TSB Upgrade issues

Soldato
Joined
1 Jun 2013
Posts
9,315
Speaking as someone who worked for two of the big telcos, and specifically in the SMS area for one, I'm wondering how the system relies on call centre staff?

SMS to mobiles is being outsourced as part of the bank's security infrastructure - but the banks don't control it, and do not have control over the training of the staff that run it. By running successful social engineering attacks aimed at the telco's staff, the integrity of the bank's two-factor authentication system is being compromised.

The banks would be far better off running some kind of software securid-style hashing app where they control the generation of passcodes over SMS, rather than just relying on a clear-text authentication from a phone number that can be easily appropriated by fraudsters. There would still be the weak point where a fraudster could try to have a new phone/app's hash resynced with the bank's server, but then they would be dealing with bank staff trained to look out for social engineering, and could have procedures in place to stop it (security questions, new code sent by post, etc). This would be far more secure than relying on a telco's staff who are not trained in spotting and responding to banking fraud attempts, and in many cases would actually be trained to help the customer transfer to new phones/numbers.
 
Caporegime
Joined
29 Jan 2008
Posts
58,912
Speaking as someone who worked for two of the big telcos, and specifically in the SMS area for one, I'm wondering how the system relies on call centre staff?

well allegedly the customer who got ripped off in the earlier post was a result of the mobile company transferring his number to another phone thanks to some social engineering - though given the state of journalism when it comes to tech articles I'm wondering if that isn't really the full picture - I mean how easy is that to actually pull off - surely the PAC code gets sent to his existing phone unless they're perhaps also able to convince the mobile company that it has been stolen, in which case surely he'd be alerted to that as soon as his phone gets blocked


@sideways14a - mate I agree with your sentiments completely but, just a heads up, you should censor that swearword and the word after 'technical' in your post else you'll risk getting an infraction or suspension if the mods have to do it for you
 
Associate
Joined
31 Aug 2017
Posts
2,209
Thanks Dowie, I have edited my post, although I am uncomfortable with having to censor my words, you're right in that this forum has a less than ... liberal approach to wording..
Which being Scottish is rather hard sometimes to put aside ;)

As for the actual point... I don't trust for a flipping microsecond tech journalists... yeah the full picture is rather obscured with some haze... also known as backhanders/early samples/sponsorship etc...:p
 
Soldato
Joined
23 Dec 2009
Posts
18,172
Location
RG8 9
Customer accounts and details became visible in the monumental I.T. balls up. Fraudsters stole the information and probably sold it on to some other fraudsters who either smished or phished the victims, or merely hijacked their mobile number by a simple SIM change or port out; they had all the info needed to pass secondary DPA with the info stolen from the bank. Once they have control of the number they can pass 2FA with TSB and steal all the money.
 
Caporegime
Joined
18 Oct 2002
Posts
26,098
Speaking as someone who worked for two of the big telcos, and specifically in the SMS area for one, I'm wondering how the system relies on call centre staff?

As others have said, the act of delivering a one-time code doesn't rely on call centre staff, but ensuring that those codes are only delivered to the intended recipient does rely on them. If you have someone's address and bank details and mobile number then how effective do you think most call centre staff are going to be at handling a customer getting increasingly worked up that you can't send them a working SIM card and oh by the way they moved house two weeks ago, when the emphasis is on providing customer service rather than being gatekeepers. They won't have access to see that the cells the phone has been sat in are nowhere near this new address, they will likely be marked down on reviews if they keep having to escalate to management, and they aren't really paid enough to intentionally make a situation more hassle than it needs to be.
 
Caporegime
Joined
29 Jan 2008
Posts
58,912
Is there an argument for me to be able to remortgage all accounts to another provider without penalty? Anyone with a TSB mortgage looked into this?

if you want to remortgage then just do it

though if you're trying to use this to get out of a fixed rate deal early without paying a penalty then it is hard to see what excuse you'd have there
 
Caporegime
Joined
13 May 2003
Posts
33,962
Location
Warwickshire
if you want to remortgage then just do it

though if you're trying to use this to get out of a fixed rate deal early without paying a penalty then it is hard to see what excuse you'd have there
One of the accounts cannot be transferred to another TSB product due to their system issues, forcing me into either staying with TSB on the SVR or moving to another provider. I basically want all my mortgage accounts with a single provider.

If that's not reason enough then fine.
 
Caporegime
Joined
29 Jan 2008
Posts
58,912
One of the accounts cannot be transferred to another TSB product due to their system issues, forcing me into either staying with TSB on the SVR or moving to another provider. I basically want all my mortgage accounts with a single provider.

If that's not reason enough then fine.

is your/are your other mortgage(s) in any fixed rate periods?
 
Associate
Joined
6 Jun 2018
Posts
40
I've had experience of people in India who have dealt with queries much better than UK based staff have more often than not.
You're lucky. I've been an IT contractor since the late 80's. From 2001 to 2005, when I lived in the US, I'd say more than half my business was fixing or completely re-writing applications that came back from offshore firms in India. I had never seen such shoddy code in my life. Sometimes, the code was so bad, I couldn't help but laugh out loud which didn't help the mood of the red-faced managers that were responsible for such a "brilliant" strategy in the first place. None of these firms hired real coders. It appears that unless you fail to fog a mirror, you'll be hired as a "senior programmer" at any Indian firm. I could have brought in a 14 year old kid in high school to do a better job than that. The shoddiness of Indian offshoring work is legendary in IT circles - it's not even debatable. I'm convinced that anyone who says otherwise either works for one of them, or has no forking clue about developing IT systems.

To add insult to injury, these offshore firms shamelessly lie about their billing hours. In fact, last year, I was at a major bank where I went over the source code repository of changes made by the offshore firm. I noticed in almost all the cases, the company was billing 50+ hours for mundane things such as changing a label on a report - something that would take any self respecting programmer about 15 seconds to do. They would claim 20+ hours of testing for things like this :eek: Companies who hire these yokels aren't saving any money - it just looks that way on paper for a few quarters; but by then, they've already cashed in on their bonuses.

It's no wonder that banks are feeling the pain now. IT is the backbone of a bank and yet it has been the victim of relentless budget cuts and a race to the bottom for the cheapest technical talent they can find. They've accumulated loads of technical debt over the years on which they've only been paying the interest (hence the 80% of IT budgets spent on maintenance of legacy (read: practically unusable) systems). Now the principal is coming due - and that's going to hurt badly; we see it already.
 
Soldato
Joined
29 Jul 2010
Posts
23,767
Location
Lincs
I'm convinced that anyone who says otherwise either works for one of them, or has no ******* clue about developing IT systems.

(hence the 80% of IT budgets spent on maintenance of legacy (read: ******) systems)

Welcome to the forum, and for once an actual intelligible first post! :)

Though since you are new around here, the rules don't allow disguised swearing (though dropping one letter is hardly disguising it :p) so if you don't want a suspension I'd fully star out both swearies :)
 
Associate
Joined
6 Jun 2018
Posts
40
Welcome to the forum, and for once an actual intelligible first post! :)

Though since you are new around here, the rules don't allow disguised swearing (though dropping one letter is hardly disguising it :p) so if you don't want a suspension I'd fully star out both swearies :)
Fixed! Thanks ..
 
Associate
Joined
6 Jun 2018
Posts
40
It does in many projects without a lot of care and a handful of luck. It works well for smaller projects that aren't critical. For larger projects it really pays to have proper planning, and extended testing and evaluation periods before anything goes close to the production environment.


The salary is lower due to living costs, not the quality of the engineering. The quality standards are often higher than you could get buying UK based engineering

Sorry, I don't believe it - not a single word. I've seen a lot of work coming from India. Never, and I mean not even once did I ever see any good code come from there. In fact it's been laughably poor. I have no doubt India must have some great programmers - but they won't be sitting in some coding sweatshop working for the lousy 20% of the prevailing UK wage. You get a good local developer, and that person will nearly always perform the same work 10-20x faster. Sure, they may have a higher day rate, but they're vastly cheaper when you compare pay vs. output.
 
Soldato
Joined
18 Oct 2002
Posts
6,830
Location
London
You're lucky. I've been an IT contractor since the late 80's. From 2001 to 2005, when I lived in the US, I'd say more than half my business was fixing or completely re-writing applications that came back from offshore firms in India. I had never seen such shoddy code in my life. Sometimes, the code was so bad, I couldn't help but laugh out loud which didn't help the mood of the red-faced managers that were responsible for such a "brilliant" strategy in the first place. None of these firms hired real coders. It appears that unless you fail to fog a mirror, you'll be hired as a "senior programmer" at any Indian firm. I could have brought in a 14 year old kid in high school to do a better job than that. The shoddiness of Indian offshoring work is legendary in IT circles - it's not even debatable. I'm convinced that anyone who says otherwise either works for one of them, or has no forking clue about developing IT systems.

To add insult to injury, these offshore firms shamelessly lie about their billing hours. In fact, last year, I was at a major bank where I went over the source code repository of changes made by the offshore firm. I noticed in almost all the cases, the company was billing 50+ hours for mundane things such as changing a label on a report - something that would take any self respecting programmer about 15 seconds to do. They would claim 20+ hours of testing for things like this :eek: Companies who hire these yokels aren't saving any money - it just looks that way on paper for a few quarters; but by then, they've already cashed in on their bonuses.

It's no wonder that banks are feeling the pain now. IT is the backbone of a bank and yet it has been the victim of relentless budget cuts and a race to the bottom for the cheapest technical talent they can find. They've accumulated loads of technical debt over the years on which they've only been paying the interest (hence the 80% of IT budgets spent on maintenance of legacy (read: practically unusable) systems). Now the principal is coming due - and that's going to hurt badly; we see it already.


agreed. great post.
 
Don
Joined
7 Aug 2003
Posts
44,308
Location
Aberdeenshire
My experience of outsourcing to India is that anyone worth their salt will have emigrated to the U.K./US leaving behind dross.

Previous company I worked at had laughably bad work done out in India and the amount of rework by engineers here would have completely blown out the water any cost saving they had made by putting it out there in the first place.
 
Soldato
Joined
12 Jul 2007
Posts
7,913
Location
Stoke/Norfolk
TSB to be investigated by the FCA for IT Meltdown - Unsurprising really considering the calamity but it's also interesting to see the head of the FCA saying that the bank's UK boss Paul Pester was "overly confident and optimistic" when giving a brief to MPs which is very polite terms for "talking out of his backside" and, as the FCA had its own team within TSB to monitor the correction work and could actually see that Pester was talking rubbish, I'm surprised that more isn't being made about his claims to MPs.
 
Caporegime
Joined
29 Jan 2008
Posts
58,912
Is there anything to suggest this upgrade was developed in India? I'm not sure the Indian comments are really relevant here.

Though since the subject has been brought up I'll comment that I too have worked with these Indian people.... (and am familiar with promises of an "updation" or statements that they will "do the needful").

Joking aside there are good Indian developers out there (sure some of them do obviously emigrate to higher paying countries). There are also some cultural issues that cause problems - firstly plagiarism/corruption is rampant in Indian universities, secondly nepotism is pretty rampant too - so essentially you can get people with both a degree and some experience that really don't mean too much.

There are cultural issues relating to loss of face too, they don't want to admit fault and it is in their culture to lie rather than lose face. This can be both amusing and frustrating when it comes to say annual reviews where employees fill out a self appraisal form grading themselves from 1 to 10 on different areas and half the Indian team has graded themselves 10 for everything. It can also be frustrating if they answer a question by trying to guess what you want to hear rather than just telling the truth (especially if it relates to something they might have done incorrectly), or sometimes just answer "yes" to a question that isn't a yes/no question.

But anyway there are good ones out there but people have understandably had some bad experiences with others.
 
Caporegime
Joined
29 Jan 2008
Posts
58,912
It certainly seems like they rushed this project in order to hit some arbitrary targets in order to collect some bonuses. There ought to be some sackings over this (like most of the senior management), frankly the whole business deserves to fail if consumers actually bothered to move current accounts after receiving such bad service.
 