I recently had an email from Microsoft Bing Places requesting that I ensure our company registration record was up-to-date. The experience which followed was a good reminder of the frustrations of users when dealing with inefficient processes delivered by IT solutions.

To be honest I can’t even remember registering for Bing Places and hadn’t thought to update the registration when we moved offices last year. I certainly didn’t have a Bing Places account to make the changes.

There then followed one of the most ridiculous processes I’ve ever experienced.

  1. I visited the Bing portal to “claim” Baskerville Drummond’s registration record and to make the required changes to the office phone number and address.
  2. Then I had to “associate” my “Bing Business” record with my Microsoft account.
  3. Once the Bing record was “linked” to my account I went to change the office phone number and office address.
  4. Shortly afterwards I received an email stating that someone had changed the Bing record.
  5. I had to logon to the Bing Portal again for the second time to prove it was me who’d made the changes. At this time, I had to make the changes again.
  6. I then received a phone call on my mobile number from an automated “call handler” where I had to confirm via various menu options that I had made the changes.
  7. I then received a phone call on the new DDI number to again confirm that the number was correct.

So far so good and some very good controls to stop business fraud and business spoofing scams.

Then I hit a road block – It was not possible to complete verification until Microsoft had sent me something through the post.

I then realised the glaring errors in the process:

  1. I was effectively “claiming” my Bing Business record for the first time but I was able to do so and link my Bing Places record to my other Microsoft account without proving (or at least visibly proving) I had the rights to do so.
  2. Microsoft used the new data provided (mobile number, office number and address) to validate I was who I said I was. To my knowledge nothing was sent to the previous phone numbers or address.

I then received through the post a postcard which gave a verification PIN to complete the verification process.

This card was completely open with the PIN on full public display. Whilst on the postcard it said it was necessary to logon to your existing Microsoft account that wasn’t needed – the verification PIN was enough to claim ownership of the record.

The card also contained all the other information needed to reset the verification process.

All in all, the overly complex process was totally ineffectual and didn’t add the level of protection that the process designers had intended – in fact, instead of addressing a security risk, the process itself had created the risk!

With the legal industry in an exciting period of system changes and technology advances this is a timely reminder of the need to keep the focus on the required outputs / objectives of a process rather than the introduction of unnecessary complexity and self-defeating processes.

Leave a Reply