
OK, so we paid a bill late, but did BT have to do this?

Just between us, they told everybody...


Opinion

One of the pains of running a business is billing and cash collection, especially if your customers are big. It really doesn’t matter what you put on the quote or the invoice, they pretty much pay you when they feel like it, and 60 days is usually the quickest if you’re lucky. In effect, SMBs act in aggregate as an unwilling source of free cash for large enterprises, and there’s very little you can do about it.

But what about the other way around? When BT sends us an invoice, they want it paid within 14 days. And being principled about these things, the person who runs our accounts has dutifully sent a cheque on or about the due date for the past several years. For the latest BT invoice, though, what with holidays and other things going on last month, the bill hadn’t been paid by the day it was due.

So what would you expect to happen? The usual routine when collecting money is to send some kind of reminder or call the accounts payable department and sweet-talk someone so your cheque gets cut in the not too distant future. You might therefore think that an obvious thing to do would be for BT to send an email to the registered contact person for the account.

What actually happened, on the day payment was due, is best put in the words of my non-technical colleague: “I have had this threatening message come up in my browser, and it won’t go away. I think I might have a virus”.

Here is what they saw:

[Screenshot: the BT payment reminder page as it appeared in the browser, customer reference blanked out]

Now you probably do as we do and drum into non-technical users that they should never click on links and buttons appearing in unsolicited messages or on anything that pops up unexpectedly, no matter how authentic things might look. And this seemed even more suspicious given the number of spam calls we get that start with the question “Can I speak with the person that looks after your BT account?”

Suspecting scam or spam, the user did the right thing and called BT to check what was going on. In the meantime, everyone else on the network had their internet connectivity blocked with the same persistent message appearing in their browser.

And remember, this was on the day the bill was due – it wasn’t even overdue yet!

As suspicious as it gets?

It was at this point that I entered, and took over the call to BT. The agent explained that this was BT’s way of reminding us to pay, and that the user should have known this was authentic because it had our customer reference in the top right hand corner. I have blanked out that reference on the above image because it is actually the login ID entered into the router to authenticate the DSL connection. The format is c999999@hg99.btclick.com, which is not going to be meaningful to a non-technical person. And as our user pointed out, a link labelled “Is this page authentic?” is probably as suspicious as it gets.
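Neither a customer reference printed on the page nor an “Is this page authentic?” link proves where a page came from: anything sitting in the path of plain HTTP traffic can serve both. The check a practitioner would actually run is the one operating systems use for captive-portal detection: fetch a small URL whose exact plain-HTTP content is known in advance and see whether the origin or something in between answered. The script below is an added example written for this article, not code from BT or from the original piece; the probe URL, the expected body and the sample responses are constructed for illustration.

```python
"""Detect in-path HTTP interception (captive portals, ISP interstitials).

Added example, not part of the original article. Fetches a plain-HTTP URL
with known content and classifies the answer: a redirect or a rewritten body
means something between the client and the origin answered for it.
"""
import hashlib
import re
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed for this example: a static text file on a host you control,
# served over plain HTTP so an interceptor *can* substitute itself for it.
PROBE_URL = "http://probe.example.invalid/ok.txt"
EXPECTED_BODY = b"connectivity-ok\n"
EXPECTED_SHA256 = hashlib.sha256(EXPECTED_BODY).hexdigest()

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Markers typical of an interstitial substituted for a plain-text body.
HTML_MARKERS = (rb"<html", rb"http-equiv=[^>]*refresh", rb"<form")


def classify_response(status, headers, body):
    """Classify one response to the probe.

    headers: dict with lowercase header names. Returns (verdict, detail),
    verdict being "ok", "intercepted" or "error".
    """
    if status in REDIRECT_CODES:
        # A redirect away from a static text file is the classic
        # captive-portal signature: the in-path device answered, not the origin.
        where = headers.get("location", "<no Location header>")
        return "intercepted", "redirect to %s" % where
    if status != 200:
        return "error", "unexpected HTTP status %d" % status
    if hashlib.sha256(body).hexdigest() == EXPECTED_SHA256:
        return "ok", "body matches the expected hash"
    # 200 with the wrong body: the response was rewritten in transit.
    reasons = ["body hash mismatch"]
    if "html" in headers.get("content-type", "").lower():
        reasons.append("Content-Type is HTML for a text probe")
    for marker in HTML_MARKERS:
        if re.search(marker, body, re.IGNORECASE):
            reasons.append("body contains %r" % marker.decode())
            break
    return "intercepted", "; ".join(reasons)


class _NoRedirect(HTTPRedirectHandler):
    """Report 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_live(url=PROBE_URL, timeout=5):
    """Fetch the probe URL from this network and classify the answer."""
    opener = build_opener(_NoRedirect())
    req = Request(url, headers={"User-Agent": "connectivity-probe/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read()
    except HTTPError as err:
        status, hdrs, body = err.code, err.headers, err.read()
    headers = {k.lower(): v for k, v in hdrs.items()}
    return classify_response(status, headers, body)


if __name__ == "__main__":
    # Constructed responses standing in for what different paths return.
    samples = {
        "clean path": (200, {"content-type": "text/plain"}, EXPECTED_BODY),
        "portal redirect": (302, {"location": "http://reminder.example.invalid/"}, b""),
        "portal rewrite": (200, {"content-type": "text/html"},
                           b"<html><body>Payment has not been received. "
                           b"<a href='#'>Is this page authentic?</a></body></html>"),
    }
    for name, (status, headers, body) in samples.items():
        verdict, detail = classify_response(status, headers, body)
        print("%-16s -> %s (%s)" % (name, verdict, detail))
```

Run `probe_live()` from a machine on the affected network; an interceptor of the kind described above will show up as a redirect or a rewritten body rather than the expected text. The same interceptor cannot impersonate an HTTPS origin without triggering a certificate error, which is why the probe is deliberately plain HTTP.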

The BT agent told me to just click on the ‘Yes’ button and acknowledge the next message that pops up which highlights that payment has not been received, and that would remove the suspension. After that, everything was back to normal and the team here was back online.

Use of alerts that mimic malware behaviour is not helpful

As a result of this episode, I donned my industry analyst cap and contacted BT. As part of an extended conversation over the following couple of weeks with one of the senior managers responsible for ‘customer experience’, we discussed the following concerns:

Use of alerts that mimic malware behaviour is not helpful. Even if we accept this as a legitimate reminder mechanism, telling users that they can make an exception in the case of such messages from BT runs the risk of confusing them and encouraging assumptions to be made in other situations.

The indiscriminate nature of the reminders could easily cause embarrassment. The message pops up on the screen of every user that has a browser open on the local network. The business owner may not be comfortable having accounts-payable matters pushed into the face of every employee. And what if someone is sitting shoulder to shoulder with a customer when the threatening message appears?

The tactic appears to be quite heavy-handed, especially as the alert appears on the day payment is due. Such tactics for persistent, extreme late payers might arguably be more justifiable, but it seems excessive as a routine part of the cash collection process.

During my discussions with BT, I agreed not to publish any of the specific responses that were provided to me. What I can say is that time was taken within the BT team to understand my concerns and there appeared to be a will to do the ‘right thing’. I can’t say any more, other than that there is still a question-mark over what the ‘right thing’ translates to in terms of changes in policy or behaviour, if any. However, I agreed to provide the BT guys a link to this article so they can respond in their own words.

In the meantime, given that BT is in a unique position to use this kind of alerting mechanism, I would be interested in the views of Reg readers on things the BT customer experience team should think about as it further considers what’s appropriate in this area. ®

Bootnote

BT have been in touch with us, and given the following statement:

“As Dale Vile says at the end of his article we appreciated the feedback and were keen to understand the concerns, and we are changing a number of things as a result.

“The on screen reminder is only one of several reminder mechanisms we use with our non-direct debit customers including letters, emails and calls. It’s certainly not our intention to cause embarrassment or raise any security concerns and therefore we are changing the actual message and are making the procedures to validate it much simpler and effective.

“We would also like to make it clear that BT is committed to ensuring that all our dealings with suppliers – from selection and consultation, to recognition and payment – are conducted in accordance with the principles of fair and ethical trading – this is stated in our policy statement ‘The Way We Work’. We are also a signatory to the UK Government’s ‘Prompt Payment Code’.”
