Risk
8/14/2013
01:28 PM
Kevin Casey
Kevin Casey
Commentary
50%
50%

How One SMB Manages Customer Identity Data

Armed Forces Eyewear sells discounted gear to military personnel and their families. Here's why you won't hear customers grumble about their personal data and online privacy.

Some customers don't mind if you run a behind-the-scenes check on their personal information. It helps if you're giving them a nice price break as a result.

In a sense, Armed Forces Eyewear has it easy when it comes to handling customer data. The online retailer's customers, primarily military personnel and their families, rarely grumble about verifying their identities -- especially if their military status earns them a discount or other benefits.

AF Eyewear, a division of Frames Direct, sells eyewear at up to 30% off retail price -- but only to active-duty military personnel, reservists, and their family members. The site recently expanded its eligible customer base to include veterans and first responders such as police and firefighters. Transactions are completed only after a back-end database check -- and in some cases an extra paperwork request -- verifies that the customer is who they say they are. In an age when a Facebook privacy tweak causes minor mayhem online, AF Eyewear's shoppers don't seem to mind the process.

"We haven't gotten a lot of negative [privacy-related] feedback," said marketing manager Lauren Purcell in an interview. Purcell, whose spouse serves in the military, noted that it's long been common for military families to show extra identification when shopping offline if it gets them special pricing and other perks. That habit has translated for online shopping and other Internet use. "It's kind of an accepted practice in the military world: If you're going to get a discount, you've got to step up to the plate and prove it. Most people don't have a problem with that."

[ New technology can thrive even in old-fashioned businesses. Read How To Innovate In A Low-Tech Industry. ]

It's a sunnier side of the often stormy environment of online privacy, consumer data breaches, social media scams and other information security matters.

Military culture and a good deal on a pair of Ray-Bans or Oakleys aren't the only factors that keep customer privacy concerns to a minimum at AF Eyewear. The company doesn't use more than the customer's name and date of birth to verify current and former military status. According to Purcell, this is a welcome change from the not-so-distant days when military ID cards included social security numbers in plain view.

Most shoppers probably don't even notice the verification process, which checks customer information against government databases, as it happens. AF Eyewear once partnered with the online arm of the Army & Air Force Exchange Service to authenticate military status. It recently began using the SheerID verification service, in part so it could broaden its audience to include veterans and first responders. The latter group, which includes law enforcement and other emergency personnel, must complete additional paperwork at the time of purchase. That can take as long as 30 minutes, a lifetime relative to the one-click shopping expectations fostered by Amazon Prime and similar online services. Even then, though, Purcell said AF Eyewear customers don't seem to mind.

AF Eyewear doesn't store any sensitive customer data, another asset in managing privacy concerns. The company's decision to expand its customer eligibility rules and corresponding verification process was a major requirement in its build-versus-buy decision. "That was our biggest issue if we were going to develop something in-house," Purcell said. "We didn't want to [store] that information."

As with most e-commerce sites, fraud and other security matters are top of mind. Purcell credits FramesDirect, AF Eyewear's 60-person parent company, for strong fraud prevention protocols. But the military ID check itself keeps scammers at bay.

"With AF Eyewear, we don't experience much fraud because we are going through that validation process," Purcell said. "We've had a few cases here and there, but it's not as prevalent as it is in our FramesDirect.com site [which sells to the general public]."

It also helps that AF Eyewear doesn't ship internationally; that alone slashes fraud dramatically. When its customers are deployed overseas, they typically use an APO address via the military mail system.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/15/2013 | 11:11:09 PM
re: How One SMB Manages Customer Identity Data
How do you think this translates to more-general audience? As you note, military families may be more open to showing ID.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report