7DayShop security - lack of transparency, or understanding?

[Short link to this post if you need it - http://goo.gl/6o5zL - or retweet me]

Recently a number of people received password reset notifications from the 7dayshop website - a site that many people I know use that supplies batteries, camera accessories and the like, and I've used them for a few years now. The email came through as the sort of email you get when you go to a site and request a password reset. The notification included the text

  There was recently a request to change the password for your account.

  If you requested this password change, please click on the following link to reset your password: [Link removed]

  If clicking the link does not work, please copy and paste the URL into your browser instead.

  If you did not make this request, you can ignore this message and your password will remain the same.

So there is no indication in there that it was intentionally sent out by the company, and the last line explicitly seems to suggest otherwise. Now this, understandably, made a few people panic and go around change many other passwords in case the site had been somehow compromised. So what had happened to make so many people receive password reset notifications - was it a real attempt to break into people's accounts? Here's a perfectly reasonable train of thought by anyone who takes security seriously.

1. Maybe someone's trying to break into my account
2. If such an attacker is doing a reset in this way, maybe it's because they've already broken into my email account and can get the notification
3. Maybe they've already reset a number of other accounts this way, and already comporomised my other online accounts
4. I might not know if they've done this, as they could delete the evidence if they have access to my mailbox!
5. I'd better change all my passwords on all my systems.

The above thought process is entirely reasonable, and obviously generates a bit of work for the person receiving 7dayshop's mail.  So what really happened?

I found some more information when later in the day they made this post on their facebook page suggesting that as a result of changing their website they had "improved security". The also acknowledged "I agree that the wording could have been better but we will learn from our mistakes" OK, both those points are superficially good things, but it also included the following:

"all customers who had passwords less than 5 characters or passwords with special characters, which were not transferred over to the new site, were sent a new computer generated password."

OK, so that might explain the reset requests - although "sent a new computer generated password" isn't quite the same as "We've forced the reset process on you and suggested you'd initiated it yourself" More worryingly is that they appeared to know which passwords were <=5 characters. Surely any site that hashes passwords properly would have no idea how long the passwords were? They have confirmed that passwords were encrypted before and after the update - I suppose it's possible they're stored with an encryption key somewhere rather than a 1-way hash algorithm, although that would mean if that key is stored on their servers it's potentially subject to compromise if someone gets into their systems, so is less than ideal. Another comment they made to me was this:

A number of customer records did not migrate correctly onto our new system. We issued an email to these customers informing them to change their password. We received great feedback from our customers that implied the majority of issues were due to short passwords

I have to wonder who was providing this "great feedback" - I wouldn't normally think to tell the company I had a short password when I get a random reset notification, so I wonder what the nature of this feedback is. I emailed "Mandy" mentioned in the facebook thread, but that did not elicit a response. In order to try and get some concrete information I chose to email their customer support directly, instead of the general customer service people on Facebook. This is how it went:

---

Hi, I've tried to get this question answered via your facebook page, but the person on the end doesn't appear to answer the issues directly, merely skirting around the issue. I also tried emailing the address they gave me in that thread, but did not receieve a reply. All I'm getting is "We take security very seriously" and "we store encrypted passwords". Can you get someone with a clue about online security to please answer these two questions:

1) Were the passwords encrypted PREVIOUSLY i.e. prior to the site makeover.

2) If the answer to the first question is no, how do you know which passwords had the problem. You refer to vague "migration issues" but what were the issues that lead you to believe that the 5 character etc. ones were the ones that caused problems. If encrypted/hashed, you wouldn't be able to tell, and it shouldn't have mattered. Vague "feedback from our customers that implied the majority of issues were due to short passwords" is dancing around the question.

Please back up your statement about taking security seriously by providing answers to the questions. since if you haven't got someone who is technically capable of understanding the questions, then you cannot claim to take security seriously.

I'm just looking for a straight answer

---

And here is the response I got:

Hi Stewart

1. yes
2. Some records did not load. We dont know the exact reason. But customers mentioned about short passwords. Seems a logical link.

Is that straight enough?

---

So there you go - they have no technical explanation, and merely anecdotal evidence that the "migration failures" were caused by short passwords. I find it very strange that they would not be able to know for sure based on the sorts of failures they were seeing what caused the issues. Based on the evidence the most likely explanation seemed that they were previously unencrypted, and the insertion process into the new system had stricter rules, which many people's passwords were violating. But we have to believe them when they say that wasn't the case and that they've always been encrypted. But if a developer of a site for my company came to me and said they couldn't provide an explanation for password migration failures other than anecdotally from the end users, I'd be very concerned as to their competence. On the basis of them now knowing why they're system had problems, I do not see myself dealing with 7dayshop in the future.

Three - doubling the cost of my (3Pay) tariff so I've moved network

[Short link to this article if you need it: http://goo.gl/bSY0x - or retweet me]

For the past two years I've been on UK mobile network Three's "3Pay" tariff. And I won't be paying any more money to them. This tariff was the whole reason that I bought a SIM free handset at full price instead of going for a contract. Overall, it worked out more cost effective for me with the usage I have. The details of the 3Pay tariff are here, and the change was made so that the 'bonuses' (i.e. inclusive stuff) now expire after 45 days instead of 90. Unfortunately I can't provide a link to the change announcement because inexplicably this link only works of you're connecting via 3's network. So here's a cut & paste of the text from it:

You’re currently on 3Pay, one of our older Pay As You Go Tariffs, which we are updating. 

On the 3Pay tariff, you get a bundle of free texts, internet and Three-to-Three calls which last for 90 days, every time you top-up. From the 13th of March, you’ll still get all your free allowances, but they’ll last for 45 days instead of 90 days. 

Even with the change, our 3Pay tariff is one of the most competitive in the market, and it’s no longer available to new customers. 

We hope you continue to enjoy being on Pay As You Go with Three, and don’t forget, you can double the free texts you get on some top-ups if you top-up using your My3 account. 

For more information on your 3Pay tariff click here. 

Any Top-ups made before midnight on the 12th of March will still get their free allowances for 90 days, any made after, will have their free allowances for 45 days. 

For full terms and conditions, visitthree.co.uk/terms on your PC. 


So there you have it. In effect they've used 4.1b in their T&C:



4.1  We may vary any of the terms of your agreement, including our Packages, on the following basis:
(b) we will let you know at least one month in advance if we decide to: 
(i) discontinue your Package; or
(ii) make any variations to your agreement which are likely to be of material detriment to you; or
(iii) increase the fixed periodic charges for your Package (if applicable) by an amount which is more 
than the percentage increase in the Retail Prices Index Figure (or any future equivalent) in any twelve month period. You can end the agreement for such variations as explained in Section 10

Now bearing in mind that I joined Three on the basis of the cost of their deal over the expected life of the handset, this is somewhat disappointing. I have NEVER known any other network to withdraw a deal in this way (I also have a PAYG Vodafone "Stop The Clock" SIM that hasn't been available for years, but it's never been withdrawn or had it's essence taken away for existing users of it). I have no problem with such clauses in the T&C existing for changing minor things (for example the introduction of a 1p delivery confirmation charge last year) but to double the tariff (my usage was very close to exactly what 3Pay provided) is something I consider unacceptable, and means I find it hard to trust the network for any future purchasing decisions. My handset developed a fault in December 2011 (I got it, and the 3Pay SIM in January 2009) and fortunately it was repaired under warranty, but at the time I was considering replacing it with a £399 SIM free Nokia Lumia 800. If I'd done that, then 3 months later lost the deal I was on, then it would have been a financial loss to have chosen that over a contract. And it amazes me that Three consider it acceptable to treat it's current customers in that way.

In my opinion their balance screen is also highly misleading. If I top up my account before I've used my existing balance, then they are listed as being "queued", whereas the parts of the account actively being used at the moment are listed with the remaining number of minutes/texts/data and an expiry date:

Now to me "queued" gives the impression that the 90 45 days will take effect from when it comes out of queued state, but it appears this is not the case. In reality it's still subject to the original 90 days from when the top up was made, the queuing just refers to the fact that texts come out of your earlier allocation first. My most recent top up (made 90 days priort to the expiry date of 05/05/12 which you can see) was made purely because my credit card had expired and to register a new one I was forced to make a top up. I expected that to queue up an extra 90 days of use after my current allocation expired (the one made 90 days prior to the 28/04/12 date shown), but apparently not. If the expiry date is fixed, then it should list the date next to "in queue" otherwise it is misleading (and I've effectively wasted a £10 topup).

I made these points to their support channels, and received a reply saying that in order to log the complaint they needed the following:

• Your Three mobile number/account number
• The best number for us to contact you on
• The full name on your account
• Your postcode
• Your date of birth

I'm not quite sure why they need all of that - surely my mobile/account number is all they require, and they didn't ever try to contact me by phone. I also raised the question of why the tariff change terms were only accessible via their network and was told

"There was a temporary glitch with the link we sent you by SMS.  If you still have the SMS can you please try and access it now?  This will need to be accessed from your Three phone to be viewed properly."

Thus failing completely to understand and answer the question. I had no problem with the link they sent on their network, i just wanted a reference link I could include in this blog entry...

They also offered this "If you want to move on to one of our new tariffs we can offer other exciting benefits such as all-you-can-eat data and a higher text message allowance." - do they really expect that I'd choose to pay several times more than I have been (£15/month is the price for all-you-can-eat) for things I won't use?

My last email on the subject was not replied to, I won't reproduce it here because he content of this blog covers what was in it, and pointed out that I was looking for a more usable 3Pay change document link to include in this blog.

Goodbye Three, it was fun. Your data coverage and speed was good (except where I work, but that's another reason I'm happy to move) but I simply can't trust you again.

Barclaycard: 3 issues, 2 months to get (some) answers. Lies about FSA guidelines. Goodbye

[Short URL to this article if you need it: http://goo.gl/UnyZi or retweet me]

I raised three issues with Barclaycard in the last few months of 2011:

1. My contactless (PayPass) card stopped working for payments where it had been ok before
2. I wanted to understand a £1 transaction that was on my account (October 13)
3. A circular URL on the web site (an error message telling me I was using the wrong login URL directed me to a log in page that showed the same message again) (December 6)

The first (most problematic) of these is still unresolved, the second was something that should have been fairly easily answered (both were things I initially raised on the phone to their foreign call center and failed to get an acceptable response with). The third issue received no response

To clarify point 1, my contactless card had been working fine, then stopped. I suspected some sort of security check, and since I only use that card for contactless payments, I didn't have a PIN to try using the card in a non-contactless way. When I called them an hour later, they just told me to try again as they did not even have a record of a transaction failure  on my account in their system.

For the second point, the answer was (as I had started to suspect, but expected customer service to know for sure) that the £1 showing on my account online as a pending transaction was from an automated petrol pump doing a test transaction before refueling to verify the card. This is normal, and the transaction gets subsequently cancelled. Again customer service failed to provide an explanation, and merely suggested I check again later once the transaction was finalised. I always thought it was a good thing to alert the company to something that might count as potential fraud ... but apparently that's futile.

Because of the failings I'd had obtaining useful answers from their customer service advisors, I chose to contact them via their "secure message" system on the web site, which may well be secure when you send the message, but any online reply you get comes via email, and doesn't include your original text. So you have to remember what you said to them, and remember that everything else isn't as secure as was initially suggested. Now Barclaycard have what I consider to be the extremely annoying habit of trying to call you back even when you contact them online - and worse it's from a number that doesn't have caller ID so you have no idea who is calling you asking you to confirm your security information. It's hard to say if that's due to the aforementioned low security of their secure message system, or some other reason.

Either way I had hoped to get it resolved online, giving them time to fully consider a response, given the problems I'd had with their call centers. They initiallly tried to call me via phone (I have no reception on my personal mobile phone at work) and so left me several voicemail messages, all from an Indian-sounding call centre. I replied to them via email indicating that I wanted a resolution that didn't involve their call centers, both because of the apparent lack of expertise, the accents often being problematic especially via a mobile phone network, and the amount of time I seem to spend on hold with them. I'm looking for efficiency in resolution.

On emailing them regarding the £1 transaction I receieved a couple of responses from their email team such as confirming that it was from an automated pump and that:

• "I understand your concern regarding this extra amount will be added to the real price of the fuel once the correct transaction amount reflects. I can confirm that this is the only one transaction appearing in Outstanding Authorisation related to the merchant and appears to be real amount"
• "an account can only legally be debited once the credit card company is in receipt of the sales voucher receipt. We are expecting to receive the sale voucher by 14/10/2011, may I request you to check your statement after Monday"

Now ignoring the fact that the first bullet point is grammatically poor and therefore not as clear as it should be, the assertion that it is the "real amount" appears to only confuse the matter. It is not "real" in any useful sense regarding how much I will be charged, which backs up my comment about there being problems with non-native English speaking customer service staff, whose job is communicating with their customers.
I would also have expected the full transaction to be in the system by that point - why does the initial authorisation show up as pending immediately, but the full amount took days? I'm sure this isn't specific to Barclaycard but it is worth mentioning. It would have been good if the credit card company could explain whether the same transaction could be modified while pending if that's what's really happening here. After all, I couldn't have filled up with just £1 of fuel since most pumps have a 5 litre limit or so common sense dictated that the "real amount" is unlikely to be true ... Despite the fact that I had enough of an idea about where the £1 transaction had originated from at this point that I was no longer concerned about it, but the issue fell into the complaints process. I do wonder how true this is - they'll get a link to this blog:


On these issues raised via email I subsequently received the following letters through the post from Barclaycard:

• 9 November I received a letter apologising for the delay after their October 17 complaint acknowledgement letter and that "we will contact you again by 07 December 2011".
• A second letter also arrived daed 9 November 2011 saying that I had been put into their complaints process, one saying they would "aim to resolve matters by the 02 December 2011" (I presume this was for a different issue from the first one, but neither letter mentioned which issue it was in relation to)
• 2 December 2011: Referencing the letter on the 09 November, they said they would contact me again by 04 January 2012
• 7 December 2011: I received a letter headed as a "Final Reponse" addressing the issues (For the record, my complaint reference numbers are 1000DC4Y AND 1000HX2T if anyone important is reading this) and telling me it had been closed.

It's somewhat amusing that they they seem to perpetually say "We'll be in touch in a months time" rather than getting down and dealing with the issues, especially when it includes a customer unable to use their card.
Part of the response included this sentence:

• "unfortunately if we are unable to respond to your within 48 hours or you do not respond to one of our emails within the same time frames, we have to raise the complaint to a higher level under the guidelines set out by the FSA"

This, to me is shocking. Apparently their complaints process allows them to take months to reply ... once they've broken the apparent FSA 48 hour limit. But wait a minute, their automated email response included this:

• "Barclaycard staff are always available and ready to respond during regular business hours, excluding holidays, and will normally answer you within 3 working days."

So their own automated responses give expectations that break those claimed FSA guidelines that they are telling me they are adhering to in order to justify not responding for months.
So there we go, confirmation that the information supplied by Barclaycard was false. I will continue with analysing the original response I received from Barclaycard

• "Although we aim to resolve all queries within 24 hours, we are experiencing a high volume of messages at the moment so please allow 3 working days for a response. There is no need to resend your message as we will deal with all messages in the order in which they are received."

So their targets are three working days, but you get sent into a complaints process at the request of the FSA if they don't reply in 48 hours. Something's not right there.

I emailed the FSA on 3rd February about the 48 hour limit and got this automated reply: "please be aware that we work to a service level of 12 working days, and it is likely that it will take this long to respond to you." Oh the irony, although I still waited for them since if they do have a 48 hour limit it probably won't apply to themselves as they aren't a bank... As it happens they missed the 12 day limit anyway so I sent a follow up on 26th February. I got a reply on Wednesday 29th February apologising for missing their targets "due to a high level of correspondence" and including a lengthy reply (mostly talking about the process which my bank had already given me) including these two pieces of information:

• "If the firm cannot send you a final response within eight weeks, then they must inform you that you can ask the Ombudsman to consider your case."
• "With regard to the 48 hour limit on responses that your bank has set, I can advise that this is not a rule set by the FSA and therefore could be an internal rule for your bank. The FSA do have rules that state that a firm should respond to consumer complaints within a reasonable time but we do not set what that time should be. Its is for the banks themselves to set."

Which says, fairly clearly, that the information that Barclaycard have supplied to me was incorrect.
Going back to Barclaycard's letter it also states that "All of our front line Customer Staff are trained to the same high standards". I appear to have a different expectations of "high standards", given that they were unable to resolve my problems when I called. In terms of the other problems their letter responded on my specific points as follows:

I was told they have been unable to determine the paypass problem, and that they have no notes from their technical team, or fraud department to show a security check being requested from me. At the very least I'd have hoped they'd logged my call about it. Apparently not.

The £1 charge was explained in the letter as a 'test' transaction which was normal for automated petrol pumps and that it would "drop off" the account, which sounds to me like it gets removed, and the real transaction added, as opposed to being "added to the real price of the fuel" as suggested via email. Frankly, since these messages have had an air of inconsistency about them, and so it's hard for me to trust the company with any of my finances.

The letter also stated that

• "For the purposes of the Financial Ombudsman Service please consider this to be our final response. If you are unhappy with the outcome, you may ask the financial Ombudsman Service to review your complaint and you have six months from the date of this letter to do so".

Which I will happily do ... It's also worth pointing out that this was the FIRST response they'd provided to my electronic contact on the paypass issue which is the most problematic one as it stops me using my card. In fact since this "Final Response" doesn't fix my ability to use my Barclaycard for contactless payments I've moved my contactless banking to a Virgin Money charity card (1% including Gift Aid of all my transactions is given to a charity of my choice) which I can heartily recommend, and my second Barclaycard (which was used exclusively for online transactions - I feel safer having a separate card for those) has had most of it's use transferred to a card issued by Creation.

I've happily used Barclaycard for many years (in fact since I was at university), but their customer service incompetence recently has lost me as a previously loyal customer. Such a shame, and all down to issues that a genuinely "trained to high standards customer service team should have been easily able to avoid. Clearly they have staff who know some answers, but they're not the ones you get through to when you call them. And multi-month escalation delays to get answers to such questions is unacceptable.

In summary, here are the problems I encountered:

1. Nobody has been able to explain why my contactless card no longer works or apparently made any effort to resolve it
2. The "high standard" customer service staff who I initially called on the phone didn't to have a clue how petrol pump authorisation works (although after all this, I feel like an expert)
3. When you contact them online you often receive a callback from an unidentifiable source asking for your security information
4. The "secure message" system results in online replies and subsequent follow ups are all via not so secure email and their replies don't include the original request. Plus replies all come through with changed subject lines which makes threading conversations very hard. They need a proper, secure, ticketing system.
5. The 48 hour limit that Barclaycard claim is required by the FSA is false.
6. Barclaycard on the 2nd December said they'd contact me again by 4th January 2012. I assume at this point they panicked and realised they'd break the 8 week FSA deadline if it took that long, which is why I got a reply just one week days later well before the 4th January date they said to me.

(As an aside I might as well mention another problem I've had - if you catch their online system at the wrong time you can get anomalies suggesting that you're statement balance gets duplicated in the "new transactions" section making it look like you've spent more than you have - see this screen capture You'd think banks would have mastered transaction atomicity by now)

The letter came with the feedback leaflet which I've shown a photo of in the middle of this article. I shall fill it in and send the address of this blog entry to them. If anyone from Barclaycard wishes to convince me to stay (frankly, it's almost certain to be too late, but maybe if they let me try their PayTag system - after all they should have a record of me asking about their plans in this area) or someone high up wants me to test their customer services some more, then feel free to get in touch. With a dislike of banks at an all time low, they need to do better to retain our custom, and not let long time customers down like this.

O2 - Trying but not serious on customer service?

[Short link to this blog entry if you need it: http://goo.gl/oMbyw or retweet me]

In the middle of last year I had an issue withe reception in a particular area going from full signal to zero where I work. The SIM was on GiffGaff, which uses the O2 network. I initially tried contacting GiffGaff on twitter and received an answer suggesting I use their "community" model to get an answer. This is the thread which is best described as "no useful response". I had also raised two tickets with GiffGaff - 110725-000194 and 110902-000256 - both of which got marked as SOLVED without any full response - the most recent message was "someone will get back to you on Monday once the tech team are working again"

I wrote a letter to O2 about the local mast - which had in fact been removed from service. I'd previously spoken on the phone to O2 support and it was clear that the assistant had less information available than I did as a customer, and so I was simply told that there was no problem in the area, despite the fact I'd dropped to zero signal, and everyone else at the location had the same problem - many of which I know had reported it to customer services too. O2 don't seem particularly willing to accept problem reports - in fact I get the impression that their first line service team are there to prevent problem reports being raised ...

To progress this I sent them a letter via the post (included in full later in this blog) to which I got no response. After mentioning this on twitter, the @O2 account asked me to email them with the details. I sent them a soft copy of the same letter, which again got ignored, despite me chasing it up a few weeks later and being told they'd chase up the complaints department for me. I tried again another month later and was told to send them all the current details since the letter was written. At which point, since I had to collate it all, I'm blogging it here and sending them a link instead. Here's the original letter in full, other than personal details having been removed.


sxa555: @O2 Hi, Ref your DM on Nov21, I emailed complaint letter to you after not getting a response via post - did you forward it appropriately?
O2: @sxa555 Hi Stewart, yep we did. We've also chased it up today again for you. Keep checking the site for updates


Now I'm not entirely sure what updates I was supposed to be checking for, but unsurprisingly given my previous communications with them, I received nothing further from O2...

A month later, after someone else in the area made a comment about reception, to which @O2 responded (it's interesting that they try to be 'social' and respond to people talking about O2, but go quiet when you try to get a real problem fixed) I joined in the conversation since it was someone in the same area affected by the mast remobal. They asked me if I'd raised it with their customer service, to which I replied:

sxa555: @O2 Your CS gave incorrect information. My letter was ignored. i emailed letter to you. You then said you'd chase it up. Still nothing
O2: @sxa555 What information did they give? They should at least be able to log the area as having poor coverage.
sxa555: @O2 read the letter I emailed to you weeks ago. i was told no change in coverage despite going fromall full bars to zero due to mast removal
O2: @sxa555 ok sorry about this Stewart. This letter was posted via an address CS gave you? Have you chased it up with them since?
sxa555: @O2 Yes, address given by CS. I confirmed address with u then also emailed it to webteam address you DMd me on Nov21. Chased with you in Dec
O2: @sxa555 Hi Stewart. I apologise for this. Can you send you DM us again so we can get you to email us with the latest details? Thanks

I really hope someone high up in O2 reads this and realises how useless their customer service has been in this case. And telling me in more than one tweet that "customer service should be able to log a problem in that area" seems reasonable, but I've logged a problem via GiffGaff, I know others that had reported a problem, yet their support staff told me on the phone there was no issue, so the problems are NOT being logged correctly. Repeatedly apologising and using the word sorry doesn't help in itself - it becomes just a word, and is meaningless in the absence of the actions necessary to move towards a resolution of the dissatisfaction that their customer has experienced. O2 have already lost me as a customer - my main phone is now on Three although I still have the GiffGaff account. The experience so far means I would almost certainly reject them in the future on the basis of their inability to respond honestly to customer service queries. Also as I'm sure you can imagine it has taken me some time to collate all the communication for this report, and for that reason I'm choosing to post it here so that if they manage to lose my details again, I can just resend them the link, while letting everyone know that they have failed to give a useful response after several months.

So this is a second failed customer service attempts with O2, and both have been complete disasters (see the end of this article, below the letter, for my attempt to get handset firmware from them after finding an apparently incorrect link). It's 2012, you can't do this and get away with it. The reception issue has lost O2 a lot of customers - mainly to Vodafone. The lack of reception is one thing, but the way they are treating their customers is unacceptable.

To give the full story, after initially contacting them on twitter regarding not getting a response from my reception letter, they first gave me an email address of customer services. When I went back a few days later to email them that tweet seemed to have disappeared. I queried this and they told me to email the web team who would forward it on for me. Here is the letter I had sent via post, and subsequently sent to their web team as requested, and I've referenced them while tweeting this blog entry:

---

Dear Sir/Madam,
I am writing to you to complain about the level of support I received after a problem with your service recently. I am a customer of GiffGaff (which is of course, part of O2’s parent company) and in July I initially used O2’s online support talking to someone calling themselves “Jenny” who told me “the network seems to be working fine in your area” and asked if I’d spoken to the Network Support Team, so I then called to report an issue with reception. The person on the end of the line appeared to refuse to acknowledge that there was a problem, saying the service was showing fine and that no-one else had reported any problems with the cell tower in the location. There were two problems with this response:

Firstly there was an issue because the reception went from maximum 2G signal down to zero. There was a clear change in service, that was not being acknowledged
Secondly, the statement that no-one else had reported a problem in that location was incorrect. It is a site with several thousand people, many of whom selected O2 as their service provider and were tied into contracts because of the excellent reception, and they had been disappointed. Several of them I’d spoken to HAD already reported the issue.
Thirdly, your own status checker showed this:






which confirmed what the problem is (so why coverage is listed as ‘good’ is a mystery), so that contained information that your support line didn’t not appear to be aware of. I was reporting the fact that the ‘normal coverage’ simply wasn’t present, where it had been 100% - full bars - previously. The above screen shot was how it displayed for a few weeks then disappeared.

Your assistant (who I was talking to on a chargeable 0844 number) after refusing to acknowledge a problem, said he’d let me speak to the supervisor and put me on hold for a while before coming back to tell me he’d raised an issue with the network team and that they’d get back to me via GiffGaff. I didn’t get to speak to a supervisor, and the call back did not happen. I received no response, plus trying to respond to me on a number that didn’t give reception while I was at work wasn’t very smart anyway (although no texts/voicemails/emails were received so clearly no action was taken. Given that your assistant had told me that there was no existing reports of problems I can only assume that was a lie, as had been the assurances given to some of my colleagues on the phone that “engineers were working on the issue” when they called.

I think it’s shocking that you would treat customers like this. There have been a large number of people inconvenienced at my place of work, and you have lost custom and respect due to this issue with several people subsequently being able to secure release from their contracts as a result of this sudden change in reception, which I know was known about in advance.

I also raised the issue through GiffGaff a few days after calling you (reference number 110725-000194) and was told again that O2 had no reported faults (as previously mentioned I knew this was untrue) and that the mast “has been locked and is down at the moment“ After telling them I knew that to be untrue I got a message a few days later saying “The cell closest to **** *** has been decommissioned a new cell has been built 3/4 of a mile away to cover the decommissioned cell.”.

Now what I would like to know is why that wasn’t acknowledged in the first place (The mast was decomissioned in the first week of July) and what O2 had hoped to achieve by lieing about the existance of any change of service in that area - contrary to your own web site - and the fact that you had explicitly deactivated the mast and therefore no repair was going to take effect. You have alienated your customers over this, and I can’t imagine how it would make any business sense to do that. I was very close to reporting your deception directly to OFCOM but I felt it was appropriate to make my feelings clear in this letter. For reference if you need to check your records, my GiffGaff number is 07*********.

---

On another topic, I had also asked them about a firmware link for one of their phones - the XDA Ignito - which had the wrong link on the O2 site (It points to the Serra).

sxa555: @O2 The link to the XDA Ignito firmware points to the Serra one instead. trunc.it/iruma Can you give correct link and fix web page

At which point they said they'd look into it, and to their credit, they did reply a few days later with:

O2: @sxa555 Hi Stewart, can you check the link and let us know if you can access it now? Thanks.

At the time of writing the Ignito link to "Download Software" on the page still points to the Serra firmware. Now it's not impossible that the same firmware is valid for both handsets (they are similar other than the keyboard - rebadged HTC Touch Diamond/Touch Pro) but I'd expect to be told if that was the case, not just ask me to try again when nothing's been done.