Online Banking Experience
When Bill Buxton kicked off MIX 09 with a User Experience theme, I couldn’t stop thinking about how UX is so obvious yet so easily forgotten by developers. One thing that came to mind lately was my online banking experience.
As background information, I have used several online banking applications; sadly, none provides the ultimate experience. When I talk about experience, I mean ease of use and peace of mind while using it.
In this write-up, I focus on how each system treats users when they interact with it, specifically authentication.
Bank Niaga
Bank Niaga is an Indonesian local bank. I opened an account with the bank for my first job’s salary credit. The company refused to use another bank, so that was that.
They don’t offer a free account, but it comes with free online banking. If I remember correctly, they only provide one-factor authentication: username and password. I used it once or twice to check whether my salary was properly credited, but after a while I forgot all the information regarding my account, even though it is still active.
Moreover, they have been constantly sending notification e-mails about URL changes (I received three or so this month), due to a vendor switch, I presume. That was really confusing. Can’t they buy a proper domain and redirect from there (if anything changes)?
Verdict: simple, and useful if you use it often, but people can forget the username-password combination.
Bank Central Asia
BCA is another Indonesian local bank. It is by far the biggest consumer bank and has the best network in Indonesia, so there is no reason not to have an account with them.
They don’t offer a free account, but it comes with free online banking. You also need to pay for the token used for multi-factor authentication. They use two-factor authentication: username-PIN and token. They have a dedicated domain name for the application. Currently I have forgotten my username-password combination, and the account is probably locked out.
The most annoying part of the experience is that you always need to have your token ready for almost every transaction you make. The usability of the token is appalling, because it tries to be smart without being helpful (i.e. it does not adhere to the KISS principle).
Verdict: almost downright useless, but the sense of security is everywhere because every transaction needs to be authenticated.
DBS Singapore
DBS is a Singapore bank with branches in several countries; I use the Singapore branch’s online banking application. It has the best network in Singapore.
They offer a free account, free online banking, and a free token. They use two-factor authentication: username-PIN and token. The token is only used during authentication.
The annoying part of the experience is that authentication uses a Java applet. If you don’t have Java installed, or for some (unknown) reason it doesn’t run, you can’t use the application.
Verdict: more usable than the two Indonesian banks, if and only if all the supporting components work.
Citibank Singapore
Citibank is a US bank with branches in several countries; this section is about the Singapore branch application.
They offer a free account, free online banking, and a free token. They use two-factor authentication: user ID-PIN and token. The application has two good usability points:
- Instead of a username, it uses your card number as your ID. You can’t lose your card number.
- The token is required the first time you want to see details such as transaction history or make transfers, but not if you just want to see your account balances on the home page.
But there are also two annoying points:
- It uses an on-screen keyboard to key in the PIN; nice if you have a tablet, but painful if you’re using a mouse.
- Authentication uses a Java applet. If you don’t have Java installed, or for some reason it is messed up, you can’t use the application.
Verdict: better than DBS most of the time, but with additional annoyances.
HSBC UK
It’s hard to say which country HSBC is from, so I’ll just call it an international bank, which is how they want to be known.
They don’t offer a free account for foreigners, but it comes with free online banking. They use one-factor authentication: a combination of user ID with birth date and PIN. They do not use any applet for authentication.
The user ID is randomly generated, so it is quite safe to write on the card (since it is not related to anything I own or know). I do have one piece of negative feedback: the system doesn’t require you to enter your whole PIN (for security purposes), only three of the six digits. The problem is that it identifies the digits to enter using text ordinals like “first”, “second last”, etc. It would help me to also have a graphical representation of which digits to enter.
Verdict: the most usable of all so far.
Citibank UK
Citibank is an American bank with branches in several other countries; this section is about the UK branch application.
They offer a free account with online banking. They use username-password plus additional personal information. They also use an on-screen keyboard for the password, now a full keyboard instead of a number pad (like the one in Singapore) because the password is a string, not just a PIN.
Verdict: less usable than HSBC, because of the additional annoyances.
The Ultimate Experience
Well, learning from all these systems, I would like banks to build an authentication system that is perfectly usable without being insecure or annoying.
- I would use a username / user ID that I will never forget. Citibank Singapore scored a big win on this point by using your card number instead of some random string. You always have access to your card, it doesn’t carry any personal info, and it’s just always available.
- I would use birth date and personal information as the “password”. You will never forget your birth date, your primary school town name or your mother’s maiden name, for instance.
- For multi-factor authentication, I would use a simple One Time Password token, with additional alternative mechanisms such as OTP via SMS or e-mail.
- Don’t annoy users by requiring them to keep entering codes after the first one; instead, implement a short timeout. I would rather be punished for my slowness (which causes a timeout) than for my impatience.
- Don’t use Java or an on-screen keyboard whatsoever; they are a plain PITA and don’t really help security. Instead, use partial numbers (like HSBC) and invest in SSL!
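As an added example (not from this post or from any of the banks named), here is how the HSBC-style partial PIN challenge with both ordinal wording and a graphical row, and the single token step-up followed by a short timeout from the wish list, could be implemented. The six-digit PIN, the "second last"/"last" wording, the constructed sample values and the sliding idle window are my assumptions.

```python
import hmac
import secrets
import time

ORDINALS = ["first", "second", "third", "fourth", "fifth", "sixth"]

def pin_challenge(pin_length=6, asked=3, rng=secrets.SystemRandom()):
    """Pick which PIN positions to ask for at this login (0-based, sorted)."""
    return sorted(rng.sample(range(pin_length), asked))

def describe_positions(positions, pin_length=6):
    """HSBC-style ordinals ('first', 'second last', 'last') plus a graphical
    row such as '[X _ X _ _ X]' marking the same positions."""
    words = []
    for p in positions:
        if p == pin_length - 1:
            words.append("last")
        elif p == pin_length - 2:
            words.append("second last")
        else:
            words.append(ORDINALS[p])
    picture = "[" + " ".join("X" if i in positions else "_" for i in range(pin_length)) + "]"
    return words, picture

def verify_partial_pin(stored_pin, positions, answer):
    """Compare the typed digits for the asked positions in constant time."""
    expected = "".join(stored_pin[p] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())

class Session:
    """One accepted token code unlocks sensitive actions until idle for timeout_s (assumed)."""
    def __init__(self, timeout_s=300, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.clock = clock
        self.stepped_up_at = None

    def step_up(self, code, expected_code):
        # Accept the one-time code once; later sensitive actions reuse this step-up.
        ok = hmac.compare_digest(code.encode(), expected_code.encode())
        if ok:
            self.stepped_up_at = self.clock()
        return ok

    def allow_sensitive(self):
        """True while the step-up is fresh; each use refreshes the idle window."""
        now = self.clock()
        if self.stepped_up_at is None or now - self.stepped_up_at > self.timeout_s:
            self.stepped_up_at = None  # expired: the token must be entered again
            return False
        self.stepped_up_at = now
        return True
```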