Sunday, 28 February 2010

Father's Day flying gift ideas

Following on from my last post, it appears that the gliding club is doing the same for Father's Day. In other words, they will offer a trial flight gift voucher for Father's Day too.

Finding an interesting and thoughtful gift for Father's Day is perhaps easier than for Mum - football tickets, or a nice bottle of wine, perhaps - but surely what he wants most is the chance to fly? Certainly that would be number one on my list, though I'm a pilot. But seriously, almost all fathers will appreciate a trial flight.

Again, I wish them success with this campaign - the more trial flights we have, Father's Day or otherwise, the more revenues we generate, the more members we recruit and generally the more flying we all do. Not bad, eh?

Saturday, 27 February 2010

Mother's Day Gift Ideas

I always struggle when it comes to Mothering Sunday - or Mother's Day, as it has become known. Buying my Mum an interesting and thoughtful gift is harder and harder each year - a bunch of flowers and some chocolates just doesn't meet the grade. This is why it was interesting to see my glider flying school offering Mother's Day gift vouchers. This is ideal if your mother is local to Cambridge or Bedford and keen on trying something new - which mine is - but I know that it may not appeal to all mothers.

Still, I wish them all the best with this campaign - the more trial flights we have, the better services the club can offer.

Friday, 12 February 2010

In the doghouse: Barclaycard

ATTN: Elaine Mockler, Customer Service Director, Barclaycard

I travel a fair bit for work, racking up considerable expenses all over Europe in the process. A long time ago, a good friend of mine gave me a tip: always use a different credit card for expenses and avoid using your own cards as much as you can. This is excellent advice and has helped keep me sane in many different and trying situations. Like this latest episode with Barclaycard.

For the second time in less than a year, my Barclaycard has been compromised - much to my annoyance and disgust. I am disgusted that my card security can be broken so often and so quickly. Working in Information Security, I am perhaps more careful than most: I encrypt my electronic data whenever and wherever I can, I shred all semi-official and official letters, and I am very careful as to how and when I purchase on-line. Further, I do not share my personal data if I can avoid it, actively opting out of information requests wherever possible.

However, without me breaking the law by faking or hiding my identity, many aspects of my true personal identity are available for all to see. Electoral rolls, birth/marriage/death certificates (the original joiner/mover/leaver lists?), and numerous other widely-accessible databases can be rapidly used to identify exact address, date of birth, and mother's maiden name, for example.

So for a bank just to rely on this exact same data is criminal.

This is how my card was compromised:

  1. Somehow my card number and full name were intercepted. How I do not know, but I suspect it could be one or more of the following: dodgy WiFi service, hacked online database, physical swipe at restaurant/hotel, or the bank's internal/outsourced card management division (Indian call-centre perhaps?).

  2. With this information, an identity profile is quickly assembled, e.g. using the tools and databases mentioned above.

  3. Fraudster then phones the corresponding bank (easy to identify from the initial digits of the Visa card number, as the first few digits match the specific issuing bank).

  4. Fraudster then has to answer the address, DoB and Mother's maiden name trio to authenticate themselves.

  5. Fraudster then can change the victim's address, credit card limit, contact details, etc. Even request a new card, an additional card holder, etc.

  6. Fraudster then can start shopping online (typical 'cardholder not present' transaction) and have the goods delivered to the new address (which is fake, disused, or otherwise untraceable to the fraudster himself). And yes, it's normally a 'him', rarely a 'her'.

The attack would have succeeded were it not for the following. Barclaycard has an automated text message service to advise you of changes of address. This simple little tool allowed me to respond and shut the attack down before the fraudster could complete the scam.

So why is Barclaycard in the doghouse? I should be pleased with this service, right?

Wrong! Let me detail the many reasons...

(By the way, the number in the text message of course did not seem like a typical Barclaycard phone number, and I proceeded very carefully to ensure that this was not a different scam, i.e. someone pretending to be the bank and grabbing all the data that way. As an aside, many people fall for this scam each year - we are not used to the bank proving they are who they say they are. If they led by example on this, we would not fall for this kind of scam nearly as often.)

The credit card compromise failed this time simply because the fraudster made a mistake. Next time, he'll change the mobile phone number first. Then, later, he will change the address and perform the remaining actions.

Barclaycard do not have an automatic letter or email service to query a change of mobile phone number. This is so very wrong...

Furthermore, after this latest compromise, Barclaycard finally offered me the chance to add a password on to my account. If this had been implemented when the account had been first opened (as I requested), or after my previous card had been compromised, I may feel better disposed towards them. But relying on the publicly known trio of questions (address, DoB, mother's maiden name) is wrong, wrong, wrong!

To add further insult to injury, after setting a password on my account, they sent me a new, replacement card attached to a cover letter. This card apparently needed activating before use, which you do by calling a specific phone number. Whether this call really activates the card or not, I cannot say. I doubt it though, as it actually isn't a service run by Barclaycard, but by a card protection and insurance company trying to sell you credit card and identity theft protection.

The irony is not lost on me.

Of course, this service has to go through the motions of authenticating me, so imagine my surprise when, yes, they only need the new credit card number (supplied on the card and also helpfully printed on the letter as well - why?!?), your name (printed on the letter), your address (yup, on the letter) and your DoB (oh, about 5 seconds to look up online). No account password, and for a change, no mother's maiden name either.

How exactly does this authenticate me as the correct recipient of the credit card?!

And of course, the card's CVC number has been printed in an ink that seems to run sufficiently well to leave a very readable mirror image on the letter itself.

All in all, Barclaycard score a 3/10 for credit card security.

How could they improve? Here are some starting points:

  1. Change the authentication mechanisms. Drop the insecure triad and move to something only I (or very few people) would know: name of my first pet, my second car, my first kiss, etc.

  2. Never, ever, print the full credit card number in correspondence (use **** **** **** 1234 instead, for example).

  3. Never outsource your credit card authentication service. Ever.

  4. Send a letter to the old address, a text to the old mobile number, etc. when these contact details are changed.

  5. Authenticate yourself to your customers - prove that you know a shared secret (a password, but in reverse, for example). Train your customers to expect this every time you contact them. With time, they will grow to expect and demand this - reducing fraud.

  6. Finally, prosecute these fraudsters. Stop accepting the current levels of fraud and invest more in combating this. It will gain you good publicity and attract/retain customers. And investors.
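As an added illustration (not Barclaycard's code, nor anything from the post itself), points 2 and 4 above modelled as a small account-servicing module: correspondence carries only the last four digits of the card number, and a change to a contact detail triggers a notice to the old value as well as the new one, so the genuine holder still hears about it. The card number, address and mobile numbers are constructed sample values.

```python
from dataclasses import dataclass, field


def mask_pan(pan: str) -> str:
    """Return the card number with all but the last four digits replaced
    by '*', grouped in fours, e.g. '**** **** **** 1234'. Spaces in the
    input are ignored; implausible lengths are rejected."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


@dataclass
class Account:
    """Constructed sample of a cardholder record (hypothetical, not a real API)."""
    pan: str
    address: str
    mobile: str
    # Outbound notices as (channel, destination, text); a real system
    # would hand these to a letter-printing or SMS gateway.
    notices: list = field(default_factory=list)

    def change_contact(self, detail: str, new_value: str) -> None:
        """Update a contact detail and notify BOTH the old and the new
        destination. The old one is sent first: that is the channel the
        legitimate holder still controls if the change was fraudulent."""
        if detail not in ("address", "mobile"):
            raise ValueError("unknown contact detail")
        old_value = getattr(self, detail)
        setattr(self, detail, new_value)
        channel = "letter" if detail == "address" else "sms"
        text = (f"Card {mask_pan(self.pan)}: your {detail} was changed. "
                f"If this was not you, call the number on the back of your card.")
        self.notices.append((channel, old_value, text))
        self.notices.append((channel, new_value, text))


if __name__ == "__main__":
    acct = Account("4111 1111 1111 1234", "1 Old Street", "07700 900001")
    acct.change_contact("mobile", "07700 900999")
    for channel, destination, text in acct.notices:
        print(channel, destination, text)
```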