InetSolution Blog

Unusual E-mail Marketing Move That Caught My Attention

Sat, 05 May 2012 08:25:00 -0400

If you’re an email marketer, you have people – probably the majority – on your marketing lists that never open your email campaigns. They promptly delete, ignore or flag your emails as spam. Yet, like most marketers, you keep sending more campaigns until the recipient either unsubscribes or permanently relegates you to the rank of Junk Sender in their email system. Continuing to send to these people wastes money, computing resources and reduces your open and click-through ratios on your campaigns. Have you considered simply removing these subscribers who never open your emails?

Yesterday I received a campaign from Stonyfield. I must have subscribed to receive their offers in the past, though I don’t recall when. I do recall seeing and deleting (without reading) their messages numerous times in the past. But today this particular message subject line caught my attention.

This email subject line caught my eye

The subject line says “Sorry to see you go.” That caught my attention because I didn’t recall unsubscribing. My first thought was that it might be a scam, but that proved false. To my pleasant surprise, Stonyfield’s marketers were actually removing me from their list because their analytics show that I never open their emails.

Stonyfield's email message to notify me of my pending removal from their list

Removing people from email lists (after all, the monetary cost to continue sending is next to nothing) may make most marketers wriggle uncomfortably in their seats. But I applaud Stonyfield's proactive approach to clearing out the dead wood and applaud Stonyfield’s marketers.

While I have no concrete, peer-reviewed data to back up my hypothesis, I would be willing to bet that Stonyfield will not see a negative sales impact from this move. I predict they will, however, gain an measure of increase in goodwill with customers (I do buy their products, I just don’t read their emails). They’ll also most likely see an increase in their open rates on their next round of campaigns.

If you’re an email marketer, have you tried this before? Also, what percentage of people who receive this type of notification actually choose to stay subscribed?

[UPDATE: See The Financial Brand's take in the comments below on why Stonyfield may be using this approach]

Why a simple typeo may be leaking your business's private data

Fri, 09 Sep 2011 12:16:00 -0400

Have you ever mistyped an email address? Ever had someone misspell yours? Email address typos occur all the time, and these misspellings can actually be a very large security concern for your business.

We've all had this phone conversation:

"That sounds great, let me just email you that document. What's your email address?"

"Mark Williams at co solution dot com", "Great, is it Williams with one l or two? "One l", and you said solution or solutions with an s?" "no s", and how do you spell co".

Recently a group of security researchers setup an experiment where they registered domain names that were common misspellings Fortune 500 company domains. The researchers then setup email servers that were configured to receive all email sent to any address ending in that misspelled domain name.

You can think of an example of someone at fedex. An email intended for mwilliams@fedex.com might easily be misspelled mwilliams@fedx.com by someone in a rush. That email could have sensitive information, as the security researchers clearly demonstrated.

These researcher's were able to collect over 20 GB of e-mail over the course of six months. 20 GB! These emails included everything from usernames and passwords to trade secrets and highly sensitive network configuration information.

Tips to Protect Your Organization

1. Register Common Misspellings

If you have a domain name that is commonly misspelled, register those variants. Heather Pizzala at Tri-Pointe Community Credit Union recognized years ago that people might forget to include the dash in their name when typing their domain name, so Heather wisely registered the tri-pointe and tripointe versions of their domain. Heather also correctly predicted that people may forget to include the E at the end of the name, so she also registered variants without the E at end.

For credit unions especially, it's not uncommon for people to forget to include the "cu" that is commonly at the end of many credit union domain names, such as applevillecu.com. If you're able to register the variant of your domain name without the CU (i.e., appleville.com in this example), we recommend doing so. You can register domain names at Network Solutions or many other registrars.

2. Do Not Use Email for Sensitive Communications

Secure File Exchange came out of our own needs to prevent exactly this kind of security issue. You must not trust email to share sensitive information. When you are dealing with loan documents, payroll files, tax forms, passwords and other sensitive data, you must take extra precautions to ensure the file you're sending is going to the intended recipient and only to that recipient.

Secure File Exchange helps fix this by only letting you send files to those people you've configured and authorized to receive files. In addition, you receive a read-receipt when the recipient picks up the payload so you know for sure it arrived. Finally, Secure File Exchange automatically purges data you've sent so that it's not a sitting target for data theft.

Give Secure File Exchange a try (free trial, whoo-hoo!) and let us know what you think, we're always looking for great feedback.

Book: Read This Before Our Next Meeting

Wed, 31 Aug 2011 09:51:00 -0400

I recently finished Read This Before Our Next Meeting, a great short book explaining how to re-purpose our traditional meetings into those that are concise, thorough and purposeful.

The message of the books rings to many concepts we've heard around from the likes of Seth Godin and the 37 Signals crew. Have a purpose, do your homework and make decisive decisions and stop stalling/wasting time.

Al Pittampalli introduces his concept of the "modern meeting" with the basic premiss that a meeting has only two reasons for being, to resolve conflict or coordinate efforts. At the core of it any meetings purpose is to support a decision that has already been made.

I really liked Al's point that today our use of "meeting" has really grown to encompass so many different activities, and thus everything is now regarded as a "meeting". When in fact so many things fall into the other two categories he delves into of a conversation or a brainstorm.

Al explains the idea that the burden of the meeting preparation goes onto the shoulders of the organizer. Not that participants shouldn't be prepared but its up to the organizer to do the leg work that will provide enough information and background to make a decision before the meeting begin. Then the actual meeting time can be used to communicate the reasoning for that decision and address any questions or concerns.

Overall the book can be boiled down to:

Have an agenda
Stick to your time limit
Only invite those that are absolutely needed
Do your homework

I enjoyed it and it's worth the very quick read. All in all, stop stalling with meetings, take decisive action and move on, communicating as needed.

Are you choosing a good password?

Wed, 10 Aug 2011 09:48:00 -0400

Passwords, ugh, don't you hate them? Passwords are a shared annoyance and inconvenience for all of us these days. Passwords are our main line of defense to verify we are who we say we are and to protect our identity and data. Since passwords are such a critical component to our daily technology lives we've been forced to make them less "guessable" more cryptic and thus harder to remember.

The most common technique for making your password has been to take a word, it is called a pass-WORD after all, and add some capitals, a number and then maybe some funky symbol like #, % or !. This is great, but surprisingly enough, this isn't really as secure as it could be AND it's silly hard to remember.

Today the witty folks at xkcd, an online daily comic for techie nerds such as ourselves, posted a great little comic covering this topic.

Comic courtesy of xkcd

The first row explains, in some super geeky math, that a "standard" "secure" password, with today's computing power, is hackable/guessable in around three days...Scary right?

The second row shows the technique that I really like and have been using for years. A simple sentence with regular words that may or may not correlate with one another. In their example it would take nearly 530 years to crack the example passprhase and is probably 100 times easier to remember.

So next time you're forced to reset your password or need to think of a new one, try a short sentence. You can still capitalize and use punctuation as you'd like, but at least you won't need that sticky note on the side of your monitor to help you remind you what cryptic non-english word you choose this month.

5 Creative Uses for Secure File Exchange

Tue, 02 Aug 2011 16:57:00 -0400

Secure File Exchange is one of those apps that we just love to work on because there are so many creative ways our customer's using it. So, we figured we would share a few:

New Customer Signup - When you're in the financial field, getting someone to come to your office and sign paper work isn't always convenient (or possible). When a digital PDF is all that's required, a customer can fill out their application and then send it to you with ease.
Fax Replacement - Who does business by fax anymore? Besides, faxing a form isn't any more secure than sending an email.
Engineering Drawings - Engineering these days is done with expensive CAD software, resulting in huge 3D rendering files and plenty of intellectual property. Most email servers are not too fond of 1GB files be sent through them.
Adoption Paperwork - The adoption process involves a lot of sensitive and personal data being transferred between potential families, agencies and governments throughout the world.
Secret Newsletter - Sneaky right? A newsletter that shouldn't be sitting around in an old email inbox. You have to know who's who and the secret handshake to get onto this list.

If you're using Secure File Exchange in a creative way please drop us a message or leave a comment below, we'd love to hear your stories.

Upgrade InetActive or any Website CMS to Meet New FFIEC Guidelines with Multi-Factor Authentication

Mon, 01 Aug 2011 09:20:00 -0400

The latest FFIEC security guidelines recommend that financial institutions add multi-factor authentication (MFA) to all Internet systems, including website content management systems. Our 2011 InetActive includes multi-factor authentication support, but the older versions do not, nor do most other website content management systems (CMS).

Thanks to Authly®, we now can offer an affordable solution to add MFA to your older InetActive or other website CMS.

Authly works by generating a one-time use pass code when you logon to InetActive. Authly delivers this pass code to either your cell phone via a text message or to your email address. The pass code expires in 60 seconds or immediately after you’ve used it. This helps make it very difficult for hackers to gain access to InetActive even if they somehow steal or guess your username and password.

What is Multi-factor Authentication?

Multi-factor Authentication is the act of verifying a user by something they have, a pass code sent to a cell phone, with some thing(s) they know – like a username and password.

How much does Authly cost?

There are two costs involved in adding multi-factor authentication to any website.

Integration: $1,500 (typical InetActive integration)
Monthly Authly service: $50.00 (up to 500 logon codes per month)

Call Mac Fowler at (586) 726-9490 or contact us to schedule your upgrade
before your next website audit.

5 Tips to make Instant Messaging more effective

Thu, 21 Jul 2011 16:36:00 -0400

This topic has probably been written to death, and I'm sure we're all instant message experts by this point, but every once in awhile it's good for a reminder.

With our team here at InetSolution the most used tool in our collaboration toolbox is probably instant message chat. While it's the most frequently used instant messages and chats are probably the easiest place for misunderstandings and miscommunications to occur. IM’s are typically rapid and un-edited messages. To help make IM's be more effective I wanted to put out a couple of points that I keep in mind in hopes to minimize confusion and miscommunication.

1) Re-read before you hit enter – I’m as fast of a typer as the next web-geek, unfortunately my brain works faster than my fingers. I often find that I’ve left out a word, combined two words or some combination of the two in probably half of my messages. Take the extra second to read your sentence before hitting enter.

2) Discuss one thing at a time – It’s very easy to get two or three threads of thought going at any one point. Take a breath, and just pick one thread, answer one question and finish that train of thought, then come back to the other and repeat as needed.

3) Emoticons help – Everyone says to leave these out of “business conversations”. Forget that, I want to know when someone is frustrated, upset or just being a goof. A simple smile, frown or wink helps. Granted you don’t need a wink at the end of every line, so don’t abuse it.

4) Ask if now is a good time – I know the question you have is just burning waiting for a great answer! It’s so easy to send along that simple harmless message. Instead of posting your question to them, simply ask if it’s a good time or when a good time would be. You don’t want to break someone out of their flow.

5) Respect someone’s status – If their status is Busy or DND then don’t bother them, easy. On the other side, use statues, don’t make yourself available all the time, it opens you to more interruptions and distractions.

6) Bonus tip: Tell someone what you’re doing – If a team-mate asks you a question that requires a little leg work, let them know first, then go looking. Nothing’s worse than sending someone a question, waiting 10 minutes before you realize that they didn’t see your question and now you’ve just wasted 10 minutes. Oups!

Web Analytics that Measure Website Value for Credit Unions and Banks

Fri, 01 Jul 2011 08:23:00 -0400

If you're a bank or credit union marketer, you should be using an analytics tool to measure your website's impact on your organizational goals. But what metrics are you paying attention to? If you're like most executives, your answer is probably visitor count, page views, referrals and, if you're doing pay-per-click advertising, then PPC spend. But what good are these numbers? How do these metrics translate into dollars, either earned or saved? If those are the only analytics you're paying attention to, you need to read this.

Hits, Views and Visitors Do Not Show Actual Value

Good web analytics packages will allow you to assign monetary values to actions visitors perform on your website. For example, when a visitor applies for a loan, you can record the dollar value associated with that loan.

Larger or more sophisticated financial institutions track these metrics in their CRM, MRM or other back office systems. Many small & mid-size institutions do not have systems or processes to track this data offline, so actual monetary impact of the website goes untracked. Without this data, executives make decisions based on website hits, page views and visitor counts without any correlation to the actual value of those activities. You can do better.

A Simple Example of Tracking Loan Application Values

Every bank and credit union website has online loan applications. (I realize some banks don't have online loan apps, but frankly there is no valid excuse for not having online loan applications in 2011.) Loans have value that you can track easily through web analytics, such as loan principal amount, loan fees and interest revenue. The easiest metric to start with is the actual loan principal value.

In the example below, we're looking at the online loan app activity for one day for a small credit union. The report shows that three loan types produced applications with a cumulative principal value or $257,500.

Principal value of online loan applications by type

What or Who Drove the Revenue

Knowing the type and dollar amount of loan applications the website produces is a good starting point. It's also helpful to know the which sources drove these applicants to your website.

You can see from the report below that when we drill down into the Home Equity loan apps, Google delivered the applicants to the website. You can also see the keywords that the applicants used in Google.

Report showing the referral source for home equity loan apps

Which Campaign Generated Which Loan?

What you can't see in the above report (the data is available, just not in this screen shot) is that a series of pay-per-click campaigns generated these visits.

The report below shows each loan application (the Transaction column contains the ID number the website assigns to each loan application) and the campaign that drove the visitor to the website.

Report showing each loan application and which campaign led the visitor to the website

This is a simplistic example, but it illustrates the premise. There are numerous aspects of this tracking that I haven't discussed, such as how we coded the administration side to account for approvals versus declines, as well as handling situations where the approved loan amount differs from the application. That's not important right now. Getting started is important.

Start Now. Get the Budget You've Dreamed About

If you're not tracking this type of data on your website, it's time to start. You probably already have all the technology you need. If you lack motivation, consider how much easier it could be to get your board to approve your budget increase when you can show data like this, rather than hits, visits and page views.

Do you want help improving your web analytics?

Request a Meeting

Security Tips for Banks to Protect Themselves and Customers Through Better Online Banking System Security

Tue, 28 Jun 2011 15:55:00 -0400

A judge in Michigan may have set a precedent when he ruled in favor of a small business that sued Comerica Bank for reimbursement of $561,000 to recover money that hackers stole from the business' account as a result of a phishing scam. The judge believed that Comerica should have done more to safeguard its customer's assets. Unfortunately many banks and credit unions lack adequate security & notification features in their online banking systems to help customer protect themselves. But many of the tools and technologies that could have prevented Comerica's loss are available to all banks and at minimal cost.

I'm going to introduce you to four security features that can help customers proactively protect their assets and subsequently lower the loss risk to banks and credit unions. In 2011, every online banking system should, at a bare minimum, use these security features:

Strong password and pass phrase support
Risk-based authentication
Multi-factor authentication
Real-time out of band transaction alerts

Strong Password or Pass Phrase Support

A common practice in online banking systems is to require passwords that meet certain criteria:

Minimum length requirement (usually eight characters)
Use upper and lower case letters
Must include a number or special character

Passwords like this were ok in 2002, but today it's not enough for banking systems. Banks should be encouraging customers to use long pass phrases, such as "Turkey and stuFFing at 4599 Pet$ Road." Pass phrases like this are difficult to guess or crack using brute force password attacks.

While a few banks do support pass phrases, some online banking systems force users to use short passwords. Amazingly, some banks even still disallow special characters in passwords!

A surprising number of banks still prevent special characters in passwords

Banks and credit unions need to update their online banking systems to accept long, complex pass phrases. In addition, the systems need to enforce password expiration rules that require scheduled password changes and prevent re-use of old passwords.

Risk-Based Authentication

Many online banking systems today employ risk-based authentication (RBA) to prevent unauthorized access to customer accounts. A common RBA method uses a combination of challenge questions and security images. A weakness in many systems is the use of questions that hackers can easily answer with a minimal amount of research on Facebook, Geni.com or similar social sites.

For example, many systems ask, "What is your favorite color?" Even if the customer doesn't have a Facebook profile, this question has a small pool of common answers that a hacker can easily guess without knowing anything about the victim. When choosing RBA questions, the advice I offered in 2008 on best practices for choosing challenge questions is still relevant today.

The purpose of using a security image in online banking systems is to help a customer identify phishing sites. In theory a phishing site would not be able to show the correct security image for a specific user and therefore the user would not enter his credentials into the phishing site. One vulnerability of these systems is image harvest attacks. When the collection of available images is small, hackers can successfully harvest the images and execute a phishing scam.

A common method of using a security image in an RBA process. If the user does not recognize the image, she should not enter her password.

To mitigate the risk of successful image harvest attacks, some RBA frameworks employ more sophisticated RBA image techniques. For example, MemberProtect has the ability to dynamically generate security images with embedded text to make each image unique to a specific customer. By adding an extra degree of protection like this to their online systems, a bank gives customers more options and further demonstrates to jurors how the bank took reasonable measures to protect customers.

A security image with an embedded security phrase

Multi-factor Authentication

In the Comerica Bank scenario, a multi-factor authentication system could have prevented the hackers from gaining access to the business accounts from which they transferred the money. One method of multi-factor authentication is RSA's SecurID keyfob system. SecurID uses small, electronic keyfobs that use an algorithm to generate a random pass code every 60 seconds. A user must enter this pass code in order to log into any system that the SecurID protects. Unfortunately, SecurID and similar systems are expensive to purchase and support due to the hardware and licensing costs, so few banks use them for customer accounts.

A newer and more cost effective solution uses something that many customers already have – a mobile phone or even landline telephone. Services like Authly will easily plug into an existing online banking system to generate one-time-use pass codes that are sent to a customer's mobile phone. To logon to online banking, the customer enters her username and password like normal, and then immediately she receives an eight character pass code on her phone via text message that she enters into the site to complete her login. The pass code can only be used once and expires shortly after the Authly system issues it. These types of systems make it very difficult for hackers to steal logon credentials and even if they do steal a code, it will have likely expired before the hacker can even use it.

Online banking systems should use tools like Authly for more than just logon. We recently implemented an online banking system that allowed customers to create domestic and international wires. To complete wires over a certain dollar amount, the customer had to enter a unique pass code for each wire. This system also made use of the pass codes for certain administration activities, such as adding users to certain privileged administrator-level roles within the online banking system. (Also, these systems put a daily cap on the number and total dollar amount of wires that a customer can perform in a day, which ads further protection.)

Real-time Out-of-Band Transaction Alerts

Thefts like the one in the Comerica case go undetected for days or weeks because most users do not check their banking activity on a daily basis. In the case of ACH and wire transfers, it's possible for a hacker to clean out a bank account in a matter of hours. When the account owner finally notices the loss days or weeks later and reports the theft, the funds are unrecoverable.

But banks and credit unions can easily provide customers with tools to monitor their accounts for unusual activity and thus give customers more control and responsibility in protecting their assets. Using services like Authly, or even simple email, a bank can allow a customer to configure notification rules on her accounts.

For example, Tina Marie could create a rule for the system to send her a text message anytime a transaction over $500 posts to her account. Many large banks and credit card issuers already have near real-time alerting systems integrated into their transactional systems, but small and mid-size banks and credit unions are lagging behind in this type of technology.

Real-time email or SMS text notification can help customers halt fraudulent transactions quickly

Better Security Adds Value for Customers

Implementing these types of security features will not create an impenetrable system. No internet facing system is 100% secure; however, by putting these four types of security mechanisms in place, banks and credit unions can better arm customers with the tools they need to protect their assets. In addition, the financial institutions will be in a better position to defend themselves when customers sue to recover losses from phishing and other scams.

If you're not sure your bank's security is up to par, then we should talk. We can help you identify weaknesses and recommend solutions to better protect your customers and their data.

Credit Union and Bank Video Highlights from the Web this Week

Fri, 17 Jun 2011 07:40:00 -0400

Credit unions and banks are using YouTube and other video sharing services to get their messages out. A few videos posted recently caught our attention this week.

Member Upset that His Credit Union Isn't a Fan of Bicycles

An agitated credit union customer complains about an Alaskan credit union refusing to provide service to him while on his bicycle at the drive-up banking window. (Based on his exploitation comment, he may already have a negative bias toward the credit union to begin with.) The tree in the background seems quite fond of him.

No bicycles in the drive-up ticks this guy off

Interesting Voice Talent Selection for this Demographic

Altura Credit Union incorporated text messaging into this radio promo featuring their iChecking product and singer Taylor Swift (well, sort of). While the ad sounds like it's targeting a crowd more interested in monster trucks and demolition derbies, the promotion actually seems targeted at a softer, gentler crowd. Of course, no one here has ever been to a Taylor Swift concert, so our opinion could be utterly wrong.

Altura Credit Union radio promo

Community Outreach Done Well

This video features First Tech Federal Credit Union promoting a community outreach program called Community Re-Build. We could find no information on the credit union's website about this program, but the video is well done.

Community outreach program featuring First Tech Federal C.U.

Credit Union Golf Lessons

Pace Credit Union is helping members improve their golf game in this series of golf lessons on YouTube. Is it true that better golfers make better members?

Pace Credit Union helps members improve their golf swing

Bank Puts Employees to Work to Recruit New Employees

Union Bank has produced series of videos to use in the career area of their website to attract new hires. The videos feature interviews with current employees, perhaps assuming that talent attracts similar talent.