Risk
8/14/2013
01:28 PM
Kevin Casey
Kevin Casey
Commentary
50%
50%

How One SMB Manages Customer Identity Data

Armed Forces Eyewear sells discounted gear to military personnel and their families. Here's why you won't hear customers grumble about their personal data and online privacy.

Some customers don't mind if you run a behind-the-scenes check on their personal information. It helps if you're giving them a nice price break as a result.

In a sense, Armed Forces Eyewear has it easy when it comes to handling customer data. The online retailer's customers, primarily military personnel and their families, rarely grumble about verifying their identities -- especially if their military status earns them a discount or other benefits.

AF Eyewear, a division of Frames Direct, sells eyewear at up to 30% off retail price -- but only to active-duty military personnel, reservists, and their family members. The site recently expanded its eligible customer base to include veterans and first responders such as police and firefighters. Transactions are completed only after a back-end database check -- and in some cases an extra paperwork request -- verifies that the customer is who they say they are. In an age when a Facebook privacy tweak causes minor mayhem online, AF Eyewear's shoppers don't seem to mind the process.

"We haven't gotten a lot of negative [privacy-related] feedback," said marketing manager Lauren Purcell in an interview. Purcell, whose spouse serves in the military, noted that it's long been common for military families to show extra identification when shopping offline if it gets them special pricing and other perks. That habit has translated for online shopping and other Internet use. "It's kind of an accepted practice in the military world: If you're going to get a discount, you've got to step up to the plate and prove it. Most people don't have a problem with that."

[ New technology can thrive even in old-fashioned businesses. Read How To Innovate In A Low-Tech Industry. ]

It's a sunnier side of the often stormy environment of online privacy, consumer data breaches, social media scams and other information security matters.

Military culture and a good deal on a pair of Ray-Bans or Oakleys aren't the only factors that keep customer privacy concerns to a minimum at AF Eyewear. The company doesn't use more than the customer's name and date of birth to verify current and former military status. According to Purcell, this is a welcome change from the not-so-distant days when military ID cards included social security numbers in plain view.

Most shoppers probably don't even notice the verification process, which checks customer information against government databases, as it happens. AF Eyewear once partnered with the online arm of the Army & Air Force Exchange Service to authenticate military status. It recently began using the SheerID verification service, in part so it could broaden its audience to include veterans and first responders. The latter group, which includes law enforcement and other emergency personnel, must complete additional paperwork at the time of purchase. That can take as long as 30 minutes, a lifetime relative to the one-click shopping expectations fostered by Amazon Prime and similar online services. Even then, though, Purcell said AF Eyewear customers don't seem to mind.

AF Eyewear doesn't store any sensitive customer data, another asset in managing privacy concerns. The company's decision to expand its customer eligibility rules and corresponding verification process was a major requirement in its build-versus-buy decision. "That was our biggest issue if we were going to develop something in-house," Purcell said. "We didn't want to [store] that information."

As with most e-commerce sites, fraud and other security matters are top of mind. Purcell credits FramesDirect, AF Eyewear's 60-person parent company, for strong fraud prevention protocols. But the military ID check itself keeps scammers at bay.

"With AF Eyewear, we don't experience much fraud because we are going through that validation process," Purcell said. "We've had a few cases here and there, but it's not as prevalent as it is in our FramesDirect.com site [which sells to the general public]."

It also helps that AF Eyewear doesn't ship internationally; that alone slashes fraud dramatically. When its customers are deployed overseas, they typically use an APO address via the military mail system.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/15/2013 | 11:11:09 PM
re: How One SMB Manages Customer Identity Data
How do you think this translates to more-general audience? As you note, military families may be more open to showing ID.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.