Opinion: FinTech vs High Street

If you’re a regular reader of this blog, you may have noticed that I have strong opinions regarding consumer financial services, particularly when it comes to Revolut, which I wrote about a lot by now.

I didn’t start writing about these services because of a professional interest, but rather because when I moved from Italy to Dublin (via Los Angeles), I felt like I stepped back ten or more years with the banking system. And while this improved significantly when I moved to London, there are still a few things baffling me from time to time.

But as I discussed in one of my recent Revolut-bashing posts, compared to Ireland the high street banking options in London are so much more interesting that I’ve effectively ditched Revolut for day-to-day payments. So why would anyone care about FinTech products?

I have been thinking this for a while, not just as a customer, but with an awareness that, if I decided to change my perspective in life and go for a riskier professional position, from my rather cushy one, FinTech appears to be the place to be right now. Particularly given the unfortunate experience I have gained in this field by now.

One of the issues appears to be one of branding, and trust. Quite a few people appear to have a dislike for high street banks because of their association with previous scandals or news. And that’s what makes it funny to see how high street banks appear to just want to enter the market with new brands.

Another thing that Monzo appears to capitalize on, in their tube advertisements, is the ability to receive instant notification of the money spent. And that’s something that I deifnitely can relate to. This is particularly important when you get to more shady stores, or to coffee stores with untrained staff, that may suggest that a transaction didn’t really go through, and suggest you to pay cash instead, charging you twice.

Indeed, this was one of the biggest advantages of using Revolut for me in Ireland. The “famous” Tesco Bank credit card didn’t really have even an online banking platform, and the only way for me to confirm whether a transaction went through was by looking at my Tesco points statements. But this is not something revolutionary: I had notifications of all online transactions, and card-present transactions over €50, on my Italian pre-paid card in 2006 (via SMS, not via app at the time, of course.)

While I feel Monzo is right to take a swing to most high street banks for not implementing these notifications, even in 2019 London it’s not true that you need to “go FinTech” to have this level of support. My American Express does the same, and you cannot say that AmEx is a new player on the market!

And it doesn’t stop at just sending me notifications for the charges: American Express goes one step further, and integrates with Google Pay so that you get the notifications even without having the American Express application installed.

Indeed, I have a feeling that, for the most part, customers would be happy if the level of support in high street banking was on par with American Express:

Their website lets you log in with a simple username/password combination, rather than the silly security theatre of “Give me the 1st, 2nd, 123th character of your password, and 1st, 5th and 6th digit of your PIN” (seriously, setting aside the random index selection, why on Earth do you need two equivalent factors?)
New charges on the card are notified immediately, either through app or through Google Pay (I don’t know about Apple Pay but I assume that’s the case there as well).
You can get your card’s PIN online, which is usually verified by a text message OTP.

One of the things that AmEx does not do, that I think all of the FinTech players appear to do, is freezing/unfreezing the card on the fly. A feature that Barclays has been advertising all over as if they had invented it.

It is pretty much possible, or certain, that some UK high street banks already started providing all of these options, maybe in different combinations. As I said, Barclays does appear to have the ability to freeze/unfreeze the card. Fineco does not mail out the PIN but rather has you requesting it online and delivers it as text message. And as I made as a point before, Santander has a credit card with no foreign transaction fees.

Many of the articles I read over the importance to FinTech startups imply that the main reason why big banks can’t be this flexible or “innovative” is that they have old, heavy and difficult to manage backends. From second hand discussions, I can believe that the backends are indeed as heavy and clunky as they are purported to be, but it does seem to me that many of the features involved can’t be that tied to the backends, given that most of the banks can provide those features already.

A number of features that I see being deployed throughout different banks is the ability to “budget” expenses. While they sound particularly interesting, this appears to be mostly a “frontend” feature. Santander has this feature, but somehow they decided to implement this on a separate Android app only, which I gave up on. Indeed, it does not allow you to correct their classification of expenses, which makes it pretty much useless, not just because some vendors are classified completely wrong, but also because sometimes the same vendor might be used for different reasons (Boots, CVS, Walgreens, and similar all provide both medicines and groceries; how you categorize their spend depends on what you bought!)

While Santander have already won me over as a bank customer, I do feel that they would win over more of my credit card expenses from American Express if they implemented “this one weird trick” of informing me of charges as they happen. Because small things like that are one of the reasons I use my AmEx quite a lot in the UK, even after I reach the needed spend to upgrade my Marriott membership to gold.

So yeah, my hope is that high street banks will finally see the competition from FinTech as a list of features that they should, opportunistically, implement, rather than an excuse for the branding and marketing departments to come up with new ideas to be “hip”.

Dear Amazon, please kill the ComiXology app

Dear Amazon, Dear Comixology,

Today, May the 4th, is Free Comic Book Day. I thought this was the right time to issue a plea to you: it’s due time you get rid of the ComiXology app, and ask your customers to just use an unified Kindle app to read their comic books.

I love comic books, and I found ComiXology an awesome service, with awesome selection and good prices. I have been a customer for many years, starting from when I just had bought an iPad for a job. For a while, I have signed up for their ComiXology Unlimited service, that for a monthly fee gave you access to an astounding amount of comics — particularly a lot of non-mainstream comics, a great way to discover some interesting independent authors.

When Amazon bought ComiXology, I was at the same time pleased and afraid — pleased because that could have (and did) boost ComiXology’s reach, afraid because there was always a significant overlap with the Kindle app, ecosystem and market. And it turned out that my fears were just as real, as I found out last year.

I don’t want to repeat the specifics here, the short version is that the ComiXology app has been broken for over a year now for any Android user that relies on microSD storage rather than the internal storage, such as mine. After multiple denial from ComiXology support, the blog post helped me get this to the attention of at least one engineer on the team, who actually sent me a reply nearly 11 months ago:

I followed up with our team and a few weeks ago we met about your report. We realized you are 100% correct, and we’re re-evaluating our decision RE adoptable storage. I don’t have news on when that answer is coming, but the topic is open internally and I want to thank you for your detailed emails and notes. Hopefully we can figure this out and get you back.
Matt, ComiXology Support, May 30, 2018

Unfortunately, months passed, and no changes were pushed to the app. The tablet got an Android OS update, ComiXology got updates every few months, but the app to this day has any way to store its content on microSD cards. The last contact I have from support is from last summer:

Our team has tracked down what’s going on and you are correct in your analysis. They are working on a solution, though we do not have an estimate for when you will be seeing it. We will keep on checking in on this and making sure things move along.
Erin, ComiXology Support, August 13th, 2018

This is not just a simple annoyance. There is a workaround, that involves using the microSD as so-called “portable storage”, and telling the app to store the comics on the SD card itself. But it has another side effect: you can’t then use the SD card to download Netflix content. The Netflix app cannot be moved to the card, either as adopted or portable storage – just like ComiXolgy – but it supports selecting an “adopted storage” microSD card for storage, and actually defaults to it. So you end up choosing between Netflix and ComiXology.

And here’s the kicker: the Kindle app, developed by a different branch of the same company, does this the right way.

And this brings me back to the topic of this post: the Kindle app is not stellr for reading comic books in my experience, ComiXology did a much better job at navigating panels. But that’s where it stops — Kindle has a better library handling, a better background download support, and clearly better support for modern Android OS. But I can’t read the content I already paid for in ComiXology on that.

I think the best value for the customers, for the people actually reading the comic books, would be if Amazon just stopped investing engineering into the ComiXology app at this point, which clearly appears understaffed and not making any forward progress anyway, and instead allowed reading of ComiXology content on Kindle apps. And maybe Kindle hardware — I would love reading my manga collection on a Kindle, even if I had to upgrade from my Paperwhite (but please, if you require me to do that, use USB-C for the next gen!)

Will you, Amazon?

“Planets” in the World of Cloud

As I have written recently, I’m trying to reduce the amount of servers I directly manage, as it’s getting annoying and, honestly, out of touch with what my peers are doing right now. I already hired another company to run the blog for me, although I do keep access to all its information at hand and can migrate where needed. I also give it a try to use Firebase Hosting for my tiny photography page, to see if it would be feasible to replace my homepage with that.

But one of the things that I still definitely need a server for is keep running Planet Multimedia, despite its tiny userbase and dwindling content (if you work in FLOSS multimedia, and you want to be added to the Planet, drop me an email!)

Right now, the Planet is maintained through rawdog, which is a Python script that works locally with no database. This is great to run on a vserver, but in a word where most of the investments and improvements go on Cloud services, that’s not really viable as an option. And to be honest, the fact that this is still using Python 2 worries me no little, particularly when the author insists that Python 3 is a different language (it isn’t).

So, I’m now in the market to replace the Planet Multimedia backend with something that is “Cloud native” — that is, designed to be run on some cloud, and possibly lightweight. I don’t really want to start dealing with Kubernetes, running my own PostgreSQL instances, or setting up Apache. I really would like something that looks more like the redirector I blogged about before, or like the stuff I deal with for a living at work. Because it is 2019.

So sketching this “on paper” very roughly, I expect such a software to be along the lines of a single binary with a configuration file, that outputs static files that are served by the web server. Kind of like rawdog, but long-running. Changing the configuration would require restarting the binary, but that’s acceptable. No database access is really needed, as caching can be maintained to process level — although that would men that permanent redirects couldn’t be rewritten in the configuration. So maybe some configuration database would help, but it seems most clouds support some simple unstructured data storage that would solve that particular problem.

From experience with work, I would expect the long running binary to be itself a webapp, so that you can either inspect (read-only) what’s going on, or make changes to the database configuration with it. And it should probably have independent parallel execution of fetchers for the various feeds, that then store the received content into a shared (in-memory only) structure, that is used by the generation routine to produce the output files. It may sounds like over-engineering the problem, but that’s a bit of a given for me, nowadays.

To be fair, the part that makes me more uneasy of all is authentication, but Identity-Aware Proxy might be a good solution for this. I have not looked into that but used something similar at work.

I’m explicitly ignoring the serving-side problem: serving static files is a problem that has mostly been solved, and I think all cloud providers have some service that allows you to do that.

I’m not sure if I will be able to work more on this, rather than just providing a sketched-out idea. If anyone knows of something like this already, or feels like giving a try to building this, I’d be happy to help (employer-permitting of course). Otherwise, if I find some time to builds stuff like this, I’ll try to get it released as open-source, to build upon.

London, an Year and a Half Later

Given that nearly everything we hear, both here in the UK, and it appears everywhere else, is the stinking pile of burning rubbish that is Brexit, I thought I would bring at least a bit of positivity, by giving an update on my life in London, which I announced just shy of two years ago.

London has been a significant change of pace for me, both professionally (not always in a good way) and personally (almost all in a good way). I now live in a flat with my girlfriend, who’s the world to me. I have effectively stopped globetrotting, compared to Dublin — because I have so many things to do here, that were not available there. And I’m actually dedicating a forced 45 minutes a day to reading books (and another 45 are usually dedicated at reading the news), thanks to my higher-than-median commute.

As I said, the professional change of pace was not entirely positive. I ended up with a bad case of burnout between teams, and took two weeks of stress leave in February to “recenter myself”, which mostly involved me spending time on usbmon-tools, and a few kernel patches that (hopefully) I’ll be sending out this week. I am not entirely sure if this is due to a difference in the office environment, or in my own way to relate to the office itself. In Dublin I found there was more camaraderie, which might be caused by being a smaller office for my organisation, or the fact that so many of us lived in the same area that we spent a lot more time together outside of work too. As for myself, I find myself trying to put more explicit boundaries on how much I interact with my colleagues, even when I find them stimulating company.

On the personal level, the past two years (including the few months before the actual move) have been a roller-coaster ride, between the fear of change, my computer getting stolen, meeting my girlfriend, attending a number of concerts (not all, but most, metal), and getting photographed together with some of my most admired celebrities (I would put Simon Jones, John Lloyd, and Alexander Siddig as the top-three!)

And even when we didn’t go full-fan waiting over two hours to get a quick sketch of Spider-Man from John Romita, Jr, being able to go and see the Elves at No Such Thing as A Fish, or listen to Stephen Fry tell stories of ancient Greece all have had a very positive impact to my personal mental health.

And now that the rollercoaster is slowing down (and ending in a high note, at least on the personal side, ignoring Brexit), I think you may get more content from me. Because I have missed my blog tremendously, and migrating to WordPress was also a very good idea, as it allows me a lot more flexibility in writing.

Speaking of Foreign Transaction Fees

In the previous post about Revolut, I have left open a topic that I wanted to move to its own post: foreign transaction fees.

For those who are not acquainted with the terminology here, with foreign transaction fee I’m referring to the additional fee levied by banks and payment card companies when you incur expenses in a different currency than the one the card was issued for. Sometimes (particularly in UK and Ireland) this is referred to as an “overseas transaction fee” — which is confusing, particularly for Ireland, where the fee is applied for expenses in GBP (which is not overseas, but rather “up the road”), but not in EUR (which is mostly oversea).

This is a different cost incurred than the possible bad exchange rate that the financial institution may be applying, and it has nothing to do with the various DCC scams that you may run into when going to touristy destinations with a non-local card, although there is a link there: even online, services may suggest you to apply the charge in your local currency to avoid foreign transaction fees — as you can see in the linked post, that’s rarely a good idea, with a few exceptions (e.g. PayPal actually applies sane conversion fees in my experience, even if not the best ever).

These foreign transaction fees are set by the card issuers, and vary widely. I have seen cards with up to 6% “fex fees”, but that was back in Italy (why I say that will be clearer in a moment). In Ireland, with the exception of various fintech companies, the typical fex fees were of 2-3% — I was very happy with Tesco Banks‘s 1.75% fex fee (Tesco Bank no longer operates in Ireland.) In the UK, it appears most cards either have 0% fex fee, or 2.99% fex fee; there are a few divergences, but those two appear to be the most common options.

The reason why I am specifying this information with a country attached is that, in addition to telling you what the currency is, the mix of local-vs-foreign spend for the average person is also connected to the country. For instance, for my friends and family living in Italy, foreign transaction fees only exist when buying from foreign websites (or eBay), or when going on a “far” trip — Croatia and Switzerland being the closest countries that incur the fex fee. On the other hand, if you live in Ireland, you’ll probably have at least one recurring expense in GBP — depending on how Brexit is going to go this may change.

Indeed, for electronics you often need to look at the UK, rather than the continent — because of plugs, regulations, availability, etc. And quite a few eShops with presence both in the continent and the UK used to refuse you service from the European website, referring you to the UK one instead — this is another thing that may change after Brexit. There is a reason why, when discussing markets, most companies call it “UKI”.

I’m told that a similar situation exists for those living in Switzerland, and I can imagine this goes similar in the Nordics, given that Denmark, Sweden, and Norway have their own currencies as well, and likely a lot of services overlap.

In the UK (and again this may change after Brexit), you may very well never spend money outside of GBP because all the services exist within the country. Unless you’re an expat, in which case you’re probably still visiting the continent (Eurozone or not) fairly often, or may be paying for ongoing services (such as cellphone contracts) in that currency. This probably explains why the two sets of fex fee groups: if you’re part of the first group, you probably don’t need a card with no foreign transaction fees — while you really do in the latter case.

In my case, I have two credit cards: one from Santander, which I spoke of last time, with no foreign transaction fee, and an American Express with a 2.99% foreign transaction fee. I effectively spread the expenses on the two cards, depending on where I am — namely I try to use the Amex in the UK, and the Santander anywhere the other does not work. I could give up on the Amex, as the Santander is strictly a superset usage, but the perks provided by Amex are worth having. And that’s the most important thing: cards have perks, so you should probably consider those as well.

Thus the utility of fintech services like Revolut and Curve depend on the country you live in not just because it sets the band for foreign transaction fees, but also because they set the tone of foreign currency usage. In the UK, with the wide availability of debit and credit cards with no foreign transaction fees, their services are likely less useful than in other countries — except when it comes to perks. Indeed in the case of Curve, you would be able to keep most of the perks of a credit card, such as cashback, even if the card comes with a hefty foreign transaction fee. Except for Amex of course.

But is it convenient for you to pay for such a service? That’s another very good question. And to answer it, I’ll try to forget about the UK and go back to Ireland — mainly because here, as I now repeated a number of times, cards with no foreign transaction fee exists and you can just use one of those. Metro Bank has free current accounts with cards that come with cards without foreign transaction fees in Europe. Santander has a £3/month credit card with no foreign transaction fees, and 0.5% cashback. Halifax has a Clarity MasterCard that comes with no monthly fee, no foreign transaction fees (and of course no perks.)

But let’s go back to Ireland and take a look at the options. As I said the usual foreign transaction fee in the country was between 2% and 3%. In the case of Ulster Bank, the card I used to have had 2.75% foreign transaction fee. At which point would it have been cheaper for me to subscribe to Curve Black, at €9.99/month, rather than give Ulster Bank their fees? (And for simplicity here, I’m not talking about exchange rates; the exchange rate for their MasterCard is network-provided so it’s not at all bad, and in fact it’s comparable to Revolut’s.)

As most services would require a yearly commitment, we should consider the spend on an yearly basis too. This makes the cost €119.88, but we’ll call it €120 to make it easier to run umbers on them. Let’s just call the twelve cents a rounding error. If we’re ignoring the cashback options (as in Ireland there were none, beside Tesco Bank), the amount of foreign expenses you’d need to break even on Curve black with the foreign transaction fee noted above is about €4364 (divide the yearly cost by the foreign transaction fee). That’s the cost of fairly big vacation for a family (note that you can’t include flights in the vacation cost, as those would be billed by the currency of the country of origin, which is likely local).

If you have a card that provides cashback, then things become more complicated, because you’d have to include the cashback in the calculation. If you’re curious the following formula will give you the number, making S the yearly subscription cost of the service, F the foreign transaction fee percentage, and C the cashback percentage:

(S + (S/F) * C) / F

For Revolut Metal, with their variable cashback, figuring out the number is a bit more annoying. But we’re also talking about 1% in the best case scenario (all non-European spend). So the basic number (€5673) only goes down to €5616. The 0.1% cashback option of all European spend is so minimal that it’s not worth calculating exactly.

So what should you do if you don’t usually spend that kind of money on foreign transactions? You can still use the Revolut and Curve and other fintech services without paying for them, and grab the best deal you can until they go bust. Or if you don’t want to bother, you can just spend on your normal cards, get your usual perks and ignore the need for no foreign transaction fees.

Indeed, if your options are spending on Curve attached to a debit card with no cashback and no perks, or spend on an American Express Platinum Cashback Credit Card, you would need to spend more than £5330 a year in foreign transactions for it to be worth it — and that’s assuming you don’t qualify for the higher tier. And this is probably the worst case scenario for the UK, for a non-zero foreign transaction fee card.

Blog Redirects & AppEngine

You may remember that when I announced I moved to WordPress, I promised I wouldn’t break any of the old links, particularly as I kept them working since I started running the blog underneath my home office’s desk, on a Gentoo/FreeBSD, just shy of thirteen years ago.

This is not a particularly trivial matter, because Typo used at least three different permalink formats (and two different formats for linking to tags and categories), and Hugo used different ones for all of those too. In addition to this, one of the old Planet aggregators I used to be on had a long-standing bug and truncated URLs to a certain length (actually, two certain lengths, as they extended it at some point), and since those ended up indexed by a number of search engines, I ended up maintaining a long mapping between broken URLs and what they were meant to be.

And once I had such a mapping, I ended up also keeping in it the broken links that other people have created towards my blog. And then when I fixed typos in titles and permalink I also added all of those to the list. And then, …

Oh yeah, and there is the other thing — the original domain of the blog, which I made a redirect for the newest one nearly ten years ago.

The end result is that I have kept holding, for nearly ten years, an unwieldy mod_rewrite configuration for Apache, that also prevented me to migrate to any other web server. Migrating to a new hostname when I migrated to WordPress was always my plan, if nothing else not to have to deal with all those rewrites in the same configuration as the webapp itself.

I have kept, until last week, the same abomination of a configuration, running on the same vserver as the blog used to run. But between stopping relationships with customers (six years ago when I moved to Dublin), moving the blog out, and removing the website of a friend of mine who decided to run his own WordPress, the amount of work needed to maintain the vserver is no longer commensurate to the results.

While discussing my options with a few colleagues, one idea that came out was to just convert the whole thing to a simple Flask application, and run it somewhere. I ended up wanting to try my employer’s own offerings, and ran it on AppEngine (but the app itself does not use any AppEngine specific API, it’s literally just a Flask app).

This meant having the URL mapping in Python, with a bit of regular expression magic to make sure the URL for previous blog engines are replaced with WordPress compatible ones. It also meant that I can have explicit logic of what to re-process and what not to, which with Apache was not easily done (but still possible).

Using an actual programming language instead of Apache configuration also means that I can be a bit smarter on how I process the requests. In particular, before returning the redirect to the requester, I’m now verifying whether the target exists (or rather, whether WordPress returns an OK status for it), and use that to decide whether to return a permanent or temporary redirect. This means that most of the requests to the old URLs will return permanent (308) redirects, and whatever is not found raises a warning I can inspect and see if I should add more entries to the maps.

The best part of all of this is of course that the AppEngine app is effectively always below the free tier quota marker, and as such has an effectively zero cost. And even if it wasn’t, the fact that it’s a simple Flask application with no dependency on AppEngine itself means I can move it to any other hosting option that I can afford.

The code is quite of a mess right now, not generic and fairly loose. It has to workaround an annoying Flask issue, and as such it’s not in any state for me to opensource, yet. My plan is to do so as soon as possible, although it might not include the actual URL maps, for the sake of obscurity.

But what is very clear from this for me is that if you want to have a domain whose only task is to redirect to other (static) addresses, like projects hosted off-site, or affiliate links – two things that I have been doing on my primary domain together with the rest of the site, by the way – then the option of using AppEngine and Flask are actually pretty good. You can get that done in a few hours.

Is Revolut Still a Good Thing?

You may remember that a few years ago I wrote a positive review of Revolut, the fintech startup that provides payment cards with stored value and no foreign transaction fees. I have been using it for a long time by now, and had mostly stood by that review, until the second half of last year, where things started to appear more complicated. Given the current flurry of stories on the company, from silly advertising shenanigans to uncovering of poisonous working conditions, I thought it would be a good time to write some more up to date words, as I don’t think I can recommend Revolut as much as I did before anymore.

First of all, I started feeling uneasy recommending Revolut since they started down the path of selling cryptocurrencies as an added-value feature. I hold a personal belief that participating in the trading of Bitcoin and other similar “currencies” is unethical (see Thomas’s rant on the topic), and I don’t like being associated with companies focusing on them. I have looked the other way for a while, though, because I knew that using the words “cryptocurrency” and “blockchain” make money appear out of nowhere for most startups, even when there’s no rhyme or reason for it. I just had a bad taste in my mouth for this.

The problem is that Revolut, even when I had the Premium version, built something very cool, but a bit rough around the edges. And as a customer, it is annoying to see them jumping the shark onto cryptocurrencies, instead of making location-based security actually reliable, implementing 3DSecure/VBV integrations, or finding a way to get a proper banking license and FSCS insurance (all of which would be requirements for me and most people to use Revolut as a replacement for high-street banking).

Instead, what we see is that Revolut is adding “features” trying to upsell you into their premium services. This is not entirely bad, because you need paying customers to run a business. Unfortunately my impression is that they offered and offer so much on their free tier, that they are tackling on random stuff that has nothing to do with banking itself, just to get people to sign up for their Premium and Metal tiers.

As an aside, I still don’t understand this trend of providing heavy (“18g” as they boast some companies) metal cards. The last thing I want from a credit card is to be heavy, as I barely even want to have to take it out. I’m all in favour of the trend of not embossing the name and number, preferring to print it on the back, but it does not need to be metal for it. Indeed, Curve (that I’ll get again in a moment) did exactly that.

We’ve just come back from a trip to the Continent, and what we did notice that Revolut tried to upsell us medical and travel insurance at every change of country (even when we just connected flights through third countries). This is not just annoying as we’re not interested in it (we’re European citizens, visiting European countries, and work provides both of us with a basic travel insurance), but it’s also annoying because it makes use of the location information, which I provide for the security feature, for marketing. Similarly, I recently had more notifications about them trying to upsell me Metal than actual transactions.

For a while, I actually did pay for the Premium service. Mostly under the idea of “putting my money where my mouth is”, that is to make sure that the company could keep operating a service I loved. Unfortunately it turned out a bad idea: not just because Revolut cannot replace a high street bank in the UK (no FSCS to protect your account, no BACS direct debits, etc), but also because the Premium “perks” were not something I cared about, and the dedicated service team was still useless when it came to even telling me the top-up limits when I changed the card I used for top-up.

If you already have two physical cards (and paid for it), you need to pay to replace one of them with a Premium card, if you so wish (but it gains nothing but a different colour, so I never did that). The unlimited exchange is not particularly useful when you already don’t reach the free tier’s spend, and the ATM limits is only useful if you plan to actually use cash, which I really try not to. The one interesting feature that is advertised for Premium customers, but as far as I can tell is also present as a one-off charge for non-Premium one, is the disposable virtual card, that changes PAN every time you use it. But even that is not as secure as it looks, as I’m told that vendors are still able to charge again a disposable card that already changed number.

Okay admittedly there’s the travel and medical insurance, but as I said earlier, I get a better travel medical insurance from work (and probably there’ s better out there) and a credit card such as American Express would provide a better baggage/flight insurance. This is very subjective of course, it’s well possible that for other people, with other employers, and in other countries, these insurances are actually worth it.

Speaking of circumstances, I think I might not have felt so strongly against Revolut if I was still in Ireland. Not just because they seem to have implemented SEPA DD Core support, so you can actually use it to pay your bills there, but also because the alternatives of high street banking there are significantly worse than here.

In London, I now settled on Santander as my primary bank, both for the current account and for a 0% foreign transaction fee credit card, their All-in-One Credit Card. These come to £5 per month for the account, and another £3 per month for the credit card (compare against Revolut’s premium at £6.99 and Metal tier at £12.99), and while the free foreign ATMs withdrawal are limited to Santander’s own network (limiting the countries you can use them on), this is a full-featured, FSCS-insured account, with cashback, retailer offers, and active interest on the current account’s deposit. If you don’t want (or can’t afford) a credit card, Metro Bank offers 0% foreign transaction fee for European transactions on their free accounts’ debit cards. And I’m sure that other banks have similar arrangements all over the place. Basically, the UK has a significantly wider range of offers, that make Revolut less necessary than in Ireland.

But even for Ireland, and for other countries that do not have such a selection of high-street banks, Curve – that I complained about before – decided to change their target marketing a bit, now offering a “front” for any Visa and MasterCard card to provide 0% foreign transaction fee, with their premium option existing to raise the limit of monthly transactions. That would have been something awesome to have when I lived in Dublin, to keep getting Tesco points, while not paying the 1.75% of foreign transaction fee on their credit card. (If you are interested to try that, my referral code is BG2G3).

Both Curve and Revolut have a Metal card with which they provide cashback. In the case of the former, these are retailers-limited, and I can only assume they are based on some third party’s selection of perks, as the retailers are pretty much the same that Santander and Lloyd’s provide retailers offers for. Revolut instead provides cashback on all spend, 0.1% on European spend, and 1% for non-European spend (although there does not seem to be an obvious definition of Europe on their marketing material, I assume it’s deep into the terms of service).

While cashback is always a nice bonus, it only makes sense if you can break even on the cost of one’s service by spending. With Revolut Metal, that would be an astounding £13k (thirteen thousands pound) per month in European spend, or £1299 of non-European spend. I do know some extremely frequent travellers to the States or Asia that would be able to spend the latter, but that’s more of an exception than a rule. And if you can spend the former, you probably can get more than that in interest by keeping the money in an active-interest current account, and paying with a normal credit card.

For comparison, Santander’s card I linked above costs £3/month (you don’t even need their bank account). It has 0% foreign transaction fee on all spend. And a cashback of 0.5% (five times Revolut’s European cashback) on all spend. It takes only £600 a month to break even, and that’s without counting additional retailer offers, or additional perks from their current accounts.

And even if you look at American Express (which is never considered a cheap option) and their cashback options, the numbers are significantly different. Their Platinum cashsback card is £25 per year, and includes a better travel insurance, 1% cashback on all spend to £10k and 1.25% over that. Plus retailers offers and supplementary cards for the family. Although be warned if you want to go down that road, that American Express charges you 2.99% foreign transaction fees, for every single one of their cards in the UK.

I was going to take a detour talking about foreign transaction fees, but I will leave it for another post, because it’s a lot of content, and a lot of explanation to be done there.

So the final words of this post are: I’m not sure I trust Revolut anymore. They seem to be taking “marketing risks” to get people to pay for services, but at the same time there’s very little value in their paid services. I don’t think that the company will be able to sustain the current trajectory without venture capital money, and I find scary the idea of relying on a VC-funded pseudo-bank for my own money.

Update (2019-03-27): just a few days after I wrote this blog post, I received two email from Revolut, with widely different content, that I think merit a bit of description, thus why this update.

The latest email is an announcement of new details (new sort code and account number) for their GBP accounts. This is effectively a change in intermediary bank that maintains the GBP account proxies for Revolut. Nothing particularly eventful in by itself, but there are a few notable things. The announcement is declared “great news” for their customers, but it also highlight yet another feature that high street banking would have, and Revolut lacks: redirections.

When you switch bank account with a high street bank, the bank will take care of moving standing orders, direct debits, automatic salary payments, and redirect any transfer to the old bank account to the new one. Revolut is instead telling all the customers that they have to deal with all the required changes of both payment and transfer. Not just that, but they don’t appear to guarantee any specific grace period in which both accounts would exist: they say that the new details will appear in the app before May 22nd, which is when the old account will stop working:

⚠️ Your old account details will stop working from the 22nd May 2019.

Salaries and standing orders

If you receive your salary into your Revolut account, you’ll need to send your new account details to your employer before the 22nd May. Again, we’ll let you know as soon as they arrive.

For standing orders from your external bank to your Revolut account, you’ll need to update your bank with your new details before 22nd May. For recurring payments set up from your Revolut account to another bank, you don’t need to do anything.
Revolut email arrived on 2019-03-27

To give you an idea of time frame involved, the company I work for freezes the salary payment details around the 5th of the month for payments on the 25th. This means that if the new details arrive after 5th of May, and you’re paid monthly, you may be unable to receive the salary. Hopefully, the old accounts would just reject the transfer, but even in that case, retrieving the missing salary can easily take two weeks, which for a number of people would be a significant risk.

For comparison, the previous email I received just twenty hours before, also from Revolut, had as subject «👕Should we release Revolut merch?». This is a company that just before announcing a significant disruption of service, that a high street bank would never subject their customers to, asks whether you would like to wear their brand around, making yourself not just a product, but a walking billboard.

Update 2019-01-04: see also the October update.

Introducing usbmon-tools

A couple of weeks ago I wrote some notes about my work in progress to implement usbmon captures handling code, and pre-announced I was going to publish more of my extraction/inspection scripts.

The good news is that the project is now released, and you can find it on GitHub as usbmon-tools with an Apache 2.0 license, and open to contributions (with a CLA, sorry about that part). This is the first open source project I release using my employer’s releasing process (for other projects, I used the IARC process instead), and I have to say I’m fairly pleased with the results.

This blog post is meant mostly as a way to explain what’s going on my head regarding this project, with the hope that contributors can help it become reality. Or that they can contribute other ideas to it, even when they are not part of my particular plans.

I want to start with a consideration on the choice of language. usbmon-tools is written in Python 3. And in particular it is restricted to Python 3.7, because I wanted to have access to type annotations, which I found extremely addictive at work. I even set up Travis CI to run mypy as part of the integration tests for the repository.

For other projects I tend to be more conservative, and wait for Debian stable to have a certain version before requiring that as a minimum, but as this is a toolset for developers primarily, I’m going to expect its public to be able to deal with Python 3.7 as the requirement. This version was released nearly a year ago, and that should be plenty of time for people to have one at hand.

As for what the project should achieve in my view, is an easy way for developers to dissect an USB snooping trace. I started by building a simplistic tool that recreates a text format trace from the pcapng file, based on the official documentation of usbmon in the kernel (I have some patches to improve on that, too, but that probably will become a post in by itself next week). It’s missing isochronous support, and it’s not totally tested, but it at least gave me a few important insight on the format itself, including the big caveat that the “id” (or tag) of the URBs is not unique.

Indeed, I think that alone is one of the most important pieces of the puzzle in the library: in addition to parsing the pcapng file itself, the library can re-tag the events so that they get a real unique identifier (UUID), making it significantly easier to analyze the traces.

My next steps on the project are to write a more generic tool to convert a USB capture into what I call my “chatter format” (similar to the one I used to discuss serial protocols), and a more specific one that converts HID traces (because HID is a more defined protocol, and we can go a level deeper in exposing this into a human-readable source). I’m also considering if it would be within reach to provide the tool a HID descriptor blob, parse it and have it used to parse the HID traffic based on it. It would make some debugging particularly easier, for instance the stuff I did when I was fixing the ELECOM DEFT trackball.

I would also love to be able to play with a trace in a more interactive manner, for instance by loading this into Jupyter notebook, so that I could try parsing the blobs interactively, but unless someone with more experience with those contributes the code, I don’t expect I’ll have much time for it.

Pull requests are more than welcome!

Updating email addresses, GDPR style

After scrambling to find a bandaid solution for the upcoming domainpocalypse caused by EURid, I set myself out tomake sure that all my accounts everywhere use a more stable domain. Some of you might have noticed, because it was very visible in me submitting .mailmap files to a number of my projects to bundle together old and new addresses alike.

Unfortunately, as I noted on the previous post, not all the services out there allow you to change your email address from their website, and of those, very few allow you to delete the account altogether (I have decided that, in some cases, keeping an account open for a service I stopped using is significantly more annoying than just removing it). But as Daniel reminded me in the comments, the Right to rectification or Right to correction, allows me to leverage GDPR for this process.

I have thus started sending email to the provided Data Protection contact for various sites lacking an email editing feature:

Hello,
I’m writing to request that my personal data is amended, under my right to correction (Directive 95/46/EC (General Data Protection Regulation), Article 16), by updating my email address on file as [omissis — new email] (replacing the previous [omissis — old email] — which this email is being sent from, and to which you can send a request to confirm identity).
I take the occasion to remind you that you have one month to respond to this request free of charge per Art. 12(3), that according to the UK Information Commissioner’s Office interpretation (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/) you must comply to this request however you receive it, and that it applies to the data as it exists at the time you receive this.

The responses to this have been of all sorts. Humans being amused at the formality of the requests, execution of the change as requested, and a couple of push backs, which appear to stem from services that not only don’t have a self-service way to change the email address, but also seem to lack technical means to change it.

The first case of this is myGatwick — the Gatwick airport flyer portal. When I contacted the Data Protection Officer to change my email address, the first answer was that at best they could close the account for the old email address and open a new one. I pointed out that’s not what I asked to do and not what the GDPR require them to do, and they tried to argue that email addresses are not personal data.

The other interesting case if Tile, the beacon startup, which will probably be topic of a separate blog post because their response to my GDPR request is a long list of problems.

What this suggests to me is that my first guess (someone used email addresses as primary keys) is not as common as I feared — although that appears to be the problem for myGatwick, given their lack of technical means. Instead, the databases appears to be done correctly, but the self-service feature of changing email address is just not implemented.

While I’m not privy to product decisions for the involved services, I can imagine that one of the reasons why it was done that way, is that implementing proper access controls to avoid users locking themselves in, or to limit the risk of account takeover, is too expensive in terms of engineering.

But as my ex-colleague Lea Kissner points out on Twitter, computers would be better at not introducing human errors in the process to begin with.

Have computers do the things computers are better at than humans: following rules repetitively and consistently. A ton of data protection and handling rules are better followed by computers than having humans in the mix.
— Lea Kissner (@LeaKissner) February 13, 2019

Of all the requests I sent and were actioned, there were only two cases in which I have been asked to verify anything about either the account or the email address. In both cases my resorting to GDPR requests was not because the website didn’t have the feature, but rather that it failed: British Airways and Nectar (UK). Both actioned the request straight from Twitter, and asked security questions (not particularly secure, but still good enough compared to the rest).

Everyone else have at best sent an email to the old address to inform of the change, in reply to my request. This is the extent of the verification most of the DPO appear to have put on GDPR requests. None of the services were particularly critical: takeaway food, table bookings, good tea. But if it was not me sending these requests I would probably be having a bad half an hour the next time I tried using them.

Among the requests I sent yesterday there was one to delete my account to Detectify — I have used it when it was a free trial, found it not particularly interesting to me, and moved on. While I have expressed my intention to disable my account on Twitter, the email I sent was actioned, deleting my account (or at least it’s expected to have been deleted now), without a confirmation request of any kind, or any verification that I did indeed have access to the account.

Maybe they checked the email headers to figure out that I was really sending as the right email address, instead of just assumed so because it looked that way. I can only imagine that they would have done more due process if I was a paying customer, if nothing else to keep getting money. I just find it interesting that it’s a security-oriented company, and didn’t realise that it’s much more secure to provide the self-service interfaces rather than letting a human decide, there.

Dexcom G6: new phone and new sensor

In the previous posts on the Dexcom G6, I’ve talked about the setup flow and the review after a week, before the first sensor expired. This was intentional because I wanted to talk about the sensor replacement flow separately. Turns out this post will also have a second topic to it, which came by by chance: how do you reconfigure the app when you change phone or, like it happened to me this time, when you are forced to do a factory reset.

I won’t go into the details of why I had to do a factory reset. I’ll just say that the previous point about email and identities was involved.

So what happens when the Dexcom is installed on a new phone, or when you have to reinstall this? The first thing it will ask you is to login again, which is the easy part. After that, though, it will ask you to scan the sensor code. Which made no sense to me! I said “No Code”, and then it asked me to scan the transmitter code. At which point it managed to pair with the transmitter, and it showed me the blood sugar readings for the past three hours. I can assume this is the amount of caching the transmitter can do. If the data is at all uploaded to Dexcom system, it is not shown back to the user beside those three hours.

It’s important to note here that unless you are at home (and you kept the box the transmitter came with), or you have written down the transmitter serial number somewhere, you won’t be able to reconnect. You need the transmitter serial number for the two of them to pair. To compare again this to the LibreLink app, that one only requires you to log in with your account, and the current sensor can just be scanned normally. Calibration info is kept online and transmitted back as needed.

A few hours later, the first sensor (not the transmitter) finally expired and I prepared myself to set the new one up. The first thing you see when you open the app after the sensor expired is a “Start new Sensor” button. If you click that, you are asked for the code of the sensor, with a drawing of the applicator that has the code printed on the cover of the glue pad. If you type in the code, the app will think that you already set up the whole sensor and it’s ready to start, and will initiate the countdown of the warm up. At no point the app direct you to apply the new sensor. It gives you the impression you need to first scan the code and then apply the sensor, which is wrong!

Luckily despite this mistake, I was able to tell the app to stop the sensor by telling it I’d be replacing transmitter. And then re-enrolling the already present transmitter. This is all completely messed up in the flow, particularly because when you do the transmitter re-enrolment, the steps are in the correct order: scan then tell you to put the transmitter in, and then scan the transmitter serial number (again, remember to keep the box). It even optionally shows you the explanation video again — once again, totally unlike just starting a new sensor.

To say that this is badly thought out is an understatement to me. I’ll compare this again with the LibreLink app that, once the sensor terminates, actually shows you the steps to put on a new sensor (you can ignore them and go straight to scanning the sensor if you know what you’re doing).

On the more practical side, the skin adhesive that I talked about last week actually seems to work fine to keep the sensor in place better, and it makes dealing with my hairy belly simpler by bunching up the hair and keep it attached to the skin, rather than having it act as a fur against the sensor’s glue. It would probably be quite simpler to put on if they provided a simpler guide on the size of the sensor though: showing it on the video is not particularly nice.

The sensor still needed calibration: the readings were off by more than 20% at first, although they are now back on track. This either means the calibration is off in general, or somehow there’s a significant variation between the value read by the Dexcom sensor and the actual blood sugar. I don’t have enough of a medical background to be able to tell this, so I leave that to the professionals.

At this point, my impression of the Dexcom G6 system is that it’s a fairly decent technical implementation of the hardware, but a complete mess on the software and human side. The former, I’m told can be obviated by using a third-party app (by the folks who are not waiting), which I will eventually try at this point for the sake of reviewing it. The latter, probably would require them to pay more attention to their competitors.

Abbott seems to have the upper-hand with the user-friendly apps and reports, even though there are bugs and their updates are very far in between. They also don’t do alerts, and despite a few third-party “adapters” to transform the Libre “flash” system into a more proper CGM, I don’t think there will be much in the form of reliable alerts until Abbott changes direction.