Everything has a price. And the price for a richer consumer experience online and via mobile — one of the defining trends of payments and commerce in 2019, and probably well into the 2020s — is that the code that creates those experiences often leave opening for fraudsters to exploit.
In a new PYMNTS interview, Karen Webster talked with Sumit Dhawan, CEO of Instart, about the reasons for that problem and what can be done to fix it. At stake could be nothing less than merchant reputation and revenue as eCommerce continues to take up a bigger part of retail.
The problem, in one sense, is that retailers are creating deeper and richer consumer experiences via browsers, Dhawan told Webster — browsers where consumers enter a host of personal information including addresses, ages and payment details. The problem extends beyond retail into an area such as healthcare, where personal information can be even more sensitive. But the people who write the code for those better, richer sites don’t always put enough focus on security — either from ignorance or because of the pressure of tight deadlines — and that leaves what amounts to holes in the digital fence that criminals can use to steal personal data.
“It’s fairly new,” Dhawan said of this particular fraud and hacking threat. For some companies, it will be less of a problem than for others. “Amazon can hire an army of engineers,” he said. Smaller players cannot. They buy modules and code from third-party vendors and the larger supply chain and don’t write the code themselves.
That leaves such companies vulnerable to weaknesses in such code — gaps that may be widespread and well-exploited by fraudsters. And all that code is running on browsers that consumers use for retail, payments, healthcare and other common activities. Not only that, but pressures keep building for better consumer experiences and more and more code to make that happen, which leaves even less time to figure out where those fence holes are.
The problem is pretty far-reaching, Dhawan told Webster, with monitoring showing that many companies that would be considered pretty good on security having these browser flaws. The company pointed to an incident in 2018 as one example of this trend. That’s when a hacker group known as Magecart reportedly stole payment details from thousands of Ticketmaster customers. As well, the FBI recently issued a warning about web skimming.
“Across all industries,” Dhawan said, “we were surprised at how much of this information was vulnerable.”
One would think merchants would be first in line to fix it, but they are not. The reasons include not only cost and time, but the tendency of many merchants to wait until consumers complain before fixing something. And not all developers — even if they have the time — have the necessary knowledge of security to write those fixes into the code under tight deadlines.
So that leaves matters largely in the hands of consumers, at least according to how Dhawan told it to PYMNTS. Instart has just launched a product called Privacy Alert, which the company describes as “a free Chrome plugin that makes it easy for anyone to understand if websites are potentially allowing third parties, such as Facebook, Google, a chat widget, or even a malicious piece of web code, to access the private information like a credit card number, password, or even a Social Security number that they enter into form fields or that is stored in cookies.”
The idea, according to Dhawan, is to not only give consumers more visibility into potential security threats as those consumers go about their online business, but perhaps even provide an incentive to developers to fix those fence holes in their code. “Our objective is to raise awareness of this issue,” he told Webster. “Consumers can see what type of risk their information has as they are entering their information on a website. We give them information about what fields might have vulnerabilities.” As well, the product warns that uncommon scripts might be in use — a signal of potential risk and potential fraud. “We have the vision of making the Internet safer to browse,” he said. Such alerts, he added, could encourage developers to think harder about security and strive for zero vulnerability in their code.
Consumer experience will become even more vital in the coming years, assuming current trends hold. But whether consumers take more control of their security via plug-ins or other methods is a big question. And you can bet criminals know that and are working hard to find ways inside those systems. Every little bit can help, but preventing fraud is always a tall order.