Evil Bot or Personal Shopper? Consumer eCommerce is Broken

The idea that you must prove you are an individual human before entering an online store is a ludicrous relic of the past. Bots have become synonymous with evil when they should be seen as enablers that aren’t going away – for better or worse. Time for them to work for us, not against us.

On the one hand, consider a recent article in the Wall Street Journal:

"Nike to Crack Down on Sneaker-Buying Bots, Dealing a Blow to Resale Market" (Wall Street Journal)

On the other hand, every week, a new consumer business data breach brings about new knee-jerk reactions and pushes us further into a more frustrating online customer experience.

These are two symptoms of an increasingly broken digital engagement model for consumers.

B2B vs B2C

Business-to-business digital engagement practices evolved from a long history of distant geographic relationships. Delegations, contracts and financial intermediaries grew to scale business to incredible volumes and geographic breadth. This scale would never have been possible if the CEO had to personally sign into every supplier website, place every order and make every payment from their personal wallet.

During this time, business-to-consumer digital engagement practices have not evolved at all. An online store still assumes that a person ‘walks’ into that store as they’ve done for thousands of years. If the consumer isn’t using cash (difficult in an online store), they have to provide some ID – not to prove who they are – but to prove that they have access to the non-cash finance in their name – i.e. know your customer has the money.

Early in my lifetime, you needed to show a driver’s licence to pay with a cheque to see if the names were the same. Now you have to use an email/password/MFA combination to authenticate via a payment provider’s interface and return a token to the merchant to prove you have access to the non-cash finance.

Somewhere along the way, the need to prove that the non-cash finance is available became a ‘need’ to capture as much data as possible. This ‘allowed’ the business to ‘serve you better’ and market to you independent of any financial requirement – sometimes that includes the store keeping your driver’s license details too.

Untapped Digital Consumer Opportunities

Digitisation should offer amazing opportunities for consumers to discover and acquire amazing products from anywhere in the world, whenever they want them.

The global digital marketplace is too large for any individual consumer ever to know and offers an extraordinary opportunity for intelligent search, ‘AI’ machine learning services etc. Your current Google search result is more like an old local phone book when compared to the vast size of today’s global digital marketplace.

While Amazon markets itself as the ‘everything store’ – it only covers the merest fraction of the online consumer market. Even then, I defy anyone to stroll through the Amazon aisles confident that they found the best supplier, product and price to meet their requirements in the marketplace.

To tap into the potential value of global digital commerce, consumers must delegate their shopping to ‘digital buyers’ – authorised agents that are always scanning the market for buried treasure and buying it ‘on the spot’.

Unfortunately, today, consumer-facing search APIs are restricted to discourage high-volume scanning. eCommerce website and app interfaces do their best to get you to prove that you are indeed the unique individual who has entered the store.

There’s an ongoing battle between the eCommerce developers, search platforms and the ‘bot’ developers to be able to discover and interact with services programmatically. To a large extent, this battle is being fought by businesses that still try to be your only store in the area (or at least in your attention span).

I’m confident that this engagement model will evolve, but I hope it won’t take thousands of years.

What to do?

Developers should redirect some of the time fighting the bots to making it easier for customers to delegate to their authorised buying bot – leading to more sales for the retailer and better consumer experiences for the customer.

In the short term, you can help by lobbying your service providers to offer an option for you to formally delegate some of your account access to approved and secure programmatic buying services.

Identity Compromise as a Service

Yet another report of a massive leak of personal data by a large service provider is in the news. No longer surprising, and no sign of legitimate mitigations on offer – other than ‘be vigilant – keep on the lookout for unexpected uses of your personal information’.

Many of the posts in this series have focused on the evolution of digital service models in which consumers pay the price of attention, management oversight, and data entry effort on behalf of service providers. In addition, consumers also agree to provide personal information as a prerequisite to accessing a service to ‘authenticate’ the consumer and make it easier for the supplier to provide services through digital interfaces.

Historically we have encouraged diverse ecosystems of suppliers to ensure competition and incentivise innovation. An owner’s experience can be enhanced with a greater choice of service providers and product suppliers – particularly if our ‘relationship’ begins and ends when we enter or walk out the door. In this early digital era, we enter into a ‘relationship’ with every supplier through consensual access to our personal information as a prerequisite to receiving the product or service.

My personal information is held by thousands of suppliers who have no incentive to care for that information in the way I would. Redundant and outdated copies of my data are spread across countless data stores – I’ll never know where and most of my ‘trusted’ service providers don’t know where it is either.

In the business-to-business space, it would be ludicrous for a company to keep the corporate information of every one of their customers. A tax file number, maybe bank account or payment intermediary details – that’s all. In the business-to-consumer space, gathering as much data as possible about customers has become the norm, and exploiting that data to push more sales the goal.

The much-vaunted 2-factor authentication does nothing to limit the policy of consumer data scraping. It does, however, move us to the point where we’ll need to use a combination of user, password and mobile phone code every time we want to access a service – more work for the consumer and no responsibility being taken by the service provider. Passive data harvesting and analysis is still a very rewarding activity and does not require 1- or n-factor user authentication.

The only way this situation will improve is for providers to accept and consumers to adopt a personal authentication agent that provides approved interface keys and negotiates and records all data exchanged with each provider. While an individual’s data can still be hacked, the damage is limited to one individual. The same hack on today’s providers damages millions of consumers.

Who or what do you trust #1?

Despite some technology hype, there’s no such thing as ‘trustless’ transactions between humans. Just because I have a valid key doesn’t make me a trustworthy key holder and if my digital credentials are invalid it doesn’t necessarily mean that I am untrustworthy. Digital security and trust, like other themes explored in this blog, are evolving in ways that are often incompatible with a world that increasingly relies upon the blending of electrons and humans.

I recently visited my elderly parents, who live in a beautiful semi-rural area in the US where many of the people are holidaymakers or retirees. The area has all the modern conveniences as well as some vestiges of the land that time forgot – including a local internet service provider that has aged along with many in the community.

This ISP offers email services and bandwidth at about a tenth of the speed and capacity of national competitors for a similar price. It also offers extraordinary customer support that reflects the community it serves.

Soon after I arrived, both of my parents began having issues with their email. Their first thought was that I might have broken the home Wi-Fi through my excessive (i.e. that of an average digital participant) data consumption across multiple concurrently connected devices (crazy stuff!). Looking into it, I saw that the ISP plan they were on offered very low speeds, but the modem and router were working, albeit slowly. As a trusted intermediary, I asked them for their passwords so I could look at the ISP’s email account setup and was given a collection of coloured post-it notes with three or four passwords on each, marked with uncertain notes like ‘pc’, ‘ipad’, ‘apple’, ‘nokia’, ‘old’, ‘lulu’, ‘new’, ‘newer’ etc. None of these seemed to work – not even the blue ones – and they suggested calling the ISP. I said that the ISP wouldn’t be able to help because their passwords were encrypted and we’d have to reset them – no, we need to call Mike or Lulu.

So I called, and the phone was answered in two rings (!) by Mike, who spoke to my dad and got him to guess what parts of the correct password might be – I think it has this or that number in it – yes, says Mike, and there’s a short word before the number – what might that be? No, not that one; yes, that’s the one. Password (unencrypted on Mike’s end) confirmed – first problem solved, but my cyber security sensibilities were in meltdown.

Mike and I could then establish that my parents had thought that every email client had its own password (totally reasonable for those who became digital aliens around 1998). Each time a device was turned on (because of course you don’t want to wear out your mobile phone and tablet by leaving them on all the time), it would try to connect to the email account with a different (out-of-date) password and lock the account after three failed tries.

After an hour or so of deducing all this, everything was sorted – I fixed the email setup on the PCs and portable devices, and Mike and I tested each connection, with me on the clients and him observing on the server. During all this time Mike had to stop and take other calls, and then called me back!

Some of you reading this would have paused at the point where Mike was clearly looking at my parents’ unencrypted passwords and reading their email to see if test messages were getting through. Without this level of service, though, my parents simply wouldn’t be able to reliably manage their email access on a day-to-day basis.

My parents trust Mike and his employer, and Mike trusts that my parents are who they say they are – and that’s pretty easy because they have some consistent, unique and sometimes pretty frustrating analog characteristics. They have a human trusted relationship and a service arrangement that is ‘old fashioned’ and simply unavailable through ‘modern’, secure and less expensive competitors.

Thanks for your care and patience Mike – a pixie in human form.