When security checks are not secure at all: my experience with John Lewis is a warning that we might all be at risk
In Dante’s Inferno there is a special place for those guilty of applying invalidated offline security methods to the digital world — their punishment is being forced to prove their identity without having any document or utility bill. Or so my memory goes, which might be slightly affected by a little incident I recently had with John Lewis’ online store.
Last month I decided to buy a new camera, after mine had been stolen by burglars. After checking the prices, the delivery times, and T&Cs, I opted to buy it online from John Lewis. Very simply, the reasons I did so were:
- it would be a next-day delivery on a Saturday, something not everyone offers
- they would deliver to a local shop for my collection, rather than forcing me to wait for the parcel at home
- it cost exactly the same as Amazon and other stores
- John Lewis is an employee-owned British company, something that makes them very close to my ethics, so I’d want to reward that proximity.
I placed the order and got an e-mail confirming it was all right. This was at about 11:50 AM on Friday, February 3rd. We used my partner’s credit card but other than this the purchase was rather ordinary.
If you start thinking “oh, not your credit card” as a source of the problem I’m about to describe, note that in order to collect the parcel I would have had to:
- present said credit card
- present my ID.
Everything seemed to be OK, until some hours later I received a call from a landline number. As I am a bit obsessive about personal security, I did not take the call and googled the number, which turned out to be one of John Lewis’ customer service numbers. When they called again, I picked up the phone but became a bit suspicious of the questions — card number and things like that. I took it to Twitter:
After a bit of back and forth, which you can see from the thread, I did ask at about 5 PM if they would be able to deliver:
To which they replied inviting me to send an e-mail with the order for verification. Guess what their reply said?
With this e-mail, received at about 8 PM, I went to bed thinking everything would be OK.
Imagine my surprise when the next day at about 11 AM I received, again, a call from John Lewis. I picked it up and went through the security questions. Now, to really understand what I’m aiming at, I must disclose these security questions. They were *drum roll*
- the cardholder’s address
- the order amount
- the item ordered
- the delivery point.
I will talk in a minute about how senseless these are. After going through the questions, the customer service representative greeted me (now as Mr Sollazzo), and went on to say:
“As you did not answer our security questions yesterday we need to delay the delivery by 24 hours”.
To which I just lost it and started ranting at the phone. (I hate myself for putting the poor worker through it — I know they’re just following procedures.)
Thirty seconds later, I had cancelled the order.
Security is something I take very seriously. I work in the business. Why did I get so upset? It’s not just about a failed delivery, or the fact that I wanted my toy. It was the fact that John Lewis are clearly in a state of dangerous delusion if they think those questions would make an online purchase any more secure.
Think about it.
Let’s assume I was going to commit the fraud by using someone else’s card; let’s assume I managed to place the order which required me to know the card number, the cardholder’s address, and to decide where to get it delivered. Now, let’s go back to the security questions:
- the address: if I managed to place the order I clearly knew it (we don’t know if they check it against the card, but either way they were asking for something I must have known)
- order amount: if I was committing fraud, I would of course have had access to this
- item ordered: if I was committing fraud without knowing what I was ordering, I would probably be in an asylum (or be a very unsuccessful fraudster)
- delivery point: I decided it when I placed the order.
You see what I’m getting at? There is NO WAY these questions are increasing security, because they’re asking for things a fraudster must have known in advance to place the order; moreover, in order to collect the object I would have had to present the credit card, physically, and my ID card. Which basically makes the whole idea of security checking over the phone utterly useless.
John Lewis are playing with fire here — no, I don’t mean with an unhappy customer’s anger, but with flawed data security. I don’t know the source of their security procedures, but my feeling is that they adapted some old offline process to the online world. It doesn’t work. It never does. They are using security checks that are not secure, and wasting their own and their customers’ time doing so.
One good thing, however, is that John Lewis seem responsive on social media. I tweeted a summary of this story, and they responded:
I do hope they will review and act upon this. Security is a serious business, and a good company whose ethics I love should not be disappointing me for something this obvious.