@madpilot makes

How to lose friends and infuriate people.

Warning: The following post is an usability rant aimed squarely at the incompetent software developers contracted to Citibank. Please enjoy the ride.

When I went to the UK about 4 years ago, I opened a Citibank UK bank account so that I could get paid whilst I was working. The actual account is really great – much better than any account you can get over here in Australia. There are no fees at all – none, nada, zip. At they time they also provided some great overdraft facilities. As I still occasionally do work for UK clients, and as it costs me nothing, it remains opened.

Significant point #1: I can’t go to a branch, and I need to call international to talk to a customer support officer – I rely on internet banking heavily.

Unfortunately, the online banking experience does not reflect the quality of the account. There are so many usability issues, the developers should be brought before some sort of tribunal.

Javascript Keyboard: This is a favourite amoungst banks as they believe it provides security from key logging software. BOLLOCKS! Javascript is a very dynamic language, it would be extremely simple to write a Javascript function that could be injected onto a page which would reveal the password. All a Javascript keyboard does is increase the chance of me getting my password wrong and slows me down. in fact, if someone was shoulder surfing, they would be able able to read my “keypresses” much easier than if I typed them on a normal keyboard. JavaScript keyboards are stupid.

JavaScript Keyboards are stupid.

Secret Question and Answers: Next, Citibank requires you to answer one of five pre-defined question/answer pairs. In a previous session, I was required to spend twenty minutes picking and answering questions. Why twenty minutes? Because you need to enter your username, password twice (both times using the previously labeled stupid Javascript keyboard), then finally pick five out of twenty questions, type in answers, then type in answers AGAIN to confirm them. After you enter an answer, they are automatically starred out, so you can’t see them.

Challenge Questions are not secure. A small amount of digging will allow you to get most of these details about someone. Heck, if you can get hold of someones bank statement, you can work out at least a couple of answers. All they do is make it frustrating for legitimate users. I couldn’t remember if I used capitals (To this day, I’m still not sure if they are case sensitive) or whether I used abbreviations. And what happens if my favourite colour changes? I’m screwed. Challenge questions are stupid!

Challenge questions are stupid

Guess what, I couldn’t remember the specific format of the challenge question I was asked, so I was locked out, which meant I needed to go through the above procedure again. This time, I took too long, so the session timed out.

I click the login link once more, enter my username and password (again, stupid Javascript keyboard) but it confirms that my username is locked. I need to click the “unlock username” link. I click said link, and it tells me I NEED TO ENTER A USERNAME AND PASSWORD. Two problems here:

  1. Generally people do not expect text links to be associated with text boxes. if you want the data in a text box to relate to an action, make that action a button.
  2. There is no indication that I need to fill in this information until AFTER I have tried.

Finally, I have navigated to the “unlock username” page. Only to be presented with another stupid form. This time, I need to fill in my username, card number, e-Pin (welcome back stupid Javascript keyboard) and account number. Now, I don’t know about you, but as far as I’m concerned, my credit card number is probably more valuable to a thief than my e-Pin, yet the former is in full view of everyone and isn’t protected by stupid virtual keyboards.

The unlock you account screen is stupid!

Now, after attempting this frustrating process a number of times, I am completely locked out from my online account and I will need to call the UK to get it sorted out. Go team Citibank.

So what can they do about this to make the process simpler? I think BankWest has got it right:

  1. They issue a Personal Access Number (PAN) – The number is short, so it is easy to remember, but it is not easily derivable from the account number of any user details.
  2. they politely remind users that they haven’t changed they password in a while. Which is much nicer then forcing me to do it. If I’m stupid enough to not change my password regularly, even when warned, well that is my tough luck.

Other things worth trying:

  1. Limit the amount of money that can be transferred in a day, especially for person-to-person transfers – having access to online banking accounts is not much use unless you can transfer the money out.
  2. Give users the choice of blocking person-to-person transfers and BPay – I only ever check my balance through this system so I have no need for transfer facilities.

The bottom line is these “security” measures aren’t that much more secure that a standard username/password conbination yet they are infinately more annoying and frustrating.



  1. That javascript keyboard must be the most stupid thing i've seen, not to mention on an online bank! Seriously, somebody should get fired on this shit. Normally i'm not really keen on ranting about user interfaces because it's probably the most difficult (and underrated) part of development but this is just plain stupid. (They probably even spent a huge amount of time to develop the damn thing)

    I figure you emailed the bank in question a link to this 'rant' to get the word out :)
  2. Hey Niek,

    I'm tempted, although a slightly watered down version MAY be more appropriate. It depends on ow my phone call to their customer support line goes today :)
  3. Bank west used to make you restart your browser after (kill the cookie) a session time out or three bad attempts.

    Which is okay, it it does take much to kill the cookie and move on. But when you are in a hurry it was a pain. Especially when they tell you wait 15 minutes between sessions, when it was really a restart. I don't think they counted on Tabbed browsing.

    Your Bank in question needs a rocket.

    At least you can get to the screens, with the Commonwealth Bank you can't get to the screens, and they tell me I'm using an "uncertified insecure browser" give me a break.
  4. After reading this post this morning, I decided to send an email to my bank (Police & Nurses Credit Society), because they also recently implemented an on-screen keyboard.

    The Coordinator for Online and Electronic Channel Management read your post and got back to me directly within a couple of hours. Police & Nurses really do have great service!

    I'm not going to paste the whole thing, but the points he raised were:

    1. "The On-Screen keyboard is successful in eliminating keylogging viruses."

    2. "The encrypted on-screen keyboard that is utilised by Police & Nurses has been used by other Australian financial institutions for almost 18 months and is yet to be

    compromised ... the comment from the writer, in relation to "it would be extremely simple to write a Javascript function that could be injected onto a page which would reveal the password" seems to try and over simplify the level of security that the keyboard provides."

    3. [In regards to changing passwords] "Under Australian regulation (Electronic Funds Transfer Code of Conduct), financial institutions are equally liable for any loss incurred via a fraudulent internet banking transfer, unless they are able to prove "on the balance of probabilities" that the user had contributed to the loss via negligence (eg. allowing their password to be known by others)."

    4. They advise people not to access Internet Banking from an Internet Cafe/Library/etc. [in regards to Shoulder Surfing]

    5. They have session timeouts, and daily BPay/Transfer limits.

    I would like to note here that I am a completely happy Police & Nurses customer. They have excellent service and the accounts are quite good too. I am just a little berated about the new on-screen keyboard.
  5. Hi Justin,

    Sorry it took so long to reply, for some reason you comment got marked as spam.

    I'm interested in point 2 that P&N makes about the encrypted keyboard. I would say (with out seeing the keyboard) there would be a JavaScript method that one could bind to that would effectively be able to log the password, so no, I don't think I'm over simplifing the level of security.

    The rest of the comments from him are great though!

Leave a comment