Wednesday, 28 November 2012

Barclaycard security: setting a good example?

Good advice always used to include 'tell your bank when you go on holiday abroad', but apparently that doesn't apply to Barclaycard.

Last October, I took a trip from the UK for a fortnight in L.A., so I thought it would be a good idea to warn my bank and credit card issuers to prevent any embarrassing moments. I visited the various finance web sites and used their secure messaging facilities to tell most of them, or, in the case of MBNA, who actively encourage such messages, I told them via SMS.

I thought nothing more about those messages, nor expected replies. I had a few acknowledgements. Good. I had no problems using a new Saga card whilst abroad.

I was puzzled, though, by messages from Barclaycard I found on my return, telling me I didn't need to give them notice about holidays because their policy was that if there were any suspicion of a fraudulent transaction, they phone cardholders. Why couldn't they just say "Thanks for letting us know and have a nice trip"? Surely this information would help them make an informed decision before deciding to phone a customer. Something their systems flag as potential fraud may obviously not be fraud at all. Or they can ignore messages customers send as a matter of courtesy and accepted best practice; it is their choice.

What do your customers think?

Barclaycard, I don't want you phoning me on holiday because I just bought breakfast in Sylmar Denny's or had a doctor's appointment on Venice Beach. I may not want to take my smartphone on a sandy beach and I may want to buy souvenirs. I also would not appreciate the cost of roaming charges, nor the fact you phone me from withheld numbers and demand security information about my account before you'll discuss anything. I have told you to phone my number to speak to me. Who else sounding like a grumpy man of 57 is likely to answer my phone? Why on earth don't Barclaycard understand that when someone phones me, it is ME who needs to identify THEM? When they compound that problem of identification by not showing Caller Line Identification at all, I have no way of telling THEM from Adam. Should I believe anyone phoning me who claims to be Barclaycard is Barclaycard? And no, I don't want to phone you back on a number you want to tell me now. I will phone the number on my card. It's there, right?

In my correspondence with various Barclaycard people, they seem to miss the entire point about their security behaviours setting their customers a Very Bad Example.

Imagine you receive a phone call with no Caller Line Identity and the caller says they are Barclaycard Security and they want to verify a transaction. They ask if you know about the card being used in Toronto for CAN$500. You say 'no'. Then they ask for your passwords to confirm your identity and, to stop the transaction, they need your card details for good measure. They say thanks, hang up, and run off to empty your account. It wasn't Barclaycard.

This is a fictional representation of how a fraudster may try to obtain all your card information. How does it differ from what Barclaycard does? Well, Barclaycard never ask for your entire password(s) or your card details. But that's all. Is that different enough? If you didn't know that - or have forgotten - and have a Barclaycard or two, you may agree it could be easy to inadvertently give out the whole lot . . . and have that horrible sinking feeling in the pit of your stomach as you hang up, staring at your phone which just says 'Unknown'. But it would say 'Unknown' even if it was Barclaycard calling you. Wouldn't you expect a gazillion-pound business to sort out something as simple as getting its own Caller Line Identity correct?

What should you do?

Please, never give your security information to people who phone from unknown numbers, even if they claim to be Barclaycard. And come on, Barclaycard, I worked in retail banking for 25 years but it doesn't take that experience to know that your security policies need a major overhaul. If you ever want to telephone me, please ask and I will send you a 36-letter password from which you will be asked for four letters when you call me. Currently it is: "Gaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah!"
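Here is what that "four letters from a secret" check could look like on the customer's side: the bank proves it knows something the customer registered in advance before the customer says anything at all. This is an added illustration, not code from this post or from Barclaycard; the secrets are constructed, and the last function shows why a secret made of one repeated letter would be a poor choice.

```python
import hmac
import math
import secrets
from collections import Counter

# Constructed secrets for the demo (not real credentials). WEAK_SECRET has the
# shape of the post's joke password: one letter repeated 34 times.
WEAK_SECRET = "G" + "a" * 34 + "h!"
STRONG_SECRET = "k4Qz9Wm2Lr7Xc8Vb3Nj6Hp5Tg1Ys0FdAeUoI"  # 36 distinct characters


def make_challenge(secret, k=4, rng=None):
    """Pick k distinct 1-based positions for this call. Fresh random positions
    each call mean letters overheard on one call do not answer the next."""
    if rng is None:
        rng = secrets.SystemRandom()
    if k > len(secret):
        raise ValueError("challenge longer than the secret")
    return sorted(rng.sample(range(1, len(secret) + 1), k))


def verify_caller(secret, positions, answers):
    """True only if the caller gives every requested letter correctly.
    Constant-time compare, so a wrong first letter fails no faster."""
    if len(answers) != len(positions):
        return False
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answers.encode())


def repeat_guess_probability(secret, k=4):
    """Chance that a caller who knows only the secret's letter mix passes by
    answering the most common letter k times: C(c, k) / C(n, k), with n the
    secret length and c the count of that letter. This is a lower bound on an
    impostor's success, and the reason a repeated-letter secret is weak."""
    n = len(secret)
    c = Counter(secret).most_common(1)[0][1]
    return math.comb(c, k) / math.comb(n, k)


if __name__ == "__main__":
    challenge = make_challenge(WEAK_SECRET)
    print("ask the caller for the letters at positions", challenge)
    for s in (WEAK_SECRET, STRONG_SECRET):
        print(f"{s[:6]}...: impostor succeeds by repetition "
              f"{repeat_guess_probability(s):.1%} of the time")
```

With the repeated-letter secret an impostor who simply answers "aaaa" passes about 70% of the time; with 36 distinct characters that tactic never works.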

The best I can extract from Barclaycard and their CLI shortcomings is that "I have also given these comments to the relevant department as feedback". Well, that's ground-shaking stuff which'll bring any meeting to order. Not.

The stupidity and irony of this whole business was lost on their handlers. They kept on phoning me about this complaint from an unknown number and wouldn't discuss it until I divulged security information. Dozens of unknown calls went unanswered. Boy, did they persevere. I am going to call this phenomenon "how to amplify a complaint": customer complains about a security flaw in the bank's communications with customers; bank uses that very method to try and contact the customer about it. It almost defines recursion. They phoned me dozens of times over several days: they are obsessed with gaining confirmation that they have dealt with a complaint well. Barclaycard, you haven't. You don't understand it or how to behave towards customers. For one thing, if I write you a secure message I expect you to reply in kind, not to bombard me with phone calls which don't stop until I shout. For another, you don't understand that your sloppy security practices rub off on your customers.

What should Barclaycard do?

Okay, Barclaycard Relevant Department, I challenge you to enable your phone systems so that any outgoing call from any Barclaycard office gives out one phone number as its CLI, being the cheapest one to call back and which is also prominent on your statements and on your cards. Until you have this sorted out, never waste your time or my battery trying to phone me again.

In the meantime, please also go away and learn the phrase "Thanks for letting us know and have a nice trip". It would have saved so much time. Customers are not interested in being lectured about your internal policies. You only have to tell us what we need to know and make an effort to understand when what you are doing is silly and counter-productive security-wise.

Tuesday, 4 September 2012

National Rail and Atos

When I booked a ticket with National Rail to travel home from the Paralympics I received an email confirmation whose HTML version says:

On visiting that last-mentioned web site it turns out to be rather anonymous - where is the statutory footer giving details of name, address, phone and company registration number? The web site designer's own site is as mysterious. Perhaps the only clue is that the only clear email address on is But wait! Atos? The foot of the email message purporting to be from National Rail says: "(c) copyright Atos Origin IT Services UK Limited 2010". So it looks as though Atos have inserted their own ticketing site's address in the confirmation email from their client, National Rail, whose copyright they seem to have usurped. IANAL but the word "corruption" leapt unbidden into my brain. In order to obtain some clarification, I tweeted. (This is snapped from so is in reverse order)

So, as obfuscation seems to be the only skill of National Rail's Twitterer (see below) I don't expect a straight answer but as there seems to be a general interest in the business practices of Atos, given their appalling track record assessing disability claimants, I wrote all this.

What? That is no justification whatsoever. An axe-wielding maniac could have a web site which links to yours. I look forward to hearing back from an Organ Grinder. You won't find it difficult to contact me if you spend five minutes with Google.

Later addition (in the correct order):
What does it take for them to see this is simply wrong?

Wednesday, 22 August 2012


I never expected to be posting something about Madasafish. As a minor customer but of many years' standing and originally with FreeNetName, I have never had a bad word to say about Madasafish since they took over and PlusNet took them over, except for that silly name. I always thought they needed to grow up their name (as a USian may say) but their provision of some web space and email services had never given a moment's trouble, so I accepted them as quirky. Until now.

I closed a bank account at short notice. I asked the bank to advise Direct Debit originators of new bank details. They refused and simply cancelled the DDs. (HSBC at its least wonderful - another story: about the decline in banking.)

Thu, 16 Aug 2012 09:42:12 Email from Madasafish: my DD has been cancelled. "Future subscription payments will be taken using the card details saved for your account." You have card details? Okay.

Mon, 20 Aug 2012 10:01:29 Email from Madasafish: "Unfortunately, we've not received the regular Direct Debit payment for your Madasafish account. This was due on 11/08/2012." Well, derr, you just told me the DD has been cancelled. Do you mean "we have no Card details on file so that failed too"?

Mon, 20 Aug 2012 11:55:20 Email from Madasafish: confirms DD is being set up. A good boy, I went online and caused that. Was a bit puzzled by the frequent error boxes telling me some of the page content was insecure. Did I want to see that too? Using IE9-64. Isn't that up-to-date enough?

Mon, 20 Aug 2012 11:57:43 Email from Madasafish: "We've successfully taken an outstanding payment of £2.50 for your service." I caused that online too, I think. MasterCard Securecode dumped me onto a Madasafish error page rather than a proper landing page but on checking my account, the payment seems to have been processed.

Mon, 20 Aug 2012 13:44:20 Email from Madasafish: "We couldn't take a payment for your Madasafish account." WTF? I'm going to ignore this. I'll bet their accounts system has its knickers in a twist.

Monday, 13:45 SMS from Madasafish: "We couldn't take a payment.." I know.

Mon, 20 Aug 2012 13:47:44 Email from Madasafish: "We've successfully taken an outstanding payment of £ for your service." That won't buy much.

Monday, 13:48 SMS from Madasafish: "thank you, the payment..was successful" So you said.

I raised tickets about these happenings. Wednesday's reply message?
"I have checked [and] it appears the payment you made went through twice so I have arranged for a refund for one of the £2.50 charges." Thanks for that, Bill.

The moment a person intervenes, good sense can prevail but it's interesting to note that despite the barrage of messages from Madasafish, the messages do not reflect what actually happened.

I'm probably going to be told I am too harsh and "things like that happen sometimes" and "I was unlucky to be at the unlikely juxtaposition of a handful of coincidental glitches" but really, I don't care. I don't expect to see such a bugger's muddle from anyone, let alone an ISP.

Madasafish is a trading name of PlusNet plc

Monday, 25 June 2012

Royal Bank of Scotland Group and its seven day glitch

Now, I have no idea if this story is actually true or whether it has any bearing on the current situation which has resulted in RBSG's major high street bank accounts being broken, but I repeat it here anyway. I just had to share.

Years ago I worked for Lloyd's Bank and as one of their Regional Trainers I used to spend a lot of time around Head Office types. You know the sort. They thought the sun went out when they sat down. One day in the dim past I was sitting with a group of them in the bar at our national training centre (it was dark outside, obviously) when one of them - an IT bod loosened up by half a shandy - proceeded to tell us a tale of cost cutting and management incompetence at the (then) NatWest IT centre.

Senior managers at NatWest were tasked with cost-cutting and decided to slim down their IT centre by letting go a few short-term contractors. One of the projects was considered by NatWest management to be finished (it wasn't), so the programming team of about half a dozen were presented with brown envelopes and told to clear their desks and leave immediately.

Having rounded up their personal belongings, the team ended up in the pub nearby to drown their sorrows. At first a bit maudlin, their conversation soon turned to their now defunct project. It was something to do with customer accounting and had been running live for a while as the last few bugs were uncovered.

"Hey" says one contractor "in the rush of being thrown out, did anyone remember to hand over the passwords to our project?"


"I didn't"

"Me neither"

"I still have mine right here" says one, pulling a small red notebook from his pocket.

After only a few nanoseconds' thought they decided not to rush back to NatWest and hand them over. They offered them back at a price instead. The bank said they were not interested in blackmail and the new bit of the system worked anyway, didn't it?

Saturday, 7 April 2012

Switching Energy Suppliers

Claiming to have the best rated customer service amongst conventional energy suppliers must be like claiming to be the best cow pat in a field. Do you think these days that any company can push customers around and behave in an offhand manner? Are you sick and tired of confusing tariffs which move up quicker than down, generating excessive profits being given away to shareholders, to overpaid executives on the whim of an old boys' remuneration committee, or to a foreign parent company?

I never had a problem dealing directly with Atlantic until now, but they are a conventional limited company whose common mantra of 'shareholder value' outweighs any consideration they give to customer value, or so it seems. I was particularly annoyed at aggressive doorstep selling by Scottish and Southern Energy, Atlantic's parent company; particularly as this is a 'no doorstep selling zone'. Signs on every lamppost clearly state that, and I was already a customer of the same group. Deciding that I no longer liked the way conventional energy suppliers operate, I applied on-line to switch energy suppliers to a co-operative one, but my ex-supplier Atlantic managed to screw up the switch. They claimed to have received the gas and electricity meter readings separated by several weeks and were quick to blame my new supplier.

Really? Are you certain, Atlantic? My readings were in one simultaneous submission on the new supplier's web site, so I think Atlantic are lying: what they did was to conjure up an estimated reading in its stead when they didn't need to. This was weeks after the gas bill was issued, and I was being aggressively chased for payment of the gas bill long before the electricity bill turned up with their (wrong) guesstimate. So much for being a 'dual fuel supplier'. They wasted my time, delayed the process, blamed everyone else and were so rude by phone, letter and particularly SMS, and their post so slow to arrive, that I wrote paying only 95% of the final bill, telling them the 5% (less than £20 of both bills) was a fine for their rudeness and incompetence. This is a language they understood: my accounts have been cleared. Please follow my example.

Customer service incompetence is always worth a stamp and withholding a token part payment. I know from bitter experience that management (and staff) are often oblivious to how terribly they come across to the public, often thanks to institutionalised ignorance - or it can be a couple of rogue staff - but in this case: institutionalised incompetence. Will everybody in the Scottish and Southern Energy group please note that a computer-generated voice-mail message from a withheld number which only says "please phone" some 'random' unknown number, without a reason, is probably illegal, bloody rude, unacceptable, assumed to be spam, deleted and ignored. But if I do phone you back, even if your humans leave messages which are terse and give no REASON, please have the nous to answer the phone in a professional manner. "Southern Electric" is not a firm which currently exists: it never has. "Can I have the reference number?" should never be the first question any clerk asks: apart from its grammatical wrongness it makes you seem rude and impersonal. I am not a number, I have a name and I know my postcode. You have a computer. Work it out yourself. Your reference numbers are of no interest to me. Who am I? The Prisoner?

Another thing: having to identify me over the phone WHEN YOU HAVE PHONED ME is largely unnecessary. To paraphrase Andy Parsons as he said in his stand-up routine: what are the chances of a burglar breaking into your home (or stealing your mobile) to answer the phone and pay your gas bill? Surely it's for ME to identify YOU before I give you my credit card details: the Data Protection Act does not dictate that you have to do stupid things, so stop blaming it.

Why, oh why, do these rude and incompetent companies which provide our energy still have any customers at all? They will never, ever, get me back as one. Atlantic was relatively cheap for a while, but I would sooner pay a bit more for competence and for not being ripped off so they can satisfy greedy executives, greedy shareholders, or foreign parent companies. It's time to give Co-operative Energy a try and have a proper stake in my energy supplier, who will bulk-buy energy for the benefit of its customers. If a profit is made, I'll get some of my bill refunded.

Please use this link, which will enable both you and me to receive a £25 discount - off your first and my next bill: Co-operative Energy