This is page 3 of:
Letting Customers Chase Your Thieves Gets Something More Valuable Than A Nabbed Thief: A Loyal and Happy Customer
For merchants or others who suffer breaches, the lesson is that your customers may be more interested in conducting an investigation than you are. They may have more information, resources or abilities than you do. If a breach is the result of a “skimmer” attached to a terminal or ATM machine, some customer may have seen something but will report it to you only if you provide the customer with enough information to enable him/her to help you.
The customer or you can use things like social networking and crowdsourcing to learn of patterns of activity surrounding the fraud that may not have been possible with discrete bits of information. This may, or may not, result in better investigations and possible prosecution and deterrence.
Even if there is no criminal prosecution as a result, this gives the merchant the ability to enlist the help and support of the data subject. It empowers that person, gives him/her a sense of control (and not mere powerlessness) and reinforces the position that you, like that person, are the victim of a crime, not a perpetrator. It reinforces the idea that you and your customers are working together and that you have their interests at heart.
If the data subject’s assistance is particularly useful or diligent, you can reward his/her efforts with things such as discounts or coupons. Indeed, these things can be used as incentives for information—you know, like a digital wanted poster. In doing so, you will need to be careful as you tread the fine line between encouraging investigation and vigilantism.
In the E-mail hack case, I wanted to find out the IP address from which the spam was sent, whether my wife’s user ID and password were used or whether there were multiple unsuccessful attempts to access the account. I also wanted to know whether spam was sent to people on her contact list, or others, and if there was a pattern. The provider was, shall we say, uncooperative and disinterested. And that is not what you want to be in the event of a breach—especially if the breach may have been your fault.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.
–Sophia Shahnami contributed to this column.
-Marc
November 8th, 2011 at 11:51 pm
I absolutely agree with you. Anything less than getting your customers involved is like watching someone get beaten in front of your house while you do nothing.
If more merchants and customers got involved, I think we’d see a less cyber-crime. As you mentioned, privacy issues and all the other excuses are tossed around and anonymity runs wild.
Merchants, service providers, and all the others need to share information. It’s proven to make things happen. Programs like Ethoca’s FraudStop have proven it.
November 10th, 2011 at 10:07 am
Unfortunately, no one of importance, the merchant much less the police or card issuers and associations, are interested in pursuing these criminals. Criminals know this so they continue to operate with reckless abandon. UNTIL someone in one of those entities or who is high profile is compromised, then it’s Katie, bar the door.
If you remember the article about how one broken window leads to another then to more vandalism and crime you see how important it is to pursue, apprehend and punish to the greatest extent possible the small time hacker you send a strong message that this activity will not be tolerated at any level, hence diminishing the overall problem. Yes it takes investing a dollar on dime issue but dime make dollars and dollars left unprotected leads to hundreds of dollars of problem.