
We are in the process of designing an app which, simply put, will allow people to accept payments easily.

The customer won't need an account and we'll be linking customer data (name, address, and phone) via emails used through their payments e.g.

When the user fills out the data and hits "Continue" they are prompted to fill out their name, address, and phone. If the user is a new customer, we have no issues, they'll fill it all in and be on their day. Our issue is with existing customers, our plan was to autofill the information with what we have in our records and allow them to edit it as they deem appropriate.

Now, obviously, after some consideration we realised that it wouldn't be ideal to do this because we'd essentially be doxxing our customers by showing all their info without some proper authentication. Someone could just sit there entering emails and view people's data.

Our immediate second thought was to show the redacted version of the info we have (last 4 of the phone or partial address) and let the customer select if they want to use the partially shown data. We'd never publicly show that info but in the backend we'd fully use that data.

So, my questions are as follows:

  • Would my second suggestion be valid/safe?
  • If not, what alternatives do I have?

A few clarifying points:

  • It wouldn't be possible to purchase on behalf of someone because you'd need to enter your card details on each purchase. That wouldn't be prefilled.
  • Customers are stored against organisations, organisations are the only people that can view customer information, specifically, their customers only.
  • The redacted information would purely be used as a convenience, it will only ever be used to quick fill info such as names and addresses, nothing like card details.

I was going to post this on UX but ultimately decided this was more of a security issue than a UX issue.

Script47
  • So a thought about showing redacted information: You have redacted info on your site, other sites show other redacted parts. Put it together and you get a whole. For example, your last 4 digits of a phone number can be combined with Microsoft showing all _but_ the last 4 digits during two-step verification. (Reminds me a little of this story: [How I Lost My $50,000 Twitter Username](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd)) Is there any chance that you can require existing users to log in? – Fire Quacker May 28 '20 at 14:11
  • @FireQuacker I hadn't even considered those implications. I don't think it'd be possible to work around the log in aspect though. – Script47 May 28 '20 at 14:30
  • Well, without authentication, it's just not good to display any private information. The only way around that is to finagle some sort of authentication into the process. Like instead of doing a username/password, maybe use an app on the end-user's cell phone, or send an SMS, or something like that. – Fire Quacker May 28 '20 at 14:57

1 Answer


The customer won't need an account

This requirement is fundamentally inconsistent with your intent to store personal [and payment?] data for customers and have it be re-usable on subsequent purchases.

If you're storing that information for re-use, then it needs to be protected by some form of authentication - password, SMS token, cookies, something that the customer presents to validate their ownership of that personal information. Otherwise, as you say, anyone can pull it up.

Redacted information doesn't work properly as an authenticator - its intent as you've described it is to keep honest people honest, so that someone seeing the wrong details will abort their purchase. But with dishonest people, with malicious purchases, that helps you not at all - they can click 'Yes' to charge someone else's account. If delivery isn't tied to that account's address, then they can try to gain delivery; if it is, they can still grief legitimate customers with bogus purchases.

gowenfawr
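The following is an added example, not code from the question, the answer or any project mentioned on this page. It sketches the shape of what the answer calls "some form of authentication" for a prefill feature: the stored name, address and phone are released only after the customer proves control of the contact channel on file, via a one-time code, and an unknown email address gets exactly the same response as a known one so the prefill endpoint cannot be used to enumerate customers. The customer schema, the in-memory store, the constructed sample record and the injected `send_code` callback (standing in for an email or SMS gateway, which the comments suggest) are all assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample record: details an organisation already holds about one of
# its own customers. The schema is assumed; the post does not describe its data model.
CUSTOMERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "address": "1 Sample Street, Exampletown",
        "phone": "+15555550123",
    },
}

CODE_TTL = 300       # seconds a one-time code stays valid
MAX_ATTEMPTS = 5     # wrong guesses before the code is discarded
SESSION_TTL = 600    # seconds a prefill session token stays valid


@dataclass
class Challenge:
    code_hash: bytes     # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


class PrefillService:
    """Releases stored customer details only against a verified one-time code."""

    def __init__(self, send_code: Callable[[str, str], None], clock=time.time):
        self._send_code = send_code          # out-of-band delivery (email/SMS), injected
        self._clock = clock                  # injectable for testing expiry
        self._challenges: dict[str, Challenge] = {}
        self._sessions: dict[str, tuple[str, float]] = {}   # token -> (email, expiry)

    def request_code(self, email: str) -> str:
        """Start verification. The reply is identical whether or not the email is on
        record, so this endpoint does not reveal who is a customer."""
        if email in CUSTOMERS:
            code = f"{secrets.randbelow(10**6):06d}"
            self._challenges[email] = Challenge(
                code_hash=hashlib.sha256(code.encode()).digest(),
                expires_at=self._clock() + CODE_TTL,
            )
            self._send_code(email, code)     # the code never appears in the HTTP response
        return "If we have details on file for that address, a code has been sent."

    def redeem_code(self, email: str, code: str) -> Optional[str]:
        """Exchange a correct, unexpired code for a short-lived prefill session token."""
        ch = self._challenges.get(email)
        if ch is None or self._clock() > ch.expires_at:
            self._challenges.pop(email, None)
            return None
        ch.attempts += 1
        submitted = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(submitted, ch.code_hash):   # constant-time compare
            if ch.attempts >= MAX_ATTEMPTS:
                del self._challenges[email]                    # stop online guessing
            return None
        del self._challenges[email]                            # codes are single-use
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (email, self._clock() + SESSION_TTL)
        return token

    def prefill(self, email: str, token: str) -> Optional[dict]:
        """Return the full stored details, but only for a valid session bound to this email."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        session_email, expires_at = entry
        if self._clock() > expires_at or not hmac.compare_digest(session_email, email):
            return None
        return dict(CUSTOMERS[email])


if __name__ == "__main__":
    # Stand-in for the email/SMS gateway: deliveries land in a list we can inspect.
    outbox: list[tuple[str, str]] = []
    svc = PrefillService(send_code=lambda addr, code: outbox.append((addr, code)))
    print(svc.request_code("alice@example.com"))
    print(svc.request_code("nobody@example.com"))   # same message, nothing delivered
    print("prefill without a token:", svc.prefill("alice@example.com", "guess"))
    token = svc.redeem_code("alice@example.com", outbox[0][1])
    print("prefill after verification:", svc.prefill("alice@example.com", token))
```

The redacted-display idea from the question is not needed in this flow: once the customer has proved control of the channel on file, the full details can be shown and edited; before that, nothing is shown at all. The same verification step can also back the "connect the dots via emails used" approach in the later comment, since it ties a submitted email to someone who can actually read mail sent to it.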
  • A few counterpoints: **1.** It wouldn't be possible to purchase on behalf of someone because you'd need to enter your card details on each purchase. That wouldn't be prefilled. **2.** Customers are stored against organisations, organisations are the only people that can view customer information, specifically, *their* customers only. **3.** The redacted information would purely be used as a convenience, it will only ever be used to quick fill info such as names and addresses, nothing like card details. – Script47 May 28 '20 at 15:22
  • 1
    @Script47 Thank you for clarifying - that makes a difference; the stakes are lower. An authenticated account is still the appropriate way to protect the information you do store, however. – gowenfawr May 28 '20 at 15:26
  • Alas, the requirements are out of my hands. I can only convey the advice imparted. I appreciate the assistance. – Script47 May 28 '20 at 15:29
  • @Script47 Might be time to brush up your résumé just in case... – Fire Quacker May 28 '20 at 15:59
  • 1
    @FireQuacker quick update, we're going to be parking the autofill idea for now and force customers to fill that each time and connect the dots in the backend via emails used. (**General Point:** Of course I'd still be interested in other suggestions/answers). – Script47 May 28 '20 at 16:13