...making Linux just a little more fun!

Henry's Techno-Musings: User Interfaces

By Henry Grebler

Techno-Musings image

"I've bought us a new potato peeler. Doesn't it look fantastic!"

My wife's enthusiasm was boundless. Meanwhile I struggled with the nuances of her declaration.

Why us? I wondered uncharitably. I was perfectly happy with the three other potato peelers we already had. Why did we need a new one? And why would I care what it looked like?

A few days later, I complained, "It doesn't do a good job."

"You're such a curmudgeon. It's beautiful. That's all that matters."

This is our endless debate. For her, style is all. I, on the other hand, believe that, without function, form is irrelevant.

Sadly (for me), my wife is in the majority. And nowhere is this demonstrated better than on websites.

I see many jobs for web designers, but I can't get my head around what people mean. If all these websites are designed, how come they are so dreadful at what they do?

Perhaps I'm begging the question. Maybe the purpose of each website is to be a monument to its designer, an item for her folio, a notch on his belt.

Perhaps, in the vein of "your call is important to us" (newsflash: it isn't), these websites do indeed reflect the desires of their owners. These desires start with a complete disdain for their users, whom they treat with contempt. They seem to want their websites to be vehicles to push other products.

In the Beginning

Take my bank, Citibank. When I first started using their website for banking (over 3 years ago), I was extremely impressed. It seemed that they had found a balance between security and usability. (Of course, I'm talking about my experience in Australia. I have no knowledge of how Citibank's websites work anywhere else in the world. I'm guessing it's the same throughout Australia, but I can't even guarantee that.)

What impressed me the most was their out-of-band confirmation. Before I transfer money to any party, I must first set that party up as an account in my profile. I use normal browser procedures to create the account, but before the account can be activated (ie used), I have to ratify it. In the past, I could do that in one of 2 ways: ring Citibank (a not particularly convenient mechanism - but it is only once per account); or respond to an email.

In the meantime, they have replaced both of these with another mechanism: they SMS a code which I must manually enter. I think most banks do that now.

Using SMS rather than email is likely to be more secure. In theory, if your PC is compromised, the hacker has access to your bank account and your email. To rip you off now, the hacker would also have to be in possession of your phone.

That's all basically good news. Now for the not-so-good news.

In the first incarnation of Internet banking, I had to provide my ATM card number and PIN (pretty much the same as when I went to an ATM). That seemed to me to be secure enough. If it was adequate protection for me at the ATM, why was it less than adequate for Internet banking?


I am not an authority on security, but neither am I a complete stranger.

The theory is that security is about something you have and something you know. (Technically, there's a lot more to it than that. There's also something you are. But that doesn't apply here, so let's move on.) So, when I go to the ATM, what I have is my bank's card. And what I know is my PIN.

One way that fraud is perpetrated on such a system is that the baddies capture (usually photograph or film) the details of your card (basically its number) and use the captured data to create a clone card. Capturing someone's PIN is often not difficult. There are video cameras everywhere these days; and most people are almost reckless in their failure to even try to conceal their activity when they enter their PIN. Just look around the next time you are in the queue at a store's checkout.

You should take the view that if your eyes can see what you are keying when you enter your PIN, then it is susceptible to capture. Ideally, you should cover your keying hand as you key.

When you pay your bill at the restaurant, the something you have is your credit card. There really isn't anything that you know. Arguably, you know how to produce your signature; but then so does any respectable forger. Once she has obtained your card, she has all the time in the world to practice forgery. Even better, if a baddy gets hold of a copy of your card's imprint, he can produce a clone and sign the clone in his handwriting (with your name).

I guess the weakness in Citibank's first incarnation, is that it converts something you have (the card) into something you know (the card's number). When it comes to things you know, two are not better than one. (Perhaps marginally better.)

There are techniques that achieve a de facto something you have. "RSA SecurID is a mechanism developed by RSA Security for performing two-factor authentication for a user to a network resource." (http://en.wikipedia.org/wiki/SecurID) In essence, it's a gizmo that displays a number (at least 6 digits). The number changes every minute. Every gizmo has its own unique sequence of numbers. So, in theory, unless you are holding the gizmo, you cannot know which number is correct at any time. Put another way, knowledge of the correct number is de facto proof that you have that special something you have.

These techniques are probably expensive. Perhaps the bank thought that its customers are too stupid to be able to use such a gizmo.


After some time, Citibank changed the access mechanism. I was invited (read ordered):

	You will be guided to create your own User ID, Password and
	three "Security Questions". You will be asked to choose from a
	range of questions. Each time you sign on you will be asked
	one question.

My guess is that most users access their accounts from a PC running Microsoft, um, products (I cannot bring myself to write software in the same sentence as Microsoft). And I guess there was a concern that many of these machines could be (or had been) compromised. I generally don't use Microsoft platforms to access the Internet; I run Linux on my desktop (as any sensible person would). And I NEVER use Microsoft platforms to access anything to do with dollars.

So I wonder why I have to suffer. Why can't I choose the mechanism with which I access Citibank's facilities?

Ostensibly, Citibank's brave new world of banking was better than the previous world. Here's how it worked (and still works at time of writing).


	By now, the reader must have realised that I have no personal
	inside knowledge of Citibank or any of its personnel. This
	entire piece is speculation on my part, together with my actual
	personal experience. As they say, YMMV. So I'm going to drop
	the "my guesses" and "I supposes"; it's all getting too

I go to the login screen (affectionately called a "sign on" so as not spook the cattle). I enter my User ID. I click on the field where I would normally expect to enter my Password. Up pops a virtual keyboard. This is supposed to defeat keyboard sniffers. Even if a sniffer has captured a session during which I entred my User ID and Password, the only bit that is usable is the User ID (and maybe part of the Password). The virtual keyboard consists of 3 parts. The letters of the alphabet are pretty standard; there's a numeric pad to the right; but there are no numbers on the top row of the keyboard, only the characters produced when these keys are shifted:


The special characters and digits are not in fixed positions; each time the virtual keyboard pops up, the order of these keys changes. So even if a keyboard sniffer detects where you clicked, it does not establish what you clicked.

The perpetrators of this approach had better be really really sure that this last assertion is true. Because the virtual keyboard with the changing keycaps comes at the expense of reducing my password strength. They have decreased the size of the symbol set. There are 94 ASCII printable characters available to a random password generator. Citibank's keyboard is case insensitive; there are only 46 characters to choose from.

Further, I'm not certain it defeats all hacks. If your PC is compromised, perhaps it is also possible that your browser has been hijacked. If the baddies present you with their virtual keyboard, would you notice?

There are other hacks that are theoretically possible.

My suspicion is that the virtual keyboard came from the same school as many of the security "enhancements" inflicted on people in the US after 9/11. These "enhancements" are more about creating the illusion of security than being effective.

It's horrendous to use. For me, when my eyesight was bad, the characters were almost unreadable. On a normal keyboard, I don't have to see the characters clearly; it's enough that I know where they are. But on the virtual keyboard they are never in the same place twice. I changed my password to use characters that I could more readily distinguish.

[ ...thus decreasing the password strength even further (it's not that hard to guess which characters are more distinguishable with poor eyesight.) This reinforces Henry's point: the Law of Unintended Consequences is alive, well, and hyperactive, particularly in the area of UI/security interactions. -- Ben ]

Because my eyesight was so poor, I was in the habit of using my browser's feature for increasing text size. That should solve the problem with the virtual keyboard, I hear you say. Missed it by that much. When I increased text size in the browser window, each character in the virtual keyboard was no longer aligned with the box with which it was associated. In some cases it became even harder to read, even though it was bigger.

My personal biggest gripe with this mechanism is that it takes me much longer to enter my password. Instead of a simple swipe-paste, I must click each character.

My other bank (Commonwealth Bank) has a simple Client Number and Password. As far as I'm concerned, that's perfectly acceptable and vastly preferable. Commonwealth Bank also uses SMS for ratification.


That brings us to yesterday (March 2010). The folk (web designers?) at Citibank have given their website a makeover. It has a completely different look. What's really galling is that the functionality is not better than it was. However, it is vastly different; so now I have to learn how to use the new user interface.

Imagine you've bought yourself a shiny new car. (Obviously it wouldn't happen like this.) You drive it for six months. And then one day you jump behind the wheel - er, wait! where is the steering wheel? Oh, they've moved it to the other side of the car. I have to get in the passenger side to drive. I wonder which one of these pedals is the brake? Ok, I'm starting to get used to it. Now, indicator? Hmm, where would they have put the indicator?

I think you get my drift.

And it's not any better than the previous user interface! - which wasn't great and could have done with some improvement.

But we're back to the potato peeler. If it doesn't peel potatoes, who cares what it looks like? In my opinion (obviously not worth much), Citibank's new look is really terrible.

But here we've come full circle also. The one noticeable difference is that there are many more references to and come-ons for Citibank's other products. Once again, the customer is treated with contempt - unless he's about to buy something.


Talkback: Discuss this article with The Answer Gang


Henry has spent his days working with computers, mostly for computer manufacturers or software developers. His early computer experience includes relics such as punch cards, paper tape and mag tape. It is his darkest secret that he has been paid to do the sorts of things he would have paid money to be allowed to do. Just don't tell any of his employers.

He has used Linux as his personal home desktop since the family got its first PC in 1996. Back then, when the family shared the one PC, it was a dual-boot Windows/Slackware setup. Now that each member has his/her own computer, Henry somehow survives in a purely Linux world.

He lives in a suburb of Melbourne, Australia.

Copyright © 2010, Henry Grebler. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 179 of Linux Gazette, October 2010