Why your live chat channel is a back door for cybercriminals

Your customers are sharing personally identifiable information through live chat. Your operators log in to chat with company emails and company passwords. And chat code sits across your public-facing webpages.

Your live chat channel, in short, is a prime target for cybercriminals. Yet live chat security is often treated as an afterthought – if considered at all. For businesses, chat is often conceived of as a quick-fire communication route rather than a critical data touchpoint.

And that’s a risky oversight. The question is: is your live chat channel adequately protected against cybercrime?

Live chat cybercrime

In 2016, the global live chat software market was valued at $590 million. By 2023, it is projected to reach $997 million. This surge in live chat adoption has been eyed – and systematically exploited – by cybercriminals.


Let’s look at just a few instances of live chat cybercrime from the past few years.


In 2017, a cryptojacking script was found hidden away in chat widgets across some 1500 websites. This nasty piece of malware took advantage of a LiveHelpNow security weakness and hid inside their JavaScript files. Stealthily, the script consumed CPU resources to harm visitors’ machines. Which is not such a great look if you were one of the companies using the offending chat service.

Live chat cryptojacking


Fast-forward to 2018, and the next large-scale live chat security breach affected company employees and their personal details. In this security transgression, two chat vendors (LiveChat and TouchCommerce) were found to be leaking their customers’ chat operator data. Think full names, company email addresses, employee IDs, support centre location, supervisor name, etc. In short, all the data necessary for cybercriminals to perform social engineering attacks and gain access to private internal networks.

2018 also saw a malware attack in [24]7.ai’s live chat software. This time, credit card data was up for grabs – from names, to card numbers, to CVV codes and expiry dates. The malware quietly hid inside the chat widget and collected payment information. Worse, customers of several high-volume brands – Sears, Delta Airlines, Kmart, BestBuy – were affected by the breach. You can imagine how happy those customers were with the leak.


Then, in 2019, security researchers discovered a persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin. Through this vulnerability, hackers could inject malicious scripts into a website and take over control. Not a comforting thought, is it?


The security breaches haven’t stopped recently, either. In 2020, a live chat user reported a breach in which the operator’s previous conversations with other customers were visible to them from inside the chat window. This included names, numbers, and security answers from the chat operator’s earlier conversations. Imagine how comfortable you’d feel if that were your data? Or, indeed, how happy you’d be if you were the company paying for that chat service?

Live chat security breach

The high cost of live chat cybercrime

So, as these breaches demonstrate, a live chat channel offers a potential back door for cybercriminals. And with a cyberattack occurring every 39 seconds, it’s increasingly imperative to fortify that back door.

Failing to do so is costly. For example, a staggering 78% of consumers would avoid a firm after a data leak. Beyond this loss of customer trust and loyalty are the legal ramifications, too. The average total cost of a data breach comes in at an eye-watering $3.86 million. Then, it takes 280 days (on average) to identify and contain a breach.

All that loss – of time scrabbling around to fix a breach, of public trust in your service, and of vast sums of money – makes safeguarding your chat solution a no-brainer. But that doesn’t always pan out in everyday chat adoption.

Quick, easy, risky?

Part of the problem is that live chat software is so quick and easy to deploy. There are hundreds of vendors to choose from – most offering some kind of free trial. So, within a matter of minutes, you can add a few lines of code to your site and start chatting to website visitors.

And that means that for many firms, chat becomes seen as an ‘easy-peasy’ tech addition. Something you can quickly add on to your service offering without much effort. Something patently value-added that – even better – is supremely easy to incorporate.

Or so it would appear. The truth is that live chat software is a key strategic imperative as well as a sensitive data hotspot. So, though a quick deployment approach is entirely possible, it doesn’t mean that it’s advisable.

Your chat implementation should take time. It should take preparation, research, effort. This isn’t necessarily the flashy advice that firms might want to hear, but it’s the truth.

And the onus isn’t all on you, either. Far from it, in fact. You also need to hold your chat vendor and their solution to the highest possible cybersecurity standards.

How, then, to protect yourself against live chat cybercrime?

Chat is a key strategic imperative as well as a sensitive data hotspot. A quick deployment approach is possible but not advisable.

Live chat security checks

A secure chat channel will have a host of defences in place to protect your data and prevent unauthorised access. Ask the chat vendor about:

· Encryption

Does the chat service encrypt data as standard? What encryption method do they use?

Encryption makes your chat data unreadable without a ‘key’ (i.e. a code) to decrypt it. Because only select users have the key needed to decrypt the data, you’re much safer from unauthorised access.

· Secure chat connections

Get specific about the number of bits in a session key. WhosOn, for example, secures connections over an initial 2048-bit RSA exchange followed by an exchange of a 128-bit session key.

Then, find out whether these connections use a trusted public certificate authority and are filtered by firewalls. A good chat vendor will have all this info readily available for you.

· PCI/PII masking

A secure chat solution should automatically detect sensitive data found inside chat sessions. And, more importantly, it should mask that data. So, a credit card number would appear as ****-****-****-****, for instance.

You should also ask how any masked data is processed. (I.e., how it appears in any generated chat transcripts and exported JSON files, etc.) If you operate in a regulated industry, you might also want to set your own custom rules for masking data beyond credit cards, such as names and addresses, for example. So, ask what your options are.
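As an added example (not WhosOn's or any other vendor's code), here is how a chat backend could detect and mask card numbers before a message is stored, shown to an operator or exported, with a hook for the custom rules mentioned above. The Luhn check, the card regex, the email rule and the sample messages are all assumptions of this example, not anything the page describes.

```javascript
// Added example, not a chat vendor's implementation.
// Masks card numbers (and optional custom patterns) in a chat message so
// that transcripts and JSON exports never contain the raw value.

// Luhn checksum: cuts false positives such as order references that happen
// to be 13+ digits long but are not valid card numbers.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate card number: 13 to 19 digits, optionally separated by spaces or hyphens.
const CARD_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;
const CARD_MASK = '****-****-****-****';

function maskCardNumbers(text) {
  return text.replace(CARD_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    return luhnValid(digits) ? CARD_MASK : match; // leave non-card numbers alone
  });
}

// Constructed custom rule, standing in for the "names and addresses" rules a
// regulated business might add: redact email addresses.
const EMAIL_RULE = {
  pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  replacement: '[email redacted]',
};

// Apply masking once, at ingestion, and derive everything else (operator view,
// transcript, JSON export) from the returned object.
function sanitizeMessage(message, customRules = []) {
  const afterCards = maskCardNumbers(message.text);
  let text = afterCards;
  for (const rule of customRules) {
    text = text.replace(rule.pattern, rule.replacement);
  }
  return { ...message, text, maskedPci: afterCards !== message.text };
}

// Constructed sample message (the card number is a well-known test number).
const sample = { from: 'visitor', text: 'card 4111-1111-1111-1111, email bob@example.com' };
console.log(JSON.stringify(sanitizeMessage(sample, [EMAIL_RULE])));
```

The point of masking at ingestion rather than at display time is that the transcript and the exported JSON are produced from the already-masked object, so the question "how does masked data appear in exports?" has a single answer. The `maskedPci` flag lets you audit how often card data is being typed into chat at all, which is usually a prompt to steer customers to a proper payment page.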

An example of PCI masking

· Intrusion prevention

Look at how the software prevents intruders from gaining access to your chat channel. For example, can only specified company IP addresses log in to the chat service? What are the whitelist and blacklist options?

Then, what happens if an intrusion attempt is suspected? I.e., what happens to users (malicious or otherwise) if their login authentication fails?
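To make the two questions above concrete, here is an added example (not WhosOn's or any vendor's code) of an operator-login gate that combines a company IP allowlist with a failed-attempt lockout. The CIDR ranges, the five-failures-in-fifteen-minutes threshold, the in-memory attempt store and the credential checker are all assumptions of this example.

```javascript
// Added example, not a chat vendor's implementation.
// Operator logins are accepted only from allowlisted company IPv4 ranges,
// and an account is locked after repeated failures within a time window.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// "203.0.113.0/24" -> { base, mask }; a bare address is treated as /32.
function parseCidr(cidr) {
  const [addr, bitsStr = '32'] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

const MAX_FAILURES = 5;            // assumed threshold
const WINDOW_MS = 15 * 60 * 1000;  // assumed 15-minute window

// verifyCredentials(user, password) -> boolean is supplied by the caller and
// would check a password hash in a real system. `now` is injectable for testing.
function createLoginGate(allowlist, verifyCredentials, now = () => Date.now()) {
  const ranges = allowlist.map(parseCidr);
  const failures = new Map(); // username -> timestamps of recent failures

  function ipAllowed(ip) {
    const n = ipv4ToInt(ip);
    return ranges.some((r) => ((n & r.mask) >>> 0) === r.base);
  }

  function recentFailures(user) {
    const cutoff = now() - WINDOW_MS;
    const kept = (failures.get(user) || []).filter((t) => t > cutoff);
    failures.set(user, kept);
    return kept;
  }

  // Returns a decision object; `reason` is for server-side logging and
  // alerting, not for echoing back to the client verbatim.
  function attempt(user, password, ip) {
    if (!ipAllowed(ip)) return { ok: false, reason: 'ip_not_allowed' };
    const recent = recentFailures(user);
    if (recent.length >= MAX_FAILURES) return { ok: false, reason: 'locked_out' };
    if (!verifyCredentials(user, password)) {
      recent.push(now());
      return { ok: false, reason: 'bad_credentials', failuresLeft: MAX_FAILURES - recent.length };
    }
    failures.delete(user); // successful login clears the counter
    return { ok: true };
  }

  return { attempt, ipAllowed };
}

// Constructed demo: documentation ranges only, plaintext stand-in for a hash check.
const demoGate = createLoginGate(
  ['203.0.113.0/24', '198.51.100.7'],
  (user, password) => user === 'alice' && password === 'correct horse',
);
console.log(demoGate.attempt('alice', 'correct horse', '192.0.2.1'));   // blocked by allowlist
console.log(demoGate.attempt('alice', 'correct horse', '203.0.113.42')); // ok
```

Two practical notes. The allowlist check runs before the password check, so a request from outside the company ranges never reaches the credential store or counts against the account. And the `reason` field exists so that the security team can see the difference between a blocked IP, a wrong password and a lockout in the logs; the message shown to the person logging in should be the same generic failure in all three cases.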

· Hosting options

For regulated industries, on-premises hosting is usually the preferred deployment route. But only certain live chat vendors will offer you that degree of hosting control – it’s an uncommon option. So, find out if it’s an available (and suited) option for your company.

Cloud deployment is the more common hosting route, but that brings its own range of questions. You’ll want to know whose data centre you’re using and what security measures they take. Then, ascertain which country your data sits in. You might also want to enquire about a dedicated server option, for heightened security.

· File exchange

You’ll often send and receive files during a live chat session. How safe does your chat channel make it to do so?

First, you should be able to choose which file types are allowed, and whether file sharing is instant or on request. (I.e., can the user send an unsolicited file, or must the operator request it first?) Then, don’t forget to check whether the chat solution runs a virus check against each inbound document. Failing to do so is a glaring oversight.

· Updates and upgrades

As with any outdated software, legacy live chat suffers from reduced security. The older the version, the less likely it is to withstand the latest live chat cybercrime attacks.

So, how often is the solution updated by its developers? It’s also a good idea to find out how often it’s penetration tested and vulnerability scanned, too.

· Access control

You don’t want every operator to be able to access every feature, every conversation, every piece of chat data. The more people who can access sensitive information, the higher the security risk.

So, find out how finely you can tune user access rights and set permission levels. A solution that you can configure tightly around your needs is always going to trump a solution with one-size-fits-all options.

Chat user management

· Data retention

You might want to securely store data for a fixed amount of time. Or, you might not want any storage of chats at all, depending on your industry.

So, ask about the solution’s data retention options. How long is your chat data stored for? How is it deleted? Can you configure these settings yourself?

· Vendor security

Last, when you’re running through your security checks with the chat vendor, don’t forget to ask them about their own affairs. For example, when they last had a data breach. What kind of security accreditations and certifications they have. What their privacy policy outlines.

Remember: you’re not just picking a tech solution. You’re also picking a technology partner, and you’ll have a relationship with that vendor. So, vet them.

Plus internal processes

Unfortunately, it’s not all on the vendor and their solution to prevent live chat cybercrime. There are also internal measures you need to take to protect your business and its customers.

Here’s an eye-opening fact: 90% of data breaches involve human error. So, you need to give your human chat agents thorough security training.

Start with the basics – locking machines, using secure passwords, not copy-pasting sensitive data, etc. Then, you also need to go into further detail on the intricacies of your chat channel’s features, on regulation compliance, and general chat best practice.

In short, make sure your team is primed to safeguard chat data.

Keeping the door closed

Any data touchpoint, any technology touching your business, provides a potential back door for cybercriminals. And with its vast wealth of customer and agent data, your live chat channel is no different.

But that doesn’t make chat inherently unsafe, or a business risk. It simply means that you should deploy it with the same thoughtful caution with which you’d deploy a new CRM system, or a new website, or a new help desk.

Don’t be fooled by the availability and accessibility of live chat software. Chat is a heavyweight component of any tech stack. As such, it should be afforded every appropriate consideration and evaluation.


To partner with the leaders in live chat security and regulation compliance, get in touch with the WhosOn team today.