Plusnet

The Balance

 2 Pinfold Street

 Sheffield

S1 2GU

Friday, 21 June 2013

RE: Failed installation of fibre broadband account: xxxxxxxx

Dear Sir,

I am writing to complain about the service I have received from you, as well as the way in which you have dealt with my complaint.

I am a long term customer of Plusnet, having previously held an account since 2004. Last year I switched to Virgin Media to take advantage of fibre broadband, but was eager to switch back to Plusnet when I heard the Openreach had put FTTC in the cabinet on my street.

I placed an order on the 5^th June. The earliest appointment I could get for installation was 20^th June. For some reason my landline was activated immediately, meaning I would be charged line rental for the 2 weeks I couldn’t use broadband, but that is another issue, which I’ll come to.

Yesterday, I took the day off work for the installation, which should have been between 8am and 1pm. At 1:45pm, the engineer still hadn’t arrived so I called your team; a ticket was raised (#71005291).

First of all, I want to quash any idea that I missed the engineer appointment.

·         I have a working doorbell with chimes loudly both up and downstairs.

·         I’d included my mobile number in the engineer notes when signing up, with instructions to call if there was any problem. No call was made.

·         I was seated by a window, all day, with full clear view of my street. An Openreach van passed once in the afternoon, but did not slow. No engineer attempted to call. Perhaps he was just checking the colour of my door!

(From here I will refer to the BT engineer as though they are part of Plusnet. Plusnet are my supplier, which you then subcontract some services to BT)

I phoned again this morning, 21^st June, and was told that the engineer said he had called, but couldn’t gain access to the property. After much arguing I was told that they would, of course, expedite an appointment, and I would be given top priority. I was also told I wouldn’t have to pay the £50 rebooking fee.

I later received an email telling me I would need to pay a £50 charge to rebook the appointment.  I phoned again, after which I was told that the supplier (BT) was disputing my claim, based on the broad assertion that I had a “white door”. All of the houses on my street have white doors, it’s hardly proof that an engineer called, knocked, rang the doorbell or tried calling my mobile. In fact, he would only have needed to pull up outside my house, and I’d have opened my front door before he could raise his hand to knock.

Eventually, I was told that an appointment could be rebooked, and I wouldn’t be charged a fee. However, the earliest appointment I could be given was the 4^th July. Wait… Wasn’t I told already that a rebooking would be expedited, due to me being messed around? Yes! I was! I also haven’t even mentioned yet that I’ve wasted a day waiting for this engineer – that day is worth a lot more to me than the £50 that you would charge – I should be charging you the £50, or more like £200 for my wasted time.  It also should be noted that now, with a 4^th July install, I’ll have been paying line rental on my unused line, needlessly activated on 5^th June, for just short of a whole month.

This time scale didn’t suit me, so I asked to cancel my order. Here’s where the line rental story gets a whole lot worse. Due to the line being apparently a completely different service, despite it being ordered at the same time and entirely for the purpose of broadband, it would not be possible (really?) to refund my 12 months saver line rental, as it was after the 10 day cooling down period. Oh, yes, because YOU needlessly activated it 15 days before it was needed, and 15 days before I would be completely let down by your engineer. Now I’m left in a position where I would lose £131.88 for cancelling a service from a company that has failed to deliver. To make this worse, my Virgin Media broadband will now deactivate before you are able to provide a replacement service.

Finally, I was told by your agent on my last call, that “as it stands we do go with the engineers notes”. Essentially, that means that when an engineer lies about visiting a property, you stick two fingers up at the customer, and charge them £50 for wasting their time. I have a full recording of all of the calls, as do you. You should listen to them.

So, in summary, here’s a list of the things I’m angry about:

·         You activated my line 2 weeks before the planned install, and now 4 weeks before the rebooked install, costing me £10.99 in wasted line rental.

·         Your engineer lied about visiting my property.

·         Your support staff believe the testimony of the lying engineer over that of the customer whose time you have wasted.

·         After being told on the first and second phone call that I would not be charged the £50 fee, I was STILL emailed, asking to pay it.

·         1 day of my time, wasted, at an approximate cost of £200 to me.

·         No broadband for several days due to delay.

·         Unable to get a full refund because (again) you activated my line 2 weeks too early. Now I’m stuck with the provider that screwed me over for at least a year.

Nobody at Plusnet has considered how I should be compensated for my inconvenience. Letting me off the £50 charge is NOT compensation. I SHOULDN’T HAVE TO PAY IT ANYWAY. I’m actually still out of pocket by: £10.99 + 1 day of my life/holiday + being stuck with a provider with no sense of customer service.  The worst thing is I can hear you right now thinking that I should think myself lucky that I weaselled my way out of the £50 charge.  

I’m sure you can understand, I’ve had enough of the service of Plusnet. I understand fully that this problem was caused entirely by one of your suppliers, but that is your problem, not mine. You have utterly failed in your response to rectify the situation.

Yours faithfully

Martin Long

A word of warning. Virgin DO NOT store your password securely.

Today I'm angry. I should be angry anyway - I have to work from home and my broadband service is down until "at least this afternoon". Worst than that, the customer service rep told me to "think yourself lucky" because some people would be out of service until the end of the month! What a professional way to inspire confidence in your service. Add to this that the Virgin Media Superhub just doesn't work, on so many levels, and you'd probably expect me to be fuming.

All of that pales into insignificance when you understand the real reason I'm so angry - Virgin's apparent lack of understanding for online security.

I phoned Virgin Media customer service this morning, to try and understand why my broadband was disconnected. The agent preceded to ask me a series of security questions: my account number; name; first line of address... my password?! I looked around the room, my wife and son were there. Now, I trust my family, but I don't give my passwords to ANYONE. Did I trust this guy on the end of the phone more than my family? "Oh, I'm only going to use it to verify who you are" he said. An argument ensued.

Over the next few minutes, it became apparent that Virgin have no regard whatsoever for online security. From talking to this agent, I was able to determine that he had my password displayed on the screen right in front of him. When I finally told him what my password was, and without telling him the quirky camel-case I used for the password, he was immediately, without pressing a single key, able to verify that it was indeed my password.

This means 2 things:

 1. My password is not secured securely, using a hash algorithm. If Virgin try to argue that it is stored securely, they clearly don't know what they are talking about.
 2. Darren, or Bill, or Jen at VM can see my password right there on their screen.

For the uninitiated I'll explain a little about hashing and password security at the bottom of this post. I shouldn't have to explain this stuff to Virgin, but clearly I do.

It gets worse - sometimes the customer service rep will ask you for two or three characters from your password. This gives the illusion of security, as you might get the impression that the service rep doesn't ever get to find out your FULL PASSWORD. However, it's just an illusion, and in fact, only confirms further that they do not hash your passwords before storing them. It's impossible to validate a hashed password with just a few characters.

Actually, number 2 bothers me a lot more than number 1. Not storing my password as a hash is bad. It's really BAD. But giving the customer service team access to my email and password is just unacceptable. I'd be tempted to say that Virgin should enforce a "two character" system, if it were possible to do that without storing unhashed passwords (it isn't). The approach that Virgin SHOULD take, is to implement a different security policy - one that doesn't require me to give my password over the phone. Maybe ask me a security question, or text a unique number to my mobile phone, or ask me for the MAC address on my router, just don't ask me for my RUDDY PASSWORD!

Then the rep tried to feed me a line. "This is a legal requirement, for data protection purposes". I'm afraid at this point he got an earful from me. It's true that VM do need to establish the identity of the caller before they can give out any personal information. However:

 1. They weren't about to divulge any personal information
 2. There are other ways of establishing my identity, without asking for my password

My BANK don't ask for my password over the phone. NOBODY DOES. Well, except for Virgin Media, and possibly Tesco too. I went on to explain to Darren or Bill, or whatever his name was, that I'm a software engineer, that I actually know a little bit about password security, and that there was no need for him to need to know my personal password. After assuring me that he really did need to know it "for legal reasons", he then preceded to mock me, saying "well, you're the expert!". Actually I told him I was a "security expert", which I'm not, but compared to him I am! Does Virgin even employ a security expert?

I use a different password for every site or service I use. With companies like Virgin Media and Tesco around you really have to, because you have no idea who can see your password. However, passwords are hard to remember, especially if you have to have a different one for every site you visit. If this means that you have to write your passwords down, they are even less secure, because now somebody else could get hold of them. This ultimately means that many people reuse passwords across many sites. It's not recommended practice, but lots of IT professionals do this. This means that companies like Virgin Media have a moral (and probably legal) responsibility to ensure your passwords are stored securely.

Virgin Media engage in so many bad practices regarding security, it's just gone beyond the point of neglegence. Sadly, these companies don't seem to even be aware of their cavalier attitude to security. Normally not until they have been compromised. Virgin even have a forum dedicated to helping users with internet security. Worst of all is the response when you try to point out that they have a problem. "Look, we know what we're doing", they say. We've seen this attitued from both Tesco and Virgin Media.

Just a look at Virgin's password policy should start to ring alarm bells: "8 - 10 characters long, letters and numbers only, no spaces, first character must be a letter". Why limit password entropy? I like to use punctuation characters in my passwords, as it makes them stronger. Why only 10 characters? Most of my passwords for other services use AT LEAST 12 characters. I'll quote Troy Hunt here: "someone’s got themselves a varchar(10) under there somewhere and it’s all sitting in plain text"

Continued pressure and exposure of Tesco has forced them to review their policies, and start to act. I wonder what it will take for Virgin Media to sit up and start taking online security seriously.

So how should it be done?

A little background about hashing (and salting)

Disclaimer: This is for illustrative purposes and not intended to be security advice. You should always observe security practices, such as PBKDF2 iterations, guard against XSS attacks, use expiring tokens, SSL etc. 

The problem with storing your password is that someone could get hold of it. That could be a disgruntled employee, or perhaps an employee that is a bit short on cash. Your online service could even get hacked. The main key to password security us to be able to validate your password, without actually knowing your password. Surely that's not possible? Enter the "hash algorithm"!

A hash algorithm is a ONE WAY encryption of your password. It scrambles your password up into a bunch of nonsense, in a way that it is impossible to unscramble it. Some hashes are more secure that others - a secure one is one that is cryptographically sound (i.e. it can't be reverse engineered), and preferably it takes time and computing power to generate a hash (this helps to prevent brute-force attacks, by trying every possible password).

Example:

Using an SHA-256 hash:

mypass123 -> e6e07510d6531af5f403d1e6d0eb997855b6453488aaee6a9dd10ad5133f936a

Try it yourself. Go to http://www.xorbin.com/tools/sha256-hash-calculator and type in "mypass123" and then compare the results.

When you sign up for a website or service, the provider SHOULD store the HASH of your password, not the password itself. This means that they don't know what your password is. If you lose it, they can provide the means for you to reset it, but they can't tell you what it was, and the customer service department certainly can't see it on their screen!

So, how do they validate your password. Well, you go to the login screen and type in your password: "mypass123", this gets sent to the server (hopefully over a secure SSL connection). The server then calculates the hash of the password you typed, and compares it to the hash it has stored in the database. If they match, then you must have typed the password correctly. Nobody is able to take the data from the database and figure out what you password is.

There are still some vulnerabilities associated with using a hash alone. Users with the same password, or a commonly used password, will have the same hash stored in the database. This gives a hacker certain clues that can be used to quickly "brute-force" some of the accounts in the database. This is overcome by included some random "salt" in the hash. A random number is generated for each user, and appended to the password before it is hashed:

mypass123+187456 -> 921e1d21705b45bd710aecadedb3e748e2ad9f1910e9f4b4a112d03e27857823

This salt is then stored in the database along with the hash. When the user types his password, the server adds the salt to it before calculating the hash and comparing with what is in the database. This means that if two users have the same password, providing they have different salt, the hashes will be different.

mypass123+187456 -> 921e1d21705b45bd710aecadedb3e748e2ad9f1910e9f4b4a112d03e27857823
mypass123+223547 -> ecaf0018e016361ac6d48db393489d5abaf8fe3d43ac78e6325c223baa59d202

The ICO are investigating Tesco for their lack of security when storing passwords. Virgin Media are not providing online commerce on the scale that Tesco are, however, security of users' passwords needs to be taken seriously.

Why I don't understand App.net

A lot of prominent technical blog figures seem to be raving about App.net. I still just don't get it.

1. $50 is well above my "just pay it" threshold. It's a new set of headphones, or a new graphics card or something. Given that I only give myself £100 a month 'pocket money', it's a considered purchase. 
2. I really REALLY want to ditch Facebook, but everyone I've ever known (just about) is on Facebook. Twitter is a smaller subset of people I'm actually interested in. Google Plus is by far the best platform, but so few people actually use it that it barely gets any attention from me. If App.net doesn't beat twitter in terms of penetration it will be basically useless. If people won't move away from Facebook for FREE alternatives, what chance does a paid option have?
3. People EXPECT online apps and services to be free. I know from experience that if 300,000 people will download something for free, only 24,000 will pay $1.60 for it. Increase that to $50, and make that a $50 per year subscription, I only see a small fraction of my twitter followers/followees to subscribe.
4. Right now, Twitter is just fine. I never notice any advertising, and clients work just ok. Maybe that won't be the case for ever, as it is clearly not sustainable. However, for now, it is just fine. If Twitter were to become Facebook, I would stop using it. Facebook is horrible, intrusive, plastered with ads and horrible crap that I'm not interested in (basically the Zynga stuff). 
5. No free tier. If I could pay $50 a year to turn Facebook into something more palletable - ie remove the ads, make it easier to use for me as a developer, and feel like I'm the customer, then I would pay that. However, there would need to be a free tier, because 90% of my friends would stop using Facebook if they had to pay for it. 

I understand that a lot of people are saying that this could be the next big thing, and they want to be part of that. Maybe I'm being naive about it, but how can I miss out? I'm not such an important internet figure that it's important to reserve my username now - my Twitter name is 'martinlong1978'. If this turns out to be the next big thing, then I'll subscribe as and when it becomes important for me to be a part of it. I have no doubt that this project will get 'funded'. This project isn't hosted on Kickstarter, it honestly wouldn't surprise me if they have rigged it to report success even if they fall slightly short of their target, or if key project members have pledged to 'make up' the difference at the last minute. Right now it is $467,000 of $500,000 - forgive me for thinking those numbers look slightly suspicious to me.

But what if it doesn't get funded?  Will social networks continue to spiral into the depths of evil? Twitter will become as bad as Facebook, Facebook will be owned by Beelzebub himself, and Google Plus will carry the motto "Do much evil".  Will I be blamed for not believing in it enough? Will I be chased through the streets by an angy mob with pitch forks, yelling "Hang him high, he ruined our last chance of salvation". I don't think so. If there is a space in the market for something like App.net, then it will happen, whether it is Dalton Caldwell behind it or not.

Then there is the proposal. It talks a lot about the concept, the idea of users paying for the service, the business model, motivations, and stakeholders. However, it doesn't really bring me any closer to understanding what I really get for my $50 in the first year. If I understand correctly, I get something like Twitter, with fewer people to follow, no ads, and use of any "app.net" clients that might pop up in the first year (which may not be many). Next, as a developer, do I pony of the $100 for the SDK? Well, how many of my users are going to demand App.net connectivity? I suspect this answer will be around the zero mark. Already the majority of my users post to Facebook, and a small proportion post to Twitter. I don't think App.net will have any effect on my sales whether I do or don't include it.

I have nothing against what Dalton is trying to do, and I hope it is successful. I really hope that App.net will allow me to ditch Facebook, though I have serious doubts it will. If Twitter increases sponsorship and removes client access, then I may have to ditch Twitter anyway, and App.net might prove to be a good alternative (I also think Google Plus could be a good alternative, but they need to add an API first). I just don't feel it is worth spending any money on yet, and that may be the overall problem.

I await the opportunity to be proved wrong.