So, two stories of corporate Excellence from the British service sector:
A little while ago I wrote about a bit of incompetence from Barclaycard whereby it turns out that any random person can change the registered address on a Barclaycard customer's account simply by returning a piece of mail with a new address written on it. I recently received a response to my letter from a chap named Chris Garner at (presumably) Barclaycard Mission Control in Manchester. He assured me that (a) my Barclaycard account now has a note on it preventing future unauthorised changes of address --- we'll see how much good that does --- and, (b) that I am not liable for any fraud committed because of their incompetence. Which is nice. Unfortunately, things go downhill from there. So I've written them another letter:
PO Box 599,
Dear Chris Garner,
Thank you for your letter (ref. bc/XXXXXXX) of 19th November about your change of address procedures. I am pleased that you have noted that no further changes of address are to be made on my account without my permission, and by your assurance that I carry no liability for fraud against my Barclaycard account. However, your other statements leave me little-reassured and I have more questions:
Barclays Bank and `linked customers'
You state, "Our first step [on suspecting that a customer address has changed] would be to check if the cardholder concerned is a linked customer i.e. they bank with Barclays. If the address has been changed on the bank account, we are obliged to change the address on the Barclaycard also as we are part of the Barclays group."
In fact I do bank with Barclays. I have not taken any steps to change the address on my Barclays bank account. Two questions therefore arise:
- Why was the address on my Barclaycard account changed when Barclays would have been able to verify that the address for my bank account had not changed?
- You say that you are obliged to change an address if the bank's record of a cardholder's address has changed. Is this procedure reciprocal? Do I now need to go through all the same inconvenience with my bank as I am presently doing with you? They have not contacted me about any such change, but then again, neither did Barclaycard.
You state (emphasis mine), "[When the address on an account is being changed without action by the cardholder...] A letter is also sent to the new address which asks for confirmation of the change and confirms that no new cards will be issued until we have received signed confirmation from the cardholder. This then prevents the account being open to fraud."
This statement cannot be correct.
To give an example, suppose that a fraudster were to change the address on my account to their own. If your procedures are correctly followed, they --- not I --- will then receive a letter --- at the new address --- telling them that they need to sign and return a form in order to receive a new card.
Signatures don't provide much security in this type of situation. According to researchers (see, e.g., Ross Anderson, Security Engineering (2001); New York, Wiley; and references therein) a failure rate of around 40% is to be expected in signature comparisons of this type. Requiring a signature at this stage does not of itself prevent fraud.
The fact that you send the request for confirmation to the new, not the old, address means that the cardholder will remain ignorant of the fraud while -- because of the limited value of signatures -- the fraudster stands a good chance of fooling Barclaycard into sending them a new card. You cannot prevent fraud relating to changes of address if -- as your statement above implies -- you implicitly trust any new address on a customer's account. Thus,
- How can you claim to prevent account addresses being changed fraudulently when you implicitly trust any new address you obtain?
As I stated in my previous letter, this procedure could be greatly tightened up by telephoning cardholders to confirm changes of address on their cards, and not allowing them to go ahead until such confirmation is received. If you'd done that, I wouldn't have wasted any time unpicking Barclaycard's mistakes, either.
BUPA, the British United Provident Association, is a health insurer (as you all know). They do not insure my health. However, they do insure the health of a Mr. Christopher W. Lightfoot of Leamington Spa, who is a completely different person. I get his bills. (I know about him from 192.com, an extraordinary web site which appears mostly to be designed for stalkers and other cranks. Whatever.) Telephoning BUPA to try to fix this is a joyless experience. So, letter number two:
Bryan Sanderson CBE,
15--19 Bloomsbury Way,
Dear Bryan Sanderson,
WITHOUT PREJUDICE TO ANY FUTURE LEGAL ACTION
From time to time BUPA send me bills for health insurance. These come with a `registration number', XXXXXXXXXX, and demand money from me by direct debit. Happily you do not have my bank details and have not succeeded in taking any of my money --- happily, because I do not and have never had health insurance with BUPA. I enclose a photocopy of one of these bills for your edification and amusement.
Apparently what has happened is that somebody else -- who lives in a different place, and has a different (if similar) name -- does have health insurance from BUPA. He gets the insurance, and I get the bills. No doubt he is completely content with this state of affairs. I am not.
I have telephoned BUPA on several occasions to ask you to stop sending me these bills. Your staff tell me that they cannot and spin some story about Data Protection and all sorts of other nonsense. Further, they make the extraordinary claim that it's my problem to sort this out. Well, now it's your problem and you can sort it out.
(Obviously I have no intention of giving you any money. However, I am very concerned that BUPA, acting under the misapprehension that I should be paying these bills, may be passing on details of my `non-payment' to credit reference agencies and therefore damaging my credit rating. Naturally if this has happened you will take steps to correct any such misinformation and to prove to me that it has been so corrected.)
On a completely different topic.... I do not have health insurance. One day I would like to. However, it is my ambition to get health insurance from a company which sends correspondence to its rightful recipients, not to random third parties.
What would you suggest?
Enclosed: photocopy of someone else's BUPA bill
And in other news
-- in fact, I don't have it that bad. Tim Ireland was marched out of Waterloo Station by the Police for daring to complain about piss-poor train company South West Trains. I suppose we should chalk this up as another victory for privatisation.