Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

How this Retailer Could have Kept my Business with Better IT Security Process

Hmm, I thought I remembered my password. As I tried to log into my account with a large retailer known for their athletic wear, I click the forgot password link. I enter my email address.

In red letters, I see “email address/account does not exist.”

What? Must have misspelled it. Nope. Again I see “email address/account does not exist.”

Better Retail IT Security

Being in IT Security, the hair on the back of my neck rose. I immediately fear my account has been compromised. I frantically look for a support number. I dial the phone number to speak with someone in the guest education center (GEC). There is a 45 min phone wait so I click on the chat help function and click connect.

After waiting 30 min to connect to chat (these people need more customer service people!) the chat agent says:

“you don’t have an account. I see you have purchased before, but you did so anonymously. I would be happy to create a new account for you.”

I tell her that no, that’s not correct. I have had an online account with them for years.

“Well you must not have had an actual account because my system shows you as purchasing items anonymously. I’m happy to create one for you. I can do that right now.”

I know this is not true. I did have an account. When I tell her I fear there has been a security compromise and that I’d like to speak with someone more knowledgeable about security I’m floored.

“No. Sorry, only I can help you. There is no one else. I can just create a new account for you.”

I respond no thank you and end the chat with no escalation.

Anger, frustration, fear. They did not seem concerned about my security issue at all. No path to resolution. I quickly look at the activity on my credit cards. No suspicious purchases yet; that’s something.

I need to actually talk to a live person so I call in and wait almost an hour when told there is a 45-minute wait.

Finally a live person. Fast forward, essentially I go through the exact conversation with the agent as I did on chat. Live rep from the GEC says:

“Looks like you don’t have an account. I can create a new account for you.”

I respond firmly “NO! I need to find out what happened to my original account. I did have one.” I press on and have to insist there is a security issue and she needs to take this seriously.

She relents and digs in further and she actually finds my account. Relief... they have finally, after at least an hour and a half, confirmed I have or had an account.

“That’s strange, it looks like you changed your login to a nonsense email. But you don’t have the ability to change your login.”

OK, since “I” can’t change it, that seems suspicious now doesn’t it! She gives me the nonsense email and a temporary password over the phone. I was able to login successfully. I see all my past orders so yes, confirmed. It is my account.

And then I see it. There is a new Ship-To address. An address I’ve never seen before going to a strange address in Delaware. I copy the address and do a quick web search and what pops up are 10 links to “SCAM – Beware of this address” links.

Just as I feared. I tell the agent, I need to speak with someone in IT or Security right now.

I am now over two hours into this process and I am finally forwarded to someone in IT. It’s the company’s internal IT group for employees, not customers, but, hey, I’ll take it. I’m getting closer to someone that might be able to help me.

“Yes, this does sound suspicious. The only thing I can do is create a ticket for the security team. They can investigate it. Call me back tomorrow and I’ll try to give you an update if I have one.”

Two and a half hours.


I call the next day (why couldn’t they proactively call me?) and the rep I spoke with has gone for the day. Nobody else there can help me and I’m told to call tomorrow.

Two days later, I speak with the IT person who says,

“Yes, your account was compromised. Security has confirmed it. I can’t help you because I’m in internal IT. Please send the security team an email at this address and they’ll get back to you…”

Good grief, now I have to send an email? Why couldn’t they have sent me an email right away telling me to do this rather than making me call in? And why isn’t someone from security reaching out to me directly? Why didn’t they give me that email address two days ago?

Another day goes by but security finally responds to my email and calls me. They said they recognized it was a fraudulent shipping address and they cancelled the order and purposely killed my account by changing the address to a nonsense email. I asked when this happened.

“It happened about 2 months ago.”


In the end, it took almost FOUR days for me to speak with someone who could tell me what happened and answer where my account went and that there was an issue two months ago that nobody told me about.

AND, there is no way to recover my account. All my past history is gone. Along with my spirit.

A benchmark report from New Voice Media found that 62 billion dollars were lost in 2016 due to poor customer service.

This entire experience dealing with the company was exhausting and unsatisfying. I don’t view their brand the same anymore and I’m not sure I will shop there again. If I had not been savvy from a security perspective, I probably would have just had the new account created and been none the wiser.

The fact that my credentials were compromised and the fact that customer service didn’t instinctively think there was a security issue was not exactly a surprise to me. In the latest Verizon Data Breach Investigations Report, 81% of data breaches involved weak or stolen credentials. And another study on the Growing Security Threat of Insiders found that even though 95% of organizations provide security training, only 10% believe the training is very effective.

How could this have gone better? Wow. In so many ways!

Here are a few ideas on how they could better address both customer service and preventing credential compromise. In the end, these things can go a long way to retaining customers and keeping the bottom line growth in the right direction.

4 Things Online Retailers can do to Better Address Customer Security Concerns/Issues and Retain Customers

IT Security Awareness for Customer Service

Customer service is the front line of every business. They need to be trained to identify possible security concerns, and if a customer “thinks” there is a security issue, don’t argue with them or dismiss their concerns. A customer is voicing distress, and it’s possible the security team isn’t aware of the issue, so it needs to be taken seriously. Customer service needs to be given a clear path on how to escalate these types of customer concerns to a specialized team that can address them.

Provide a Security / Fraud Hotline

If people think there is a security issue, assume there is and give them a quick, easy path to get support fast.

Be Proactive with Communications

If a customer thinks they were a victim of fraud, or if the company knows a customer is a victim of fraud, provide timely and clear communications. Tell them exactly what happened to their account and how/when they were exposed. Proactively reach out to them. Don’t put the burden on the customer.

Add Multi-Factor Authentication

Adding some type of multi-factor authentication to the checkout process when an address different from the billing address is used for shipping can help with verifying that the transaction and the buyer are legitimate. This would let a customer know in real time if someone might be trying to use their credentials, allowing them to deny the transaction and quickly remedy the situation. It could also prevent having to completely kill someone’s account. This blog on “Finding Nirvana: Preventing Threats vs Disrupting Business” talks about more ways that MFA can be used for threat prevention.
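The following is an added example of the step-up rule described above, written for this post rather than taken from the retailer or from Preempt. It decides whether a checkout should be challenged with a second factor: only when the ship-to address differs from the billing address and has never been confirmed on the account before, so routine purchases are not interrupted while a new, unknown destination is. The policy, the class and function names, and the sample addresses are all assumptions constructed for the example.

```python
"""Risk-based step-up authentication at checkout (added example).

Policy assumed here: challenge with MFA only when the ship-to address
both differs from the billing address and has not been confirmed on this
account before.  A known address, or shipping to the billing address,
goes through without friction.  Once a challenge is passed, the address
is remembered so the customer is not asked again.
"""
from dataclasses import dataclass, field
import re


def _norm(s: str) -> str:
    """Lower-case and drop everything but letters and digits so that
    '123 Main St.' and '123 main st' compare equal.  Deliberately small;
    a real system would use a postal-address canonicalizer."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


@dataclass(frozen=True)
class Address:
    line1: str
    city: str
    region: str
    postal_code: str

    def key(self) -> tuple:
        """Normalized, hashable form used for comparison and for the trusted set."""
        return (_norm(self.line1), _norm(self.city),
                _norm(self.region), _norm(self.postal_code))


@dataclass
class Customer:
    email: str
    billing: Address
    # Address.key() values the account holder has confirmed via MFA before.
    trusted_ship_to: set = field(default_factory=set)


@dataclass
class Decision:
    require_mfa: bool
    reasons: list


def assess_checkout(customer: Customer, ship_to: Address) -> Decision:
    """Return whether this checkout needs a second factor and why."""
    reasons = []
    key = ship_to.key()
    differs = key != customer.billing.key()
    if differs:
        reasons.append("ship-to differs from billing address")
    # An address equal to billing is implicitly trusted, so only a
    # differing address can be 'unseen'.
    unseen = differs and key not in customer.trusted_ship_to
    if unseen:
        reasons.append("ship-to never confirmed on this account")
    # The challenge itself is the real-time signal to the account holder:
    # a legitimate buyer completes it, anyone else cannot.
    return Decision(require_mfa=unseen, reasons=reasons)


def confirm_ship_to(customer: Customer, ship_to: Address, mfa_passed: bool) -> bool:
    """Remember a ship-to address after a passed challenge so the customer
    is not challenged for it again.  Returns True if the address was added."""
    if not mfa_passed:
        return False
    customer.trusted_ship_to.add(ship_to.key())
    return True


if __name__ == "__main__":
    # Constructed sample data; none of these addresses or accounts are real.
    billing = Address("123 Main St.", "Springfield", "IL", "62701")
    customer = Customer("customer@example.com", billing)

    # Same address as billing, typed differently: no challenge.
    print(assess_checkout(customer, Address("123 main st", "springfield", "il", "62701")))

    # A never-seen address in another state: challenge before shipping.
    new_addr = Address("1 Unknown Way", "Dover", "DE", "19901")
    decision = assess_checkout(customer, new_addr)
    print(decision)

    # Account holder passes MFA, address becomes trusted for next time.
    confirm_ship_to(customer, new_addr, mfa_passed=decision.require_mfa)
    print(assess_checkout(customer, new_addr))
```

The key design point is that the second factor is tied to the risky event (a new destination for goods) rather than to every login, which is what keeps the friction on the attacker instead of the customer. It also gives the account holder a chance to stop the order in the moment, instead of the security team quietly cancelling the order and disabling the account weeks later.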

Taking customers’ IT Security concerns seriously is extremely important. It can have a huge impact on the business both in terms of customer retention and protecting an organization from a security breach.

Topics: Credential Compromise, Identity Verification, Multi-factor Authentication, Security Skills,

Posted by Preempt on November 3, 2017 8:24 AM
