Delivering An Open Letter to BT

June 23, 2016

An open letter because BT continues with its custom of blatant dishonesty and obstruction of customer complaints. This letter was sent to Gavin Paterson, BT’s CEO, following a correspondence string which invariably received responses whose honesty was noticeable by its absence.

It appears that your staff are unable to check customer history correctly. Your complaints system should have comprehensive details of my previous complaints which state very clearly that, having been an extremely dissatisfied customer of BT, I was formally requiring that you did not pester me with junk sales communication via any channel.

It is unsatisfactory that your staff are pretending that the problem lies with another company. This is WRONG. I had enough unpleasant dealings with BT to be very sure of the name of the company causing the problem.

Your staff claim that the problem would not have existed were the number registered with TPS. Your staff should be capable of checking this before making such a stupid recommendation. They should also have the basic understanding that TPS registration is done directly, not through the service supplier. The number has in fact been registered with TPS for years, apart from a brief period when BT abused its position by instructing TPS to remove the number from its Do Not Call list. If your staff think that the TPS list is an effective way of preventing unwanted calls, then your processes should ensure that a check is made against TPS records BEFORE attempting to nuisance call people.

It is also clear from the reply below that your processes are unacceptably inadequate in dealing with the issue of nuisance calls. When BT is told that its nuisance calls are unwanted it has no excuse for failing to record that, whether or not the requirement comes from a BT customer. In this instance, your staff are wrong in claiming that there is no account to mark. There is the historic account, whose management left me disgusted with BT’s dishonesty. And, as I said in earlier correspondence, you are holding sufficient information to have my name associated with the number. Were you making the least attempt to comply with the Data Protection Act, this alone should have prevented your nuisance call.

It is very clear that BT is hiding behind company size and ignorant staff to try and block serious complaints. While this is not surprising given BT’s history, it is completely unacceptable.


Delivering Infrastructure Failure, Delivering Fraudulent Bills

May 28, 2015

To describe it politely, the EE service amounts to crap. The broadband itself is bad enough – ongoing SNR problems mean something as simple as getting a connection to common or garden websites is a hit and miss affair. Ping time can exceed 8500 ms and speed can drop as low as 0.04 Mbps for download. What EE call ‘broadband’ fails dismally to meet definitions of the term, to the extent that, in charging what they provide as if it were broadband, they are in fact defrauding customers.
In the US, broadband is now defined as 25 Mbps download and 3 Mbps upload, a definition also being used by government body Broadband Delivery UK. These are figures which EE never reaches. It even fails to meet the old-fashioned definition of 4/1 Mbps.
And of course, speed figures are completely irrelevant when EE fails entirely to connect to websites.
For months the DeliveryDemon has been trying to get EE to sort its service, through various channels. The hell line is as dire as one would expect from an Indian call centre whose staff match their arrogance level to their total technical incompetence. Front line phone drones reading mindlessly through badly designed scripts actually claim to be ‘technical support’, totally unaware that this claim has no credibility whatsoever. And of course, it is completely impossible to get these idiots to record anything which doesn’t fit their scripts.
Time and again the DeliveryDemon has spelt out in the simplest of words that speed is not the primary issue, that the problem is EE equipment failing to make connections. Invariably the response is that the line speed is OK, a completely different issue and a stunning display of incomprehension of the fact that point measurement of line speed is no indicator of what is happening over time.
Today the DeliveryDemon has spent over an hour getting past EE’s complaints blocking processes. The phone drone whined that their account system was down so they couldn’t get off their backside to do anything. It doesn’t actually require any account information to check whether there is a problem at an exchange, but doing that would be too much like providing customer service, and that’s not the EE way.
Eventually the DeliveryDemon managed to battle through the obstructions to find someone who would listen and exert a modicum of intelligence. That person actually recognised that the problem was on their records as being longstanding – not that EE had actually done anything to deal with it, other than continue its fraudulent billing for a service it wasn’t providing.
You might expect that an ongoing problem like this could be dealt with via the regulator, Ofcom. Not so. Ofcom, with the responsibility for dealing with poor customer service from telecoms companies, outsources this tedious core activity to a bunch called CISAS. Well, that’s what they call themselves on the Ofcom website but it’s actually a company called IDRS, and they are signally unfit to deal with the most basic elements of complaint handling.
The first step is to record the complaint online, using a site designed by morons. Font size fails the most basic accessibility criteria. The site makes no mention of the word complaint, you are supposed to guess that you have to ‘make an application’. Then it’s necessary to guess the meaning of unexplained acronyms. After this, the system churns out a reference number along with the statement that, if IDRS don’t receive your supporting information within 5 days, they won’t get off their backsides. No intelligent assessment of whether any additional information is actually needed, and certainly no statement of what additional information is needed.
It gets worse from there. IDRS don’t actually process the complaint, they try to sell their paid-for dispute resolution service, for a job they are already being paid public money to perform. Needless to say, the DeliveryDemon was not happy with the misuse of her data for such sleazy sales tactics, and the Information Commissioner upheld her complaint.
Eventually CISAS / IDRS agreed to do the job they are being paid to do, and actually deal with the complaint by contacting EE. From today’s conversations it seems that there has been some sort of escalation within EE, in terms of recording the problem but not of doing anything about it. CISAS / IDRS have gone 10 weeks beyond the response time they eventually promised, and have made no contact whatsoever.
So, with that total absence of action, the DeliveryDemon spent several hours on the phone again today, eventually getting acceptance that someone needs to check for problems at the exchange.
Unfortunately, that checking is done by a bit of BT calling themselves Openreach. Yes, BT, not a company known for providing the most basic levels of customer service. How responsive are they? Responsive??? You must be joking. First they want the customer to waste an entire half day so the engineer can start with the standard lie that the fault is in the customer’s home and they will charge silly money to look at it. Yes, despite the fact that earlier attempts to solve the problem have covered all the necessary tests, these shysters will do their damnedest to avoid doing basic maintenance tests on their own equipment. And not only that, even when they are not providing the service they charge for, they won’t even bother checking a problem for 5 days.
And, after all these delays, although EE has admitted fault and said that the DeliveryDemon will be compensated, it will be up to the DeliveryDemon to chase that compensation through an entirely different part of the organisation.
The saga didn’t stop there. BT sent out a landline engineer, not a broadband engineer. This engineer confirmed that there was no fault within the property – not news. Once again it’s down to the DeliveryDemon to try and get EE / Orange off their backsides to do what they are being paid to do.
Next thing is a junk call to the DeliveryDemon’s mobile, the usual sort of recorded and badly pronounced trash which scam call crooks tend to generate. The DeliveryDemon tends to report these to the various regulators, so checks to see if the owner of the number can be identified – lo and behold, this is EE making classic nuisance calls. Time to find out what the hell is going on now.
After battling through EE’s deliberately unhelpful IVR, the DeliveryDemon got through to the ‘thinking of leaving’ section, only to get a shyster who insisted on trying to shift the DeliveryDemon to a cheaper plan, totally and misleadingly avoiding mentioning the fact that a change to a different plan usually involves a contract lock-in with penalties for leaving early. He repeatedly tried to push this new plan despite the DeliveryDemon making it abundantly clear that a plan change was not the aim of the call. There was a grudging mention of a month’s charges refund as compensation for months of non-service, even more grudgingly upped to 2 months when the DeliveryDemon pointed out that this was worse than derisory. Worse still, he promised a refund of the engineer callout charge as though it was compensation. Since the person who arranged this callout had already said there would be no charge, this looks like yet another EE cockup about to manifest itself on the DeliveryDemon’s bill.
It took the best part of an hour to get bounced back to EE’s useless first line support, who do nothing but revert mindlessly to scripted diagnostics and are incapable of understanding that, after multiple repetitions, this amounts to nothing but a waste of the customer’s time. Having been cut off, the DeliveryDemon phoned back, and was connected to someone with a basic understanding of customer service. However, after another 35 minutes, the trail ended with someone who called themselves ‘Technical Support’ but was actually a first line phone drone. It turned out that his job is to tell the customer that a real technical support person will ring back a day later to arrange for an engineer to do tests.
So the process to date looks something like this:
•   Multiple timewasting calls over months with no improvement
•   Multiple instances of time wasted in repeating diagnostics and router swap which exclude the existence of problems which can be blamed on, and charged to, the customer
•   Complaint to the regulator, OFCOM, results in their outsourcer misusing complainant details to try and sell their paid-for services
•   After ICO intervention, the outsourcer raises the complaint with EE and promises feedback. Neither the outsourcer nor EE does anything and deadlines pass
•   Contact with EE about further problems takes hours and eventually results in an agreement to get an engineer out 6 days later to check for faults on customer property
•   Promise of compensation but customer has to guess how to follow this up
•   Engineer confirms no problems on customer property. Unable to do any broadband checks since only trained for landlines
•   No-one at EE acts on this so customer has to chase again
•   EE tries to lock customer into new contract
•   After considerable customer effort, customer is bounced to first line phone drones who again fail to understand the issue and try to repeat the first steps of their mindless process
•   First line drone arranges for 2nd line to call 24 hours later to arrange for the engineering checks which should already have happened
•   Another automated call leaves a message requesting that the customer ring a particular number. Person who answers doesn’t know what’s going on, can barely speak comprehensibly, and cannot transfer the call to anyone else who might be competent to deal with it
Obviously, that’s not the end of the story, and the DeliveryDemon has no faith in EE doing anything useful, never mind shelling up for the fact that it has been charging for a service and not providing it.
With this one single service we have a classic example of why Britain’s infrastructure is being designed and managed to fail:
•   The regulator takes no responsibility for dealing with problems
•   The regulator makes no check on the competence and honesty of its outsourcers
•   The regulator’s outsourcer is fundamentally incapable of doing the job it is paid to do
•   The regulator’s outsourcer is using its access to personal data in ways which are a blatant breach of data protection legislation
•   The regulator’s outsourcer is not doing the job it is paid by the taxpayer to do
•   EE is getting away with charging for services it is not providing
•   EE is wasting customer time with a call centre staffed by incompetent and dishonest operators
•   EE, when fully aware of a problem, doesn’t bother to do anything about it unless the customer puts an incredible level of effort into trying to make them act
•   EE, like so many large companies, has no effective complaints process whatsoever
•   EE has no compunction about wasting customer time as an alternative to providing the service which customers pay for

And, on top of all this, it appears likely that the proposed merger between these two telecoms companies will go through on the Competition Commission’s nod, with every prospect of vast numbers of customers being locked without option into a service so bad that it amounts to blatant fraud.


Not Delivering Financial Regulation

February 18, 2015

The DeliveryDemon is sick to the back teeth of the legions of scammers who employ phone drones who are thick enough to expect people to believe them when they call out of the blue and try to scam all the personal data needed for ID theft and financial crime. When she can be bothered, she reports them to the appropriate regulatory bodies. DeliveryDemon does not have much faith in the great British bureaucracies, and in this she is rarely disappointed.

Take for example a call received recently from some sleazy bunch in Manchester calling themselves Beyond Comparison, pretending to offer free insurance. Obviously, the FCA should know about this sort of thing since either the company is regulated and not conforming to the rules, or it is not regulated and shouldn’t be peddling financial products and advice. In this case, the DeliveryDemon saw that they are registered with the FCA, so reported appropriately. She was somewhat flabbergasted to receive a reply claiming:

  • I’ve found an entry for Beyond Comparison.Com Limited (click link to double check), but I don’t know whether this is the same firm that contacted you.
  • If you do business with a firm we don’t regulate, you won’t have access to the Financial Ombudsman Service or the Financial Services Compensation Scheme if you have a dispute or something goes wrong.
  • You haven’t provided me with enough information about who has contacted you for me to pass it anywhere. If you would like to provide us with any more information, you may wish to use our unauthorised firms reporting form

Yes, the FCA regulate this company but is indulging in a coverup by pretending it might be another company calling, and uses the opportunity to try and frighten a complainant by abdicating responsibility for companies operating within the FCA’s remit without authorisation. The FCA can identify the company as one it regulates but says it doesn’t have enough information to do anything about its malfeasance, and suggests I report it as unauthorised. Yes, really, the FCA suggests the DeliveryDemon should report an authorised firm as being unauthorised!

So what is the FCA choosing to ignore?

  • The DeliveryDemon has provided the company name, which is registered with the FCA.
  • The company call from a Manchester number and the company’s registered office is in Manchester
  • The company is phoning people claiming to hold data about them, which they are not authorised to hold.
  • The company are quoting as a source of personal information a company which has been dissolved for several years and never had authorisation to hold such information.
  • The company start by misleadingly offering free insurance, and only back off from this when explicitly queried about whether the caller is authorised to offer financial advice.
  • The company claim to be holding personal information but do not have a data protection registration

If the FCA can’t identify the company from the first two items, there’s something badly wrong with its process. If the FCA regards the other items as acceptable, it’s hardly surprising that the British financial sector is rife with corruption. But if the FCA isn’t going to get off its backside and do a bit of regulation, why the hell should the British taxpayer be paying nearly half a billion a year for this useless bureaucracy? Not only can we not trust financial companies, we can’t even trust the regulator to do its job.


Aiding and Abetting Criminal Activity

December 9, 2014

That’s what our phone companies are doing. It is an offence to harass people. It is fraud to entice people into believing that they have money due to them when the caller has no evidence that that is the case. It is an offence to hold people’s data without their permission. It is fraud to lie to persuade people to reveal their personal information. According to a government task force, a BILLION of these crimes are committed every year, with the assistance of our phone companies.
Our telecoms companies are making money out of these crooks, one way or another. They are certainly making no effort to prevent their infrastructure being used for criminal activity, despite being fully aware of the scale of what is going on. All we get is mealy mouthed platitudes recommending that we take actions which are either unfeasible or ineffective. Let’s get a few facts straight on just how useless these recommendations are.

  • Register with TPS? It’s a waste of time.
    • TPS doesn’t actually do anything with complaints
    • The crooks ignore TPS anyway
  • Block callers?
    • The crooks are spoofing numbers so blocking one number has little effect
  • Don’t answer if the number is withheld?
    • There are, unfortunately, some genuine companies which call from withheld numbers, ignoring good customer service for their own administrative convenience
  • Don’t answer if you don’t recognise the number?
    • Few if any people have complete knowledge of all the numbers they could be called from, whether personal or business. A child whose phone battery is dead could borrow a friend’s phone to call so no parent can afford to ignore unknown numbers. A friend can change phone number. A business contact could call from a landline when you only have their mobile number recorded. There is a host of reasons why a call from an unknown number could be both valid and important.

There are various reporting mechanisms – the ICO, Action Fraud, TPS, Ofcom, to name but a few. All those websites are badly designed. Their automated responses are uninformative and, in the case of Action Fraud, hide the content of their response in a dubious looking attachment. There is little if any evidence of any use being made of the information provided by these routes.
It would not be unreasonable to expect phone companies to make significant and meaningful effort to prevent their infrastructure being used to harass people, commit large scale fraud, and commit widespread identity theft. It would not be unreasonable to expect legitimate organisations not to behave in a way which emulates crooked behaviour.
Here are a few suggestions for the Nuisance Call Task Force.

  • Make it an offence to spoof a number
  • Make it an offence to deliver a call with a spoofed number
  • Make it an offence for a commercial organisation to withhold their number
  • Make it an offence for any organisation to sell or give away the personal details they collect
  • Limit the period for which an organisation can retain personal details and use them for sales and marketing
  • Create a single, simple, effective means of reporting the numbers used by scammers
  • Use the scammer reporting facility to create and maintain a single database of numbers recognised as being used by scammers
  • Make the database publicly visible
  • Flag numbers which are consistently being used in a criminal manner – say after 10 reports of the number as one which makes scam / harassing calls
  • Make it an offence for a phone company to issue the scamming number to anyone
  • Make the ban on reissue of scammer numbers meaningful – say a 10 year ban on their reissue
  • Make use of existing legislation to prosecute scammers for harassment as well as data protection and telecoms offences
  • Hold the directors of those companies responsible – directors of the calling company, its parent company, and any company on whose behalf it makes outbound calls
  • Since the crimes are being committed in this country in the homes of those being called, ignore the country of residence of those responsible for the scams and arrest any responsible directors who set foot in this country
  • Recognise that it is individuals who are responsible for encouraging / permitting these crimes and hold all directors responsible and liable to prosecution
  • Set penalties so that they automatically include both default and a significant fine

So why does the DeliveryDemon think this would work?

  • It will create an incentive for phone companies to take responsibility for the way in which they allow their infrastructure to be used
  • It would prevent genuine customers from being issued with numbers which people have blocked because the numbers were being used for scam calls
  • It would prevent banks from grooming their customers to give away security information to people who call them – for over a decade banks’ cavalier attitude to customer security has been demonstrated time and again when they make outbound calls to customers and proceed to ask for passwords and other sensitive information
  • It would encourage organisations to start to take data protection seriously
  • It would do away with the loophole which allows all the enforcement organisations to abdicate responsibility for scam calls originating overseas
  • A mandatory penalty of imprisonment would prevent those responsible from buying their way out of loss of liberty
    • Significant fines for every offence would start to undermine the business model which makes scam calls profitable.

Let’s face it, we are talking of 32 crimes every second of every day. If our politicians and legislature and police and regulators aren’t prepared to take this seriously, the DeliveryDemon wonders what the hell we pay them for.


Harassment – The Crime Committed By Nuisance Cold Callers and Similar Scammers

November 6, 2014

We’ve all had it, the persistent calls at ridiculous hours, with recorded or spoken scripts riddled with lies. The smarmy sleazy voices. They pretend to represent or be authorised by government departments. They pretend they know about a claim or right you have. They pretend you have to do something because of new legislation. They lie and lie and lie. They want your money for some dubious product, and people have been scammed out of thousands of pounds this way. They want your personal information, and giving them that is a large step on the way to the hell of ID theft and further fraud.

They got your data from somewhere illegally, and once one bunch of these crooks have your data it gets sold around. Try as you will, you can’t stop it. It’s not just data breaches. It’s not just small naïve organisations not being good enough with their data security. It’s not just all these marketing offers. Government departments have been publishing sensitive personal data for years, and two of the biggest are doing their damnedest to start selling it on a large scale to all and sundry – step forward HMRC and the NHS. We have in the space of a few short years been forced into dealing with constant harassment within our homes.

I’m actually surprised that telecoms companies aren’t protesting about this. There’s been a lot of recent publicity about people giving up on landlines for the simple reason that the bulk of calls come from fraudsters autodialling or using illegally obtained information. At least with a mobile you can cut the call off. When it comes to the primitive technology of landlines, the caller has control and can block your line.
With elections coming up we’re getting mealy mouthed platitudes from politicians about doing something to stop this. Why haven’t they done it before? The legislation already exists. These calls easily fall within harassment legislation and it is a criminal offence.
• It certainly distresses people to be constantly interrupted
• Frequently numbers are withheld, which is intrinsically threatening since the caller appears to be untraceable
• Many of these calls are silent, which is particularly threatening.
• A frequent tactic is to pretend that there is legislation which means the called person must do something
• The callers refuse to say where they obtained the personal information they so clearly have, which is a tactic of intimidation – ‘we know about you, we won’t say how’
• Buying or selling or passing on illegally obtained information is certainly harassment since it perpetuates and escalates the distress being caused.

The CPS provides the following definition of harassment:
‘the term harassment is used to cover the ‘causing alarm or distress’ offences under section 2 of the Protection from Harassment Act 1997…. The term can also include harassment by two or more defendants against an individual or harassment against more than one victim.
Although harassment is not specifically defined in section 7(2) of the PHA, it can include repeated attempts to impose unwanted communications and contact upon a victim in a manner that could be expected to cause distress or fear in any reasonable person.
A prosecution under section 2 or 4 requires proof of harassment. In addition, there must be evidence to prove the conduct was targeted at an individual, was calculated to alarm or cause him/her distress, and was oppressive and unreasonable.
Closely connected groups may also be subjected to ‘collective’ harassment. The primary intention of this type of harassment is not generally directed at an individual but rather at members of a group. This could include: members of the same family; residents of a particular neighbourhood; groups of a specific identity including ethnicity or sexuality, for example, the racial harassment of the users of a specific ethnic community centre; harassment of a group of disabled people; harassment of gay clubs; or of those engaged in a specific trade or profession.

Well, distress is being caused on a large scale. There are very clearly repeated attempts to impose unwanted communication, and there is no realistic opt out – the so called opt out option on automated calls has long been recognised as being used as confirmation that the person called is gullible so a good target for further harassment.

As to evidence, since these scammers are being allowed by telecoms providers to withhold numbers or display numbers, there’s not a lot the victim can do. But the information is flowing through the telecoms companies. They make money from these calls. In effect they are abetting fraud and harassment by doing this. Let’s see them forced to take some responsibility.

Are individuals being targeted on the basis of ‘protected characteristics’? Look at the age profiles. Ask people who have hit 50 or 60 or 70. Ask people who have started getting a state pension. Age is a recognised trigger for increasing volumes of scam calls. The fraudsters assume that older people are easier to intimidate into parting with information and money, and sometimes they are right. It may be the targeting of people who grew up in more innocent times and who, by retiring, are predictably likely to be at home at times to suit scammers. It may be people who are vulnerable through bereavement, particularly if the late spouse took responsibility for financial matters. It is more common for elderly people to be confused, through dementia or medication, so less resistive to scams. It sure as hell means that these scammers are targeting people on the basis of the protected characteristic of age.

Of course the people doing all this cannot help but be fully aware that they are following a course of conduct which amounts to harassment. It takes little intelligent thought to recognise the conduct as unreasonable. In fact it takes a highly determined effort at self-deception to find even the flimsiest framework which shows the conduct as anything other than deceptive, dishonest, unreasonable, and intimidating.

They know all of this when they buy data without checking it has been legally obtained so the defence of legitimate trade does not apply. They know it when they sell the data on illegitimately. They know it when they autodial. They know it when they phone TPS registered numbers. They know it when they write and approve scripts full of lies. They know it when they train their staff.

They? The Board of Directors, obviously, and also those in senior management who promote and collude with harassing behaviour. That covers operational management and strategic decision making. It covers HR when they set targets which depend on harassment producing results. It covers those who accept financial reports based on results obtained by harassment. It covers auditors who turn a blind eye to the way a company generates its profits. It covers those businesses which provide outsourced outbound calling services and pretend that they have no responsibility for the legitimacy of the data they use for calling. They are all executing or colluding with institutionalised practices of harassment.

There is of course Data Protection legislation, but that is too weak to be useful, more so since it relies on civil prosecution by the victim, and the harassment is executed in a way which prevents the victim from getting access to the necessary proof.

Under Protection From Harassment legislation, a perpetrator can be imprisoned for up to 6 months and fined up to £5000. The legislation for punishment exists. The cases exist to prosecute. The data is available to prosecute. Yet there has yet to be a prosecution. Not a single politician has risen from their backside to ask why there have been no prosecutions.

The DeliveryDemon, like a lot of people, is pretty quick to recognise scammers and tell them where to go. They are still a bloody nuisance and their calls are still harassment. She would dearly love to hear just one actual or prospective MP actually stand up and ask – loudly – for action to be taken using the ample legislation which is already in place.

Yes, let’s see the Action Fraud database being used to collect details of these harassers. And Data Protection reports. And Ofcom reports. And TPS reports. All the data collection mechanisms exist. Let’s see a campaign encouraging the victims to report their harassers. Let’s see some pressure on the telecoms companies to take responsibility for ensuring that their networks are not used for harassment. And let’s see the data being used for prosecutions.

We have seen a few prosecutions in other sectors for blatant criminal activity. Doing the same to the decision makers in nuisance cold calling organisations just might prompt an improvement in their behaviour.


Delivering Libellous Content

March 17, 2014

The DeliveryDemon had to chuckle at this article http://www.pressgazette.co.uk/content/dont-let-internet-linked-stories-land-you-libel-writ

The law has certainly been working hard to catch up with technology, and the impact of this sort of libel is very real to those who are libelled. But the legal profession is missing a trick here. Behind the scenes, there is technology which looks for keywords and tries to interpret them. By and large this software is still remarkably primitive. It has yet to get to grips with the ability to interpret the context. Basically it lacks ‘intelligence’. It is designed to provide an answer at the expense of providing a sensible answer.

Google predictive text gives some good examples of what can happen http://www.telegraph.co.uk/technology/google/6161567/The-20-funniest-suggestions-from-Google-Suggest.html and various mobile phone predictive text engines can be even funnier. The automated parsers used by recruiters cannot distinguish between Coral the bookmaker and Coral the programming language. Amazon’s ‘you might like’ suggestions suggest you buy an identical item to a recent purchase, with a different brand name.

To some extent, many of these tools are designed to depend on data which is not quality-controlled in any effective way. Certainly an Amazon vendor will enter the keywords likely to maximise search hits. That can mean the entry of keywords with little relation to the product being sold.

Google is one of the more sophisticated players since its product depends on understanding what a searcher is likely to want, but the Telegraph article shows how primitive the logic is. Asking users to log in and relating searches to their search history has the potential to improve search result quality, but people are becoming increasingly sensitive to the amount of their data held by large corporations, and legislators are starting to respond to those concerns, so relying on users logging in may not be the most fruitful development path for this type of tool.

The examples in the libel article certainly have merit. Either the tool is not fit for purpose, or it is being used unintelligently. A fairly obvious solution would be for the news website to flag articles as being either positive or adverse, provided the tool refrains from coming up with links to ‘similar’ articles unless they were also flagged as adverse. If the tool can do this, the web publisher is at fault. If the tool can’t do it, then there are two potential breaches. The tool may be inadequate for the purpose for which it is being sold. Or the web publisher may be making inappropriate use of the tool. Of course, when a payment model is based on click throughs, the incentives tend not to favour anything which limits the number of links displayed.

A fruitful approach for legislators would be to look beyond individual libels and examine the capabilities of current tools, and the processes which web publishers use to mitigate the risks arising from tool limitations.


Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisation had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post.

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • i-Tunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggests that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either. Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective, and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.