In October last year I posted about my email phishing attack against a group of my friends (at least, I think they are still my friends). That post was an attempt to describe some of the problems inherent in the way people trust the systems they use on a daily basis. People are naturally trusting, but unfortunately people also do dumb things. A lot.
Because people do dumb things, and because on-line systems are now so highly sophisticated and their usage is so deeply embedded in the way people do things on a day to day basis, many organisations (particularly in the finance sector) offer guidance and best practice advice on how people should protect themselves from on-line scams and attacks. All, but all, of that advice stresses that:
– you should not automatically trust an email, particularly if it comes from an unusual or unexpected source;
and
– you should be particularly suspicious of any text or email that gives a link to an unknown website or asks you to download an attachment or install a new app or package.
I was therefore more than a tad annoyed to receive the following email from a company called Credas.
——————————————– text of email ——————————————
From: An Estate Agent <no-reply@credas.com>
To: Mick Morgan <mick@somedomain.com>
Subject: Credas: Register with XXXXXXXX
Hi Mick Morgan,
As part of our due diligence process, xxxxxxxxxxx needs you to complete a new identity check.
Our external partner, Credas Technologies Ltd will carry out your identity check via their secure portal.
Click ‘Register Now’ to access the Credas portal and complete your identity check. Click href=”httpx://u5132886.ct.sendgrid.net/ls/click? upn=u001.nzhGZlKtcBEK7RdttdLlEtaNlltgM46iDpVo0d2DbpzfH1MR99agf-2F5SahNF7Vmz3UnPFkHiVQAJifHimwXTIZGz-2FJYncGTFe3sYIPaaAlg4cF1PdeAl3jcO2Z5M8Qauu7aiaKeEPgZneik-2F5Eu0gNiooqhEOaUZB47IwiWmb7nowcV8Qlge4Bwannkltx66Bo-2F4h7-2FnsdgWyko3JkV0SiKAfUt-2FShfnSbOFK849aj73EqAl4e1mbFl7d6QfgQVV6-2FfG5t4-2Bt8M3ivuCd-2Fk-2FPaxDNZZeBxK4w-2F9OCGln8DdJkfPJOdfbWd6RMQW-2BMpLXDeoFvcJoLBiIU-2FnZE-2BUaY0d5EwK81mIS9nYUF3uReuxwtlEkl-2F0TJgMuYmV5fszX4971wR5NcbFeCfXw8it9AFYJ-2Fg5MDu9sGh4HH3xMFvxBMdteiGfOY58ssvRiJ7CsHct6IeTIwx-2Fu8qRKIGpIbEMLfrpDjSNq7f9JFa93tIh0oMvkZMyfcnlxmyf3Lcrg90U9dA9HZEqjpNBqjygA8B2z2rpZHMhHt6BsD6UHQkyqOFSLuU6MAA0Y32DT7-2B0b0F5fw-3D-3DtJd6_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZMSl-2B3j1LfOv7M9Gt7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sctAw2wLc9MBi3Yck8XbxX7jZWtzFb1T2E9A-2BARUXHlXpIVVxXFGEFxQ2Cuz88wLWO9gS3gjDNhDadBAniUR6tkbO5X56yuPeX3lsZlGOKrzZqAK51YEmqPvQvmzCB-2Bvj2KD13h5QOft7UlPFgmXj3UxldhivDIKcigYEPDRk8jHo-2F-2BptTB5ga0Y7YnjDUCar0IfEkRfi47Kw-2F0O8pm3sWcGQJfIZxPVQDgVA2kyEPnIAwbu889adyJKB8CvaAmlZhRy01T8YTB3D3ZcIus9ZgkNwB2BYiyYpWAxvfLd2f334BqIW-2BpdGPmXdoRIj94h0x0q7QrVwaMRc0PnGAP-2FL5-2BUN2G2SGSTRe3lHWlK6oun0QFt5ffhk29EIco-2Bfp3Yaofg4ZGigfVXPRtIA7kv9yCx3j0xfUMcLWE6-2BwG2bVLYF15YwZhq9QsHk57no7IP data-auth=”Verified” originalsrc=”httpx://u5132667.ct.sendgrid.net/ls/click? 
upn=u0222.nzhGZlKtcBEKLfSrp7aJr5201aHxB6Jdk-2FmDJ-2Bz9a7Fbq5nW3Fmpx1SnMCY5GZUFajE1_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZMSl-2B3j1LfOv7M9Gt7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sctAw2wLc9MBi3Yck8XbxX7jZWtzFb1T2E9A-2BARUXHlXpIVVxXFGEFxQ2Cuz88wLWxjXmH54LKwAqLV1gB-2FZSXoFll0fxVfg1L97hL2bLhPdPylDDn08j0efWlNKJwFwWrXeNDYUYXX9t1qIE9zTrOz6Hit42FYBS-2FNx6FRkqfeHorW1KV6Pe7846Nt-2FcCMlpnnvDjEjWbVItSduh5gc2Sr7xQu0pnFn7YcSjh7ApYCdoPrfhE3-2BLIPEBhH8gymI-2F5r5X9cOlZlAn6L9BoPaQpbqUKi0Xix8Bvg2pXSHCrYcNNvqMlSNy9n8T9kN9imORLIJsKBEdVn10axNy7cSZSsHa5k5KrYGsNTLh22pR8Sugs0VOD2RyqnPGpgV8kyJiKoBxkLQ7Qj2dv-2FJQPKvoVcPO02M6tO3-2BM568-2F-usn8lDsFhlQRhx shash=”oi/mRQFbciX3f7x3OO7jPTaR/OHB0g6pm3t3tdwXERy9HbGjkCY8qwYdqvGdMMxE3A9fotIS65???pppiut5yrZDHIRIXAikLWWnMtnE5G7u2XB0oPxWDkR+c9OCAdnvi/7A/jfT5pXoE9/MqtN+I3MSg8RPXWWqTBUYiWro/6IRitasI=” title=”Original URL: httpx://u675213.ct.sendgrid.net/ls/click?upn=u9871.nzhGZlKtcBEKLfSrp7aJr5201aHxB6Jkht-2FmDJ-2Bz9a7Fjg9ABCX2Y-2BNa3CWPiQ03DOFlh_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZMSl-2B3j1LfOv7M9Gt7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sctAw2wLc9MBi3Yck8XbxX7jZWtzFb1T2E9A-2BARUXHlXpIVVxXFGEFxQ2Cuz88wLWsl5g6-2BqXvKkRdOc2Tj-2Bs8EZSgEftoPJwqrtOVfo5lmkIbzJnH5xo-2FEnmaclqZnpaX33uVPjsqJNslPzTTjjm-2FgMUIgZaKl2O3DLm1wDCyqAu8iFicFnUs7Z0nKcCHw-2Flq5hQBaOEqdwvr9XDzYnqc5FoeiXRwz5CIWdQohRAoAa4Ag4Xk6lkqkxL3RuHVmEzZFtkw833rQb1SfTMmFPcoSgDfIp-2FKoa5m68OIn9ixnUUJCUS444-2F24a-2FCRZ5uWhoLsTzuaxlLrzznW-2BlXRhSSUne1Q-2FX908oVAGEx8-2FLMoFs62zIiMpwSznAcAo43Ua134XsqdKXYGOqXw-2FUoayTvs2trJ4vwuOdwxCJvpz40-2FYwuF3lihdaE7pPvkw-2Bu88A Click or tap if you trust this link.” data-linkindex=”12″ style=”border: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-variant-alternates: inherit; font-stretch: inherit; font-size: 14px; line-height: inherit; font-family: Tahoma, sans-serif; font-optical-sizing: inherit; font-kerning: inherit; font-feature-settings: inherit; font-variation-settings: 
inherit; margin: 0px; padding: 0px; vertical-align: baseline; color: blue; background-color: #ffffff;”>here to find out more information about how Credas Technologies uses your data.
Don’t forget to have your Reg code to hand:
Reg Code: XXXXXXXX
Register now ( httpx://u5132667.ct.sendgrid.net/ls/click?upn=uy765nzhGZlKtcBEKLfSrp7aJryacxqZSVhxwQutbF3sjLOCE1zpibyfjc9kp1EhSdULQJ8v4iZ0uS39Fu9LxV4QhFp-2FGgAq-2BkjZjpH-2BSwtK2ZEqLrtoweVX6-2BGfgGGrFZGNo-2FDBfS-2FJJLP3wjiUj6pE5J7L0NNAniFdljbJNN1dcvWdY-2Bo-2BXfRqWNtJAYRmv1SCEP22eU-2BDB63D6r3lu-2BUX9p5cTnYK0N1xFKuEu4p7GUVTz3tbMVG7n8Rq3bBsCGxiyPutugw5Jik0kW6nH57fqvjMxzHuVH9DWM9nSVSvNXPLr8VeTOJEbgobNUk3eAUCLeX4LxU6-2FnAuCYoaBlRPrvQ-3D-3Dl90f_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZCxe32B3j1LfOv7M9Gt7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sctAw2wLc9MBi3Yck8XbxX7jZWtzFb1T2E9A-2BARUXHlXpIVVxXFGEFxQ2Cuz88wLWPArGitOvLatbxCyxIJuIxpA03d7A5jNi638DypcH-2FWTBEcMZijVV7dkfyq1pe-2BWS6L1hSajk8wkfv1Mb-2FYfOOwJ9lCK1CBJwuqLNH9vJKBu-2BbXVEdJd7ikllaf-2F5eCoZhT6l6OGe4-2F5pdC-2FoTK6Q7nffv57KU6FjfG9efKxca6UFybWpYWPZuFTUaODKR7DIh3t5reUVF7JSX37jvBskoyuvjz8-2BvZlXtrtjbJ3TzarR7ks8ER0xswQS2tR9tFoKKs8NwJ72sobeVtymqBwHEr079eEA6SvEuIHjy2K-2FK2HKSuh59TINEJPZaelfuo7R907ugr26ZvnFFRuNgn8-2FkS1WfWWW8T9ZCU6waQsDI5GrHrfzOUkismRjwliy1YsGkjYYt )
*If you’re having trouble with the button above, copy and paste the URL below into your web browser. httpx://u(876.ct.sendgrid.net/ls/click?upn=u0987hzhGZlKtcBEKLfSrp7aJryacxqZSVhxwQutbF3sjLOCEgt4byfjc9kp1EhSdULQJ8v4iZ0uS39Fu9LxV4QhFp-2FGgAq-2BkjZjpH-2BSwtK2ZEqLrtoweVX6-2BGfgGGrFZGNo-2FDBfS-2FJJLP3wjiUj6pE5J7L0NNAniFdljbJNN1dcvWdY-2Bo-2BXfRqWNtJAYRmv1SCEP22eU-2BDB63D6r3lu-2BUX9p5cTnYK0N1xFKuEu4p7GUVTz3tbMVG7n8Rq3bBsCGxiyPutugw5Jik0kW6nH57fqvjMxzHuVH9DWM9nSVSvNXPLr8VeTOJEbgobNUk3eAUCLBUkyCA2q0G-2BqOJmGrMnqYg-3D-3DboUO_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZMSl-2B3j1LfOv7M9Gt7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sctAw2wLc9MBi3Yck8XbxX7jZWtzFb1T2E9A-2BARUXl;kwopejouhoihoYtrWZC-2FrJrFiQq8ewlLWoY55wbNA6Gy6luEH4w0TjWkCCVqtAWTT-2FPBrg2F-2FI-2FqBLNRlImj7fHagU9w-2FJ-2B4QqVI6ON6Hy9jx5p2300GfgV4stfnB7PeKsM27jLGcFwuv41gTn65-2Fy9ve0m3Kh4cqVbnWS-2FFWoeuBfgES-2FtlhDQ4dGw3IzuoxvT5SZRAvJ5k9cFHi1qoK13A2xjzbt8HbBQWZ0nJqqhkef3gvrlKTxqA5gGQXEV-2BFIdszwDVm641QP-2BGSo6-2B-2B0j49IhLvBgZyltzO-2Br3REjCmKjVsdk-2BDsQ2MZO5zg6p-2BGZlYrt4£ezSe5FfkdoxgzqeO41IE5epOaXqnCXwkgDA1907SY1dm9beLEvIPhTEtzcRzm-2Fd2Gkk47FQAz
The information enclosed is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Credas Technologies Ltd and is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately by returning e-mail and delete the material from any device/computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.
Facebook ( httpx://u786734.098sendgrid.net/ls/click?upn=uJy6532hGZlKtcBEKLfSrp7aJr1G7tm9No2RR0lxQH-2FIFcwRjGnCINOHdvsvtZr3Db2R5PwG6_69lB8EfvJWLk2zXkyR00F2QHuWgBpH1GGeDoe51AI5njQfAa9m1g2h1FqrvZMSl-2B3j1LfOv7M9GtctAw2wLc9MBi3Yck8Xb7QhYkOaJWebVUyu3x5W9tzK1UCJnP-2BpG3TmRvyru9uFUAP0OJ03sxX7jZWtzFb1T2E9A-2BARUXHlXpIVVxXFGEFxQo514PMta3ualz5lITbV-2BLsNUZAzsgSvvEvUCc3crGE-2BX2BLy7rFgkWo8H5CH4Sc6u-2F8kJXEiVcAjet2nJ2LDvh923naQvAK1IfYdzi80kidcR-2F2Cuz88wLWxyNCK6s2qHTI9m78zWkMmYISUf7LcKHCqVbvDrAN94sQY5lC75rl8BSgkRBlssuzG-2BqhC30bc-2F5-2BoMeqqSIgQnl-2FIB8Go9SQ1Ans8bH4deIFlqRgs-2F-2BkeuAwQ5kdxfJtq7VZX8GyaftEngXSHT9iv-2BGrKVtXMgTwkBPMvtd3vJrW69r3HfetSS0kCuCdVb-2FLyRcDxY8-2B1ybep98kfgSa73O80cO3Aw1Oo8bYZjZXhi-2FrF0BAGvT56rUr2gdZIPITwsanspVGnOC3usYe63A ) Twitter ( ) LinkedIn ( ) Instagram ( ) YouTube ( ) E-Mail ( )
———————————————- end email ——————————————–
OK, that is not the exact text of the email I received because I have edited it to preserve some privacy issues and also to prevent WordPress from interpreting the HTML code and rendering it in a way that would potentially send you readers to websites outside trivia itself. Additionally, all “https” references have been changed to “httpx” for much the same reason. But, and this is an important but, it does look like the email I received as rendered by my preferred email client “Claws”. I use Claws for many reasons (interested readers can explore why elsewhere on trivia) but primarily I use it because I trust it and it is so configured as to render all my incoming (and outgoing) email as plain text, and emphatically not as bloody HTML. In case it is not obvious, I abhor HTML email – for some very good reasons.
Here is an image of the way the above email renders in Claws’ own HTML engine (and thus the way it would look on a mobile phone which uses a less intelligent MUA).

Note that here again I have edited the image to preserve some privacy issues. Note particularly though that all that horrible HTML code above is now hidden behind a single blue button asking me to “Register Now”.
Ummm, I think not thank you.
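What sits behind a button like that can be listed without rendering the HTML at all. The following is an added example, not part of the original post: it extracts every link from a message's HTML part and compares each link host with the From: domain. The sample message is constructed (placeholder token, links defanged as "httpx"), and treating "the sender's domain or a subdomain of it" as a match is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the real message: placeholder token, defanged links.
SAMPLE = """\
From: An Estate Agent <no-reply@credas.com>
To: Mick Morgan <mick@somedomain.com>
Subject: Credas: Register with XXXXXXXX
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Click 'Register Now' to access the portal.</p>
<a href="httpx://u0000000.ct.sendgrid.net/ls/click?upn=CONSTRUCTED-TOKEN"
   style="color: blue">Register  Now</a>
<a href="httpx://www.credas.com/">Credas</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, label))
            self._href = None

def audit_links(raw):
    """Return (sender_domain, findings) for the HTML parts of a raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, label in collector.links:
            host = (urlsplit(href).hostname or "").lower()
            same = host == sender or host.endswith("." + sender)
            findings.append({"text": label, "host": host, "matches_sender": same})
    return sender, findings

if __name__ == "__main__":
    domain, rows = audit_links(SAMPLE)
    for row in rows:
        print(domain, row)
```

A link whose host does not match the sender is not proof of phishing, since click-tracking redirectors are common in legitimate mail, but it is exactly the information an HTML button conceals from the recipient.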
However, here I feel I should explain why I received this email and what I did next.
In fact, and in fairness to Credas, this email did not reach me completely unannounced (if it had, I would simply have binned it unread – a lesson for the Estate Agent concerned). It came because I am in the process of trying to sell my Mother’s house in order to pay for her Care Home fees – a long, difficult and awkward process and one I am not going to discuss on trivia except where it impacts on topics (like this one) I deem pertinent. Before I received this email, I received a short email from the Estate Agent appointed by my brother introducing themselves and giving me an ID code to use on the Credas site.
Estate Agents, like other “regulated” industries (particularly in the Finance Sector) are required by UK Law to undertake due diligence checks as part of their “Know your Customer” (KYC) and “Anti Money Laundering” (AML) processes. Such checks typically require the customer to prove their identity to the Agent and usually involve the Agent having sight of a passport, driving license, bank statement or Central or Local Government communication to the customer at their claimed address. In the digital age in which we live, that process is often undertaken on-line in preference to people turning up at a physical address with actual copies of the required documents. Indeed, I have recently undertaken just such a process with both the Court of Protection (which eventually granted me Authority to act for my Mother in her financial and property affairs) and my Mother’s Bank. In neither of those cases was I presented with such a poorly thought through process as that offered by Credas and the Estate Agent who appointed them.
Because the checks required can be complex and are required by Regulatory Authorities, many smaller organisations, exactly like Estate Agents, will perforce outsource the process to third parties – parties like Credas which offer to automate the process of compliance. Herein lies the difficulty. Third parties may indeed offer KYC compliance checks, but what they do NOT do is offer customer understanding. It is one thing to “know your customer”, it is quite another to “understand that customer”.
On receipt of the Credas email, the first thing I did was to check out Credas’ own Website to establish who they were (or claimed to be) and what services they offered. On the face of it, Credas would seem to be what they say they are, a technology company providing automated KYC/AML checks for various UK companies, primarily in the Real Estate, Legal, Recruitment and Finance sectors. The home page of their website says:
No matter the market or sector, Credas can streamline your onboarding process using market leading identity verification technology to revolutionise the way you manage compliance and due diligence.
Crap Americanisms like “onboarding” aside, I think I can see what they are trying to sell.
Further investigation of the services they offered, their processes and the software they use, led me to this page on their site. That page lists their “data partners” as the sort of respected organisations you would hope would partner with such a critical process company.

In addition, the footer to that page says that Credas can, “reduce operational expenses”, “speed up outcomes” and, critically, “increase customer satisfaction.”
Way to go Credas!
So, having established that Credas might be who they say they are, and that the Estate Agent my brother had chosen did indeed use them (he had seen exactly the same invitation as I did) I decided to give them the benefit of the doubt and try their process. Here dear reader is where it went horribly wrong (and need not have done). And here again, to be completely fair to Credas, I must say that I am emphatically NOT picking on them as a particularly bad example of the sort of idiocy that so incenses me. They are not. They have simply made the same assumptions about me (albeit bad ones) as are routinely made by umpteen other Companies in the current world we live in. My point here is that despite all that they say about Customer engagement, they got me horribly wrong (though I must admit that I may be an edge case).
On opening the Credas email on my PC and entering the URL required I was presented with the following:

And on clicking the “Let’s get started” button, I was presented with the following options:

So, in order to proceed I must download a mobile app for either iOS or Android.
On my PC.
Which runs Linux.
Nowhere am I given the opportunity to continue using a browser so I cannot, and moreover, will not continue.
Whilst I do use a mobile phone, I most emphatically do not use an apple phone, and the android phone I do use runs a version of AOSP which is completely (or as near as I can get it) stripped of all privacy breaking software from the likes of Google. So to expect me to follow a process which:
a) expects (nay, requires) me to be using a mobile phone;
b) requires that mobile phone to be running one of only two particular pieces of software;
c) requires me to download an app to that phone;
d) requires me to run that app when I have no idea who wrote it, how safe it is, what private data may be shared by that app and with whom
is beyond silly.
At this point I decided to check the google play store to see what the app authors say about it. What I found did not reassure me. Take a look for yourself.
Furthermore there were some delicious comments on the app in the “ratings and reviews”. See for example:
Continually crashed on one phone – had to use an old phone to use the app. The app struggles to work with valid Irish passports, possibly because of the monochrome photo. When it works it works ok, but it’s not compatible with all phones. The app doesn’t list the required documents except passport – you have to try to find the information from the original user – there should be more linkage between the app & the firm needing the information.
and
This is hard work! Requires a selfie but with glasses removed – I wear glasses to see! Also requires proof of address via original documents either utility bills or bank statements. We do not have paper documents, everything is online! I printed a document to photograph it – waiting to see if accepted. Absolutely no supportive information on the app as far as I could see.
and
Terrible app – iOS version doesn’t allow you to click ‘Submit’ with only a 6 digit code, so had to revert to Android version. Android version gives you 3 screen fulls of information about what documents you need to upload, but then never allows you to refer back to it. So now you’re scratching around trying to remember what constitutes ‘Proof of address’ rather than ‘Proof of Ownership’ with nothing to refer back to. The photo buttons are also halfway off the screen and hard to press. Buggy.
I particularly like the delicious irony of the second commenter who laments that the app requires sight of paper documents for proof of ID when they do not have such documents because they transact entirely on-line.
And this, dear reader, is the nub of the issue. As I say above, this is most emphatically not a dig at Credas alone, nor at the Agent which employs them, it is a critique of the idiocy of the business (and hence allied technological) processes which make such broad assumptions about the way that individuals, and we are all individuals, interact with their Companies in the real world. We are not all alike. We do not all use the same tools. We are not all as comfortable using some tools as are others. Your processes should recognise that and include provision for the less technically capable persons in our society, persons who may be impaired in some way (like the commenter above who has to wear glasses in order to read what your process requires of her), edge cases (like me) who may be perfectly technically competent but for a variety of reasons do not wish to conform to your view of the way I should do business, or the just plain curmudgeonly.
So, as the title says, “understand your customer”, do not just try to “know your customer.”
(As a postscript to this I should add that, after correspondence with the Agent appointed by my brother, I have agreed to visit a local (ish) representative of their Company in order to “present my papers”.)