Jump to content

Archived

This topic is now archived and is closed to further replies.

AngusD

Advantage and disadvantage of a customer login action recorder

Recommended Posts

Hi,

 

I'm thinking about adding a customer login action recorder, but I'm not sure about the advantages and disadvantages.

 

Advantage:

"Brute force" login attempts harder to achieve?

Increased customer security?

 

Disadvantage: 

Chance to annoy forgetful customers? (negligible?)

 

Are there any other points that speak in favor or against a customer login action recorder?

 

AD

Share this post


Link to post
Share on other sites

Hi,

 

I'm thinking about adding a customer login action recorder, but I'm not sure about the advantages and disadvantages.

 

Advantage:

"Brute force" login attempts harder to achieve?

Increased customer security?

 

Disadvantage: 

Chance to annoy forgetful customers? (negligible?)

 

Are there any other points that speak in favor or against a customer login action recorder?

 

AD

Are you facing any unauthorized login attempts now ?


Chris, Developer
Oscommerce, Magento and Opencart Programmer

Share this post


Link to post
Share on other sites

What kind of information about the user are you trying to collect, and what will you do with that information? What are your aims here?

Share this post


Link to post
Share on other sites

A possible advantage would be to see which customers are logging but not going on to complete a purchase.  A report could be written to enable that, with an email link or something like that ...


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

@@MrPhil @@burt

 

 Hi,

 

no, nothing like that. Just a simple: You try to login into a customer-account with the wrong password (3 times) and the login for this account gets suspendend (5 Minutes).

 

Just like the Admin Login Action Recorder-Module, only for the customer login. Nothing more.

 

AD

Share this post


Link to post
Share on other sites
I just want to know if there could be a reason that such a module could backfire.

 

Keep in mind people that are logging in are potential buyers. If you block them you loose their business.

 

Ive went round and round with this on strong password enforcement in the past, after seeing results of a couple of sites that receive several orders a day, enforcing anything that makes it harder for the customer to get in is a mistake.

 

Things would be different if you're business required to store sensitive information, but for the standard shop, the most one can gain from hacking a customer account is an address book, date of birth, phone number. Just general information that can generally be found otherwise,  nothing that can be used to open credit lines or impersonate someone.

 

Customers want it easy - those that do believe securing things at the bottom of the ocean in a padlocked chest surrounded by submarines will generally takes the steps needed to stay secure on their own.

 

However, the idea that @@burt mentioned would be a very handy tool, just so long as it's used to collect entry data to gain business, and not lock out potential business.


Follow the community build:

BS3 to osCommerce Responsive from the Get Go!

Check out the new construction:

Admin Gone to Total BS!

Share this post


Link to post
Share on other sites

Thanks for the input.

 

 

True, but by restricting the login attempts could be seen as beneficial by the customers, because someone can't just infinitely try to gain access to their accounts.

 

I believe most of the people save their login information either in their browsers or in "password safe"-applications. The only people affected would be those, who didn't logged in in a long time and somehow lost their passwords. So, those people would sooner or later reset their passwords (and thus resetting the login attempts).

 

I don't know how you could possibly gain the information why people don't complete a purchase. By mail? "Hey, we noticed you spend some time in our store. What made you not complete the purchase?" Sounds a bit desperate. ;)

 

Or I just misunderstand burt's idea.

 

AD

Share this post


Link to post
Share on other sites

The mailbeez add on can do exactly that - send emails to customers who have registered and not purchased anything. It can also send emails to customers who have not been back to the store in a while. - I run it weekly, not really desperate, just another selling tool


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Share this post


Link to post
Share on other sites

Well, you can certainly enforce a strong password system, with a timeout after N unsuccessful attempts in M minutes. As others have said, you do run some risk of alienating forgetful customers, but others could be reassured that their data is somewhat safer than average. At the least, I'd put out a message "Someone at your IP address has attempted to sign in N times in no more than M minutes. As this may be a brute-force attempt to break in to your account, access is being suspended for T minutes. We apologize for any inconvenience to you. If you have forgotten your password, click the 'Forgot Password' link, and a new password will be sent to your registered email address." If a customer is so offended by such simple security measures, you will probably find them to be a pain in other ways, and it's better to lose them.

Share this post


Link to post
Share on other sites

If you see a report saying (for example)... in the last week, 12 buyers logged in and did nothing, what would the conclusion be ?

 

As a shopowner I'd like to know why they ended up doing nothing...

 

is my site broken ?  

is my shipping too high ?  

is my https showing as insecure ?

is the carts restore function putting potential buyers off ?

is the lack of a cart restore putting potential buyers off ?

 

Whatever the reason, if I can fix what's broken (even if what's broken is as easy as offering a discount voucher the next time they login) => create 1 sale => it's a win.

 

Or perhaps you are right - knowing that info, does stink of desperation ;)


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

Of course, every shopowner will want to know why visits aren't converting into sales, but if you're not very careful, it's easy for this to seriously annoy a potential customer. I go into e-stores all the time to look around and kick the tires, but don't end up ordering. I am careful to empty the cart if I've put anything in it. I would not visit a store again if I immediately got an email asking me what went wrong and why I didn't buy. Following a customer through the store and seeing what they did could be useful analysis, but without feedback from the customer, it will usually be no more than an educated guess. The further a signed-in visitor got through the system before bailing out, the more likely they would be willing to give feedback. Multiple customers doing the same thing may indicate something is broken.

 

It is unfortunate that HTTP design is such that it is possible to jump out of a store at any point (and go to another site), without giving your site a chance to do something like ask the visitor if they're really leaving (and why). Maybe some hacks can be done to "trap" a visitor on your site until they fess up as to why they're leaving, but I would avoid manipulation like that. And if they're not signed-in, you don't know who to email to anyway. A reasonable timeout or cookie expiration should be used before concluding that the visitor has abandoned the store -- maybe they just got called downstairs to dinner!

 

A random thought: I suppose you could have a prominent button on each page "Leaving without purchasing?", which would ask for feedback on why the visitor is leaving early, and then take them back to the store entrance and log them off, but 1) that could be very annoying, 2) it seems almost like an admission of defeat, and 3) probably very few would use it.

Share this post


Link to post
Share on other sites

I have found that, unless a site is offering either free shipping or a flat-rate shipping, I usually don't know what the shipping cost would be unless I go through most of the checkout process. While I will use my actual ZIP code (in order to determine the shipping costs), I may or may not use my actual name, address, etc. This may be a large source for abandoned carts.

 

I use a Guest Checkout on my site(s). If a site requires me to create an account before I can get a shipping cost, I move on.

 

Many sites leave cookies, and recognize me when I first load their site. I still have to 'log in' in order to actually make a purchase.

 

For the OP,

 

1) As others have already mentioned, if you want to log/track who logs in but doesn't buy anything, this could be a useful tool if used correctly. Otherwise, it could chase off potential customers.

 

2) If you want to enforce some sort of log-in attempt rules, you have to really promote this as a safety feature. Otherwise, some customers may get frustrated and never come back.

 

3) Having a system in place to record multiple failed log-in attempts, and being able to notify customers that an attempt has been made on their account can be seen as a safety measure 'if promoted as such'.

 

HTH

 

Malcolm


Get the latest Responsive osCommerce CE (community edition) here .

Share this post


Link to post
Share on other sites

×