28 October, 2003: Taking credit

[ Home page | Web log ]

(Actually, I have more interesting things to talk about than this, but not the energy to write them down right now. So you'll have to take that first bit on trust.)

A letter to Barclaycard:

Gary Hoffman,
Chief Executive,
Barclaycard,
1234 Pavilion Drive,
Northampton,
NN4 7SG

Dear Gary Hoffman,

I am writing to draw your attention to a serious problem in Barclaycard's procedures relating to changes-of-address which has caused me inconvenience and leads to a risk of fraud against me and other cardholders.

I have my Barclaycard bills and other correspondence delivered to my family's home in London, whence it is forwarded to me at my current home address. I take this precaution with Barclaycard and other financial institutions since such companies are often poor at updating address details for their customers, and since my address has changed fairly regularly over the last few years and can be expected to continue to do so over the next few years, it would be foolish to expose myself to the risk that any of the companies with which I do business would foul up a change-of-address.

Recently Royal Mail delivered a redirected Barclaycard statement to Barclaycard, rather than to me. As you will be aware, Consignia isn't exactly the most competent of organisations, and such errors sometimes happen.

According to your customer service staff, Barclaycard interpreted this as an instruction to change my billing address, without ever consulting me. Apparently this is your `policy'.

Comment: observe how this justifies my concern about the correct processing of change-of-address information, though naturally in a way which has caused me the greatest possible inconvenience.

To change the address back (to that given at the top of this letter), I had to give all sorts of `security' details: my birthday (or `six digit pass code' as your telephone answering machine calls it before helpfully explaining what it really means), the card's expiry date, and the CVV2 check digits on the back of the card.

Note the contradiction. Anybody can have my Barclaycard mail -- including, for instance, future cards and PINs -- delivered to their own address by intercepting a single piece of my mail from Barclaycard, and sending it to Barclaycard with a new address on it. But I, as the cardholder, have to go through a complicated -- ostensibly `secure' -- procedure to have the problem fixed.

Comment: this is backwards. It should not be easier for an arbitrary third party to change the address details held by Barclaycard for my account than it is for me to do so.

Barclaycard did not notify me that it had changed my contact address. Your service staff told me that such a notification should have been sent to me, but none was received. Obviously this part of your procedure is -- if followed at all -- not reliable.

Comment: this is as expected, since your notification procedure involves sending a letter to a someone about whose address you must a priori be uncertain. In order to do this properly, you need to contact the customer by some other means, for instance telephone.

This failure reliably to confirm changes-of-address means that, if my contact address had been changed by a fraudster, I would not know about it until it was too late. Indeed, such a criminal could then ring Barclaycard, report the card as stolen, and get a new one delivered to their own address. And, not knowing the new cardholder address, I might not be able to `authenticate' myself to Barclaycard's computer system to find out what had happened.

Comment: this is stupid.

Therefore---

Yours sincerely,

Chris Lightfoot

Of course, this would be much easier if they'd just email me statements. But Barclaycard clearly aren't great fans of email, and have obviously invested so much in their rather feeble web efforts that the chances of them switching to a more sensible internet protocol now are pretty small.


Copyright (c) 2003 Chris Lightfoot; available under a Creative Commons License.