Wednesday, April 5, 2017

Bad UX design could lead to security holes (BPI Express Case)

How bad UX design could lead to security holes (BPI Express Online Case Study)

Like most banks in the Philippines, the Bank of the Philippine Islands (BPI) is a major cause of migraine for customers. Its user experience design (UX) is badly done and the web service is unreliable. Both of these headaches lead to a third, much bigger problem: security holes. This probably explains why some BPI customers recently fell victim to phishing scams where unwitting victims divulged their passwords to a website pretending to be the BPI's online service. 

BPI's UX design problems 

Due to a badly designed user experience, the BPI website creates problems that punish the user. Forgot your password? You would have to call customer service to get a password reset. Maybe they think that this is more secure than doing the password reset online, but really, it's the same thing or even worse -- the human to whom I'm giving my details could jot down my credentials.

Let's discuss the first issue: bad UX. By this I mean not only the clunky design of its user interface that confuses users but also the general lack of empathy with the customer especially in times when the site is down.  

As I write this, the BPI website is, yet again, under maintenance. The screenshot below is the usual message that customers get when that happens (and all too frequently at that, if I may add).


There is no information on how long the maintenance will take. Should I just keep clicking the refresh button?

In the homepage, it turns out that there's an inconspicuous and cryptic message saying "Electronic Channels Upgrade Advisory":



Does the extra click I spend give me more helpful information? Nope. Check out the resulting page:

It's just telling me what I already know. At least tell me how long I should wait or when to try again. The message is as helpful as a flood warning a day after the flood has submerged the town. 

My retries produced a more problematic error message that gives away database details:


Maybe I stumbled upon a critical procedure during the maintenance. But shouldn't the BPI team be cautious about this and prevent this kind of sensitive error message to be published? 

UX design problems create security holes

The examples above are just one aspect of BPI's UX design issue. What's more problematic is that the UX design could lead to major security holes. For example, BPI requires users to change passwords once in every three months. You cannot repeat passwords so you have to create a new one every quarter. 

Can you imagine the burden of remembering a new password every three months, especially since your password cannot be a string of letters? This unreasonable policy forces people to write down their passwords -- which defeats the purpose of a strong password in the first place. 

Another consequence of frequently changing passwords is that people will forget their passwords and would have to call customer service, which leads us to another security hole. BPI does not have an online password reset service. If you forget your password, you have to call a customer representative to reset your password for you. Adding a human introduces a weakness in the security chain. Before the customer representative resets your password, you must answer security questions that force you to divulge private details to a stranger. 

In forcing users to call a human instead of offering an online password reset service, BPI probably thought it was creating tighter security. Yet this did not prevent users from giving away their passwords from a phishing scam, did it? 

Many know that UX design is important to any piece of software to improve usability. But as I explained above, UX can also lead to security problems that could be exploited by online criminals.   

The case I outlined above also shows how corporations build their security measures based on outdated assumptions. But that is for another blog which I will be writing soon. 

What to do when you've got a virtual scrum team

Scrum and Agile are suddenly popular in Asia, and because a lot of companies take on outsourced projects, they usually have virtual teams, w...