
Live Chat Security: Everything You Need to Know for Secure Live Chat

Editor’s note: This post was originally published on January 5th, 2021 and has been updated for comprehensiveness.

Live chat software connects website visitors to agents in real time so customers can receive fast and efficient support. But while its popularity and effectiveness have soared in recent years, some worry: is live chat safe? This is understandable. After all, customers often share personal and sensitive information with agents, and it’s critical that none of it falls into the wrong hands.

Over the years, SaaS developers have worked with businesses to increase the efficacy and security of live chat and to overcome live chat security issues. However, the level of security offered by different vendors varies widely. This makes it all the more important to know how your live chat provider manages your data and your customers’ data, and what measures it has in place to detect and neutralize security breaches.

This blog post breaks down potential live chat security issues and outlines how Comm100 delivers a secure live chat solution through industry-leading security features and compliances.


What are the key live chat security issues – and what can be done to prevent them?

Live chat data can be breached in several ways: some are unique to this channel, while others threaten other channels as well. We’ve compiled a list of the most common live chat security issues, along with the ways Comm100’s secure live chat can help protect your company from breaches.

1. Software updates  

Improperly coded or tested software updates from SaaS providers can leave customer data vulnerable. A recent example comes from SolarWinds, a vendor of networking and security software used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and educational institutions.

In this case, 18,000 customers downloaded a software update that attackers had compromised and altered to plant a backdoor in the system. While this attack was highly sophisticated, it points to a question companies should ask when assessing software vendors: what security measures does the vendor have in place for building, testing, and installing security patches and updates?

How Comm100 stays secure: To avoid compromised updates, Comm100 performs rigorous testing of security patches and updates before they are approved by a CAB (Change Advisory Board) committee. Comm100 also conducts internal audits, including a formal risk assessment process that identifies threats and vulnerabilities. All development staff are rigorously trained in secure coding standards and web security to ensure total live chat security.

2. Flawed chat window code  

Sometimes it isn’t a security update that is flawed — it’s the live chat code itself. Live chat providers with inadequately secure chat windows and/or poor data handling practices pose enormous threats to customer privacy by leaving customer information and transcripts vulnerable to misuse by cyber attackers.  

US telecommunications giant Verizon experienced exactly this type of breach in December 2020. Ars Technica reported that Verizon had been leaking addresses, phone numbers, account numbers, and other personal information through a chat window on its website. 

Verizon recently acknowledged this glitch with a statement, telling users: 

“We’re looking into an issue involving our online chat system that assists individuals who are checking on the availability of Fios services. We believe a small number of users may have seen a name, phone number, and/or a home or building address from an unrelated individual who had previously used this chat system to enter that information. Since the issue was brought to our attention, we’ve identified and isolated the problem and are working to have it resolved as quickly as possible.” 


Unfortunately for Verizon, it wasn’t just the public transcript leaks that were damaging: reports show that the problem dated back to June 2020, meaning the leak had been going on for months before it was addressed.

How Comm100 stays secure: For secure live chat, Comm100 uses a PCI DSS compliant Secure Form to request sensitive data through the chat window. Data is encrypted in transit with TLS to ensure account privacy and data integrity, and because the data is not stored in the database, it is not accessible after the session has ended. Comm100 also has a complete incident response plan with alarm tools that notify the Information Security Team immediately of any live chat security incident. Any real or suspected incident is classified and handled according to specified procedures.

3. Vulnerable chatbots  

Chatbots have become a natural extension of live chat by helping businesses offer 24/7 customer assistance. Despite their usefulness, chatbots can also be vulnerable to attack by hackers trying to gain entry into the system.

In November 2020, Ticketmaster UK was fined £1.25m for failing to keep its customers’ personal data secure in a chatbot data breach that took place in 2018. According to the BBC: 

“An investigation found a vulnerability in a third-party chatbot that Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud. Online bank Monzo had to replace 6,000 payment cards due to fraud.”  

Ticketmaster UK isn’t the only company to fall victim to a chatbot breach. In 2019, Delta Airlines sued their chatbot provider over a data breach that occurred in 2017. The Wall Street Journal reports: 

“The airline accuses the vendor of failing to implement basic security controls such as requiring multifactor authentication for employees accessing source code and forbidding staff members from using the same login credentials, according to the complaint. Hackers modified the chatbot’s source code using compromised credentials, then monitored activity on Delta’s website and captured data that visitors entered there.” 

Delta’s lawsuit adds that the breach wouldn’t have happened if the vendor had implemented “even basic access restrictions,” which were unfortunately an afterthought for the chatbot provider.  

How Comm100 stays secure: Comm100 combines classic protections with the latest in security technology. All incoming chat requests are validated through a third-party firewall to help ensure that only legitimate requests are answered by your chatbot or live agent. This helps keep the host website and the chatbot from being compromised, and blocks foreign or unknown entities from getting hold of secure information.

Additionally, Comm100 ensures that any credit card information accepted over live chat or via a chatbot is concealed and encrypted so that it cannot be improperly used by hackers. If your live chat is available on multiple channels, it is imperative that this be the standard there too: Comm100’s Credit Card Masking feature automatically hides credit card numbers sent by visitors via secure live chat and other integrated channels, including Facebook, Twitter, Email, SMS, WhatsApp for Business, WeChat, and more.
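To make the masking idea concrete, here is an added example of how a chat platform can redact card numbers from incoming messages before they are stored or shown to agents. This is illustrative code written for this post, not Comm100’s implementation: it assumes every message from every channel passes through `mask_pans()`, treats any run of 13 to 19 digits (optionally separated by spaces or hyphens) as a candidate, and masks it only if it passes the Luhn checksum, so order numbers and phone numbers are left untouched.

```python
"""Credit-card masking for chat transcripts.

Added example, not Comm100 code. Assumptions (not from the original post):
- mask_pans() is applied to each message text, from any channel, before the
  message is stored, logged, or displayed.
- A candidate card number is 13-19 digits, optionally separated by single
  spaces or hyphens, and is masked only if it passes the Luhn checksum.
"""
import re

# 13-19 digits, allowing one space or hyphen between digits; the lookarounds
# stop the pattern from matching the middle of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_match(m: re.Match) -> str:
    """Mask all but the last four digits of a Luhn-valid candidate."""
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        return raw              # not a card number: leave the text as-is
    keep_from = len(digits) - 4
    seen = 0
    out = []
    for ch in raw:              # preserve the visitor's separators
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_pans(text: str) -> str:
    """Return the message with every Luhn-valid card number masked."""
    return _CANDIDATE.sub(_mask_match, text)


if __name__ == "__main__":
    # Constructed sample messages; the card numbers are standard test numbers.
    samples = [
        "My card is 4111 1111 1111 1111, exp 12/26",
        "order number 1234567890123 please",
        "5500-0000-0000-0004",
        "call 555-123-4567",
    ]
    for s in samples:
        print(mask_pans(s))
```

Keeping the last four digits lets an agent confirm which card a customer means without the full number ever reaching the transcript; the Luhn check is what keeps the filter from mangling unrelated long numbers such as order or tracking IDs.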

4. Phishing attacks  

With live chat, you can support your customers from literally anywhere: in the office, at home on your laptop, or even via mobile app. With this convenience comes potential live chat security risks. You need to use live chat software that can mitigate the risks of malware attacks targeting a range of devices.

Mobile phishing attacks have been on the rise since the beginning of the COVID-19 pandemic. This spike has been particularly evident in the pharmaceutical industry, where phishing attacks more than doubled from 7.06% in Q4 2019 to 15.26% in Q1 2020. This trend is in part due to the fact that well-crafted attacks are harder to spot on mobile devices. It also coincides with the targeting of employees who are working from home, where people may exercise less caution.  

How Comm100 stays secure: For secure live chat, Comm100’s Lightweight Directory Access Protocol (LDAP) and other single sign-on protocols allow your agents to access Comm100 via centralized authentication. This improves security by letting agents move between applications without re-entering usernames and passwords, which could otherwise expose them to attack. Agent passwords are protected by authenticating them over HTTPS and by storing them in company databases in irreversible (one-way hashed) form. Password complexity standards, account lock-outs, and CAPTCHA protections are also in place to prevent malicious attacks no matter where your agents sign on from.
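The three controls named above for agent passwords (irreversible storage, a complexity standard, and account lock-out) fit together in a small credential store. The following is an added example written for this post, not Comm100’s code: the scrypt parameters, the 12-character complexity rule, and the five-attempt lock-out are illustrative choices, and the `CredentialStore` class and its method names are assumptions of this example.

```python
"""Agent credential store: one-way hashing, complexity policy, lock-out.

Added example, not Comm100 code. The scrypt parameters, the complexity rule,
and MAX_FAILURES are illustrative values chosen for this example.
"""
import hashlib
import hmac
import secrets
import string

MAX_FAILURES = 5          # illustrative lock-out threshold
_SALT_LEN = 16


def meets_complexity(pw: str) -> bool:
    """Illustrative policy: 12+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 12
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def _hash(pw: str, salt: bytes) -> bytes:
    # scrypt is slow and memory-hard by design. The digest cannot be reversed
    # to recover the password; it can only be recomputed and compared.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class CredentialStore:
    """In-memory stand-in for the password table of an agent directory."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        if not meets_complexity(password):
            raise ValueError("password does not meet complexity policy")
        salt = secrets.token_bytes(_SALT_LEN)   # unique per account
        self._users[username] = {
            "salt": salt,
            "digest": _hash(password, salt),
            "failures": 0,
            "locked": False,
        }

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        rec = self._users.get(username)
        if rec is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            _hash(password, b"\x00" * _SALT_LEN)
            return "denied"
        if rec["locked"]:
            return "locked"
        # Constant-time comparison of digests.
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "denied"

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return bool(rec and rec["locked"])


if __name__ == "__main__":
    store = CredentialStore()
    store.register("agent1", "Correct-Horse-Battery-9!")   # constructed
    print(store.authenticate("agent1", "Correct-Horse-Battery-9!"))  # ok
    for _ in range(MAX_FAILURES):
        print(store.authenticate("agent1", "wrong-guess"))
    print(store.is_locked("agent1"))                                 # True
```

The store never holds a password, only a per-account salt and a scrypt digest, so a copied database yields nothing that can be replayed directly; the lock-out counter is what turns a stream of guesses into a visible, auditable event rather than a quiet success.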

5. Internal breaches  

When questioning whether live chat is safe, you can’t consider only external breaches; internal ones matter too. Reliable live chat providers must protect against internal breaches as well.

Internal breaches aren’t always intentional; some blur with external breaches, such as when an employee’s credentials have been compromised by cyber attackers and their login is used to do systemic harm. Other times, a disgruntled employee might act on their own volition to steal or leak customer or company information. Take, for example, the ex-employee of SunTrust bank who attempted to download information on 1.5 million clients to share with a criminal third party. Or the Tesla insider who made “extensive and damaging” code changes to the Tesla Manufacturing Operating System before exporting large amounts of sensitive information to an unknown organization.

How Comm100 stays secure: Comm100’s PCI DSS compliant system lets you strictly designate who is allowed access to sensitive data. Customer payment information is encrypted and kept stored in secure servers, where it cannot be re-accessed. All agent activity, as well as all changes made to your system, can be tracked via audit logs, providing accountability and protection across the board. Formal risk assessment is conducted via intensive internal audits, and any changes at the foundational level are heavily managed and regulated. 

Live chat security compliance: How Comm100 guarantees secure live chat 

It’s safe to say that the more security regulations your live chat complies with, the better. Comm100’s security regulations are designed to keep our partners and their customers safe from data breaches. Here are just some of the major security standards that Comm100 is compliant with:  

  1. SOC 2 Type II — SOC stands for “system and organization controls,” and includes a series of standards designed to help measure how well a given service organization manages and controls its information. SOC 2 Type II compliance is based on five key trust principles, and denotes the highest degree of excellence in security, availability, processing integrity, confidentiality, and privacy of customer data.  
  2. ISO 27001 — ISO 27001 certification denotes live chat providers who have implemented an ISMS (Information Security Management System) which complies with an internationally recognized set of policies, controls and practices for systematically managing information.  
  3. PCI DSS — PCI DSS compliance denotes the highest standard of security for companies who handle credit card data. PCI DSS live chat providers mask credit cards, secure forms, and use irreversible (one-way) hashing to keep passwords and other sensitive information as safe as possible.  
  4. HIPAA (Health Insurance Portability and Accountability Act) — A United States federal statute, HIPAA was enacted to help keep patient information safe and confidential. A HIPAA-compliant live chat solution is absolutely necessary for healthcare providers who engage digitally via secure chat with their clients.  
  5. GDPR — The GDPR (The General Data Protection Regulation) was introduced in 2018 and gives European citizens the right to request, access, and delete data stored by companies. Companies based in the EU or handling the data of EU citizens must use GDPR-compliant live chat, or risk steep penalties. 

Wrap-up 

As data collection and customer service platforms become more centralized, the need to get serious about digital security is clear. Your live chat provider needs security features that will keep you and your customers safe – not just on live chat, but across every customer service channel you support. 
   
Comm100 takes security seriously. Our secure live chat platform is enterprise-grade, with security features that perform at the top of the industry. As a customer-driven company, we know the true challenges of providing quality and secure live chat services, inside and out. 

Comm100’s secure live chat is used by thousands of businesses worldwide to support website visitors in real time, promoting improved customer satisfaction, improved conversions, and lower operating costs. To learn about all the security compliances that Comm100 offers, take a look here for more detail.


About Isabella Steele

Isabella is a freelance editor, writer, and blogger with Comm100. She is passionate about helping people, teams, and organizations grow into their full potential, and excel in their service. In her spare time, you can find her traveling, painting, or drinking copious amounts of coconut water. Connect with Isabella on LinkedIn.