Identity verification – why do some companies get this so wrong?

Recently I’ve spoken to a mobile phone company about trying to cancel my contract, requesting the cancellation using their online form. Firstly, they said the email address I’d given didn’t match the one on the account, so they couldn’t do anything. I responded that they could have responded to the email address on the account for confirmation – verifying my identity is one thing, using it as an excuse for not trying to resolve the issue and take the requested action is another. However, I re-sent using the account address (it forwards to my current one, but in 10 years my primary email address has changed… once). In response to this, they asked for my postcode, which I duly responded. This time I got a response saying that it didn’t match what they had on record, so they couldn’t do anything.
Given that I’ve had the same address for 12 years, there shouldn’t have been any other address on record, but in case it was something like my parent’s address (again, I’m going back 10 years here, so I’m no longer 100% sure on what details I used, it’s been a while), I asked if they could confirm the first part of the postcode and (assuming it was a valid one) I could then confirm the second half. No. They couldn’t provide any information because of ‘data protection’. So I’m left with no idea what address they think I have, but I’m pretty sure it’s wrong.
However, given that I had received bills for previous contracts to my current address from this provider, I also know that they have had my current address on the system, so there should be some potential for working out that the postcode I gave them is a known address for me. However, the fallback again was that they couldn’t take any action. I even asked them to contact the email address they had for me to get confirmation (as I know if they send a message to that I’ll receive it), but no, because I couldn’t confirm some unknown but definitely incorrect address they wouldn’t do anything.
To this I cancelled my direct debit and emailed them to confirm this had been done, saying that this should be proof that I am who I say I am and that they should cancel the contract because they have no further authorisation to take payments anyway. Only then did they agree to cancel the contract.
To me this has got far beyond the point of being a reasonable process, but where I reached a point of disbelief was on the phone calls.
Having asked for a formal complaint to be made as well as the contract cancelled, because they had been overly obstructive to cancelling the account, they phoned me. I got a call from an unlisted number, from someone claiming to be from Three wanting to speak about a recent contact. They wouldn’t provide any further details unless I provided them with my full postcode and date of birth. Now at this point I wasn’t handing over these details. I have nothing whatsoever to validate their identity, but they want me to hand over my security details. I really don’t think that a company should be demanding that their customers be willing to hand over full security details to a totally unverified caller from an unlisted number – that’s just encouraging their customers to leave themselves open to identity fraud.
I said as much. I offered to confirm part of the postcode and part of the date of birth, to which they said no, although I’m not sure the postcode bit would have helped given I was already dealing with a question about whether they had the correct address for me. I asked if they could do anything to confirm their identity to me, some piece of information that they would know, but they refused on the spurious basis of ‘data protection’. How, exactly, is it protecting my data to encourage me to hand over my security detail to a totally unknown caller?
In response to this I made a further complaint, that they were compromising customers’ data security by encouraging the risky practice of divulging security information to unknown callers. I said that since they have called the registered number, partial security information should be sufficient and would mitigate the risk, that they could provide something like an account number or the like to provide some validation of identity, and if someone is not happy to confirm details to an unlisted number, they should have a process in place to give a reference code and get the customer to look up and call a number from the company website, so that they can be confident that they are then speaking to the company and can be happy divulging that information. Additionally, I suggested that it would be simple to allow a customer to register a security word or phrase which can be used by the company to identify themselves if calling, and similarly the contact forms could prompt for a security word or phrase to use in relation to calling about that specific contact.
It’s not rocket science. There are many things which a company can do to sufficiently confirm the identity of who they are speaking to without encouraging excessively risky practices, and there are fairly straightforward practices such as those outlined above (or even just emailing a generated reference number in response to any contact form which can be quoted in any call) which can provide more than enough validation of the caller’s identity before demanding the customer confirms their identity.
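
The call-back process suggested above, sketched as an added example (it is not code from this post or from any company mentioned): the agent reads out a short reference, the customer hangs up and dials the number published on the company website, and the call centre matches the quoted reference to the open case without asking for a postcode or date of birth. The class name, the case identifiers, the 48-hour lifetime and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# All names and values below are assumptions made for this example.
CODE_TTL_SECONDS = 48 * 3600   # how long a quoted reference stays valid
MAX_FAILURES = 3               # wrong references allowed before lock-out
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I: easy to read aloud


class CallbackReferences:
    """Reference codes an agent reads out so the customer can call back.

    The code itself proves nothing to the customer; their assurance comes
    from dialling the published number. The code only ties the inbound
    call to the right case without personal data changing hands first.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._records = {}  # case_id -> digest, expiry, failure count, used flag

    def _digest(self, case_id: str, code: str) -> bytes:
        # Only a keyed digest is stored, so a leaked table reveals no codes.
        msg = f"{case_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, case_id: str, now=None) -> str:
        """Create a fresh reference for a case; the agent reads it out once."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self._records[case_id] = {
            "digest": self._digest(case_id, code),
            "expires": now + CODE_TTL_SECONDS,
            "failures": 0,
            "used": False,
        }
        return code

    def verify(self, case_id: str, quoted: str, now=None) -> str:
        """Check a reference quoted on an inbound call; returns a status."""
        now = time.time() if now is None else now
        rec = self._records.get(case_id)
        if rec is None:
            return "unknown"
        if rec["used"]:
            return "used"
        if now > rec["expires"]:
            return "expired"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"
        # Tolerate spacing, hyphens and case from a code read over the phone.
        cleaned = "".join(ch for ch in quoted.upper() if ch.isalnum())
        if hmac.compare_digest(self._digest(case_id, cleaned), rec["digest"]):
            rec["used"] = True  # one call-back per reference
            return "ok"
        rec["failures"] += 1
        return "mismatch"


if __name__ == "__main__":
    refs = CallbackReferences(secrets.token_bytes(32))
    ref = refs.issue("case-1001")          # constructed case id
    print("Agent reads out:", ref[:4] + "-" + ref[4:])
    print("Customer calls back:", refs.verify("case-1001", ref))
    print("Same reference again:", refs.verify("case-1001", ref))
```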

Basically, a company can royally mess up data protection and customer identity security in multiple ways. They can fail to confirm who they’re speaking to, and accidentally divulge personal information that way, which obviously has to be avoided. However, they can also encourage the customer to adopt bad practices and fail to support the customer protecting their own identity security by demanding the customer compromises their own identity security for themselves. The latter is no better than the former, just probably a bit less likely to see the company in question getting fined. However, banks have realised this problem, and have adopted processes similar to the above to address this, so there’s no reason why other companies should not adopt similarly sensible practices to allow customers to protect the security of their identity. After all, in the former case, unless they’re completely reckless, then they’re unlikely to divulge sufficient information to allow the customer to be impersonated with another company, but encouraging freely divulging security information on the phone does risk exactly that. A company therefore risks causing a far more significant cost and difficulty to their customers if their ‘data protection’ processes are not sufficiently considered. Hiding behind legislation doesn’t adequately justify this – banks can manage to fulfil their identity verification requirements without creating the same risk (and will almost invariably have a process to point a customer to look up a number on the site and call back as a standard fallback), so mobile phone companies certainly can.

The ‘icing’ on the whole scenario was this: Having made a complaint about encouraging the risky practice of divulging full security information to an unlisted number caller, I received a call from the company about my complaint. Before they’d discuss the detail of my ‘contact’ with them, they ‘needed’ to verify they were speaking to the right person, and demanded I give them my full postcode and date of birth. The EXACT thing I was complaining about them doing they were doing again in ‘trying’ to address the complaint. Needless to say, I was gobsmacked by this, and told them that I was astonished that they would do that.

Needless to say I’ve no intention of giving them any further custom, despite having previously been a customer continuously for 10 years… they’ve managed to entirely reverse my opinion of them.


Review: Smashing CoffeeScript, by Alex A. Hudson

I’ll admit I’m still on the fence about CoffeeScript, because of tool support, amounts of documentation, etc. What this book hasn’t done is shown me any compelling reason to use CoffeeScript over JavaScript or TypeScript. Better object-oriented development support aside, most of the examples show idiomatic CoffeeScript that is not really any easier to understand than the original JavaScript, particularly if you’re already comfortable with the latter. Indeed, this doesn’t really seem to be the focus. After giving a fairly brisk run-through of the ways you use CoffeeScript differently to JavaScript, the remainder of the book then focuses more on actual usage, creating dynamic pages, doing calls to the server, and implementing server-side functionality using CoffeeScript and Node.
Unfortunately, this means that the book is trying to cover a large number of topics – client-side interactivity, libraries (like JQuery), MVC frameworks, server-side development, security issues, persistence, HTML5, browser storage, differences between browsers, as well as CoffeeScript itself. It doesn’t have space to compare different options and sings the praises of the chosen solution without really justifying it properly. I’m sure on the whole the choices are worthwhile (JQuery, for example, is very widely adopted), but in addition to this the coverage is mainly confined to implementing a particular example solution, rather than giving detailed, comprehensive coverage of even a single solution in any of these.
The net result is that this is effectively an extended walk-through explaining how to implement an example application, covering the client and server sides and briefly discussing the various elements to consider. It may be a good starting point for getting some working code to play with, and seeing what bits you haven’t covered fully to look elsewhere for full details. I was looking for a book to fully discuss CoffeeScript, its rationale, further reasons to consider it over JavaScript, etc, so I came away disappointed. I wouldn’t say it’s a bad book – if you like the extended walk-through format, this may be ideal, but for me it kept the scope too broad at the expense of detail.


Fun with Broadband…

Anyone who knows me knows that most of my interests involve computers and the internet… as a result a good, reliable broadband service is very important to me.

Now, supposedly the fastest provider in my area is Virgin Media. The Fibre Broadband offerings only offer around 26Mb downstream compared to 60+ on Virgin. So the decision should be easy, right?

Unfortunately, I don’t really have that much indication that the Virgin Media connection is that great… when it’s working (generally after I’ve just rebooted the modem), then I might get the full 60Mb – over WiFi, too, if I’m using an external router (the SuperHub is so misnamed…). However, after a short period then the reliability tanks. Downloads fail, streaming fails, and speed tests fail. The connection seems to go racing off at a decent enough pace initially, but then at some point it’s just lost… stuff like BitTorrent or similar services which are really designed to use connections when available and retry and connect elsewhere as necessary therefore work much better than conventional downloads, but that doesn’t really help for watching YouTube or Sky HD or the like over the connection.

Combine that with the phone line not having a dial tone for the last few weeks, and noting that this is far from the first time I’ve had problems with the broadband or the phone line or both (the phone went for a few weeks or so over xmas, and just started working again eventually), and that VM claim there are no service issues in my area, and I’m less than happy.

It comes down to an awkward decision – whether to switch to a nominally slower connection in the hope it’s more reliable, or stick with VM and hope they can resolve their problems? If there was an option that cost noticeably more but offered good speed and reliability, then I’d go for it – I’m really not that sensitive to the cost in the range that home broadband runs to, so I’m happy to pay a bit more for a good service. Unfortunately I’m not sure there are any options available. Anyone who knows otherwise let me know, because the issues with Virgin Media are really annoying me…


Started a new contract

Well, the Barclays contract came to an end… a number of contractors gone, and some permanent staff, too. Cue the usual period scurrying around seeing what’s around, and then waiting for those efforts to result in something worthwhile. I’m pretty happy so far with the result, though.

Although it was a bit more of a break than planned (6 weeks), and the new location isn’t ideal (Welwyn Garden City), the team and project are much more interesting. I’m working on a project that’s importing a genuinely large amount of transaction data (expected to be in the hundreds of TB of storage space required in the end), and getting further experience with MongoDB – a NoSQL technology that has generally seemed like a good option for flexibility on schema, levels of adoption, and scalability. Hopefully by the end of the project I’ll have a degree of confidence in its scalability from personal experience, as well as some additional experience with resolving those issues that arise particularly at larger scales (when schema migrations may not be so readily performed in a single hit, and when backups take long enough that they have to be able to be run while new data is being loaded and queried). It should be an interesting project, and the kind of work that I’ve been looking to get.

Now, if it veers off into classification and statistical analysis to make use of the Machine Learning and Data Analysis knowledge I’ve been acquiring of late, then it will be even better still, but we’ll have to wait and see…


Mouldy Hartleys Low Calorie Mango & Passion Fruit Jelly

Since Donna’s on a diet, she had some low-calorie Jelly pots in the fridge by way of dessert. Since she’s vegetarian this rules out most of the Jelly pots like Rowntree’s, so she has Hartleys instead.

However, we might be a little less keen on getting them after the latest pot. Despite not requiring refrigeration, this pot was kept in the fridge so it’s nice and chilled when eaten. It had been there for a few weeks, but had a Best Before date of end of November 2013. 
As a result it was a little surprising to see that the top had gone mouldy, some 6 months before that date:

Book Review: Financial Risk Modelling and Portfolio Optimization with R (Statistics in Practice)

Having found another in the series impenetrable, I wasn’t sure what to expect of this book. What I found was a book that covers a number of topics on risk modelling in turn, going through in about as easy to approach a manner as the topic is likely to receive.
Each chapter first outlines the subject, discussing the previous mainstream theory, its failings, and the latest methods to address those shortcomings. It describes these before providing equations to outline the necessary maths. It doesn’t aim to offer full proofs (instead referring to other texts for those if desired), but rather aims to provide the key equations having outlined their purpose. Having done this it then outlines the relevant packages available in R, highlighting key functions and particular limitations or areas where they each excel. In many cases multiple libraries are identified which offer similar functions, and their support for standard R statistics functions and what class model was used to implement them is noted. Finally, it provides a sample script to do some example processing using those libraries, giving an example of the main calculations required for the theories detailed earlier in the chapter, then providing a detailed explanation of how the script works and the output it creates.
The presentation is excellent. Even where the maths proves formidable the text could be used to identify the necessary derived functions and how to use them, so this could be used to implement the necessary calculations without a full understanding. Meanwhile, it provides a lucid explanation for why they are used, and reasonable detail to seek to understand both the theory and the maths behind the functions to gain a full understanding. As such, it provides an excellent insight into the techniques which will be relevant to those seeking to move beyond the basic financial models outlined in introductory finance classes, and those wishing to develop more sophisticated models suitable for use in real-world investment situations.

It is not, nor does it aim to be, a tutorial for using R – it largely assumes a reasonable level of knowledge about the language and the standard functions, but even with a limited knowledge of the language you could lift the scripts to do something useful. With a reasonable grounding in the language, however, some of the explanations of library structure and functions make more sense.

Review: The View on the Way Down: Rebecca Wait

From the peaceful, warm start, through the complex perspectives of the members of the family later, the story is a harrowing exploration of the emotional challenges of bereavement. The stories start out separate, with each suffering from their own pains, and gradually the events of the past become clear. The story unfolds in a manner that draws you into their emotions. Emotionally sophisticated, well written and engaging, it is one of the most emotive and painfully beautiful pieces of writing I’ve had the privilege of reading in a very long time. Simply breathtaking.


Microcontrollers and electronics

Recently I’ve been playing around with Microcontrollers. I’ve got a Freescale board to play with at some point, but mainly I’ve been looking at the Arduino/Atmega and MSP430 boards. While using an Arduino with the various shields available is fairly convenient (and can make hooking up a few micro servos even easier), I’ve mainly been wanting to set things up so that simple circuits can be set up which I don’t have to pull apart for my next project without buying lots of expensive components.

For this reason I’ve been looking more at the MSP430 Launchpad boards and chips. The boards themselves provide a complete environment for programming and running the chips, and come with 2 microcontroller chips, all for the princely sum of $4.30, shipped to you. The MSP430 value line chips are designed to run at 3.3V rather than the 5v the Arduino runs on, but for some simple circuits this is ideal. You can easily run it off a CR2032 button cell battery, too.
I set up an electronic die using an LED numeric display, which the kids eagerly took into school for show-n-tell. The first time it got knocked around and needed repair, but Sian was still keen to show her class how an LED display works using the battery to connect to particular input pins. The second time I made sure all the wires were cut to length and the battery connectors made more secure, so she was able to demonstrate the working system which did use the microcontroller, and explained what this did.
This was around the same time as she took in a couple of simple kit robots (an obstacle avoiding one and a line following one), which prompted the class to take over the hall to set up a long path to follow.
My latest experiment is a simple traffic light. Firstly, to see how long a battery does last with a single CR2032 cell running an MSP430 (it’s at 12 hours and still going strong, so enough for the whole day at school), but secondly to have a go at soldering a socket and other components to a prototype board rather than keep using solderless breadboards. The circuit is now working, although it took a little longer than expected to go from the breadboard to the prototype board.
This has taught me a few things. Firstly, that my soldering skills need some more work. Secondly, that I need a different tip for my soldering iron (I hear a chisel shape would be better). Third, that the solder I bought is too thick. Fourth, that using a bulldog clip to hold a couple of wires against the board may split the insulation and create a short. Fifth, that a multimeter really is your friend for working out why a circuit that looks OK is not working. And sixth, that most components really aren’t that sensitive to a little heat from a soldering iron – I needn’t be that wary.
So, having ordered some improved components – chisel tip, fine solder wire, some flux, and some solder wick, hopefully my next experiment will go a little smoother.
In the meantime, though, if you’re looking at using an Arduino, I’d recommend picking up a Launchpad board to play with as well. For $4.30 you get something which can do similar things, has a second chip, and which has the Energia IDE available to run almost identical code to the Arduino. You can’t really go wrong there.
Additionally, there are some things it just gets right. The Arduino changes around most of the pins, so going from a ‘duino to a bare chip on a board requires working out how those pins compare to the board labels. To run properly it also needs an external crystal and some capacitors as well as multiple connections to VCC and Ground. By comparison the MSP430 runs pretty well on its internal clock (full speed, just slightly lower accuracy), and just needs VCC, Ground and a connection from VCC to Reset to enable the chip. The chips are cheaper, too – £8.70 for 10 from Farnell, for example, although for the first few, perhaps just get 2 or 3 Launchpad boards from Texas Instruments – either use the chips or pass one or two onto friends – it’s pocket money pricing, really. Finally, the pins map straight to the pins on the board – no rearranging or confusion. And you can readily convert the board into a programmer to reprogram a chip sat on a breadboard.
OK, so there’s some slight limitations. The value line only has 20 pins, so if you want to control a lot of things perhaps you want the Arduino Mega instead. Some stuff only runs on 5v, which would then require some additional thought for running both the MSP430 and the external components (e.g. a servo). If you’re just getting started, though, it’s much easier to set up a breadboarded MSP430 than an Arduino chip, and cheaper to boot, so why not give it a try?
My next project will hopefully control 8 motors – and read from the digital compass… the aim is to make a compass belt, vibrating the motors to indicate the direction of North. Apparently after a while you stop feeling the motors and just ‘sense’ North, which sounds quite intriguing. All the components have arrived now, so hopefully I’ll have a chance to put that together soon.
Finally, if you’re a software developer thinking about giving it a try – do it. If you know any C (or C# or Java even) then getting Arduino or Energia code done will be easy. And with microcontrollers and starting projects you’re mainly looking at hooking in a few sensors (inputs) and a few effectors (outputs) and doing all the rest in code, so the circuits really are pretty easy.

Amazon Paperwhite official case review

There’s usually not that much to say about a case. The weight is reasonable, it feels like it should protect the screen very well with a sturdy front cover, and it’s not too bulky. Additionally the Paperwhite feels like it’s very secure in the case while not sticking up from it thanks to the choice of materials as well as shape. Finally, there’s a magnet to hold the cover closed and, like a Blackberry, it also controls the power – close the case and the Paperwhite goes off, open it and it automatically turns on. It’s that kind of little bit of smart thinking to save time and battery that makes this case worth 5 stars. I doubt a better case will be released for the device.


Another entertaining gig – Lacuna Coil

On Sunday we had the day to ourselves (the kids being at my parents), finishing up with a trip to Koko in Camden for the Lacuna Coil gig. Having seen that there were meet and greet tickets available, at only a modest markup over the price of entry plus a t-shirt (which was included in the package), I was sold. 4 tickets – Donna and I, plus my brother and my sister-in-law Sarah.

The meet and greet took place before the gig itself (understandably, joining an afterparty would be cool, but a) unlikely, and b) would have made work the next day rather taxing). This had the advantage that while others were forming an ever longer queue outside (some having arrived a few hours before standard entry), we got to get inside, out of the cold and wet weather, to meet Lacuna Coil.
While this ran a little late, and seemed a little disorganised at first, everyone was formed into a queue to get signatures from the band – a few had (lots of) photos with them, but most of us just had supplied posters and laminated passes to get signed. After that everyone had the option of getting their photo taken with the band (Donna, being Donna, declined this, as did James and Sarah). Obviously I took the opportunity to get the photo, complete with my usual cheesy grin.
After the organised bit, the band then mingled for a little bit. They were called on to pass on a proposal, which got a round of applause, and Donna managed to get a message from Cristina for Sian. This was probably the best bit, because they’d done their formal bit and just talked randomly to us fans, rather than just disappear off immediately. 
Having got our goodies and met the band, the meet and greeters got to claim the entire front row. Not only that, but the bar opened about 5 minutes before the main doors opened, so we got to pick up drinks from the bar and return to said front row positions.
The support act was This Is She. I wasn’t familiar with them, but they’re an American band that incorporated some more dance/dubstep elements to their sound, but with guitars and female vocals, and generally I rather enjoyed their set, buying their EP a little later on (getting that signed as the lead singer Alana was manning the merch stand at the time). Only one track from their set seems to be on YouTube at the moment, but it’s here: 
Lacuna Coil came on to play a set that celebrates 15 years as a band. Cristina definitely doesn’t look her age (and certainly less mum-sy than Nightwish’s lead at Download). They started with some recent stuff – the key track I was wanting to hear (I Won’t Tell You) was their second track, so I was happy. Soon after they played the first of theirs that I ever heard – Senzafine. After a track or 2 more I went back to meet my colleague who had come along on standard tickets and couldn’t get anywhere near the front. It was at that point I discovered that there were a lot of places in Koko where you had a limited view of the stage, and didn’t get anywhere near the front after that… however the acoustics were pretty good, so it was easy enough to enjoy the rest of the set in a more relaxed manner.
My brother preferred the acoustic set they did in the middle, and I have to say that aside from a couple of recent tracks I’m rather partial to, they were probably amongst my favourites, too. I was surprised by how many of the tracks I was familiar with – I haven’t got that many of their albums, but I have been keen on them for at least 12 years, so it was old as well as new stuff that I knew and liked, and knew at least half of the tracks, probably nearer 3/4. There was no messing about with encores, just a good, long set including all of their most successful tracks, all delivered with energy, feeling and accuracy.
One of the debates that comes up with Lacuna Coil is which is better – Lacuna Coil or Evanescence. There are similarities between the bands’ styles – more so in the early days of Evanescence when you had male and female vocals also, but for me they never managed to get those vocals to mesh properly, unlike Lacuna Coil. LC have been doing it better, and for longer, and whether they’re singing in English or Italian, they’re still the better band.