Thursday, September 20, 2007

Citibank Secure Login and Payment Facility

This is Citibank’s login page.
For security, Citibank's login page has you click your password on an on-screen keypad instead of typing it in the good old way on the keyboard.

This seemed like a neat concept if I had private banking in mind (banking at Citibank kiosks or someplace like that), but I don't think this is really secure considering I'm at an open cyber cafe clicking on this keypad (giving anyone crossing my desk a chance to take a peek at my monitor and guess my password).

Wasn't typing the password on a keyboard a better idea, considering my hands cover the keyboard and reduce the chances of anyone guessing my password?

Citibank has a feature called "View and Pay" that makes paying monthly utility bills a lot easier. The bill account details are entered once; every month a message and an email are sent to the user asking for a payment confirmation.

It's pretty convenient, but there is no way to cancel a payment.

For example, I have my telecom provider registered with Citibank, and I pay the bill through the website every time. But this one time I paid the bill at the telecom store and not through the website. After the payment was made, it did not reflect on the website; it still asked me to pay a bill I had already paid. If a user makes a payment through the website once, they assume that he is going to do the same every time; multiple payment methods are not handled.

Do you guys have any comments?

(Written after discussion and inputs from Nikhil Chandran)
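
The on-screen keypad in this post is the usual defence against keystroke loggers (as the comments on this post explain): nothing is typed, so a keyboard hook records nothing. What follows is an added example, not Citibank's code and not a description of how Citibank's page works. It models such a keypad as a ten-digit layout in which the browser sends the clicked key positions to the server (an assumed transport) and the server maps them back to digits. It goes one step beyond the post: the same model shows that a logger that records mouse click positions recovers the PIN from a fixed keypad, and that shuffling the layout per session blocks that. The PIN and layouts are constructed sample data.

```python
# Added example (not Citibank's code): a minimal model of an on-screen
# numeric keypad and what different observers can recover from it.
import secrets
import string

DIGITS = string.digits  # "0123456789"


def static_layout():
    """Fixed keypad: position i always shows digit i (a public,
    unchanging layout, as assumed for the keypad in the post)."""
    return list(DIGITS)


def shuffled_layout(rng=None):
    """Per-session keypad: the same ten digits in a random order.
    A cryptographic RNG is used so the order cannot be predicted."""
    rng = rng or secrets.SystemRandom()
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def click_pin(layout, pin):
    """Simulate the user clicking the PIN on the keypad. What leaves the
    browser (and what a click logger sees) is the list of key positions,
    never the digits themselves. Assumed transport for this example."""
    return [layout.index(ch) for ch in pin]


def decode_clicks(layout, clicks):
    """Server side: map clicked positions back to digits using the
    layout that was issued for this session."""
    return "".join(layout[i] for i in clicks)


def keystroke_logger_sees(typed_keys):
    """A classic keystroke logger records everything typed on the keyboard.
    With an on-screen keypad nothing is typed, so it captures nothing."""
    return "".join(typed_keys)


def click_logger_guess(clicks):
    """A logger that records click positions and assumes the public static
    layout. Against a static keypad this recovers the PIN exactly; against
    a shuffled keypad it recovers the wrong digits."""
    return decode_clicks(static_layout(), clicks)


def login_round_trip(layout, pin):
    """One login: the user clicks the PIN, the server decodes the positions.
    Returns (pin_as_decoded_by_server, pin_as_guessed_by_click_logger)."""
    clicks = click_pin(layout, pin)
    return decode_clicks(layout, clicks), click_logger_guess(clicks)


if __name__ == "__main__":
    pin = "4721"  # constructed sample PIN
    print("keystroke logger, PIN typed:  ", repr(keystroke_logger_sees(list(pin))))
    print("keystroke logger, PIN clicked:", repr(keystroke_logger_sees([])))
    print("static keypad   (server, click logger):", login_round_trip(static_layout(), pin))
    print("shuffled keypad (server, click logger):", login_round_trip(shuffled_layout(), pin))
```

Two caveats the model makes visible: a fixed keypad only moves the problem from the keyboard hook to a mouse hook, and shuffling the layout per session defeats a position-only logger but not one that also captures a screenshot at each click. Neither variant does anything about a person watching the screen, which is the shoulder-surfing concern the post raises.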


Vinodh Nandakumar said...

I have always hated this page of Citibank... so irritating... definitely a usability improvement candidate :)

Umesh said...

The actual idea behind this kind of virtual keyboard is to tackle keylogger software, which can be installed on internet cafe machines. Keylogger software captures anything you type on the keyboard and mails it to the person who installed it after you leave. This gives him your password.

But of course it doesn't help, because of the problem you have explained here: as we have to click on the letters and numbers, anyone looking over can easily find out our password. No need of a keylogger to do that.

The good old keyboard would have been better in this case, along with a warning not to log in to the bank account from shared or unknown machines. If even after that someone wants to log in from an internet cafe, it's at his own risk.

Jay Sharma said...

If you see a bit more carefully, the page does provide the option to type both your card number and password using the keyboard. Look at the bottom right corner, where it says "Click here to login using keyboard".

Upma_Sharma said...

Jay, nice observation. But then, as you said, "If you see a bit more carefully". They have written it in one corner and in such a small font that no one will notice until someone explicitly searches for it. They should have this in a bigger font so that users can easily notice it.

smartass said...

As Umesh has pointed out, the on-screen keyboard is for providing safety against keylogger software which might be installed on shared computers.
When Jay says "if you see a bit more carefully" I suppose he is being humble (...or sarcastic). The font size is kept uniform on that page for the other options as well. The copyright logo at the bottom right is in the smaller font.
The term private banking refers to banking services offered to HNI clients on more personal/flexible terms. And I'm sure Citibank does not do private banking at kiosks.
To discuss the on-screen keyboard: you say that someone can look over your shoulder and guess the password. Let me try. I'm typing a password in this 'good old style' and there is someone trying to guess my password. Now he has to look at my hands and try to spot the sequence of keys. My hands partially cover the keyboard, and the movement showing which key I'm pressing is quite visible. And now for the on-screen keyboard: he has to look at my screen, very simple? No. Note that the buttons do not change when I'm clicking on them (except for a dotted border in IE, which does not appear in Firefox). Now for someone to guess my password, he has to look at the screen and my hand and spot when I'm clicking, all at the same time. Which one do you think is easier?
Moving to the 'View & Pay' feature: this feature does take care of multiple payment methods, and that's why you were able to make the payment at the telecom shop. What it does not take care of is updating a payment made using another payment method. Note that this is a value added service; hence the functionality is bound to be basic.

Kum said...

You said that you paid your mobile bill at the telecom counter, but I don't know why you are expecting this update in Citibank's database rather than in your service provider's database :)
Actually the Citibank payment utility provides you the facility for every billing period by reminding you on time.

DnZ said...

The reason why Citibank came up with this option is that there are people who still use cyber cafes to log into their site, where a proper antivirus or adware/spyware remover is most of the time not present. As Umesh has rightly pointed out, this way of interacting with the site reduces the risk from keylogger software.

The other possible way of designing the UI would be to have a much smaller keyboard at, let's say, the bottom of the screen, laid out in a horizontal row instead of a keyboard layout. The reason is that when you actually get your chair close to the monitor and bend over to view it, the bottom part of your screen is covered quite efficiently.
Secondly, using an on-screen keyboard with a smaller font reduces the chances of someone seeing what you click on.

