Free Web Advice: Marvel

It’s been a few years since I wrote a “free web advice” piece, but I got really annoyed by the Marvel web site this morning.

About a year ago I subscribed to Marvel Unlimited – a plan that gave me access to all of Marvel’s digital comics for about £40 a year. This morning, I got an email from them saying that my subscription was about to be renewed but that my credit card had expired so I should log on to my account and update my credit card details.

I went to log on and found that I had forgotten my password. So I used the “forgotten password” link expecting to get an email containing a link I could use to reset my password. Instead, I got an email that contained both my username and my password in plain text. If Marvel are able to send my password to me, then they must be storing everyone’s password in a readable format. It’s astonishing that a company the size of Marvel don’t understand just what an incredibly stupid idea that is. And sending both my username and password in the same email just compounds their error.

So that’s strike one – storing plain text passwords.
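The reset-link flow the post expected to receive, sketched as an added example (not code from the original post or from Marvel). The `example.com` URL, the 30-minute lifetime and the in-memory `RESET_TOKENS` table are assumptions made for illustration; the point is that the email carries a single-use link and nothing secret is stored in readable form.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link

# Constructed in-memory stand-in for a database table:
# sha256(token) -> (username, expiry timestamp)
RESET_TOKENS = {}


def hash_token(token: str) -> str:
    # The token is 256 bits of randomness, so a plain SHA-256 is enough here.
    # Passwords, by contrast, need a salted, deliberately slow hash.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_link(username: str, now: Optional[float] = None) -> str:
    """Create a single-use reset link; only the token's hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    # Placeholder host. The email contains this link, never a password.
    return f"https://example.com/reset?token={token}"


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is known and unexpired, else None."""
    now = time.time() if now is None else now
    # pop() removes the entry, so a token can be redeemed at most once.
    entry = RESET_TOKENS.pop(hash_token(token), None)
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None
```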

Having recovered my password, I was able to log on and found the page where I could give them my credit card details. But it looked like this:

[Image: Marvel Credit Card Maintenance Page]

If you look closely, you’ll see that three fields – credit card type, expiration date and country – have captions, but no way to enter the required data. I’ve tried this page in both Firefox and Chrome and get the same results in both. I expect I’ll have to dig out a PC running Windows and try it on Internet Explorer as well.

I didn’t actually notice the missing fields at first. I just filled in the fields I could see and submitted the form. At that point I got an error pointing out what was missing. It’s interesting to note that the credit card type isn’t marked as required on the form (there’s no red asterisk next to it) but the error I got complained that it wasn’t filled in.

So that’s strikes two and three.
Strike two – always ensure that your web pages work on all the popular browsers.
Strike three – always mark your required data inputs accurately.

At that point I gave up trying to give money to Marvel. I poked around the site for a while to find a contact form. When I found it, it had the same problems as the credit card form – most of the input fields didn’t appear. Luckily, the contact page also gave an email address (that’s a really good idea that most web sites don’t follow). So I used that to report the problems. I’ll update this post if I get a response.

Interestingly, on my account page I was also given the option to upgrade my account. Apparently Marvel and I disagree on the meaning of the word “unlimited”. It’s not clear to me what extra benefits I could expect.

Update (four months later): Somehow, Marvel managed to renew my subscription, even though I never managed to update my credit card details. But bizarrely, this evening (over four months after writing to them) I got a reply from Marvel’s customer support. It said this:

Thank you for contacting Marvel’s Online Support services. We apologize for the delay in getting back to you. We see that you were able to renew your subscription, after contacting us. If you have any further questions, please do not hesitate to contact us. Thanks again for contacting Marvel.

Four months to reply to a simple customer support message must be some kind of record.


Free Web Advice: TalkTalk

Ten days ago I got a cold-call from TalkTalk. They called me on a number which is registered with the TPS and I have no existing business relationship with them so they should not have called that number.

In this situation most people, and this includes me, will probably just be mildly rude to the caller and hang up. But on this occasion I decided that I would take it further. I went to their web site to find a way to complain to them.

They don’t make it easy to find a way to get in touch via their web site, but eventually I found this form. The form starts by asking what your question is about. But the choice of subjects doesn’t include “Unwanted Cold Calls”. Eventually I decided to use “Joining TalkTalk” as it was the only option that seemed even vaguely appropriate. My problems didn’t end there as the form then changed to present me with another list of options to choose from. Once more none of them matched so I chose “Before You Order” which was, at least, technically accurate.

Filling in the rest of the form was easy. I gave them my contact details, selected the option saying that I wasn’t a customer and wrote a description of my complaint.

Lesson one: Making it hard to contact you will not stop people from contacting you. It will only ensure that they are a little bit more angry with you when they eventually work out how to do it.

A couple of days later I got a reply by email. But it was useless. They said that they would remove my details from their marketing list (within 28 days!) but completely ignored my request for an explanation of why they thought it was reasonable to call me in the first place. So I replied to the email explaining in some detail why their response was unsatisfactory.

A few minutes later, I got an email telling me that my message could not be delivered as the email address was unknown. They had sent the email from an invalid email address. Presumably this is to stop people getting into a dialogue with them. Maybe it works for some people, but it didn’t work for me. I went straight back to the web form from hell and explained their shortcoming to them.

Lesson two: Never ever send customer complaint responses from an undeliverable email address. It gets your customers (and potential customers) really angry.

A couple of days later I got another reply. This one came from someone who at least seemed willing to try to deal with my problem. But they seemed somewhat confused. They said that they were unable to locate my file in their system and asked me to confirm whether or not I was a TalkTalk customer. Two problems with this. Firstly, they’re asking me to provide more details and not giving me an easy way to get the information back to them. And secondly, a few paragraphs back when I was talking about filling in the form for the first time I said that I “selected the option saying that I wasn’t a customer”. Yes, this information is included in the contact form. So why ask me for it?

Lesson three: If you ask someone for more information in order to progress a complaint, give them an easy way to get back to you. Otherwise they’ll just get even more angry.

Lesson four: If your contact form collects information, then make sure that information is available to the people dealing with the complaint. Asking people to repeat information that they have already given you is a great way to make them really angry.

I went back to the dreaded web form and filled it in again. Every reply I get has a case number assigned to it. Each new reply I submit generates a new case number. I’ve been copying the case numbers from the emails I’ve received and pasting them into the new request in the hope that someone will tie all of the replies together into a single thread.

Lesson five: Make it easy for your customer (or potential customer) to track the progress of their single ticket through your system. Forcing people to open multiple tickets for the same issue will just confuse your support staff and anger your customers.

Five simple lessons. All based around the idea that you really don’t want to make customers (or potential customers) angry. Let’s review the list.

Lesson one: Making it hard to contact you will not stop people from contacting you.
Lesson two: Never ever send customer complaint responses from an undeliverable email address.
Lesson three: If you ask someone for more information in order to progress a complaint, give them an easy way to get back to you.
Lesson four: If your contact form collects information, then make sure that information is available to the people dealing with the complaint.
Lesson five: Make it easy for your customer (or potential customer) to track the progress of their single ticket through your system.

Throughout this piece I’ve portrayed myself as a potential customer. I’m not, of course. The way the company have dealt with this complaint has ensured that I’m never going to do business with TalkTalk.

But I’ll continue pushing this until they answer my questions. I’ll let you know how I get on.


Free Web Advice: VirginMedia

I’m not a web designer, but I’ve been working in this industry since before there were web sites so I like to think I know a bit about what does and doesn’t work as far as web site usability goes. It’s mainly the stuff which doesn’t work that stands out. And there’s so much of it.

Earlier this week I was using the VirginMedia web site. Specifically, I wanted to log on to my account and download a PDF copy of my latest bill. There were three things in the process that really annoyed me. I should point out that I’m a registered user of the site, so I already had an account set up.

Username or email
The login screen asks for your username and password. That’s pretty standard stuff, of course. But when a site asks me for a username then I assume that it is going to be “davorg” (the username I’ve used on web sites for as long as I can remember). In this case, that’s not what they wanted. Your username on the VirginMedia site is your email address. Other sites use email addresses as your username, but in most cases they then label the field as “email”. Labelling it as “username” adds an unnecessary complication. I gave them my username and, as it was incorrect, the error message pointed out that my username would, in fact, be my email address. So they recovered from the problem well, but there was a moment or two of unnecessary frustration.

Limited length passwords
Having established what my username was, my next problem was remembering my password. I tried a few likely candidates and, eventually, resorted to the “forgot my password” link. That sent me an email containing a link to a page where I could set a new password. And that’s when I remembered why I had forgotten the original password.

VirginMedia have strange limits on what can go in your password. They have the usual stuff about having both letters and digits in your password, but they also have a maximum length of ten characters. That’s why I couldn’t remember it – most of my standard passwords are longer than that. It seems strange to restrict users to such short passwords.

It’s worrying in another way too. If you’re following best practice for dealing with users’ passwords then you won’t be storing the password in plain text. You’ll have some encrypted version of the password. And many of the popular encryption algorithms (for example, MD5) have the property that no matter how long the text that you start with is, the “hashed” version will always be the same length. So you create a database column of that length and you don’t need to restrict your users at all. Having this restriction isn’t conclusive proof that they’re storing plain text passwords, but it’s enough to worry me slightly.
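The fixed-length property described above, as an added example (not code from the original post or from VirginMedia). It uses PBKDF2-HMAC-SHA256 with a per-user random salt, a deliberately slow password hash, in place of the MD5 the post mentions; the iteration count and field sizes are assumptions. The stored record is 48 bytes whether the password has ten characters or several hundred, and the password itself cannot be read back out to email to anyone.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example
SALT_LEN = 16                # bytes of random salt stored per user
HASH_LEN = 32                # bytes of derived key stored per user


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=HASH_LEN,
    )


def hash_password(password: str) -> bytes:
    """Return salt + derived key: always SALT_LEN + HASH_LEN bytes,
    so the database column has one fixed width for any password length."""
    salt = os.urandom(SALT_LEN)
    return salt + derive_key(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(derive_key(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample passwords: one at the ten-character limit, one long.
    for pw in ("abc123defg", "correct horse battery staple " * 10):
        record = hash_password(pw)
        print(len(pw), "characters ->", len(record), "bytes stored")
```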

Naming downloaded files
Having (finally) logged into my account it was easy enough to find the link to download my current bill. And within seconds I had the file on my computer. But the file was called “GeneratePDF”. And when I come to download next month’s bill that will also be called “GeneratePDF”. What has happened here is that GeneratePDF is the address in their web site that is used to.. well… generate PDFs. And in the absence of other information, browsers will name downloaded files using the address that they came from. It’s easy enough to change that default behaviour using the content-disposition header. Using this header it would be easy to tell my browser to save the downloaded file as, for example, vm-2011-05.pdf. Anything would have been more useful than the current set-up. Notice that the current name doesn’t even have a ‘.pdf’ extension so it’s likely that on some computers double-clicking the downloaded file won’t open in the user’s PDF-reading software.
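One way to build the header described above, as an added example (not code from the original post or from VirginMedia). The function names are hypothetical; the `vm-YYYY-MM.pdf` pattern follows the name suggested in the text. Because a filename often ends up derived from account or request data, the example also keeps line breaks, quotes and path separators out of the header value.

```python
import re
from urllib.parse import quote


def bill_filename(year: int, month: int) -> str:
    """Name in the style the post suggests, e.g. vm-2011-05.pdf."""
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return f"vm-{year:04d}-{month:02d}.pdf"


def content_disposition(filename: str) -> str:
    """Build an 'attachment' Content-Disposition value (RFC 6266)."""
    # Keep only the last path component so no directory part is suggested.
    base = re.split(r"[\\/]", filename)[-1] or "download"
    # ASCII fallback for filename=: anything outside a conservative set
    # (including CR, LF and double quotes) becomes an underscore.
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "download"
    # filename* carries the full name, percent-encoded as UTF-8 (RFC 5987).
    encoded = quote(base, safe="")
    return f"attachment; filename=\"{fallback}\"; filename*=UTF-8''{encoded}"


def download_headers(year: int, month: int) -> list:
    """Response headers for one month's bill, as (name, value) pairs."""
    name = bill_filename(year, month)
    return [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", content_disposition(name)),
    ]


if __name__ == "__main__":
    for header, value in download_headers(2011, 5):
        print(f"{header}: {value}")
```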

So there you have three things that annoyed me about the VirginMedia site. And the really annoying thing is that two of them (the first and third) are really trivial to fix. The second is probably harder to fix, but it’s possibly evidence of some rather broken design decisions taken early in the process of developing this web site.

I tweeted these three issues on Wednesday and I got a response from the virginmedia Twitter account saying “Ok, some fair points there. Will feed this back for you, thanks for taking the time to let us know!” I’ll be downloading my bill every month, so I’ll let you know if anything gets fixed.