Steve Pardoe's Cellnet Pages Cellnet Index page
Logotype of Telecom Securicor Cellular Radio Limited used here for the purposes of illustration and fair comment only. During the life of this campaign, Cellnet have changed their trading name to BT Cellnet. The two may be interpreted interchangeably in what follows

BT Cellnet's Head of Security, Mr John Cross, on Watchdog

John Cross talking to Anne Robinson
Image © BBC 2000

BBC1's "Watchdog" consumer affairs programme on 17. February featured an interview with Mr John Cross, Cellnet's Head of Security, which was suggested during recent telephone calls and e-mail correspondence with the BBC, and partly researched via this web site.

An annotated, unofficial transcript follows, and further comment will appear here when I've had a chance to check some of Mr Cross's assertions with my contacts in the credit card industry.

BBC1's "Watchdog" programme has now featured five stories about Cellnet. My case featured in their Cellnet credit card fraud story on Thursday 11. March 1999. You can read a summary of that programme, and find links to the others, here.

Please bookmark this page, and call back soon.


Revision of 21. February 2000

There's still been no reply to my letter to Mr Cross, which put to the test Cellnet's claims (repeated in the interview) that they will cooperate in tracing phones which have been used in fraudulent credit-card top-ups. They certainly haven't cooperated with me, or my colleague, after taking money without right or permission from both of us.

Interestingly, BT Cellnet's PR firm, Fishburn Hedges, visited this website the day before the programme (Wednesday 16th), presumably to prepare their response. Fishburn Hedges downloaded my letter to John Cross, again presumably so that Mr Cross could be primed on the issues raised, and on how to account for his decision to ignore it. They were back again on the day of transmission, for a good look round the site.

BT Cellnet's willful failure to respond confirms that their promises of cooperation are false, and Mr Cross's remarks in the programme should be seen in this context.


My unofficial transcript of the interview between Anne Robinson and John Cross, 17/2/2000. Apologies for any material transcription errors.

My comments are in this font

Anne Robinson

OK, with me (is) John Cross, he's Head of Security for BT Cellnet. Mr Cross, are you happy about your security?

John Cross

Not at all, but we have made a lot of changes since March of last year.

Interesting, in view of his later remarks. 11. March 1999 is of course when "Watchdog" first raised the issue of Cellnet's credit card fraud, and Cellnet promised them then that better security would be put in place within a fortnight. Here's my summary of that programme, and here's an external link to the BBC's synopsis. Watchdog ran the story again on 25. March 1999, reporting that Cellnet had broken their promise to make their pre-pay system secure, and had refused to give a date when they would do so.

Anne Robinson

Right.

John Cross

I've put in place three strands, really : one is to do with prevention of the fraud; one is to do with detection of the fraud, if it gets through the preventative measures; and the third is a process which we use with the police, which is arresting the people responsible, after all ...

I have found Mr Cross, and Cellnet's Customer Care Line, and the Police, completely unhelpful in detecting the fraudulent phone user, who is of course Cellnet's customer. Cellnet tried to fob me off after they stole 150 from me in January 1999, which is why I started this campaign.

This time, I've explored every avenue open to me in trying to get Cellnet to do something about the theft from my company in December. I've contacted the Police, in person and by phone ; John Cross, by phone and by letter ; and Cellnet's Customer Service line by phone.

I still can't get them to help me identify the fraudulent phone user, and (a) turn the phone off (with some evidence of having done so) and (b) provide me with the time and location of the top-up call, so that the Police can detect the crime and start a prosecution (they won't even log it as a crime, without that information). Cellnet insisted that I had to tell them the number of the phone used in the fraud, which of course remains a cosy secret between Cellnet and their customer, and they refused point blank to try and trace it from the card number used in the transaction.

Anne Robinson

So are you telling me that somebody whose credit card is used, what happens, will they be alerted immediately?

John Cross

No, they won't be alerted immediately, the prevention has a set of rules : it stops the number of times you can use a card with a particular phone, the number of phones that you can use with a particular card, it checks whether the card is lost or stolen.

Let's look at these "rules".

There's still no requirement for the phone user to register the credit or debit card to be used (see below). Limiting the number of card/phone combinations is pretty hopeless, since (as the programme showed) the determined fraudster can simply throw the phone away, and use another one.

Checking whether the card is lost or stolen is merely for Cellnet's protection during legitimate card transactions, and does nothing to protect the owner of a fraudulently-used card, since it's unlikely to be on a "hot list".

Disappointingly, the programme showed the "fraudster" getting the numbers from a dropped till receipt, which implied a degree of carelessness on the part of the victim. Cellnet are keen to emphasise this factor when trying to put the blame on complainants, as they did with me. They told me I should be more careful about giving my card details to people.

In fact, the numbers are printed on the shop copy of the receipt, and remain visible in the till drawer, so there's nothing that the victim can do to make this information secure. It's a pity the programme didn't point this out, as it might have reassured victims who've been left believing it was their fault, and have been browbeaten into abandoning their claims against Cellnet.

Anne Robinson

But you see Steffie Ogden has had it happen to her twice more, and you still haven't done ... about it since she was interviewed.

(Stephanie Ogden is a recent and repeated victim of Cellnet's credit card fraud, whose case was studied in the programme).

John Cross

If it gets through the prevention side we get into the detection side, it monitors the use of the card, and it monitors the use of the phone.

Really? That's not my experience : Cellnet don't know which phones are being used fraudulently until the victims complain, and then Cellnet won't take from them the card details that would enable the fraudster to be traced. See my letter to him.

Anne Robinson

But, Mr Cross, she's ... two months and you haven't done anything about it, and now she's had it happen to her twice more!

John Cross

The customer's first recourse is back to their bank, I'm afraid, it's not directly to BT Cellnet.

Only because Cellnet wash their hands of the problem, and leave the fraudster free to carry on ripping off the victim.

Note that there is absolutely no trace of an apology here : it's up to Stephanie Ogden to notice the theft, contact her bank and make all the arrangements to (eventually) get her money back, and probably change her credit card, with all the hassle that entails. Cellnet won't compensate her for this, or for her distress and inconvenience : they simply say her "recourse" is to her bank. It's a disgraceful abdication of responsibility.

Anne Robinson

But it's your problem, isn't it, you're causing the problem.

Exactly! It's a pity Anne Robinson didn't follow up on this point more specifically. Instead, she asks further questions, letting Mr Cross off that particular hook.

Why are you sending customers back to their bank? Why don't you just have a system whereby you immediately get those cards blacklisted and you make a point of taking names and addresses when people are pre-paying for their phones?

John Cross

We do blacklist the cards that are used ...

Oh, really? How do they know, and do they tell the victims that their cards are blacklisted?

Anne Robinson

OK, but the banks say you're the worst offender, you're not the biggest service provider, but you're the worst offender.

John Cross

That's not the view that I get from the banks, the banks are a lot happier with us than they were ...

That's not the story that the Association for Payment Clearing Services (APACS) and Barclaycard are telling, so I'll be researching this point later this week. APACS described Cellnet's system as "an encouragement to fraud" and "unacceptable" in the "Independent" article of 30/6/1999 (see our media page).

... and the problem in the industry is equal across all the networks.

I think Cellnet are much worse offenders than the other networks, precisely because they have such deliberately lax credit card security. It's the inevitable consequence of their failure to insist on card registration, which the other networks are responsible enough to do.

Orange, for example (as I know from personal experience) require the credit card you want to top up your phone with to be registered, in conversation with a human operator. The card user's name and address are checked on-line, just as in a mail-order transaction, and the operator also points out that the details will be kept on file against that phone number. If you want to use another card later, you have to go through the process again.

BT Cellnet chose not to have human operators, so the only data that can be entered are numeric. With their most recent "Pay & Go" phones, there are only minor usage restrictions, as the "Watchdog" researchers found out for themselves. "Registration" simply means keying in the card details. On their older "easylife" phones, I understand that there are still no restrictions at all, giving the lie to Cellnet's repeated statements to the media. You can use any card, any time, on any phone.

Anne Robinson

But why (are) you ... is it the fact that you would need to have bodies taking, you know, staff taking names and address(es), rather than this rather economical touch-phone system you've got at the moment?

John Cross

Not at all, when I revamped the whole system we looked at all the possibilities.

Note the "I" here : is Mr Cross taking personal responsibility for this shambles?

The rather disturbing implication of his reply is that Mr Cross and BT Cellnet chose, both initially and since March last year, not to introduce a proper credit-card registration process, for reasons other than economy.

I have speculated for some time that the real reason for Cellnet's continuing to operate a top-up system they know to be insecure is mainly to do with market share. BT can easily afford to subsidise a system which costs Cellnet a small amount of airtime when refunding fraudulent revenue (to which they were never entitled anyway), if that means customers choose their network in preference to those of their more fastidious competitors.

I looked at everything that the other networks were doing, and other people who had this sort of transaction ...

Well, if he did look, he chose not to follow their example. Cellnet are unique in not requiring registration of credit card details, which is contrary to industry practice and advice (see my earlier comments).

Anne Robinson

But you've still got the worst record, haven't you?

John Cross

I don't believe we have any more.

Well, gentle reader, what do you believe?

Anne Robinson

OK, John Cross, thank you.

John Cross

Thank you.


Website
©
Cellnet Home page E-mail to us if you have something to say about this!
[Cellnet fraud index page] [Site directory] [Home page] [E-mail us]