How to stop Google Tag Manager being hacked
In two high-profile data breaches this year – at Ticketmaster and British Airways – over half a million credit cards were stolen via a compromised script inserted on the payment pages.

Update 8/7/19: British Airways was fined a record £183m over this data breach, under new GDPR regulation. They are contesting the fine.

Google Tag Manager is a powerful tool which enables you to insert any script you want onto pages of your website, but that power can be used against you by hackers if you're not careful – and below we’ll look at how to stop GTM being a security risk on your payment pages.

Firstly, how did the hackers get the card details from these sites? And how is it relevant to GTM on your site?

Security firm RiskIQ has traced the breach to a compromised JavaScript file which skimmed the card details from the payment form. So when a user entered their credit card number and security code on BritishAirways.com (or their mobile app) those details were posted to a third-party server, unknown to British Airways or the customer. This is a high-scale equivalent of placing a skimming device on an ATM, which reads one card at a time.

In Ticketmaster’s hack the script was one loaded from a chatbot vendor on their site, Inbenta. Inbenta claims not even to have been aware the script was used on payment pages. The changes to the script were subtle: not breaking any functionality, and in BA’s case using a domain ‘baway.com’ which looked somewhat authentic.

To protect your site against a similar attack you obviously need to lock down accounts used by your developers to change scripts in the page source code, but you also need to secure GTM – which can be used to deploy such scripts. We have a few rules at Littledata to help reduce risks in using tag management on payment pages:

1. Use pixels over custom JavaScript tags on payment pages

You probably need a few standard tags, such as Google Analytics, on payment pages, but try to avoid any custom scripts which could possibly skim card details. Many non-standard tags use JavaScript only to create the URL of a tracking pixel – and it is much safer (and faster) to call the tracking pixel directly. Contact the vendor to find out how. (Littledata's Shopify app even removes the need to have any script on the payment pages, by hooking into the order as it's registered on Shopify's servers.)

2. Avoid loading external JavaScript files in GTM

Many vendors want you to load a file from their server (e.g. myvendor.com/tracking.js) from GTM, so they can update the tracking code whenever they want. This is flexible for them, but risky for you. If the vendor gets hacked (as with Inbenta above) then you get compromised. It’s less risky to embed that script directly in GTM, and control version changes from there (although a fraction slower to load the page). Of particular risk is embedding a tag manager within a tag manager – where you are giving the third party rights to publish any other scripts within the one tag. Don’t do that!

3. Lock down Edit and Publish rights on GTM

Your organisation probably has a high turnover of contract web developers and agencies, so have you checked that only the current staff or agencies have permission to edit and publish? It's OK to have external editors use 'workspaces' for version control in GTM, but ideally someone with direct accountability to your company should check and Publish.

4. Blacklist custom JavaScript tags on the payment pages

You can set a blacklist from the on-page data layer to prevent certain types of tags being deployed on the payment pages. If you have a GTM container with many users, this may be more practical than step 3.

5. Remove tags from old vendors

There are many thousands of marketing tools out there, and your company has probably tried a few. Do you remove all the tags from vendors when you stop working with them? These are most at risk of being hacked. At Littledata we run a quarterly process in which marketing stakeholders opt in to the tags they still need for tracking or optimisation.

6. Ensure all custom JavaScript tags are reviewed by a developer before publishing

It can be hard to review minified JavaScript libraries, but it is worth it for payment pages if you can’t follow rules 1 and 2.

If you’re still worried, you can audit the actual network requests sent from payment pages. For example, in Chrome developer tools, in the 'Network' tab, you can inspect what requests are sent out by the browser and to what servers. It’s easy for malicious code to hide in the patchwork of JavaScript that powers most modern web experiences, but what is harder to hide is the network requests made from the browser to external servers (i.e. to post the stolen card information out). A request to Google Analytics is fine, but if the domain of a request is dubious, look it up or ask around the team.

Good luck, and keep safe with GTM!
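The following is an added example, not code from Littledata or from Google, that puts rules 4 and 6 into working form: it builds the data-layer restriction that stops Custom HTML tags and Custom JavaScript variables firing on payment URLs, and it audits the hostnames a page has actually contacted against an allowlist, which is the check rule 6 describes doing by hand in the Network tab. The payment-page path prefixes, the allowed hostnames, the `GTM-XXXXXX` container ID and the sample request list are all assumptions or constructed values; the only real identifiers are GTM's `gtm.blacklist` restriction key and its `customScripts` restriction ID.

```javascript
// Added example, not Littledata's or Google's code: two defensive checks for
// GTM on payment pages. (1) A data-layer restriction pushed before the GTM
// snippet loads, so Custom HTML tags and Custom JavaScript variables cannot
// fire on checkout URLs (rule 4). (2) An audit of the hostnames the page has
// actually contacted against an allowlist (the Network-tab check of rule 6).

// Assumed URL prefixes of the payment pages.
const PAYMENT_PATHS = ['/checkout', '/payment'];

function isPaymentPage(pathname) {
  return PAYMENT_PATHS.some(prefix => pathname.startsWith(prefix));
}

// 'customScripts' is GTM's restriction ID covering Custom HTML tags ('html')
// and Custom JavaScript variables ('jsm'). Containers published from 2020 on
// also accept the key 'gtm.blocklist'; 'gtm.blacklist' is the name of this era.
function buildDataLayer(pathname) {
  return isPaymentPage(pathname) ? [{ 'gtm.blacklist': ['customScripts'] }] : [];
}

// Hostnames a payment page is expected to talk to (assumed for this example).
const ALLOWED_HOSTS = new Set(['www.google-analytics.com', 'www.googletagmanager.com']);

// Returns the sorted list of hostnames that are neither the page's own host nor
// on the allowlist. Relative URLs resolve against the page host; blob:/data:
// URLs have no host and are skipped.
function auditRequests(urls, pageHost, allowed = ALLOWED_HOSTS) {
  const dubious = new Set();
  for (const u of urls) {
    let host;
    try { host = new URL(u, `https://${pageHost}/`).hostname; } catch (e) { continue; }
    if (!host || host === pageHost || allowed.has(host)) continue;
    dubious.add(host);
  }
  return [...dubious].sort();
}

// In a browser, the URLs loaded so far come from the Resource Timing API
// (scripts, images, XHR and fetch). The DevTools Network tab the post
// recommends remains the full picture; this is a quick first pass.
function collectResourceUrls() {
  if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') return [];
  return performance.getEntriesByType('resource').map(entry => entry.name);
}

// Constructed sample, modelled on the post's description of the BA skimmer:
// the legitimate analytics calls plus one request to the look-alike domain.
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&t=pageview',
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX', // placeholder container ID
  '/static/checkout.js',
  'https://baway.com/',
];

if (typeof window !== 'undefined') {
  // Must run before the GTM container snippet for the restriction to take effect.
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push(...buildDataLayer(window.location.pathname));
  console.log('Dubious hosts:', auditRequests(collectResourceUrls(), window.location.hostname));
}
```

Run against the constructed sample with `auditRequests(SAMPLE_REQUESTS, 'www.britishairways.com')`, the audit returns `['baway.com']` and nothing else: the first-party script resolves to the page host and the two Google hostnames are on the allowlist. The restriction object must be in `dataLayer` before `gtm.js` is requested; a push after the container has loaded has no effect on it.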
How auditing Google Analytics can save you money
When is the last time you audited your Google Analytics account? If the answer is 'never', I understand, but you could be wasting a ton of cash - not to mention potential revenue. It's easy to put off an analytics audit as a 'someday' project considering the multitude of other tasks you need to accomplish each day. But did you know that auditing your Google Analytics account can save you money and add a big bump to online revenue, even with sites that are not ecommerce?

Whether people spend money directly on your site, or your site is primarily for lead generation, you spend money to get those site visitors through your marketing channels. When you view a channel like AdWords, there is a clear financial cost since you pay for clicks on your ads. With organic traffic, such as from Facebook fans, you spend time crafting posts and measuring performance, so the cost is time. With an investment of any resource, whether time or money, you need to evaluate what works - and what does not - then revisit the strategy for each of your marketing channels.

In this post, I’ll walk you through some of the automated audit checks in Littledata and take a look at what they mean for your online business. If your analytics audit doesn't ask the following questions, you're probably wasting money.

Is your AdWords account linked to Google Analytics?

If you run AdWords campaigns, linking AdWords and Analytics should be at the top of your to-do list. If AdWords and Analytics are not linked, you cannot compare your AdWords campaign performance to your other channels. Although you can still see how AdWords performs within the AdWords interface, this comparison among channels is important so you can adjust channel spend accordingly. If you discover that AdWords is not delivering the business you expected compared to other marketing channels, you may want to pause campaigns and reevaluate your PPC strategy.

Are you tracking website conversions?

There should be several conversion goals set up on your website because they represent visitor behavior that ultimately drives revenue. The above example shows a warning for a lead generation website. Although it is possible that no one contacted the site owner or scheduled an appointment in 30 days, as indicated in the error, it does seem unlikely. With this warning, the site owner knows to check how goals are set up in Google Analytics to ensure they track behavior accurately. Or, if there really was no engagement in 30 days, it is a red flag to examine the strategy of all marketing channels! Although the solution to this warning will be different based on the individual site, this is an important problem to be aware of, and setting up goals in Google Analytics, such as a destination goal, is straightforward. You can also get creative with your goals and use an ecommerce approach even for non-ecommerce websites.

Do you use campaign tags with social media and email campaigns?

This is an easy one to overlook when different marketing departments operate in silos, and is a common issue because people do not know to tag their campaigns. Tagging is how you identify your custom social media and email campaigns in Google Analytics. For example, if you do not tag your paid and organic posts in Facebook, Google Analytics will lump them together and simply report on Facebook traffic. In addition to distinguishing between paid and organic, you should also segment by the types of Facebook campaigns. If you discover poor performance with Facebook ads in Google Analytics, but do great with promoted posts in the Facebook newsfeed, you can stop investing money in ads, at least for the short term, and focus more on promoted posts.

Are you recording customer refunds in GA?

Refunds happen and are important to track because they impact overall revenue for an ecommerce business. Every business owner, both online and offline, has dealt with a refund; it is the nature of running a business. And this rate is generally fairly high. The return rate for brick-and-mortar stores is around 9% and closer to 20% for online stores, so less than 1% in the above audit seems suspicious. It is quite possible the refund rate is missing from this client’s Google Analytics account.

Why does this matter? Let’s assume the return rate for your online store is not terrible - maybe 15% on average. However, once you track returns, you see one product line has a 25% return rate. That is a rate that will hurt your bottom line compared to other products. Once you discover the problem, you can temporarily remove that product from your inventory while you drill into data - and talk to your customer support team - to understand why that product is returned more than others, which is a cost saving.

Are you capturing checkout steps?

Most checkouts on websites have several steps, which can be seen in Enhanced Ecommerce reports in Google Analytics. Shoppers add an item to their cart, perhaps log in to an existing account or create a new one, add shipping information, payment etc. In the ideal world, every shopper goes through every step to ultimately make a purchase, but in the real world, that is rare. Last year alone, there was an estimated $4 trillion worth of merchandise abandoned in online shopping carts. Reasons for this vary, but include unanticipated extra costs, forced account creation, and complicated checkouts. By capturing the checkout steps, you can see where people drop out and optimize that experience on your website. You can also benchmark checkout completion rates to see how your site compares to others.

Are you capturing product list views?

If you aren't tracking product list views correctly, your biggest cash cow might be sleeping right under your nose and you wouldn't even know it! Which products are the biggest money makers for you? If a particular product line brings in a lot of buyers, you want to make sure it is prominent on your website so you do not leave money on the table. Product list views enable you to see the most viewed categories, the biggest engagement, and the largest amount of revenue. If a profitable product list is not frequently viewed, you can incorporate it in some paid campaigns to get more visibility.

The good news

An audit is not only about what needs fixing on your website, but can also show you what is working well. After you run an audit, you will see the items that are set up correctly, so give yourself a pat on the back for those - and know that you can trust reporting based on that data.

Either way, remember to run an analytics audit regularly. Once a month is a good rule. I have seen cases where a website was updated and the analytics code was broken, but no one noticed. Other times, there may be a major change, such as to the customer checkout, so the original steps in your existing goal no longer work. Or an entirely new marketing channel was added, but with missing or inconsistent tagging. It is worth the time investment to ensure you have accurate Google Analytics data since it influences your decisions as a business owner and your bottom line.

Littledata's automated Google Analytics audit is especially useful for ecommerce sites, from online retailers to membership sites looking for donations. It gives a clear list of audit check results, with action plans for fixing your tracking. And Shopify stores can automatically fix tracking to capture all marketing channels and ensure that data in Google Analytics matches Shopify sessions and transactions (not to mention the data in your actual bank account!), even when using special checkouts like ReCharge and CartHook.

When you're missing out on the revenue you should already have, an audit is the first step in understanding where it's falling away, or where you're over-spending. Run an audit. Make a list. Fix your tracking. Grow your revenue. Sometimes it really is that simple!
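As an added example that is not Littledata's code, the block below shows the two audit checks from the refunds and checkout-steps sections in working form. It constructs Enhanced Ecommerce data-layer pushes in the shape GTM's Enhanced Ecommerce integration expects for checkout steps, purchases and refunds, then computes the per-step drop-off and the refund rate per product category from a constructed set of twelve sessions. The `sessionId` field, the `refund` event name, the step numbering and the product data are assumptions made for this offline calculation; a live site would get the session from GA's own reporting rather than from the data layer.

```javascript
// Added example, not Littledata's code: Enhanced Ecommerce checkout steps and
// refunds as GTM data-layer pushes, plus the two audit calculations the post
// talks about (checkout drop-off per step, refund rate per product category).

// Shape from GTM's Enhanced Ecommerce integration: a 'checkout' event carrying
// the step number in actionField, a 'purchase' event with the transaction id,
// and a 'refund' push keyed on that id. 'sessionId' is added here only so the
// offline funnel can be computed; 'refund' as an event name is an assumption.
function checkoutStepEvent(sessionId, step, products) {
  return { event: 'checkout', sessionId,
           ecommerce: { checkout: { actionField: { step }, products } } };
}
function purchaseEvent(sessionId, id, revenue, products) {
  return { event: 'purchase', sessionId,
           ecommerce: { purchase: { actionField: { id, revenue }, products } } };
}
function refundEvent(id) {
  return { event: 'refund', ecommerce: { refund: { actionField: { id } } } };
}

// Sessions reaching each step and the percentage lost at each step, i.e. the
// drop-off view the post says checkout-step tracking gives you. The last entry
// is the purchase itself.
function checkoutFunnel(events, stepCount) {
  const reached = Array.from({ length: stepCount + 1 }, () => new Set());
  for (const e of events) {
    if (e.event === 'checkout') reached[e.ecommerce.checkout.actionField.step - 1].add(e.sessionId);
    if (e.event === 'purchase') reached[stepCount].add(e.sessionId);
  }
  return reached.map((sessions, i) => {
    const previous = i === 0 ? sessions.size : reached[i - 1].size;
    return { step: i < stepCount ? i + 1 : 'purchase',
             sessions: sessions.size,
             dropOff: previous ? Math.round(100 * (1 - sessions.size / previous)) : 0 };
  });
}

// Refund rate per product category (refunded orders / orders), in percent.
// A category that stands out, as in the post's 25% example, is the signal.
function refundRateByCategory(events) {
  const refunded = new Set(events.filter(e => e.event === 'refund')
                                 .map(e => e.ecommerce.refund.actionField.id));
  const totals = {};
  for (const e of events.filter(e => e.event === 'purchase')) {
    const id = e.ecommerce.purchase.actionField.id;
    for (const p of e.ecommerce.purchase.products) {
      const t = totals[p.category] || (totals[p.category] = { orders: 0, refunds: 0 });
      t.orders += 1;
      if (refunded.has(id)) t.refunds += 1;
    }
  }
  const rates = {};
  for (const [category, t] of Object.entries(totals)) rates[category] = Math.round(100 * t.refunds / t.orders);
  return rates;
}

// Constructed sample: 12 sessions, 3 checkout steps; alternating product lines.
const SHOES = { name: 'Trainers', category: 'shoes', price: 60, quantity: 1 };
const HATS  = { name: 'Cap',      category: 'hats',  price: 20, quantity: 1 };
const SAMPLE_EVENTS = [];
for (let i = 0; i < 12; i++) {
  const session = `s${i + 1}`;
  const product = i % 2 === 0 ? SHOES : HATS;
  SAMPLE_EVENTS.push(checkoutStepEvent(session, 1, [product]));            // 12 reach the cart
  if (i < 10) SAMPLE_EVENTS.push(checkoutStepEvent(session, 2, [product])); // 10 reach login
  if (i < 9)  SAMPLE_EVENTS.push(checkoutStepEvent(session, 3, [product])); // 9 reach payment
  if (i < 8)  SAMPLE_EVENTS.push(purchaseEvent(session, `T${i + 1}`, product.price, [product])); // 8 buy
}
SAMPLE_EVENTS.push(refundEvent('T2')); // one of the four hats orders is refunded

if (typeof window === 'undefined') {
  console.log(checkoutFunnel(SAMPLE_EVENTS, 3));
  console.log(refundRateByCategory(SAMPLE_EVENTS));
}
```

On the constructed sample, `checkoutFunnel(SAMPLE_EVENTS, 3)` reports 12, 10, 9 and 8 sessions at the cart, login, payment and purchase stages with drop-offs of 0%, 17%, 10% and 11%, and `refundRateByCategory(SAMPLE_EVENTS)` returns 0% for shoes and 25% for hats. On a real site the same pushes go to `window.dataLayer` before the relevant GTM tag fires; the calculations stand in for what the Enhanced Ecommerce reports show once the steps and refunds are actually captured.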