Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisatioj had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post .

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • i-Tunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggest that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either.  Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective,  and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.

Advertisements

Delivering Poor Customer Service – Sony and 4ourhouse.co.uk

February 16, 2012

All the DeliverDemon needed was a replacement battery for a perfectly good laptop that has been around for a couple of years. Previous experience with Sony meant it was no surprise to discover that Sony discontinue supply of their model-specific batteries long before the average lifespan of the laptop has expired. The Sony callcentre gave the DeliveryDemon the number of their accessory supplier 4ourhouse.co.uk as a supplier of the required battery model. The DeliveryDemon does NOT recommend this outfit. Why?

  1. The wrong battery turned up
  2. The price which had been quoted was not the price for the battery required – the correct battery, needless to say, was more expensive than the quoted price
  3. They cannot just send out the correct item, the customer has to pay for a new item and go through a time consuming process in order to get a refund on the incorrect item
  4. The promised email details for a return did not arrive
  5. The callcentre system loses incoming calls
  6. 4ourhouse had incorrectly recorded the DeliveryDemon’s email address – a particularly stupid mistake as the email address uses the same name as was correctly entered on the delivery address
  7. The callcentre cannot change an incorrect email address
  8. The supervisor gave a time of up to 24 HOURS to get an email out through their automated system.

That is one hell of a lot of mistakes and stupidities to pick up on one single, simple order. And of course every facet of this error allows 4ourhouse to use their own mistake to hold on to the customer’s money. In the meantime the customer, instead of having the convenience of online purchasing, has to waste time taking the incorrect item to the Post Office and obtaining proof of posting.

This is a stunning example of practices which give a bad name to online retailing. The DeliveryDemon will NOT be wasting any more time buying via 4ourhouse.co.uk In fact, the DeliveryDemon, after several years of using Sony equipment is seriously considering changing to a manufacturer with a more ethical and effective spares supply chain.


The DeliveryDemon Is Blogging Again – and thinking about the Supply Chain

January 17, 2011

The DeliveryDemon has been thinking abut delivery and technology. One of the benefits of technology is its ability to dematerialise goods and deliver them electronically. For music and videos and software that’s great. Where it falls down is when there’s a need for physical delivery. Interestingly, that puts at risk the delivery of the bits and pieces of hardware we need to exploit all this technology. We can use technology to place our orders, then it all comes down to sending stuff through the physical supply chain.

Two things happen once our goods get into the supply chain – they become unimportant and they become attractive.

  • The unimportance of our parcels

From the factory production line to the doorstep our parcel is just one of millions being thumped, bumped and dumped. No-one really cares about it. If it gets lost or damaged, it’s the sender’s problem, or the intended recipient’s problem, or an insurance company’s problem. Even at source, the supplier doesn’t care, it’s just another item off the production line. So goods get lost and damaged and no-one is answerable. There’s a cost to remedying the problem, of course, and inevitable the cost finds its way back to the end consumer.

  • The attractiveness of our goods

Many electronic gadgets and components are small, so easily lost, and just as easily fitted into pockets. Packaging, even if it doesn’t show explicit sender details, is often easily identifiable as containing some sort of technology. The value of such items can be high.

The DeliveryDemon has been told of many examples recently of people buying technology, only to have it beaten to a pulp on its way to its destination.

  • A card for a camera never arrived. The supplier came up with conflicting excuses, with one person claiming it was lost in the post while another claimed it should have been in the envelope with its companion which did arrive, but that it had not been packed.
  • A laptop arrived in a seriously battered box.
  • A mobile phone arrived in a sturdy plastic envelope which had been ripped open. An attempt had been made to slit the box inside, to remove items without breaking the seal on the box.

Of course, the costs of all this is being passed to the consumer in the form of higher prices, insurance premiums, and credit card charges.

Some suppliers are fighting back, attempting to make their packaging bash-proof. The DeliveryDemon knows a supplier of personalised beers who has taken it as a personal challenge to ensure that the full complement of bottles arrives undamaged – not a technology issue but the principles are the same. The packaging battle has its own cost, and not just the cost of producing and applying it. The more robust the packaging, the more likely it is to be persistent, and usually voluminous. Most often it will end up in landfill, perhaps via the complex recycling arrangements imposed by many local authorities.

Some companies offer tagging and tracking of goods in transit. For high volumes, manual checkin systems are likely to be error prone, even if with electronic detection of tags. For example, even if a box or jiffybag is tagged, that’s no guarantee that it still contains all its original contents. The cost of tagging individual components would be prohibitive, and would create electronic waste.

It’s often said that the main components of a solution are people, process and technology. From the DeliveryDemon’s observations, the money is going into technology (including packaging technology), the protagonists are hiding behind the theory of how the process should happen, but not nearly enough effort is going into delivering the people aspects of the supply chain. For many jobs in the supply chain, temptation can be high while rewards are low, and in a high transaction volume environment the effect of this is easily predictable. Yet it’s the aspect of e-commerce that no-one is getting to grips with.