If it is not part of my experience then I probably won’t learn it unless it is intuitive or standardized.
The brilliant Nik Cubrilovic wrote about:
The NYTimes is reporting this morning that a joint Harvard and MIT study into personalized images used on many bank login screens are only effective for around 2% of users
He continues his article by looking at this from a holistic security perspective, including some scary results from an investigation he collaborated on in 1999.
What interested me was that the results validated my own awkward experience with the Bank of America[1] SiteKey system. Do I put in my password here, or the label of the image? I am logging in from a different computer; why is it asking me a different security question?
Nik is correct that “[the joint Harvard and MIT study] should have tested with other banks and other implementations, which would have given the study a better conclusion.”
Is Bank of America’s implementation lousy?
Online banking came to Canada early and it quickly became very good. I use TD Canada Trust, and also experienced Bank of Montreal’s a few years ago. The early quality is likely because we have a few big players in Canada.
Or is the user experience too foreign? Too unintuitive? Standardization: your competitors adopting your experience makes your customer’s experience better.
Related Articles on the Web
“The problem is that users only notice the image once or twice and then are quickly desensitized to the fact that it is even there.”
- Ryan Singel’s Users Ignore Security Features, Including HTTPS
- “The Bankwatch” asks ‘who commissioned the study?’ and what about RSA’s PassMark?
- RSA Annual Consumer Online Fraud Survey (thanks coyote_code)
[1] Bank of America is the very worst banking experience that I have ever had, but Jesse Andrews had a great time!
4 Comments
My wife is far from comfortable on the web. She also checks (runs) our finances and checks things daily. All the bank did was change one sentence and she stopped.
Just that one change turned the familiar to the unfamiliar.
But she was in a regular environment with no rush to see details.
Maybe the banks should say “This is YOUR screen” and let the customer change it (widgets!) so they have more control and it becomes theirs.
I only have experience with the Bank of America login solution from my home computer, and am comfortable with their UX. It’s all about reducing your vulnerability to phishing attacks and increasing trust in their site. The trick is to pick an image and text caption that you strongly associate. Once this is in place, it reduces the possibility of someone catching you with a phishing page and randomly choosing the correct image, because the caption will not match.
I guess the Bank of America login experience is different when logging in from a different computer; I don’t have experience with this, but I’m fairly sure they ask one of your three security questions (something you know).
Other banks might use an RSA SecurID or a similar key fob. Non-sophisticated computer users may find this frustrating to use as well. There’s nothing about the key fob itself that prevents phishing — the SiteKey program addresses this issue.
Done right, a key fob could prevent phishing.
1. Key fob gives you a nonce (NONCE1, a substr() of a hash of KEY1, which changes every time you refresh)
2. You input NONCE1 into the site
3. The site gives you KEY1
4. You input KEY1 into the key fob
5. Key fob verifies that substr(hash(KEY1)) == NONCE1
6. If they match, it gives you NONCE2, which is used to access the site, else, it gives you a mild electric shock (ok, not really)
Annoying, but I think that’d act as both authorization and verification of authenticity.
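A runnable sketch of the six-step fob exchange above, added here as an example and not part of Chris’s comment: it assumes the fob and the bank share a per-device secret seed (the comment does not say how the site learns KEY1) and derive KEY1 from a refresh counter, with SHA-256 prefixes standing in for what the fob would display. It shows the genuine site completing the exchange, and a site that cannot produce KEY1 being refused NONCE2 by the fob.

```python
import hashlib
import hmac

# Constructed demo values. Assumed scheme: fob and bank share a secret seed
# and derive KEY1 from a refresh counter (like a counter-based OTP).
SEED = b"constructed-shared-seed-for-demo"
NONCE_LEN = 6


def derive_key(seed, counter):
    """KEY1 for one refresh of the fob (assumed: HMAC-SHA256 over the counter)."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def nonce_of(key, label):
    """substr(hash(KEY1)) from the comment; the label keeps NONCE1 != NONCE2."""
    return hashlib.sha256((label + key).encode()).hexdigest()[:NONCE_LEN]


class Fob:
    def __init__(self, seed):
        self.seed, self.counter, self.key = seed, 0, None

    def refresh(self):  # step 1: new KEY1 each refresh; display shows NONCE1 only
        self.counter += 1
        self.key = derive_key(self.seed, self.counter)
        return nonce_of(self.key, "n1")

    def verify(self, key_from_site):  # steps 4-6: substr(hash(KEY1)) == NONCE1?
        if self.key is None or not hmac.compare_digest(key_from_site, self.key):
            return None  # the site failed to prove it knows KEY1: no NONCE2
        return nonce_of(self.key, "n2")


class Bank:
    def __init__(self, seed, window=20):
        self.seed, self.window, self.used, self.key = seed, window, 0, None

    def answer(self, nonce1):  # step 3: find the unused counter behind NONCE1
        for c in range(self.used + 1, self.used + self.window + 1):
            key = derive_key(self.seed, c)
            if nonce_of(key, "n1") == nonce1:
                self.used, self.key = c, key  # counter consumed, so no replay
                return key
        return None

    def accept(self, nonce2):
        return hmac.compare_digest(nonce_of(self.key, "n2"), nonce2)


def login(fob, site):  # runs steps 1-6; True only if both sides prove KEY1
    key = site.answer(fob.refresh())
    nonce2 = fob.verify(key) if key else None
    return bool(nonce2) and site.accept(nonce2)
```

A phishing page that merely relays NONCE1 cannot answer with KEY1 without the seed, so `Fob.verify` withholds NONCE2 and the login never completes.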
Hi Chris,
Reading your comments makes me realize how biased I am against Bank of America, both because of the online and in-person experience I had with its representatives. (And am still having.)