Hack the Chat

Last updated August 19, 2022

Summary:

• By the end of 2022, 70% of white collar workers will interact with chatbots on a daily basis—but chatbots can pose a cybersecurity risk if they are not properly protected.
• Chatbots can improve customer experience by identifying leads in real time, improving user engagement, and collecting user data for A/B testing.
• However, cybercriminals can exploit chatbots to impersonate people, deliver malware, steal or alter data, and launch phishing attacks.
• Common chatbot vulnerabilities include unencrypted communications, allowing back-door access, missing protocols, and hosting platform issues.
• Types of chatbot attacks include network hacks, social engineering attacks, and real-time chatbot takeovers.
• Software updates, working with experienced chatbot developers, restricting chatbot access to registered users, and implementing multi-factor identification can all make your chatbot usage more secure.
• Web Application Firewalls, end-to-end encryption on messages, authentication timeouts, self-destructing messages, and other strategies can also improve chatbot security.

Chatbots, those little customer service pop-up menus on websites that ask how they can help you, are becoming ubiquitous, changing how users interact with both websites and the businesses behind them. 

Machine-learning programs such as Siri, Alexa, Google Assistant, and website chatbots have become one of the fastest online sales generating tools businesses have at their disposal. A 2016 study by Oracle found that 80% of businesses planned to onboard customer interaction AIs to their website, and a 2019 article by Gartner predicts that by the end of 2022, a full 70% of white-collar workers will interact with conversational platforms (chatbots) daily. 

However, while website chatbots are incredibly useful, they can also pose a security risk if appropriate cybersecurity measures aren’t taken. In this article, we will discuss how chatbots can leave your organization vulnerable to new hacking tactics and explore steps your organization should be taking to secure your website chatbot.

If your organization has recently experienced, or is currently experiencing, a cybersecurity incident such as a chatbot hack, please contact our team right away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).

See also:

• Our managed firewall services
• Our managed endpoint detection and response services

How Chatbots Can Improve the Customer Experience

Chatbots offer many advantages to both customers and businesses. Chatbots allow customers to independently move down the sales funnel, offer users more information about your company’s products and services, and provide your company with valuable data on customer interests. 

By taking over these functions from live staff members, businesses can free up valuable team members for other business-building activities or reallocate the funds that would have been spent on sales staff wages for other uses. Chatbots are also not constrained by reasonable shift lengths or labor laws and never need sick days or vacations.  

When implemented correctly, chatbots can:

Identify Leads in Real Time

Chatbots allow you to engage with customers while they are using your app or website, catching them when they are most engaged. It also allows customers to get answers to common questions right away (an IBM study found chatbots can handle 80% of routine tasks and customer questions) and make the entire website experience more engaging. Chatbots can also gently guide customers towards the next sales funnel stage.

Improve User Engagement

Unlike human beings, chatbots can easily engage with multiple customers at once without losing focus. They can also regularly send customers product updates and offers, offer instant responses to customer inquiries, and are available 24/7/365. They can also be programmed using multiple languages to better engage with all of your target demographics.

Collect Valuable User Data & Engage in A/B Testing

Modern marketing runs on user data, and chatbots are well-positioned to collect it. Chatbots can seamlessly gather customer data in real-time (and ask follow-up questions to gain more information), analyze the data, and provide you with the information you need to continue to improve your products or services and reach new consumers.

Chatbots also allow you to contact A/B tests simultaneously (and much faster than manual A/B testing) and swiftly provide your team with test results and the chatbot’s analysis.

Chatbot Risks

Chatbots are a valuable tool, but like any digital tool, they are also vulnerable to cybercriminals. Without proper security precautions in place, chatbots can be used to:

• Impersonate individuals 
• Deliver ransomware and other forms of malware
• Engage in data-theft
• Alter data
• Engage in phishing or whaling attacks

Many companies offer chatbot programs, but not every chatbot is as secure as it could be. Common chatbot vulnerabilities include:

• Unencrypted communications
• Back-door access by cybercriminals
• A lack of HTTP protocol 
• Absent or insufficient employee security protocols
• Hosting platform issues 

Hack the Chat: How Bad Actors Are Taking Advantage of Chatbots

Before you implement a chatbot, you should ensure it meets your company’s existing security standards and make sure your team is aware of the types of attacks cybercriminals commonly use against chatbots.

Types of Chatbot Attacks

Network Hacks

Much like a burglar can creep through an unlocked window, cybercriminals can use unsecured or insufficiently secured chatbots to gain access to your network. As such, cybercriminals will frequently evaluate chatbots for potential vulnerabilities that can be exploited to gain wider network access.

Social Engineering Attacks Using Chatbots

Cybercriminals can also turn chatbots into tools of their own. If a cybercriminal already has an existing customer’s username, they may be able to leverage the chatbot in a social engineering scheme to reset the account password (granting the cybercriminal access), make unauthorized purchases, or change the payment information on the user’s account.

Real-time Chatbot Takeovers

In this scenario, a cybercriminal would have to have already infiltrated your website and be in a position to intercept customer communication via the chatbot. Because chatbots are an extension of your company, customers may let their guard down as they would around one of your human employees. 

Cybercriminals can take advantage of that presumed trust to ask users for sensitive personal information, such as social insurance numbers or credit card numbers, or direct users to send funds outside of usual payment avenues. 

Safeguard Your Website With These Chatbot Best Practices

Keep Your Software Up to Date

One of the easiest things any company can do to quickly improve their security is keep their software up to date. When software developers discover vulnerabilities, bugs, or other issues with their programs, they release patches to fix them. By downloading all security patches as soon as they become available, you can proactively safeguard your network and the digital assets stored on it. 

Unpatched software is also particularly vulnerable. Companies typically announce when a patch is released, alerting both legitimate users and cybercriminals. This can inadvertently increase a company’s chances of being targeted by cybercriminals as these criminals redirect their attention to companies that they know are using the recently patched software in the hopes of exploiting the vulnerability before all network users have downloaded the patch.

Hire an Experienced Chatbot Developer

While you may be excited to get your chatbot up and running, it pays to shop around and find a developer with chatbot security and design experience. Before you begin production, make sure to ask your developer how they plan to secure your chatbot and make sure their plan meets your high security standards.

Restrict Chatbot Use to Registered Users Only

While restricting chatbot use privileges to registered users may hinder your efforts somewhat from a sales perspective, it can pay attractive security dividends. Cybercriminals are always on the lookout for easy targets, and adding this extra layer of security both eliminates (or at least reduces) anonymity and makes your website chatbot a less appealing target. Requiring users to register with your website before using the chatbot is an easy to implement and cost-effective security measure.

Implement Two-Factor Authentication

In addition to requiring usernames and passwords, you may want to consider implementing two-factor authentication. This adds an extra layer of security during the login process, requiring users to enter two different pieces of information to verify their identity. 

This often takes the form of a strong password paired with a text message prompt or a hardware element. As such, for a cybercriminal to successfully log in to a legitimate user’s account, they would need the user’s username and password as well as access to the one-time code sent to the user’s phone or the physical hardware element attached to that user’s account.

Install a Web Application Firewall (WAF)

Web application firewalls are designed to safeguard your website from malicious traffic and harmful requests. This is critical since it could help prevent cybercriminals or their botnet from using your chatbot to inject malicious code into your network (such as during a ransomware or other malware attack). 

Implement End-to-End Encryption on Chatbot Messages

End-to-end encryption is a critical security measure and should be used both for chatbot conversations and in any context where a message is sent from one person or entity to another (including chatbot sessions, email, and internal employee chat programs). 

Implement Authentication Timeouts

This simple yet effective step, designed to limit how long a user remains logged in before they are automatically logged out, is incredibly effective. If a user remains logged in but inactive for too long, a prompt window will appear asking them to re-enter their login credentials or confirm that they are still active. The prompt window may also be designed to inform the user that they have been logged out. This simple design change can prevent crimes of opportunity, where a cybercriminal is able to take advantage of a still-logged-in user to wreak havoc. 

Self-Destructing Messages

While this may sound like something out of a spy movie, self-destructing messages are a great way to make your chatbot more secure. This security measure is just what it sounds like: either after a chat session has concluded or a select amount of time has elapsed, all messages sent to and any sensitive information shared with the chatbot is automatically erased. While some users may find this inconvenient, the inconvenience is outweighed by this approach’s security benefits.  

Put Your Chatbot to the Test With Pen Testing

As the old saying goes, the best defense is a good offense. Pen (penetration) testing involves hiring an ethical hacker (sometimes called a “white hat”) to stress test your defenses and try to break into your network. The pen tester documents any security gaps or deficiencies they find and then shares their findings and their recommendations with you and your security team once the test is complete. 

By proactively seeking out vulnerabilities, you can ensure these shortcomings are addressed before any actual cybercriminals can exploit them. 

Consider Offering a Bug Bounty

While this option can be risky because it involves actively inviting technically-savvy users to look for security issues, offering a bug bounty can also pay off. Bug bounties are just what they sound like: if a user finds a security bug and tells your team about it, you offer them a reward as a thank you. 

Chatbots can be a great way to reach customers, improve the customer experience, and help move potential customers down the sales funnel. However, like all digital tools, chatbots can pose a risk to your company’s overall security if appropriate measures aren’t taken. 

Worried Your Chatbot is A Security Liability? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. The VirtualArmour team is staffed by security experts from a wide selection of cybersecurity and IT disciplines. Whether you’re starting from scratch or improving an existing website or chatbot, our team is here to help. We offer a variety of services, including vulnerability scanning and managed firewall services.

For more information, or to start improving your company’s security posture, please contact our team.