2020-05-20

Case study: Payments and trust (Monzo)

Credit (and debit) cards are immensely useful, and I am even more appreciative of them after the fiasco with a holiday refund. Amex were great.

But there is always a balance of trust with customer and supplier, and a range of ways to manage that. Cards provide a good means to handle suppliers that fail. Direct Debits also offer some high level of bias towards the customer, which is very important because of how easy it is to collect payments. This ability to claim for a mistake helps ensure Direct Debits are rarely used for fraud.

For the most part, whichever type of payment is used, where supplier and customer are both honest, all goes well. Sadly when one or the other is not so honest, or even something unexpected, like a global pandemic, happens, the way you pay for things matters.

But sometimes, as a supplier, you want a reliable payment that you know cannot be clawed back or reversed. This is, of course, a huge bias towards the supplier, and away from the customer, but it is also rather "traditional" in that cash payment was always irreversible.

Bank transfers via BACS, or fast payments, provide this - they are like cash, and generally impossible to reverse as the person paying. Obviously the person paid can send money back if they want. They do create an audit trail, you know where the money went (unlike cash), which helps with any possible fraud.

As a business we do a lot with Direct Debits. This puts a lot of control in the hands of the customer who can make a DD guarantee claim at any time, and we would have to reimburse the bank. Thankfully this is rare, but it does allow some opportunity for fraud by a rogue customer using someone else's bank details. This is one reason why suppliers are expected to check the bank details of new DD instructions where they can. That is not so easy.

Thankfully Monzo have opened up an interesting new option for us - a deposit by fast payment!

We have started asking for a deposit, for new accounts, optionally, for some services (VoIP and L2TP). Just £10 paid by bank transfer as part of the order process. We see it instantly, and it provides the bank details for setting up the Direct Debit for on-going payment.

We have even set it up so that we will automatically send the money back in a few days if the order does not go through.

Whilst we face very little fraud, we have found some services, like VoIP, have had issues. Providing the service instantly, even in the middle of the night, means that false/fraudulent details do not show up for a couple of days, or much longer. Until now we have actually blocked some types of out-of-hours VoIP orders because of this, which is not ideal.

Taking payment by card would be an option, but that too is rather biased to the card holder, and does not allow us to validate bank details for Direct Debit. We have had cases of card fraud too.

The deposit is optional, but we are making it so that the order can go ahead instantly if you make a deposit. At the end of the day this is not about the £10, it is that a scammer will not want to send any money. If it is their account, those account details can go to the police if there is fraud. They are creating much more of a paper trail by sending money. Of course if they have compromised someone else's account they can send a deposit, but I am sure they have more interesting things they can send money towards than our services in such cases. I hope so.

This means we have opened up the VoIP ordering at any time of day if you pay a small deposit. Ongoing payments are then by Direct Debit, which give the customer a lot of control if we do anything wrong, but we are able to ensure we have the right bank details that match the deposit. It seems to me to be a good trade off - the trust/risk is biased to us for first £10 and then to customer ongoing by Direct Debit.

We have been running it for a few days, and in spite of it very clearly being optional, so far, every new customer has chosen to pay a deposit - which is really great news. Apart from one test we ran to ensure we do auto-refund, nobody has given up on an order after paying a deposit, either.

It is a very different approach to taking credit cards, which is so common these days, and I think it is working well. And it is all down to Monzo providing the instant feedback for us via a web hook for the incoming payment.

If someone does not want to pay a deposit, that is fine, but it means accounts staff checking the order during office hours, and adds a small delay. So it is a choice people can make if they want, either way.
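The checks described above (match the £10 to an order, keep the paying account's details for the Direct Debit, refund if the order stalls), as an added sketch that is not A&A's code and does not use Monzo's actual web hook format. The event fields, the function names and the three-day refund delay are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

DEPOSIT_PENCE = 1000                # the £10 deposit from the post
REFUND_AFTER = timedelta(days=3)    # assumption: the post only says "a few days"


@dataclass
class Order:
    ref: str
    created: datetime
    deposit_from: Optional[Tuple[str, str]] = None  # (sort code, account) that paid
    deposit_at: Optional[datetime] = None
    completed: bool = False
    refunded: bool = False


def normalise(sort_code: str, account: str) -> Tuple[str, str]:
    """Strip dashes and spaces so '12-34-56' and '123456' compare equal."""
    digits = lambda s: "".join(c for c in s if c.isdigit())
    return digits(sort_code), digits(account)


def on_incoming_payment(orders: dict, event: dict, now: datetime) -> str:
    """Handle one incoming-payment notification (hypothetical, already parsed)."""
    order = orders.get(event["reference"].strip().upper())
    if order is None:
        return "unmatched"          # no such order: leave for accounts staff
    if event["amount_pence"] != DEPOSIT_PENCE:
        return "wrong-amount"       # not the deposit: do not unlock anything
    if order.deposit_from is not None:
        return "duplicate"          # a second payment never replaces the first payer
    order.deposit_from = normalise(event["sort_code"], event["account_number"])
    order.deposit_at = now
    return "deposit-recorded"


def direct_debit_decision(order: Order, sort_code: str, account: str) -> str:
    """Decide whether the order can go ahead instantly on these DD details."""
    if order.deposit_from is None:
        return "manual-review"      # no deposit: staff check during office hours
    if normalise(sort_code, account) == order.deposit_from:
        return "instant"            # DD account is the one that sent the money
    return "reject"                 # DD details differ from the paying account


def refunds_due(orders: dict, now: datetime) -> list:
    """Orders whose deposit should be sent back because they never completed."""
    return [o.ref for o in orders.values()
            if o.deposit_at and not o.completed and not o.refunded
            and now - o.deposit_at >= REFUND_AFTER]


if __name__ == "__main__":
    # Constructed sample data: an order placed at 2am and its deposit.
    t0 = datetime(2020, 5, 20, 2, 0)
    orders = {"ORD123": Order("ORD123", t0)}
    event = {"reference": "ord123", "amount_pence": 1000,
             "sort_code": "12-34-56", "account_number": "12345678"}
    print(on_incoming_payment(orders, event, t0))
    print(direct_debit_decision(orders["ORD123"], "123456", "12345678"))
    print(refunds_due(orders, t0 + timedelta(days=4)))
```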

I am really pleased that Monzo have meant this is now possible. It is a shame the major existing banks did not think it worth while providing this level of control and information to their customers really. Well done Monzo!

P.S. Sales pitch - if you are a business and need this type of integration, we know people that can help you (some A&A customers we work with).

2020-05-16

Holiday refund

Like many, in those heady care-free days of 2019, I booked a holiday, and now it is not happening.

If you are stuck without a refund for your cancelled holiday, do keep reading for some of the options I explain below.

The amount does not really matter - for anyone booking a major holiday, whether a few hundred pounds, thousands, or tens of thousands, it will be a lot to them. That is how we all work. There is a BBC article about a school holiday firm not refunding people - it seems to be happening a lot. In my case, having had debt in my life in the past, I try to make a rule of not spending money I don't have. Sadly, this holiday was for my family (those that can sensibly go on a cruise) and co-ordinating a cruise they all were happy to go on, with dates they could all go, for 7 people, was not easy. So when I managed it I snapped it up, extending my mortgage to pay for it. If I had any inkling about 2020 I would not have done that, obviously. So, in short, like everyone else stuck with an intransigent holiday firm right now, this is a lot of money to me.

When the "lockdown" started we had no idea how long it would last. The cruise was planned for June, and my grandson is so looking forward to it - I even made him a countdown clock he has by his bed with days, hours, minutes, seconds to the cruise on it. We sort of hoped it would still be on, but understandably we were concerned at going on a cruise due to the close quarters of so many people.

NCL had cancelled some cruises, but not ours. Then they launched a Peace of Mind scheme. This allows you to cancel up to 48 hours before sailing for a credit of what you paid against a future cruise by 2022. This is a great deal compared to their normal cancellation policy/terms. I can see a lot of people going for this, especially with the perceived dangers of being on a cruise.

But this was, itself, a bit cunning. It means that lots of people leave their money with NCL, voluntarily, rather than getting a refund. Well played NCL.

I did consider it, but sadly it makes no sense for me. The effort of organising 7 people and a date and the right cabin was hard enough - I have been trying for years. The chance of that cabin coming up at all is slim, and it being on a suitable date to a suitable destination is pretty much zero. The time limit means that even if I found other suitable cruises, we would end up wasting some of the money. So no, I decided to wait. That said, I was getting concerned in case NCL waited until the last minute to cancel.

Finally, on 24th April, they cancelled the cruise. This was, in many ways a relief. Given the financial uncertainty facing us all, I would rather put the money back on my mortgage than spend it on a cruise. Also, I was uncertain a cruise was a good idea at all at the moment. So, yes, phew, I could get my refund.

However, the wording of the NCL notice cancelling the cruise was odd. It said they would give me a "refund" by way of a cruise credit and 25% bonus, and that if I wanted the "lesser refund" of just what I paid, I could fill in a form (not yet available) and wait 90 days. Well, no, the terms are crystal clear and have no ambiguity at all - they have to refund me within 14 days, simple as that. Obviously I could choose to agree alternatives, but if not, it is refund. In light of the wording I contacted them, on Twitter, and Facebook (and once I found the email address) by email.

I got a ticket reply saying they would answer in 48 hours. But nothing, not for 5 days, and then only confirming their idea of a cruise credit or refund in 90 days.

A few days later my NCL account page showed a cruise credit, but even with a 25% bonus it was around half of what I had paid, and expired next March. That is not a good deal!

This got silly with various exchanges, with them continuing to refuse to acknowledge their own contract terms.


Then they posted that "Terms and conditions are subject to change". I was fuming! Nothing in their contract allows them to change terms like this.

Obviously a change to the contract like this would not normally be legal. Even if their terms allowed such changes that would probably fall foul of consumer protection legislation. The Competition and Markets Authority are also looking in to this. This makes it clear that refunds should always be a clear option and paid in a timely manner.

They backed down a bit, saying the terms at the time I booked do apply, but still refusing to acknowledge that they have to refund me in 14 days. They really went in to "head in sand mode"...

Am I being reasonable? Are they?

One thing to get out of the way is the question of whether I am being unreasonable. After all, these are somewhat unprecedented times.

If you have ever been on a cruise (not just NCL) you will know how petty they can be - even an "all inclusive" cruise, sold using those exact words, will find you able to drink as much whisky or wine as you like, but paying $5 for a bottle of water or a coffee. It is unbelievable, and takes a lot of getting used to.

All I am asking is that they do what they agreed, nothing more, and this is what they agreed in the case of "circumstances beyond our control" such as "epidemic". This was not something they did not foresee in their contract. Given how petty they are I feel entirely justified in simply asking that they do what they agreed, nothing more, nothing special. And I fully endorse that they are offering a range of alternatives for those that want them, including bonus credits and discount holidays. Well done.

But one has to think of the bigger picture. If everyone expected them to do what they agreed (something we used to call "normal" for contracts), they would go bust, wouldn't they? Well maybe, but they are offering attractive alternatives, and if many take those, they have it covered, one would hope.

One argument is that holiday companies are having to wait for refunds from their suppliers, and hence unreasonable to expect them to pay up as per their terms. This is not a good argument, as it basically means a short term cash flow issue for a business, which is exactly what a loan is for. The government are even backing business loans for just this sort of reason. It is not fair to expect consumers to lend money, interest free, without any choice in the matter. In my case it is literally costing me interest!

So, basically: if they had asked to borrow my money; if there was clear protection in case they go bust; and if they were paying competitive interest on the loan; then maybe I would consider it reasonable. Otherwise, no, sorry, even in these circumstances (especially in these circumstances) I do not think they are being reasonable.

What are my options

There are some options, and this is perhaps where this blog post will be helpful to others in the same situation.

Waiting / taking up their offer

One option is to accept what they say, agree new terms waiting 90 days for a refund, or accepting the cruise credit. As I say, a cruise credit is unlikely to be something I could use in the time limit, but my main concern is whether they go bust, and if they do, it is unlikely I will ever see my money from them. So no thanks.

Dispute/chargeback

This is a useful one if you pay by card, as the card schemes all have a dispute/chargeback process. Basically it allows you to dispute a charge and if agreed, to get the money back.

The only issue is that it can take a couple of months, it seems. I also get the feeling it is reliant on the card company getting the money back, so if the company goes bust before the dispute is resolved, it may not work.

When I got the message about terms changing, even though several days to go before the 14 days were up, I took that as them saying they would not honour the contract, so I put in a dispute on Amex - why not?

Holiday Insurance

Holiday insurance may be an option. It has possible issues, and this is one for the lawyers to comment on I am sure. I bet every insurance company has a team of people making sure they know exactly where they stand.

One possible issue I have heard, and cannot be sure of, is what happens if I pay for someone else to go on holiday. Does my insurance cover that, after all, if they don't get the holiday I have not lost out. Does their insurance? After all, they have not lost money. In my case this was a holiday for 7 people - would I only get my share back from my holiday insurance?

I also don't know what happens if you accept a cruise credit instead - you have not lost out then, so does insurance cover it. If they later go bust, it is the credit, not a holiday that you have lost. I have no idea if that is covered.

I also hear that some insurers no longer cover COVID-19 issues for holidays booked after a certain date (mine was well before).

It remained an option for me if all else fails. 

Consumer credit act

This is a biggie - if you pay by credit card you have extra protection, as the card company end up jointly liable with the supplier for providing the goods and services. Liable for the whole lot even if you only pay part (e.g. a deposit) on a credit card. And this liability is on the card company even if the supplier goes bust. So long term this is a massive consumer protection for you.

Obviously it could take time, which is no help if you need the money now, and sadly it does have an upper limit, which won't be an issue for most people.

What I don't know is whether accepting a cruise credit would remove this option - one for the lawyers to comment on.

County court

This is always an option when someone breaks a contract, and the Money Claim Online web site makes it quite easy. It costs a bit, but that is added to the claim.
  • In a perfect case, you issue a claim and the defendant coughs up. This happens a lot when the defendant is simply in the wrong, and they know it, like NCL do.
  • In a slightly less perfect case you issue a claim and they ignore it. Two weeks later you get judgement by default (one click on the web site) which takes a day or so. At that point you can pay for bailiffs to go round and collect money or goods. NCL have a Southampton office, or maybe the bailiffs could find an NCL ship in a UK port :-)
  • Sadly if they do put in a defence, no matter how daft, it goes to a hearing, which takes time. It probably takes a lot more time in "lockdown" as well.

Given my options, and the time the Amex dispute could take, this was a real consideration. I even sent a formal "notice before action" after I had waited 7 days to allow me this option (you have to do that before you take someone to court giving them time to pay up instead).

Statutory demand

One option I had forgotten, and was suggested on Twitter, was a Statutory demand.

The principle is simple, any company that cannot pay its debts as they become due has to be wound up. If you are owed more than £750 you can serve a Statutory Demand for the money. They get a few weeks to pay, and if not, then you have to go to court and get a winding up order, forcing the company in to liquidation.

This is tricky, if they don't pay you wind them up (which costs money) and may not see any money. The idea is that no company ignores a Statutory Demand, and would rather pay what, for them, is a relatively small sum than be forced in to liquidation.

One issue is that NCL (Bahamas) Ltd is a UK establishment of a foreign company. Given a UK office, I may be wrong, but I am reasonably sure I could take them to court and even send bailiffs - I have no idea if it is possible to actually wind up such a thing.

So I decided to basically rule this out, especially as I have never done one before.

What happened

Amex are stars! What can I say!

I put in the dispute on the web site - it is simple - find the transaction, answer a couple of questions and put in a one line description. I did that.

The next day, I got around to making up a PDF with screen shots of the terms, and discussions to prove I had tried to resolve it and that the cruise was cancelled, etc. This is to upload on to the dispute.

But I could not find the dispute, it was not there. I checked "closed" disputes, and there it was. I was about to get cross at them rejecting my dispute, but clicked on it to see :-


Wow, just wow, this was in under 24 hours. I had not even loaded my "evidence" yet. What can I say. A couple of days later it shows on my Amex app. A quick message to Amex, and the credit is being sent to my bank.

I really have to thank Amex for making that such a quick and easy option. I am really impressed with their customer service. This was causing a lot of stress for me, and is such a weight off my mind now.

Two weeks later, NCL still show the cruise credits and no indication of the chargeback, they even called me trying to get me to book more cruises with my cruise credits, and they really did not understand the whole concept of being in breach of contract. Crazy. It may be some time before we remotely consider a cruise, let alone with NCL.

2020-05-06

Cycle lane logic?

There are a number of separated cycle path / footpaths on the estate where I live, and I use these a lot, both walking and cycling. As a cyclist I always notice the people walking on the wrong side :-)

However, I wondered if there was any logic to the way the sides are chosen. So I decided, on my walk this morning, to take a few pictures and see if there was indeed any logic to it.

I am not sure there is.

The first one is off the main road outside the estate, so at that end there is no preference for which side would be better as a cycle lane. However, at the other end (2nd image) one side goes on to the footpath and the other on to the road. It makes sense that the side that goes on to the footpath is the footpath, and so it is, very logical.


The next one is not so obvious. On one end, one side goes on to the footpath straight on, and the other at right angles. However, on the other end (2nd picture) one side has no footpath, so makes sense to be the cycle lane, as shown. Not that daft.


The next one is much more obvious. As you see on the approach (1st picture) the foot path continues in to the cycle path and serves several houses, so pretty much has to be the footpath side. The other end is just on to the road, so no preference. Good choice.


This final one does annoy me when cycling. At one end (1st picture) it is just on to the road, but at the other end (2nd picture) the left side has no path, it goes on to the road, yet they have chosen to make the cycle path the other side, with a give way. OK, they would have had to put the pole the other side, but that is the sign saying which side is which.


So maybe there is no logic at all and it is just random, who knows.

2020-05-02

JSON all the things

I have a feeling that industry is moving away from XML and towards JSON...

Just a feeling, but even HMRC, who used to use XML for VAT and do for RTI, have moved to JSON for MTD (VAT).

Fundamentally XML is too complicated - especially with name spaces. The options in XSD (which is the common way to define what is valid in an XML file) are also a bit of a mess - defining the order of the XML objects even, which is a pain if you ever work with any XML. JSON does not expect values in an object to be in any order (just in an array).

JSON is simpler in many ways, but there are differences. The type of a simple value can be more than just text (as you have in XML), it can be null, boolean, number, or text. Javascript tends to just convert between things seamlessly in most cases. It does get to be fun in arrays where each value can be a different type, even an object or array itself.

JSON also makes it a lot easier to create and process using languages like Javascript, obviously.

As it happens, at A&A, we have been working on new APIs for our control systems (more on that another day), and these are all JSON based too. But this week I have started on some work on the accounts system.

I now have JSON for documents, i.e. invoices. We currently allow customers to access invoices in XML, PDF, Plain text, and HTML, and as of now also JSON. You can ask for a JSON attachment to be automatically included in your invoice emails if you wish - digitally signed, obviously.

Whilst we have loads of work behind the scenes improving the way the accounts work, this JSON interface should be pretty stable now.

2020-04-23

Be reasonable

Update: New rules 13th May change the examples that are reasonable.

This is a blog about a little bit of the way laws are drafted. I am not an expert on legal drafting, and not a lawyer - however, laws are meant to be understood - as a member of the public I should be able to work out if something I am about to do is legal or not, even if that means I need a bit of help to understand the way laws are written. I'd be delighted in any feedback from those that are experts.

I'm picking, topically, on section 6 of The Health Protection (Coronavirus, Restrictions) (England) Regulations 2020 as amended. In particular, it basically says, in 6(1) that you need a reasonable excuse to leave home.

So that gives us a test - is my excuse a reasonable excuse or not. If that is all it said, it would be somewhat open to interpretation, and my view could be very different to yours. This is an issue where one party is a policeman and disagrees on what is and is not reasonable.

Of course, I would hope, being public health legislation, not public order, that any excuse that does not pose a public health risk should be considered reasonable. It is a shame there is not a paragraph clarifying the basis of a reasonableness test. Surely taking your household for a drive to a secluded spot for a picnic should be reasonable, clearly, as not a health risk as you do not interact with anyone. Even more reasonable if you ensure well serviced car, enough fuel, and driving carefully. Sadly this is not so simple, and we know the police are quite clear on that not being reasonable, so we need clues. We need to know how to apply this reasonableness test.

6(2) of the regulations helps, it defines reasonable as including... and a list of things. The use of the word "including" here is very important as it means it is a non-exhaustive list. It means something may be reasonable but not on the list. Sadly it gives no real idea how to tell if things not listed are or are not reasonable. So, for example, I would consider feeding a horse reasonable, but that probably comes under 6(2)(h) as a legal obligation under animal welfare laws.

This is where a computer programmer and a lawyer would diverge somewhat. To a computer programmer the rules in 6(2) are simple tests - if you pass any then you are reasonable. If not then there is an implicit final "generally reasonable" test, but the wording of the tests in 6(2) would not have any bearing on that "generally reasonable" test.

However, the wording does matter. The items in 6(2) are not simply positive things. They do not say "this is reasonable" and "that is reasonable", no, they say "this is reasonable except in this case", and "that is reasonable, if another thing applies".

This is quite clever in a way as it uses examples to couch the boundaries of the test, to say what goes in and what goes out - where the line is drawn.

So, for example, 6(2)(ga) to visit a burial ground or garden of remembrance, to pay respects to a member of the person’s household, a family member or friend; says visiting a burial ground is reasonable, but only in some cases. It has caveats, and they matter. If it was just that visiting a burial ground was reasonable the clause would not go on to say member of the person’s household, a family member or friend at all, so this means that visiting someone you don't know is not in fact reasonable.

So even though 6(2) is a non exhaustive list, using "includes", every restriction or caveat in the clauses in 6(2) effectively defines the edge - the line beyond which something is not reasonable, for those things that are listed.

Looking at 6(2)(b) to take exercise either alone or with other members of their household; the caveat either alone or with other members of their household matters, and so exercise with someone else is not reasonable. As I say, as a computer programmer it would be different - exercise with someone else would simply fail 6(2)(b) but a "generally reasonable" test would not consider why it failed 6(2)(b), or that 6(2) has a test relating to exercise in it with caveats. However in English, those caveats start to matter as we list "exercise" and they say where the line is drawn. Exercise itself is not something not listed, and so possibly also included, because 6(2)(b) does cover exercise.

Looking at 6(2)(f) to travel for the purposes of work or to provide voluntary or charitable services, where it is not reasonably possible for that person to work, or to provide those services, from the place where they are living; seems to clearly relate to doing work (or volunteering, etc) but it has a caveat of not being possible to do it from where you are living. Again, the clause covers working, so you would not consider it reasonable to go out to work when you can do it at home - even if that is not a public health issue.

Of course, the use of "includes" does allow for something completely different to be reasonable and not be in the list. Ideally something that is obvious to all that it is clearly reasonable. But anything that is in the list with deliberate constraints clearly defines the boundary and implies directly what is beyond that boundary and hence not reasonable.

Sadly, 6(2)(f) also has the caveat "to travel", which directly implies that outside of that caveat, working away from home at all is not a reasonable excuse.

Sadly, on that last point, as 6(1) now needs an excuse to simply be outside, it suggests doing work that is not travelling for work, outside your home, is no longer reasonable.

Oddly even 6(2)(k) in the case of a minister of religion or worship leader, to go to their place of worship; is a problem as such a minister can go to their place of worship, but then no longer has a reasonable excuse to be there, or even to travel back home!

Some clauses just muddy the water, like 6(2)(l) to move house where reasonably necessary; effectively defining reasonable excuse as a thing that you need to do because it is reasonably necessary! That is not helpful...

P.S. Stay home!

2020-04-22

Going to work?

Update: Fixed on 13th May

Drafting legislation is obviously a complex issue, and needs a lot of work.

As we have seen, the regulations for COVID-19 are badly drafted, with many things people consider "loopholes". The original legislation was, after all, done in a rush.

Thankfully the civil servants have had several weeks now to carefully draft some amendments to fix some of the issues, so these should be really good now, obviously.

Some issues:-
  • Previously you could leave home for one reason but then did not have to have a reason for being "outside". I.e. you could leave for exercise and then decide to go and have a picnic. As long as not a gathering of more than 2 people not from the same household in a public place, that was legal, even if the police said it was not and fined people.
  • Previously if you have a party at your home with lots of friends, it was clearly a gathering, but not in a public place, so you (at home) were not breaking the law. Any of your friends that left where they live with reasonable excuse and then decided to come to your party would also not be breaking the law. Even so, police would break up parties and fine people.
  • Previously if you left home for exercise, went to the park, you could sit on the bench for a while, even have lunch. What mattered is why you left home.

The changes at 11am today address some of these, and are listed here.

They fixed interesting things like in paragraph (1)(b), for “over the age of 18” substitute “aged 18 or over”; and in sub-paragraph (i)(iii), for “Department of Work” substitute “Department for Work”.

But one of the changes is this :-

(4) In regulation 6—
(a)in paragraph (1), after “leave” insert “or be outside of”;


This means that it now reads :-

6.—(1) During the emergency period, no person may leave or be outside of the place where they are living without reasonable excuse.

This covers a lot of previous loopholes. Now you no longer just need an excuse to leave where you live, but to be outside (yes, your garden is still counted as inside your home for this). So the picnic is no longer valid, and neither is the house party (not because a gathering, but because the people there have no reasonable excuse for being outside their own home). Sadly it may also mean the rest during a long walk is a problem. I am actually a tad surprised that "returning home" is not in itself a reasonable excuse.

However, what concerns me is that they did not update the actual list of reasonable excuses having now changed the context.

Notably the reasonable excuse: (f) to travel for the purposes of work or to provide voluntary or charitable services, where it is not reasonably possible for that person to work, or to provide those services, from the place where they are living;

Now, previously, it was OK to leave home to "travel for the purposes of work" (if you could not do that work at home), and, having left home with reasonable excuse, you could, well, do the work!

Yes, the list is not exhaustive, but given how the police seem happy to fine people when they were covered by the list it is tricky doing anything not on the explicit list. Arguably the specificity of the use of the word "travelling" for work in the list highlights anything other than travelling as not being "reasonable". A simple fix would be to remove the "to travel" part, so "for purposes of work" (where you can't do it from home) would be covered, including any travelling.

But the excuses don't list actually "doing work", or "being at your office", or anything that is not actually "travelling". And this reasonable excuse has to cover not just leaving your home, but being outside your home.

So now it seems they have plugged the loophole allowing a picnic, but made supermarket workers illegal sat at their tills. Indeed, if you are an MP sat in parliament right now, which of the reasonable excuses do you have for not being at home?

Really? This is the competence level of our current parliament?

2020-04-19

BGP

Border Gateway Protocol is a thing that happens very much behind the scenes in the Internet and not something anyone outside the industry should have to know anything about. So this post is going to try and really dumb down some of the technical issues.

Firstly I'll try and explain what BGP is, and a couple of the challenges that have come up over the years. Some were an urgent issue that made us all realise a risk that was not known before. The others are more of a gradual change in best practice that needs doing, in my view.

Extra dumbed down

  • For the Internet to work - there has to be a "road map" so that your Internet provider can direct traffic.
  • Roads change, and so there is a way to update this road map with new instructions (that's BGP).
  • There can be errors in these instructions, and bad people can give wrong instructions.
  • This is all something that is being worked on. It is complicated.

Thanks to Simon Crowe #FBPE (@UHDDreamer) for some inspiration on the above.

What is BGP

First off, BGP is the way internet providers manage routing of internet packets. It involves, normally, an ISP communicating with another ISP over some link to say what they can route for them.

It is not fundamentally complicated, and I recall one occasion talking to someone working for a major peering point about us plugging in to them. We (AAISP) use FireBrick routers, and I had personally written the Ethernet drivers, IP, TCP, and BGP protocols from scratch for our equipment. We plugged it in and it worked as expected. The idea that we were not using Cisco, or Juniper, or some other common vendor, was a shock at first, but bear in mind that not only are these all well defined and published standard protocols, they are designed to allow a degree of tolerance to errors.

Our code worked as designed and to the standard, and in some ways was way faster than some vendors. I was pretty proud of the design.

For anyone to be able to take part in BGP you need to agree with another ISP, over something called "peering" which is ISP to ISP, or "transit" which is where an ISP gets "the Internet" from some larger company. In both cases, and especially the latter, there are filters on what you can "announce" to the world via BGP.

As a system, this should work. I cannot "announce" someone else's routes to transit - they won't let me. I cannot "pretend" to be some part of Facebook's network, for example, and hijack their traffic. If everyone that allows any connection to the BGP network had such filters all would be well, and mostly it is.

The issue is that some parts of the world are not as robust, and so rogue routes can be announced. It can be (and often is) a mistake, or it can be malicious. Hijacking someone's routes can be a way to break security (getting new certificates for https), or just causing disruption to their network and traffic. It is a concern for the industry as a whole.

Just to explain, unlike your broadband router which has only one route to the internet, your ISP has many peers and transit and routes to send data. That is why BGP is needed in the first place.

Path overload issue

One incident that happened was where someone made a simple typo on a configuration (more details here). A setting which they thought was a number to quote was in fact how many times to quote it. This created a message in the routing which was unexpectedly long and caused some special edge case in the code for longer data.

The problem was a bug in some makes of router which meant that it could not cope, and broke routing. It created invalid data that was sent on.

Now, I hate to say this, but my memory is sketchy on the details. The solution was to not forward invalid data. We realised this and ensured FireBricks would not do so (a config setting with a default not to, called "ignore-bad-optional-partial") even though the specification said we should. We had new code within days to ensure FireBricks could not be part of the problem - even before the RFC (standard) on this was created.

Sometimes the industry has to act quickly as, even though the cause of the issue was a mistake, it could be exploited as an attack.

TCP RST issue

Another issue that became apparent was the way the BGP links between ISPs are set up. They use a normal TCP connection. Now TCP works on IP and IP has a "TTL" or "hop count" which stops IP packets going too far. A convention in BGP (not part of the spec for BGP or TCP) was to set up the TCP session to "peer" links with a one hop TTL. This means the TCP connection cannot go more than one hop to the directly connected router. This makes sense as the peer is directly connected on a link one hop away.

The problem that came up was that someone could inject a TCP packet called a RST, with a faked source address, sent on the Internet, which when it arrives closes the TCP connection for the BGP session itself. This drops all routing, and causes disruption. Repeatedly done it can take down a link, or set of links, completely and cause a lot of problems.

The first fix was a way to digitally sign the TCP packets. We, at FireBrick, created this feature to allow it to work for BGP, and a few of AAISP's peers required signed BGP sessions. This works using a password at a low level and so ignores the rogue RST packet.

It turns out there is a way simpler way to fix the issues called "TTL security". Instead of using a hop count of 1, use a hop count of (maximum) 255, but make sure the peer checks it is 255. The reason this works is a packet from anywhere else on the Internet will see this hop count go below 255 as it drops at each "hop" on the way.

Again, FireBrick implemented TTL security, not just setting the required hop count, but checking it based on number of hops allowed/expected (usually no intermediate hops).
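The difference between the old "TTL 1" convention and TTL security, as an added example (not FireBrick code). It models only the TTL arithmetic described above; the function names and scenarios are constructed for illustration.

```python
from typing import Optional

MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold


def ttl_on_arrival(initial_ttl: int, routers_crossed: int) -> Optional[int]:
    """TTL the receiver sees, or None if the packet expired on the way.

    Each router that forwards a packet decrements its TTL by one and
    discards the packet if the result is zero.
    """
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("TTL must be 1..255")
    remaining = initial_ttl - routers_crossed
    return remaining if remaining > 0 else None


def old_convention_accepts(arrival_ttl: Optional[int]) -> bool:
    """'TTL 1' convention: only the sender limits TTL; nothing is checked on receipt."""
    return arrival_ttl is not None


def ttl_security_accepts(arrival_ttl: Optional[int], allowed_hops: int = 0) -> bool:
    """TTL security: sender uses 255, receiver requires at least 255 - allowed_hops."""
    return arrival_ttl is not None and arrival_ttl >= MAX_TTL - allowed_hops


def compare(initial_ttl: int, routers_crossed: int, allowed_hops: int = 0) -> dict:
    """Show how both receive policies treat one packet."""
    arrival = ttl_on_arrival(initial_ttl, routers_crossed)
    return {
        "arrival_ttl": arrival,
        "old_convention": old_convention_accepts(arrival),
        "ttl_security": ttl_security_accepts(arrival, allowed_hops),
    }


# Constructed scenarios: (description, initial TTL, routers crossed, allowed hops)
SCENARIOS = [
    ("direct peer, sender uses 255", 255, 0, 0),
    ("direct peer, sender still uses TTL 1", 1, 0, 0),
    ("off-link packet, initial TTL 64, 5 routers away", 64, 5, 0),
    ("off-link packet, initial TTL 255, 1 router away", 255, 1, 0),
    ("peer configured with one intermediate hop allowed", 255, 1, 1),
]

if __name__ == "__main__":
    for text, ttl, hops, allowed in SCENARIOS:
        print(f"{text}: {compare(ttl, hops, allowed)}")
```

The second scenario shows why both ends have to be changed together: a peer still sending with TTL 1 is rejected by a receiver that enforces the 255 check.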

Using RPKI

There are still issues with BGP, even with all of these steps.

The main one is that someone can "inject" a route in to the system that is not genuine. They can do so alongside the genuine route, or inject a more specific route. This hijacks all of the traffic.

As I said before, where transit providers check their customer routes, this cannot happen. But some countries are a bit more lax.

The "fix" is double edged - it involves a way to certify that a route is correct, specifically that it is to the right "autonomous system". But the downside is that puts someone in control of certifying the route is correct. Who has that power?

This was a controversial issue in that, for example, the whole of Europe is controlled by RIPE. So if a Dutch court demands RIPE remove a route, they would have to. This puts huge power in the Dutch courts. The same applies in the US and every other registry where a local court could command a change. To be clear, actual routing is handled by the ISPs, but the issue comes when they all work on one authority as to what is valid. I am not sure that has now been fixed in RPKI, but happy to be corrected on this point.

The other issue is that certification can lead to mistakes, causing routes not to work based on some technicality.

Not everyone is checking these certificates, and even then the system will not be bullet proof if the origin AS is spoofed (I think). So any errors will cause partial failures. These are massively difficult to diagnose. What does an ISP do when just some of the Internet cannot see some of its network? In most cases the networks not routing will have no contract or direct relationship with the ISP in question. That is hard to diagnose and fix.
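What "checking these certificates" amounts to for a router, as an added example (not AAISP or FireBrick code): route origin validation in the style of RFC 6811 against a list of signed route records (ROAs). The prefixes and AS numbers are documentation values and the announcements are constructed.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: object      # ipaddress network the ROA covers
    max_length: int     # longest prefix length the holder authorises
    asn: int            # AS authorised to originate it


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and 32/128")
    return ROA(net, max_length, asn)


def validate(prefix: str, as_path: list, roas: list) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # the origin AS is the last AS in the path
    covered = False
    for roa in roas:
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue              # this ROA says nothing about the route
        covered = True
        # AS 0 in a ROA means "nobody may originate this", so it never matches.
        if roa.asn != 0 and roa.asn == origin and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_routes(announcements: list, roas: list) -> list:
    """Drop only 'invalid' routes; 'not-found' has no ROA to be checked against."""
    return [a for a in announcements if validate(a[0], a[1], roas) != "invalid"]


# Constructed data: documentation prefixes and documentation AS numbers.
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64496),
]
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),         # genuine route
    ("192.0.2.0/24", [64500, 64511]),         # same prefix, wrong origin
    ("192.0.2.128/25", [64500, 64511]),       # more specific, wrong origin
    ("192.0.2.128/25", [64500, 64496]),       # right origin, longer than maxLength
    ("192.0.2.0/24", [64500, 64511, 64496]),  # another AS in the path, origin as signed
    ("198.51.100.0/24", [64500, 64499]),      # nobody has signed this prefix
    ("2001:db8:1::/48", [64500, 64496]),      # IPv6, within maxLength
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:18} path={path} -> {validate(prefix, path, ROAS)}")
```

The fourth announcement is the "technicality" case: the rightful holder de-aggregating beyond the signed maxLength is dropped just like a hijack. The fifth is the limit of the check: only the origin AS is compared, so a path that ends in the signed origin validates whoever else appears in it.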

In the long term, this is generally good. Even with the risk of a court attack, the industry can work around if needed. That is a last resort, and measures to avoid rogue routes are a good idea.

If the major transit providers start filtering routes checking RPKI then that alone will solve the problem of rogue routes - but if they were all filtering what they receive anyway from customers, that would avoid the issue without RPKI. So is it worth it?

But as I say, this is all behind the scenes policy and technical issues for ISPs and transit providers. It will be sorted by ISPs and industry as a whole around the world. We are all working to improve the security and reliability of the Internet.

Who should do what and when?

[new section after original post] I have been learning more on the whole RPKI thing. Overall it is a good idea as it blocks some types of attack. It is not perfect, it does not block all types of attack, and is, itself, prone to new types of attack via courts and also new mistakes, but it helps. It helps a lot with some types of mistakes, which have been a cause of issues as you can see above. It is best practice, which is important. So that is why we (AAISP) are doing it.

There seem to be three steps that make this work.
  1. Everyone should be signing their routes - i.e. ensuring they have signed route details saying which routes via which AS, so they can be checked by the Internet as a whole. AAISP have signed routes for some time and are currently working on ensuring some hosted routes for customers are also signed. This is the first step, else RPKI could not work at all - you cannot check routes if you have nothing against which to check them.
  2. The big players, the transit providers, need to filter based on RPKI. This, with step 1, basically stops all route injection attacks in their tracks, and problem solved.
  3. Smaller edge ISPs should also filter routes. This is mainly to catch the peering sessions and pick up mistakes. If transit are filtering, this is a mopping up exercise - an attack or mistake could impact a small group of peering ISPs maybe, not the Internet as a whole. Such ISPs probably already filter peering to some extent anyway, but RPKI is a good start for making this better and more automated.

So if you felt things in the industry were not moving fast enough, you could make a site and allow tweets saying people have "unsafe" Internet. But if you did that, should you say that the edge ISP has unsafe internet or maybe work out which transit they are using and say that transit provider is unsafe? Maybe if the edge ISP is not signing routes, highlight that. But really, who should you "shame"? The edge ISPs filtering is a good idea, but the last steps involved for completeness - the signing and the transit filters, they are what matter here. Personally, don't try shaming people, talk to them!

But to be clear, AAISP were doing 1, we are now nagging transit re 2, and we are working on 3. The last stage is complex as it means development and testing in our core routers - not something you do during a pandemic.

It is interesting that, even with recent publicity, we have one customer concerned that we will be deploying RPKI filtering - feeling it will break things and even accusing us of breach of contract. This kind of shows it is not a simple matter to deploy quickly.

There is also an excellent post by Andrew Aston on the issue of shaming ISPs: here.

2020-04-17

Losing all respect

I am just astounded by the way the UK police are behaving right now.

TL;DR: Massive over reaction and police state style action way above what the law provides and with no regard for public health, for weeks now. Then massive under action on a public gathering with no regard for public health last night. They seem to have no clue. How can any of us have any respect for them?

Update: it is worth saying that I don't assume this is all police, but with the power the police have over us we need to hold them to the highest standards. It is clear that a lot of the police do not understand the rules, or the simplest concern of this being public health legislation, as I have heard numerous reports from friends who have been stopped and questioned unnecessarily when doing nothing wrong, each occasion creating risk of spreading the virus.

In the last few days we have had :-

Police surrounding a journalist after telling some woman she cannot sit down for a moment whilst exercising, and telling him that he is killing people, even though they are "in his face" with no PPE. They really are trying to be the plague spreaders here, aren't they?


Also, we have new guidelines by NPCC and College of police on why you can leave your home - but the rules have not changed. The only difference is these guidelines are perhaps easier to read and are more widely publicised (here) - apparently several police Twitter accounts are saying they are unenforceable even though the rules HAVE NOT CHANGED! We can only assume they are cross that the rules are not what they would like them to be and only just realised, weeks after they came in to force. (It is a separate debate as to whether the rules are adequate or not, and not one for the police to decide.)

And then you have this, a public gathering on Westminster bridge yesterday and the police don't appear to be dispersing the gathering or enforcing the rules but actually participating!


Even crazier, the police themselves posted about this gathering as if it was a good thing!!!

I have sent freedom of information requests (here and here), and we'll see what they say.

Update: as of 11am on 22nd April the law changed to cover "being outside" not just "leaving". Here.

2020-04-15

Monzo Business Account

Finally, Monzo have launched a business account.

I have taken the step of moving the incoming payments account for customers paying us (AAISP) to Monzo. This means we have updated the account details people see on invoices and statements and on the web site, and we are working on a "redirect" for the old Barclays account.

This is not a decision I have taken lightly. We rely on people paying us money, but thankfully a lot of that is via Direct Debit (for which we use Lloyds). But quite a lot of money comes in via bank transfers to us. I appreciate people prefer this to Direct Debit in many cases as I know a lot of companies are nowhere near as pedantic in following the Direct Debit rules as we are.

Up until now, payments arrive at Barclays and we can download a statement. At various points in the past I have managed to screen scrape that on Barclays, but that is not ideal and for a couple of years it has meant I log in every day, even when on a cruise ship in the Pacific! Either way, all we get is a CSV file up to the end of the previous day.

We can then load that in to the accounts to record who has paid us, and how much.

Fraud

It is always a concern advising customers of new bank details as this is the way a lot of frauds work. So we are asking customers to check our web site to confirm details, as well as digitally signed invoices and statements. https://www.aa.net.uk/legal/bacs-payments/

Also, of course, now it is all real time, customers can easily send, say, a £1 deposit and see on their on-line account at A&A that it has arrived. This is very sensible, and thanks to the customers doing this to be sure.

Real time

Changing to Monzo for incoming payments is a huge difference. We have a simple means to have web hooks which means Monzo send us a secure post of the details of the transaction as it happens.

And I mean real time here - before the sender has seen on their mobile or web banking app even that the payment has gone, we know we have the money! It is impressive.

This is also very robust, retrying if we don't answer, and we can reload all transactions if we need. They have a unique reference on each transaction too, unlike Barclays where no unique reference meant it was tricky if someone paid the same amount twice on the same day.

Barclays even have a limit on how many transactions are in the statement, which meant that at one point it was impossible to download the previous day's transactions. When that happened we set up two accounts for people paying us to keep the daily total below the limit. Crazy. Direct Debit solved that, but it shows how behind the times banks are. As far as I know, that limit (I think 300, off the top of my head) still applies.

Moving to Monzo makes a big difference for our accounts staff as it means they can see people have paid in real time. This avoids delay sending equipment and any delay enabling, or re-enabling, a service that has been suspended.

Payer details

We also get proper payer details, notably sender sort code and account number. This means that when people forget to put the right reference on the payment we can often find the account based on their bank details. Remember that when you used a cheque in the past you gave your bank details on the cheque.

This helps with privacy as well, as our accounts staff can be looking at the customer account and not a general "company bank account". Only if the payment does not match anyone do we put it in a suspense account to be allocated.

In those rare cases of a random, unexplained, payment to us, we used to be a tad stuck. We have had money from someone listed as "CURRENT ACCOUNT" before now, and nobody complaining they had paid and we had not seen it. What do you do? Well, now, we can, simply, send back to the sort code and account from which it came, if all else fails. That said, we also get more of the payer name as Fast Payments have longer fields that are not truncated to the 18 characters used by BACS (and what Barclays gave us).
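How the unique transaction reference (under "Real time") and the payer's bank details (this section) fit together when recording incoming payments, as an added example that is not AAISP's code. The event layout, field names, customer references and bank details are all constructed; this is not Monzo's webhook schema, and the event is assumed to be already authenticated and parsed.

```python
from collections import defaultdict


def norm_ref(text: str) -> str:
    """Normalise a payment reference: upper-case, letters and digits only."""
    return "".join(ch for ch in text.upper() if ch.isalnum())


class IncomingPayments:
    def __init__(self, customers: dict):
        # customers: {customer_ref: [(sort_code, account_number), ...]}
        self.refs = {norm_ref(ref): ref for ref in customers}
        self.bank_owners = defaultdict(set)
        for ref, accounts in customers.items():
            for bank in accounts:
                self.bank_owners[bank].add(ref)
        self.processed = {}                # transaction id -> (how, customer)
        self.credited = defaultdict(int)   # customer_ref -> pence received
        self.suspense = []                 # events nobody could be matched to

    def handle(self, event: dict) -> tuple:
        """Record one payment event; safe to call again when delivery is retried."""
        tx_id = event["id"]
        if tx_id in self.processed:        # retry of something already booked
            return "duplicate", self.processed[tx_id][1]
        amount = event["amount_pence"]
        if not isinstance(amount, int) or amount <= 0:
            raise ValueError("expected a positive amount in pence")
        payer = event.get("payer", {})
        bank = (payer.get("sort_code"), payer.get("account_number"))
        # 1. Prefer the reference the customer typed.
        customer = self.refs.get(norm_ref(event.get("reference", "")))
        how = "reference"
        if customer is None:
            # 2. Fall back to bank details, but only if exactly one customer uses them.
            owners = self.bank_owners.get(bank, set())
            if len(owners) == 1:
                customer, how = next(iter(owners)), "bank-details"
            else:
                how = "suspense"
        if customer is None:
            self.suspense.append(event)    # 3. Left for a person to allocate.
        else:
            self.credited[customer] += amount
        self.processed[tx_id] = (how, customer)
        return how, customer


# Constructed customers; B5678 and C9999 pay from the same bank account.
CUSTOMERS = {
    "A1234": [("00-00-01", "11111111")],
    "B5678": [("00-00-02", "22222222")],
    "C9999": [("00-00-02", "22222222")],
}
PAYER_A = {"sort_code": "00-00-01", "account_number": "11111111", "name": "A CUSTOMER"}
PAYER_BC = {"sort_code": "00-00-02", "account_number": "22222222", "name": "B AND C"}
PAYER_X = {"sort_code": "00-00-09", "account_number": "99999999", "name": "CURRENT ACCOUNT"}
SAMPLE_EVENTS = [  # constructed
    {"id": "tx_0001", "amount_pence": 1000, "reference": "a1234", "payer": PAYER_A},
    {"id": "tx_0001", "amount_pence": 1000, "reference": "a1234", "payer": PAYER_A},
    {"id": "tx_0002", "amount_pence": 1000, "reference": "A1234", "payer": PAYER_A},
    {"id": "tx_0003", "amount_pence": 2500, "reference": "INVOICE", "payer": PAYER_A},
    {"id": "tx_0004", "amount_pence": 500, "reference": "", "payer": PAYER_BC},
    {"id": "tx_0005", "amount_pence": 100, "reference": "hello", "payer": PAYER_X},
]

if __name__ == "__main__":
    book = IncomingPayments(CUSTOMERS)
    for ev in SAMPLE_EVENTS:
        print(ev["id"], book.handle(ev))
```

The first three events are the Barclays problem in miniature: a retried delivery is booked once, while a genuine second payment of the same amount on the same day is booked as well, because it carries a different transaction id.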

Opportunities

The process also allows some opportunities, which we are working on. Some of our services are, sadly, prone to fraudulent orders. We manage these quite well both automatically and with manual checks by our accounts staff, but this means, for example, you cannot order 07 VoIP numbers from us outside some restricted office hours, and there are some services we don't sell on-line yet.

Live incoming payments would allow many of these services to be activated immediately if we get a small deposit by bank fast payment, and also allow us to confirm the details for subsequent Direct Debit.

Obviously we can make this optional - allowing customers that would rather talk to our accounts staff and delay activating a service, to do so. But it would allow people to order services any time, day or night, and have them immediately activated if they are prepared to send a small deposit by on-line banking.

I'm not sure when we will have that in place, but Monzo make it possible.

2020-04-13

NHS ID not good enough to prove "Essential travel"

Worrying times indeed - that police have reportedly stopped NHS staff (here) and would not accept their NHS ID card as good enough evidence for "essential travel".

There are people saying that it should be good enough to show "essential travel", and others saying that it is crazy the police don't think NHS staff are doing "essential work" or are "key workers". I agree that it is wrong, but these comments show people don't understand the rules at all (and clearly, neither do the police). There is no need to prove you are on "essential travel" as there is no law against "travel". Similarly there is no law saying only "essential work" can be done, or only "key workers" can work.

But first, again, please stay at home if you can - be sensible.

So let's look at the logic here a bit. There are a couple of key rules - one on public gatherings (not relevant) and one on leaving the place where you live.

Update: The college of police have released more guidance (here).

Update: as of 11am on 22nd April the law changed to cover "being outside" not just "leaving". Here.

No "stop and account" power.

The first problem is that the police (see this report) have no "stop and account" power anyway.

"The helpful National Police Chief’s Council and College of Policing Guidance makes clear that there is no power to “stop and account”. Therefore, the police should not be intercepting people who they do not suspect to be causing health risks by their behaviour in violation of Regulation 6 or 7."

They also say road checks on every vehicle are disproportionate.

So why were they stopping someone anyway? Note the "causing health risks" part - this is public health law, not public order law, so they don't just have to suspect you left where you live without reasonable excuse, they have to think you are causing a public health risk by doing so. It is hard to see how anyone in a car driving on a road is "causing a health risk" at all. Yes, they could be doing something stupid, and there are laws on public gatherings, but just driving in a car, especially if alone, clearly is not in itself a public health risk.

Plague spreaders?

Obviously, the police should also not, themselves, be causing a health risk - yet stopping and questioning people does just that as they become "plague spreaders" as they are in contact with so many people, and are doing it deliberately! Stopping NHS staff is even worse as they too are high risk not just of having the virus (spreading to police) but also of spreading it to those vulnerable (in hospital).

Where are you going?

We don't know what was actually asked when they stopped this NHS worker. I would not be surprised if they asked where someone is going - accounts from friends who have been stopped suggest this is the case. I have heard reports of someone stopped when going to tend to their horse and having to make an hour long round trip back home to get proof that they have a horse and where it is stabled, and so on. This is crazy!

Actually the only relevant question to ask is "For what reason did you leave where you live?"

But even that is a bit of a useless question. Nothing you are doing now has to relate to why you left where you live. Whilst you don't even have to say why, you can say any of the reasons listed (here) and there is really no way a police officer, or anyone else, can really prove beyond reasonable doubt whether that was or was not your "reason" when you actually left where you live. It is hard to even justify simply suspecting someone of leaving for some other reason as they can leave for one reason and be doing something else now - so current actions do not have to relate to the "reason". Yes, the law is a tad daft if so unenforceable - but most people try to follow the law which makes it a useful law even so.

Where do you work?

One presumes the NHS staff member said they were going to work, i.e. they left where they live as they need to travel for work for the NHS. So what is the next question, perhaps "where do you work?".

Actually the only relevant question to ask is "Could you do that work at home?"

But even that is a bit of a useless question. If you say "no", the police officer cannot prove beyond reasonable doubt that is not the case, can he/she? Even if your work is done solely on a computer that does not mean you have a computer, or your computer is or can be set up to allow that work. Even if set up to work from home, if your Internet link breaks or computer breaks or any other reason, you may not be currently able to do that work from home.

Thankfully, with a lot of work from our ops team, my work has set up so that all but one person is working from home, and doing a great job, but that is not the case for many companies, and almost impossible to prove that someone can work from home.

Essential work?

Some people have suggested it is crazy that the police did not consider NHS work essential, but again, there is no question of what the work is - everyone is allowed to work, and allowed to leave where they live if they need to travel for work if they cannot do it from home.

A gardener, or florist, or bricklayer, can all work and can leave where they live to travel for work if they cannot do that work at home. What ID would police expect to see for such workers to somehow justify their "essential travel"?

Essential travel?

Even the news article talks of proving it was essential travel, and that NHS ID was not good enough to prove that. But again travel is not limited to "essential travel". It is not even limited to "travel for work" - just that one of the reasonable excuses for leaving home is that you need to travel for work. There are many other reasons to leave home that could involve travelling including to go somewhere to exercise, or to go shopping. But these are not actually the only reasons allowed for "travel" as travel itself is not in any way restricted or banned! Essential travel is not a "thing".

Proving innocence!

There is a big issue, in my view, with people somehow expected to prove their innocence, and even be able to do that on the spot or face a fine - or be turned back, or escorted home.

Why does it matter?

  • Police should enforce just the law, and not "policy" - the fact that government guidelines go beyond the law and that police are trying to enforce "guidelines" and not just the law is bad - it is the very concept of a "police state", but importantly it undermines trust and respect in the police. We should trust and respect the police, especially at a time like this. But in return they need to actually follow the rules and the law.
  • Stopping NHS workers getting to work is just plain stupid, not legal, and very much not in the interests of public health.
  • Police can be spreading the virus far more than the people they are stopping and talking to. That undermines the whole public health objectives and means more people will die.

That said, obviously, it is sensible to only leave home if you have to, and only to travel where you have to, and wash your hands. But the police have no place demanding people justify their travel at all - it is all about the reason for leaving where you live, not where you are going or even why you are going somewhere, nor how far you are going.

But once again, please stay home and only go out if you really need - and wash your hands!