Tuesday, 27 November 2018

6 Ways to Improve ecommerce site search

Site search is arguably the most important area when it comes to user experience. Buyers don’t have time to hunt for products.

Here are some practical action steps for improving site search on your ecommerce site.

There are three options for buyers to find products on an ecommerce site.

  • Keyword search occurs when a buyer uses the search bar to find products. Keywords can be anything, from terms relating to products or categories to specific part numbers — UPC, MPN, EAN, internal, competitive, and industry-specific.
  • Category browsing occurs when users select a category and drill down to find the items they are looking for in sub-categories.
  • Faceted search is when users refine their search by narrowing the results via filters, such as size, color, length, and brand.

6 Ways to Improve ecommerce site search

Multiple factors impact whether buyers can easily find products via site search. Focus on these six items to make it easier.

  • Synonyms and substitute terms. Users will search for the same items in different ways. For example, a pair of gloves could be "construction gloves", "work gloves", or "leather gloves".
  • Abbreviations and industry terms. Every industry has its own terminology. We see many searches that contain slang, which can lead to a zero results page.
  • Misspellings. Users will misspell words as they search. It's up to merchants to decide how tolerant site search should be with misspellings. "Edit distance" determines how many letters in a word can be replaced by other letters to determine search matches. An edit distance of 2 could show "book" in the results for the search term of "back." That scenario would increase the number of results, and decrease the relevancy.
  • Predictive search. This feature will help users save time by suggesting products and categories in real time based on the keywords they are searching for.
  • Type-ahead. This will show autocomplete suggestions to keyword phrases being entered into a search box. It reduces the typing required of users and, also, helps them understand what other users are searching for.
  • Product taxonomy. This is the system to classify and organise products on an ecommerce site. It becomes more complex as the number of items increases. Browse through a category search or look at breadcrumbs on a product page to see a product taxonomy at work.
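The "edit distance" item above is easier to judge with a concrete matcher in front of you. The following is an added example, not code from the original post: a Levenshtein edit-distance function run over a small constructed catalogue, showing that a tolerance of 1 keeps "book" out of the results for "back" while a tolerance of 2 lets it in, which is exactly the result-count versus relevancy trade-off the post describes. The catalogue entries and the thresholds are assumptions made for the demonstration.

```python
"""Added example (not from the original post): fuzzy matching of a search
term against a constructed product catalogue using Levenshtein edit
distance, to show how the tolerance setting widens the result set."""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn string a into b.
    Classic dynamic-programming formulation, two rows at a time."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


# Constructed catalogue of product names (assumption, not real shop data).
CATALOGUE = ["back", "book", "bike", "black", "beak", "rack", "bag"]


def fuzzy_search(term: str, max_distance: int, catalogue=CATALOGUE) -> list:
    """Return catalogue entries within max_distance of the term, nearest
    first; ties are broken alphabetically so the output is deterministic."""
    hits = [(edit_distance(term, item), item) for item in catalogue]
    return [item for dist, item in sorted(hits) if dist <= max_distance]


if __name__ == "__main__":
    for tolerance in (0, 1, 2):
        print(tolerance, fuzzy_search("back", tolerance))
```

Running it shows the result list growing from one entry at tolerance 0 to six at tolerance 2, with "book" appearing only at the wider setting; the nearest-first ordering is what keeps the exact match on top as the tolerance increases.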

Thursday, 31 May 2018

Saying Goodbye to SSL

Does your website still use SSL or an early TLS protocol? Are you an ecommerce or members-only site that has yet to start the migration away from SSL to a more secure encryption protocol? Read on for key questions and answers that can help with saying goodbye to SSL and TLSv1.1 and reducing the risk of being breached.


What happens on 30 June 2018?

The 30th June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.


What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of the information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardised by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to block known attacks and add support for new cryptographic algorithms, with major revisions in SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, TLS 1.2 in 2008 and, in March 2018, TLS 1.3.


What is the risk of using SSL/early TLS?

There are many serious vulnerabilities in SSL and early TLS that, left unaddressed, put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.

According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.


Who is most susceptible to SSL/early TLS vulnerabilities?

Online and e-commerce environments using SSL and early TLS are most susceptible to the SSL exploits, but the 30 June 2018 PCI DSS migration date applies to all environments - except for payment terminals (POIs) (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS.


What should you do if your Security Scans flag the presence of SSL and the scan fails?

Between now and 30 June 2018 organizations that have not completed their migration should provide the Approved Scanning Vendor (ASV) with documented confirmation that they have implemented a Risk Mitigation and Migration Plan (see Migrating from SSL/Early TLS for information on this) and are working to complete their migration by the required date. Receipt of this confirmation should be documented by the ASV as an exception under “Exceptions, False Positives, or Compensating Controls” in the ASV Scan Report Executive Summary.


What can and should organizations do now to protect themselves against SSL and early TLS vulnerabilities?

If you have not already considered this, note that it takes time to migrate to more secure protocols, so organizations should not delay:


  • Migrate to TLS 1.2. While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS 1.2 or 1.3 is encouraged) is the only reliable method to protect against the current protocol vulnerabilities.
  • Patch TLS software against implementation vulnerabilities. Implementation vulnerabilities, such as Heartbleed in OpenSSL, can pose serious risks. Keep TLS software up-to-date to ensure it is patched against these vulnerabilities, and have countermeasures for other attacks.
  • Configure TLS securely. In addition to providing support for later versions of TLS, ensure the TLS implementation is configured securely. Ensure that secure TLS cipher suites and key sizes are supported, and disable support for other cipher suites that are not necessary for interoperability. For example, disable support for weak “Export-Grade” cryptography, which was the source of the recent Logjam vulnerability.
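The three steps above are easiest to check against a real configuration object. The following is an added example and not code from the original post or from the PCI SSC: it builds a server-side context with Python's standard ssl module that refuses SSL and early TLS and enables only forward-secret AEAD cipher suites, and pairs it with a small audit helper that reports the settings the post tells you to remove (a protocol floor below TLS 1.2, export-grade, RC4, DES/3DES, MD5 or NULL suites). The cipher string, the weak-suite markers and the legacy configuration fed to the audit are assumptions chosen for the demonstration; the certificate paths are placeholders.

```python
"""Added example, not part of the original post: a hardened server-side
TLS context built with Python's standard ssl module, plus an audit helper
that flags the legacy settings the post says to disable."""

import ssl

# Substrings of OpenSSL cipher-suite names that indicate suites the post
# says should be gone: export-grade, RC4, DES/3DES, MD5, NULL encryption
# or anonymous (unauthenticated) key exchange. Chosen for this example.
WEAK_MARKERS = ("EXP", "RC4", "DES", "MD5", "NULL", "ADH", "AECDH")

# OpenSSL cipher string (assumption): ECDHE key exchange with AES-GCM or
# ChaCha20-Poly1305 only; anonymous and null-encryption suites excluded.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 or higher only, restricted cipher suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Sets the protocol floor: SSLv3, TLS 1.0 and TLS 1.1 handshakes are refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRING)
    # TLS-level compression is what CRIME-style attacks rely on; keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # In a real deployment load the certificate chain here (placeholder paths):
    # ctx.load_cert_chain("/path/to/server.pem", "/path/to/server.key")
    return ctx


def audit_settings(min_version: int, cipher_names) -> list:
    """Pure check over a protocol floor and a list of enabled suite names,
    so it can be run on values pulled from any server's configuration."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        floor = ssl.TLSVersion(min_version).name
        findings.append(f"minimum protocol version is {floor}; require TLSv1_2 or higher")
    for name in cipher_names:
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Run the audit against a live SSLContext."""
    return audit_settings(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def legacy_findings() -> list:
    """Audit of a constructed legacy configuration (TLS 1.0 floor with an
    export-grade RC4/MD5 suite still enabled) to show what a failing
    report looks like. The suite list is an assumption for the example."""
    return audit_settings(ssl.TLSVersion.TLSv1,
                          ["EXP-RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256"])


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    for finding in legacy_findings():
        print("legacy:  ", finding)
```

The audit deliberately works on plain values (a version number and suite names) rather than only on an SSLContext, so the same check can be applied to output copied from a scanner or a web server's cipher listing. Note that whether a given suite exists at all depends on the OpenSSL build Python is linked against; recent builds no longer ship export-grade or RC4 suites, which is why the positive cipher list is the primary control and the marker scan is a safety net.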

TLS 1.3 vs TLS 1.2

The Internet Engineering Task Force (IETF) is the group that has been in charge of defining the TLS protocol, which has gone through many iterations. The previous version of TLS, TLS 1.2, was defined in RFC 5246 and has been in use for the past eight years by the majority of all web browsers. As of March 21st, 2018, TLS 1.3 has now been finalized, after going through 28 drafts.



Speed Benefits of TLS 1.3

TLS and encrypted connections have always added a slight overhead when it comes to web performance. HTTP/2 definitely helped with this problem, but TLS 1.3 helps speed up encrypted connections even more with features such as TLS false start and Zero Round Trip Time (0-RTT).

To put it simply, with TLS 1.2 two round trips were needed to complete the TLS handshake. With 1.3 only one round trip is required, which in turn halves the handshake latency. This helps those encrypted connections feel just a little bit snappier than before.

Improved Security With TLS 1.3

A big problem with TLS 1.2 is that it is often not configured properly, and when that happens it leaves websites vulnerable to attacks. TLS 1.3 removes obsolete and insecure features from TLS 1.2, including the following:
  • SHA-1
  • RC4
  • DES
  • 3DES
  • AES-CBC
  • MD5
  • Arbitrary Diffie-Hellman groups — CVE-2016-0701
  • EXPORT-strength ciphers – Responsible for FREAK and LogJam
Because the protocol is, in a sense, simpler, this makes it less likely that administrators and developers will misconfigure it.

Tuesday, 14 March 2017

TCP Handshake over IPv6


The internet we know today relies heavily on TCP/IP to send our information around the world at light speed. With more devices than ever connected to the internet (insert link to back this up, it sounded cool), using IPv4 we're soon going to run out of addresses. In fact, if it weren't for technologies such as NAT we'd be in a stickier situation than we already are. In preparation for running out of IP addresses, IPv6 was mustered up around 1998 by the IETF, with 128-bit addresses versus the old 32-bit IPv4 addresses.

So that means IPv6 has been around quite a while now: almost 20 years, yet IPv4 is still all the rage. Perhaps us techies have trouble letting go of what we know. I mean, why set up an AAAA record when you only need to set up an A record, right? Why configure DNS to use 2001:4860:4860:0000:0000:0000:0000:8888 or 2001:4860:4860::8888 when you can just use 8.8.8.8, right? Well yeah, let's save all that for another article, once I've had a beer.

I got thinking: I wonder if the TCP handshake has changed though? You know, with all the added improvements IPv6 is meant to bring, has the secret handshake been updated too?

Turns out I didn't have to think too hard. TCP and IP are two different protocols, two different layers of the OSI model and the TCP/IP model (depending on where you're from). So in theory we should be able to swap out IPv4 for IPv6 and keep the same old TCP we're used to.

According to the very trustworthy Wikipedia, the only subtle change when TCP and IPv6 are used together comes in the checksum calculation.

When TCP runs over IPv4, the method used to compute the checksum is defined in RFC 793:

"The checksum field is the 16 bit one's complement of the one's complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros."

When TCP runs over IPv6, the method used to compute the checksum is changed, as per RFC 2460:

"Any transport or other upper-layer protocol that includes the addresses from the IP header in its checksum computation must be modified for use over IPv6, to include the 128-bit IPv6 addresses instead of 32-bit IPv4 addresses."
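The two quoted rules are short enough to implement end to end, which makes the "only subtle change" concrete. The following is an added example and not code from the original post: it computes the TCP checksum exactly as RFC 793 describes (16-bit one's complement sum, odd trailing octet padded, checksum field zeroed during computation) and swaps in the IPv6 pseudo-header from RFC 2460 (128-bit addresses, 32-bit upper-layer length, next header 6) when the addresses are IPv6, keeping the RFC 793 IPv4 pseudo-header otherwise. The addresses, ports and SYN segment are constructed for the demonstration; nothing is sent on the wire.

```python
"""Added example (not from the original post): the RFC 793 TCP checksum
with either the IPv4 pseudo-header (RFC 793) or the IPv6 pseudo-header
(RFC 2460) prepended, applied to a constructed SYN segment."""

import ipaddress
import struct

TCP_PROTOCOL_NUMBER = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 793: one's complement sum of all 16-bit words. An odd trailing
    octet is padded on the right with zeros; the pad is never transmitted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold end-around carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """The part of the IP layer that is covered by the TCP checksum.
    IPv6 (RFC 2460 s8.1): 16-byte src, 16-byte dst, 32-bit length, 3 zero
    octets, next header. IPv4 (RFC 793): 4-byte src, 4-byte dst, zero
    octet, protocol, 16-bit length. Both addresses must be the same family."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 6:
        return (s.packed + d.packed + struct.pack("!I", tcp_length)
                + b"\x00\x00\x00" + bytes([TCP_PROTOCOL_NUMBER]))
    return (s.packed + d.packed + b"\x00" + bytes([TCP_PROTOCOL_NUMBER])
            + struct.pack("!H", tcp_length))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum of pseudo-header + segment, with the segment's own checksum
    field (octets 16-17 of the TCP header) replaced by zeros while summing."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed 20-byte SYN segment (data offset 5, no options, no
    payload) carrying a valid checksum for the given address pair."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, seq, 0,
                         5 << 4,        # data offset = 5 words, reserved bits 0
                         0x02,          # flags: SYN
                         65535, 0, 0)   # window, checksum placeholder, urgent ptr
    csum = tcp_checksum(src, dst, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify(src: str, dst: str, segment: bytes) -> bool:
    """A receiver sums pseudo-header + segment including the carried
    checksum; for an intact segment the one's complement sum is 0xFFFF."""
    total = ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)
    return total == 0xFFFF


if __name__ == "__main__":
    # Constructed endpoints (documentation prefixes, not real hosts).
    v6 = build_syn("2001:db8::1", "2001:db8::2", 40000, 443, 1)
    v4 = build_syn("192.0.2.1", "192.0.2.2", 40000, 443, 1)
    print("IPv6 SYN checksum: 0x%04x, verifies: %s" % (
        struct.unpack("!H", v6[16:18])[0], verify("2001:db8::1", "2001:db8::2", v6)))
    print("IPv4 SYN checksum: 0x%04x, verifies: %s" % (
        struct.unpack("!H", v4[16:18])[0], verify("192.0.2.1", "192.0.2.2", v4)))
```

Two things the code makes visible that the quotes only imply: the TCP header itself is byte-for-byte identical in both cases (only `pseudo_header` changes), and because the addresses are inside the checksum, a segment whose IPv6 destination is altered in transit fails `verify` even though the TCP bytes are untouched.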


So there you have it.
Thanks for reading.

Thursday, 19 January 2017

Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.

The Phishing Attack: What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there.

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

"The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team."

The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.

Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.

Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.

Described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.

How to protect yourself against this phishing attack

You have always been told: "Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password."

In the attack above, you did exactly that and saw 'accounts.google.com' in the location bar, so you went ahead and signed in.

To protect yourself against this you need to change what you are checking in the location bar.

This phishing technique uses something called a 'data URI' to include a complete file in the browser location bar. When you glance up at the browser location bar and see 'data:text/html…..' that is actually a very long string of text. If you widen out the location bar it may appear to have html tags towards the end.

There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.

You might see on the far left of the browser location bar, instead of 'https' you have 'data:text/html,' followed by the usual 'https://accounts.google.com….'. If you aren't paying close attention you will ignore the 'data:text/html' preamble and assume the URL is safe.

You are probably thinking you're too smart to fall for this. It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it. There is a specific reason why this is so effective that has to do with human perception.

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. In Chrome this is usually a green padlock and green https text.

Make sure there is nothing before the hostname 'accounts.google.com' other than 'https://' and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can't verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
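The check the post recommends (protocol first, then hostname) can be written down as a function, which makes it clear why the data: URI fools a glance: the string "accounts.google.com" is present, but it sits in the body of the URL, not in the host position. The following is an added example and not code from the original post or from Wordfence: it parses a location-bar string with Python's standard URL splitter and reports the scheme, the actual host and a verdict. The sample strings are constructed to have the shape the post describes (a "data:text/html," preamble followed by look-alike text and padding) and are not taken from any real campaign.

```python
"""Added example (not from the original post): inspecting a browser
location-bar string the way the post recommends, protocol first and then
hostname, so that a data: URI containing a look-alike address is not
mistaken for the real sign-in page."""

from urllib.parse import urlsplit

# Constructed location-bar strings for the demonstration. The data: one
# mimics the shape described in the post: a data:text/html preamble, a
# look-alike https address as the first thing the eye sees, whitespace
# padding, then the start of the embedded HTML.
SAMPLES = {
    "real": "https://accounts.google.com/signin/v2/identifier?service=mail",
    "data_uri": ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
                 "                                        <html><!-- embedded page -->"),
    "http_only": "http://accounts.google.com/signin",
    "lookalike": "https://accounts.google.com.example-login.test/signin",
}


def inspect_location(url: str, expected_host: str = "accounts.google.com") -> dict:
    """Return scheme, parsed host and a verdict for a location-bar string.
    The checks run in the order the post gives: scheme, then host."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit lower-cases the hostname
    verdict = {"scheme": scheme, "host": host, "ok": False, "reason": ""}
    if scheme == "data":
        verdict["reason"] = ("data: URI; the whole page is embedded in the address "
                             "and no host is being contacted")
    elif scheme != "https":
        verdict["reason"] = f"scheme is {scheme!r}, not https"
    elif host != expected_host:
        verdict["reason"] = f"host is {host!r}, not {expected_host!r}"
    else:
        verdict["ok"] = True
        verdict["reason"] = "https to the expected host"
    return verdict


if __name__ == "__main__":
    for label, url in SAMPLES.items():
        v = inspect_location(url)
        print(f"{label:10} scheme={v['scheme']!r:8} host={v['host']!r:45} "
              f"{'OK' if v['ok'] else 'STOP'}: {v['reason']}")
```

The data: sample comes back with an empty host because, for that scheme, everything after the comma is page content rather than an address; that is the same observation the post makes about the "data:text/html" preamble, expressed as a parse result rather than a visual cue. The "lookalike" sample shows the complementary failure, where the scheme is right but the hostname only begins with the expected name.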

Enable two factor authentication if it is available on every service that you use. GMail calls this "2-step verification" and you can find out how to enable it on this page.

Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack.

Official Statement from Google

This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:

"We're aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."






[https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/]

Friday, 16 December 2016

Improve Brand Loyalty with Artificial Intelligence

Over a billion pounds was invested by start up companies in the first part of 2016 on AI.  Most of those companies were e-commerce and digital shopping, catering to retailers that are using AI to improve customer shopping experiences. While retail applications of AI might not grab the headlines like self driving cars, it will be just as impactful, affecting almost every retail purchase decision that a consumer makes.

AI will allow retailers to build an incredible level of customer loyalty. The three most common ways will be through individual segmentation, real time communication, and personalisation. Used tactfully, these techniques can help brands transform shoppers into lifetime consumers.

Individual Segmentation


Amazon and Google use a simple form of AI to curate product recommendations without needing human intervention. This is called collaborative filtering. A more advanced form of this is individual segmentation, where brands create profiles based on behavioural shopping habits that can be maintained at scale.

Here a brand will use AI to collect and maintain the data from customer decisions over the span of a few years and make recommendations based on that information. The more data a brand has on a customer, the better it can predict his or her wants and needs. Over time, brands using this AI will have so much information about a customer, their recommendations will be nearly perfect.

Kevin Kelly, Author of The Inevitable, writes on the above topic, stating: “The longer you are with a service, the better a brand gets to know you; and the better it knows you, the harder it is to leave and start over again. It’s like being in a committed relationship. Naturally, the producer strives for this kind of loyalty, but the customer gets many advantages for continuing as well: uninterrupted quality, continuous improvements, and attentive personalization”.

Real Time Communication


Brands will use AI to communicate with customers in real time. Our appetite for speed is insatiable. The cost of real-time engagement requires massive coordination and degrees of collaboration that were impossible a few years ago. Now that most people are equipped with a smart phone, entirely new economic forces are being unleashed.

Many companies are planning to use geolocation services that will alert customers, inside or nearby a store, about sales or discounts on products based on previous shopping decisions. This real time outreach could help guide customers throughout the shopping journey, making a store visit highly personalised.

Some large stores in America have already experimented with real-time in-store communication, opening text services where customers can ask an AI bot questions while they shop. The bot can tell you where the closest restroom is or what floor a certain department is on, making it easier for customers to find products and navigate their way through a store.

Personalisation


Brands intend to use AI to help personalise the shopping experience for customers online and in store. Because AI is great at collecting data and working in real time, it will soon be possible for a completely personalised, connected shopping experience.

Online retailers that sell many products will be able to identify what a shopper is looking for and tailor the website to fit his or her needs. The online store will constantly adapt, making the shopping experience near effortless.

The North Face is already using this technology. Powered by IBM’s Watson, the expert shopper prompts you to answer questions about an article of clothing like “where and when will you be using the jacket?”. After answering a few questions, the AI program makes smart suggestions based on the information you submitted.

The ability for a brand to narrow down product options for customers in an intelligent way could help improve brand loyalty. Often, the biggest obstacle in purchasing something is having too many options. If AI can alleviate burdensome decision making, both the customers and brands win.

Embrace Change


It seems the future vitality of brands will weigh heavily on a company’s willingness to adopt AI. Used creatively, AI can win loyal customers, track their data, and personalise their shopping. These benefits, combined with human guidance, could make the difference between a timeless brand, and a one hit wonder.

Thursday, 25 February 2016

Design trends in ecommerce for 2016

ECommerce is now a daily part of our on-line lives. During 2016 we predict an increase in eCommerce and on-line sales across mobile devices as people move away from traditional desktop and laptop PCs.

Some of these design trends include:

1. Material Design
Now being adopted by eCommerce companies, this vibrant and content-focused design style continues to make waves since its launch in 2014. Its unified experience across platforms makes it great for developing an engaging eCommerce site. This has been utilised very well by sites such as PA Design and Bewakoof.

2. Hidden Menus
Popular for cleaning up cluttered eCommerce designs, these menus used to be found mainly on mobile versions of sites where space was limited, but are now making their way into desktop sites to allow a bigger canvas for more creativity. They are in use on many desktop sites and should continue well into 2016, on sites such as House of Fraser.

3.  Upwardly Responsive
Responsive sites are all the rage these days, with everyone thinking about their site being usable on mobile devices. It is worth bearing upward responsiveness in mind too, as going through 2016 more and more customers will use TVs and larger devices for browsing the web and making eCommerce purchases. An example is Firebox.

4. Rich Animations
These are a great way to engage customers and make them feel confident about your brand.  Animations at the right time can make your customers feel like you care and add some play-ability and enjoy-ability to a design.

5. Storytelling
In an ever-growing competitive arena of on-line retailers, it is important to capture your visitors' attention. Telling the story of your brand or products is a great way to do this. Storytelling can bring your brand to life and build loyalty with customers.



http://www.webdesignerdepot.com/2016/01/9-ecommerce-design-trends-to-embrace-in-2016/

Wednesday, 24 February 2016

Mixed reactions on Facebook today

Just in case you haven't noticed.  Facebook are rolling out a new feature across their platform called Reactions.


This appears to be off the back of the community requesting a Dislike button on posts for a long time. It is clear to see, however, that this is having mixed... well, reactions across the globe.


Facebook founder Mark Zuckerberg posted:

Today is our worldwide launch of Reactions -- the new Like button with more ways to express yourself.
Not every moment you want to share is happy. Sometimes you want to share something sad or frustrating. Our community has been asking for a dislike button for years, but not because people want to tell friends they don't like their posts. People wanted to express empathy and make it comfortable to share a wider range of emotions.
I've spent a lot of time thinking about the right way to do this with our team. One of my goals was to make it as simple as pressing and holding the Like button.
The result is Reactions, which allow you to express love, laughter, surprise, sadness or anger.
Love is the most popular reaction so far, which feels about right to me!

Try them out by hovering over the Like button on the desktop, or by holding down the Like button on your mobile, to express your reactions to your friends' posts and updates. It is worth noting Facebook are doing a phased roll-out over a short period of time, so it is likely you will see this already, but if not, check back in a few hours as maybe it's not reached your part of the world yet.
