Now, I understand the need for online security – after all, I worked in the area for over 5 years at Baltimore Technologies. However, Ulster Bank’s Bankline has the most frustrating levels of security I have ever seen. The following four items are posted out to the customer:
- A smartcard reader
- A separate letter with the actual smartcard
- A separate letter with a onetime pin for the smartcard
- A separate letter with a onetime 10 digit activation code for the service
Now, it may seem sensible to post these all out separately, so that if an individual package was intercepted, not all the information would be available. However, it doesn’t make any sense if they all arrive on your doorstep at the same time, as they did in my case.
In addition to the above, you then need to:
- Change the pin on the smartcard
- Enter your customer ID
- Enter your user ID
- Enter 3 random digits from a different pin
- Enter 3 random letters from a different password
- Enter a new pin
- Enter a new password
- Enter your activation code
Given how insanely complex and lengthy this process is, you would have thought that the Ulster Bank team would have pulled out all the stops to get the usability perfect. But alas no. When entering pins or passwords, the system does not automatically progress to the next input box. So you need to enter one digit followed by tab, then the next digit. To make matters worse, it asks for the PIN in a random order.
Unsurprisingly I didn’t get through the entire process successfully and locked myself out. However 10 minutes on the phone on Monday morning with a very helpful Ulster Bank employee got me up and running. I still haven’t figured out how to transfer money and have a running wager as to the number of pins, passwords and devices that it will require.
If the same levels of security were applied to their branches in the real world, then you would be forced to wait as they flew a military plane to a secret location on the other side of the planet to bring back the money!
There has to be a balance between usability and security. Normally, security gets in the way of what the user wants to do. Therefore, if you need a highly secure system you have to be prepared to put in the extra time and effort required in order to make it usable.
May Update
After one month of using it they have forced me to change my password. I can only hope that they are not going to do this every month. Changing passwords this frequently can only result in users writing them down, thus reducing the overall effectiveness of the security.
I’ve seen (and been involved with) Banks create systems with great security and LOW usability.
The UI/usability aspect forget about the ‘user on their own’ installation issues and the QA dept says everything works fine (as they follow the instructions 2 the letter) BUT…
your average user is <= average and hence = LOW usage/uptake
any banks then wonder why their system isn’t used that well.
Same for IVRs and call centers … but that’s another discussion!
Hi, I got on to Ulsterbank late 08 about all these issues and more. It’s a total disaster of a system. It’s open to forgery (yes you can in fact reuse the password reset form again and again… with some Photoshop know-how it’s easy to change things and email or fax for great effect).
The operators on the help line easily breach basic user security offering services outside the remit of their role and yet the user support / helpline is awful. The standard password 28 auto reset which you might not be aware is totally daft. I have also had to resort to writing down all my details as it’s too complex to remember anything.
I also warned ulsterbank/rbs/bankline that eventually people would publish their frustration on the Internet and expose the poor UI and over the top security which makes the whole experience unusable.
It’s happened. I have now found at least 4 disgruntled users, so how many more are sitting out there very pissed off, including this site.
Once I was told 90% of their customers were happy with their level of new security and I said well it’s pointless listening to the happy people as it’s the 10% unhappy who have probably spotted problems and security issues and you are ignoring them at your peril and that of the general user base. I am sure many users who are supposedly “happy” are writing their password on paper on their desk or stickies. It’s normal human behavior and this system invokes all the wrong behaviors. People will adapt and if the system is this shit it becomes totally insecure by this process. I think everyone has figured that out.
I’ve written to them and received a lengthy and unconvincing response.
IMHO I believe Bankline should desist in telling people their system is secure.
Let’s not get started on the usability …. i.e. what usability.
I’ve wasted days and hours and had to reset my password many many times even after writing it down. It’s too easy to mess it up as it’s too complex in terms of user interaction.
I am able to remember complex combinations and long passwords over 30 characters if I need to. You could never guess them unless you could read my mind. They are totally secure and I use this technique on multiple websites since we all have to remember zillions of passwords. I never use the same one.
I’ve been doing it for over a decade and yet Bankline is the only website I’ve never been able to access trouble free. I know who had the problem and it’s not me, it’s the awful Bankline design, end of story.
If employees of Ulsterbank/RBS are reading this it means you haven’t done your job and millions has probably been wasted on a totally failed website.
Long term it’s a deal breaker when it comes to moving my account. I haven’t done it yet but in future online banking will be my primary concern when it comes to ease of use and Bankline is not on my list. It’s a testament to their Dublin staff that I am still with the Bank. They are powerless to help me in my efforts to convince Bankline they are force feeding a bad bad system.
It took me about 3/4 months to actually get any real customer care. It takes a while to figure out how to get past the robots on the helpline; eventually I got someone who I think saw I wasn’t nuts and passed me along. This is no way to run a helpline. I was only trying to flag serious issues and now I find others on the net with exactly the same problem and concerns.
OK, that’s me done for now!
And I thought I was frustrated … Actually I’ve gotten the hang of bankline now and my current frustrations are the regular, weekend long maintenance periods. This is totally unacceptable even in a non-vital trivial application and unforgivable in a banking system.
Well I managed to get a hold on it after writing it down (and concentrating even harder) but today I lost that bit of paper and I am once again in a rage after a months of calm. It’s a stupid stupid system, I have other online bank accounts and I never have once been locked out.
Bankline is sent from IT Hell as far as I can see.
Someone on Twitter mentioned that it was a 3rd party application. That means that it’s been sold into other banks. Imagine that.
Do you know who? Do you have a link?
Disagree chaps…I want my online banking site to be as secure as possible. I’m glad Ulster have introduced this new security…really it’s not too hard to remember your password and the system allows you to control your password reset frequency. Seems to me Ulster have raised the security bar and it is a big step up from the old Anytime system. The smartcard and reader are also a great job and offer greater security. Coupled with the use of roles allows my own business to have multiple different users with different roles and responsibilities. I’m definitely not one for defending banks…and yes it takes a little bit of getting used to …but have to say we’re happy with the system.
Hi Ronan
I didn’t know there was a password reset frequency setting. Thanks for mentioning it, I’ll hunt it down tomorrow.
I’ve gotten used to the poor usability and my main gripe these days is the long periods of downtime.
Despite having used the system for months, little things still annoy me and cause errors, and I use the service almost daily.
For example – why do they ask for the PIN numbers and password characters in random orders? Why doesn’t the cursor automatically progress to the next field upon entry?
These are just the security related ones, I have also never managed to do payroll without it losing all my entries and forcing me to restart (this may just be me).
I agree that it is better than Anytime but just on a functionality scorecard, not a usability one. It’s the most confusing web application that I have used in the last 5 years. BTW does hitting the back button log you out as well, or is this just me?
Dave Concannon has written a much better piece of analysis than I ever could (as usual) – here http://www.apeofsteel.com/167/security-usability-and-customer-service
Hi Caelen…I suspect the random stuff is all down to prevent hacking and removes/reduces the threat of auto key logging software…if it asked for the same characters all the time then this would definitely be a risk and this could be easily captured….a few other internet banking sites have had this issue. Not automatically moving to the next field probably prevents persistent computerised attacks etc…but it is annoying.
The payroll one I have seen myself..I think you must put the date and totals in 1st…after that it was fine…if you don’t the values get reset as the totals must all add up.
The back button seems to be a common feature on all banking sites…again I think there are security considerations here. I use a few banking sites and really they all steer you away from using the back button…most open in new browser windows and try to hide the back button from users….depending on your operating system and browsers
Hi Ronan
I spent a good while poking around trying to find the setting for password frequency but to no avail. Do you know where it is off the top of your head? It’s not in preferences and you help doesn’t seem to have a search function.
The back button issue seems to be resolved.
I spent 5 years in online security so I know a little about this area (although I haven’t kept myself up to date). You are correct that asking for random digits of password makes good sense, the typical attack this prevents is shoulder surfing and it would certainly be a guard against a key word logger. Asking for the digits in a random order adds further permutations for an auto-key logger and I accept that this does add some security.
As regards advancing the cursor, this is just lazy coding. Any automatic attack wouldn’t use the human interface.
This weekend though I’m just happy that the system is up and running and not in maintenance. There have been 6 weekend long maintenance windows since the middle of July. At least this weekend I can settle down and reconcile the week’s invoices. You’d think no one worked the weekends.
And another full weekend’s outage coming up.
“Due to essential system maintenance, Bankline will not be available between Friday 16th October 2009 2200pm to Saturday 17th October 2009 1900pm”
And again. Are they taking the piss?
Bankline will be unavailable between 18.30 Friday 30 October and 07.00 Monday 02 November while we update the service.