Aiding and Abetting Criminal Activity

December 9, 2014

That’s what our phone companies are doing. It is an offence to harass people. It is fraud to entice people into believing that they have money due to them when the caller has no evidence that that is the case. It is an offence to hold people’s data without their permission. It is fraud to lie to persuade people to reveal their personal information. According to a government task force, a BILLION of these crimes are committed every year, with the assistance of our phone companies.
Our telecoms companies are making money out of these crooks, one way or another. They are certainly making no effort to prevent their infrastructure being used for criminal activity, despite being fully aware of the scale of what is going on. All we get is mealy-mouthed platitudes recommending that we take actions which are either unfeasible or ineffective. Let’s get a few facts straight on just how useless these recommendations are.

  • Register with TPS? It’s a waste of time.
    • TPS doesn’t actually do anything with complaints
    • The crooks ignore TPS anyway
  • Block callers?
    • The crooks are spoofing numbers so blocking one number has little effect
  • Don’t answer if the number is withheld?
    • There are, unfortunately, some genuine companies which call from withheld numbers, ignoring good customer service for their own administrative convenience
  • Don’t answer if you don’t recognise the number?
    • Few if any people have complete knowledge of all the numbers they could be called from, whether personal or business. A child whose phone battery is dead could borrow a friend’s phone to call so no parent can afford to ignore unknown numbers. A friend can change phone number. A business contact could call from a landline when you only have their mobile number recorded. There is a host of reasons why a call from an unknown number could be both valid and important.

There are various reporting mechanisms – the ICO, Action Fraud, TPS, Ofcom, to name but a few. All those websites are badly designed. Their automated responses are uninformative and, in the case of Action Fraud, hide the content of their response in a dubious looking attachment. There is little if any evidence of any use being made of the information provided by these routes.
It would not be unreasonable to expect phone companies to make significant and meaningful effort to prevent their infrastructure being used to harass people, commit large scale fraud, and commit widespread identity theft. It would not be unreasonable to expect legitimate organisations not to behave in a way which emulates crooked behaviour.
Here are a few suggestions for the Nuisance Call Task Force.

  • Make it an offence to spoof a number
  • Make it an offence to deliver a call with a spoofed number
  • Make it an offence for a commercial organisation to withhold their number
  • Make it an offence for any organisation to sell or give away the personal details they collect
  • Limit the period for which an organisation can retain personal details and use them for sales and marketing
  • Create a single, simple, effective means of reporting the numbers used by scammers
  • Use the scammer reporting facility to create and maintain a single database of numbers recognised as being used by scammers
  • Make the database publicly visible
  • Flag numbers which are consistently being used in a criminal manner – say after 10 reports of the number as one which makes scam / harassing calls
  • Make it an offence for a phone company to issue the scamming number to anyone
  • Make the ban on reissue of scammer numbers meaningful – say a 10 year ban on their reissue
  • Make use of existing legislation to prosecute scammers for harassment as well as data protection and telecoms offences
  • Hold the directors of those companies responsible – directors of the calling company, its parent company, and any company on whose behalf it makes outbound calls
  • Since the crimes are being committed in this country in the homes of those being called, ignore the country of residence of those responsible for the scams and arrest any responsible directors who set foot in this country
  • Recognise that it is individuals who are responsible for encouraging / permitting these crimes and hold all directors responsible and liable to prosecution
  • Set penalties so that they automatically include both default and a significant fine

So why does the DeliveryDemon think this would work?

  • It will create an incentive for phone companies to take responsibility for the way in which they allow their infrastructure to be used
  • It would prevent genuine customers from being issued with numbers which people have blocked because the numbers were being used for scam calls
  • It would prevent banks from grooming their customers to give away security information to people who call them – for over a decade banks’ cavalier attitude to customer security has been demonstrated time and again when they make outbound calls to customers and proceed to ask for passwords and other sensitive information
  • It would encourage organisations to start to take data protection seriously
  • It would do away with the loophole which allows all the enforcement organisations to abdicate responsibility for scam calls originating overseas
  • A mandatory penalty of imprisonment would prevent those responsible from buying their way out of loss of liberty
  • Significant fines for every offence would start to undermine the business model which makes scam calls profitable

Let’s face it, we are talking of 32 crimes every second of every day. If our politicians and legislature and police and regulators aren’t prepared to take this seriously, the DeliveryDemon wonders what the hell we pay them for.

Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisation had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post:

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • i-Tunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggests that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either. Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective, and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.


Olympics…..We’re Dooooooomed!!!! Jubilee….We’re Dooooooomder!!!!

April 25, 2012

The DeliveryDemon isn’t really much of a spectator so she didn’t bother tying up her credit card limit in the fiasco of Olympic ticket sales. Why put all that effort into a lottery-level probability of seeing an event that might be of some slight interest? She stood back from that, leaving the remote chance of getting a ticket to those who really wanted to watch. As the chaos was delivered, she felt a few pangs of sympathy for those sportspeople who, even if they managed to get tickets, had very little opportunity of getting tickets to see the sports they actually participate in. The whole setup seemed pretty half-baked.

Beyond some vague plans to avoid the areas of transport mayhem during the Olympics, the DeliveryDemon has tended to ignore the media hype, but a recurring theme has been carping for her attention in news reports. There seems to be a developing assumption that the Olympics, like the equally-hyped Jubilee, will damage the economy. The DeliveryDemon recollects some reference to think tanks in those reports but a cursory web search hasn’t provided any hard evidence, so perhaps the reporters concerned are inventing or misinterpreting. Whatever the case, the DeliveryDemon has become interested in what those reports imply.

The general theme is that workers will be taking holidays and days off, will be surreptitiously following the events on their mobiles and their work PCs, will be spending long lunches in pubs, watching events unfold. Transport chaos will make people late for work. Workers will be tired and hungover from late night TV watching and alcoholic celebrations. Production will plummet, customer service will suffer, the economy will drag its way into another recession. Two big events in a single year? We’re all doooooomed!!!

So what are the facts behind the scaremongering?

  • Yes, people will want time off – they usually do in the summer. But it may be easier to achieve a spread of holiday dates as a significant number of people may choose to avoid holidaying during the Olympic peak times – much as many people avoid taking their break during school holidays.
  • Transport chaos? Commuters are used to this but it’s likely to have a worse than usual impact on venue access routes and the air and rail hubs which serve them. That’s not the whole country, and the areas concerned have a relatively high concentration of work which can be carried out remotely with a little bit of forethought.
  • People will spend more than they plan then cut back after the event? Pretty normal for any holiday type event, except that the spend will be in the UK.

So far, so normal. No reason to predict a recessive impact from normal human behaviour. So what might these pundits be suggesting?

  • All that well-paid Olympics work will disappear in the aftermath, true. Why should that be a surprise to anyone?
  • In some – but not all – businesses, less work will be done during the various events and celebrations. Really?
  • There will be a fairly heavy demand for time off during the peak period. A bit like Christmas and the school holidays. After all, people work to live, not the other way round.

Either the reporters who come up with these doom-laden headlines lack the most elementary understanding of business planning, or they are trying to deliver the message that UK management is so lacking in basic business skills that the entire country went down the plughole years ago.

The DeliveryDemon wishes that those recruiting for media positions would realise that those jobs have a need for basic common sense and the ability to use data sensibly.


Delivering Poor Banking Security

April 2, 2012

The DeliveryDemon has the rather naive expectation that banks who are entrusted with our money should operate reasonably secure procedures. Hang your heads in shame RBS and Barclays.

The DeliveryDemon has had cause to complain to both banks recently. In each case the complaint was about their processes, not anything specific to the account. In both cases an idiot from their customer ‘service’ team phoned up and demanded to know secure account access details before they would consider listening to the complaint. Do they really think it is sensible for someone to give out account password information to a random caller?

RBS, there is no need to access my account in order to hear that it does not constitute ‘faster payment’ if you take details of a payment on Friday and can’t process it till Tuesday unless I ring again on Monday.

In fact there is no need for your customer ‘service’ to access my account at all. The default action should NEVER be to access the customer account. Basic security is that this should only be done if the customer raises a matter specific to the account, i.e. if there is a genuine need to access the account.

Banks are piling on nuisance value processes to make it more difficult for the customer to access their own money, all in the name of security. It’s about time they got their own house in order, introduced secure internal processes and gave their customer contact staff some basic security training.


Not Delivering Faster Payments

March 30, 2012

Since the bureaucrats took over RBS, the service has been going rapidly downhill, to the point that now they cannot even operate the faster payments system which banks should have been signed up to for several years.

The online service was never good, a classic example of security completely overwhelming usability. With public ownership, the phone service was drastically reduced. Then the ability to set up advance payments was cut back. The commonest requirement for advance payments is the ten month council tax cycle. It was once possible to set up 6 months’ worth of payments at a time, but that has been cut back to 3. Instead of 1 opportunity to forget a payment, RBS has created 3.

The latest service cutback is the faster payments system, to which all banks are nominally committed. This system should, within certain limits, transfer money to the payee’s account within 2 hours. Not with RBS. The latest unintelligent development to their system cannot cope with a payment being set up on a Friday evening. It won’t do anything with it till the Tuesday. If the customer wants a payment to arrive on the Monday, they have to phone again on the Monday. In other words, RBS’s system cannot cope effectively with faster payments for nearly 3 days out of 7. The DeliveryDemon is seriously unimpressed with this constant erosion of customer service.

The gulf between the words ‘public’ and ‘service’ has never been wider. And it’s growing.


A Very Silly KPI

November 30, 2009

Shop in a typical UK supermarket and you’ll see how little priority is given to customer service. Checkout staff are measured on how many items they scan per minute. This doesn’t speed up the checkout process. The goods pile up in a random heap at the end of the conveyor as the hapless customer tries to re-sort them into a sensible order for packing. The end result is an irate customer, damaged goods, and a queue which is processed more slowly than if the checkout operator had been allowed to deliver the simple customer service of matching scanning speed to the customer’s packing speed. Similar examples can be found in many other areas, where easily measurable targets are used as a substitute for good process. The DeliveryDemon is not impressed!


Delivering Food in the Internet Age

September 23, 2009

The DeliveryDemon hates shopping. Walk round the supermarket spending money on stuff to eat, and you only have to do the same thing a week later. It’s SUCH a chore!! So it came as a bit of a surprise, returning from a holiday in the Lake District, to have a reasonably enjoyable shopping experience. Which, of course, led the DeliveryDemon to wonder why she doesn’t mind picking up foodstuff at Booths in Keswick, while she absolutely hates trudging round each and every one of the local supermarkets in her home area.

And before anyone suggests that the DeliveryDemon shop online to avoid the supermarket experience, think about trust. On a visit to a supermarket you can form an opinion about how the goods are handled when customers can see what’s going on. If an online order is packed in some distant warehouse, that discipline has gone. If you don’t see respect for food in a store, how is food being handled behind the scenes? If, when you come to unpack your order and cook dinner, the veg are unappetisingly wilted or bashed, what do you do? You can complain and return items but by then your meal has been spoiled, and often people find it too much hassle to return stuff. It’s you who has to deal with the quality problem.

So why does Booths deliver a shopping experience which is so different? Certainly the layout is a bit more spacious, reducing the frustration caused by shoppers who stop for an extended chat, trolleys carefully parked to block the aisle. The excellent selection of beers on offer is an attraction, as is the carefully chosen range of local products, but the range doesn’t dictate the shopping experience. The secret is in the way the goods are handled and displayed, something long known to every market trader with a layer of shiny polished apples hiding a stock of poorer quality fruit.

Compare and contrast:

  • A freshly picked carrot with a glazed looking item from near-zero storage, in its brief orange period between frozen lump and black slime
  • The tight white curds of a trimmed new cauliflower with the brown-splodged, limp-leaf-hidden face of one which has survived a lengthy trip along the supply chain
  • Tomatoes with the sharp green smell of the plant, and the green-red, rock hard spheres, picked long before ripeness to prevent bruising in transit
  • A choice of breads from various bakers, each with their own baking method, and a choice of bread shapes all made to the same process and with zero taste variation
  • Glittering fish you need to get up early for because it comes in fresh every day and sells out every day, and dull-eyed specimens dragged from the freezer
  • Large packs of perky-leaved herbs, and niggardly sachets bulked out with parsley stalks and leaf fragments.

When the DeliveryDemon stops at Booths she usually heads back south with a full shopping bag. Lakeland plum bread, Morecambe Bay prawns, rye loaf, ‘Cornish’ pasties, fresh fruit and vegetables, chocolates, artisan crisps and some interesting local beers. When she shops in her home area, she comes back with a bad temper and a list of items which were out of stock.

What’s this got to do with the internet age? In the old days, word of a poor shopping experience would circulate in a local community, but lack of convenient options would to some extent protect a poor quality shop from wholesale customer defection. The internet has widened the options. Supermarkets think they have addressed the internet age by offering online shopping and web-based information. Many have still to realise that the web has created a window into the quality of their entire operation.