Sunday, 28 February 2016

I don't know why companies can't get customer feedback right

The dreaded survey email

"You have been chosen to fill in a survey for our company!"

Really? Does a company really think that their customers will be so flattered that they will spend 20 minutes of their time filling in a survey?

"Please click one of these two buttons to indicate whether your service was good"; Clicks button; "Please login to your account in order to continue"; No chance, see you.

I even had this fantastic announcement when I called someone the other day, "we would like to hear your feedback at the end of this call, the feedback will be 1 question and will take no longer than 2 minutes". That is one long question!

Companies are only just catching up to 30 years ago

20-30 years ago, companies started realising that customers were picky, service was not always great and that despite the best efforts, they did not always deliver services in the most efficient way. Customer Service became a thing. It's not that there was no service before that, but before mail, phone or internet sales were a big thing, you simply went back to the shop to tell the manager how the service was or better still, if you didn't like it, you didn't go back!

With the internet having been a big retail channel for probably 15 years or so, some companies are only catching up to 30 year old customer service and most of them are doing it very badly. The examples above are just some of the ways in which companies are not engaging with their customers. I would be interested to know the percentage of conversions of all the feedback requests that come from, say, Pizza Hut, to the number of people who finish a questionnaire.

Getting it wrong

The first thing the companies get wrong is that they assume people want to fill in feedback. They don't. The most likely feedback you get is negative, everyone should know that. If I suffer really badly, I will either simply move to another company or I will vent to you, especially in an email where it's easier to be angry! Sometimes people will feedback exceptional service but in high volume sales like pizza delivery, that is unlikely to happen very often - why? because I don't expect exceptional service from pizza delivery or tool shops or ebay, I just expect normal service. I expect reasonable prices (which I mostly know before-hand) and I expect the item to be delivered roughly when expected and be as it was described online. If it is, that is cool. It is not exceptional and I will not write a feedback survey - that is just normal business.

Not making it worth the customer's time

Some companies might understand that people do not normally want to give feedback but they still want some, so guess what? If you want feedback, offer people something for their time - enter them into a draw for an iPad or 20% off their next order or whatever. Something that says, "we want feedback, you want a reward for your time, let's help both of us out!". Why on earth would someone simply say, "your feedback is really important to us so please fill in this 20 minute survey"?

Single feedback channel

Another mistake is that for some companies, these kinds of surveys are the only channel that a customer has to vent. Take a leaf out of Great Western's book and have a staffed Twitter account that replies to people, usually within a minute or 2. You get quick customer feedback, they get affirmation that you hear them and understand and are feeding stuff back! It also removes the pain from the next part, getting the questions right!

Poor survey questions

I literally shudder when I read some survey questions. They read like they were written by someone who honestly has no idea about how to ask good questions. They don't even read like the author has even been on a course to understand surveys. Ignoring the fact that many ask too many questions, the actual content of the questions is poor which means people give up or worse still, they answer the questions in unexpected ways, which distort the results and don't achieve the aim of the survey, which I would hope is improvement. Let me give you the one that almost always appears in surveys and which is mostly useless unless asked correctly:

"On a scale of 1 to 10, how likely are you to recommend our company to a friend". I actually read this one most recently in Great Western's survey and told them why it was a poor question. Firstly what is a scale of 1 to 10? At most you will have 5 views of a company: very poor, slightly poor, neutral, quite good and very good. Secondly, when asking if I would recommend a train company to a friend, it would depend whether they are getting a train from Paddington to Bristol, in which case I would definitely recommend the only company that provides that service (unless they were so exceptionally poor that I would recommend the coach or a taxi instead!). What it needs to read is more specific, something like, "after your last interaction with our company, did it leave you feeling that we are: A great company; A company that is meeting expectations; A company that is making mistakes or a Useless company?"

The missing middle

A lot of surveys make assumptions about the way the question will be answered and often either miss out the "N/A" option e.g. "Were customer services helpful?" - Don't know! I didn't call them. Or otherwise they miss the fact that you can't measure everything between the spectrum of good and bad or perhaps what I consider normal is what you consider good. For instance, how was the service when your pizza was delivered? "It was absolutely amazing! The guy arrived in his car and gave me my pizza. I can't describe how happy I was" (said no-one ever). The question should be worded with the top answer like, "I received my order with no problems".

Writing the survey for the company instead of the Customer

Honestly, if you surveys are long-winded and complex, the chances are your customer service system is fundamentally broken. You should already know 90% of how your service is by talking to people, monitoring your call centre systems, listening in on some calls etc. If you have to ask ultra-detailed questions then you have already lost, you will get nothing more than a load of information that is already not matched to probably what you want to know.

Even if the survey is not long-winded and complex, you absolutely must think about how the customer will approach the survey in their mind and how you can match that to what you want to know. Ultimately, is our brand strong or are you choosing us over our competitors. Then you should ask simple questions like, "when you are planning a holiday do you ever choose the airline or do you simply pick the cheapest flights to a destination" if 'yes', "Do you consider our airline to be your first choice?" "Why?: Price, flexibility, offers etc.".

In so many surveys, the questions look like they relate to internal issues that the customer is both blissfully unaware and more importantly, does not care about. Don't ask about detailed use of the loyalty scheme, you should already know. Don't ask 25 questions about customer service, just send "secret shoppers" on some of your flights or into some of your shops or whatever. God forbid you could enable your staff to own their areas and give them a reason to make it good off their own back rather than controlling the organisation and then trying to monitor your way to good service - you have already failed.

Bottom line

Before you even consider sending out a survey, do something that appears to be controversial in the extreme! Go and talk to your customers regularly. If you are a Customer Service Manager who doesn't do this, you should be fired!

Wednesday, 24 February 2016

Verified by visa - So bad, it's criminal

So, most of you have probably seem Verified by Visa or MasterCard secure or whatever it's called. You make a payment on your credit card and the site redirects you (or sometimes iFrames) a small dialog that asks you for a password. This is to secure your transaction against fraudulent use.

The ONLY thing that is correct is that by asking for something that a wallet thief won't know, you are less likely to have people buying stuff with your card online.

Everything else is rubbish and is doing a massive disservice to the end user, the merchant and the web security industry. Here are some of the problems:

  1. Verified by Visa doesn't seem to be a real company, more of a collaboration without any accountability. If there is an error with the system, who should you call? Your merchant? (can't help you), your bank? (can't help you), Verified by Visa? Sounds right but good luck getting hold of someone. I emailed them once and got an automatic reply about VbV did and no response at all about my complaint. Does everyone get the auto-reply and that's it or did somebody read the complaint and not be bothered to reply?
  2. Why on earth are companies allowed to iFrame payment providers? We've had the web commonly available for about 20 years and people still don't seem to know that it is easy to copy and paste HTML code and make a fake page. One of the best mitigations is the URL bar, especially with an EV https certificate but you don't see that in an iframe. Am I typing my password into a VbV window or just some hacker capturing passwords? No idea.
  3. There should always be a way of connecting into the organisation behind the technology. If I have a problem with a merchant, I call or email them and they help me with the problem but if I have a problem with VbV there is nowhere to properly query or complain and worse than that, I can't just go somewhere else, like I can if I don't like a merchant, it is part of my credit card process and unavoidable. How much money have merchants lost due to this debacle?
  4. There is no competition. A merchant cannot just say they don't want it because it's rubbish otherwise they incur higher transaction charges and potentially more charge-backs for fraud. They can't even say that they don't like VbV and want to use Acme Secure instead because the banks (or credit agencies) dictate what you have to do.
  5. I got a message on VbV because something failed, it gave me a phone number to call if I wasn't called back in 5 minutes (I wasn't!), but the timeout for the transaction caused the page to reload and I then lost the number so I had to attempt payment again to get the number, which was wrong (out of date). I called up the number had to enter my FULL CARD DETAILS on the phone (I mean, honestly?). Is that even legal? After that, the guy on the phone, who I guess works for my bank and picks up the calls because of my card number then asks for my card number again because it doesn't come through.
  6. Try resetting your password and it asks you for information from your wallet! Well done VbV, you must have written the procedure when you were in nursery school.
  7. Many companies, like mine, are burdened with PCI audits and the usual expense and hassle of proving your system is secure, yet VbV somehow gets their software through the audit without so much as a question as to its suitability.
  8. Try using it in Opera (at least I think that was the variable). You get an error due to iframe policy of SAME_ORIGIN but that isn't picked up by the user interface, it just sits there forever with that stupid animated gif that means nothing and you only see the error in the developer console or if the page eventually times out. Try passing that information on to your bank or merchant. Good luck with the response.
I mean, honestly, it is the smallest piece of functionality ever and its complete insecure, unaccountable crap. Visa and Mastercard, how about you do something useful with all that obscene amount of money you make each year for basically piggy-backing off the internet and software that you could probably rewrite in 10 minutes and make something that demonstrates good security practice, good UX practice and perhaps you could pretend that you at least partially care about the awful user experience that accompanies so many online payments!

Thursday, 18 February 2016

Apple and the iOS data recovery saga

So this week, we have been made aware that Apple have refused a US warrant obtained by the FBI to assist them in hacking the iPhone of Syed Farook, the man who killed a group of people in San Bernardino after which he was killed in a shootout with police.

As with many stories like this, we understand why the FBI would want access to his phone. Clearly, there is a chance that there are other people involved who would be found out if they could read the contents of his phone (but that isn't guaranteed). Because he is dead, they cannot coerce his PIN number from him and since iOS has an automated kill mechanism, too many wrong guesses and the phone wipes itself, for good. The line that is taken by law enforcement, is basically, "If you don't help, you are helping the terrorists".

The question, however, is not as simple as whether Apple support terrorists or not, clearly they would not. The question is a deeper one about privacy, about where the line is drawn, about a country who are famously liberal with application of law when they want to obtain something (which is presumably why they have the "fruit of the poisonous tree defence"). The government, or at least the executive branch, have an unprecedented level of power, as they do in many countries, to play fast-and-loose with the law, to mislead judges in order to obtain warrants, or simply to do what they want under the protection of these secret services on the basis that it mostly doesn't get found out. If it does e.g. Edward Snowden, they justify it, get some judge to rule that it is OK and use their vast resources to fight out any court challenges. In the UK, even the oversight committees are so secret that you still don't really know if things are covered up "for national security", since that defence can apply to anything that the police or secret services do.


What the FBI are actually asking Apple for is to allow them to bypass the lockout mechanism on the iPhone by modifying or replacing the software on the phone, ideally to allow them to electronically brute-force the PIN and then, of course, they will have access and can carry on their job.

Apple have refused by citing privacy concerns and needing to not only protect their customers, some of whom operate in very dangerous parts of the world, but to make it public that Apple are serious about privacy - which is all very commendable.


There is something that the tech community have started smelling and it is an out-of-band attack that would potentially undermine everyone's iPhone. But let's go back a step.

Ideal encryption mechanisms are not only based on algorithms that make the encrypted data basically unusable without brute-forcing a key (we'll ignore subtle weaknesses like padding attacks and such) but it also has to include everything in the entire encryption system. For instance, using something solid like AES256 encryption but then leaving the encryption key stored on a flash disk would undermine the encrypted data. We would call this a side-channel attack - effectively not needing to attack the main thing by attacking something that gives you the same result, a bit like Luke Skywalker shooting into the Death Star's ventilation shaft.

On the surface, the iPhone is secure since even though it only uses a PIN (10,000 combinations for 4 digits) by only allowing 3 guesses, it restricts the abuse potential - all good so far.

But because the FBI are asking for a bypass and because Apple have not said that it is impossible, the implication is that somebody with the correct source code or tools could carry out the same attack - bypass the lock mechanism, brute-force the 10,000 PIN combinations (which let's be honest is not hard) and access an iPhone, even if it has the most wonderful and secure encryption algorithm known to mankind.

So my own opinion is that Apple are not just worried about privacy from a libertarian point-of-view but also the worry that any production or exposure of their software to this backdoor would quickly render all iPhones worldwide vulnerable to the same attack and their much touted security credentials go down the pan.

To be fair, there aren't many other options for Apple that couldn't be bypassed by their own software team but presumably it would be possible to engineer something, in software or physically, that would make it impossible to crack a phone at a later date without causing the data to be wiped. They could perhaps also create a large kill switch which any would-be terrorist would simply press before committing their crimes to leave no trace. I would be interested to know whether any useful data is found on phones. I would think a terrorist would be smart enough to use a prepaid mobile that is only used to call other prepaid ones...

"We will investigate to learn from our mistakes..."

I'm starting to get physically ill when I read that hackneyed expression that is often churned out after people make mistakes - usually organisations. NHS making mistakes so basic, it is hard to understand; companies losing data because it was not protected; the police allowing a criminal to escape, a politician excusing a poor policy (that everyone knew wouldn't work in the first place), they all tout the same poor justification that looks something like this:

1) This is very serious
2) ...but it doesn't happen very often
3) We take it very seriously
4) We will carry out a full investigation
5) We will ensure it doesn't happen again.

Except, it's nonsense. Take password storage. Anyone who's anyone knows that you should always store passwords as hashes, you should never email them in plain text and you should use a recognized "slow" hash function to make it the most difficult for an attacker to crack the passwords. In fact, with a little extra effort, you could also hash and/or encrypt email addresses so an attacker could not easily match a cracked password to an email address.

So when someone gets hacked and the attacker steals a load of unencrypted passwords or passwords hashed with something like MD5, which is pathetically weak nowadays, "we will ensure it doesn't happen again" is unacceptable, because it has already happened to many other people and you did nothing proactively.

Even when this happens, punishment is rare and, to be fair, it should probably be an executive who is punished, not the company itself. It worries me that across the world, managers make decisions that can be criminally uninformed and by the time something bad happens, they are long-gone and the company takes the hit (although that it probably the CEOs fault).

I have decided that the law in Britain needs to take a new modern form in lots of areas where it involves regulation of businesses and although I don't have a name for it, the idea is very simple.

1) The government implements a baseline, legally enforceable set of guidelines. Although the spirit is that you should not take them as a target, if you do adhere to them, you are by definition covered by law. These guidelines would be quite restrictive but would cover simple cases or small businesses and would provide a free and easy to use baseline.
2) If you are a larger company for whom the baseline is too restrictive, you can extend or modify the guidelines in your own documentation, specifying what exactly you are overidding and what you are using. You can choose to have these audited by an accredited auditor and if there are passed and adhered to, you will also be covered against negligence legislation.
3) If you simply cannot do either 1 or 2 above, you can choose your own method of process. Perhaps you are such a niche or specialized industry that you cannot get your processes audited. Fine, you do your own thing and if something happens, you will have a much higher burden of proof in court as to why the problem happened.

These default guidelines should be designed to be easily update-able but this should be done at reasonable intervals so that people can keep up.

For instance, some basic data protection guidelines would mandate the use of bcrypt, scrypt, pbkdf2 or argon2 as the minimum acceptable for password storage. By default you just do what you're told. A larger company have invented their own has (for whatever reason) so they get it audited and signed off as acceptably strong. A specialist company decides its process is too advanced and takes the risk that their own people have validated its strength.

In another industry e.g. scaffolding, the baseline says that you always wear hard hats if you are erecting, disassembling or working underneath scaffolding. You wear hi-vis vests whenever moving plant is on the same site and perhaps other requirements. A large company might decide that because they have a special walkway cage, that hardhats are not required when using the walkway - they can extend the baseline and have it audited. Alternatively, they could decide that they are using advanced scaffolding that is all made of rubber and hard hats are not required - they decide not to wear them but they take them at their own risk.

I think I will call it the Luke system but it's about time the government caught up and realised that regulation across the whole country (and most of the world no doubt), is completely not fit for purpose in the modern fast-moving, highly populated world.

Monday, 1 February 2016

What we must learn from the Accident Investigation Branches

We have endemic problems in the UK economy and while a lot of Politicians speak about growth and cutting costs, many simply do not have any qualification to make these decisions. Too many Politicians have no business experience to speak of and yet are allowed to make multi-million pound decisions.

What happens? The lowest common denominator is that we do obvious things that anyone could do - we could tell departments to cut budgets without really knowing where we can even save money, we can arbitrarily decide that it should cost less to run the NHS, or the Local Authorities or Education but in reality, there is little evidence for real ways in which costs can be cut.

There are, however, many ways in which our society from the bottom to the top have failed to recognise the most basic of mathematics - that is spending more on things than you should. When you recognise that, you dig down deeper and deeper until you find the root cause and then you must fix that.

You will find this in the Rail, Marine and Air Accident Investigation Branches. Their job, by necessity is to attempt to find root causes of accidents causing serious injury, death or major damage. For them, root cause analysis is critical to serve their fundamental aims but it is also obvious that it is important to find out not what happened but what series of events led to the accident happening and then to apply recommendations to avoid a repeat of it. When flying on a plane, I am glad that this attention to detail is made but as opposed to the Japanese who have been famous for efficiency and reliability since the 1980s, the UK are really poor at applying the principles to other areas of business.

Example. Every day, I see Tweets by railway companies talking about signal failures, train failures, people at stations delaying trains etc. which all adds up to people not using the railway. There is only one use-case for me that works on the trains and that is medium to long-distance journies which are tedious by car and sometimes bearable by train but since trains make several stops, sometimes, the time savings are minimal if existent and even a delay of 10 or 20 minutes on the train makes it seem like the car would have been better. 150 years after we invented the railways when certain things have got better, there are still fundamental issues that are not addressed. Most people would argue that signal failures are unavoidable but yet they are not unavoidable on a plane! You can't control how people behave, but airports are pretty controlled environments, other countries manage to work out solutions and yet we languish with a lack of hope that we have the ability to improve these things.

To be honest, subsequent governments have not helped because where efficiency can be contained by centralising certain functions, instead they are spread between various levels of government, public bodies, independent regulators and private companies. This increases red tape by 500% and makes the worst possible foundation for a can-do attitude. Network rail say they don't have money, the government will say it's Network rail's job, the train operators already pay loads of money and are not responsible for signals and track so every passes the buck and the sad thing is, they are all probably right. The system is so fragmented that no-one can sit in an office somewhere and say, "this is how all signalling systems need to be renewed", "this is the cable that doesn't rot under water" or whatever, instead, each company will make their own decisions for better or worse and cause the disparity and desperation that we all experience.

There are other examples: road surfaces, road markings and enforcement, traffic offences, planning, regulation of construction trades and many others where so many very obvious problems are either unseen or people are impotent to do anything about it.

What do we need? A government which recognises a fundamental structural problem but which doesn't try and fix it piecemeal but which works out for each industry and each sector, what provides the best mix of regulation and freedom to make decisions balanced with the fact that a single office with a few experts might be better than lots of offices of average people.

It sounds hard but I think everyone wants it to be like that, so you would get support from all manner of people and departments who would happily discuss the ways for these things to work. It probably even requires a bigger step back so we can resolve how to mitigate opposite opinions (such as planning officials vs planning applicants), while being fair to everyone.

Until then, we will keep pouring obscene amounts of money into things that should already work correctly just to maintain them in their rubbish state. As long as it employs people, I suppose it's not the worst thing in the world. But it's pretty bad.