Sunday, 22 October 2017

Fraudsters get £120,000 in email scam - who is to blame?

An interesting story in the Guardian yesterday, ‘We lost £120,000 in an email scam but the banks won’t help get it back’.

The story is relatively simple, and one of those cases where the victim of the fraud was the couple that lost the money.

I have spoken out about banks and credit/debit card fraud before, where the bank are the ones being defrauded (someone lies to a bank pretending to be me, the bank believe them and give them money) - in such cases the victim is the bank not the account holder. However, this story is one where the couple in question have been defrauded, not the bank.

They were lied to by a fraudster claiming to be solicitors, and given the fraudster's bank details to which to make a large payment. The story is not 100% clear on how the email exchange was done such that it was with the fraudster and not the actual solicitors, and suggestions are that the solicitors were hacked - but that is not even necessary for such a fraud.

Twitter abounds with cries for changes. Basically, the bank did what they were told and sent money to a specific sort code and account. The CHAPS form the couple filled in will have had the warning about them not checking names, and the bank staff should have explained that, so: "presumably, they knew what they signed up for".

Who is to blame?

We all look for someone to blame, but it is perfectly possible that nobody is to blame - that the fraudster defrauded the couple, and they sent money to the wrong place, simple as that. From the story, the bank simply did as instructed (with the explained caveat that they don't check the name). If the solicitors' email systems were hacked and they were negligent then maybe they have some blame, but this scam could quite easily have happened without the solicitors actually being involved or doing anything wrong.

Should banks check the name on payments?

The issue here is people are surprised banks don't check the recipient name, and are saying that they should. You can see why, and on the face of it I would agree, except...

I am not in banking, but we deal with banks and customers and I can be pretty damn sure that this would not work.

Every day people pay us by bank transfer and get the reference wrong. We tell them the sort code, the account number, and the reference, and people manage to just about get two out of three right. If we had to tell them the recipient name as well, then they would get it wrong a lot. If the recipient name had to match then a lot of payments would fail, services would get cut off, late payment charges applied, and arguments about whether people quoted the right name or not would ensue.

We digitally sign the email we send with the bank details on it, by the way.

Even worse, do you know what your bank use as the 18 character version of your name? This is what BACS has for a name, 18 characters. Your account will have one. But even I do not know. I could be:-
  • MR AJ KENNARD
  • MR A J KENNARD
  • MR A KENNARD
  • MR ADRIAN J KENNARD*
  • MR ADRIAN KENNARD
Or any of these without the MR, or any of those with REV instead. Actually the one with a * is too long, so most systems would send MR ADRIAN J KENNAR instead. So I don't even know what to tell people as the recipient name to pay me, and it is not a lot easier for companies - which may use trading names, or have complicated abbreviations to fit in 18 characters.

Just for high value payments?

Arguably, if this was only high value payments, maybe it could be done with some manual sanity check by the receiving bank. After all, CHAPS payments have a fee, which I guess could be made higher to cover that manual work.

So fraudsters would do more frauds on payments that fit within BACS or fast payment levels, but actually, it is not hard for fraudsters to work with this and still get the large payments.

In the story the fraudster made a company - this makes sense as it is easy to make a company and then, as the company is legitimate, easy to get a bank account. So all they have to do is make a company in a similar name.

That means that either the bank's manual checks for a match pass, as the name is close enough, or simpler still, the fraudsters use the similar name in their instructions, e.g. "Pay STEED PARTNERS LTD, sort code, X, etc" when the company they are dealing with is Steed & Steed. What normal person would spot that as an error? Indeed, I bet loads of people would just follow the instructions even if a very different name - how many times have you seen companies with a well known trading name that is actually some limited company you have not heard of?

I checked there is not a Steed Partners Ltd, but googling for Steed Partners Ltd gets the Steed & Steed web site all over the place.

So basically checking names would have stopped the specific fraud, but will not stop future frauds which simply need to take a few more steps. It will also have a side effect of breaking many genuine bank transfers and causing a lot of hassle because of that.
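The trade-off described above, for both the 18 character name variants and the similar company name, as an added example that is not part of the original post. The token rules, the word lists and the assumption that the account is held as "MR A J KENNARD" are illustrative choices, not how any bank actually matches names.

```python
import re

BACS_NAME_LEN = 18  # width of the BACS name field, as stated in the post
# Assumed word lists a lenient checker might ignore (not any bank's rules).
TITLES = {"MR", "MRS", "MS", "MISS", "DR", "REV"}
COMPANY_NOISE = {"LTD", "LIMITED", "LLP", "PLC", "AND"}


def bacs_name(name):
    """Upper-case, collapse whitespace and cut to the 18-character field."""
    return re.sub(r"\s+", " ", name.strip().upper())[:BACS_NAME_LEN]


def exact_match(typed, on_account):
    """Strict check: the two 18-character forms must be identical."""
    return bacs_name(typed) == bacs_name(on_account)


def name_tokens(name):
    """Words of the 18-character form, minus titles and company suffixes."""
    words = re.findall(r"[A-Z0-9]+", bacs_name(name))
    return {w for w in words if w not in TITLES | COMPANY_NOISE}


def similarity(typed, on_account):
    """Jaccard similarity of the two token sets, from 0.0 to 1.0."""
    a, b = name_tokens(typed), name_tokens(on_account)
    return len(a & b) / len(a | b) if a and b else 0.0


def loosest_needed(variants, on_account):
    """Highest threshold that still accepts every genuine spelling."""
    return min(similarity(v, on_account) for v in variants)


# Constructed data: the spellings listed in the post, paid to an account
# assumed (for this example) to be held as "MR A J KENNARD".
ACCOUNT = "MR A J KENNARD"
GENUINE = ["MR AJ KENNARD", "MR A J KENNARD", "MR A KENNARD",
           "MR ADRIAN J KENNARD", "MR ADRIAN KENNARD"]
# The post's hypothetical similar-name company, and the firm the payer
# believes they are paying.
LOOKALIKE_ACCOUNT = "STEED PARTNERS LTD"
INTENDED_PAYEE = "Steed & Steed"


def summary():
    """Compare a strict check with the loosest check genuine payers need."""
    threshold = loosest_needed(GENUINE, ACCOUNT)
    score = similarity(INTENDED_PAYEE, LOOKALIKE_ACCOUNT)
    return {
        # How many of the five genuine spellings survive an exact match.
        "exact_ok": sum(exact_match(v, ACCOUNT) for v in GENUINE),
        # Threshold a lenient checker must drop to so none of them bounce.
        "threshold": threshold,
        # Payer types the real firm's name, account is the similar company.
        "lookalike_score": score,
        "lookalike_passes": score >= threshold,
        # Payer types the name from the fake instructions: exact match.
        "fraudster_name_exact": exact_match("Steed Partners Ltd",
                                            LOOKALIKE_ACCOUNT),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

An exact check rejects four of the five genuine spellings, while a check loose enough to accept them all scores the similar company name higher than three of those genuine spellings.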

What about signed email?

Well, sadly, signed emails still are not common or simple. One of the big issues is that any system typically needs blind trust in third parties (like https uses certificate authorities) or a web of trust (complicated for end user to manage), and some degree of user involvement in the process (not being gullible).

Bear in mind what I said above about Steed Partners Ltd. Once such a company is made and bank account made, a domain name can be obtained, and properly digitally signed with https, and certified signed email set up. The whole lot can be branded to look like the real solicitors, and the whole process can probably be done for under £100 within a couple of days.

So to scam someone, you just have to find someone that is dealing with those solicitors and send them an email (from your similar looking email address) with contact details for payment, and even (your) phone contact details and link to (your) https web site which shows the same contact details. No need to hack the solicitors email or phone system even, and calls can be made and received to confirm the payment, etc. It is quite easy to say that the email and phone number are your direct contact details. It is easy to get a number in the same area code even.

I do think proper email signing would help a lot in many cases, but it would drive fraudsters to be slightly more sophisticated. Getting people using signed emails is a long game - and one I hope will happen eventually.

Paying HMRC

Someone did suggest banks should have details of known payees and check them. Sounds good, but hang on a second - they do that...

Firstly, if I owe HMRC they send a letter (aka demand) and they have the good sense to include bank details on that. As such, I never have any trouble paying HMRC large sums of money :-(  I am not sure why the couple were paying a solicitor they had not dealt with before, rather than just HMRC - perhaps there are reasons.

Similarly if I want to pay someone I simply put the name in the on-line banking, and known common payees are listed...


What is interesting here is that even though AAISP are listed if you check, Steed & Steed are not! Maybe they should contact their bank and get themselves listed. It seems to be a BACS level thing, so should apply to all banks.

Other ideas!

Maybe the banks should simply adopt a similar view to couriers - and when paying by CHAPS, for a small extra fee you can insure the payment (with a pay out if it turns out to be some sort of fraud). I expect it might be a large fee, and I bet people would turn it down - but if that happens the banks would have an even clearer case for "not our fault".

How did they know?

One thing I have not touched on - how did the fraudster know to send the fake email? Well, there may be ways, if an inheritance, check obits, etc. The other thing people forget is that scammers can spam millions of people with one in a million happening to be dealing with that solicitor that day - it works for bank site phishing frauds. But obviously a better way is if you can access the genuine email, either the solicitors or a load of end user email accounts. Just passively searching emails could find the details you need, but intercepting can ensure a genuine email from the solicitors is removed. For this scam to have worked, there may be more to it than a random email to someone that happens to be expecting an email, and it is guesswork at this stage. It will be interesting if we see how the story pans out.

Conclusion...

At the end of the day, be careful, double check, especially when paying such large sums. As long as people are gullible there will be fraud, and all the checks and technology we put in place will not stop that, sadly.

P.S. As per one of the comments, assuming it is correct, it was the email of the couple in question that was "hacked", so there is nobody but the fraudster to blame really. The police really should be investigating - follow the money, trace who made the company, CCTV of cash withdrawals, etc.

Wednesday, 18 October 2017

Social care / low income mobile tariffs

For a very long time, since before it was BT, there have been special BT tariffs for low income customers. It used to be a "light user scheme", which fell foul of competition from the likes of Mercury for a bit, but has changed over the years.

The principle is that the majority land line provider, BT, has to offer a social care special tariff for people on low income to ensure they can afford a means of communications. It is now called "BT Basic" and "Basic aims to keep phones ringing in the most vulnerable households by charging as little as possible: £5.10 a month." which is not bad.

Indeed, that should perhaps be good enough, but so often these days an actual landline is not what people want, need, or use. Indeed, even £5 a month is a lot more than you need to spend if you go for some really simple "pay as you go" SIM card on a cheap mobile - and remember, non-smart phones can be purchased SIM free for like £9!

So the real question is should mobile operators be required to provide a special low income tariff. I expect they would want to only have to offer to those on benefits.

What would such a package need to offer?

This is just my musings from what I know of how it works...

Many of these things are covered by PAYG packages. What would make sense is a consistent package, basically the same on all of the major networks, with the same costs, so people can make sure they get the right package if they are on benefits and just need to stay in touch.

Obviously it has to be SIM only - the packages that include the "latest phone every 6 months" can only do so by charging enough on an ongoing basis. Cheap SIM free phones are readily available, so this is not a problem for someone on low income that needs to stay in touch. No, it does not get them a nice "smart-phone", but they do cost money, sorry.

In general mobile phone companies can still make some profit on incoming calls, it is not ideal these days, but basically there is a good argument that keeping a SIM live on the network is almost no cost, and even the occasional incoming call can cover that cost. So it makes a lot of sense if such a package has no ongoing rental. That way someone can stay in touch if they have no income and people call them. Some PAYG packages work like that. The same applies to incoming SMS. If you have no money at all and cannot afford to make any calls apart from 080 numbers, people can still call you back.

Freephone calls from mobile are now set up to ensure the mobile operator gets some reverse payment for the call, and so such a service could offer freephone calls (080 at least, even if not 00800) for no charge. The recipient pays.

Mobile data is a tricky one - I imagine that is not "needed" for a social care package, but maybe that is changing and actually it is becoming more important. It makes a lot of sense if this is pre-pay and charged but at some sensible rate. The whole "data" and "access to the Internet" debate is somewhat separate.

I guess outgoing calls make sense to charge on a simple pre-pay, pay as you go basis, but something the operator can manage like 1p/minute to normal numbers and something sensible for actual SMS. I suspect that this is close to cost price for a lot of operators, but this is a social "low income" package here.

Special numbers - a good gesture would be to allow 030 numbers to be free, or a certain number of minutes per month free. This is tricky as they will cost the mobile operator, but they are unlikely to be abused as they are numbers only for government and registered charities. It would make sense for the universal credit helpline to move to an 0300 number for this. I am puzzled as to why they are on an 03 and not an 030 number now!

International calls - a fair price on a pre-pay basis may make sense.

I would be in favour of such a tariff not allowing any sort of premium rate calls or texts at all. They can be a trap for those on low income, especially gambling...

So what do you think?

Should the big mobile operators be obliged to offer such a tariff to people on benefits?

(Yes, as I say, some PAYG tariffs are damn close, but should there be a defined tariff and all operators offering it?)

55p a minute

As reported a lot in the news, the leader of the opposition raised questions of the Prime Minister over the 55p/minute universal credit helpline number.

There have been many stories on this, that 55p/minute is a rip off.

But what is going on? Is the helpline set up on some super expensive premium rate number?

No, it is not. It was on an 0345 number. This is a number charged at normal rates - the same as calling a normal landline. It is not premium rate, no money from calls goes to the recipient. It is no different in cost to the millions of normal landline numbers in the country.

You would be hard pushed to find which tariff has the 55p/minute charge, and apparently there is one, a mobile package that, when calls are out of bundle, does actually charge 55p/minute for calling normal landline numbers and so for calling the helpline.

The issue is a stupid issue blown out of all proportion. It is not an expensive number, it is an expensive mobile phone contract which is expensive for all numbers.

Pay as you go mobile SIMs are readily available charging a few pence per minute, and in fact most mobile and landline contracts have an "inclusive minutes" package which includes such calls at no extra cost at all. If someone chooses a mobile contract that charges 55p/minute to call normal numbers, that is their look out - there are a lot of alternatives.

What really annoys me about this is that I would love to get the Prime Minister discussing loads of things, real issues that cause problems, but instead we have parliamentary time wasted on a contrived news story like this.

Some poor telecoms manager will be over budget now after being forced to quickly change it to a freephone number, so will be paying a surcharge for incoming calls from mobiles, when previously they did not have to pay for incoming calls and 99% of callers were not paying either as it was in their call bundle.

Is the country now run purely on news stories, even made up ones?

P.S. I have had some interesting comments on this (here and irc). Basically, if the criticism was valid it would surely equally apply to say, my Doctor's surgery, who have a normal Bracknell landline number which would also be 55p/minute on that tariff. Should everyone that could possibly be called by someone on low income be forced to run 0800 numbers?

P.P.S. Holy crap, there are scammers with web sites quoting 0844 (very expensive) numbers that presumably simply call through to the actual number...

Monday, 16 October 2017

Recording

Audio recording of conversations is a tricky business, and call recording is one aspect. The rules and advice and laws have changed. Some aspects are simple telecommunications and "interception" laws, and some can fall in to data protection where the identity of a living individual is apparent from the recording. Even with data protection laws, caveats like "public interest" and "preventing or detecting crime" come in to play. So it is not simple.

We, as a communications provider, sell telephony services where call recording is a standard feature. If you have a number from us even if connected with a mobile SIM, or VoIP phone, we can record calls and email them to you as a standard feature at no extra cost. It is really very useful.

Personally, I record all calls. As a business (A&A) we record all calls. Indeed, for business it is so common it is to be expected and you don't even have to say that calls are recorded (we think).

There are issues with "why" the calls are recorded and "who" gets to access those recordings.

Now, as a service we offer, it is important that our customers understand the rules on the recordings of calls they make or receive.

So later in the year (or next year), in light of GDPR, we need to work it all out. The plan is to make some proper legal advice on call recordings, when and how. I'll be blogging on the matter, and A&A will have advice for customers as much as we can.

At the end of the day, the fact a call was recorded usually only comes up when someone wants to deny what they said, or agreed. Once you get to that the fact you recorded the call is not the issue, it is the fact someone lied, or broke a contract, that matters. They cannot get out of that by saying they did not know the call was recorded. That is saying "If I knew it was recorded I would have told the truth" which is not going to wash with any judge, I suspect.

So watch this space on that...

But there is something weird that happened today. A public body wants a meeting, but their "policy" is (a) you cannot bring a solicitor, and (b) you cannot record the meeting. The second point is odd, well both points are odd, but especially as they say they will be recording the meeting and will send a copy of the recording...

Policy!

They say this is "policy"! Policy is a lovely term and we see it all the time. We have encountered BT policy as a company. We counter such things saying "A&A policy is X". When anyone spouts "policy" they are dictating something as an immutable rule when not considering that the other party may legitimately have their own conflicting "policy" on such matters.

It is my policy to record all meetings... This is one reason it is not me going tomorrow.

Let's record...

So we have pondered some legal points - if all participants of the meeting know it is recorded and know that we will get a copy of the recording, is there any legal impediment to us covertly recording the meeting? I think not... I am not a lawyer, but it is an interesting legal point. Comments?

You also have to wonder why, though? I can think of two reasons. The main one is for them to be able to edit the recording before providing a copy. That is not, in any way, a stated intention, and would be unethical I feel. The other is to hold copyright on the recording - but one could make your own transcript using the recording to ensure accuracy and hold your own copyright on the transcript - so not a useful right to retain. Either way, something wrong with not allowing both parties to make a recording. Neither party making a recording may be a valid thing in some cases, but hard to see why a public body would want such an "off the record" meeting, and they have not said they do. It just makes no sense to refuse us making a recording when they will and provide us with a copy!

So, what to do... We will have to see...

I find myself in one of those situations where I would love to say more - to say which public body, and what is at stake. As you may imagine, doing so at this stage could be a problem legally. But it is an interesting legal point, and I know several legal minds read my blog - so comment away...

What is the law on recording a meeting?

P.S. Thanks for all the interesting comments. Meeting went well enough and no sign of a coverup, which was a surprise. Not something we can say more on at this stage. Solicitors next. Sounds like the no-recording is just bullshit policy crap (incompetence rather than malice).

Blip

I thought I'd share one of the challenges of my day today - a very minor thing but it shows why some software can be such a nightmare. Maybe I can explain it in a way that is easy enough for non engineers to understand.

Sometimes a computer may be doing something wrong. That happens. One example which customers will have noticed is our "blip graph".

What is wrong is pretty obvious in that it is meant to have red (logouts) and green (login) bits, and until a few minutes ago it was only green. It is not a big deal, or highest priority, which is why I am looking today and not yesterday. We use it mostly to identify issues with the network, so it is useful and did need fixing.

What did you change?

One of the key steps in diagnosis of something like this is to look at what you changed. You then try and see if there is some link between what you changed and what is going wrong. In many cases you can just look at the changes and the error sticks out like a sore thumb.

A perfect example would be if I had, for some reason, been working on the code that creates the blip graph from the database, or if I had been working on the code that puts the blip counts in to the database.

I would be able to look at my change, and wonder why my own testing had not shown the problem as well. There are tools to show me exactly what I changed.

It is also really useful if a problem is reported quickly as you also remember why you changed something and what you were trying to actually do as well.

We changed everything and nothing!

The problem is that we changed everything because we have done a major upgrade on clueless. We have also changed nothing, in that none of the code has been changed, just built on the new machine.

The code that makes the blip graph has not changed, and the code that displays the blip graph has not changed. Clearly the database is working as we have some of the blip graph. Indeed, it really made no sense.

Error logs?

One of the key things that lots of systems have are error logs, and we check these. But there are no errors being reported by the system that generates or displays the blip graphs after the upgrade, and were not in the past. So no clues there...

How did it ever work?

After a lot of digging I have found the cause, and it leads to one of those special things that can so often happen with software. HOW THE F*CK DID THIS EVER WORK?!

The "digging" took quite a few hours, because there simply was no logic to it. Nothing had been changed recently in the code, and no errors showing.

I quickly worked out that the displaying side was probably OK, but the database has zeros for the "logouts". The code to record the data looked the same for both login and logout, so how could it only be recording one side?

The eventual bug was a stupid mistake on my part in the code, written 8 years ago. I was comparing a date and time value with a time field in one case because of a simple typo. For the login side I did not have the same typo. It was subtle.

The problem is that the database server used to (silently) decide that I meant to just compare the time part, and get on with it, so it "just worked". Now, some change in the date/time logic in the database means that it considers the comparison not to match - though not an error, so it (silently) does nothing, instead.

The fix was therefore very simple, and now we have working blip graphs. Just one of dozens of small things to check today. So, if you do see things not quite right on clueless, do let us know.
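The failure mode described above, as an added Python model that is not the original code or its SQL. The row layout, function names and sample events are assumptions made for illustration; the three comparison functions stand in for the old database behaviour, the new one, and a defensive check that turns the typo into a visible error.

```python
from datetime import datetime, time


def coercing_eq(column, operand):
    """Old behaviour as the post describes it: a date-and-time value compared
    with a time field is silently reduced to its time part."""
    if isinstance(column, time) and isinstance(operand, datetime):
        operand = operand.time()
    return column == operand


def silent_eq(column, operand):
    """New behaviour as described: mismatched types simply never match.
    Python's == does the same for time vs datetime: False, no error."""
    return column == operand


def strict_eq(column, operand):
    """Defensive variant: refuse to compare values of different types."""
    if type(column) is not type(operand):
        raise TypeError(
            f"comparing {type(column).__name__} with {type(operand).__name__}")
    return column == operand


def record(events, eq):
    """Tally events into per-minute rows keyed by time of day."""
    rows = {}
    for _, when in events:
        slot = when.time().replace(second=0, microsecond=0)
        rows.setdefault(slot, {"login": 0, "logout": 0})
    for kind, when in events:
        minute = when.replace(second=0, microsecond=0)
        # The typo: the logout path passes the whole date and time, the
        # login path passes only the time part.
        operand = minute if kind == "logout" else minute.time()
        for slot, counts in rows.items():  # like UPDATE ... WHERE slot = ?
            if eq(slot, operand):
                counts[kind] += 1
    return rows


def totals(rows):
    """Return (logins, logouts) summed over all rows."""
    return (sum(r["login"] for r in rows.values()),
            sum(r["logout"] for r in rows.values()))


# Constructed sample events: three logins and two logouts.
EVENTS = [
    ("login", datetime(2017, 10, 16, 9, 0, 5)),
    ("login", datetime(2017, 10, 16, 9, 0, 40)),
    ("logout", datetime(2017, 10, 16, 9, 0, 50)),
    ("logout", datetime(2017, 10, 16, 9, 1, 10)),
    ("login", datetime(2017, 10, 16, 9, 1, 30)),
]

if __name__ == "__main__":
    print("coercing:", totals(record(EVENTS, coercing_eq)))
    print("silent:  ", totals(record(EVENTS, silent_eq)))
    try:
        record(EVENTS, strict_eq)
    except TypeError as err:
        print("strict:  ", err)
```

With the silent comparison the logout counts stay at zero and nothing is logged, which is the all-green graph; only the strict comparison would have put the typo in an error log.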


I hope that gives some insight in to the perils of programming.

Sunday, 15 October 2017

Clueless

I do feel it worth acknowledging the work of the A&A ops team, and especially Jimi and Brucey, for the upgrade today. They are not alone and we have all been involved in the planning for this. Even those not in the ops team have helped out and tested things, and thanks to customers for ongoing feedback.

We have a core server which has logically been the main database and control pages for everything we do for nearly 20 years. It has had many upgrades, but has got to the stage that we really need to do something new and a big upgrade.

A lot of functions are already moved to new servers, with extra redundancy. The database server moved to a cluster of sql servers. Lots of internal VLANs and VPNs. Lots of backup servers. And much more we can now move and diversify.

But today was the big upgrade of "clueless".

It is interesting to think how "clueless" has changed over the years - at the start it was very much "the" key database server albeit only for our dialup services and even then accounts were very much separate. Now it covers many more services but is far less critical being mainly a front end for staff and customer use. Even so, it is an important server.

For those that do not know, the origin of "clueless" is a cartoon from June 2000.


It is that old in origin. Yes, we have a "pointy" as a test platform for clueless...

The changes are supposed to be simple, but the upgrade is operating system, and apache, and mysql, and, well everything. Apache config has changed enough that despite a lot of planning and testing it has taken hours of work today to get it right. Scary how many things run on clueless, at least for now.

But all tools and scripts, and there are a lot, needed rebuilding and testing and fixing.

There will be some things not fixed until tomorrow, but the basics are all working and the important things were sorted first. Well done all.

Friday, 13 October 2017

Another little gem in the OFCOM CoP

There is another little gem in the OFCOM Broadband Speed Code of Practice in 2.23:

When network infrastructure providers or wholesalers make available the live access line speed that is actually received on the customer's specific line, ISPs must use this as the basis for speed estimates (rather than using an access line speed range for similar lines) in circumstances where they will be using the same infrastructure and access technology to provide service. This must incorporate the measures of contention derived from the testing outlined in paragraph 2.20, and should still take the form of a range, where possible.

So, let's make sense of this. Normally the requirement is to provide a range of estimated speeds that are the 20th and the 80th percentile speed of "similar customers", and set a guaranteed minimum of 10th percentile speed. As I say this makes one in ten lines faulty by definition.

But consider one of those random one in ten that are faulty, getting service. They complain. The ISP "canna change the laws of physics captain" and it gets no better, so the customer gets a refund and leaves to another ISP.

So the new ISP ideally gets to see the sync speed, or gets from a carrier new speed figures based on the carrier knowing the actual sync speed. This gives a few problems :-
  1. Knowing the new sync speed it is still necessary to report a "range" ("where possible"). Well, the only range allowed is 20th and 80th percentiles, but this is a sample size of one! The 20th and 80th percentiles are the actual sync speed of that one sample. How could a range be given? What are the rules for working out that range? I can only assume it is going to be not possible, or the range will have to use some other, perhaps saner, criteria than percentiles.
  2. Assuming the ISP just makes shit up and picks a range from below the actual sync to above the actual sync in some arbitrary and undefined way, and then, of course, picks an arbitrary minimum guaranteed speed that is even lower, what then? Well now the customer migrates to a new ISP, using the same modems and the same line, and getting the same speed. All that has changed is that now they no longer have cause to complain.
This helps the customer how, exactly, OFCOM?
This helps the ISPs or gives them any incentive to change things or invest, how, exactly, OFCOM?

Maybe the existing ISP, on complaint, can offer to "migrate you to us, at no charge, here are your revised speed estimate and guarantee"? Who knows...