August 15, 2016

A security nightmare

And I'm not talking about disaffected youth with grudges, religious mania or a right to keep and bear arms under the Second Amendment.

I'd had the same email address for donkey's years, provided by a British telco company. I kept it when I moved to Australia so that old work contacts would still be able to find me to offer employment. (In fact, that's only happened twice in more than six years.) Long after I no longer had a telephone line or internet with the telco, they began to charge for my email, but only about £1.20 a month, which was acceptable. A few months ago however, without warning or explanation, they increased that charge by more than 300%. I thought that was a bit rude. The Direct Debit Guarantee (UK) stipulates that you must be notified in advance of any changes to the amount, date or frequency your of direct debit. I never received such a notification, but that doesn't mean it wasn't sent.

When I was in the UK a few weeks ago, I phoned them. I had to hang on for 15 minutes before I got through to a real person. There was no apology; nor an explanation of the size of the increase; only that I wasn't on a contract so I had to pay more. A contract for an email? Were they serious?  I could be on a contract for £1.80 – still a 30 per cent increase – or non-contract for little short of £6.

Then we got cut off. So I was cross as well as outraged. I went online banking and cancelled the  direct debit immediately.

Before I returned to Australia, I called them again. I'd decided it was time to start using my other, dormant email. I offered to pay the telco for three months, to give me time to let everyone know of my 'new' address, and asked if I could then close the account online. No, I would only be able to cancel by phone. Call from Oz with the hang-on waits the company is famous for? I don't think so. The woman said she would transfer me to billing, but I couldn't face another lengthy wait.

I returned with the intention of getting the new address up and running right away, but there were distractions and more urgent jobs to do. Two weeks later my email stopped working. Of course, I assumed it was because I hadn't paid them. I frantically sent out notifications of the alternative address to my contacts, and started working my way through a long list of organisations who either email me or use my email as ID.

All went smoothly at first. Some updating processes were more straightforward than others.

Recently, I have observed increased sensitivity – some would say over-sensitivity – to perceived security breaches. Twitter, for example, frequently sends an email telling me they've 'noticed a recent login attempt from an unusual device or location'. This usually follows me accessing Twitter on my mobile rather than my computer! They recommend a change of password, which I ignore.

Then one day, they locked my account (see top). I had to change my password to 'secure' my account before I could access Twitter again. You can probably guess what's coming. Once you start the process they have to send you an interim password, to the email address they have on file, the one I could no longer use. Believing there must be a way to solve the problem, I spent hours going round in circles but always coming back to the dead end, my unusable email. I sent Twitter 'Support' three, increasingly desperate, messages. I explained that I do not use my account for frippery; to follow celebrities, friends or sporting idols; but to further my environmental research for the blog or my volunteering. I explained that my email address had been terminated for me, not by me, and that contacting the provider was unlikely to achieve a result for a number of reasons.

Twitter don't care to use discretion, however; to consider a plea for reinstatement on its merits. This was their final over-and-out, you're on your own, mate, response, after which they went deathly quiet. (Click to enlarge.)
Having built up a number of followers, starting up a new account wasn't an option. My followers' details were locked away in my current account. I didn't believe that phoning the UK telco would get me anywhere if they'd terminated me.

I beat my head against a brick wall for a few more days. I was stumped. I missed tweeting, and checking the latest enviromental news via trusted followees.

There was no alternative: I had to phone the telco; throw myself at their mercy; throw money at them; plead my case for reconnection; anything, to get Twitter back.

There was such a narrow window, at the beginning of the UK working day, 5pm in Oz, to avoid hanging on to the point of financial ruination. The first time, I spoke to a helpful chap, but he was puzzled because my account had not been 'restricted'. He concluded that I would have to speak with the email team. I had already seen in online chat rooms that the email team waits were particularly lengthy and problematical. So, I tried a couple of times to 'chat' online with an advisor. They confirmed what the first man had said.

I summoned up all my strength and wherewithal and rang the number they gave me. I was convinced, even if I reached a real person, that all attempts to reconnect my old email would be thwarted. But, surprise, I got through quickly, and discovered they hadn't annihilated me. Without further ado, the lady gave me a temporary password and talked me through restoration.

So, a result, and easier than anticipated. But I could have so easily been condemned to Twitter silence forever more. I have yet to tackle the same problem with LinkedIn, which I am living without much more easily.

The most pertinent issue remains, however. According to Twitter's so-called support, these almost insurmountable hurdles, aka account verification requirements, are in place to protect accounts and private user data. But if the measures lock out the account holder to the extent they prohibit any course of action, then data protection is a secondary issue. Security hoops are held ever higher and they're flaming: it is time to introduce flexibility and discretion into the madness. An end to faceless 'support' would also be helpful.

One lesson here is clear. If your email is 'compromised', act quickly, otherwise problems will quickly escalate and your stress levels head off the scale.


2 comments:

  1. Fellow Brit in Bris here (long time reader, probably no-time commenter)

    Being in control of your own email is the lesson you've learnt. Having a @btinternet.com or @bigpond.com.au account is a lock-in to that provider, and you're entirely at their mercy.

    Registering your own email address - or even using one from Gmail - that is independent from your ISP is always a massively good plan. Apart from anything else, it looks nice. And it gives you ultimate flexibility in what you do in the future. garlick.id.au is available... :)

    Twitter's in a no-win situation here: there was no way of proving that you were who you said you were; and your email problems weren't their fault. "Discretion" sadly simply means a loop-hole that others could exploit.

    ReplyDelete
  2. Hey James,
    Thanks for your interesting comments and suggestions. You're right, of course.
    I am having a website designed at the moment for transferring the blog. (As you say, it looks better.) I should have an email associated with that.
    Re Twitter, I realise discretion is a pipe dream, but sometimes I get fed up of being assumed to be a bad guy rather than an honest one with an IT problem that's beyond her ken.

    ReplyDelete