Poor TfL, about to get a bout of my ire, and while they are not the only miscreants in this area, what I just saw is pretty high up the rankings of poor practice.
I have to change my Oyster prepay top-up card details today, as my bank card has expired. So, for the first time in a year, I log in to the Oyster website, or more accurately, after several attempts at retrieving a long-lost password, I log in.
Then I am presented with a page asking me to update all my account details.
Not a problem — until I get to the security questions.
I need to provide them with a 6-digit passcode to use should I ever need to phone customer care. There is no option to say “no thanks”, I must enter a code.
Problem is, I am hardly ever going to phone up TfL, except in the most egregious of difficulties, and at that point in time, am I really likely to remember a 6-digit passcode I may have typed into a website a number of years ago?
Not a hope. Seriously, not a chance. I’ve nearly forgotten what I typed in a few minutes ago, as I just had to enter something, anything — junk in fact.
So, in order to be more secure, they have basically locked me out of the telephone customer care system. Which is one way of making my account secure!
Except that if I am phoning them up, then it’s because there is a damn serious problem, and the last thing I am going to want to do is waste time arguing about some damn fool passcode I won’t have remembered.
It wouldn’t be so bad if it were a 4-digit code, as I could use a bank PIN, but that is probably why they decided not to allow such a code to be used.
But, it gets worse!
They also want a security question to be filled in — and worryingly, they require that I provide answers to their preset questions. I can’t type in a question of my own, and provide an answer, I have to answer their questions.
Fortunately, there is one, just the one, that I can answer in the list. However, I have often found websites mandating this sort of thing where I absolutely cannot answer any of the question options they present.
In that sense, by happy accident, I am able to fill in the TfL question — but honestly, how many people can remember their very first birthday? Seriously?
Apart from the sheer difficulty sometimes of answering questions to which I have no answer, a single (hopefully encrypted) answer in a database is less secure than a free-text field with a user-submitted question and an encrypted answer, since two records are more hassle for hackers than one.
So, someone at TfL has decided that an Oyster account that has “limited use to a hacker” information on it is deemed so sensitive that it has to have both a 6-digit passcode AND a preset security question in case I ever need to phone up customer care.
I just hope I never have to do so, as I am sure I won’t remember the answers I gave today.
As XKCD said recently, “Through 20 years of efforts, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”
Finally though — it is very bad industry practice to ask people to tick a box on their email contact preferences to opt out of mailings.
The default should always be opted out, unless I tick to opt-in.
Not just good customer service, but actually good email policy, as people are less likely to mark unexpected emails as spam, so the email sender’s reputation score is protected against spam filters.
This is just poor email management when practised by any organisation.
Curiously enough, I wasn’t asked if I would like to opt-in to the weekly email listing travel disruptions this coming weekend. It’s a very good email, and one I suggest everyone should get — but it wasn’t an option here.
I will be generous and presume their clever system knew that I already get the email, but sadly, I suspect that it doesn’t, and the option was simply missing.