Multi-Factor Authentication: Security Control or Single Point of Failure?

Introduction

Multi-Factor Authentication (MFA) has become one of the most widely promoted security controls in modern digital services. Registrars, hosting providers, cloud platforms, and identity providers increasingly present MFA as a non-negotiable requirement, often mandating it as a condition of account access.

From a purely technical perspective, the argument is compelling: MFA reduces the effectiveness of stolen credentials and raises the cost of attack. From a legal, compliance, and operational standpoint, however, the picture is far more complex.

This article does not argue against MFA itself. Instead, it examines the systemic risks introduced by mandatory MFA, particularly when it is implemented without regard for real-world failure modes, recovery obligations, or the legal consequences of denying legitimate access to critical accounts.

For registrars, service providers, and security professionals, the key question is not “Does MFA improve security?” but rather:

“Does this MFA implementation reduce overall risk, or does it merely shift liability while creating new points of catastrophic failure?”

What MFA Is Intended to Do

The primary purpose of MFA is to mitigate credential compromise. If a password is stolen through phishing, malware, or reuse across breached services, MFA should prevent unauthorised access by requiring an additional factor.

In security frameworks, MFA is commonly categorised as a preventive control, not a compensating or detective one. Its effectiveness assumes:

  • Independence between authentication factors
  • Availability of the second factor
  • A functional and accessible recovery mechanism

When these assumptions fail, MFA ceases to be a safeguard and becomes an availability risk.

Mandatory MFA and the Loss of User Agency

From a compliance standpoint, mandatory MFA is often justified using language such as “industry best practice”, “risk reduction”, or “duty of care”. However, mandating a control without accommodating edge cases introduces legal and operational exposure.

The Legal Tension

In regulated or quasi-regulated environments (including registrars), providers owe users:

  • Reasonable access to services they have paid for
  • Predictable and documented recovery mechanisms
  • Proportional security controls

A mandatory MFA policy that results in irreversible account loss due to foreseeable circumstances may be defensible from a policy standpoint, but it is increasingly difficult to defend from a consumer protection or negligence perspective.

Security controls must be proportionate not only to threat, but also to consequence.

Email-Based MFA: A Structural Failure

Email-based MFA remains common despite its well-documented shortcomings. From a security architecture perspective, it is fundamentally flawed.

Why Email Is Not a Second Factor

Email MFA fails the independence test:

  • Email accounts are frequently compromised first
  • Email is already the primary recovery channel
  • Access often relies on the same password hygiene
  • Access is often obtained using the same password

In effect, email-based MFA often collapses into single-factor authentication with latency.

Circular Dependency Risks in Registrar Environments

The problem becomes critical in registrar and hosting contexts, where email addresses are commonly hosted on domains managed within the same account.

A real-world example illustrates this failure mode clearly.

In my case, Gandi.net has recently required MFA, of which I was not aware. This morning (3rd February 2026) I had to renew an expired domain. The MFA code was sent exclusively via email to an address hosted on that domain, not the domain, but hosted on the domain. The domain had expired only hours earlier, but email delivery was already disrupted.

The result was a circular dependency:

  • Domain renewal required MFA
  • MFA delivery required email
  • Email required the domain to be active
  • Domain was not active and reactivating required renewal

Absent unauthorized workarounds, this design could have resulted in permanent domain(s) loss. This is particularly pertinent as the expired domain resulted in the loss of all contact email addresses that would be required for support communication.

From a compliance and risk standpoint, this represents a design-induced denial of service against the legitimate account holder.

SMS-Based MFA: Exclusion by Design

SMS MFA is often positioned as a universal fallback. It is not.

Practical Limitations

  • Not all users own mobile phones (This is me for the last 2 years and life is better!!)
  • Some users deliberately avoid mobile devices
  • International SMS delivery is often unreliable, particularly when roaming
  • Number portability and SIM swap attacks are both documented and common

Requiring a mobile phone as a condition of access imposes a non-neutral lifestyle requirement. In legal terms, this creates an exclusionary control that may not be justifiable where alternative secure mechanisms exist.

iiNet, Internode, TPG etc are guilty of this, I cannot access the account settings of my internet service at all because I don’t have a mobile phone. To pay the bill I have to phone the customer care line and pay manually, they incorrectly cite law and the ACMA as the reason for this requirement.

Compliance Implications

For providers operating internationally, SMS-only MFA may conflict with:

  • Accessibility expectations
  • Reasonable accommodation standards
  • Consumer fairness obligations

For example, under Australian law this may conflict with accessibility expectations under the Disability Discrimination Act 1992 (Cth) or consumer fairness obligations overseen by the ACCC and ACMA.

Security controls should not assume that all users share the same technological footprint.

Hardware Tokens and App-Based MFA: Strong but Brittle

Authenticator apps and hardware tokens are often presented as best practice. Cryptographically, this is largely correct. Operationally, they still introduce fragility.

Common Failure Scenarios

  • Device loss or theft
  • Battery depletion
  • Device damage
  • Factory resets or OS corruption

In isolation, these are manageable risks. The problem arises when recovery mechanisms are inadequate or inaccessible.

A strong MFA factor paired with a weak or opaque recovery process is not a secure system; it is a denial mechanism.

The Recovery Gap: Where MFA Systems Fail

The least discussed aspect of MFA is recovery. Yet from a legal and operational perspective, recovery is the most important component.

Typical Provider Failures

Many providers:

  • Require MFA to access recovery options
  • Use the same (possibly compromised) email for recovery
  • Provide only automated or non-responsive support
  • Offer no human escalation path
  • Offer human escalation paths that are obscured and often days or weeks in length

Real-World Consequences

Large providers such as Google/Gmail have continually demonstrated that their accounts are not a reliable backup/access point. They often lock accounts due to inactivity and that loss is usually permanent, even for long-standing users, and have no meaningful appeal process. In multiple documented cases, accounts have been terminated or locked with no recovery, including accounts used as identity anchors for other services. For example: I have had 3 Google accounts, one of which was used for purchase of Android applications, all are permanently locked and as such I have lost access to all those purchases.

When MFA is layered onto such systems, users are exposed to compound failure risk: the loss of one account cascades into the loss of many others.

For registrars and infrastructure providers, this is particularly dangerous, as domains frequently underpin identity, authentication, and communication across entire organisations.

When MFA Actively Reduces Security

MFA becomes counterproductive when it causes users to adopt unsafe behaviours:

  • Storing backup codes insecurely
  • Using shared or third-party email accounts
  • Avoiding MFA on critical systems
  • Circumventing controls through automation

These outcomes undermine the very risk reduction MFA is supposed to provide.

Security that users must bypass to function is not effective security.

Legal and Compliance Considerations for Providers

From a legal perspective, providers should consider:

Foreseeability

Loss of devices, expired domains, inaccessible email accounts, and provider outages are foreseeable events, not edge cases.

Proportionality

The security control must be proportionate to the harm caused by failure. Locking a user out of a social media account is not equivalent to locking them out of domain ownership. Similarly, it is also not the same as denying access to legally purchased services such as GPS applications.

Duty of Care

Where providers control access to identity-critical assets, they assume a duty to provide reasonable recovery paths.

Auditability

Recovery processes should be documented, testable, and reviewable, not ad-hoc or opaque.

Lessons for Providers

1. MFA Should Be Optional but Strongly Encouraged

Mandating MFA without flexibility increases legal exposure and user hostility. Encourage adoption through better design, not coercion.

2. Never Use Email as the Sole Second Factor

Email should not be the only MFA or recovery channel, particularly when hosted within the same service.

3. Avoid Circular Dependencies

If access to a resource depends on that same resource functioning, the design is broken. This can be difficult to identify, but it is not the users’ responsibility to ensure this works.

Consider Gandi.net today:

  1. The MFA email is sent to ‘address@example.org’.
  2. ‘example.org’ is hosted on a mail server in the domain ‘example.com’.
  3. The domain ‘example.com’ had expired recently (7 hours previously).
  4. Renewal of ‘example.com’ required logging into the account with the email ‘address@example.org’.
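
One way a provider could audit for this kind of loop before enforcing a factor, written as an added example that is not from Gandi.net or any other provider: it models what each action needs in order to work, then asks whether renewal is still reachable after each foreseeable failure. The node names, the graph layout and the authenticator-app alternative are assumptions made for illustration.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# node -> alternatives; every item inside one alternative must work (AND),
# and any one alternative is enough (OR). Nodes with no entry are plain
# resources that work unless they have failed.
Graph = Dict[str, List[List[str]]]

# Constructed model of the four steps above (illustrative names only).
EMAIL_ONLY: Graph = {
    "renew:example.com": [["login"]],
    "login": [["password", "mfa:email"]],
    "mfa:email": [["mailbox:address@example.org"]],
    "mailbox:address@example.org": [["domain:example.org", "mailhost"]],
    "mailhost": [["domain:example.com"]],  # the mail server lives in example.com
}

# Same account with an authenticator app enrolled as an alternative factor
# (assumed here; the scenario in the text offered email only).
WITH_TOTP: Graph = {
    **EMAIL_ONLY,
    "login": [["password", "mfa:email"], ["password", "mfa:totp"]],
    "mfa:totp": [["device:authenticator"]],
}

# A failed resource can only come back through the action listed for it.
RESTORED_BY: Dict[str, str] = {"domain:example.com": "renew:example.com"}

# Failures the text calls foreseeable: expired domains and a lost device.
FORESEEABLE = ["domain:example.com", "domain:example.org", "device:authenticator"]


def achievable(
    node: str,
    failed: Set[str],
    requires: Graph,
    restored_by: Dict[str, str],
    _path: Tuple[str, ...] = (),
) -> bool:
    """True if `node` can be used or performed given the failed resources.

    A node that is already on the current path is needed to obtain itself,
    which is exactly the circular dependency, so it counts as unreachable.
    """
    if node in _path:
        return False
    path = _path + (node,)
    if node in failed:
        fix: Optional[str] = restored_by.get(node)
        return fix is not None and achievable(fix, failed, requires, restored_by, path)
    alternatives = requires.get(node, [[]])
    return any(
        all(achievable(req, failed, requires, restored_by, path) for req in alt)
        for alt in alternatives
    )


def single_points_of_lockout(
    action: str,
    candidates: Iterable[str],
    requires: Graph,
    restored_by: Dict[str, str],
) -> List[str]:
    """Resources whose failure alone makes `action` impossible."""
    return [
        c for c in candidates
        if not achievable(action, {c}, requires, restored_by)
    ]


if __name__ == "__main__":
    for label, graph in (("email only", EMAIL_ONLY), ("email or TOTP", WITH_TOTP)):
        bad = single_points_of_lockout(
            "renew:example.com", FORESEEABLE, graph, RESTORED_BY
        )
        print(f"{label}: single failures that block renewal -> {bad or 'none'}")
```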

4. Provide Multiple Independent MFA Options

Users should be able to choose from genuinely independent factors, not cosmetic variations of the same dependency.

5. Treat Recovery as a First-Class System

Recovery is not an afterthought. It is part of the authentication system and should be designed, tested, and audited accordingly.

6. Offer Human Escalation for High-Impact Accounts

For registrars and infrastructure providers, automated recovery is insufficient. Human review must be available, accessible and within reasonable response times where consequences are severe.

Conclusion

Multi-Factor Authentication is an important security control, but it is not inherently safe, fair, or effective. Its value depends entirely on how it is implemented.

Mandatory MFA that relies on email, SMS, or single-device access, without resilient recovery, does not reduce risk. It shifts it, often onto the user, and frequently in ways that are legally and operationally indefensible.

For registrars, Internet Service Providers, hosting providers, telecommunications providers and security professionals, the challenge is not to enforce MFA at all costs, but to design authentication systems that acknowledge reality:

  • devices fail,
  • accounts expire,
  • providers make mistakes,
  • users make mistakes,
  • users might not be ideally located when, not if, issues occur (e.g. PTO)

Users should not lose critical assets as a result.

Security should protect users from attackers, not trap them in systems they cannot escape.

Dive gear – The Do’s And Don’ts

Some of you will know I’ve been a diver for many years, the more astute of you will know of my love of underwater photography.

So a little about my policy on gear.. I tend to choose a manufacturer after doing a bit of research and stick with it, for everything. It’s called brand loyalty…

Photographic equipment, I went with Nikon, and have gear worth in excess of €25,000, underwater housings, Sea and Sea worth a not insignificant amount. Dive gear, Oceanic, even my computer gear, all Apple (and no I’m not a “fan boy”.). I have just found if you stick to a brand everything “just works”.

Well unfortunately it seems I was wrong to trust; brand loyalty is not a great thing for some brands as they have no customer loyalty.

This, therefore, is the story of Oceanic. Regulators, BCD, computers (three of them), masks, fins, even wetsuits, all of which I have despite certain items being better with other manufacturers I was sucked in by the “lifetime warranty” initially, and the deal was sealed when their “medium large” size for the wetsuit fit me perfectly.

Oceanic – Australia

Without fail in Australia I took my gear back to Nautilus SCUBA of Brisbane, an authorized service center/dealer for Oceanic, and all was fine. I then moved from Brisbane to Canberra and found myself visiting Norm Green from Indepth SCUBA, who is both a good friend and great dive shop, though this is where my problems started. They serviced my regulators one year and some mixup resulted in the Warranty being voided because I had supposedly not serviced the regulators one year… of course this I balked at and persisted in chasing Norman over the issue and after showing receipts and numerous emails from him to Oceanic the Warranty was reinstated due to me keeping to the service records over the years (turns out it was a late submission of paperwork that caused the problem.)

Oceanic – Malta

Then in 2009 I moved to Malta, and searched out a local Oceanic dealer.. world wide warranty? Pfft! From day one they told me there was no world wide warranty and I would have to pay in full for all servicing and parts, so I did, even when I had to stop diving because of a bout of cancer… Every year the regs, computer and BCD were serviced.

8 years later I returned to Australia and went to Dive Jervis Bay to get my gear serviced … especially after getting wet and finding my regs started free flowing. After waiting months for servicing and repair I was informed that the regulators were missing 2 parts, one of which was a critical O-ring and, in the words of Dive Jervis Bay, I was lucky to be alive as the regs could have failed at anytime.

The battery died on my Oceanic OC1 (not the first time), so I took it to Dive Jervis Bay and asked them to replace, test and service it. A couple of weeks and a few hundred dollars later it was returned to me and I booked a dive.

30 seconds into the dive I found the computer going into “calibrate compass” mode and buttons failing, then the dreaded water droplets. Dive aborted, and waited the first dive out, second dive I went with a backup. On return to shore I gave the computer back to the shop and asked them to look at it, they said they sent it back to Oceanic.

Weeks later (6-8 weeks) I was informed the computer was out of warranty and it was a write off as they were an obsolete model and $1000+ would need to be paid for a replacement. I suggested they should reconsider, and several weeks later received the reply that no, that was that, new computer at $1000 or I should go with another manufacturer. In shop I was asked to consider the Suunto range.

Well upshot of all this, after months of asking for the return of my now dead computer it was returned to me, and finally tonight I got around to opening it up. To my astonishment I found the computer very obviously had not even been opened, as it was still full of water, and the reason for the flood was the seal on the battery cover was both damaged and had debris on it.

So the do’s and don’ts …

Don’t trust a world wide warranty particularly by Oceanic, it’s not, and it will be cancelled at the drop of a hat, even if it is not your (the consumers) fault.

Don’t trust authorized service agents (particularly in Europe) to actually safely service your gear, let alone honor service agreements.

Don’t trust the manufacturer or their authorized service agents to care about you respecting brand loyalty (they don’t give a crap, it’s all money to them.)

Do research what you’re buying.

Do research “authorized service centers” to see if they have mandatory training.

Do learn how to service your own gear so you can at least check the work done by the agent.

Don’t assume because you are paying top dollar for gear you’re getting top quality.

Don’t bother with brand loyalty, it used to be worth something, but nowadays it’s worth nothing, the only thing brands care about are the number of greenbacks you can give up.

Footnote

So as I don’t expect to hear anything from Oceanic or any other Dive gear manufacturer, I’m now ridding myself of Oceanic stuff and going with what ever suits the purpose by which ever manufacturer I feel is not offering the best deal/value for money… Starting with a new air-integrated Computer.

New Computer for Xmas? From Amazon? Watch out you might need a HazMat suit….!!

What is it with me, I seem to attract trouble at the moment, either that or I just don’t take s**t like others do…

So I’m not going to talk about the ripoff known as Ebay seller StuffUSell who sells stuff that they know doesn’t match the description… that’s Ebay and par for the course… No this is about someone you would think would know better… Amazon…!

Yeah the price of globalisation.. they’re so big in every country that when searching for stuff you don’t even see Ebay at the top of the list anymore, you just see 100’s of Amazon links leaving you little choice about where you can purchase items…  Even if they can’t/won’t deliver.

Many of you the readers know I live in Malta (Europe, not the town in the USA) it’s a small island in the middle of the Mediterranean sea and unfortunately getting stuff that is available to the rest of the world can be a task… and it’s not cheap (sometimes as much as double to RRP.)  For this reason I often use online services such as Amazon to get what I need at a reasonable price, paying extra for shipping.  Obviously because of Tax and VAT I prefer to order from Amazon EU/UK where ever possible.

So what is the subject about, you’re thinking.. well simple are you in Europe, are you thinking about ordering a computer/tablet for Christmas 2013…?  Well my advice is avoid Amazon at all cost as you might find yourself without what you are waiting for until after Christmas, with the excuse the Item you are ordering has a HAZMAT sticker on it and we can’t ship it to you…

Here’s the screenshot of the item I ordered over a week ago..

Thecus N4510UR 12TB NAS

So as you can see ‘Ordered on 21 November 2013’ .. however let’s take a look at ‘My Orders’…

My Orders at Amazon

So I didn’t get any delivery, so I checked the order status, found it not yet dispatched so I got onto Customer Support (politely at first)… and after 24 hours I got this response:

 Hello,

I am writing to let you know about your order #202-2620275-0284318.

I have received an update from our fulfillment center stating that this item has been held up at JKPT this is because the item has been identified as having HAZMAT control on it and therefore can not be shipped to the address used as we can not ship this type of product to an overseas address.

I hope this helps you.

We look forward to seeing you again soon.

Warmest regards,

Ruban S.

It’s like ‘WFT?!?!?!’ HAZMAT?!?!??! It’s a computer – it doesn’t even contain battery backup batteries!!

I got back to Customer support (again politely(ish) at first).. and couldn’t get a response as to what “JKPT” is … eventually I persuaded the Customer Support person to email me later what it meant, I got the following:

Hello,

I’m writing regarding your order #202-2620275-0284318.

Please be informed that, JKPT is a condition that an item is put into when we have no shipping method for the item due to HAZMAT regulations. It is usually to either an overseas address or a PO box address, locker or a parcel motel type place.

If we can be of further assistance, you can reply directly to this e-mail. You can reach us by chat or phone from this link:

http://www.amazon.co.uk/contact-us

Customer Service can be reached by phone and chat 7 days a week 06.00 to midnight, local UK time.

If you need to call us, we can be reached on Freephone (within the UK) 0800 496 1081. International customers can reach us on +44 207 084 7911.

We look forward to seeing you again soon.

Warmest regards,

Babuvignesh S.

At this point I got a little narcky and phoned them on the 0800 number for the UK and pointed out, that the address for delivery is a real address that they have delivered to previously, and that whilst they are correct ‘overseas’ pretty much everywhere in Europe could be classified as such if the origination point is Jersey as they previously indicated… and again the response:

 Hello,

Regarding your Order No: 202-2620275-0284318, we’ve got an update from our fulfilment team:

”  I’m sorry but this item has been held up at JKPT this is because the item has been identified as having HAZMAT control on it and therefore can not be shipped to the address used as we can not ship this type of product to an overseas address ”

Warmest regards,

Thangjam M

Then 24 hours later I get this:

Hello,

I’m sorry for the inconvenience caused to you with the restrictions to Malta.

I do understand your concern regarding the item being allowed to ship to Malta.

I’ve checked and can see that my colleague has already contacted appropriate department to investigate this issue.

As it is not yet possible to provide you with a resolution, we continue to work hard to provide an update and we still expect to be in contact with you on the date provided by my colleague, November 29, 2013.

Please accept my apologies for the inconvenience; we want to be sure to address this matter as thoroughly as possible.

If you don’t hear back from us by November 29, 2013, please contact us again by replying directly to this email.

I hope this helps. We look forward to seeing you again soon.

Warmest regards,

Imran A.

So the moral, if you want/need something quick (even as a business user buying business class items) don’t bother with Amazon, and certainly if it’s a computer or tablet (as tablets are computers).. go down the high street and buy over the counter – even if it costs more or takes your time, at least you’ll get it, and the shop is likely to be still there next time you need something!!

 

UPDATE [5th December 2013], this just in from Amazon:

Hello,

We’re writing about your Amazon.co.uk order 202-2620275-0284318 which included the following:

——————————————————

B009E0X9Q4

Thecus N4510UR 12TB (4 x 3TB) 4 Bay 1U Rackmount NAS with McAfee Antivirus Protection

——————————————————

Unfortunately, due to delivery restrictions on such items, we won’t be able to send you this item and have cancelled it from your order.  This is because this item contains flammable, pressurised, corrosive, environmentally hazardous or otherwise harmful substances classified as dangerous goods under the European Agreement concerning the International Carriage of Dangerous Goods by Air.

Although the amount of these substances in these products is usually quite limited, these products need to be transported in a certain way to ensure that they are handled with care and are therefore assigned to a specialist carrier.  Unfortunately this means that we can’t dispatch this to any destination outside of mainland UK.

We’re sorry for any inconvenience caused and hope to see you again soon.

Warmest regards

Customer Service Department

Amazon.co.uk

Please note: This e-mail was sent from a notification-only address that can’t accept incoming e-mail.  Please don’t reply to this message.

So there you have it, if you are buying a computer from Amazon (UK) and are not in the UK they cannot and will not ship the item – even if it is marked as being sold by Amazon Europe (S.a.r.L.) and even if it is marked as available for delivery to your country…

UPDATE 2:  Bit the bullet today, and went to one of the local computer stores and bought the non rackmount version of the NAS, found for €1123.00 (less than Amazon) I was able to get a 16TB version.. then I thought about it…  We’re on an island, everything is flown in.. but wait, Amazon said it was a HAZMAT marked item….!

Old School corruption still around in Malta…?

Well, all those who know me know I do not have tolerance for Political parties or Political grandstanding; however, in the case of the 2013 Maltese Elections it is time I waded in with my 2 cents. This is not a political statement for either side, because to be honest, if I were voting I wouldn’t vote for either one, both are in it for themselves and not in it for the people as elections really should be. However, this is about the events (or more specifically one event) surrounding the election which is a clear disgrace…

According to the Maltese Law, 24 hours prior to the opening of the polling booths all campaigning must cease or those responsible will be in breach of the law and subject to arrest.  This applies to all candidates, parties and news media (both the services themselves and journalists.)

This evening, in Malta, well-known blogger and journalist Daphne Caruana Galizia was arrested for blogging about the election in her usual, sometimes coarse, manner. This in itself is not wrong, and indeed it appears her arrest was made with good reasoning and because it appears she violated the 24 hour law. What is NOT right, and clearly a prejudice either against her or what she stands for, is the fact that some of the candidates themselves continued their campaigning clear into the 24 hour ‘no campaigning’ period, and no-one else has been arrested.

Lou Bondi, from TVM’s Bondi+ was there at the time of the arrest and the video of the arrest has been uploaded to You Tube here.  Now before any of you the readers get hot under the collar about the police officers involved, please remember they are doing their jobs, they were told to make the arrest.  Instead, focus your attention and appeals on the two following things:

  • First: Who ordered those police to arrest Daphne Caruana Galizia?  
  • Second: Why were others who clearly violated the same laws not arrested?

What follows are screenshots of the Facebook pages of some of the candidates and their delegates, all of which are in violation of the same law. All of the people posting should be arrested on the same charges as Daphne Caruana Galizia immediately. If the person ordering the arrest of Daphne Caruana Galizia is not willing to order the arrest of these people, that person should be fired and prosecuted for discrimination in the highest, and investigated for corruption.

 


You will note, that there are candidates from both sides of the Election.  All should be arrested for the violation of the 24 hour rule as they are all clearly in breach.

 

Note: Comments are open, however any political statements for or against any party will be reported as campaign statements or deleted.  I will allow comments about the unbalanced treatment of the parties and journalists involved in this scandalous arrest.

Note 2: Just to be clear, I am in the USA currently, and have no idea of the timezones/timestamps on the Facebook pages, these have been reported as postings within the 24 hour window to me, please excuse and inform me if any are not in fact in the 24 hour window.  Also if there are other examples, please screenshot them and post them to me at michelle@shellsshots.com and I will update this page with them.

ARMS… The Saga continues…

So the saga continues… ARMS (Malta’s Automated Revenue Management Services company that collects electricity bills) have so far ignored me, ignored my lawyer, and ignored my emails… Today I received a letter (scans of the letter at the bottom of this page) threatening legal action and disconnection again… This is despite me sending the following letter to them a month previously (on the 4th December 2012)..

ENGLISH:

I am writing to you about a number of things, including a long standing
issue that is still not resolved. My next step is talk to Parliament
and the Times of Malta.

FIRST:

I bought a house here in Malta in June/July 2010, and was named on the
bill by the former owner as she changed the service from herself. I was
placed on a ‘Residential Rate’ even though I have a residency
certificate and I operate a commercial enterprise from my premises.

In September/October 2011 I was in the USA on business and the meter
reader came to my premises and was unable to get an answer at the door (due
to me being 5000+ miles away in the USA.)

ARMS proceeded to ‘Estimate’ a reading (of only some 70ish units) and
mark the bill as a ‘N’ (Non Read) when the actual reading would have
shown considerably more (circa 11,000 units.)

In March 2012 an ARMS employee visited my premises and read the meter
(and the accurate read of some 20,000+ units) and shortly there after I
received a bill for some €12900+. Upon examining it I saw several errors:

1/ The law provided discounted rating had been disregarded and the
20,000 unit difference between the ‘non read’ and the current reading
had been pro-rated to just 6 months (rather than the law provided 12
months.)
2/ The bill showed ‘0 (zero) residents’ – This is wrong on 2 counts.
a/ I am a commercial (non-residential) entity
b/ I am a Maltese resident and therefore should not be paying the
‘Domestic’ ratings.

Shortly after I asked my lawyer and friend Ms G Spiteri to accompany me
to the ARMS office in Pieta for an explanation and correction. Both Ms
Spiteri and I were astonished when the ARMS staff member told us that it
was a computer programming error that could not be rectified (and would
not be rectified) without involvement from the CEO of ARMS. He then
proceeded to inform us that the incorrect tariff would not be corrected
without filling out a change of service form, which I had to download
from the website and fill in. I read your form and noted at the
signature line that there is a statement alluding to the change would
only be applied to the date of signing onwards. This is unacceptable as
it was not my mistake in the first instance.

In September 2012 I receive a ‘notice of disconnection’ from ARMS, I
informed Ms Spiteri, who wrote to yourselves indicating that you would
be held responsible to the amount of €1000 per 24 hour period in loss of
business earnings should you proceed. I repeated the same to your
customer care line, they indicated that I (rather than my lawyer) should
have contacted yourselves. Whom I chose to contact you is dependent on
your responses to me, and so far they have been such that I am
considering taking a very public class action suit against ARMS for this
completely discriminatory, defamatory, inadequate and prejudicial service.

I note that as of today (4 December 2012) responses have been slow (if
at all) and the service is still considered by yourselves as ‘Domestic’
My latest bill shows some €17000+ in arrears and it is getting to the
point when I think if it is even sorted out and I am billed at the
correct rate I will not be able to afford to pay the bill in a complete
hit and may be left with interest charges that you apply without any
credit agreement that enables such.

ALSO:

Last night I suffered 3 separate power outages when the ‘smart meter’
shut the supply off each time indicating ‘Over Usage by 18%’ … The
additional power I was consuming were an electric cooking ring (single)
and the oven. I am sure you are aware the power usage by said items
does not exceed what 3×3.5kw Airconditioning units and a 7kw unit would
use during the summer (which I was using this summer, without issue.) I
am fully aware the ‘Smart Meters’ are remote programmable and remote
controllable and as such you can remotely tell the unit to terminate the
supply at any time without my interaction. This means either one of 2
rational possibilities:

1/ Someone instigated a remote power outage.
2/ The meter is faulty and is incorrectly reading the power consumption.

(a third option would be someone stealing power, however with the
exception of the existing ground level wiring, I am fully aware of all
the connections and intersecting points of my installation as I
installed most of it myself, including additional grounding to bring the
installation to a greater safety level than required by Maltese law.)

The power outages caused several issues. First, I lost 7 days of work
(80 hours of work) due to it as it caused damage to one of my computers
that had not managed to complete its backup. Second, it was highly
dangerous to the members of the household, not to mention myself because
we were plunged into darkness, one person in the shower, myself cooking
with a hot deep fat fryer, and someone had to navigate through the dark
building and fumble in the electricity cupboard for the breaker to reset
it (had there been power this could have proved fatal.)

LASTLY:

Some time ago (possibly summer 2011) I requested a larger meter to be
installed in this premises as when the Smart Meter was installed they
installed a 60Amp meter which was lower than the original, and is
totally inadequate for a 4/5 bedroomed air conditioned house. I noted
on your website at that time that you had the option of a larger single
phase meter (80 amp) which is more realistic to the needs of a large
house. I was informed by the ARMS staff that there was no such meter
and I would have to “upgrade” to a 3 phase installation. The internal
wiring of this building is not suitable for a 3 phase installation,
though it is conceivable that I could separate out individual phases for
certain parts of the house. I was informed the cost would be in excess
of €3000 for the said ‘upgrade’ (as opposed to the website quoted change
of €300 for a larger meter – which would put me back to the original
meter size pre-smart meter.)

SUMMARY:

I am to date disgusted with the service of ARMS, I cannot get correct
billing, I cannot get responses from persons responsible, I have an
inadequate service that you refuse to change without exorbitant fees and
considerable inconvenience, not to mention the prejudicial and
discriminatory service I have received to date.

Michelle Sullivan

PS: Please reply in English.

MALTESE:

I am writing about a number of things, including an old issue that is
still not resolved. My next step is to speak to Parliament and the
‘Times Of Malta’.

FIRST:
I bought a house here in Malta in June/July 2010, and I was named on the
account, which was written up by the previous owner when she transferred
the service from her name to mine. I was on the “Residential Rate” even
though I have a residence certificate and operate a commercial
enterprise from my premises.

In September/October 2011 I was in the United States on business and the
electricity meter technician came to my house, but nobody opened the
door for him (as I was 5000+ miles away in the United States.)

ARMS proceeded to make an “Estimate” of the reading (of only circa 70
units) and marked the bill as “N” (Non Read) when the actual reading
showed considerably more (circa 11000 units.)

In March 2012 an ARMS employee visited my premises and read the
electricity meter (the exact reading was some 20,000+ units) and shortly
afterwards I received a bill of some €12,900+. When I examined this
reading I found several errors:

1/ The law provided a discounted rate, which was ignored, and the 20000
units difference between the “non read” and the actual reading was
distributed over only 6 months (instead of over 12 months, as per the law.)
2/ The bill showed 0 (zero) residents - This is wrong for 2 reasons.
a/ I am a commercial entity (not residential)
b/ I am a Maltese resident and therefore should not have to pay the
domestic rates.

Shortly afterwards I asked my lawyer and friend Ms G Spiteri to
accompany me to the ARMS office in Pieta for an explanation and
correction. Both Ms Spiteri and I were shocked when the ARMS staff
member told us that this was a computer programming error that could
not be rectified (and would not be rectified) without the involvement
of the CEO of ARMS. He then informed us that the incorrect tariff would
not be corrected unless the change of service form was filled out, and
so I had to download it from the website and fill it in. While reading
your form I noted at the signature line that there is a statement
alluding to the change only being applied from the date of signing
onwards. This is not acceptable because it was not my mistake in the
first instance.

In September 2012 I received a “notice of disconnection” from ARMS. I
informed Ms Spiteri, who wrote to yourselves indicating that you would
be held responsible to the amount of €1,000 per 24 hour period for loss
of business earnings should you proceed. I repeated the same to your
customer care line, who indicated that I myself (rather than my lawyer)
should have contacted you. Whom I chose to contact you depends on your
responses to me, and so far they have been such that I am considering
taking public action against ARMS for this completely discriminatory,
defamatory, inadequate and prejudicial service.

I note that as of today (4 December 2012) responses have been few (if
any) and the service is still considered by you as “Domestic”. My latest
bill shows some €17,000+ in arrears and I am getting to the point where
I think that even if it is sorted out and I am charged at the correct
rate, I will not be able to afford to pay the bill at once and may be
left with interest charges that you apply without any credit agreement
that permits such.

ALSO:

Last night I suffered 3 separate power cuts when the “Smart Meter”
showed excess usage of 18% … The additional electricity I was consuming
was an electric cooking ring (single) and the oven. I am sure you are
aware that the power usage of the said items does not exceed that of
3×3.5kw air conditioning units and a 7kw unit used during the summer
(which I was using this summer without problems.) I am aware that the
“Smart Meters” are remotely programmed and controlled and as such you
can make the unit terminate the supply at any time without my
interaction. This means one of 2 rational possibilities:

1/ Someone instigated a power cut remotely.
2/ The electricity meter is faulty and the reading of the power
consumption is wrong.

(A third possibility is that someone is stealing electricity, however
with the exception of the existing ground level wiring, I am aware of
the connections and intersecting points of my installation as I
installed most of it myself, including additional earthing to bring the
installation to a greater safety level than that required by Maltese
law.)

The power cuts caused several issues. First, I lost 7 days of work (80
hours of work) as it caused damage to one of my computers that had not
managed to complete its backup. Second, it was highly dangerous to the
members of the household in the building, not to mention that we were
plunged into darkness, one person in the shower, myself cooking with a
hot fryer, and someone had to navigate through the dark building and
search in the electricity cupboard for the breaker to switch it back on
(had there been electricity this could have proved fatal.)

LASTLY:

Some time ago (possibly in the summer of 2011) I requested that a larger
electricity meter be installed in this residence, as when the ‘Smart
Meter’ was installed they installed a 60Amp meter which was smaller than
the original, and it is totally inadequate for a house with 4/5 bedrooms
and air conditioning. Also, at that time I noted on your website that
you had the option of a larger single ‘phase meter’ (80 amp) which is
more realistic for the needs of a large house. However, I was informed
by the ARMS staff that there was no such meter and that I would have to
“upgrade” to a ‘3 phase installation’. The internal wiring of this
building is not suitable for a ‘3 phase installation’, though it cannot
be excluded that I could separate out the individual phases for certain
parts of the house. I was informed that the cost would be in excess of
€3,000 for the said “upgrade” (as opposed to the change quoted on the
website of €300 for a larger meter – which would put me back to the
original ‘pre-smart meter’ size.)

SUMMARY:

To date I am disgusted with the service of ARMS, I cannot get correct
bills, I cannot get responses from the persons responsible, I have an
inadequate service that you refuse to change without exorbitant fees and
considerable inconvenience, not to mention the prejudice and
discrimination in the service I have received to date.

Michelle Sullivan

PS: Please reply in English.

— Michelle Sullivan http://www.mhix.org/

 

One can only hope that the likes of the Times of Malta will take up the story and expose their discrimination and illegal strong-arm tactics. (They have ignored at least one law in Malta – my lawyer has already threatened them with legal action should they not comply.)

 

ARMS Final Notice (1)

 

ARMS Final Notice (2)