1 December, 2003: Where to hide your Excellence so the cleaning personnel can't find it


So, two stories of corporate Excellence from the British service sector:


A little while ago I wrote about a bit of incompetence from Barclaycard whereby it turns out that any random person can change the registered address on a Barclaycard customer's account simply by returning a piece of mail with a new address written on it. I recently received a response to my letter from a chap named Chris Garner at (presumably) Barclaycard Mission Control in Manchester. He assured me that (a) my Barclaycard account now has a note on it preventing future unauthorised changes of address -- we'll see how much good that does -- and (b) that I am not liable for any fraud committed because of their incompetence. Which is nice. Unfortunately, things go downhill from there. So I've written them another letter:

Chris Garner,
PO Box 599,
M60 3NF

Dear Chris Garner,

Thank you for your letter (ref. bc/XXXXXXX) of 19th November about your change of address procedures. I am pleased that you have noted that no further changes of address are to be made on my account without my permission, and by your assurance that I carry no liability for fraud against my Barclaycard account. However, your other statements leave me little-reassured and I have more questions:

Barclays Bank and `linked customers'

You state,

Our first step [on suspecting that a customer address has changed] would be to check if the cardholder concerned is a linked customer i.e. they bank with Barclays. If the address has been changed on the bank account, we are obliged to change the address on the Barclaycard also as we are part of the Barclays group.

In fact I do bank with Barclays. I have not taken any steps to change the address on my Barclays bank account. Two questions therefore arise:


You state, (emphasis mine)

[When the address on an account is being changed without action by the cardholder...] A letter is also sent to the new address which asks for confirmation of the change and confirms that no new cards will be issued until we have received signed confirmation from the cardholder. This then prevents the account being open to fraud.

This statement cannot be correct.

To give an example, suppose that a fraudster were to change the address on my account to their own. If your procedures are correctly followed, they --- not I --- will then receive a letter --- at the new address --- telling them that they need to sign and return a form in order to receive a new card.

Signatures don't provide much security in this type of situation. According to researchers (see, e.g., Ross Anderson, Security Engineering (2001); New York, Wiley; and references therein) a failure rate of around 40% is to be expected in signature comparisons of this type. Requiring a signature at this stage does not of itself prevent fraud.

The fact that you send the request for confirmation to the new, not the old, address means that the cardholder will remain ignorant of the fraud while -- because of the limited value of signatures -- the fraudster stands a good chance of fooling Barclaycard into sending them a new card. You cannot prevent fraud relating to changes of address if -- as your statement above implies -- you implicitly trust any new address on a customer's account. Thus,

As I stated in my previous letter, this procedure could be greatly tightened up by telephoning cardholders to confirm changes of address on their cards, and not allowing them to go ahead until such confirmation is received. If you'd done that, I wouldn't have wasted any time unpicking Barclaycard's mistakes, either.

Yours sincerely,

Chris Lightfoot


BUPA, the British United Provident Association, is a health insurer (as you all know). They do not insure my health. However, they do insure the health of a Mr. Christopher W. Lightfoot of Leamington Spa, who is a completely different person. I get his bills. (I know about him from 192.com, an extraordinary web site which appears mostly to be designed for stalkers and other cranks. Whatever.) Telephoning BUPA to try to fix this is a joyless experience. So, letter number two:

Bryan Sanderson CBE,
BUPA House,
15--19 Bloomsbury Way,

Dear Bryan Sanderson,


From time to time BUPA send me bills for health insurance. These come with a `registration number', XXXXXXXXXX, and demand money from me by direct debit. Happily you do not have my bank details and have not succeeded in taking any of my money --- happily, because I do not and have never had health insurance with BUPA. I enclose a photocopy of one of these bills for your edification and amusement.

Apparently what has happened is that somebody else -- who lives in a different place, and has a different (if similar) name -- does have health insurance from BUPA. He gets the insurance, and I get the bills. No doubt he is completely content with this state of affairs. I am not.

I have telephoned BUPA on several occasions to ask you to stop sending me these bills. Your staff tell me that they cannot and spin some story about Data Protection and all sorts of other nonsense. Further, they make the extraordinary claim that it's my problem to sort this out. Well, now it's your problem and you can sort it out.

(Obviously I have no intention of giving you any money. However, I am very concerned that BUPA, acting under the misapprehension that I should be paying these bills, may be passing on details of my `non-payment' to credit reference agencies and therefore damaging my credit rating. Naturally if this has happened you will take steps to correct any such misinformation and to prove to me that it has been so corrected.)

On a completely different topic.... I do not have health insurance. One day I would like to. However, it is my ambition to get health insurance from a company which sends correspondence to its rightful recipients, not to random third parties.

What would you suggest?

Enclosed: photocopy of someone else's BUPA bill

Yours sincerely,

Chris Lightfoot

And in other news

-- in fact, I don't have it that bad. Tim Ireland was marched out of Waterloo Station by the Police for daring to complain about piss-poor train company South West Trains. I suppose we should chalk this up as another victory for privatisation.

Copyright (c) 2003 Chris Lightfoot; available under a Creative Commons License.