Thursday, October 09, 2008

Is CAPTCHA still effective as a security test?

CAPTCHA is a security provision designed to confirm that an online user is actually human by asking them to complete a simple test which is difficult for computers to interpret.

Often appearing as wavy or handwritten words and numbers, CAPTCHA (standing for Completely Automated Public Turing test to tell Computers and Humans Apart) has been widely implemented as an online security confirmation system within email systems, blogs, ebusiness and egovernment sites. In fact you'll see it in use when commenting on this blog.

Example of a modern CAPTCHA image (source: Wikipedia)


However CAPTCHA is increasingly under threat due to the multiple ways of circumventing this security and organisations need to consider whether it is still worth implementing CAPTCHA or more advanced security systems.

How effective is CAPTCHA?
As was recently reported in AllSpammedUp, spammers are once again attacking Microsoft's CAPTCHA, used in their Hotmail email system to distinguish between legitimate human customers and automated spam systems.

While 10-15% doesn't sound that significant, given that spammers are able to use automated systems to create hundreds of email addresses a minute - then use the successful ones to distribute spam email - that level of success is quite high.

Hackers are also able to use cheap eyeballs from third world countries to break CAPTCHA - with Indian crackers paid $2 for every 1,000 CAPTCHAs solved.

Other techniques also exist to break CAPTCHA, such as advertising a porn site, embedding CAPTCHA codes from legitimate sites and asking people to solve these codes in order to access the adult content for free.

Given all these different ways to defeat CAPTCHA tests, and the barriers for those with vision impairments (who are often unable to complete visual tests where an audio equivalent is not provided), let alone the difficulties real humans have in interpreting CAPTCHA tests correctly, this approach to security is seriously under threat.

However effective alternatives to validating that humans are really humans are not yet available for use.

Where next for CAPTCHA?
Microsoft and other large providers of online systems remain dedicated to strengthening CAPTCHA technology, even where the line of what is actually readable by the average human begins to blur.

They have few alternative tests that effectively distinguish a human user from a computer and so help minimise the success of automated hacking attempts.

Some mechanisms already coming into use are to ask questions via CAPTCHA text which is based on trivia more difficult for a machine to guess, or to have multiple CAPTCHA images which must be reinterpreted based on additional text - also stored as a CAPTCHA image.

All of these remain vulnerable to cheaply paid third-world CAPTCHA breaking groups, although they do increase the difficulty for machines.

Where should organisations use CAPTCHA?
Given the lack of alternatives, organisations need to continue using CAPTCHA, but selectively apply other methods of detecting machine-based attacks (such as rapid or logically sequenced attempts at creating accounts or logging in).
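One way to implement the "rapid or logically sequenced attempts" check described above, as an added example that is not part of the original post: it scans a constructed sign-up log and flags sources that register too quickly or request usernames that count upward. The log format, thresholds and function names are assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample sign-up log: "seconds-since-start source-IP requested-username"
SAMPLE_LOG = """\
0 198.51.100.7 alice.w
2 203.0.113.9 mail1001
3 203.0.113.9 mail1002
4 203.0.113.9 mail1003
5 203.0.113.9 mail1004
61 192.0.2.44 user7
300 192.0.2.44 user9
"""

def parse(log):
    return [(int(t), ip, name) for t, ip, name in (l.split() for l in log.splitlines())]

def rapid_sources(events, max_attempts=3, window=60):
    """Sources with more than max_attempts sign-ups inside `window` seconds
    (both thresholds are assumed values; tune them against real traffic)."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) > max_attempts:
            flagged.add(ip)
    return flagged

def sequenced_sources(events, min_run=3):
    """Sources whose usernames share a stem and count upward (x1, x2, x3, ...)."""
    by_stem = defaultdict(list)
    for _, ip, name in events:
        m = re.fullmatch(r"(.*?)(\d+)", name)   # stem + trailing number
        if m:
            by_stem[(ip, m.group(1))].append(int(m.group(2)))
    flagged = set()
    for (ip, _), nums in by_stem.items():
        run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(ip)
    return flagged

def review_queue(log=SAMPLE_LOG):
    events = parse(log)
    return {"rapid": rapid_sources(events), "sequenced": sequenced_sources(events)}
```

Sources flagged by either check can be sent for manual review or a stricter challenge rather than being blocked outright, since shared addresses can trip the rate check legitimately.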

Where possible CAPTCHA should be used only to validate the 'humanness' of a user, rather than as an outright security measure, thereby limiting system vulnerability.

Finally organisations need to use the most current versions of CAPTCHA and update regularly to reduce the risk of intrusion to only the most sophisticated hackers.


The case for offering live customer support online

There are a variety of ways to simply and cost-effectively offer customer support online and, given that it's not yet common in the Australian public sector, I thought I'd quickly outline my own thinking on the case for and against offering this type of service.

In this post I'll focus on text chat - the simplest mechanism for live customer engagement online.

There are also more complex approaches, including asynchronous voice chat, synchronous voice chat, video-conferencing, co-browsing and virtual presence. I believe that an organisation needs to come to terms with basic text chat before exploring these options.

What is text chat?
Text chat refers to the ability to send and receive text between individuals via the internet. In the context of customer support, this approach commonly involves accessing a chat window within or as a pop-up out of an organisation's website.

Within the window the participants can type in their questions, comments and responses, review them and then send them to the other person in real-time.

This is different to email in that the exchange is real-time and is fully visible to both parties at all times.

Who uses text chat?
USA.gov, the main US government portal, uses a Java custom-built web text chat tool with set opening hours and a decent privacy policy regarding use.

The Utah and Virginia state governments make good use of text-based chat, via a third-party service named Livehelper. This is a footprint free, low cost approach well suited to initial steps into the channel. Also using the tool is the US National Cancer Institute.

In Australia, there are few government agencies using text chat at this time for customer or public engagement, with the National Library being a standout - supporting cobrowsing via a third party service, Questionpoint, produced by the US Library of Congress and the Online Computer Library Center.

Others include the National Cervical Cancer Screening Program and the State Library of Victoria.

The Queensland government used to provide an online chat service for community consultation via Generate, using IRC (Internet Relay Chat), but discontinued this in 2004. A good presentation on the service, Ministers Online (PDF), is available from AGIMO.

Several government bodies, such as NSW Health, use it within elearning sessions and some, such as the NT Department of Employment, Education and Training, make it available for supporting remotely located students and teachers, but do not make it publicly available.

Benefits of text chat
There are a number of benefits in the use of text chat, both for customers and an organisation.

For organisations,

  • A single customer service operative can engage with multiple customers at once, each in a separate text chat window (my rule of thumb is that a person can effectively engage in one phone conversation or three chat windows - making chat a more effective use of resources).
  • Customers can be anonymous or required to self-identify (according to the needs of the organisation).
  • Text chat can be secured - making the information sent and received difficult to tap into and protecting customer privacy.
  • Text chats can be queued like phone calls, with a timer providing details of where the person is on the queue to be answered.
  • Text and web addresses can be pasted into the chat window to provide 'canned' answers for common questions, or to point to further information.
  • Customer service operatives can review the text they intend to send a customer before sending it (whereas on phone calls it is much harder to review the words before they leave a mouth). This lets them remove potentially emotive words or phrases that detract from the message.
  • The text chat is recorded, leaving a permanent (legal) record of the conversation and can be saved and stored in the organisation's CMS application.
  • The customer IP address can be logged for use if the customer is threatening or abusive. This reflects having their phone number - the customer is traceable.
  • Text chat logs are fully searchable by keyword, and can be organised into topics to support later analysis.
  • Chat doesn't need to be available all the time. The organisation can switch it on and off as resources are available (whereas phones are required to be 'on' at published business times).
  • Customers who refuse to call may engage via this channel, meaning that otherwise unraised issues can be addressed.
  • Chat can be managed from any staff location - even offsite. It is possible for home-based staff to provide chat responses, if the organisation allows this, much more cost-effectively than when attempting to route phone calls.
  • Customers can be sent on to an (optional) online survey addressing the quality of the chat when it concludes. This provides an effective interface for quality-checking the channel and each individual engagement.

For customers,
  • Text chat is less invasive than waiting on a phone line, requiring less attention and freeing the customer to go on with other things while waiting to have their 'call' answered.
  • Customers can engage in text chats more discreetly than they can engage in phone calls.
  • Customers can provide customer service operatives with links to or paste in the information they are having difficulty understanding.
  • Customers also receive a permanent record of the conversation for their own records - removing any ambiguity on what was discussed (as can occur with phone calls).
  • Having the exchange in text reduces the emotional context of voice.
  • Lower cost than a phone call where a free number does not exist.

Disadvantages and risks
  • Text chat doesn't provide the same number of conversational cues as voice chat or face-to-face meetings. However it is possible to escalate a text chat by asking a customer to call (or calling them) or come to an office.
  • The organisation or customer may perceive security risks in text chatting. Although these risks are generally equivalent to those of a telephone conversation, chat is newer and some people have greater trust issues with it purely due to their lack of familiarity with it.
  • It may not be possible to get sufficient information about the customer to exchange certain information. In this case the customer service operative can escalate to phone or face-to-face.

Reasons to not introduce text chat
  • It is an additional service to manage (though can normally be managed via existing resources).
  • The customer need for this channel is undefined (and will remain so until a pilot is run).
  • As it is online, the channel is less established and not as well understood by organisations (and will remain so if not trialled).
  • An organisation may receive more customer enquiries (as the barrier to contact is lowered).
  • It may require ongoing ICT support (though options exist to fully outsource a text chat function and indeed this is the more usual practice).

In brief
Text chatting can be a more efficient use of customer service operative time while simultaneously supporting more flexible information sharing than phone-based communication.

It does not replace phone use, but instead supplements it by providing an alternative customers can choose to use to engage an agency. It can be managed through existing call centres, generally under existing phone and written correspondence policy, and can easily be run as a pilot before a more complete implementation.

Due to chat logging, both the organisation and the customer can have an accurate record of the contact. This can be stored with the official customer record for later reference in a way that is difficult to achieve with phone based communication.

The primary risks are around security and staff written communications ability - both of which can be managed.

Security can be addressed through appropriate communication of the risks to customers, allowing them to choose whether they wish to engage in this manner, similar to the warnings at the start of phone conversations "This call may be recorded". As chat doesn't replace other engagement channels, customers are not disadvantaged if they do not wish to use it.

Staff's ability to manage the channel can be addressed through training, selecting staff already competent at written customer communications and by placing appropriate guidelines in place (as commonly exist for phone or written correspondence).


Wednesday, October 08, 2008

Do your customers expect you to be online?

The 2008 Cone Business in Social Media Study in the US has found that 93 percent of social media users believe a company should have a presence in social media, while 85 percent believe a company should not only be present but also interact with its customers via social media.

With 60 percent of Americans now reportedly using online social networks, this means that more than 50 percent of the US population believes that the organisations they engage with require a social media presence.

Extrapolating this to Australia, which generally runs a few years behind the US, there are strong reasons to look seriously at engaging via social media channels.

It is estimated that almost half of all Australians use online social media (Nielsen). As such I'd expect that at least a third of Australians would similarly want to find Australian organisations represented at social media sites and around a quarter expect to engage them online.

As Australian Anthill's Brad Howarth suggests in the article, Not just for kids - social networks just grew up,

If social networking isn’t part of your marketing strategy, the only person’s time you’re wasting is your own.


Here are a couple of other interesting findings from Cone's report on how organisations are expected by their customers to engage,
  • Companies should use social networks to solve my problems (43%)
  • Companies should solicit feedback on their products and services (41%)
  • Companies should develop new ways for consumers to interact with their brand (37%)
  • Companies should market to consumers (25%)


Tuesday, October 07, 2008

50 ideas on using Twitter for organisations

Following from my post this morning on Telstra's use of Twitter, Chris Brogan wrote an excellent piece last month on how organisations can use Twitter to better engage their customers titled, 50 Ideas on Using Twitter for Business.

For me (as it was for Chris) the number one reason or idea for using this type of tool is for listening to your constituency. Hearing what real people are saying about your organisation, services and topic area provides an ongoing temperature of public opinion.

Another key reason in my view is for building an organisation's online reputation.
Most communicators understand that their organisation's public reputation shapes how people engage with them, thereby influencing their capacity to send messages out to their customers as well as their capacity to provide effective customer service.

However in my view few Australian organisations (particularly in the public sector) have as yet grasped how important it is to establish a sound online reputation. Assuming that their past reputation will carry over only goes so far, and it can rapidly be damaged through inept online engagement (or no online engagement at all!)

Laurel Papworth explains this well in her article, Twitter: Reputation Management in Social Networks.

She uses the diagram (illustrated below) to explain the stages in development from creating an online profile (not simply a 'corporate' website!!) to building reputation and trust-based relationships.



Incidentally, the power of Twitter to allow customers to self-organise rapidly is demonstrated in one of the most recent posts in Laurel's blog, Twitter Agency - crowd sourced consultancy.


Telstra does Twitter

Telstra recently took up 'tweeting' as a channel for providing customer service.

Discussed via their Nowwearetalking site, there's been a lot of initial feedback on the approach taken.

Telstra has also linked to some of the broader online commentary in their post.

This step helps legitimise Twitter and microblogging as a customer service option for Australian organisations.

It also provides insights for other organisations so they can learn from both Telstra's missteps and successes.

I'm watching carefully to see how Telstra's foray into microblogging goes. The channel has been used successfully in the US.

When executed well I believe it has customer service and marketing/PR benefits in some, but not all, service delivery areas.
