.

Now, let's look for someone to blame:

  1. Did the restaurant owner verify that the guy from the POS-company installed a fully compliant device? Of course not, he's not technical, he just runs the restaurant. In our story the retailers assumed, rightfully so, that NetSol would take care of this (and it appears they did in the end).

  2. Did the POS-company knowingly plant this device? Unlikely; it's more likely that someone inside the POS-company did this or that someone else knows enough about the device to swap it with their own… one credit card terminal looks like another if someone has the time and access to swap the devices. In NetSol's case it was either an inside job, including a former contractor or former employee (unlikely, but possible), or someone external gained access to the server or software somehow and compromised it (most likely).

  3. Did anyone at the restaurant verify that the guy fixing the POS-terminal was actually from the POS-company? Probably not; it's called social engineering, and if someone shows up wearing the right clothes and the necessary name tag/ID the support staff aren't going to verify anything, they got stuff to do. Ah... this doesn't apply to the NetSol story unless someone claiming to be NetSol tricked all of these retailers, and from the sounds of it that's not the case... but it lets me round out my list with three things and it's a security issue nonetheless.

Let's get back to NetSol for a second and explain what they (and your current provider) should be doing:
  1. Source Code Control: No one should be able to modify their source code without them knowing about it. Now, I don't know their policies around letting customers edit the source code, but assuming that their customers are not permitted or able to edit the source code then this was either an inside job at NetSol or someone got to the servers, which leads me to #2.

  2. Server Access Control: No unauthorized persons should be able to access the servers such that they can get to where the application is installed and change it. This is like physical security, i.e. you cannot swap something out if you can't get to it. This is covered by PCI DSS (see PCI folks, I said I would cover this later) and it's just plain-old common sense network administration – only give the minimum of access, and log and audit all of the time.

  3. Restrict Third-Parties: There is a third possibility, namely that someone wrote a popular plug-in for the NetSol application and this plug-in somehow injected itself into the unencrypted stream of information or was able to access the data in an unencrypted format before it was encrypted. This should not have been possible, but since I don't know their application well enough to comment on it I'll just leave it as a possibility, albeit an unlikely one in this case.

Okay doctor, what do I do now?

So, you have your own store and you're sweating right now because you don't know if someone has done this to your application, and you're asking yourself: is there anything that a non-technical person can do to prevent this? What questions should I be asking my e-commerce software/service provider right now to ensure that I don't fall victim to this? Oh, and if you are thinking of switching away from NetSol (I've been seeing a lot of companies advertising their software on the back of poor NetSol) you should be asking them these tough questions too before you jump ship:

  1. Trustworthy Employees: What process do you have in place to ensure that the people who work on your source code have not planted a back-door or their own logging code into the application such that if they get tired or fired they just flip a switch and start skimming card or customer information? The right answers include employee contracts, background checks and code audits.

  2. Source Controls and Audits: What process do you have to ensure that someone hasn't compromised the software on the servers? The right answers include verifiable* code audits on all of the installed versions of their application to ensure that no one outside of the authorized personnel has been able to update the software on your servers, and in the worst-case scenario there is a complete audit trail... oh, and saying that they use source control is like saying that you have a sign-in sheet at the front door to your office and that you are certain that the bad guys will sign their real name on the sheet as they pass by to do their dirty work – it ain't gonna happen.

  3. Server Security: What process do you have to ensure that someone hasn't compromised the server itself? The right answer includes a combination of tools like Tripwire, anti-virus, root-kit scanning and standard system-administrator tasks that monitor and audit servers. Again, you need to verify that they actually do these things and not that they just say they do.

  4. Disaster Recovery Procedures**: What procedures do you follow when something bad like this happens? The right answer includes at a minimum an action plan related to securing the information and servers and working with you to meet disclosure requirements to your customers, your bank, etc. This is something that NetSol has reportedly been working to do with their merchants and their merchant's customers.
* When I say verifiable I mean that they actually have a documented policy that they will show you (under NDA) that spells out their audit and review process and that they guarantee that they will conduct these at regular intervals to ensure your safety and security.

** Okay now I've offended all of the Business Resumption Planning (BRP) people by using their term "Disaster Recovery" but for our purposes this is when something bad happens and that's what BRP is for and so I'm using it... my blog, my terms.

Did I scare you?

I hope I scared you just enough to realize the vulnerability that you may face each day with your software and not so much that you have shut down your online store out of fear of bad things happening. I happen to have been a system administrator and a programmer and I know that each group can get locked into thinking only about their individual piece of the system thus ignoring the system as a whole and leaving a hole just big enough for someone to take advantage of as it appears was the case with NetSol. I also know that with proper procedures and policies this can be avoided or at a minimum it can be detected and stopped with minimal damage to your company and its online reputation – as appears to have also been the case with NetSol in that they did catch it. Put yourself in the shoes of the retailers who must now report to their customers that their service provider, albeit a very big one, allowed their information to be compromised… would you as a consumer be placing the blame on NetSol or on the retailer?

What is NetSol doing about it?

To NetSol's credit they have launched a website to answer questions for their merchants and their customers including letters and such that will go out to customers and they are offering free credit monitoring for all potentially impacted customers through a third-party agency.
Their incident website is here: Ecommerce Security: What Happened
There are still individual US State laws that must be followed and if you are interested follow the link.

Any questions?

I hope I have given you enough to take action immediately but feel free to ask questions in the comments below or contact me with your questions directly:
Chris Kerslake, President, XModus
Email: chris@xmodus.com
Twitter: chris_kerslake
Phone: (604) 732-7337 x101

Sources for this article:

[1] Network Solutions Hack Compromises 573,000 Credit/Debit Accounts
[2] About the PCI Data Security Standard (PCI DSS)
[3] Ecommerce Security: What Happened (Network Solutions' website to explain the situation)
[4] Mac Key-Logger
[5] Windows Key-Logger
[6] Configuration Control - Tripwire
[7] Business Resumption Planning: Justification, Implementation & Testing
[8] State Security Breach Notification Laws (As of July 27, 2009)


Monday, June 22, 2009

Privacy Filters Blocking Google Analytics eCommerce Tracking

Some of our customers use Google Analytics' eCommerce tracking on their website to record order revenue information in Analytics for matching against their Google AdWords spend. In theory this should be perfect because they can record their website analytics and at the same time record their marketing spend on Google. Unfortunately Google Analytics relies on a script embedded within the order confirmation page being executed at the time of purchase, and this particular method of reporting is falling victim to various privacy protection mechanisms employed by online shoppers today.

Here is what happens...
A shopper places an order on your website, and during the order completion phase a Google-supplied script is embedded into the order confirmation page. The shopper's browser is then asked, implicitly, to execute this Google script and send the data to Google. The script takes some of the order information and transmits it to Google for reporting within Google Analytics. Unfortunately this relies on the shopper's browser cooperating with the implicit request and sending the information to Google, which the browser can choose not to do.

What we discovered...
What we discovered is that on average approximately five percent of transactions were not being sent to Google. We checked and noticed a pattern: newer browsers, specifically Firefox, IE, Safari, and Sunbird, were showing up in our browser logs for the 'missing' orders. A bit of poking around led us to a variety of discussions about these browsers and how they can thwart various tracking techniques. We did a couple of quick tests and confirmed that the two we tested, IE 8 using InPrivate privacy mode and Firefox 3.0 with AdBlock Plus, could block Google Analytics (among other tracking scripts and pixels).

Is it only Google Analytics that is blocked?
No. The basic assumption that all tracking pixels, cookies and scripts rely on is that the user's browser will act in a consistent manner and transmit the necessary and requested data from the browser back to the third-party's server. If this trend continues and browsers start to block more and more of these scripts, pixels and cookies then the reliability of these methods of tracking will decrease as well.

Are there alternatives?
Yes, there are two classic ways around this. The web server that is being called already has all of the information that Google Analytics is looking for and thus could submit that information directly to Google, bypassing the user's browser, or it could choose to process the information itself. The advantage of having the user's browser do it is that the browser enforces whatever privacy level the user wants, and the web server does not have to do any additional work. If the web server must process the request itself then it will require additional resources to do so, something that is avoided today by having the user's browser do the work for it.

Is five percent that big of a deal?
That depends. Obviously, knowing that 5% of sessions are currently being impacted allows for factoring in this level of error, and using simple mathematics our customers can extrapolate the difference. Where this becomes problematic is if you are using these numbers and assuming they are accurate, and thus could be making inaccurate (or even incorrect) assumptions. Also, it's only five percent today, but as users upgrade their browsers and add these privacy mechanisms we expect this number will increase as well.

How did we know there was a difference?
Our Rebus eCommerce software receives all of the orders and processes them, so it has the actual order totals, revenue, costs, etc., and it is Rebus that transmits the order details to Google Analytics. One of our customers was using the Google Analytics data for a report, was comparing the Rebus report and the Google Analytics report, and contacted us to find out why there was a difference. They pulled the raw order numbers, discovered that a bunch of orders were missing and reported it to us. We checked our logs and could see that we were sending the information to Google, so we looked further to see if we could discover the reason, and that led to this article.
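The reconciliation just described, written out as an added example (not Rebus or Google code): join the orders the server recorded against the transaction ids that actually reached Analytics, measure the gap, and group the missing orders by browser family to surface the pattern. The order records, user-agent strings and the Analytics transaction list are constructed.

```python
"""Added example: reconcile server-side orders against Analytics transactions."""
import re
from collections import Counter

# Constructed: orders as the e-commerce server recorded them.
SERVER_ORDERS = [
    {"id": "10001", "revenue": 59.90,
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 6.0; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"},
    {"id": "10002", "revenue": 120.00,
     "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"},
    {"id": "10003", "revenue": 15.25,
     "ua": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 "
           "(KHTML, like Gecko) Version/4.0 Safari/530.17"},
    {"id": "10004", "revenue": 42.00,
     "ua": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009061212 Firefox/3.0.11"},
    {"id": "10005", "revenue": 88.10,
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"},
    {"id": "10006", "revenue": 33.33,
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 "
           "(KHTML, like Gecko) Chrome/2.0.172.31 Safari/530.5"},
    {"id": "10007", "revenue": 10.00,
     "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"},
    {"id": "10008", "revenue": 75.00,
     "ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"},
]

# Constructed: transaction ids present in the Analytics e-commerce export.
ANALYTICS_TXNS = {"10001", "10003", "10005", "10006", "10007", "10008"}

# Order matters: Chrome's UA also contains "Safari/", so test it first.
BROWSER_PATTERNS = [
    ("IE", r"MSIE \d"),
    ("Chrome", r"Chrome/"),
    ("Firefox", r"Firefox/"),
    ("Safari", r"Safari/"),
]


def browser_family(ua: str) -> str:
    """Coarse browser family from a user-agent string."""
    for name, pattern in BROWSER_PATTERNS:
        if re.search(pattern, ua):
            return name
    return "other"


def reconcile(orders: list, analytics_txns: set) -> dict:
    """Which server-side orders never showed up in Analytics, and who sent them."""
    missing = [o for o in orders if o["id"] not in analytics_txns]
    rate = len(missing) / len(orders) if orders else 0.0
    return {
        "total": len(orders),
        "missing": [o["id"] for o in missing],
        "missing_rate": rate,
        "missing_revenue": round(sum(o["revenue"] for o in missing), 2),
        "by_browser": dict(Counter(browser_family(o["ua"]) for o in missing)),
    }


def extrapolate_revenue(analytics_revenue: float, missing_rate: float) -> float:
    """Scale Analytics revenue up by the measured miss rate (the 'simple
    mathematics' the post mentions); only valid if misses are revenue-neutral."""
    return analytics_revenue / (1.0 - missing_rate)


if __name__ == "__main__":
    result = reconcile(SERVER_ORDERS, ANALYTICS_TXNS)
    print(result)
    seen = sum(o["revenue"] for o in SERVER_ORDERS if o["id"] in ANALYTICS_TXNS)
    print("extrapolated:", round(extrapolate_revenue(seen, result["missing_rate"]), 2))
```

The by-browser breakdown only tells you which families are over-represented among the misses; a blocker such as AdBlock Plus or InPrivate does not announce itself in the user-agent string, so confirming the cause still takes the manual tests the post describes.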

More information:
Google Analytics - How do I track e-commerce transactions?

AdBlock Plus Forum: how block Google Analytics

IE8 and Privacy

IE 8 feature thwarts targeted ads, Google
If you have a question about this topic or article or any other articles on this blog please contact me, chris@xmodus.com or you can call me (604) 732-7337 x101 or follow me on Twitter chris_kerslake.


Tuesday, April 21, 2009

Keep your customer's passwords safe

A few years ago a friend of mine had the unfortunate task of being forced to fire an employee for cause. In this case the employee in question did something to my friend's online customers which, had his customers discovered it at the time, could have meant the end of his online business. The crime here was the result of a bored customer service representative (CSR) who accessed customers' email accounts using the same email address and site password the customer had used on my friend's e-commerce web site. This CSR didn't set out to break into customers' email accounts; instead one fateful telephone call from a customer tipped this CSR to the problem of customers using the same passwords in more than one place.

Here's how it happened...
One day a customer called in to customer service with a question about their order, and during the conversation the CSR asked the customer to confirm some security information about their account, i.e. zip code, street address and account name. While finishing off the inquiry the customer mentioned that he also needed to update his account password but could not accomplish this via the shopping site, and wondered if the CSR could do it for him. Of course he could, and so the customer read off the new password and the CSR dutifully entered it into their back end system, problem solved. The customer then made a problematic statement to the CSR, to the effect that he was updating his password on all of his accounts, including this one. The CSR didn't realize until later that the customer was using a single password for all of his online accounts and had just given this CSR the password to all of them! At first the CSR didn't believe the customer and didn't pay it any heed, but later that night (he was working the night shift) he was bored and for some reason decided to test the customer's single-password comment himself. He noticed that the customer had a Hotmail email address, so he visited the Hotmail website, entered the customer's email address and password, and voila, he was granted access to the customer's email account. He was shocked but also a bit excited that he could read this customer's emails. He should have stopped there, but he didn't, and if he had stopped there he probably wouldn't have lost his job several months later.

As with many addictions, the CSR wondered if other customers also employed this single-password ethos and so he decided to experiment further. Unfortunately my friend's e-commerce back end did not limit access to customers' accounts and did not provide an audit trail or alerts for this type of fraudulent behavior, and so during the normal course of the evening this CSR would record all of the Hotmail accounts he came across along with their account passwords, and later, when he was bored, he would try to access their Hotmail accounts. As he slithered his way through these online customers' accounts he began to discover personal emails about things that he should never have had access to and that I'm sure customers would not have wanted anyone to see. Finding a few juicy nuggets led to a full-fledged addiction to snooping in other people's email accounts, an email voyeur of sorts. But like those before him he got too brazen, and with his mind filled with other people's personal information he hinted to the wrong person one day, and this led to rumors about someone snooping on customers' records... a misinterpretation of his transgressions, but one that ultimately led to the IT folks putting a tap on all external access and discovering his exploits. Finally, suspecting that he was up to no good, and thinking it was online fraud, my friend contacted the authorities, who monitored and recorded the actions for a possible criminal case. Luckily for the CSR his online voyeurism was only deemed embarrassing but not criminal (at the time), and so with transcripts of his late night exploits he was confronted and shown the door.

Moral of the story...
1. Don't use the same password on other sites; at least come up with a variant if you want to avoid this 'one password to rule them all' problem.
2. Don't allow your customers' passwords to be accessible by your staff.

Other variations of this act...
1. Changing the email account to one that the fraudster can access. They will change the email to their own, email themselves the password and then change the email back so no one knows.
2. Customer data exported for transport containing customers' passwords.

Solutions:
1. Secure customer passwords by not allowing anyone to see the plain-text password.
2. Allow passwords to be reset and emailed to the original email only.
3. Audit all password and email account resets.
4. Alert customers at their original email address if any of these events occur.
5. Review audit trails for patterns... most people won't stop at one.
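How the five solutions above fit together in one small account store, as an added example (not Rebus code): passwords are kept only as salted PBKDF2 hashes so no one sees plain text, a reset is a one-time link mailed to the address on file, every email or password change is audited, the original address is alerted, and the audit trail is scanned for the "change the email, reset, change it back" variation. Mail is simulated with an in-memory outbox and the accounts, actors and iteration count are constructed assumptions.

```python
"""Added example: staff never see a password; resets and email changes are audited."""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

PBKDF2_ROUNDS = 200_000  # assumption; tune to your hardware


class AccountStore:
    """Accounts keyed by id. Staff can trigger a reset but never read a password."""

    def __init__(self):
        self.accounts = {}      # id -> {"email", "salt", "hash"}
        self.reset_tokens = {}  # one-time token -> account id
        self.audit = []         # {"actor", "event", "account", "detail"}
        self.outbox = []        # (to, subject): stands in for outbound mail

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _log(self, actor, event, account, detail=""):
        self.audit.append({"actor": actor, "event": event,
                           "account": account, "detail": detail})

    def create(self, account, email, password):
        salt = os.urandom(16)
        self.accounts[account] = {"email": email, "salt": salt,
                                  "hash": self._hash(password, salt)}

    def verify(self, account, password):
        a = self.accounts.get(account)
        return bool(a) and hmac.compare_digest(a["hash"], self._hash(password, a["salt"]))

    def request_reset(self, account, actor):
        """The reset link goes only to the address on file (solution 2)."""
        a = self.accounts.get(account)
        if a is None:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = account
        self.outbox.append((a["email"], "Password reset link"))
        self._log(actor, "reset_requested", account)
        return token  # returned only so the demo can simulate clicking the link

    def complete_reset(self, token, new_password):
        account = self.reset_tokens.pop(token, None)  # single use
        if account is None:
            return False
        salt = os.urandom(16)
        self.accounts[account].update(salt=salt, hash=self._hash(new_password, salt))
        self._log("customer-via-link", "password_changed", account)
        return True

    def change_email(self, account, new_email, actor):
        a = self.accounts.get(account)
        if a is None:
            return False
        old = a["email"]
        a["email"] = new_email
        self.outbox.append((old, "Your email address was changed"))  # solution 4
        self._log(actor, "email_changed", account, f"{old}->{new_email}")
        return True


def email_swap_pattern(audit):
    """(actor, account) pairs where the same actor changed the email, a reset
    followed, and the email went back to the original (solution 5)."""
    flagged, by_account = [], defaultdict(list)
    for e in audit:
        by_account[e["account"]].append(e)
    for account, events in by_account.items():
        pending, reset_seen = None, False  # pending = (actor, original email)
        for e in events:
            if e["event"] == "email_changed":
                old, new = e["detail"].split("->")
                if pending and reset_seen and new == pending[1] and e["actor"] == pending[0]:
                    flagged.append((e["actor"], account))
                    pending, reset_seen = None, False
                else:
                    pending, reset_seen = (e["actor"], old), False
            elif e["event"] in ("reset_requested", "password_changed") and pending:
                reset_seen = True
    return flagged


def busy_actors(audit, threshold):
    """Actors who touched credentials of more than `threshold` distinct accounts."""
    touched = defaultdict(set)
    for e in audit:
        if e["event"] in ("email_changed", "reset_requested"):
            touched[e["actor"]].add(e["account"])
    return sorted(a for a, s in touched.items() if len(s) > threshold)


def demo():
    store = AccountStore()
    store.create("c1", "alice@example.com", "correct horse")
    store.create("c2", "bob@example.com", "battery staple")
    store.complete_reset(store.request_reset("c1", actor="csr-42"), "new pass")  # legitimate
    store.change_email("c2", "csr42@example.net", actor="csr-42")  # the variation from the post
    store.complete_reset(store.request_reset("c2", actor="csr-42"), "other pass")
    store.change_email("c2", "bob@example.com", actor="csr-42")
    return {"alice_new_pw_ok": store.verify("c1", "new pass"),
            "alice_old_pw_ok": store.verify("c1", "correct horse"),
            "flagged": email_swap_pattern(store.audit),
            "busy": busy_actors(store.audit, threshold=1),
            "bob_alerted": ("bob@example.com", "Your email address was changed") in store.outbox}
```

Note that the alert to the original address is what gives the customer a chance to notice even when the CSR reverts the change, which is why the store records the old address before overwriting it.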

How Rebus handles this
It's a surprisingly common question that we get asked by new customers, "How do we access customers' account passwords so we can change them?", to which we reply, "You can only access their password in plain text if you have the necessary permissions." They inevitably reply with either "that's great", "that's too complicated", or "please don't allow us to do that". We also have an audit trail that allows customers to watch for this particular type of internal fraud (as well as others too).

Do you have a question or comment? Email me, follow me on Twitter (chris_kerslake) or give me a call on the phone (604) 732-7337 x101.


Sunday, March 29, 2009

Why you should care about Twitter

I've been using Twitter now for the past month and I have to say that I can appreciate why people are excited about it, but I can also appreciate why not everyone is keen on it. Bottom line: lots of people are doing it, it's still very early and it can take a lot of time.

What is Twitter?
Twitter is an online service where users submit short text messages, up to a maximum length of 140 characters at a time (called 'tweets'), to individuals or simply to the steady stream of other 'tweets'. Think of a web page where new information appears every time you refresh the page, from individuals telling you about themselves, about information they found, asking questions and just talking all of the time. There is a now infamous article by Guy Kawasaki, one of the most prolific Twitter users and biggest cheerleaders for Twitter:
Late one night in a hotel, I discovered I hadn't brought a MacBook power supply, and I was leaving early the next morning for a remote location. I posted a message to Twitter, and within 10 minutes, five people offered to bring me a power supply; one delivered it to me within an hour.
I haven't had the same response as Guy, and when I have asked a question (so far 3 questions) I have not received any responses other than a new group of 'followers' who triggered on some keyword in my tweet. For example, I asked a question about Customer Relationship Management (CRM) and within a few minutes I received a wave of new followers, including one that sells Sage CRM... my question was about something related to CRM, not about me wanting to buy a CRM.

What is the point?
Initially I was skeptical and unsure of why I would want to keep announcing my every single move to the Internet. I decided early on that I would tweet only interesting or relevant things, not that my son just went potty or that I'm out for dinner at a particular restaurant. So when I initially signed up I was flattered that immediately all sorts of 'people' were interested enough in my profile to start following me, little 'ol me, why how cool is that... but then the reality of the situation set in quickly. Most of these 'followers' were simply automatic software programs, Twitter agents, that saw my new account and told Twitter that they were interested in following me. Being a good Twitter citizen (Twitterzen?) I decided to follow them too, and there was the catch. The next day they would drop their following of me but I would continue to follow them and hear their message every time they tweeted. So I quickly developed some following criteria, and for those that I thought were not interesting I let them continue to follow me but I did not return the 'favor'. I suspect the reason that so many people immediately follow those that follow them is a variation on THOMAS (The Human Oxytocin Mediated Attachment System) and thus works in their favor. On Twitter so many people are just trying to get the most followers that it's like a cross between narcissism and a game of who collects the most.

Why did I join?
I joined for a couple of reasons:

1. I'm a geek -- I'm a technologist and like to experiment with new technology -- I'm typically an early adopter and this is something new and interesting.

2. My friends are doing it -- Many of my friends were doing it and they told me stories of meeting and talking (tweeting) with people they had heard about but had never had a chance to talk to before.

3. I like to network online -- As I began to research Twitter I began to find a lot of people that I know from LinkedIn and Facebook on Twitter as well as some target customers and industry insiders on Twitter... all simply a tweet away.

4. I see gold -- I'm not alone in seeing a potential paradigm shift for online retailers to listen to and target consumers directly with specific advertising. One of my staff discovered an online retailer on Twitter, followed them and immediately received a message from them with a free gift offer as a thank-you for following them... she was flattered.

But what about ROI?
So far, like my friends before me, I haven't really seen any specific ROI. My investment so far has been learning and trying Twitter, and I must say that it is very easy to spend a lot of time reading tweets and following links to read articles and such that people have posted. Let me tell you some of the people that I have tweeted with, who I follow or who have followed me: a competitor, some of my customers' competitors, potential customers, people I've read about but never met, and anyone who follows me and looks interesting.

Why should you join Twitter?
A constant stream of keywords from people 24x7 on everything, including your target customers, your competitors and other people you want to follow or who want to follow what you have to say. This is not the Matrix, you don't have to watch a black screen with green letters scrolling down it; it's just a list of comments from all the folks you are following.

Why you should not join Twitter.
Don't expect that if you join Twitter they will come and you will somehow automatically be rich. Twitter is a social tool and that means you need to contribute to the community (i.e. work), just like blogging... in fact Twitter is considered micro-blogging, 140 characters at a time. Don't be afraid though, it's not just for bloggers.

Some "interesting" Twitter stories in the news recently:
1. Guy Kawasaki's request for a power cord from a hotel room...
2. Juror causes mistrial proceedings by tweeting...
3. US Congressmen post their experience during the recent US Presidential inauguration...
4. A Silicon Valley executive tweets during a break-in at his house...
5. Actor Ashton Kutcher posts photos of his wife Demi Moore and then tweets about it...

Are you using Twitter? Let us know what you think about Twitter and tell us your stories about Twitter in the comments below... or email me with your story, or better yet, follow me on Twitter! chris_kerslake - http://twitter.com/chris_kerslake.


Go back to the floor to reconnect with your business and customers.

Recently Jeff Bezos, CEO of Amazon.com, decided to spend a week working at one of Amazon's distribution centers. From the article:
Jeff Bezos is spending this week working in an Amazon distribution center in Lexington, Kentucky (AMZN). He apparently wants to see what it's like to be a rank-and-file Amazon employee. More CEOs should try that once in a while.
Like many entrepreneurs, a friend of mine started off in the family business, beginning in the stock room and growing with the business. Recently one of his key employees needed an extended time off, and rather than hiring someone into the position or promoting someone temporarily he decided to take the opportunity to return to his roots, so he took over the vacant customer service manager position, in essence returning to the floor.

Now, there is an argument that the CEO doesn't have time to stop doing their CEO job, and to be fair, he took on both positions at the same time with a known end date. His decision to step into the customer service position was, in his mind, an opportunity to answer the phones and talk to (his) customers again, something he hadn't done in a few years, and here is what he found:

1. Staff were spending too much time on the phone answering questions about when customer orders would ship. When the umpteenth customer asked the same question during a call, he decided to ask the next few customers what their expectation was, and he got different answers. So he looked into it and discovered that the wording on their website was causing many of these unnecessary customer contacts. They reviewed the wording on their order confirmation page and in their order confirmation emails, found it ambiguous, and after a couple of wording changes these calls almost completely stopped.

2. Customers were calling in and emailing asking for help with tracking their orders. Odd, he thought; the tracking number is in their emails... until he asked a customer why they didn't just use the tracking number in their shipment confirmation email, and the customer said that there must be a problem with his e-commerce system because the tracking number was blank! As you can imagine, an investigation ensued, and it turned out that some USPS packages were being sent out without a tracking number: the shippers were trying to keep costs down, so for low-value shipments they were choosing not to buy a tracking number (an extra $0.18 per shipment). What the shippers didn't realize was that their eighteen-cent saving was actually costing the company more in customer contacts. A change was made to the email text and processing so that customers without a tracking number were told their packages would take a certain number of days, instead of being shown a blank, and again the call volume dropped substantially.

So, even if you aren't the CEO of a company, returning to the floor is important, and here is why you need to reconnect with your customers:

1. Your staff are doing things that are costing you money (and they don't know it). You will find things as you do their jobs that you could eliminate or streamline. You will find that they are doing what they think needs to be done, but they typically don't have the authority to make changes or a mandate to keep costs down. You, however, will see these opportunities quickly, and you have the authority to make the changes necessary to fix them. To be fair, in many cases that I have seen the line staff do know that things should be done differently, and they may even have told you about them, but until you actually see the problems for yourself you may not give them the authority to make the necessary changes.

2. Talking with your customers will help you find new opportunities or products. You pay good money to attract customers to your website, and losing them is both disappointing and damaging to your company. Talking directly to your customers will once again expose you to their problems and, as any entrepreneur knows, problems are opportunities. When you talk to your customers you will find your next big idea.

3. The real world doesn't work the way you expect it to. When you return to actually doing the job, whether that is packing a box, picking an order or answering a customer's phone call, you also test your mental model of how the business runs against how it actually runs. This reality will either inspire you or depress you, depending on what you find, but it will also put you in a position to correct the problems with your knowledge and authority.


Have you returned to the floor yourself, or been there when the CEO did so? Tell us about it. It's worth noting that the comments on the Bezos article I mentioned above have some great related stories. I know from my own personal experience that challenging how things are done, and doing them yourself from time to time, is a great way to discover issues and fix them.


Monday, March 2, 2009

Don't Make Customers Test Your Website – It's Cheap and They Won't!

When was the last time someone other than you and your team reviewed your website? Your customers visit (and test) your website every day, but have you ever asked them to comment on it? The only comment most of them leave is to walk away frustrated because they can't find what they are looking for, or to show up as an exit on a page bounce report, after you have already paid for the click that brought them there in the first place. Simple usability testing is a great way to review your shopping site without spending much money, and before your customers do it for you.

Joel Spolsky (www.joelonsoftware.com), founder of Fog Creek Software and software best-practices teacher, notes in his Joel Test that "hallway usability testing", grabbing average, nontechnical people at random from the hallway and having them test or review your work, is a simple but effective way to improve your software. Since our customers are not themselves software companies, we work to educate them about the importance of software testing: we test our software before we give it to them, but once they change the user interface they need to test it again for usability.

Steve Krug, author of, "Don't Make Me Think, A Common Sense Approach to Web Usability", my favorite book on the subject of website usability, has a couple of quick points that I think are important for testing – because most people don't like to do testing:

1. If you want a great website you have to test.
We've already established that you need to test before your customers do. Customers are the worst testers because they just assume that your site will work the way they expect it to, and they are not forgiving if it doesn't. If you paid money to get them to your site and they leave unhappy, you not only lose that direct marketing money but also any possible future revenue from them as loyal returning customers, not to mention their network of friends: "Their site was buggy or hard to use" won't draw their friends to your site. Also, visitors are busy, and rarely will any of them drop you a note of any kind to let you know that there is an issue with your site. We have seen sites with Customer Experience Management (CEM) links and buttons, the "Report a problem with our site" kind, but our own experience on our own website, and discussions with others who have employed CEM themselves, is that it doesn't work as you expect in catching issues, because people are just too busy. CEM is not for testing for bugs; it's for providing another channel for customers to communicate with you.

2. Testing with a single tester is 100% better than testing with none.
The math is simple: if one person tests, then you are 100% better off than having zero people test your site. A few caveats though: not everyone is going to be a good tester, and testing is not a one-time event. Testing needs to be done every time you change the way your site functions.

3. Testing one user early is better than testing 50 users near the end.
Testing at the beginning is cheaper and better because once you have built something, fixing it costs all the extra effort you wouldn't have had to spend if you had tested earlier. Imagine that you are building a house and you decide, after the house is finished, that you want another bathroom upstairs. Now you have to wreck the walls, floor and plumbing to add the extra bathroom, but if you had tested earlier and discovered that an extra bathroom was needed, you could have added it at the start and not suffered the cost of building once and then wrecking and rebuilding a second time.

How to test your website on the cheap:
Steve Krug calls this "Lost Our Lease Testing":

1. Who are these mythical and magical testers? A tester is any reasonably patient human being, ideally someone who uses the web and has some experience buying online. Try to find users who reflect your target audience, but don't get too caught up on this point; remember that having someone is better than having no one. Also, if you get more than two testers you are more likely to notice the difference between folks who are good testers and those who are not. Take it from me, the difference is huge, and finding a really good tester is critical and hard, but you don't need the best (yet), you just need someone who is acceptable and will get you started.

2. How many testers? Ideally 3 or 4. You want more than one so you get at least two opinions and when you get three or four then you should start to see patterns of problems. A single person is still better than zero though and two is twice as many people... you get the point.

3. Where to test: In person at your office or conference room, where you and your team can observe them directly and possibly even videotape them. From personal experience, avoid, where possible, having them do the testing remotely and phone it in. If this is all you can get then do it, but ideally you want to see them in person, because you will be amazed at the level of detail you catch just watching someone try to navigate what you thought was a completely intuitive website! My favorite moment is when they fill in a form "wrong" and it causes an issue with the application. "What were they thinking?" is usually the comment, to which I respond, "fix it".

4. Budget: $50/person or lunch or dinner depending on whether these are your friends or not.

5. How long should they test? No more than 1 hour at a time; think of how long your average shopper spends on each visit to your site. One hour is a long time, enough to get through all the basics and some of the more advanced stuff. Ideally you want them to perform at least the basic tasks of searching for a product, browsing for a product, buying a product, and checking out. If you have time, get them to also try to cancel an order, check order status, and even find answers to their questions. I would suggest that you record all the different ways these folks use your site, so that each tester is given the same set of tasks and you can compare them. Ideally, though, you want to start by just telling them to buy a couple of products the way they always shop, and see what they do and how they do it. I guarantee you will be surprised.

The take-away:
Test your website because your customers won't, and it's cheaper, faster and easier than letting your potential customers leave because of something you could have found and fixed for the price of some pizza and beverages.


Monday, February 23, 2009

Turning Away (Known) Bad Customers

Credit card charge backs are like theft to retailers, and in this case the retailer got the last word... the second time.

I received a telephone call from a friend recently to tell me that she had just turned away a sale on the phone. The shopper who had called in had placed an order with her company before, and while she was placing their new order she noted that this particular shopper had done a charge back on their last order. A charge back is when a credit card customer disputes a charge on their credit card with their bank, and the bank then disputes the charge with the retailer. Unless the retailer can provide real, tangible proof that they shipped the order to the card owner, the retailer is charged a fee, sometimes as much as $75; they get a warning from their payment provider (too many and you lose your merchant account); they lose the sales revenue and the shipping revenue; and they also lose the goods and the cost of shipping them to the 'shopper'... so charge backs are bad, and merchants take them very seriously (and personally). So, knowing that this particular person had previously done a charge back, she stopped the call, asked the 'shopper' to hold for a moment, and went and got the owner. The owner verified the shopper's information, stopped the order, told the customer that he was not welcome to buy from them any more due to his previous charge back, and ended the call.

This was a case of, "fool me once, shame on you, fool me twice, shame on me". I suspect the caller was shocked. If the caller was a scammer then he might try again and next time their fraud rules should catch him (assuming he uses the same name, address or credit card) but if he doesn't then at least he knows that this friend of mine won't put up with it, nor should they.

For those of you who do not have a way of flagging problem customers, you should at least keep a "watch list" of shoppers (I hate to call them customers) who have initiated a charge back against you, so you can block them or challenge them. Obtaining the card verification number is an effective, but not fool-proof, way to protect yourself from this. You should also verify that the shipping address is an approved address for the card holder, to avoid them disputing the delivery as going to someone else, and you should, where possible, always obtain a signature. I know of one case where the courier did not obtain a signature, even though the merchant had requested it, and the merchant was able to pass the charge back cost on to the courier company.
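
Here is what such a watch list can look like in code. This is an added example, not the software my friend's company uses or anything described elsewhere on this page; the shopper data, the merchant key and the standard test card numbers are constructed for illustration. Two details matter for a practitioner: the matching runs on normalized values (so "123 Main Street, Apt. 4" and "123 main st #4" are the same address), and the full card number is never stored. The list keeps only a keyed HMAC-SHA256 fingerprint of the card digits, because a plain hash of a 16-digit PAN can be brute-forced back to the number. The screen also flags the two checks mentioned above, a missing verification number and a ship-to address that differs from the billing address, as reasons to review an order rather than block it.

```python
"""Repeat-chargeback watch list: added example, not the blog's own software.

Known chargeback shoppers are matched on normalized identifiers so that case,
spacing and "St." vs "Street" don't let them slip through. The card number is
never stored; the list keeps only an HMAC-SHA256 fingerprint of the digits under
a merchant-held key, so a leaked list cannot be brute-forced back to card numbers.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical merchant secret: keep it in a secrets store, never in source.
FINGERPRINT_KEY = b"merchant-watchlist-key-rotate-me"

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
           "apartment": "apt", "unit": "apt", "suite": "ste"}


def card_fingerprint(pan: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash of the card number's digits; rejects implausible input."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must have 12 to 19 digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_address(address: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace, shorten common words."""
    text = address.lower().replace("#", " apt ")
    tokens = re.sub(r"[^\w\s]", " ", text).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


@dataclass
class WatchEntry:
    reason: str                       # e.g. "chargeback on order 1001"
    emails: set = field(default_factory=set)
    addresses: set = field(default_factory=set)
    card_fingerprints: set = field(default_factory=set)


class ChargebackWatchList:
    def __init__(self) -> None:
        self._entries: list[WatchEntry] = []

    def add_chargeback(self, reason: str, email: str, shipping_address: str, pan: str) -> None:
        """Record a charged-back order; only the card fingerprint is retained."""
        self._entries.append(WatchEntry(
            reason, {normalize_email(email)},
            {normalize_address(shipping_address)}, {card_fingerprint(pan)}))

    def screen(self, order: dict) -> tuple[str, list[str]]:
        """Return (decision, reasons): 'block' when a charged-back card reappears,
        'review' when only the email or ship-to address matches or another risk
        signal is present, 'allow' otherwise."""
        reasons: list[str] = []
        same_card = False
        fp = card_fingerprint(order["pan"])
        email = normalize_email(order["email"])
        ship_to = normalize_address(order["shipping_address"])
        for entry in self._entries:
            if fp in entry.card_fingerprints:
                same_card = True
                reasons.append(f"card used in prior {entry.reason}")
            if email in entry.emails:
                reasons.append(f"email used in prior {entry.reason}")
            if ship_to in entry.addresses:
                reasons.append(f"ship-to address used in prior {entry.reason}")
        if not order.get("cvv_provided"):
            reasons.append("no card verification number supplied")
        if ship_to != normalize_address(order["billing_address"]):
            reasons.append("ship-to differs from billing address; confirm with the issuer (AVS) before shipping")
        if same_card:
            return "block", reasons
        return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample data: standard test card numbers, invented shoppers.
    wl = ChargebackWatchList()
    wl.add_chargeback("chargeback on order 1001", "Scammer@Example.com",
                      "123 Main Street, Apt. 4, Springfield", "4111 1111 1111 1111")
    repeat = {"pan": "4111-1111-1111-1111", "email": "new.name@example.net",
              "shipping_address": "123 main st #4 springfield",
              "billing_address": "123 main st #4 springfield", "cvv_provided": True}
    print(wl.screen(repeat))  # same card and address under a new email: ('block', [...])
```

The decision split is deliberate: a card that has already charged back is blocked outright, while an email or address match, a missing verification number, or a ship-to/billing mismatch sends the order to a person, since any one of those can have an innocent explanation.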

One question I was asked when writing this is, "How did your friend know about this person's previous charge back?". Our software has two mechanisms for protecting merchants from this... I didn't ask which one helped in this scenario but one of them did and I was happy to hear (and share) her story.

Do you have an e-commerce charge back story or want to know more about preventing and blocking repeat charge backs? Email me, chris@xmodus.com.
