Product Strategist, Experience Designer & Code Tweaker 


Citibank’s Virtual KeyPad Login : Observations and Recommendations

Citibank has introduced a virtual keypad on their login page (via Lalith).

Citibank's Virtual Keypad Login : Review

The “Virtual Key Pad” functionality has “Load Time” issues:
It takes a while for the keys to become “clickable”. As a User, I tried clicking on a letter but NOTHING happened. This creates Disharmony.

The Interface needs to display a “Loading…” message and must communicate the fact that the System is ready for User Input. Until then, the keys can be grayed out or appear “un-clickable”.

Inconsistency:
While the QWERTY keyboard pattern is retained from the existing physical keyboard, the location of the Numeric Keys is randomized. As a User I expect the numbers to be arranged in a logical order and not randomized. (I am still thinking about this from a Security point of view.)

The “Backspace/ Back” button is displayed differently from the alpha-numeric keys and placed above the keypad.

Visual Feedback/ Affordance:
The Virtual Keypad can have a mouse-over effect. This gives an additional visual confirmation of a “letter selection”. The Keypad can also have a 3D effect (“push button”).

Further, the entire square/rectangle shaped key is not mapped to be clicked. This again creates Disharmony. As a user I expect the entire key area to be “clickable”.

Why do I need an IPIN and then a QPIN? Then there’s a TPIN? Citibank’s gotta work on a Single PIN concept.

Citibank has given more importance to Security than Usability.

Update: Just finished making a presentation on Touch Screen Design Guidelines. Instead of using a QWERTY keypad, it’s better to arrange the letters alphabetically in 3 rows. When it comes to numeric keys, it’s better to arrange them in “telephone” format (digit 1 being on the upper left). Read More on Touch Screen Interfaces >>

 

11 Responses

  1. Bajji

    Just a word on the second point… If you are referring to Inconsistency i.e., keys showing up every random place, it is very much part of their requirements. I really don’t want to bore everyone here by explaining it in detail, but it suffices to say that some malicious program can’t really really capture your click position and learn your password.

    Baji

  2. Hey Bajji,

    - This ain’t boring, man. You can go ahead and explain the details. I am trying to understand the NEED for randomizing the numeric key position.

    - “some malicious program can’t really really capture your click position and learn your password”
    If this is not possible ( at this point of time? ;) ), then why randomize? :)

  3. Bajji

    Consider this scenario.

    1. You go to a browsing center and quickly check out your Bank Balance. But someone using the machine before you could have installed a Key Logger. This captures anything you type using the Key Board and mails it to him after you leave. This gives him your password.

    2. Suppose you have the Citibank Suvidha with Non-randomised on-screen keypad. When you log-in you aren’t typing anything from the key-board, but just clicking something on the screen. Ah ! Secure ? Alas not. The key loggers have grown intelligent enough to capture the x,y positions of the mouse clicks and can compare them with the Standard KeyPad to glean your password.

    3. Suppose you have a randomised KeyPad, the keylogger doesn’t have a Standard KeyPad to compare your clicks with. It doesn’t know which one to Compare against.

    Aha…! Secure ? .. Better but not absolute.. Why ? See here
    http://www.securityfocus.com/archive/107/395184/2005-04-06/2005-04-12/0
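
The randomised keypad from the scenario above, as an added example that is not part of the original comments and is not Citibank's code: a digit layout shuffled per session with a CSPRNG, where the browser submits slot positions that only the issuing session can decode. The function names and the two sample layouts are hypothetical, constructed for illustration.

```javascript
// Added example; function names and sample layouts are hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Unbiased integer in [0, n) from the CSPRNG; rejection sampling
// discards bytes that would introduce modulo bias.
function secureRandBelow(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle of the ten digits. The array index is the
// on-screen slot; the value is the digit drawn in that slot.
function newDigitLayout(randBelow = secureRandBelow) {
  const layout = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9"];
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randBelow(i + 1);
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// Server side: clicks arrive as slot indices, never as digits, and are
// decoded against the layout issued to this session only.
function decodeClicks(layout, slots) {
  return slots.map((s) => {
    if (!Number.isInteger(s) || s < 0 || s >= layout.length) {
      throw new RangeError("slot out of range");
    }
    return layout[s];
  }).join("");
}

// Constructed sample: one recorded slot sequence, two session layouts.
const recordedSlots = [3, 0, 7, 7];
const sessionA = ["4", "9", "1", "7", "0", "2", "8", "5", "3", "6"];
const sessionB = ["6", "2", "5", "0", "9", "3", "1", "8", "7", "4"];
console.log(decodeClicks(sessionA, recordedSlots)); // 7455
console.log(decodeClicks(sessionB, recordedSlots)); // 0688
console.log(newDigitLayout().join(" "));            // fresh layout each call
```

The same click positions decode to different digits in each session, which is the property point 3 relies on; keys left in a fixed layout, such as the alphabetic ones here, get no such protection.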

  4. Hey Bajji, Neat Scenario!

    We have an interesting problem here. It appears that no matter what your “Password Input Mechanism” is, it IS possible to track it on Internet Cafes loaded with Key Loggers. ( Right?) This means that currently, Online Banking is NOT SECURE on Internet Cafes. ( Are they secure on Home PCs? And hey, it is possible to install a KeyLogger on a Home PC through the internet and log passwords of top 10 banking sites of a particular country? )

    Logically, the other alternative is to change the Password after every login ( not logout? ) with a predefined rule. Can this rule be tracked too? This also means that there is an additional cognitive load on the User’s memory. And most importantly, the User will stop TRUSTING the Online Banking Application, the more complex it gets.

    Coming back to Citibank Suvidha’s Virtual Keypad….
    Currently, on Citibank’s virtual login keypad, the positions of the NUMERIC KEYS ALONE are randomized and those of the ALPHABETIC KEYS are not randomized. Guess partial randomization is better than zero or total randomization.
    Total randomization of all the keys might totally put off the user / totally increase the task completion time.

    Is your mail id vidyabalaji at gmail com?

  5. An interesting problem and observations.

    On an accessibility note, is the virtual keypad totally mouse driven? If so, it’ll be a bit tricky for someone who can’t use the mouse….

  6. Yea Ruth, the virtual keypad IS totally mouse driven and will be a little user unfriendly for disabled users.
    Wonder if Citibank has done User Research to understand how many % of its users are disabled.

  7. Bajji

    Muthu
    I Agree, online banking via an internet cafe is not completely secure.

    Coming to talk about home PCs. I refer to your point.

    Are they secure on Home PCs? And hey, it is possible to install a KeyLogger on a Home PC through the internet and log passwords of top 10 banking sites of a particular country?

    How is it possible to install a keylogger on a home PC? There are severe restrictions on what information the Browser can access and what it can install on the home PC. Ask any web developer who has done web programming with frames and JavaScript.

    Another point …
    the virtual keypad IS totally mouse driven and will be a little user unfriendly for disabled users.
    In the login page I see a link which says …
    Still have problems logging in ? Click here to login using keyboard

    Shouldn’t that suffice .. ?

  8. Bajji,

    “Still have problems logging in ? Click here to login using keyboard”

    - The copy is not very intuitive.
    - The placement is incorrect.
    - Many users missed this part.

  9. [...] While ECS ‘Standing Instruction’ is my most preferred payment method, I am surprised as to why online payment feature at http://www.Airtel.in is missing. If you wanna make online payment, then you gotta register and log-on to http://www.billdesk.com or http://www.billjunction.com. Now, i dont have the time to go and make yet another registration. I’d be much happy to make online payments through my CitiBank Suvidha Account. ( However sad their UI and their online keypad looks) [...]

  10. It makes my password entry (clicking on the letters and making sure it’s clicked) too slow, and anyone else who is looking at my screen can guess my password. No need to install a keylogger or whatever.

  11. india keyword online tool

    Generate huge laser-targeted low competition, high demand keyword lists in minutes.


© Muthukumar Rajamani