Delivering Infrastructure Failure, Delivering Fraudulent Bills

May 28, 2015

To describe it politely, the EE service amounts to crap. The broadband itself is bad enough – ongoing SNR problems mean something as simple as getting a connection to common or garden websites is a hit and miss affair. Ping time can exceed 8500 ms and speed can drop as low as 0.04 Mbps for download. What EE call ‘broadband’ fails dismally to meet definitions of the term, to the extent that, in charging what they provide as if it were broadband, they are in fact defrauding customers.
In the US, broadband is now defined as 25Mbps download and 3Mbps upload, a definition also being used by government body Broadband Delivery UK. These are figures which EE never reaches. It even fails to meet the old-fashioned definition of 4/1 Mbps.
And of course, speed figures are completely irrelevant when EE fails entirely to connect to websites.
For months the DeliveryDemon has been trying to get EE to sort its service, through various channels. The hell line is as dire as one would expect from an Indian call centre whose staff match their arrogance level to their total technical incompetence. Front line phone drones reading mindlessly through badly designed scripts actually claim to be ‘technical support’, totally unaware that this claim has no credibility whatsoever. And of course, it is completely impossible to get these idiots to record anything which doesn’t fit their scripts.
Time and again the DeliveryDemon has spelt out in the simplest of words that speed is not the primary issue, that the problem is EE equipment failing to make connections. Invariably the response is that the line speed is OK, a completely different issue and a stunning display of incomprehension of the fact that point measurement of line speed is no indicator of what is happening over time.
Today the DeliveryDemon has spent over an hour getting past EE’s complaints blocking processes. The phone drone whined that their account system was down so they couldn’t get off their backside to do anything. It doesn’t actually require any account information to check whether there is a problem at an exchange, but doing that would be too much like providing customer service, and that’s not the EE way.
Eventually the DeliveryDemon managed to battle through the obstructions to find someone who would listen and exert a modicum of intelligence. That person actually recognised that the problem was on their records as being longstanding – not that EE had actually done anything to deal with it, other than continue its fraudulent billing for a service it wasn’t providing.
You might expect that an ongoing problem like this could be dealt with via the regulator, Ofcom. Not so. Ofcom, with the responsibility for dealing with poor customer service from telecoms companies, outsources this tedious core activity to a bunch called CISAS. Well, that’s what they call themselves on the Ofcom website but it’s actually a company called IDRS, and they are signally unfit to deal with the most basic elements of complaint handling.
The first step is to record the complaint online, using a site designed by morons. Font size fails the most basic accessibility criteria. The site makes no mention of the word complaint, you are supposed to guess that you have to ‘make an application’. Then it’s necessary to guess the meaning of unexplained acronyms. After this, the system churns out a reference number along with the statement that, if IDRS don’t receive your supporting information within 5 days, they won’t get off their backsides. No intelligent assessment of whether any additional information is actually needed, and certainly no statement of what additional information is needed.
It gets worse from there. IDRS don’t actually process the complaint, they try to sell their paid for dispute resolution service, for a job they are already being paid public money to perform. Needless to say, the DeliveryDemon was not happy with the misuse of her data for such sleazy sales tactics, and the Information Commissioner upheld her complaint.
Eventually CISAS / IDRS agreed to do the job they are being paid to do, and actually deal with the complaint by contacting EE. From today’s conversations it seems that there has been some sort of escalation within EE, in terms of recording the problem but not of doing anything about it. CISAS / IDRS have gone 10 weeks beyond the response time they eventually promised, and have made no contact whatsoever.
So, with that total absence of action, the DeliveryDemon spent several hours on the phone again today, eventually getting acceptance that someone needs to check for problems at the exchange.
Unfortunately, that checking is done by a bit of BT calling themselves Openreach. Yes, BT, not a company known for providing the most basic levels of customer service. How responsive are they? Responsive??? You must be joking. First they want the customer to waste an entire half day so the engineer can start with the standard lie that the fault is in the customer’s home and they will charge silly money to look at it. Yes, despite the fact that earlier attempts to solve the problem have covered all the necessary tests, these shysters will do their damnedest to avoid doing basic maintenance tests on their own equipment. And not only that, even when they are not providing the service they charge for, they won’t even bother checking a problem for 5 days.
And, after all these delays, although EE has admitted fault and said that the DeliveryDemon will be compensated, it will be up to the DeliveryDemon to chase that compensation through an entirely different part of the organisation.
The saga didn’t stop there. BT sent out a landline engineer, not a broadband engineer. This engineer confirmed that there was no fault within the property – not news. Once again it’s down to the DeliveryDemon to try and get EE / Orange off their backsides to do what they are being paid to do.
Next thing is a junk call to the DeliveryDemon’s mobile, the usual sort of recorded and badly pronounced trash which scam call crooks tend to generate. The DeliveryDemon tends to report these to the various regulators, so checks to see if the owner of the number can be identified – lo and behold, this is EE making classic nuisance calls. Time to find out what the hell is going on now.
After battling through EE’s deliberately unhelpful IVR, the DeliveryDemon got through to the ‘thinking of leaving’ section, only to get a shyster who insisted on trying to shift the DeliveryDemon to a cheaper plan, totally and misleadingly avoiding mentioning the fact that change to a different plan usually involves a contract lock-in with penalties for leaving early. He repeatedly tried to push this new plan despite the DeliveryDemon making it abundantly clear that a plan change was not the aim of the call. There was a grudging mention of a month’s charges refund as compensation for months of non-service, even more grudgingly upped to 2 months when the DeliveryDemon pointed out that this was worse than derisory. Worse still, he promised a refund of the engineer callout charge as though it was compensation. Since the person who arranged this callout had already said there would be no charge, this looks like yet another EE cockup about to manifest itself on the DeliveryDemon’s bill.
It took the best part of an hour to get bounced back to EE’s useless first line support, who do nothing but revert mindlessly to scripted diagnostics and are incapable of understanding that, after multiple repetitions, this amounts to nothing but a waste of the customer’s time. Having been cut off, the DeliveryDemon phoned back, and was connected to someone with a basic understanding of customer service. However, after another 35 minutes, the trail ended with someone who called themself ‘Technical Support’ but was actually a first line phone drone. It turned out that his job is to tell the customer that a real technical support person will ring back a day later to arrange for an engineer to do tests.
So the process to date looks something like this:
•   Multiple timewasting calls over months with no improvement
•   Multiple instances of time wasted in repeating diagnostics and router swap which exclude the existence of problems which can be blamed on, and charged to, the customer
•   Complaint to the regulator, OFCOM, results in their outsourcer misusing complainant details to try and sell their paid for services
•   After ICO intervention, the outsourcer raises the complaint with EE and promises feedback. Neither the outsourcer nor EE does anything and deadlines pass
•   Contact with EE about further problems takes hours and eventually results in an agreement to get an engineer out 6 days later to check for faults on customer property
•   Promise of compensation but customer has to guess how to follow this up
•   Engineer confirms no problems on customer property. Unable to do any broadband checks since only trained for landlines
•   No-one at EE acts on this so customer has to chase again
•   EE tries to lock customer into new contract
•   After considerable customer effort, customer is bounced to first line phone drones who again fail to understand the issue and try to repeat the first steps of their mindless process
•   First line drone arranges for 2nd line to call 24 hours later to arrange for the engineering checks which should already have happened
•   Another automated call leaves a message requesting the customer rings a particular number. Person who answers doesn’t know what’s going on, can barely speak comprehensibly, and cannot transfer call to anyone else who might be competent to deal with it
Obviously, that’s not the end of the story, and the DeliveryDemon has no faith in EE doing anything useful, never mind shelling up for the fact that it has been charging for a service and not providing it.
With this one single service we have a classic example of why Britain’s infrastructure is being designed and managed to fail:
•   The regulator takes no responsibility for dealing with problems
•   The regulator makes no check on the competence and honesty of its outsourcers
•   The regulator’s outsourcer is fundamentally incapable of doing the job it is paid to do
•   The regulator’s outsourcer is using its access to personal data in ways which are a blatant breach of data protection legislation
•   The regulator’s outsourcer is not doing the job it is paid by the taxpayer to do
•   EE is getting away with charging for services it is not providing
•   EE is wasting customer time with a call centre staffed by incompetent and dishonest operators
•   EE, when fully aware of a problem, doesn’t bother to do anything about it unless the customer puts an incredible level of effort into trying to make them act
•   EE, like so many large companies, has no effective complaints process whatsoever
•   EE has no compunction about wasting customer time as an alternative to providing the service which customers pay for

And, on top of all this, it appears likely that the proposed merger between these two telecoms companies will go through on the Competition Commission’s nod, with every prospect of vast numbers of customers being locked without option into a service so bad that it amounts to blatant fraud.

Aiding and Abetting Criminal Activity

December 9, 2014

That’s what our phone companies are doing. It is an offence to harass people. It is fraud to entice people into believing that they have money due to them when the caller has no evidence that that is the case. It is an offence to hold people’s data without their permission. It is fraud to lie to persuade people to reveal their personal information. According to a government task force, a BILLION of these crimes are committed every year, with the assistance of our phone companies.
Our telecoms companies are making money out of these crooks, one way or another. They are certainly making no effort to prevent their infrastructure being used for criminal activity, despite being fully aware of the scale of what is going on. All we get is mealy mouthed platitudes recommending that we take actions which are either unfeasible or ineffective. Let’s get a few facts straight on just how useless these recommendations are.

  • Register with TPS? It’s a waste of time.
    • TPS doesn’t actually do anything with complaints
    • The crooks ignore TPS anyway
  • Block callers?
    • The crooks are spoofing numbers so blocking one number has little effect
  • Don’t answer if the number is withheld?
    • There are, unfortunately, some genuine companies which call from withheld numbers, ignoring good customer service for their own administrative convenience
  • Don’t answer if you don’t recognise the number?
    • Few if any people have complete knowledge of all the numbers they could be called from, whether personal or business. A child whose phone battery is dead could borrow a friend’s phone to call so no parent can afford to ignore unknown numbers. A friend can change phone number. A business contact could call from a landline when you only have their mobile number recorded. There is a host of reasons why a call from an unknown number could be both valid and important.

There are various reporting mechanisms – the ICO, Action Fraud, TPS, Ofcom, to name but a few. All those websites are badly designed. Their automated responses are uninformative and, in the case of Action Fraud, hide the content of their response in a dubious looking attachment. There is little if any evidence of any use being made of the information provided by these routes.
It would not be unreasonable to expect phone companies to make significant and meaningful effort to prevent their infrastructure being used to harass people, commit large scale fraud, and commit widespread identity theft. It would not be unreasonable to expect legitimate organisations not to behave in a way which emulates crooked behaviour.
Here are a few suggestions for the Nuisance Call Task Force.

  • Make it an offence to spoof a number
  • Make it an offence to deliver a call with a spoofed number
  • Make it an offence for a commercial organisation to withhold their number
  • Make it an offence for any organisation to sell or give away the personal details they collect
  • Limit the period for which an organisation can retain personal details and use them for sales and marketing
  • Create a single, simple, effective means of reporting the numbers used by scammers
  • Use the scammer reporting facility to create and maintain a single database of numbers recognised as being used by scammers
  • Make the database publicly visible
  • Flag numbers which are consistently being used in a criminal manner – say after 10 reports of the number as one which makes scam / harassing calls
  • Make it an offence for a phone company to issue the scamming number to anyone
  • Make the ban on reissue of scammer numbers meaningful – say a 10 year ban on their reissue
  • Make use of existing legislation to prosecute scammers for harassment as well as data protection and telecoms offences
  • Hold the directors of those companies responsible – directors of the calling company, its parent company, and any company on whose behalf it makes outbound calls
  • Since the crimes are being committed in this country in the homes of those being called, ignore the country of residence of those responsible for the scams and arrest any responsible directors who set foot in this country
  • Recognise that it is individuals who are responsible for encouraging / permitting these crimes and hold all directors responsible and liable to prosecution
  • Set penalties so that they automatically include both default and a significant fine

So why does the DeliveryDemon think this would work?

  • It will create an incentive for phone companies to take responsibility for the way in which they allow their infrastructure to be used
  • It would prevent genuine customers from being issued with numbers which people have blocked because the numbers were being used for scam calls
  • It would prevent banks from grooming their customers to give away security information to people who call them – for over a decade banks’ cavalier attitude to customer security has been demonstrated time and again when they make outbound calls to customers and proceed to ask for passwords and other sensitive information
  • It would encourage organisations to start to take data protection seriously
  • It would do away with the loophole which allows all the enforcement organisations to abdicate responsibility for scam calls originating overseas
  • A mandatory penalty of imprisonment would prevent those responsible from buying their way out of loss of liberty
  • Significant fines for every offence would start to undermine the business model which makes scam calls profitable.

Let’s face it, we are talking of 32 crimes every second of every day. If our politicians and legislature and police and regulators aren’t prepared to take this seriously, the DeliveryDemon wonders what the hell we pay them for.


Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisation had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post.

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • iTunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggests that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either. Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective, and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.


How NOT to Deliver Customer Service – #Orange

May 15, 2011

The DeliveryDemon recollects that one of the Scandinavian countries has decided that access to high speed broadband is a necessity of life, possibly even a human right. They obviously don’t have to deal with Orange.

Last night the DeliveryDemon was trying to upload a video to Facebook. She kicked off the upload and went to do something else. Half an hour later, the screen still showed a minuscule thread of blue on the progress bar. A quick check with www.speedtest.net showed a download speed of 0.1Mbps compared to the minimum of 4Mbps Orange claim to deliver. The DeliveryDemon picked up the phone and right from the start was faced with the Orange attitude to customer service.

  • The IVR scriptwriters must have to sit a stupidity test to qualify for the job.
  • First an idiotic statement that a customer whose broadband had failed should check the Orange website – and Orange kept repeating this.
  • The error status option announced that Orange knew of no faults on its lines.
  • Then an announcement that the helpline was busy, why doesn’t the customer just go away and stop bothering them, or call another day if they really must bother Orange.
  • Either the IVR script is a lie or the phone staff lie, because after a 20 minute effort to get through to a person, the response was that no faults were being reported and the helpline wasn’t busy.
  • Needless to say, dire music punctuated the IVR idiocies, with choices designed to set teeth on edge and increase the ire of the caller
  • There was a particularly obnoxious and recurrent sales pitch trying to plug cinema tickets. Bad enough to be paying for an extremely long call to get Orange to sort its service – definitely NOT the time for Orange to ask the customer to spend more money with them

The phone jockeys are no better than the IVR. The DeliveryDemon has enough knowledge of help desks to know that, if the person you’re talking to can’t explain the effect of what they’re asking you to do, then it’s a bad idea to follow their instructions blindly, especially when their command of the English language is poor and their instructions are delivered in a barely intelligible mumble.

  • After being told the router was in another room so it would take a couple of minutes to carry out the requested light status check, the Orange moron didn’t bother to hold on for the few minutes it took so it was back to the Orange IVR hell.
  • There was a sudden improvement in the line speed, but all too brief.
  • It took 40 minutes to get through to Orange this time
  • The so-called technical support proposed a configuration change which he couldn’t explain beyond saying that the result would be loss of broadband for a period he couldn’t specify.
  • The supervisor who eventually took over actually tried to claim that there was no such thing as a capacity constraint, that no matter how many users there are of a service, performance will never degrade.
  • The supervisor also said they weren’t getting many calls. What’s going on here? Is Orange building in delays to its IVR system in the hope that complaining customers will go away?
  • After TWO HOURS on the phone there was still no progress.
  • After TWO AND A HALF HOURS on the phone, Orange finally admitted that there was a fault on their line.

Needless to say, this phone marathon did not result in the problem being solved. The phone jockeys aren’t competent to resolve problems, the DeliveryDemon had to wait till next day for a call from an engineer. In the meantime she was stuck with a service so poor she had to resort to her mobile for web access.

Next day the DeliveryDemon waited for the call. The agreed hour passed without any action from Orange so the DeliveryDemon picked up the phone again, only to discover that Orange cannot be bothered to make outbound calls, so the promise of a call from an engineer was based on a lie or incompetence on the part of their helpline, apparently a common occurrence.

What the phone jockey should have said is that, when the Orange service fails, it’s the customer’s job to carry out a number of tests over a 24 hour period before Orange will deign to do anything. So it’s another couple of days of a seriously degraded service which is still crawling along at well below 0.5Mbps most of the time, and yet another stint of battling the Orange IVR customer barrier.

Complaining about this fiasco is even more difficult. Orange won’t accept complaints over the phone, and their customer ‘service’ department don’t do email. The DeliveryDemon supposes they find it easier to claim that snail mail has been lost in the post sent to Orange Customer Support, PO Box 486, Rotherham, S63 5ZX.

There is a disturbing tendency for companies to think it is sufficient to set up a service and walk away. Monitoring and preventative maintenance seem to be a thing of the past, with companies expecting customers to do those particular jobs for them. And companies don’t want to deal with the problems their customers do identify, erecting barriers of IVR delay and complexity, and call centres whose staff lack the basic competencies required to deal with customers, never mind resolve problems. The DeliveryDemon disapproves of this trend, and thinks it’s high time for customers to fight back.