How bad UX design could lead to security holes (BPI Express Online Case Study)
Like most banks in the Philippines, the Bank of the Philippine Islands (BPI) is a major cause of migraine for customers. Its user experience design (UX) is badly done and the web service is unreliable. Both of these headaches lead to a third, much bigger problem: security holes. This probably explains why some BPI customers recently fell victim to phishing scams where unwitting victims divulged their passwords to a website pretending to be the BPI's online service.
BPI's UX design problems
Due to a badly designed user experience, the BPI website creates problems that punish the user. Forgot your password? You would have to call customer service to get a password reset. Maybe they think that this is more secure than doing the password reset online, but really, it's the same thing or even worse: the human to whom I'm giving my details could jot down my credentials.
Let's discuss the first issue: bad UX. By this I mean not only the clunky design of its user interface that confuses users but also the general lack of empathy with the customer especially in times when the site is down.
As I write this, the BPI website is, yet again, under maintenance. The screenshot below is the usual message that customers get when that happens (and all too frequently at that, if I may add).
There is no information on how long the maintenance will take. Should I just keep clicking the refresh button?
On the homepage, it turns out that there's an inconspicuous and cryptic message saying "Electronic Channels Upgrade Advisory":
Does the extra click I spend give me more helpful information? Nope. Check out the resulting page:
It's just telling me what I already know. At least tell me how long I should wait or when to try again. The message is as helpful as a flood warning a day after the flood has submerged the town.
My retries produced a more problematic error message that gives away database details:
Maybe I stumbled upon a critical procedure during the maintenance. But shouldn't the BPI team be cautious about this and prevent this kind of sensitive error message from being published?
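The two complaints above, a maintenance page that never says when to retry and an error page that leaks backend detail, map onto a small server-side pattern: answer maintenance with a 503 and a Retry-After header, and log the real exception while sending the customer only a generic message and a reference id. The following Python is an added example written for this post, not BPI's code; the maintenance window, host name and request ids are constructed.

```python
import logging
import traceback
from datetime import datetime, timedelta, timezone

log = logging.getLogger("bank-web")

# Constructed maintenance window (assumed value, not a real BPI schedule).
MAINTENANCE_END = datetime(2017, 6, 12, 6, 0, tzinfo=timezone.utc)
# Constructed clock values used by the demo below.
DURING_MAINTENANCE = MAINTENANCE_END - timedelta(hours=1, minutes=30)
AFTER_MAINTENANCE = MAINTENANCE_END + timedelta(minutes=5)


def maintenance_response(now, ends_at):
    """503 with Retry-After (seconds) so browsers, scripts and customers know
    when to come back, and a body that states the expected end time."""
    wait = max(0, int((ends_at - now).total_seconds()))
    body = ("Online banking is under maintenance until "
            f"{ends_at.strftime('%Y-%m-%d %H:%M UTC')}. Please try again after that time.")
    return 503, {"Retry-After": str(wait), "Content-Type": "text/plain"}, body


def safe_error_response(exc, request_id):
    """Log the full exception and stack trace server-side; the customer gets only a
    generic message plus a correlation id, never host names, ports or SQL detail."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request %s failed: %s\n%s", request_id, exc, trace)
    body = ("Something went wrong on our side. Please try again later and quote "
            f"reference {request_id} to customer service.")
    return 500, {"Content-Type": "text/plain"}, body


def handle(request_id, now, ends_at, query):
    """Minimal request dispatcher: maintenance first, then the backend call,
    with any exception converted into a sanitized 500."""
    if now < ends_at:
        return maintenance_response(now, ends_at)
    try:
        return 200, {"Content-Type": "text/plain"}, query()
    except Exception as exc:  # noqa: BLE001 - deliberately catch-all at the edge
        return safe_error_response(exc, request_id)


def failing_query():
    # Constructed stand-in for a backend call whose exception carries connection detail.
    raise RuntimeError("connection to db-primary.internal:5432 refused")
```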