Delivering Complexity at the Expense of Security

June 20, 2012

The DeliveryDemon is frequently flabbergasted by the sheer stupidity demonstrated by so many financial institutions when it comes to security. They obstinately pretend that imposing complexity on account access equates to security, in the face of all evidence to the contrary. At the same time they refuse to acknowledge that their own processes are often staggeringly insecure.

Some time ago after a trip abroad, the DeliveryDemon had a phone message claiming her credit card had been compromised, and asking her to ring the issuer on an unidentifiable number. It clearly sounded like a scam which needed to be reported to the issuer. So the DeliveryDemon phoned the switchboard and asked to be put through to the person who had left the message. She was unsurprised when the switchboard had never heard of this person, and asked to be put through to the security and fraud department – where she found herself talking to the person who had left the suspect message.

So how many security mistakes was that?

  • Leaving a message about a card compromise on a landline answering machine without knowing who might pick it up
  • Asking the cardholder to ring a number which could belong to any scammer
  • Creating a situation designed to justify a request for secure information, using a process riddled with fundamental security flaws
  • Preventing a customer from carrying out basic security checks by using a name not recognised by the switchboard.

But the biggest mistake of all was the fact that some time afterwards the DeliveryDemon had to deal with the identical flawed process. Needless to say, the DeliveryDemon had complained to the card issuer on the first occasion, yet the organisatioj had taken no notice of the complaint and had continued knowingly to operate processes which were fundamentally insecure.

This type of stupidity is remarkably common in the financial services sector, and a couple of very similar examples are described in an earlier post .

https://deliverydemon.wordpress.com/2012/04/02/delivering-poor-banking-security/

The other side of this refusal to operate secure processes is a determined effort to create barriers to prevent a customer from accessing their own funds. This goes hand in hand with lengthy and inequitable Ts and Cs which attempt to absolve banks from any responsibility whatsoever. The DeliveryDemon recently encountered this while opening a very basic bank account. This ‘simple’ account required no less than EIGHT authentication factors, including providing answers to some remarkably stupid questions.

  • A memorable number? Seriously? Numbers are not intrinsically memorable. Those which are memorable usually relate to public domain information, which is hardly secure.
  • Details of various third parties? Public domain again. It is also questionable in data protection terms whether a bank should be asking for information about third parties who have nothing to do with the account.
  • Favourite TV programs, newspapers, historical person, sleb, town? Get a life! This sort of preference is transient and likely to be forgotten months or years down the line when it is eventually needed in order to deal with some call centre drone who is not empowered to think beyond the mindless detail on the screen in front of them.

This sort of pseudo security is not just stupid in its own right, it is creating a situation where complexity makes life difficult for the customer, while being used as an excuse for financial institutions to try to avoid their own responsibilities.

Put these so-called security processes in the context of today’s digital native. Basic security advice is not to use the same details in multiple places, since compromise of one account can lead to compromise elsewhere. Typically, an account asks for 4 pieces of information, even when no financial transactions are involved. Try counting them up. Even without an intricate lifestyle the following range of accounts is pretty commonplace.

  • Mortgage
  • Mortgage-related insurance
  • Life insurance
  • Health insurance
  • Current account
  • Savings account
  • Debit card
  • Credit card
  • ISA
  • Pension
  • E-mail account
  • Work e-mail account
  • Mobile account
  • Landline / broadband account
  • Car insurance
  • Car radio code
  • Electricity account
  • Gas account
  • Water account
  • Council tax account
  • Supermarket account
  • Amazon account
  • i-Tunes account
  • Comparison site accounts – up to half a dozen
  • Social media accounts – another half a dozen
  • Technology support arrangements – say 3
  • Travel accounts for commuters – another couple
  • Online information sources such as newspapers, news sites and the like – say 3.

All of these want a login ID and a password, plus several additional pieces of information for ‘security’ should you be unable to log in. Security guidance suggest that unique information should be used for each situation, and that the information should not be written down in a recognisable format, even when months or years may elapse between accesses to the account.

Put this into the context of the real world. Current security guidance expects the individual to memorise in excess of 172 unique pieces of information, and to relate each piece of information to one of 43 or more situations. Current practice is for Ts and Cs to forbid keeping written records of passwords in any useful format. This is complete nonsense, not security.

So what’s the answer? There are organisations which can be used to store multiple passwords, but these then become a single point of failure should the access password be compromised or the organisation’s own security be breached. It’s not clear whether this sort of password storage is acceptable under access Ts and Cs either.  Even if banks start to give some form of approval to these organisations, it could be withdrawn, leaving the customer with the option of dealing with multiple password holders or changing to a new one. If a security breach underlies the reason for change, that would mean working through every single account to change access details. In some circumstances that may mean the delay of going through the account provider to replace codes which they do not allow the customer to change.

The current security situation is clearly unsatisfactory, ineffective,  and unfair to the customer. The DeliveryDemon thinks it is time that organisations which are responsible for security got together with both security and usability experts to come up with a solution which is designed to protect the customer’s interests, not a solution based on allowing financial institutions to avoid responsibility.

Advertisements

Olympics…..We’re Dooooooomed!!!! Jubilee….We’re Dooooooomder!!!!

April 25, 2012

The Delivery Demon isn’t really much of a spectator so she didn’t bother tying up her credit card limit in the fiasco of Olympic ticket sales. Why put all that effort into a lottery level probability of seeing an event that might be of some slight interest? She stood back from that, leaving the remote chance of getting a ticket to those who really wanted to watch. As the chaos was delivered, she felt a few pangs of sympathy to those sportspeople who, even if they managed to get tickets, had very little opportunity of getting tickets to see the sports they actually participate in. The whole setup seemed pretty half-baked.

Beyond some vague plans to avoid the areas of transport mayhem during the Olympics, the DeliveryDemon has tended to ignore the media hype, but a recurring theme has been carping for her attention in news reports. There seems to be a developing assumption that the Olympics, like the equally-hyped Jubilee, will damage the economy. The DeliveryDemon recollects some reference to think tanks in those reports but a cursory web search hasn’t provided any hard evidence, so perhaps the reporters concerned are inventing or misinterpreting. Whatever the case, the DeliveryDemon has become interested in what those reports imply.

The general theme is that workers will be taking holidays and days off, will be surreptitiously following the events on their mobiles and their work PCs, will be spending long lunches in pubs, watching events unfold. Transport chaos will make people late for work. Workers will be tired and hungover from late night TV watching and alcoholic celebrations. Production will plummet, customer service will suffer, the economy will drag its way into another recession. Two big events in a single year? We’re all doooooomed!!!

So what are the facts behind the scaremongering?

  • Yes, people will want time off – they usually do in the summer. But it may be easier to achieve a spread of holiday dates as a significant number of people may choose to avoid holidaying during the Olympic peak times – much as many people avoid taking their break during school holidays.
  • Transport chaos? Commuters are used to this but it’s likely to have a worse than usual impact on venue access routes and the air and rail hubs which serve them. That’s not the whole country, and the areas concerned have a relatively high concentration of work which can be carried out remotely with a little bit of forethought.
  • People will spend more than they plan then cut back after the event? Pretty normal for any holiday type event, except that the spend will be in the UK.

So far, so normal. No reason to predict a recessive impact from normal human behaviour. So what might these pundits be suggesting?

  • All that well-paid Olympics work will disappear in the aftermath, true. Why should that be a surprise to anyone?
  • In some – but not all – businesses, less work will be done during the various events and celebrations. Really?
  • There will be a fairly heavy demand for time off during the peak period. A bit like Christmas and the school holidays. After all, people work to live, not the other way round.

Either the reporters who come up with these doom-laden headlines lack the most elementary understanding of business planning, or they are trying to deliver the message that UK management is so lacking in basic business skills that the entire country went down the plughole years ago.

The DeliveryDemon wishes that those recruiting for media positions would realise that those jobs have a need for basic commonsense and the ability to use data sensibly.


Delivering Poor Banking Security

April 2, 2012

The DeliveryDemon has the rather naive expectation that banks who are entrusted with our money should operate reasonably secure procedures. Hang your heads in shame RBS and Barclays.

The DeliveryDemon has had cause to complain to both banks recently. In each case the complaint was about their processes, not anything specific to the account. In both cases an idiot from their customer ‘service’ team phoned up and demanded to know secure account access details before they would consider listening to the complaint. Do they really think it is sensible for someone to give out account password information to a random caller?

RBS, there is no need to access my account in order to hear that it does not constitute ‘faster payment’ if you take details of a payment on Friday and can’t process it till Tuesday unless the I ring again on Monday.

In fact there is no need for your customer ‘service’ to access my account at all. The default action should NEVER be to access the customer account. Basic security is that this should only be done if the customer raises a matter specific to the account, i.e. if there is a genuine need to access the account.

Banks are piling on nuisance value processes to make it more difficult for the customer to access their own money, all in the name of security. It’s about time they got their own house in order, introduced secure internal processes and gave their customer contact staff some basic security training.


Not Delivering Faster Payments

March 30, 2012

Since the bureaucrats took over RBS, the service has been going rapidly downhill, to the point that now they cannot even operate the faster payments system which banks should have been signed up to for several years.

The online service was never good, a classic example of security completely overwhelming usability. With public ownership, the phone service was drastically reduced. Then the ability to set up advance payments was cut back. The commonest requirement for advance payments is the ten month council tax cycle. It was once possible to set up 6 months worth of payments at a time, but that has been cut back to 3. Instead of 1 oppportunity to forget a payment, RBS has created 3.

The latest service cutback is the faster payments system, to which all banks are nominally committed. This system should, within certain limits, transfer money to the payee’s account within 2 hours. Not with RBS. The latest unintelligent development to their system cannot cope with a payment being set up on a Friday evening. It won’t do anything with it till the Tuesday. If the customer wants a payment to arrive on the Monday, they have to phone again on the Monday. In other words, RBS’s system cannot cope effectively with faster payments for nearly 3 days out of 7. The DeliveryDemon is seriously unimpressed with this constant erosion of customer service.

The gulf between the words ‘public’ and ‘service’ has never been wider. And it’s growing.


Delivering a Drought

March 12, 2012

It’s not even full spring yet and we’re about to get our water supplies reduced – but not our water bills.

Every time the DeliveryDemon puts something in the waste bin, the drought springs to mind, as do thoughts of how ‘un-joined-up’ this country’s bureaucracy is.

Why? Well, if you live in an administrative area which is committed to the recycling, have you realised that you are using up precious water supplies to WASH the rubbish you pay taxes to have collected?

The DeliveryDemon has nothing against recycling. In fact her household were recycling long before the bureaucrats decided it had to be imposed. Bottles, cardboard, paper, tins, old clothing, garden waste – it all got sorted and composted or taken to bottlebanks or charity shops or recycling centres. No problems and no transport overhead as disposal fitted in with the weekly routine. But now the dead hand of bureaucracy has descended. So:

  • We have slop buckets.
    • They’re too small for the remnants from a day of cooking proper food, or even a single meal, so they are forever needing to be emptied into the bigger slop bucket.
    • They stink because they don’t close tight enough to keep the smell in.
    • They’re made of poor quality plastic which isn’t resistant to the acid remnants of food, so they stink even more.
    • Because they stink they have to be washed out at every emptying, and that takes water. So in just one area, that’s over 30,000 of these slop buckets needing washed out at least once a day.
    • Because the bins are never properly emptied, there’s a residue of rotted food wo go in the next collection, accelerating the decay of new food waste.
  • Then there’s the bigger slop bucket.
    • It’s not really big enough to hold a week of food waste if you use fresh ingredients and lots of fruit and vegetables. But it’s the only bin that gets emptied weekly.
    • Of course it stinks.
    • It gets pretty filthy by the time it’s been chucked at the bin lorry’s automation then thrown back anyhow on the ground, so it needs washed after every emptying.
    • It isn’t really emptied, just waved at a bigger bin, with no account taken of the fact that week old food debris tends to stick to the container, so that’s another load of water cleaning out the 30,000 bins.
  • There’s a massive bin for stuff that doesn’t go into the slop buckets.
    • This is designed to hold about 15 times the amount of rubbish produced by a household that recycles as a matter of course.
    • It’s too light to withstand the boisterous winds in open countryside so local cars and pedestrians are at danger from flying bins.
    • It’s a third bin to be cleaned out, fortnightly for this one.
  • There’s an even more massive bin for paper and cardboard and bottles.
    • That’s another fortnightly collection and another bin that needs washed out.
    • Rubbish needs to be washed before going in the bin, or it stinks and the lids are not proof against odour or flies
    • That’s another flying bin on windy days.
  • There’s another massive bin – at additional cost – for garden waste

Then there’s the disruption and complication.

  • Multiple handling of food waste from one slop bucket to another
  • Complex collection arrangements, needing a section in the local paper to remind people which bins go out when.
  • Up to three days a week when the peace is destroyed by noisy rubbish vehicles, with the constand grinding and beeping audible for streets around for hours at a time
  • Up to three days a week when the roads are blocked by rubbish vehicles whose drivers never pull in to the kerb,  thinking they have no duty of care to other road users

Of course the taxpayer can spend more money on biodegradable bags for all the slop bins. And sit on summer days with the windows closed and earplugs in till the rubbish lorries have gone. That’s what the bureaucrats want us to do. But let’s think about what this is really about.

There’s a need to dispose of rubbish effectively, recycling as much of it as possible. That doesn’t mean it’s necessary to manufacture and distribute 150,000 bins in one small area. There’s no reason why each and every household should turn into a mini waste-sorting and cleaning plant. The council is trumpeting its greenness on the basis of the council doing less, but the full picture is a lot less green.

  • The council is generating noise pollution in previously peaceful rural areas and making it worse in town.
  • The council, at the taxpayer’s expense, is financing the manufacture and use of 4 times as many rubbish vehicles as were previously needed.
  • The council is adding to the overcrowding of roads by blocking them with rubbish vehicles
  • The council is worsening the drought situation by forcing people to use water to clean multiple bins

There’s a very well established principle of economies of scale. Apply it to rubbish collection and you end up with the single collection of waste and central sorting. The rubbish industry is becoming ever more sophisticated, with technology becoming increasingly able to separate different types of waste.

The DeliveryDemon wishes her local council would acquire the intelligence to see the difference between effective recycling, and a bureaucratic ego trip which consumes resources and creates pollution.


A Message for Micro$oft

June 18, 2011

The DeliveryDemon thought that Micro$oft had grown out of the sort of stupidity that leads it to ignore the most basic security principles in favour of a hard sell. Not so.

A few days ago, Micro$oft spewed out a massive download of fixes for Win7. Hidden in the myriad bug fixes is a nasty little payload which throws up messages  insisting that some perfectly respectable McAfee files are viruses. Having scared users with an irritating recurring false-positive security alert, Micro$oft then pops up message after message demanding that the user installs the Micro$oft antivirus product.

This is a recurrence of an old story. Micro$oft has used this trick in the past but recently it seemed to have learned a little sense. It’s clearly reverting to its old, discredited, behaviours.

Listen carefully, Micro$oft. Your hard sell tactics are making it abundantly clear that you’re not interested in distinguishing between respectable software and malware, just in scaring people into parting with money. This is remarkably similar to the behaviour of many of the scammers who lurk on the web.

Whether these false positives arise from poor software design, inadequate testing, or dishonest sales tactics doesn’t really matter. They irritate the hell out of your customers and seriously undermine your corporate credibility.

Get your act together, Micro$oft. PLEASE!


How NOT to Deliver Customer Service – #Orange

May 15, 2011

The DeliveryDemon recollects that one of the Scandinavian countries has decided that access to high speed broadband is a necessity of life, possibly even a human right. They obviously don’t have to deal with Orange.

Last night the DeliveryDemon was trying to upload a video to Facebook. She kicked off the upload and went to do something else. Half an hour later, the screen still showed a miniscule thread of blue on the progress bar. A quick check with www.speedtest.net showed a download speed of 0.1Mbps compared to the minimum of 4Mbps Orange claim to deliver. The Delivery Demon picked up the phone and right from the start was faced with the Orange attitude to customer service.

  • The IVR scriptwriters must have to sit a stupidity test to qualify for the job.
  • First an idiotic statement that a customer whose broadband had failed should check the Orange website – and Orange kept repeating this.
  • The error status option announced that Orange knew of no faults on its lines.
  • Then an announcement that the helpline was busy, why doesn’t the customer just go away and stop bothering them, or call another day if they really must bother Orange.
  • Either the IVR script is a lie or the phone staff lie, because after a 20 minute effort to get through to a person, the response was that no faults were being reported and the helpline wasn’t busy.
  • Needless to say, dire music punctuated the IVR idiocies, with choices designed to set teeth on edge and increase the ire of the caller
  • There was a particularly obnoxious and recurrent sales pitch trying to plug cinema tickets. Bad enough to be paying for an extremely long call to get Orange to sort its service – definitely NOT the time for Orange to ask the customer to spend more money with them

The phone jockeys are no better than the IVR. The DeliveryDemon has enough knowledge of help desks to know that, if the person you’re talking to can’t explain the effect of what they’re asking you to do, then it’s a bad idea to follow their instructions blindly, especially when their command of the English language is poor and their instructions are delivered in a barely intelligible mumble.

  • After being told the router was in another room so it would take a couple of minutes to carry out the requested light status check, the Orange moron didn’t bother to hold on for the few minutes it took so it was back to the Orange IVR hell.
  • There was a sudden improvement in the line speed, but all too brief.
  • It took 40 minutes to get through to Orange this time
  • The so-called technical support proposed a configuration change which he couldn’t explain beyond saying that the result would be loss of broadband for a period he couldn’t specify.
  • The supervisor who eventually took over actually tried to claim that there was no such thing as a capacity constraint, that no matter how many users there are of a service, performance will never degrade.
  • The supervisor also said they weren’t getting many calls. What’s going on here? Is Orange building in delays to its IVR system in the hope that complaining customers will go away?
  • After TWO HOURS on the phone there was still no progress.
  • After TWO AND A HALF HOURS on the phone, Orange finally admitted that there was a fault on their line.

Needless to say, this phone marathon did not result in the problem being solved. The phone jockeys aren’t competent to resolve problems, the DeliveryDemon had to wait till next day for a call from an engineer. In the meantime she was stuck with a service so poor she had to resort to her mobile for web access.

Next day the DeliveryDemon waited for the call. The agreed hour passed without any action from Orange so the DeliveryDemon picked up the phone again, only to discover that Orange cannot be bothered to make outbound calls, so the promise of a call from an engineer was based on a lie or incompetence on the part of their helpline, apparently a common occurrence.

What the phone jockey should have said is that, when the Orange service fails, it’s the customer’s job to carry out a number of tests over a 24 hour period before Orange will deign to do anything. So it’s another couple of days of a seriously degraded service which is still crawling along at well below 0.5Mbps most of the time, and yet another stint of battling the Orange IVR customer barrier.

Complaining about this fiasco is even more difficult. Orange won’t accept complaints over the phone, and their customer ‘service’ department don’t do email. The DeliveryDemon supposes they find it easier to claim that snail mail has been lost in the post sent to Orange Customer Support, PO Box 486, Rotherham, S63 5ZX.

There is a disturbing tendency for companies to think it is sufficient to set up a service and walk away. Monitoring and preventative maintenance seem to be a thing of the past, with companies expecting customers to do those particular jobs for them. And companies don’t want to deal with the problems their customers do identify, erecting barriers of IVR delay and complexity, and call centres whose staff lack the basic competencies required to deal with customers, never mind resolve problems. The DeliveryDemon disapproves of this trend, and thinks it’s high time for customers to fight back.