Delivering An Open Letter to BT

June 23, 2016

An open letter because BT continues with its custom of blatant dishonesty and obstruction of customer complaints. This letter was sent to Gavin Paterson, BT’s CEO, following a correspondence string which invariably received responses whose honesty was noticeable by its absence.

It appears that your staff are unable to check customer history correctly. Your complaints system should have comprehensive details of my previous complaints which state very clearly that, having been an extremely dissatisfied customer of BT, I was formally requiring that you did not pester me with junk sales communication via any channel.

It is unsatisfactory that your staff are pretending that the problem lies with another company. This is WRONG. I had enough unpleasant dealings with BT to be very sure of the name of the company causing the problem.

Your staff claim that the problem would not have existed were the number registered with TPS. Your staff should be capable of checking this before making such a stupid recommendation. They should also have the basic understanding that TPS registration is done directly, not through the service supplier. The number has in fact been registered with TPS for years, apart from a brief period when BT abused its position by instructing TPS to remove the number from its Do Not Call list. If your staff think that the TPS list is an effective way of preventing unwanted calls, then your processes should ensure that a check is made against TPS records BEFORE attempting to nuisance call people.

It is also clear from the reply below that your processes are unacceptably inadequate in dealing with the issue of nuisance calls. When BT is told that its nuisance calls are unwanted it has no excuse for failing to record that, whether or not the requirement comes from a BT customer. In this instance, your staff are wrong in claiming that there is no account to mark. There is the historic account, whose management left me disgusted with BT’s dishonesty. And, as I said in earlier correspondence, you are holding sufficient information to have my name associated with the number. Were you making the least attempt to comply with the Data Protection Act, this alone should have prevented your nuisance call.

It is very clear that BT is hiding behind company size and ignorant staff to try and block serious complaints. While this is not surprising given BT’s history, it is completely unacceptable.


Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisation had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post:

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • i-Tunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggests that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either. Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective, and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.


Delivering Demands for Blind Acquiescence

June 13, 2012

The DeliveryDemon is becoming increasingly fed up with growing expectations of blind acquiescence. It may make it easier for an organisation to use ill-trained operatives and unintelligent processes if customers mindlessly comply with demands for vast amounts of sensitive personal information despite the absence of justification for the request. After all, if everyone provides every piece of information which might be required for every conceivable circumstance, the admin drone can just tick a load of boxes and the organisation doesn’t have to bother making the effort of deciding which information is actually required. And the DeliveryDemon is fully aware that many such demands for information are purely box ticking exercises, with no intelligent use being made of the information gathered. She is also fully aware that, when no thought is applied to deciding which information is needed, it is highly likely that an equal lack of intelligence and diligence is applied to the storage and management of information collected.

This rant was provoked by the need to go through a ‘proof of ID’ process, where the conversation with the call centre went something like this:

DD – You don’t need my marriage certificate since I never changed my name – why do you need my divorce documentation?

CC – It’s the regulations

DD – Which regulations?

CC – HMRC regulations

DD – Which HMRC regulations?

CC – I’ll check with my supervisor

CC calls back – It’s our own rules

DD – Why do you need it?

CC – It’s our rules

DD – If you need it you have a duty to explain why it’s needed

CC – I’ll get someone to call you back

CC2 calls back – We might be able to accept copies with a letter

DD – That wasn’t my question. You have already said you don’t need my marriage documentation since I have never changed my name. Why do you need my divorce documentation?

CC2 – We don’t need it.

Unfortunately, this sort of conversation is, in the DeliveryDemon’s experience, all too common. Far too many organisations feel entitled to pressurise customers into providing information well in excess of the organisation’s real need. Let’s look at what actually happened here.

  • First there was a request for information without an adequate explanation of why it was required.
  • Second there was the assumption that a reference to some unspecified regulations would make a customer stop asking questions.
  • Third there was an assumption that a reference to HMRC would stop a persistent customer from asking questions.
  • Fourth, there was an admission that it wasn’t valid to blame the law or the taxman, that this was an internal blocker.
  • Fifth there was an attempt to avoid the issue by offering an alternative (certificate copies), in the hope that the customer would be fed up enough to comply.
  • Sixth was the admission that the information was not required.

This was not an isolated incident. The DeliveryDemon frequently encounters organisations which behave as though Data Protection legislation didn’t apply to them. If there is a genuine need for a piece of information in one specific instance, they embed the requirement in their general process. They try to blame the law, or various bureaucratic bodies. Call centre operatives are trained to give woolly and misleading responses to questions about the need for information. They expect the customer to be acquiescent and unquestioning, in the interests of lazy process.

It is simply not good enough. The DeliveryDemon is familiar with data protection provisions, and has a good understanding of how a wide range of businesses operate. This puts her in a good position to challenge demands for excessive information. Not everyone is so lucky.

It’s not a matter of being awkward. Our personal data has value, and the cost to the individual of identity theft is massive. Both the law and business ethics demand that organisations only collect the data they need, and on the basis of explicit customer agreement and understanding. It is shocking how many organisations are prepared to ignore both the law and ethical considerations. Unfortunately, the UK’s enforcement of data protection legislation is weakly and tardily applied – enforced would be too strong a word. It’s down to the customer to resist the tsunami of demands. The DeliveryDemon recommends the following questions:

  • Why do you need it?
  • Which legislation requires it?
  • No, I need to know exactly which legislation so I can check the requirement.
  • Who will have access to it?
  • How will it be kept secure?
  • How long will it be held?

Olympics…..We’re Dooooooomed!!!! Jubilee….We’re Dooooooomder!!!!

April 25, 2012

The DeliveryDemon isn’t really much of a spectator so she didn’t bother tying up her credit card limit in the fiasco of Olympic ticket sales. Why put all that effort into a lottery level probability of seeing an event that might be of some slight interest? She stood back from that, leaving the remote chance of getting a ticket to those who really wanted to watch. As the chaos was delivered, she felt a few pangs of sympathy for those sportspeople who, even if they managed to get tickets, had very little opportunity of getting tickets to see the sports they actually participate in. The whole setup seemed pretty half-baked.

Beyond some vague plans to avoid the areas of transport mayhem during the Olympics, the DeliveryDemon has tended to ignore the media hype, but a recurring theme has been carping for her attention in news reports. There seems to be a developing assumption that the Olympics, like the equally-hyped Jubilee, will damage the economy. The DeliveryDemon recollects some reference to think tanks in those reports but a cursory web search hasn’t provided any hard evidence, so perhaps the reporters concerned are inventing or misinterpreting. Whatever the case, the DeliveryDemon has become interested in what those reports imply.

The general theme is that workers will be taking holidays and days off, will be surreptitiously following the events on their mobiles and their work PCs, will be spending long lunches in pubs, watching events unfold. Transport chaos will make people late for work. Workers will be tired and hungover from late night TV watching and alcoholic celebrations. Production will plummet, customer service will suffer, the economy will drag its way into another recession. Two big events in a single year? We’re all doooooomed!!!

So what are the facts behind the scaremongering?

  • Yes, people will want time off – they usually do in the summer. But it may be easier to achieve a spread of holiday dates as a significant number of people may choose to avoid holidaying during the Olympic peak times – much as many people avoid taking their break during school holidays.
  • Transport chaos? Commuters are used to this but it’s likely to have a worse than usual impact on venue access routes and the air and rail hubs which serve them. That’s not the whole country, and the areas concerned have a relatively high concentration of work which can be carried out remotely with a little bit of forethought.
  • People will spend more than they plan then cut back after the event? Pretty normal for any holiday type event, except that the spend will be in the UK.

So far, so normal. No reason to predict a recessive impact from normal human behaviour. So what might these pundits be suggesting?

  • All that well-paid Olympics work will disappear in the aftermath, true. Why should that be a surprise to anyone?
  • In some – but not all – businesses, less work will be done during the various events and celebrations. Really?
  • There will be a fairly heavy demand for time off during the peak period. A bit like Christmas and the school holidays. After all, people work to live, not the other way round.

Either the reporters who come up with these doom-laden headlines lack the most elementary understanding of business planning, or they are trying to deliver the message that UK management is so lacking in basic business skills that the entire country went down the plughole years ago.

The DeliveryDemon wishes that those recruiting for media positions would realise that those jobs have a need for basic commonsense and the ability to use data sensibly.


Delivering Sports Participation

April 3, 2012

The DeliveryDemon isn’t hugely fascinated by the 2012 Olympics. She didn’t bother with the ticket allocation fiasco. She hopes she won’t be in London, or near one of the few non-London venues during the event. She has no intention of going anywhere to peer through crowds at anyone trotting along with a badly designed bit of metalwork, which is the nearest many Brits will get to the Olympics. She certainly won’t be watching the Olympics on television, as she still hasn’t found a good reason to go out and buy one.

According to BBC talking heads, this means that the DeliveryDemon is not interested in sport. No matter that she walks for miles in the mountains and across country – that doesn’t count. Nor does bodyflying, an activity which tests muscles most people never get round to using. As soon as she finishes rehab from last year’s skydiving accident, she aims to be back flowriding and doing the occasional bit of running. But she’s not interested in sport. The DeliveryDemon was delighted when recovery reached a point that allowed her back in the gym and the pool – but that’s not sport. She’s looking forward to being able to take winter holidays with ice climbing and snowshoeing and cross country skiing and dog sledging – but according to those in the know, she’s not a sporty person. Obviously not, since she isn’t inclined to sit on the couch, munching and drinking, while watching others do something which may be active – or which may be as inactive as darts or snooker or angling or even poker, all of which are skilled, none of which contribute much to the body’s need for physical activity.

There’s a lot of justification of Olympic costs on the grounds that the fact of the Olympics will increase sports participation. It’s a pity that those who made the decisions to spend shed loads of public money didn’t do some realistic thinking:

  • What does participation actually mean?
  • How can you demonstrate that it’s happening?

Since the powers that spend our taxes clearly haven’t done this thinking, please allow the DeliveryDemon to suggest a few actions and measures.

Work is spread throughout the country so that people don’t have to spend so much time commuting that there’s no weekday time for anything else and no weekend time because weekends are used up with recovering from the week’s commute and doing all the chores there wasn’t time for during the week.

Schools offer a range of activities within the timetable with sufficient variety so that all children can participate without feeling useless or stupid, and sufficient competition to give the competitive a way of measuring their success.

Sports funding includes reasonable support for public facilities which provide ready access for the public at times when people want to use them.

Bylaws and bureaucrats do not use health and safety as an excuse to prevent popular and emerging sports like inline skating and skateboarding and freerunning in public places.

Planning decisions require provision of public open spaces including green space, and sports facilities, with properly thought out arrangements for their long term upkeep.

That’s just for starters. The Olympics will long be remembered for the white elephant developments it leaves behind, but any effect it has on sports participation will be as transient as the annual blip in tennis court use around the time of Wimbledon – but without Wimbledon’s annual influence. If the powers that be seriously want to influence public health for the better, they need to think more pragmatically than low usage monolithic development and nanny state pronouncements.


Delivering Poor Banking Security

April 2, 2012

The DeliveryDemon has the rather naive expectation that banks who are entrusted with our money should operate reasonably secure procedures. Hang your heads in shame RBS and Barclays.

The DeliveryDemon has had cause to complain to both banks recently. In each case the complaint was about their processes, not anything specific to the account. In both cases an idiot from their customer ‘service’ team phoned up and demanded to know secure account access details before they would consider listening to the complaint. Do they really think it is sensible for someone to give out account password information to a random caller?

RBS, there is no need to access my account in order to hear that it does not constitute ‘faster payment’ if you take details of a payment on Friday and can’t process it till Tuesday unless I ring again on Monday.

In fact there is no need for your customer ‘service’ to access my account at all. The default action should NEVER be to access the customer account. Basic security is that this should only be done if the customer raises a matter specific to the account, i.e. if there is a genuine need to access the account.

Banks are piling on nuisance value processes to make it more difficult for the customer to access their own money, all in the name of security. It’s about time they got their own house in order, introduced secure internal processes and gave their customer contact staff some basic security training.


Not Delivering Faster Payments

March 30, 2012

Since the bureaucrats took over RBS, the service has been going rapidly downhill, to the point that now they cannot even operate the faster payments system which banks should have been signed up to for several years.

The online service was never good, a classic example of security completely overwhelming usability. With public ownership, the phone service was drastically reduced. Then the ability to set up advance payments was cut back. The commonest requirement for advance payments is the ten month council tax cycle. It was once possible to set up 6 months’ worth of payments at a time, but that has been cut back to 3. Instead of 1 opportunity to forget a payment, RBS has created 3.

The latest service cutback is the faster payments system, to which all banks are nominally committed. This system should, within certain limits, transfer money to the payee’s account within 2 hours. Not with RBS. The latest unintelligent development to their system cannot cope with a payment being set up on a Friday evening. It won’t do anything with it till the Tuesday. If the customer wants a payment to arrive on the Monday, they have to phone again on the Monday. In other words, RBS’s system cannot cope effectively with faster payments for nearly 3 days out of 7. The DeliveryDemon is seriously unimpressed with this constant erosion of customer service.

The gulf between the words ‘public’ and ‘service’ has never been wider. And it’s growing.